3. Class - F5 BIG-IP DDoS and DNS DoS Protections
3.3. Appendix
3.3.1. DNS Security vectors
The system tracks and rate limits all UDP DNS packets (excluding those whitelisted). TCP DNS packets are also tracked but only for the DNS requests that reach a virtual server that has a DNS profile associated with it.
NOTE: This information applies to 13.1.0.1.
For vectors where VLAN is <tunable>, you can tune this value in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094.
DoS category | Attack name | DoS vector name | Information | Hardware accelerated |
---|---|---|---|---|
DNS | DNS A Query | dns-a-query | DNS Query, DNS Qtype is A_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS AAAA Query | dns-aaaa-query | DNS Query, DNS Qtype is AAAA, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS Any Query | dns-any-query | DNS Query, DNS Qtype is ANY_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS AXFR Query | dns-axfr-query | DNS Query, DNS Qtype is AXFR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS CNAME Query | dns-cname-query | DNS Query, DNS Qtype is CNAME, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS IXFR Query | dns-ixfr-query | DNS Query, DNS Qtype is IXFR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS Malformed | dns-malformed | Malformed DNS packet | Yes |
DNS | DNS MX Query | dns-mx-query | DNS Query, DNS Qtype is MX, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS NS Query | dns-ns-query | DNS Query, DNS Qtype is NS, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS OTHER Query | dns-other-query | DNS Query, DNS Qtype is OTHER, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS PTR Query | dns-ptr-query | DNS Query, DNS Qtype is PTR, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS Question Items != 1 | dns-qdcount-limit | DNS Query, DNS Qtype is ANY_QRY, the DNS query has more than one question. | Yes |
DNS | DNS Response Flood | dns-response-flood | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS SOA Query | dns-soa-query | DNS Query, DNS Qtype is SOA_QRY, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS SRV Query | dns-srv-query | DNS Query, DNS Qtype is SRV, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
DNS | DNS TXT Query | dns-txt-query | DNS Query, DNS Qtype is TXT, VLAN is <tunable> in tmsh using dos.dnsvlan. | Yes |
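The DNS rows above are keyed on the QTYPE of the question, the QR bit of the header (bit 15, response flood) and the question count. The following Python, added here and not part of the F5 class material, maps a UDP DNS message to the table's vector names on that basis; the `dns_query` builder and the "Question Items != 1" reading of dns-qdcount-limit are this example's assumptions.

```python
import struct
# Added illustration, not F5 code: map a UDP DNS message to the DNS DoS vector
# names in the table above (query vectors by QTYPE, response flood by the QR bit,
# qdcount-limit when QDCOUNT != 1, malformed when the header or question is short).
QTYPE_VECTORS = {1: "dns-a-query", 2: "dns-ns-query", 5: "dns-cname-query",
                 6: "dns-soa-query", 12: "dns-ptr-query", 15: "dns-mx-query",
                 16: "dns-txt-query", 28: "dns-aaaa-query", 33: "dns-srv-query",
                 251: "dns-ixfr-query", 252: "dns-axfr-query", 255: "dns-any-query"}

def dns_vector(msg: bytes) -> str:
    if len(msg) < 12:                       # fixed DNS header is 12 bytes
        return "dns-malformed"
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000:                      # QR bit (bit 15) set: a response
        return "dns-response-flood"
    if qdcount != 1:
        return "dns-qdcount-limit"
    pos = 12                                # walk the QNAME labels
    while pos < len(msg) and msg[pos]:
        if msg[pos] > 63:                   # label too long or a compression pointer
            return "dns-malformed"
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):                  # need root label + QTYPE + QCLASS
        return "dns-malformed"
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return QTYPE_VECTORS.get(qtype, "dns-other-query")

def dns_query(name: str, qtype: int, qr: bool = False, qdcount: int = 1) -> bytes:
    # constructed sample message: one question, standard query, id 0x1234
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8000 if qr else 0x0100, qdcount, 0, 0, 0)
    return hdr + qname + struct.pack("!HH", qtype, 1)
```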
3.3.2. Network Security Vectors
DoS category | Attack name | DoS vector name | Information | Hardware accelerated |
---|---|---|---|---|
Flood | Ethernet Broadcast Packet | ether-brdcst-pkt | Ethernet broadcast packet flood | Yes |
Flood | Ethernet Multicast Packet | ether-multicst-pkt | Ethernet destination is not broadcast, but is multicast | Yes |
Flood | ARP Flood | arp-flood | ARP packet flood | Yes |
Flood | IP Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4 | Yes |
Flood | IGMP Flood | igmp-flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes |
Flood | Routing Header Type 0 | routing-header-type-0 | Routing header type zero is present in flood packets | Yes |
Flood | IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6 | No |
Flood | IGMP Fragment Flood | igmp-frag-flood | Fragmented packet flood with IGMP protocol | Yes |
Flood | TCP SYN Flood | tcp-syn-flood | TCP SYN flood | Yes |
Flood | TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood | Yes |
Flood | TCP RST Flood | tcp-rst-flood | TCP RST flood | Yes |
Flood | TCP Window Size | tcp-window-size | The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value, where value is <=128. | Yes |
Flood | ICMPv4 Flood | icmpv4-flood | Flood with ICMP v4 packets | Yes |
Flood | ICMPv6 Flood | icmpv6-flood | Flood with ICMP v6 packets | Yes |
Flood | UDP Flood | udp-flood | UDP flood attack | Yes |
Flood | TCP SYN Oversize | tcp-syn-oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value. The default size is 64 and the maximum allowable value is 9216. | Yes |
Flood | TCP Push Flood | tcp-push-flood | TCP push packet flood | Yes |
Flood | TCP BADACK Flood | tcp-ack-flood | TCP ACK packet flood | No |
Bad Header - L2 | Ethernet MAC Source Address == Destination Address | ether-mac-sa-eq-da | Ethernet MAC source address equals the destination address | Yes |
Bad Header - IPv4 | Bad IP Version | bad-ver | The IPv4 address version in the IP header is not 4 | Yes |
Bad Header - IPv4 | Header Length Too Short | hdr-len-too-short | IPv4 header length is less than 20 bytes | Yes |
Bad Header - IPv4 | Header Length > L2 Length | hdr-len-gt-l2-len | No room in layer 2 packet for IP header (including options) for IPv4 address | Yes |
Bad Header - IPv4 | L2 Length >> IP Length | l2-len-ggt-ip-len | Layer 2 packet length is much greater than the payload length in an IPv4 address header and the layer 2 length is greater than the minimum packet size | Yes |
Bad Header - IPv4 | No L4 | no-l4 | No layer 4 payload for IPv4 address | Yes |
Bad Header - IPv4 | Bad IP TTL Value | bad-ttl-val | Time-to-live equals zero for an IPv4 address | Yes |
Bad Header - IPv4 | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttli value, where value is 1-4. | Yes |
Bad Header - IPv4 | IP Error Checksum | ip-err-chksum | The header checksum is not correct | Yes |
Bad Header - IPv4 | IP Option Frames | ip-opt-frames | IPv4 address packet with options. The db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
Bad Header - IPv4 | Bad Source | ip-bad-src | The IPv4 source IP = 255.255.255.255 or 0xe0000000U | Yes |
Bad Header - IPv4 | IP Option Illegal Length | bad-ip-opt | Option present with illegal length | No |
Bad Header - IPv4 | Unknown Option Type | unk-ipopt-type | Unknown IP option type | No |
Bad Header - IGMP | Bad IGMP Frame | bad-igmp-frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
Fragmentation | IP Fragment Too Small | ip-short-frag | IPv4 short fragment error | Yes |
Fragmentation | IPv6 Fragment Too Small | ipv6-short-frag | IPv6 short fragment error | Yes |
Fragmentation | IPV6 Atomic Fragment | ipv6-atomic-frag | IPv6 Frag header present with M=0 and FragOffset=0 | Yes |
Fragmentation | ICMP Fragment | icmp-frag | ICMP fragment flood | Yes |
Fragmentation | IP Fragment Error | ip-other-frag | Other IPv4 fragment error | Yes |
Fragmentation | IPV6 Fragment Error | ipv6-other-frag | Other IPv6 fragment error | Yes |
Fragmentation | IP Fragment Overlap | ip-overlap-frag | IPv4 overlapping fragment error | No |
Fragmentation | IPv6 Fragment Overlap | ipv6-overlap-frag | IPv6 overlapping fragment error | No |
Bad Header - IPv6 | Bad IPV6 Version | bad-ipv6-ver | The IPv6 address version in the IP header is not 6 | Yes |
Bad Header - IPv6 | IPV6 Length > L2 Length | ipv6-len-gt-l2-len | IPv6 address length is greater than the layer 2 length | Yes |
Bad Header - IPv6 | Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length | Yes |
Bad Header - IPv6 | Too Many Extension Headers | too-many-ext-hdrs | For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value, where value is 0-15. | Yes |
Bad Header - IPv6 | IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header | Yes |
Bad Header - IPv6 | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value, where value is 0-1024. | Yes |
Bad Header - IPv6 | No L4 (Extended Headers Go To Or Past End of Frame) | l4-ext-hdrs-go-end | Extended headers go to the end or past the end of the L4 frame | Yes |
Bad Header - IPv6 | Bad IPV6 Hop Count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad | Yes |
Bad Header - IPv6 | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where value is 1-4. | Yes |
Bad Header - IPv6 | IPv6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 address contains extended header frames | Yes |
Bad Header - IPv6 | IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 header are in the wrong order | Yes |
Bad Header - IPv6 | Bad IPv6 Addr | ipv6-bad-src | IPv6 source IP = 0xff00:: | Yes |
Bad Header - IPv6 | IPv4 Mapped IPv6 | ipv4-mapped-ipv6 | IPv4 address is in the lowest 32 bits of an IPv6 address. | Yes |
Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words | Yes |
Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | The TCP header length is greater than the layer 2 length | Yes |
Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type | Yes |
Bad Header - TCP | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length | Yes |
Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header | Yes |
Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match | Yes |
Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set) | Yes |
Bad Header - TCP | Bad TCP Flags (All Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0) | Yes |
Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set) | Yes |
Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set) | Yes |
Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious | Yes |
Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet | Yes |
Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not one of the valid IPv4 or IPv6 ICMP types. | Yes |
Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value, where value is <=65515. | Yes |
Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than IP length or layer 2 length | Yes |
Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct | Yes |
Other | Host Unreachable | host-unreachable | Host unreachable error | Yes |
Other | TIDCMP | tidcmp | ICMP source quench attack | Yes |
Other | LAND Attack | land-attack | Source IP equals destination IP address | Yes |
Other | IP Unknown protocol | ip-unk-prot | Unknown IP protocol | No |
Other | TCP Half Open | tcp-half-open | The number of new or untrusted TCP connections that can be established. Overrides the Global SYN Check threshold in Configuration > Local Traffic > General. | No |
Other | IP uncommon proto | ip-uncommon-proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes |
Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value, where value is 256-8192. | Yes |
Single Endpoint | Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
Bad Header-SCTP | Bad SCTP Checksum | bad-sctp-checksum | Bad SCTP packet checksum | No |
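The Bad Header rows above state each vector as a condition on the packet's header fields. The following Python, added here and not part of the F5 class material, applies a few of those conditions to a raw IPv4 frame (bad-ver, hdr-len-too-short, hdr-len-gt-l2-len, bad-ttl-val, ttl-leq-one, no-l4, bad-igmp-frame, tcp-hdr-len-too-short, syn-and-fin-set, fin-only-set) and returns the matching vector names; the frame builders and the LOW_TTL constant (standing in for the dos.iplowttli default of 1) are this example's assumptions.

```python
import struct
# Added illustration, not F5 code: match a raw IPv4 frame against a few of the
# "Bad Header" vectors in the table above, using the table's DoS vector names.
IGMP_TYPES = {0x11, 0x12, 0x16, 0x22, 0x17}  # valid types per bad-igmp-frame
LOW_TTL = 1                                  # dos.iplowttli default (ttl-leq-one)

def check_igmp(igmp: bytes) -> list:
    # bad-igmp-frame: >= 8 bytes, known type, and bits 15:8 (max response time)
    # non-zero only for a membership query (type 0x11)
    bad = len(igmp) < 8 or igmp[0] not in IGMP_TYPES or (igmp[1] and igmp[0] != 0x11)
    return ["bad-igmp-frame"] if bad else []

def check_tcp(tcp: bytes) -> list:
    if len(tcp) < 20 or tcp[12] >> 4 < 5:            # data offset below 5 words
        return ["tcp-hdr-len-too-short"]
    flags, hits = tcp[13], []
    if flags & 0x02 and flags & 0x01:                 # SYN and FIN together
        hits.append("syn-and-fin-set")
    if flags == 0x01:                                 # only FIN
        hits.append("fin-only-set")
    return hits

def classify_ipv4(pkt: bytes) -> list:
    # returns the DoS vector names whose conditions the frame matches
    if len(pkt) < 20:
        return ["hdr-len-gt-l2-len"]                  # no room for an IP header
    hits, ihl, ttl, proto = [], (pkt[0] & 0x0F) * 4, pkt[8], pkt[9]
    if pkt[0] >> 4 != 4:
        hits.append("bad-ver")
    if ihl < 20:
        hits.append("hdr-len-too-short")
    if ttl == 0:
        hits.append("bad-ttl-val")
    elif ttl <= LOW_TTL and not 0xE0 <= pkt[16] <= 0xEF:  # non-multicast dst
        hits.append("ttl-leq-one")
    payload = pkt[max(ihl, 20):]
    if not payload:
        hits.append("no-l4")
    elif proto == 2:
        hits += check_igmp(payload)
    elif proto == 6:
        hits += check_tcp(payload)
    return hits

def ipv4_frame(payload=b"", ttl=64, proto=6, version=4) -> bytes:  # constructed sample
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20 + len(payload), 0,
                      0, ttl, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def tcp_segment(flags: int, seq: int = 0) -> bytes:  # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", 1234, 80, seq, 0, 5 << 4, flags, 0, 0, 0)
```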