
ACOS 5.1.0
DDoS Mitigation Guide (for ADC)
for A10 Thunder® Series
29 November 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be
available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can
be found by visiting www.a10networks.com.
Table of Contents

Introduction ................................................................................................................................. 9
Application Access Management..........................................................................................9
Login Portal ................................................................................................................................................. 10
Online Certificate Status Protocol (OCSP) ............................................................................................ 10
Authentication Relay ................................................................................................................................. 10
AAA Health Monitoring and Load Balancing ........................................................................................ 10
Online Certificate Status Protocol .......................................................................................10
DDoS Mitigation....................................................................................................................11
Single CPU Attack Prevention .............................................................................................11
Policy-Based SLB..................................................................................................................11
SYN Cookies .........................................................................................................................12
IP Limiting .............................................................................................................................12
ICMP Rate Limiting...............................................................................................................12
Web Application Firewall......................................................................................................12
Slowloris Prevention.............................................................................................................13
DNS Application Firewall......................................................................................................13
DNSSEC.................................................................................................................................13
SSL Insight............................................................................................................................14
Geo-location-based VIP Access...........................................................................................14

IP Anomaly Filtering ................................................................................................................... 15


Overview of IP Anomaly Filtering.........................................................................................15
IP Anomaly Filters ...................................................................................................................................... 15
Frag ........................................................................................................................................................ 16
IP-option ................................................................................................................................................ 16
Land-attack .......................................................................................................................................... 16
Zero-length TCP Window .................................................................................................................. 16
Out-of-sequence Packet .................................................................................................................... 16
Ping-of-death ....................................................................................................................................... 16
TCP-no-flag .......................................................................................................................................... 16
TCP-SYN-FIN ....................................................................................................................................... 16
TCP-SYN-frag ....................................................................................................................................... 16
IP Anomaly Filters for System-wide PBSLB ......................................................................................... 17
Threshold ..................................................................................................................................................... 17
SOCKSTRESS_CHECK Session State .................................................................................................... 17
Implementation Notes .............................................................................................................................. 18
Configuring IP Anomaly Filtering.........................................................................................18
Using the GUI to Configure IP Anomaly Filtering ................................................................................ 18

page 3
ACOS 5.1.0 DDoS Mitigation Guide (for ADC)
Contents

Using the CLI to Configure IP Anomaly Filtering ................................................................................. 19


Displaying IP Anomaly Statistics ........................................................................................19
Using the GUI to Display IP Anomaly Statistics .................................................................................. 19
Using the CLI to Display IP Anomaly Statistics ................................................................................... 19

Policy-based SLB ....................................................................................................................... 21


Overview................................................................................................................................21
Configuring a Black/White List ............................................................................................22
Configuration Details and Examples ...................................................................................................... 22
Example Black/White List ........................................................................................................................ 23
Dynamic Black/White-list Client Entries ................................................................................................ 24
Connection Limit for Dynamic Entries ................................................................................................... 25
Aging of Dynamic Entries ......................................................................................................................... 25
Wildcard Address Support in PBSLB Policies Bound to Virtual Ports ............................................. 25
Configuring System-wide PBSLB.........................................................................................25
Options for System-wide PBSLB Policies ............................................................................................. 26
Using the GUI to Configure System-wide PBSLB ................................................................................ 26
Using the CLI to Configure System-wide PBSLB ................................................................................. 26
Displaying and Clearing System-wide PBSLB Information ............................................................... 27
Configuring PBSLB for Individual Virtual Ports ..................................................................27
Configuration Details ................................................................................................................................ 27
Using the GUI to Configure PBSLB for Individual Virtual Ports ........................................................ 28
Using the CLI to Configure PBSLB for Individual Virtual Ports ......................................................... 29
Configuration Example for Sockstress Attack Protection .................................................30
PBSLB Statistics Display .....................................................................................................31

SYN Cookies .............................................................................................................................. 33


Overview of SYN Cookies.....................................................................................................33
SYN Flood Attacks ..................................................................................................................................... 33
Identifying SYN Flood Attacks ................................................................................................................ 34
ACOS SYN-cookie Protection .................................................................................................................. 35
Dynamic SYN Cookies .............................................................................................................................. 35
SYN Cookie Buffering ................................................................................................................................ 36
SACK and MSS with Software-based SYN-cookies ............................................................................ 36
SACK ...................................................................................................................................................... 36
MSS ........................................................................................................................................................ 37
Configuring SYN Cookies .....................................................................................................37
Enabling SYN-cookie Support ................................................................................................................. 37
Details .................................................................................................................................................... 37
FTA Models .......................................................................................................................................... 38
Non-FTA Models ................................................................................................................................. 38
Configuration with Target VIP and Client-side Router in Different Subnets .................................. 39
Modifying the Threshold for TCP Handshake Completion ................................................................ 40
Configuring SYN-cookie Buffering .......................................................................................................... 40
Details .................................................................................................................................................... 40


Using the GUI to Configure SYN-cookie Buffering ....................................................................... 41


Using the CLI to Configure SYN-cookie Buffering ........................................................................ 41
Viewing SYN-cookie Statistics ............................................................................................42
Using the GUI to View SYN-cookie Statistics ....................................................................................... 42
Using the CLI to View SYN-cookie Statistics ....................................................................................... 42
L4 SYN attack ...................................................................................................................................... 42
L4 TCP Established ............................................................................................................................. 42
Examples .............................................................................................................................................. 43
CLI Example 1: View Attack Prevention Statistics ....................................................................... 43
CLI Example 2: View SYN Attack Counter ...................................................................................... 44
CLI Example 3: View Legitimate Session Counter ....................................................................... 44
CLI Example 4: View SYN-cookie Buffering Statistics ................................................................. 45
SYN Attack Counter Support for L3V .............................................................................................. 45

IP Limiting .................................................................................................................................. 47
Overview of IP Limiting ........................................................................................................47
Understanding Class Lists ...................................................................................................48
Class List Syntax ........................................................................................................................................ 48
IP Address Matching ................................................................................................................................. 49
Example Class Lists .................................................................................................................................. 50
Configuring Class Lists ............................................................................................................................. 50
Using the GUI to Import a Class List ............................................................................................... 51
Using the GUI to Configure a Class List ......................................................................................... 51
Using the CLI to Import a Class List ................................................................................................ 51
Using the CLI to Configure a Class List .......................................................................................... 52
Understanding IP Limiting Rules .........................................................................................52
Parameters .................................................................................................................................................. 52
Match IP Address ...................................................................................................................................... 54
Request Limiting and Request-Rate Limiting in Class Lists ............................................................. 54
CLI Examples: Request Limiting and Request-rate Limiting Settings Are Used ........................... 54
Example 1: GLID Used in Policy Template and Bound to Virtual Port ...................................... 54
Example 2: LID Used in Policy Template and Bound to Virtual Port ......................................... 55
CLI Examples: Request Limiting and Request-rate Limiting Settings Are Not Used ................... 56
Example 1: Policy Template Bound to Virtual Server Instead of Virtual Port ......................... 56
Example 2: System GLID ................................................................................................................... 56
Example 3: System-wide Policy Template ..................................................................................... 56
Configuring Source IP Limiting ............................................................................................................... 57
CLI Examples - Configuration...............................................................................................57
Configuring System-wide IP Limiting With a Single Class ................................................................ 58
Configuring System-wide IP Limiting With Multiple Classes ............................................................ 58
Configuring IP Limiting on a Virtual Server ........................................................................................... 59
Configuring IP Limiting on a Virtual Port ............................................................................................... 60
Configuring Class List Entries That Age Out ........................................................................................ 60
CLI Examples - Display .........................................................................................................61
Viewing Class-Lists ................................................................................................................................... 62


Viewing IP Limiting Rules ......................................................................................................................... 62


Viewing IP Limiting Statistics .................................................................................................................. 62

ICMP Rate Limiting .................................................................................................................... 63


ICMP Rate Limiting Overview ..............................................................................................63
Configuring ICMP Rate Limiting ..........................................................................................63
ICMP Rate Limiting Parameters ............................................................................................................. 64
Using the GUI to Configure ICMP Rate Limiting .................................................................................. 64
Configuring ICMP Rate Limiting on an Ethernet Interface ......................................................... 64
Configuring ICMP Rate Limiting in a Virtual Server Template ................................................... 65
Using the CLI to Configure ICMP Rate Limiting .................................................................................. 65

HTTP Slowloris Prevention ......................................................................................................... 67


Details .......................................................................................................................................................... 67
Using the GUI to Configure Request Header Timeout ....................................................................... 67
Using the CLI to Configure Request Header Timeout ........................................................................ 67

DNS Application Firewall ............................................................................................................ 69


Overview of the DNS Application Firewall...........................................................................69
DNS Sanity Check.................................................................................................................69
Sanity Checking for Virtual-Port Type UDP .......................................................................................... 70
Sanity Checking for Virtual-Port Type DNS-UDP ................................................................................. 70
Configuring DNSSEC ............................................................................................................71
Details .......................................................................................................................................................... 71
Using the CLI to Configure DNSSEC ...................................................................................................... 71
DNS Application Firewall Setup ....................................................................................................... 71
Service-Group Redirection for DNS “Any” Requests (using aFleX) ........................................... 72

DNS Response Rate Limiting ..................................................................................................... 73


Overview of DNS Response Rate Limiting (RRL)................................................................73
Details .......................................................................................................................................................... 73
DNS Reflection Attacks ............................................................................................................................ 74
Challenges of Stopping DNS Reflection Attacks ................................................................................. 74
ACOS Mitigation of DNS Reflection Attacks ........................................................................................ 74
Two-tiered Rate-limiting System for DNS Queries .............................................................................. 75
Configuration Parameters for DNS RRL ............................................................................................... 75
Setting the Rate Limits ...................................................................................................................... 75
Protecting System Resources .......................................................................................................... 76
Allowing Valid DNS Queries to Pass ............................................................................................... 76
More Information ................................................................................................................................ 76
Limitations .................................................................................................................................................. 76
Configuration Example.........................................................................................................78
Using the GUI to Configure DNS RRL .................................................................................................... 78
Using the CLI to Configure and Monitor DNS RRL .............................................................................. 79

DNSSEC Support ........................................................................................................................ 81


Overview of DNSSEC Support..............................................................................................81


Details .......................................................................................................................................................... 81
DNS without Security ................................................................................................................................ 82
DNSSEC (DNS with Security) .................................................................................................................. 84
Building the Chain of Trust ..................................................................................................88
Dynamic Key Generation and Rollover ................................................................................89
Key Generation and Rollover Parameters ............................................................................................. 90
Key Rollover and Distribution Process .................................................................................................. 90
Key Regeneration Log Messages ........................................................................................................... 91
Importing/Exporting Key Files ................................................................................................................ 92
Emergency Key Rollover .......................................................................................................................... 92
Changing Key Settings ............................................................................................................................. 93
Hardware Security Module Support ....................................................................................93
DNSSEC Configuration.........................................................................................................93
Modes .......................................................................................................................................................... 94
DNSSEC Configuration Example ............................................................................................................ 94
Configuring an HSM Template ......................................................................................................... 94
Configuring a DNSSEC Template .................................................................................................... 95
Configuring GSLB ................................................................................................................................ 95
Configuring a GSLB Policy and Enable Server Mode ................................................................... 98
Binding the DNSSEC Template to the Zone .................................................................................. 98
Configuring DNSSEC Standalone .................................................................................................... 99
Configuring the VIP for DNSSEC Requests ................................................................................... 99

Location-Based VIP Access ..................................................................................................... 101


Overview of Location-based VIP Access.......................................................................... 101
Configuration Using a Class List ...................................................................................... 101
Configuration Using a Black/White List ........................................................................... 103
Details ........................................................................................................................................................103
Configuring the Black/White List ..........................................................................................................104
Methods ..............................................................................................................................................104
Using the GUI .....................................................................................................................................105
CLI Example .......................................................................................................................................106
Enabling Full-Domain Checking........................................................................................ 107
Details ........................................................................................................................................................107
Using the GUI to Configure Full-Domain Checking ...........................................................................108
Using the CLI to Configure Full-Domain Checking ............................................................................108
Enabling PBSLB Statistics Counter Sharing .................................................................... 109
Details ........................................................................................................................................................109
Using the GUI to Enable PBSLB Statistics Counter Sharing ...........................................................109
Using the CLI to Enable PBSLB Statistics Counter Sharing ............................................................110

ACOS 5.1.0 DDoS Mitigation Guide (for ADC)

Introduction

ACOS provides a suite of security features that allow you to protect your customer traffic:

• Application Access Management

• Online Certificate Status Protocol

• DDoS Mitigation

• Single CPU Attack Prevention

• Policy-Based SLB

• SYN Cookies

• IP Limiting

• ICMP Rate Limiting

• Web Application Firewall

• Slowloris Prevention

• DNS Application Firewall

• DNSSEC

• SSL Insight

• Geo-location-based VIP Access

Application Access Management


Application Access Management (AAM) is an ACOS security feature that optimizes Authentication,
Authorization, and Accounting (AAA) for client-server traffic.

AAM includes the following features:

• Login Portal

• Online Certificate Status Protocol (OCSP)

• Authentication Relay

• AAA Health Monitoring and Load Balancing


NOTE: For more information about AAM, see the Application Access Management Guide.

Login Portal
Provides a sign-on interface. By using a request-reply exchange or a Web-based form, ACOS obtains your credentials and uses a backend AAA server to verify them.

Online Certificate Status Protocol (OCSP)


Provides certificate verification services and eliminates the need to import certificate revocation list
(CRL) files to the ACOS device.

The CRLs are maintained on the OCSP responder (server). When a client sends its certificate as part of
a request for a secured service, ACOS first sends the certificate to the OCSP responder for verification.
After the certificate is verified, the client can access secured services.

Authentication Relay
Offloads your AAA servers. ACOS contacts the backend AAA servers on behalf of the clients, and after a
server responds, ACOS caches the reply and uses this reply for subsequent client requests.

AAA Health Monitoring and Load Balancing


Load balances authentication traffic among a group of AAA servers. ACOS supports custom health
checks for LDAP, RADIUS, Kerberos, and OCSP.

Online Certificate Status Protocol


Online Certificate Status Protocol (OCSP) is a network component that provides certificate verification
services.

OCSP is an efficient alternative to CRLs, which is also supported by ACOS. To use CRLs with ACOS, you must import the CRL files into the ACOS device. If you use OCSP, ACOS can also send certificate verification queries to external OCSP servers (generally called responders). This process only occurs when a client sends a certificate as part of a request to set up a secure session to a server application that is managed by ACOS.


NOTE: For more information about OCSP, see Checking Client Certificates Using OCSP in the SSL Configuration Guide and AAM with OCSP in the Application Access Management Guide.

DDoS Mitigation
Distributed Denial of Service (DDoS) is a type of DoS attack where multiple systems that are infected
with a Trojan or malware are, in turn, used to target a particular system. This process causes a denial of
service. If a hacker (attacker) mounts an attack from one host, this is classified as a DoS attack. In a
DDoS attack, many systems are used simultaneously to launch attacks against a remote system.

ACOS includes filters that check traffic for IP anomalies that can indicate a DDoS attack.

NOTE: For more information about DDoS Mitigation, see IP Anomaly Filtering.

Single CPU Attack Prevention


The CPU Round Robin feature is used to mitigate the effects of Denial of Service (DoS) attacks that target a single CPU on the ACOS device. The system cpu-load-sharing command is used to configure thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is activated, and additional CPUs are enlisted to help process the traffic and relieve the burden on the targeted CPU. A round robin algorithm distributes packets across all the other data CPUs on the device. Load sharing remains in effect until traffic no longer exceeds the thresholds that originally activated the feature.

NOTE: For more information about the system cpu-load-sharing command, see the Command Line Reference Guide.

Policy-Based SLB
Policy-based SLB (PBSLB) allows you to “black list” or “white list” individual clients or client subnets.
Based on actions that you specify, ACOS will allow (white list) or drop (black list) traffic from specific
client hosts or subnets in the list.

NOTE: For more information about policy-based SLB, see Policy-based SLB.


SYN Cookies
SYN cookies provide protection against a common type of DDoS attack, the TCP SYN flood attack. The
attacker sends a high volume of TCP-SYN requests to the target device, but the attacker does not reply
to SYN-ACKs to complete the three-way handshake for any of the sessions. The purpose of the attack
is to consume the target’s resources with half-open TCP sessions.

When SYN cookies are enabled, the ACOS device can continue to serve legitimate clients during TCP
SYN flood attacks, while preventing illegitimate traffic from consuming system resources.

NOTE: For more information about SYN cookies, see SYN Cookies.

IP Limiting
IP limiting provides an enhanced implementation of the source IP connection limiting and connection-rate limiting feature that was available in earlier releases.

NOTE: For more information about IP limiting, see IP Limiting.

ICMP Rate Limiting


ICMP rate limiting protects against ICMP-based or ICMPv6-based DoS attacks, such as Smurf attacks,
which consist of floods of spoofed broadcast ping messages. ICMP rate limiting monitors the rate of
ICMP traffic and drops ICMP packets when the configured thresholds have been exceeded.

NOTE: For more information about ICMP rate limiting, see ICMP Rate Limiting.

Web Application Firewall


ACOS provides additional security for your Web servers with the Web Application Firewall (WAF) feature. WAF filters communication between end-users and Web applications to protect Web servers and sites from unauthorized access and malicious programs.

This new layer of security examines the following types of traffic to safeguard against Web attacks and
protect sensitive information hosted on Web servers:


• Incoming user requests

• Output from Web servers

• Access to Web site content

NOTE: For more information about WAF, see the Web Application Firewall Guide.

Slowloris Prevention
In addition to the WAF, ACOS includes an HTTP security option that prevents Slowloris attacks, in
which the attacker attempts to consume resources on the target system with incomplete HTTP
request headers.

NOTE: For more information about Slowloris prevention, see HTTP Slowloris
Prevention.

DNS Application Firewall


DNS Application Firewall (DAF) filters for malformed queries. The DAF also protects against “any” queries for all DNS records. An “any” query is a request for a DNS server to send copies of all of its DNS records. Because this type of query can heavily consume DNS resources, it is sometimes used as a DDoS attack.

NOTE: For more information about DAF, see DNS Application Firewall.

DNSSEC
ACOS supports DNS Security Extensions (DNSSEC). In Global Server Load Balancing (GSLB) deployments, you can use DNSSEC with a Hardware Security Module (HSM) to dynamically secure DNS resource records for GSLB zones.

NOTE: For more information about DNSSEC, see DNSSEC Support.


NOTE: ACOS also supports DNS caching for DNSSEC, but DNSSEC support for caching does not require GSLB.

SSL Insight
SSL Insight (SSLi) provides high-performance SSL decryption and re-encryption. When used in conjunction with third-party traffic inspection devices, SSLi adds content-level security.

SSLi decrypts SSL-encrypted client traffic and sends the decrypted traffic to a third-party traffic inspection device. Traffic that is permitted by the traffic inspection device is re-encrypted by ACOS and forwarded to its destination.

NOTE: For more information about SSL Insight, see “SSL Insight” in the SSL
Configuration Guide.

Geo-location-based VIP Access


Geo-location-based VIP access controls the access to a VIP based on the client’s location. You can configure ACOS to perform one of the following actions for traffic from a client, depending on the location of the client:

• Drop the traffic

• Reset the connection

• If configured by using a black/white list, send the traffic to a specific service group

ACOS determines a client’s location by looking up the client’s subnet in the geo-location database that
is used by Global Server Load Balancing (GSLB).

NOTE: For more information about Geo-location-based VIP access, see Location-Based VIP Access.


IP Anomaly Filtering

ACOS helps you detect and mitigate Distributed Denial of Service (DDoS) attacks. One of the features, IP
anomaly filtering, can protect against numerous types of attacks.

This chapter contains the following topics:

• Overview of IP Anomaly Filtering

• Configuring IP Anomaly Filtering

• Displaying IP Anomaly Statistics

Overview of IP Anomaly Filtering


IP anomaly filtering detects and drops packets that contain the common signatures of DDoS attacks.

This topic contains the following sections:

• IP Anomaly Filters

• IP Anomaly Filters for System-wide PBSLB

• Threshold

• SOCKSTRESS_CHECK Session State

• Implementation Notes

IP Anomaly Filters
Users can enable the following IP anomaly filters. This section has the following sub-sections:

• Frag

• IP-option

• Land-attack

• Zero-length TCP Window

• Out-of-sequence Packet

• Ping-of-death


• TCP-no-flag

• TCP-SYN-FIN

• TCP-SYN-frag

Frag
Drops all IP fragments, which can be used to attack hosts that run IP stacks with known vulnerabilities
in their fragment reassembly code.

IP-option
Drops all packets with IP options.

Land-attack
Drops spoofed SYN packets that contain the same IP address as the source and destination. These
packets can be used to launch an “IP land attack”.

Zero-length TCP Window


Filters TCP packets that advertise a zero-length TCP window.

Out-of-sequence Packet
Filters TCP packets that arrive out of sequence.

Ping-of-death
Drops all jumbo ICMP packets, which are also known as “ping of death” packets.

TCP-no-flag
Drops all TCP packets that have no TCP flags set.

TCP-SYN-FIN
Drops all TCP packets in which both the SYN and FIN flags are set.

TCP-SYN-frag
Drops incomplete (fragmented) TCP SYN packets, which can be used to launch TCP SYN flood attacks.


IP Anomaly Filters for System-wide PBSLB


The following IP anomaly filters are supported for system-wide PBSLB, although you can also use them
without PBSLB:

• Invalid HTTP or SSL payload

• Zero-length TCP window

• Out-of-sequence packet

When these filters are enabled, the ACOS device checks for these anomalies in new HTTP or HTTPS
connection requests from clients.

Filtering for these anomalies is disabled by default. However, if you configure a system-wide PBSLB policy, the filters are automatically enabled. You also can configure the filters on an individual basis.

NOTE: These filters are supported only for HTTP and HTTPS traffic.

NOTE: For information about system-wide PBSLB, see Configuring System-wide PBSLB.

Threshold
The threshold specifies the number of times the anomaly is allowed to occur in a client’s connection
requests.

If system-wide PBSLB is configured, ACOS applies the policy’s over-limit action to clients that exceed
the threshold. The range for the threshold value is 1-127 occurrences of the anomaly, and the default
value is 10.

NOTE: The thresholds are not tracked by PBSLB policies that are bound to individual virtual ports.

SOCKSTRESS_CHECK Session State


When the ACOS device checks a data packet against the new IP anomaly filters, the client’s session is in
the SOCKSTRESS_CHECK state. You might see this state if you are viewing debug output for the client’s
session.


Implementation Notes
Consider the following information when you work with IP anomaly filtering:

• All IP anomaly filters are supported for IPv4.

• All IP anomaly filters, except IP-option filtering, are supported for IPv6.

• DDoS protection is hardware-based on the following models:

• Thunder 6430S, Thunder 6430, and Thunder 5430S

• AX 3200-12

DDoS protection is software-based on other models.

• DDoS detection applies only to Layer 3, Layer 4, and Layer 7 traffic. Layer 2 traffic is not affected by the feature. Layer 4 and Layer 7 DDoS protection applies only to software releases that support Server Load Balancing (SLB).

• All IP anomaly filters, except “IP-option”, apply to IPv4 and IPv6. The “IP-option” filter applies only to IPv4.

• The ping-of-death option drops all IP packets longer than 32000 bytes on the following models:

• Thunder 3030S, Thunder 1030S, and Thunder 930

The option drops IP packets that are longer than 65535 bytes on the other models.
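The filter descriptions under IP Anomaly Filters and the per-model ping-of-death limits in the implementation notes above, collected into one runnable model. This is an added example written for this page; it is not A10 code and says nothing about how ACOS implements the filters internally. The Packet fields, the function names and the order in which the checks are evaluated are this example's own assumptions; the model name strings are the ones the notes list.

```python
# Added example (not A10 code): a stand-alone model of the IP anomaly filters
# described in this chapter, applied to constructed header summaries. It
# classifies packets the way the filter descriptions say the filters behave;
# Packet fields, function names and check order are this example's own.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Models on which ping-of-death drops IP packets longer than 32000 bytes;
# every other model uses 65535 bytes (implementation notes above).
POD_LIMIT_32000 = {"Thunder 3030S", "Thunder 1030S", "Thunder 930"}

ALL_FILTERS = {"frag", "ip-option", "land-attack", "ping-of-death",
               "tcp-no-flag", "tcp-syn-fin", "tcp-syn-frag"}


@dataclass
class Packet:
    """Constructed header summary (not a real capture)."""
    src: str
    dst: str
    version: int = 4                        # IP version, 4 or 6
    proto: str = "tcp"                      # "tcp", "udp" or "icmp"
    length: int = 60                        # total IP length in bytes
    fragment: bool = False                  # MF set or non-zero fragment offset
    ip_options: bool = False                # IPv4 options present
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"}


def ping_of_death_limit(model: str) -> int:
    return 32000 if model in POD_LIMIT_32000 else 65535


def matching_filter(pkt: Packet, enabled: Set[str],
                    model: str = "Thunder 6430S") -> Optional[str]:
    """Return the first enabled filter that drops pkt, or None if it passes.

    Filters are evaluated in the order the chapter lists them (assumption)."""
    tcp = pkt.proto == "tcp"
    checks = [
        ("frag", pkt.fragment),
        # IP-option filtering is supported only for IPv4.
        ("ip-option", pkt.ip_options and pkt.version == 4),
        ("land-attack", tcp and "SYN" in pkt.flags and pkt.src == pkt.dst),
        ("ping-of-death", pkt.proto == "icmp"
                          and pkt.length > ping_of_death_limit(model)),
        ("tcp-no-flag", tcp and not pkt.flags),
        ("tcp-syn-fin", tcp and {"SYN", "FIN"} <= pkt.flags),
        ("tcp-syn-frag", tcp and "SYN" in pkt.flags and pkt.fragment),
    ]
    for name, hit in checks:
        if name in enabled and hit:
            return name
    return None


def drop_counts(packets: Iterable[Packet], enabled: Set[str],
                model: str = "Thunder 6430S") -> Dict[str, int]:
    """Per-filter drop counters, in the spirit of the show slb l4 anomaly lines."""
    counts = {name: 0 for name in sorted(enabled)}
    for pkt in packets:
        name = matching_filter(pkt, enabled, model)
        if name:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    sample = [
        Packet("10.0.0.5", "10.0.0.5", flags=frozenset({"SYN"})),      # land attack
        Packet("10.0.0.7", "10.0.0.9", flags=frozenset({"SYN", "FIN"})),
        Packet("10.0.0.7", "10.0.0.9", proto="icmp", length=70000),
        Packet("10.0.0.7", "10.0.0.9", flags=frozenset({"SYN"})),      # ordinary SYN
    ]
    print(drop_counts(sample, ALL_FILTERS))
```

Note that with the frag filter enabled a fragmented SYN is counted under frag rather than tcp-syn-frag, because frag drops every fragment; the tcp-syn-frag filter only matters on its own.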

Configuring IP Anomaly Filtering


By default, all the IP anomaly filters that are described in this chapter are disabled. You can enable individual IP anomaly filters, on a system-wide basis.

This topic contains the following sections:

• Using the GUI to Configure IP Anomaly Filtering

• Using the CLI to Configure IP Anomaly Filtering

Using the GUI to Configure IP Anomaly Filtering


To use the GUI, navigate to Security >> DDoS Protection and select the anomaly for which you want
to enable protection.


Using the CLI to Configure IP Anomaly Filtering


To enable IP anomaly filters from the CLI, use the ip anomaly-drop command.

For example, the following command enables DDoS protection against ping-of-death attacks:

ACOS(config)# ip anomaly-drop ping-of-death

Refer to the “ip anomaly-drop” command in the Network Configuration Guide for more information about
this command.

Displaying IP Anomaly Statistics


This section describes how to view IP anomaly statistics. It has the following sub-sections:

• Using the GUI to Display IP Anomaly Statistics

• Using the CLI to Display IP Anomaly Statistics

Using the GUI to Display IP Anomaly Statistics


Navigate to ADC >> Statistics >> Switch.

NOTE: For more information, see the online Help.

Using the CLI to Display IP Anomaly Statistics


To display IP anomaly statistics, enter the show slb l4 command.

For system-wide PBSLB statistics, use the show pbslb client command. In the output of this command, the counters for a dynamic client are reset to 0 when the client’s dynamic entry ages out.

To clear all Layer 4 SLB statistics, including the IP anomaly counters, enter the clear slb l4 command.

NOTE: For more information about these commands, see the Command Line Interface Reference Guide.


Policy-based SLB

This chapter helps you understand and configure policy-based SLB (PBSLB).

The following topics are covered in this chapter:

• Overview

• Configuring a Black/White List

• Configuring System-wide PBSLB

• Configuring PBSLB for Individual Virtual Ports

• Configuration Example for Sockstress Attack Protection

• PBSLB Statistics Display

Overview
ACOS allows you to “black list” or “white list” individual clients or client subnets. White list traffic is
allowed, and black list traffic is dropped from specific client hosts or subnets in the list.

For white list traffic, you can specify the service group to use. You also can specify the action that will be taken (drop or reset) on new connections that exceed the configured connection threshold for the client address.

Example

The user can configure ACOS to respond to DDoS attacks from a client by dropping excessive connection attempts from the client.

You can apply PBSLB on a system-wide basis. If Server Load Balancing (SLB) is supported, you also can
apply PBSLB on individual virtual ports.

NOTE: ACOS also allows policy templates to be applied at the virtual-server level.
However, PBSLB does not take effect if you apply the policy template at
the virtual-server level. Only class lists are supported at the virtual-server
level. To use PBSLB, you must apply the policy template globally or on
individual virtual ports.


NOTE: If a connection limit is specified in a black/white list, the ACOS device does not support using the list for system-wide PBSLB and for PBSLB on an individual virtual port. In this case, the ACOS device may increase the current connection counter more than once, which results in a much lower connection limit than the configured value. To resolve this issue, you should use separate black/white lists.

Configuring a Black/White List


The following sections are described in this topic:

• Configuration Details and Examples

• Example Black/White List

• Dynamic Black/White-list Client Entries

• Connection Limit for Dynamic Entries

• Aging of Dynamic Entries

• Wildcard Address Support in PBSLB Policies Bound to Virtual Ports

Configuration Details and Examples


Client IP lists, such as black/white lists, can be configured on an external device and imported to the
ACOS device or can be entered in the GUI. The actions to take on the addresses in the list are specified
on the ACOS device. A black/white list can contain up to 8 million individual host addresses and up to
64,000 subnet addresses.

For each IP address (host or subnet) in a black/white list, you can add a row by using the following syntax:

ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]

The syntax is defined in the following way:

TABLE 1 Black/White List

Parameter        Description

ipaddr           Host or subnet address of the client.

network-mask     Optional network mask length. The default is 32, which means that the address is a host address.

group-id         Number between 1 and 31 in a black/white list that identifies a group of IP host or subnet addresses in the list. In a PBSLB policy template on the ACOS device, you can map the group to one of the following actions:
                 • Drop the traffic
                 • Reset the connection
                 • Send the traffic to a specific service group
                 The default group ID is 0, which means that no group is assigned.

#conn-limit      Maximum number of concurrent connections that are allowed from the client. By default, there is no connection limit. If you decide to set a limit, the valid range is between 1 and 32767. On the ACOS device, you can specify whether to reset or drop new connections that exceed this limit. The # is required only if you do not specify a group-id.

comment-string   Comment; everything to the right of the semicolon (;) is ignored by the ACOS device when it parses the file.

NOTE: The conn-limit is a coarse limit. The larger the number you specify, the
more coarse the limit.

Example
• If you specify 100, the ACOS device limits the total connections to 100.

• As another example, if you specify 1000, the device limits the connections to a maximum of 992
connections.

If the number in the file is larger than the supported maximum limit value, the parser uses the longest
set of digits in the number that you enter that makes a valid value.

Example
• If the file contains 32768, the parser uses 3276 as the value.

• As another example, if the file contains 111111, the parser will use 11111 as the value.

Example Black/White List


The following text is a sample black/white list:

10.10.1.3 4; blocking a single host. 4 is the drop group
10.10.2.0/24 4; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, any group ok
192.168.4.69 2 #20 ; assign to group 2, and allow 20 max

The first row assigns a specific host to group 4. On the ACOS device, the drop action is assigned to this
group, which black lists the client.

The second row black lists an entire subnet by assigning it to the same group (4).

The third row sets the maximum number of concurrent connections for a specific host to 20.

The fourth row assigns a specific host to group 2 and specifies a maximum of 20 concurrent connections.

NOTE: The ACOS device allows up to three parser errors when reading the file
but stops reading after the third parser error.
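The row syntax from Table 1 and the sample list above, as a parser that applies the rules this section states: the default /32 mask, the group-id and #conn-limit ranges, the "longest valid digit prefix" handling of over-large numbers (32768 becomes 3276, 111111 becomes 11111), comments after a semicolon, and reading that stops at the third parser error. This is an added example by the editor of this page, not A10's parser; the class and function names are its own, and two behaviours are assumptions rather than page statements: an out-of-range group-id is treated as a parser error, and lookup() picks the most specific (longest-prefix) entry for a client. The coarse rounding of large limits (1000 enforced as 992) is not modelled because the page does not give its granularity.

```python
# Added example (not A10 code): a parser for black/white list rows of the form
#   ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
# following the rules in Table 1 and the notes that accompany it.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_GROUP_ID = 31          # group-id range is 1-31; 0 means no group
MAX_CONN_LIMIT = 32767     # #conn-limit range is 1-32767
MAX_PARSER_ERRORS = 3      # the device stops reading after the third error


@dataclass
class BwEntry:
    network: ipaddress.IPv4Network      # a host address is stored as /32
    group_id: int = 0
    conn_limit: Optional[int] = None    # None: no connection limit


def longest_valid_prefix(digits: str, maximum: int) -> int:
    """Page rule for over-large numbers: 32768 -> 3276, 111111 -> 11111."""
    while len(digits) > 1 and int(digits) > maximum:
        digits = digits[:-1]
    value = int(digits)
    if not 1 <= value <= maximum:
        raise ValueError(f"{digits!r} is not within 1..{maximum}")
    return value


def parse_bw_line(line: str) -> Optional[BwEntry]:
    """Parse one row. Returns None for blank or comment-only lines and raises
    ValueError on a parser error."""
    body = line.split(";", 1)[0].strip()        # text after ';' is ignored
    if not body:
        return None
    tokens = body.split()
    addr = tokens[0] if "/" in tokens[0] else tokens[0] + "/32"
    network = ipaddress.ip_network(addr, strict=False)
    if not isinstance(network, ipaddress.IPv4Network):
        raise ValueError(f"only IPv4 addresses are supported: {tokens[0]!r}")
    group_id, conn_limit = 0, None
    rest = tokens[1:]
    if rest and rest[0].startswith("#"):
        # No group-id, so the '#' marks the number as a connection limit.
        if len(rest) != 1 or not rest[0][1:].isdigit():
            raise ValueError(f"bad connection limit in {body!r}")
        conn_limit = longest_valid_prefix(rest[0][1:], MAX_CONN_LIMIT)
    elif rest:
        if not rest[0].isdigit() or not 1 <= int(rest[0]) <= MAX_GROUP_ID:
            raise ValueError(f"bad group-id in {body!r}")   # assumption: error
        group_id = int(rest[0])
        if len(rest) == 2:
            # With a group-id present the '#' is optional (Table 1).
            limit = rest[1][1:] if rest[1].startswith("#") else rest[1]
            if not limit.isdigit():
                raise ValueError(f"bad connection limit in {body!r}")
            conn_limit = longest_valid_prefix(limit, MAX_CONN_LIMIT)
        elif len(rest) > 2:
            raise ValueError(f"too many fields in {body!r}")
    return BwEntry(network, group_id, conn_limit)


def parse_bw_list(text: str) -> Tuple[List[BwEntry], List[str]]:
    """Parse a whole file; reading stops once the third parser error is hit."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_bw_line(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            if len(errors) >= MAX_PARSER_ERRORS:
                break
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


def lookup(entries: List[BwEntry], client_ip: str) -> Optional[BwEntry]:
    """Most specific entry covering client_ip (assumed longest-prefix match)."""
    addr = ipaddress.ip_address(client_ip)
    matches = [e for e in entries if addr in e.network]
    return max(matches, key=lambda e: e.network.prefixlen, default=None)


# Constructed sample: the list shown above plus the wildcard row that the
# dynamic-entries section introduces.
SAMPLE_LIST = """\
10.10.1.3 4; blocking a single host. 4 is the drop group
10.10.2.0/24 4; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, any group ok
192.168.4.69 2 #20 ; assign to group 2, and allow 20 max
0.0.0.0/0 1 #20
"""

if __name__ == "__main__":
    parsed, problems = parse_bw_list(SAMPLE_LIST)
    for e in parsed:
        print(e)
    print("errors:", problems)
```

Running the parser over a list before importing it is a cheap way to catch the silent truncation of over-large limits, which the device would otherwise apply without complaint.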

Dynamic Black/White-list Client Entries


The ACOS device supports dynamic client entries. You can configure this feature by adding the client address 0.0.0.0/0 (wildcard address) to the black/white list that is used by the system-wide PBSLB policy.

When a client sends an HTTP or HTTPS connection request, the ACOS device checks the system-wide
PBSLB policy’s black/white list for the client’s IP address, with one of the following results:

• If there is no entry for the client, the ACOS device creates a dynamic entry for the client’s host address.

• If there is a dynamic entry for the client, the ACOS device resets the timeout value for the entry. (Dynamic entry aging is described below.)

NOTE: If there is a static entry for the client’s host or subnet address, the static
entry is used instead.

The following is an example of a wildcard address in a black/white list:

0.0.0.0/0 1 #20

In this example, the clients who do not match a static entry in the list are assigned to group 1 and are
limited to 20 concurrent connections.

The ACOS device supports up to 8 million dynamic client entries for system-wide PBSLB. Once this limit is reached, the ACOS device no longer tracks connections or anomaly counters for additional clients.


Connection Limit for Dynamic Entries


For dynamic entries in a system-wide PBSLB policy’s black/white list, the connection limit in the list
applies to each client.

In the example above, each client that has a dynamic entry in the black/white list will be allowed to have
a maximum of 20 concurrent connections.

Aging of Dynamic Entries


When the ACOS device creates a dynamic black/white list entry for a client, the device also sets the timeout for the entry. The timeout value for the dynamic entry decreases until the timeout reaches 0 or the client sends a new HTTP or HTTPS connection request.

If the client sends a new HTTP or HTTPS connection request, the timeout is reset to its full value. If the timeout reaches 0 and the client does not have active connections, the dynamic entry is removed. However, if the client has an active connection, the dynamic entry is not removed until the client’s connection ends. You can set the timeout to 1-127 minutes, and the default is 5 minutes.

If client-lockup is enabled, the timeout for a locked up client does not begin decreasing until the lockup
expires.

Wildcard Address Support in PBSLB Policies Bound to Virtual Ports


Dynamic client entries are supported only for system-wide PBSLB policies.

You can add a wildcard address (0.0.0.0/0) to a black/white list that is used by a virtual port’s PBSLB policy. The group ID and connection limit that are specified for the wildcard address are applied to clients that do not match a static entry in the list.

Consider the following limitations:

• The ACOS device does not create dynamic entries in the list.

• The connection limit applies collectively to all clients that do not have a static entry in the list.

Configuring System-wide PBSLB


The following sections are described in this topic:

• Options for System-wide PBSLB Policies

• Using the GUI to Configure System-wide PBSLB


• Using the CLI to Configure System-wide PBSLB

• Displaying and Clearing System-wide PBSLB Information

Options for System-wide PBSLB Policies


System-wide PBSLB policies provide the following options:

• Dynamic black/white-list client entries

• Client lockup

• IP anomaly checking and tracking, using IP anomaly filters

These options are not available in policies that are applied to individual ports.

Using the GUI to Configure System-wide PBSLB


To configure a system-wide PBSLB policy using the GUI, do the following:

1. Configure the PBSLB settings in an SLB policy template.

a. Navigate to ADC >> Template >> L7.
b. Click Create and select Policy from the drop-down list.
c. Specify a policy name; for example, pol1.
d. Expand the BW List section, and configure the Black/White list settings as desired.
e. Click OK.

2. Apply the policy template at the system level.

a. Navigate to ADC >> SLB >> Global.
b. In the System template policy field, select pol1 from the drop-down list.
c. Click Update.

Using the CLI to Configure System-wide PBSLB


To configure a system-wide PBSLB policy using the CLI, do the following:

1. Configure the PBSLB settings in an SLB policy template.

The following example drops any connections from clients that exceed one of the following limits:

• The connection limit that is configured in the specified black/white list.

• The threshold of any of the new IP anomaly filters.

Logging is enabled, and log messages are generated every two minutes.

ACOS(config)# slb template policy pol1
ACOS(config-policy)# bw-list id 1 drop logging 2
ACOS(config-policy)# bw-list over-limit lockup 5 logging 2
ACOS(config-policy)# exit
ACOS(config)#

2. Apply the policy template at the system level:

ACOS(config)# system template policy pol1

Displaying and Clearing System-wide PBSLB Information


To display information for system-wide PBSLB, enter the show pbslb system or show pbslb client command.

To clear PBSLB information, use the clear pbslb system or clear pbslb client command.

Use the entry option with the clear pbslb client command to clear both statistical counters and client entries; without this option, only the statistical counters are cleared.

Configuring PBSLB for Individual Virtual Ports


The following sections are described in this topic:

• Configuration Details

• Using the GUI to Configure PBSLB for Individual Virtual Ports

• Using the CLI to Configure PBSLB for Individual Virtual Ports

Configuration Details
You can configure PBSLB parameters for virtual ports by configuring the settings on individual ports or
by configuring a PBSLB policy template and binding the template to individual virtual ports.

NOTE: This feature is supported only in software releases that support Server
Load Balancing (SLB).


These steps assume that the real servers, service groups, and virtual servers have already been configured.

To configure PBSLB:

1. Configure a black/white list remotely or on the ACOS device.

If you configure the list remotely, import the list to the ACOS device.

2. Optionally, modify the sync interval for the list.

ACOS regularly synchronizes with the list to ensure that the copy on the ACOS device is current.

3. Configure PBSLB settings.

You can configure a policy template and bind the template to virtual ports, or configure the following settings on individual virtual ports:

• Specify the black/white list.

• Optionally, map each group ID that is used in the list to one of the following actions:

• Send the traffic to a specific service group.

• Reset the traffic.

• Drop the traffic.

• Optionally, change the action (drop or reset) that ACOS will take on connections that exceed the specified limit.

• Optionally, if necessary, change the client address matching from source IP matching to destination IP matching.

Using the GUI to Configure PBSLB for Individual Virtual Ports


To configure a PBSLB policy for individual virtual ports using the GUI, do the following:

1. Configure the PBSLB settings in an SLB policy template.

a. Navigate to ADC >> Template >> L7.
b. Click Create and select Policy from the drop-down list.
c. Specify a policy name; for example, pol1.
d. Expand the BW List section, and configure the Black/White list settings as desired.
e. Click OK.

2. Apply the policy template at the virtual port level.


a. Navigate to ADC >> SLB >> Virtual Servers.
b. Click Edit in the Actions column for an existing virtual server.
c. On the Update Virtual Server page, click Edit in the Actions column for an existing virtual port.
d. On the Update Virtual Port page, expand the Templates section.
e. Select the desired policy template from the drop-down list in the Template Policy field.
f. Click Update.

Using the CLI to Configure PBSLB for Individual Virtual Ports


The following commands import black/white list “sample-bwlist.txt” to the ACOS device:

ACOS(config)# import bw-list sample-bwlist tftp://myhost/TFTP-Root/ACOS_bwlists/sample-bwlist.txt
ACOS(config)# show bw-list
Name Url Size(Byte) Date
------------------------------------------------------------------------------
sample-bwlist tftp://myhost/TFTP-Root/ACOS_bwlists/sample-bwlist.txt N/A N/A
Total: 1

The following commands configure a PBSLB template and bind it to a virtual port:

ACOS(config)# slb template policy bw1
ACOS(config-policy)# bw-list name bw1
ACOS(config-policy)# bw-list id 2 service-group srvcgroup2
ACOS(config-policy)# bw-list id 4 drop
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy bw1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

The following command displays PBSLB information:

ACOS(config-slb vserver-vport)# show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0
PBSLB_VS2 80 sample-bwlist 2 0 0 0
4 0 0 0

Configuration Example for Sockstress Attack Protection


You can use system-wide PBSLB with IP anomaly filters to protect against Sockstress attacks, which are a type of DDoS attack.

In this example, the ACOS device drops all new connection attempts from a client if one of the following conditions occurs:

• The client already has 20 active connections and attempts to open a new HTTP or HTTPS connection.

• The client exceeds any of the IP anomaly thresholds.

The lockup period is set to 5 minutes, to continue enforcing the over-limit action for 5 minutes after the
over-limit action is triggered. The timeout for dynamic black/white list entries is set to 2 minutes.

This example uses the following black/white list:

0.0.0.0/0 1 #20

PBSLB Statistics Display


The following command displays system-wide statistics for the new IP anomaly filters:

ACOS(config)# show slb l4

Total
------------------------------------------------------------------
IP out noroute 20061
TCP out RST 0
TCP out RST no SYN 0
...
Anomaly out of sequence 225408
Anomaly zero window 225361
Anomaly bad content 224639

The following command displays statistics for the system-wide PBSLB policy:

ACOS(config)# show pbslb system

System B/W list: bwlist-wc
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
System bwlist-wc 1 12 0 0
2 0 0 0

The following command displays summary statistics for individual black/white-list clients:

ACOS# show pbslb client

GID = Group ID, S/D = Static or dynamic entry
Out-s = Out of sequence, Zero-w = Zero window, Bad-c = Bad content
IP S/D GID Conn-limit Curr-conn Age Lockup Out-s Zero-w Bad-c
------------------+---+---+----------+---------+-----+------+-----+------+----
40.40.40.168 /32 D 1 20 5 120 0 0 5 5
40.40.40.169 /32 D 1 20 6 0 5 0 6 6
40.40.40.170 /32 D 1 20 6 0 5 0 6 6
40.40.40.171 /32 D 1 20 6 0 5 0 6 6
40.40.40.172 /32 D 1 20 6 0 5 0 6 6
40.40.40.173 /32 D 1 20 2 120 0 0 2 2
40.40.40.174 /32 D 1 20 5 120 0 0 5 5
40.40.40.175 /32 D 1 20 5 120 0 0 5 5
40.40.40.160 /32 D 1 20 5 120 0 0 5 5
40.40.40.161 /32 D 1 20 6 120 0 0 6 6
40.40.40.162 /32 D 1 20 6 0 5 0 6 6
40.40.40.163 /32 D 1 20 6 0 5 0 6 6
40.40.40.164 /32 D 1 20 6 0 5 0 6 6
40.40.40.165 /32 D 1 20 5 120 0 0 5 5

The Age column indicates how many seconds remain before a dynamic entry ages out. For clients that
are currently locked out of the system, the value in the Lockup column indicates how many minutes the
lockup will continue. For locked-up clients, the age value is 0 until the lockup expires. After the lockup
expires, the age is reset to its full value. In this example, the lockup value is 120 seconds.
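
The per-client accounting behind the Age, Lockup, and Connection # values shown above can be modelled as follows. This is an added example written for readers of this guide, not ACOS code: it uses the settings of the Sockstress example (connection limit 20 from the list row 0.0.0.0/0 1 #20, a 5-minute lockup, a 2-minute dynamic-entry timeout) and assumes an anomaly threshold of 5 and that a new connection refreshes an entry's age, neither of which the guide states.

```python
from dataclasses import dataclass, field

# Settings taken from the Sockstress example in this section.
GROUP_ID = 1                  # GID from the list row "0.0.0.0/0 1 #20"
CONN_LIMIT = 20               # "#20": per-client connection limit
LOCKUP_S = 5 * 60             # lockup period of 5 minutes
ENTRY_TIMEOUT_S = 2 * 60      # dynamic entry timeout of 2 minutes
ANOMALY_THRESHOLD = 5         # assumed for this example; the guide does not give the filter thresholds
ANOMALY_KINDS = ("out_of_sequence", "zero_window", "bad_content")


@dataclass
class ClientEntry:
    """One dynamic row of 'show pbslb client'."""
    gid: int = GROUP_ID
    conn_limit: int = CONN_LIMIT
    curr_conn: int = 0
    age: int = ENTRY_TIMEOUT_S    # seconds left before the entry ages out; 0 while locked
    lockup: int = 0               # seconds of lockup remaining (the CLI shows minutes)
    anomalies: dict = field(default_factory=lambda: dict.fromkeys(ANOMALY_KINDS, 0))

    @property
    def locked(self) -> bool:
        return self.lockup > 0


class PbslbTracker:
    """System-wide PBSLB state for dynamic entries (a model, not ACOS code)."""

    def __init__(self, conn_limit=CONN_LIMIT, lockup_s=LOCKUP_S,
                 timeout_s=ENTRY_TIMEOUT_S, anomaly_threshold=ANOMALY_THRESHOLD):
        self.conn_limit = conn_limit
        self.lockup_s = lockup_s
        self.timeout_s = timeout_s
        self.anomaly_threshold = anomaly_threshold
        self.clients: dict[str, ClientEntry] = {}
        self.counters = {"establish": 0, "drop": 0}   # the "Connection #" columns

    def _entry(self, ip: str) -> ClientEntry:
        # The 0.0.0.0/0 row matches every client, so an entry is created on first sight.
        return self.clients.setdefault(
            ip, ClientEntry(conn_limit=self.conn_limit, age=self.timeout_s))

    def _lock(self, entry: ClientEntry) -> None:
        entry.lockup = self.lockup_s
        entry.age = 0                 # Age reads 0 until the lockup expires

    def new_connection(self, ip: str) -> str:
        """Return the action, 'establish' or 'drop', for a new connection attempt from ip."""
        entry = self._entry(ip)
        if entry.locked:
            self.counters["drop"] += 1
            return "drop"
        if entry.conn_limit and entry.curr_conn >= entry.conn_limit:
            self._lock(entry)         # over the limit: keep enforcing the action for the lockup period
            self.counters["drop"] += 1
            return "drop"
        entry.curr_conn += 1
        entry.age = self.timeout_s    # assumption: activity refreshes the dynamic entry
        self.counters["establish"] += 1
        return "establish"

    def close_connection(self, ip: str) -> None:
        entry = self._entry(ip)
        entry.curr_conn = max(0, entry.curr_conn - 1)

    def anomaly(self, ip: str, kind: str) -> bool:
        """Record one IP anomaly (Out-s, Zero-w or Bad-c); return True if the client is locked."""
        entry = self._entry(ip)
        entry.anomalies[kind] += 1
        if not entry.locked and entry.anomalies[kind] > self.anomaly_threshold:
            self._lock(entry)
        return entry.locked

    def tick(self, seconds: int) -> list[str]:
        """Advance the clock; return the clients whose entries aged out."""
        aged_out = []
        for ip, entry in list(self.clients.items()):
            if entry.locked:
                entry.lockup = max(0, entry.lockup - seconds)
                if not entry.locked:
                    entry.age = self.timeout_s   # back to the full value once the lockup ends
                continue
            entry.age = max(0, entry.age - seconds)
            if entry.age == 0:
                aged_out.append(ip)
                del self.clients[ip]
        return aged_out


if __name__ == "__main__":
    tracker = PbslbTracker()
    for _ in range(21):                       # constructed: 21 attempts from one client
        action = tracker.new_connection("40.40.40.168")
    print(action, tracker.clients["40.40.40.168"], tracker.counters)
```

Running the block opens 21 connections from one address: the 21st is dropped, the entry shows Lockup 300 and Age 0, and only after tick() has consumed the lockup does the age return to 120 and start counting down to removal.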

The following command displays detailed statistics for a specific black/white-list client:

ACOS# show pbslb client 40.40.40.168

IP address: 40.40.40.168
Netmask length: 32
Type: Dynamic
Group ID: 1
Connection limit (0 = no limit): 1984
Current connection: 6
Age: 0 second
Lockup time: 5 minute
Out of sequence: 0
Zero window: 6
Bad content: 6

SYN Cookies

This chapter describes the SYN-cookie feature and how it helps protect ACOS devices against disrup-
tive SYN-based flood attacks. The following topics are described in this chapter:

• Overview of SYN Cookies

• Configuring SYN Cookies

• Viewing SYN-cookie Statistics

Overview of SYN Cookies


SYN cookies protect against TCP SYN flood attacks. When SYN cookies are enabled, the ACOS device
can continue to serve legitimate clients during these attacks, while preventing illegitimate traffic from
consuming system resources.

This section contains the following topics:

• SYN Flood Attacks

• Identifying SYN Flood Attacks

• ACOS SYN-cookie Protection

• Dynamic SYN Cookies

• SYN Cookie Buffering

• SACK and MSS with Software-based SYN-cookies

SYN Flood Attacks


During a TCP SYN flood attack, an attacker sends many TCP SYN requests to a network device, such
as a server. The server replies with a standard SYN-ACK message. However, rather than completing the
3-way handshake with the standard ACK, the attacker ignores the reply, leaving a “half-open” TCP
connection. System resources are consumed because the device waits for a response from the client
that never arrives.

Under large-scale attacks, excessive half-open connections cause a network device’s TCP connection
queue to become full. This over-subscription prevents the device from establishing new connections
with legitimate clients.

Identifying SYN Flood Attacks


The graphics in this section illustrate how the ACOS device determines whether a particular TCP con-
nection is from a legitimate request or if it is part of a SYN flood attack.

Figure 1 depicts a typical 3-way TCP handshake, which consists of a SYN request from the client, the
SYN-ACK reply from the ACOS device, and finally an ACK from the client to the ACOS device.

FIGURE 1 SYN-ACK Handshake (Legitimate Client)

However, SYN flood attacks (Figure 2) can cripple a network by sending multiple SYN requests to a net-
work device. The device responds to these SYN requests with SYN-ACKs and waits for responses from
the client that never arrive. These bogus requests create many “half-open” sessions, which wastes sys-
tem memory and other system resources. The state of being oversubscribed reduces the device’s free
resources, which prevents it from accepting requests from legitimate clients.

FIGURE 2 SYN-ACK Handshake (Hacker)

Enabling SYN cookies mitigates the damage caused by such DoS attacks by preventing the attacks
from consuming system resources.

TCP connections for which the ACOS device did not receive an ACK from the client are identified as
belonging to a SYN flood attack and are counted in the L4 SYN attack counter in the output of the
show slb l4 command.

ACOS SYN-cookie Protection


By enabling SYN cookies, the ACOS device’s TCP connection queue is prevented from filling up during
TCP SYN flood attacks. When a client sends a SYN request, the ACOS device responds with a SYN
cookie. This response is a special type of SYN-ACK message.

SYN cookies prevent hackers from consuming excessive system resources by encoding the necessary
state information for the client connection in a TCP sequence number. Rather than storing state infor-
mation for each TCP session, the sequence number in the SYN cookie acts as a shorthand, which
allows the ACOS device to compress much of the session information into a smaller amount of data.

This sequence number is sent to the client as a SYN-ACK packet. When a legitimate client receives this
information, it replies with an ACK that contains the sequence number plus 1.

When the ACK that contains the expected sequence number is received from the client, the ACOS device
reconstructs the connection information and establishes a connection with that client.

If the SYN Request is part of an attack, the attacker does not send an ACK to the ACOS device. The
ACOS device sends a SYN cookie, but the attacker does not receive it (or may choose to ignore it), and
the ACOS device does not establish a connection.
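
The following Python example, added here and not part of A10's product, shows the mechanism this section describes: the device keeps no per-SYN state, encodes a time counter, an MSS hint, and a keyed hash into the SYN-ACK sequence number, and reconstructs the connection only when the client's ACK carries that number plus 1. The bit layout, the secret, the MSS table, the sample 4-tuples, and the function names are all constructed for the example; the simulate_handshakes helper maps the outcomes onto the counters this chapter names later (SYN cookie snt, SYN cookie chk fail, L4 TCP Established, L4 SYN attack).

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
# Constructed secret for this example only; a real implementation rotates it.
SECRET = b"example-syn-cookie-secret"
# Four MSS values the cookie can remember, encoded in 2 bits of the sequence number.
MSS_TABLE = (536, 1220, 1440, 1460)
MAX_COOKIE_AGE = 3       # counter ticks a cookie stays valid (the handshake completion threshold)


def _mac(src, sport, dst, dport, counter):
    """Keyed hash over the 4-tuple and the time counter; 25 bits are used."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_syn_cookie(src, sport, dst, dport, client_mss, counter):
    """Initial sequence number sent in the SYN-ACK.

    Layout (32 bits): 5-bit time counter | 2-bit MSS index | 25-bit MAC.
    Nothing about the half-open connection is stored on the device.
    """
    if client_mss >= MSS_TABLE[0]:
        mss_idx = max(i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss)
    else:
        mss_idx = 0
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | _mac(src, sport, dst, dport, counter)


def verify_ack_cookie(src, sport, dst, dport, ack, counter_now):
    """Validate the client's ACK (cookie + 1); return the MSS to use, or None."""
    seq = (ack - 1) & MASK32              # the client acknowledges cookie + 1
    cookie_ticks = seq >> 27
    mss_idx = (seq >> 25) & 0x3
    mac = seq & 0x1FFFFFF
    age = (counter_now - cookie_ticks) & 0x1F
    if age > MAX_COOKIE_AGE:
        return None                       # stale cookie: the handshake took too long
    if mac != _mac(src, sport, dst, dport, counter_now - age):
        return None                       # counted as "SYN cookie chk fail"
    return MSS_TABLE[mss_idx]


def simulate_handshakes(flows, counter_now):
    """Drive SYN / SYN-ACK / ACK for each flow and count outcomes like the CLI counters."""
    stats = {"SYN cookie snt": 0, "L4 TCP Established": 0,
             "SYN cookie chk fail": 0, "L4 SYN attack": 0}
    for src, sport, dst, dport, mss, behaviour in flows:
        cookie = make_syn_cookie(src, sport, dst, dport, mss, counter_now)
        stats["SYN cookie snt"] += 1      # SYN-ACK carrying the cookie sent, no state kept
        if behaviour == "ignore":
            stats["L4 SYN attack"] += 1   # no ACK ever arrives; nothing was allocated
            continue
        if behaviour == "ack":
            ack = (cookie + 1) & MASK32   # legitimate third packet of the handshake
        else:                             # "bad-ack": the ACK does not match the cookie
            ack = ((cookie ^ 1) + 1) & MASK32
        if verify_ack_cookie(src, sport, dst, dport, ack, counter_now) is None:
            stats["SYN cookie chk fail"] += 1
        else:
            stats["L4 TCP Established"] += 1
    return stats


# Constructed sample: two legitimate clients, one that never answers, one bad ACK.
SAMPLE_FLOWS = [
    ("198.51.100.10", 40001, "10.10.10.69", 80, 1460, "ack"),
    ("198.51.100.11", 40002, "10.10.10.69", 80, 1400, "ack"),
    ("203.0.113.5", 1234, "10.10.10.69", 80, 1460, "ignore"),
    ("203.0.113.6", 1235, "10.10.10.69", 80, 1460, "bad-ack"),
]

if __name__ == "__main__":
    print(simulate_handshakes(SAMPLE_FLOWS, counter_now=100))
```

The MSS is recovered from the cookie rather than from stored state, which is why only a small table of values can be offered; the age check is what makes a cookie unusable once the handshake completion threshold has passed.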

Dynamic SYN Cookies


You can configure on and off thresholds for SYN cookies. When there are no TCP SYN attacks, the TCP
options are preserved.

You can configure the following dynamic SYN cookie options:

• On-threshold – specifies the maximum number of concurrent half-open TCP connections that are
allowed on the ACOS device, before SYN cookies are enabled. If the number of half-open TCP
connections exceeds the on-threshold value, the ACOS device enables SYN cookies. You can
specify 0-2147483647 half-open connections.
• Off-threshold – specifies the minimum number of concurrent half-open TCP connections for
which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this
level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.

By default, hardware-based SYN cookies are disabled. When the feature is enabled, there are no default
settings for the on- and off-threshold. If you omit the on-threshold and off-threshold options, SYN cook-
ies are enabled and are always on, regardless of the number of half-open TCP connections on the ACOS
device.

NOTE: It may take up to 10 milliseconds for the ACOS device to detect and
respond to crossover of either threshold.
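
As an added illustration (not ACOS code), the on/off threshold behaviour is a hysteresis loop: SYN cookies turn on once the half-open count exceeds the on-threshold and stay on until it falls below the off-threshold, so the feature does not flap while the count hovers near either value. The class below models that with the 50000/30000 values used later in this chapter; that both thresholds must be given together and that the off-threshold must not exceed the on-threshold are assumptions of this model, not statements from the guide.

```python
class DynamicSynCookie:
    """Hysteresis controller for the on-threshold / off-threshold behaviour (model only)."""

    MAX_THRESHOLD = 2147483647   # upper bound of both options

    def __init__(self, on_threshold=None, off_threshold=None):
        # Assumption: the two thresholds are configured together or not at all.
        if (on_threshold is None) != (off_threshold is None):
            raise ValueError("on-threshold and off-threshold must be configured together")
        if on_threshold is not None:
            for value in (on_threshold, off_threshold):
                if not 0 <= value <= self.MAX_THRESHOLD:
                    raise ValueError("threshold out of range")
            # Assumption: off must not exceed on, otherwise the feature would flap.
            if off_threshold > on_threshold:
                raise ValueError("off-threshold must not exceed on-threshold")
        self.on_threshold = on_threshold
        self.off_threshold = off_threshold
        # With no thresholds, SYN cookies are always on once the feature is enabled.
        self.enabled = on_threshold is None
        self.transitions = []      # (half_open, enabled) recorded at every state change

    def update(self, half_open: int) -> bool:
        """Feed the current half-open connection count; return whether SYN cookies are on."""
        if self.on_threshold is None:
            return True
        before = self.enabled
        if not self.enabled and half_open > self.on_threshold:
            self.enabled = True            # crossed the on-threshold
        elif self.enabled and half_open < self.off_threshold:
            self.enabled = False           # fell below the off-threshold
        if self.enabled != before:
            self.transitions.append((half_open, self.enabled))
        return self.enabled

    def run(self, samples):
        """Apply a sequence of half-open counts; return the state after each sample."""
        return [self.update(count) for count in samples]


if __name__ == "__main__":
    controller = DynamicSynCookie(on_threshold=50000, off_threshold=30000)
    # Constructed sample of half-open counts over time.
    print(controller.run([10000, 50000, 50001, 40000, 30000, 29999, 60000]))
    print(controller.transitions)
```

Note that 50000 itself does not switch cookies on and 30000 itself does not switch them off; the guide says the count must exceed the on-threshold and fall below the off-threshold, so the boundary values are inclusive of the current state.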

SYN Cookie Buffering


SYN Cookie Buffering optimizes performance by increasing the number of buffers that are allocated to
TCP connections when system memory usage is low and reducing the number of buffers when system
memory usage is high.

When SYN cookies are enabled, the ACOS device allocates 10 buffers to each TCP connection, and by
default, offers a TCP window size of 8000.

When memory usage increases and system resources are scarce, the number of buffers that are
reserved for each TCP connection gradually reduces from 10 buffers to 1 buffer per TCP connection.
The window size also reduces during this process.

SYN Cookie Buffering is automatically enabled when SYN cookies are enabled. By default, 10 buffers
are allocated to each TCP connection. Instead of being dropped and requiring later retransmission,
packets are stored in the ACOS device’s memory and forwarded to the real server when the back-end
connection is available.

NOTE: This feature is not supported with SLB fast-path processing.

SACK and MSS with Software-based SYN-cookies


Software-based SYN cookies are an optional feature that is available on certain AX models at the config-
uration level for virtual ports. For software-based SYN cookies, the ACOS device bases Selective
Acknowledgment (SACK) support and the maximum segment size (MSS) setting on the replies that the
servers send to TCP health checks.

This section contains the following topics:

• SACK

• MSS

SACK
The ACOS device includes the Sack-Permitted option in TCP SYN health check packets sent to servers.

• If all of the up servers in the service group reply with a TCP SYN-ACK that contains a SACK option,
the ACOS device uses SACK with the software-based SYN-cookie feature for all servers in the ser-
vice group.
• If any of the up servers in the service group do not send a SACK option, the ACOS device does not
use SACK with the software-based SYN-cookie feature for any servers in the service group.

MSS
The lowest MSS value that is supported by a server in the service group is the MSS value that is used
by the ACOS device for software-based SYN-cookies.

Configuring SYN Cookies


The following sections describe how to enable SYN-cookie support and configure advanced features:

• Enabling SYN-cookie Support

• Configuration with Target VIP and Client-side Router in Different Subnets

• Modifying the Threshold for TCP Handshake Completion

• Configuring SYN-cookie Buffering

Enabling SYN-cookie Support


This section contains the following topics:

• Details

• FTA Models

• Non-FTA Models

Details
Depending on the Thunder or AX model, you can use hardware-based SYN cookies or software-based
SYN cookies:

• Hardware-based SYN cookies can be globally enabled and applied to all virtual server ports that
are configured on the device.
Hardware-based SYN cookies are available on FTA devices. See the FTA Devices section on the
A10 Hardware Install Guides website for a list of FTA Thunder and AX devices.
• Software-based SYN cookies can be enabled on individual virtual ports. This version of the feature
is available on all AX models.

Consider the following information:

• Hardware-based SYN cookies are a faster, easier-to-configure alternative to the software-based
SYN cookie feature available on all AX platforms.

If your AX model supports hardware-based SYN cookies, A10 Networks recommends that you use
the hardware-based version of the feature instead of the software-based version.
If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN
cookies are used. Although software-based SYN cookies can be enabled, they are not used.
If Application Delivery Partitioning (ADP) is configured, hardware-based SYN cookies apply to all
partitions. The feature is not partition-aware.
• If the target VIP is in a different subnet from the client-side router, use of hardware-based SYN
cookies requires some additional configuration.

NOTE: For more information, see Configuration with Target VIP and Client-side
Router in Different Subnets.

• Software-based SYN cookies are supported only in software releases that support SLB.

FTA Models
To enable hardware-based SYN cookies on ACOS models that feature FTAs, use the syn-cookie enable
command at the global configuration level.

The command in the following example enables dynamic SYN cookies when the number of concurrent
half-open TCP connections exceeds 50000 and disables SYN cookies when the number falls below
30000:

ACOS(config)# syn-cookie enable on-threshold 50000 off-threshold 30000

Non-FTA Models
To enable software-based SYN cookies, use the syn-cookie command at the virtual-port level. For
example:

ACOS(config)# slb virtual-server vip1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# syn-cookie

Configuration with Target VIP and Client-side Router in Different Subnets
Usually, the target VIP in an SLB configuration is in the same subnet as the client-side router. However,
if the target VIP is in a different subnet, to use hardware-based SYN cookies, configure the following
items:

• On the ACOS device, configure a “dummy” VIP that is in the same subnet as the client-side router.

• On the client-side router, configure a static route to the VIP by using the dummy VIP as the next
hop.

Figure 3 is an example of this deployment.

FIGURE 3 Hardware-based SYN Cookies – Target VIP and Client-Side Router in Different Subnets

The following commands configure hardware-based SYN cookies on the ACOS device:

ACOS(config)# slb virtual-server dummyvip 10.10.10.154
ACOS(config-slb vserver)# exit
ACOS(config)# syn-cookie

NOTE: If VRRP-A is configured, add both the target VIP and the dummy VIP to
the same VRID so these VIPs will fail over as a unit.

Modifying the Threshold for TCP Handshake Completion


To modify the threshold for TCP handshake completion, use the ip tcp syn-cookie threshold global
configuration command.

For example, to set the threshold to 3 seconds:

ACOS(config)# ip tcp syn-cookie threshold 3

Configuring SYN-cookie Buffering


This section contains the following topics:

• Details

• Using the GUI to Configure SYN-cookie Buffering

• Using the CLI to Configure SYN-cookie Buffering

Details
When SYN cookies are enabled, 10 buffers are available to hold overflow packets from each client ses-
sion. As system memory fills up, the number of buffers dedicated to each TCP connection is reduced.
The reduction occurs gradually and is tied to system memory usage.

There are three thresholds that can be configured on the ACOS device. When these free system
memory thresholds are breached, the number of buffers that are allocated to each session (and the
TCP window size) are reduced. Reducing the TCP window size is intended to prevent the client from
sending data faster than the ACOS device can receive it.

The graduated buffers and window sizes appear below. By default, each TCP session is allocated 10
buffers, and the TCP window size is set to 8K.

• If the first threshold is breached, the buffer is reduced to 4 buffers, and the TCP window size is
reduced to 4K.
• If the next memory threshold is breached, the buffer is reduced to 2 buffers, and the TCP window
size is reduced to 2K.
• If the final threshold is breached, the buffer is reduced to 1 buffer, and the TCP window size is
reduced to 1K.

These thresholds are based on system memory usage, and the values are configurable.

Consider the following information:

• Each buffer size is approximately 1500 bytes. The total number of buffers varies from one model to
the next and is based on the total memory per connection.
• If hardware-based SYN cookies are enabled, ACOS does not modify the TCP window size. It remains
hard-coded at 65K.

Using the GUI to Configure SYN-cookie Buffering


To configure SYN-cookie buffering using the GUI:

1. Navigate to the ADC >> SLB >> Global page.
2. Click the Buffer Threshold checkbox.

This reveals additional fields that can be configured.

NOTE: For more information about the fields, see the latest version of the Online Help.

Using the CLI to Configure SYN-cookie Buffering


You can enter the buff-thresh CLI command to configure the thresholds for system memory usage.
These threshold configurations apply to both software- and hardware-based models.

You do not have to change the system memory usage thresholds from the default settings. However,
you can modify these thresholds by entering the following CLI commands:

!
slb common
buff-thresh hw-buff num relieve-thresh num sys-buff-low num sys-buf-high num

For additional information about changing the system memory thresholds, see the buff-thresh com-
mand in the Command Line Interface Reference.

Viewing SYN-cookie Statistics


This section describes how to view SYN-cookie statistics by using the GUI or CLI.

This section contains the following topics:

• Using the GUI to View SYN-cookie Statistics

• Using the CLI to View SYN-cookie Statistics

Using the GUI to View SYN-cookie Statistics


To display SYN-cookie statistics, navigate to the ADC >> Statistics >> L4 page in the GUI.

NOTE: For more information about the fields, see the latest version of the Online Help.

Using the CLI to View SYN-cookie Statistics


This section summarizes some of the CLI commands that can be used to view SYN-cookie statistics.

The following sections are described in this topic:

• L4 SYN attack

• L4 TCP Established

• Examples

The following fields in the output of the show slb l4 command allow you to view TCP traffic in terms of
legitimate traffic and attacks.

L4 SYN attack
Displays a running counter of the number of packets that the ACOS device considers to be from a SYN
flood attack. This assumption is based on the fact that the device did not receive an ACK from the cli-
ent.

L4 TCP Established
Displays a running counter of TCP packets that the ACOS device considers to be from legitimate clients.
When SYN cookies are enabled, and a legitimate client sends a SYN request, the ACOS device responds
with a SYN ACK. If the ACOS device receives an ACK, the packet is considered safe.

Examples
These fields are highlighted in the following examples:

• CLI Example 1: View Attack Prevention Statistics

• CLI Example 2: View SYN Attack Counter

• CLI Example 3: View Legitimate Session Counter

• CLI Example 4: View SYN-cookie Buffering Statistics

CLI Example 1: View Attack Prevention Statistics


You can view SYN-cookie statistics for one sampling interval or across the following time intervals:

• Current

• 1 second

• 5 seconds

• 30 seconds

• 1 minute

• 5 minutes

The following command displays SYN-cookie statistics across multiple time intervals:

ACOS# show slb attack-prevention

Current 1 sec 5 sec 30 sec 1 min 5 min
-----------------------------------------------------------------------------
SYN cookie snt 0 0 0 0 0 0
SYN cookie snt ts 0 0 0 0 0 0
SYN cookie snt fail 0 0 0 0 0 0
SYN cookie chk fail 0 0 0 0 0 0
SYN attack 0 0 0 0 0 0

Table 2 describes the fields that appear in the output of the show slb attack-prevention command.

TABLE 2 show slb attack-prevention fields


Field Description
SYN cookie snt Number of TCP SYN cookies sent.
SYN cookie snt ts Number of expanded TCP SYN cookies sent.
SYN cookie snt fail Number of TCP SYN cookie send attempts that failed.
SYN cookie chk fail Number of TCP SYN cookies for which the responding ACK failed the SYN cookie check.
SYN attack Total number of SYN connections that did not receive an ACK from the client and are
assumed to be part of a SYN attack.

Limitations
• When running the show slb attack-prevention command on an FTA model, the SYN attack field
does not display output for the historical counters (1s/5s/30s/1min/5min). Output is only pro-
vided for the Current column.
• This feature is supported for L3V private partitions in non-FTA models. If the show slb attack-
prevention command is run from an L3V network partition on an FTA model, the SYN attack
counter displays zero for all columns.

To clear these statistics, enter the clear slb attack-prevention command.

CLI Example 2: View SYN Attack Counter


The following example displays output from the show slb l4 command. The L4 SYN attack field indi-
cates that 30 packets appear to have been part of a SYN flood attack.

ACOS# show slb l4

Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
...
L4 SYN attack 30
...

CLI Example 3: View Legitimate Session Counter


The following example displays output from the show slb l4 command. The L4 TCP Established field
indicates that 1,766 packets appear to have been from a legitimate source, not from an attacker.

ACOS# show slb l4

Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
...
L4 TCP Established 1766

CLI Example 4: View SYN-cookie Buffering Statistics


The following example displays output for SYN cookie buffer statistics:

ACOS# show slb syn-cookie-buffer

Maximum SYN cookie buffer size : 10
Total SYN cookie buffer queued : 0
Total SYN cookie buffer drop : 0

SYN Attack Counter Support for L3V


The SYN flood attack counter in the output for the show slb l4 command may not work correctly in
every situation. For example, while counters that are associated with software-based SYN cookies work
correctly in L3V and non-L3V deployments, counters that are associated with hardware-based SYN
cookies do not work with private partitions.

Table 3 shows the limitations that are associated with using SYN flood attack counters under a
variety of conditions.

TABLE 3 SYN flood attack counter matrix


Hardware-based   Software-based           L3V Private   SYN cookie counter
SYN cookie       SYN cookie               Partitions    incremented?
Enabled          Disabled                 Disabled      Yes
Disabled         Enabled                  Disabled      Yes
Disabled         Enabled                  Enabled       Yes
Enabled          Enabled (irrelevant)1    Enabled       No2

1. If hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. “Irrele-
vant” means that hardware-based SYN cookies are also enabled.
2. “No” means that the SYN flood attack counters fail when hardware- and software-based SYN cookies are enabled at
the same time as L3V (private partitions). This is a known limitation with this feature.

The SYN cookie counter incremented? column indicates whether the SYN cookie counter display will
function correctly, based on the status of the other conditions that are associated with this deployment.

IP Limiting

IP limiting provides an enhanced implementation of the source IP connection limiting and connection-
rate limiting feature. This chapter describes the IP limiting options and how to configure and apply
these options.

This chapter contains the following topics:

• Overview of IP Limiting

• Understanding Class Lists

• Understanding IP Limiting Rules

• CLI Examples - Configuration

• CLI Examples - Display

Overview of IP Limiting
IP limiting provides the following benefits:

• Configuration flexibility:

You can apply source IP limiting on a system-wide basis, on individual virtual servers, or on individ-
ual virtual ports.
• Class lists:

You can configure different classes of clients, and apply a separate set of IP limits to each class.
You also can exempt specific clients from being limited.

NOTE: For more information, see Understanding Class Lists.

• Separate limits can be configured for each of the following items:

• Concurrent connections
• Connection rate
• Concurrent Layer 7 requests
• Layer 7 request rate

NOTE: Layer 7 request limiting applies only to the HTTP, HTTPS, and fast-HTTP
virtual port types.

Understanding Class Lists


A class list is a set of IP host or subnet addresses that are mapped to IP limiting rules. The ACOS device
can support up to 255 class lists, and each class list can contain up to 8 million host IP addresses and
64,000 subnets.

NOTE: Class lists can be configured only in the shared partition. A policy tem-
plate that is configured in a shared partition or in a private partition can
use a class list that is configured in the shared partition.

This topic contains the following sections:

• Class List Syntax

• IP Address Matching

• Example Class Lists

• Configuring Class Lists

Class List Syntax


Each row in the class list defines a client class and has the following format:

ipaddr /network-mask [glid num | lid num] [age minutes] [; comment-string]

Table 4 describes each part of the format.

TABLE 4 Class List Syntax Parameters


Parameter Description
ipaddr Specifies the host or subnet address of the client. Both IPv4 and IPv6 addresses are sup-
ported.
network-mask Subnet mask for the client address.

To configure a wildcard IP address, specify 0.0.0.0 /0 (for IPv4) or ::/0 (for IPv6). The
wildcard address matches on all addresses that do not match any entry in the class list.
glid num Specifies the ID of the IP limiting rule that will be used to match clients. A glid configures
an IP limiting rule that is configured at the global configuration level.
lid num Specifies the ID of the IP limiting rule that will be used to match clients. A lid configures
an IP limiting rule that is configured at the same level as the class list (in the same policy
template).
age minutes Removes a host entry from the class list after the specified number of minutes. You can
specify 1-2000 minutes.

When you assign an age value, the host entry remains in the class list only for the speci-
fied number of minutes. After the age reaches 0, the host entry is removed from the class
list in the next minute.

You can use the age option with IP limiting options in the LID or GLID to temporarily con-
trol client access. Traffic limiting settings in the LID or GLID that are assigned to the host
entry are in effect only until the age expires.

The age option applies only to host entries (IPv4 /32 or IPv6 /128). The age option is not
supported for subnet entries.

NOTE: If you use a class-list file that is periodically re-imported, the age for class-list entries that
are added to the system from the file does not reset when the class-list file is re-imported.
Instead, the entries continue aging normally.
;comment-string Custom comment. Use a semi-colon (;) in front of the comment string.

NOTE: The ACOS device discards the comment string when you save the class list.

IP Address Matching
By default, the ACOS device matches the class-list entries based on the source IP address of client traf-
fic. Optionally, you can also match based on one of the following items:

• Destination IP address:

Matches based on the destination IP address instead of the source IP address.
• IP address in HTTP request:

Matches based on the IP address in a header in the HTTP request. You can specify the header
when you enable this option.

Example Class Lists


Here is an example of a simple class list. This list matches on all clients and uses an IP limiting rule that
is configured at the global configuration level:

0.0.0.0/0 glid 1

The following is an example with more options:

1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)

The rows in the list specify the following:

• For individual host 1.1.1.1, use IP limiting rule 1, which is configured in a policy template.

A policy template can be applied globally for system-wide IP limiting or to an individual virtual
server or virtual port. This is described in more detail in a later section.
• For all hosts in subnet 2.2.2.0/24, use IP limiting rule 2, which is configured in a policy template.

• For all hosts that do not match another entry in the class list, use IP limiting rule 10, which is con-
figured in a policy template.
• For individual host 3.3.3.3, use IP limiting rule 3, which is configured at the global configuration
level.
• For individual host 4.4.4.4, do not use an IP limiting rule.
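
The parser and lookup below, an added example rather than A10 code, read rows in the syntax from Table 4, resolve a client address by longest-prefix match (so the 0.0.0.0/0 wildcard catches only clients that match no other entry), reject age on subnet entries as the table requires, and drop the comment when a row is written back, as the device does on save. It uses the example list above as constructed input; the function names are the example's own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# The "example with more options" from the guide, used here as constructed input.
EXAMPLE_CLASS_LIST = """\
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)
"""


@dataclass
class ClassListEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    rule_kind: Optional[str] = None    # "glid", "lid", or None for an exception entry
    rule_id: Optional[int] = None
    age: Optional[int] = None          # minutes; host entries only
    comment: Optional[str] = None

    @property
    def is_host(self) -> bool:
        return self.network.prefixlen == self.network.max_prefixlen


def parse_entry(line: str) -> Optional[ClassListEntry]:
    """Parse one row: ipaddr /network-mask [glid num | lid num] [age minutes] [; comment]."""
    body, _, comment = line.partition(";")
    tokens = body.split()
    if not tokens:
        return None                                    # blank line
    # Accept both "1.1.1.1 /32" and "0.0.0.0/0".
    if len(tokens) > 1 and tokens[1].startswith("/"):
        address, rest = tokens[0] + tokens[1], tokens[2:]
    else:
        address, rest = tokens[0], tokens[1:]
    entry = ClassListEntry(network=ipaddress.ip_network(address, strict=False),
                           comment=comment.strip() or None)
    if len(rest) % 2:
        raise ValueError(f"option without a value in {line!r}")
    for key, value in zip(rest[::2], rest[1::2]):
        if key in ("glid", "lid") and entry.rule_kind is None:
            entry.rule_kind, entry.rule_id = key, int(value)
        elif key == "age" and entry.age is None:
            entry.age = int(value)
            if not 1 <= entry.age <= 2000:
                raise ValueError("age must be 1-2000 minutes")
        else:
            raise ValueError(f"unexpected option {key!r} in {line!r}")
    if entry.age is not None and not entry.is_host:
        raise ValueError("age is supported only for host entries (/32 or /128)")
    return entry


def is_valid_row(line: str) -> bool:
    """True if the row parses; malformed rows are rejected rather than silently ignored."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def parse_class_list(text: str) -> list[ClassListEntry]:
    return [e for e in (parse_entry(row) for row in text.splitlines()) if e is not None]


def lookup(entries: list[ClassListEntry], ip: str) -> Optional[ClassListEntry]:
    """Longest-prefix match, so the 0.0.0.0/0 wildcard only catches otherwise unmatched clients."""
    addr = ipaddress.ip_address(ip)
    candidates = [e for e in entries
                  if e.network.version == addr.version and addr in e.network]
    return max(candidates, key=lambda e: e.network.prefixlen, default=None)


def save_line(entry: ClassListEntry) -> str:
    """Row as the device stores it: the comment string is discarded on save."""
    parts = [f"{entry.network.network_address} /{entry.network.prefixlen}"]
    if entry.rule_kind:
        parts.append(f"{entry.rule_kind} {entry.rule_id}")
    if entry.age is not None:
        parts.append(f"age {entry.age}")
    return " ".join(parts)


if __name__ == "__main__":
    entries = parse_class_list(EXAMPLE_CLASS_LIST)
    for client in ("1.1.1.1", "2.2.2.77", "3.3.3.3", "4.4.4.4", "9.9.9.9"):
        hit = lookup(entries, client)
        print(client, "->", save_line(hit) if hit else "no match")
```

Matching is by network containment and prefix length only, which is why an IPv6 client finds nothing in an IPv4-only list; the destination-address and HTTP-header matching options described above would change which address is passed to lookup, not the lookup itself.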

Configuring Class Lists


This section contains the following topics:

• Using the GUI to Import a Class List

• Using the GUI to Configure a Class List

• Using the CLI to Import a Class List

• Using the CLI to Configure a Class List

Using the GUI to Import a Class List


To import a class list using the GUI:

1. Hover over ADC and select SLB from the menu bar.
2. Click the Class Lists tab, then select Import from the drop-down list.
3. Click Import.
4. Specify the name and location of the file you want to import. Refer to the GUI online help for this
page for more information about each field.
5. Click Import.

Using the GUI to Configure a Class List


To configure a class list using the GUI:

1. Hover over ADC and select SLB from the menu bar.
2. Click the Class Lists tab, then select Configuration from the drop-down list.
3. Click Create.
4. In the Name field, specify a class list name.
5. Complete the fields on this page as desired. Refer to the GUI online help for this page for more infor-
mation about each field.

NOTE: If the class list contains at least 100 entries, you should use the Store as
a file option. A class list can be exported only if you use this option.

6. Click Create.

Using the CLI to Import a Class List


To import a class list using the CLI, use the import command. For example:

ACOS(config)# import class-list vs_list ftp:
Address or name of remote host []? 1.1.1.2
User name []? ACOSadmin
Password []? *********
File name [/]? vs_list

Using the CLI to Configure a Class List


To configure a class list in the CLI, use the class-list command. For example:

ACOS(config)# class-list examplelist
ACOS(config-class list)# 1.1.1.1 /32 glid 1
ACOS(config-class list)# 2.2.2.2 /32 glid 2
ACOS(config-class list)# 10.1.2.1 /32 lid 1
ACOS(config-class list)# 10.1.2.2 /32 lid 2

NOTE: See Class List Syntax for more information about the syntax.

Understanding IP Limiting Rules


This chapter contains the following topics:

• Parameters

• Match IP Address

• Request Limiting and Request-Rate Limiting in Class Lists

• CLI Examples: Request Limiting and Request-rate Limiting Settings Are Used

• CLI Examples: Request Limiting and Request-rate Limiting Settings Are Not Used

• Configuring Source IP Limiting

Parameters
IP limiting rules specify connection and request limits for clients.

Each IP limiting rule has the following parameters:

• Limit ID – Number from 1-31 that identifies the rule.

• Connection limit – Maximum number of concurrent connections that are allowed for a client.
You can specify 0-1048575. Connection limit 0 immediately locks down matching clients, and
there is no default value.
• Connection-rate limit – Maximum number of new connections that are allowed for a client in the limit period. You can specify 1-2147483647 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.


• Request limit – Maximum number of concurrent Layer 7 requests that are allowed for a client.
You can specify 1-1048575, and there is no default.
• Request-rate limit – Maximum number of Layer 7 requests that are allowed for a client in the
limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500
milliseconds (ms), specified in increments of 100 ms. There is no default.
• Over-limit action – Action to take when a client exceeds at least one limit.

The action can be one of the following:


• Drop – The ACOS device drops that traffic. If logging is enabled, the ACOS device also generates a log message. This is the default action.
• Forward – The ACOS device forwards the traffic. If logging is enabled, the ACOS device also generates a log message.
• Reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is enabled, the ACOS device also generates a log message.
• Lockout period – Number of minutes during which to apply the over-limit action after the client
exceeds a limit. The lockout period is activated when a client exceeds a limit. The lockout period
can be 1-1023 minutes, and there is no default.
• Logging – Generates log messages when clients exceed a limit. Logging is disabled by default.

When you enable logging, by default, a separate message is generated for each over-limit occurrence. If you specify a logging period, the ACOS device keeps the repeated messages for the specified period and sends a message at the end of the period for all instances that occurred during this period.

The logging period can be 0-255 minutes. The default is 0, which means that there is no wait period.

NOTE: When configured in a policy template, the class-list options request limit and request-rate limit are applicable only in policy templates that are bound to virtual ports. These options are not applicable in policy templates that are bound to virtual servers or in policy templates that are used for system-wide PBSLB.

NOTE: For more information, see Request Limiting and Request-Rate Limiting in Class Lists. The request limit and request-rate limit options apply only to HTTP, fast-HTTP, and HTTPS virtual ports. The over-limit logging, when used with the request-limit or request-rate-limit option, always lists Ethernet port 1 as the interface.
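The parameters above interact: a client that breaks the connection-rate limit stays under the over-limit action for the whole lockout period even after the limit period has rolled over, and a logging period collapses repeated over-limit messages into one summary. The following Python model is an added example and is not ACOS code or an example from this guide. The names IpLimitRule, ClientState, IpLimiter and the demo functions are the example's own, and the client addresses and timings are constructed. It applies one rule to a burst from one client and to a well-behaved client, and separately shows connection limit 0 with a one-minute logging period.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MINUTE_MS = 60_000

@dataclass
class IpLimitRule:
    """One IP limiting rule (LID or GLID) with the parameters listed above (hypothetical model)."""
    limit_id: int                             # 1-31
    conn_limit: Optional[int] = None          # concurrent connections; 0 locks matching clients down
    conn_rate_limit: Optional[int] = None     # new connections allowed per limit period
    conn_rate_period_ms: int = 100            # 100-6553500 ms, in 100 ms increments
    over_limit_action: str = "drop"           # drop (default) | forward | reset
    lockout_minutes: Optional[int] = None     # keep applying the action this long after a breach
    logging: bool = False
    log_period_minutes: int = 0               # 0 = a separate message per over-limit occurrence

@dataclass
class ClientState:
    active: int = 0                           # open connections
    period_start_ms: int = 0
    period_new: int = 0                       # connections opened in the current limit period
    locked_until_ms: Optional[int] = None
    log_period_start_ms: Optional[int] = None
    log_pending: int = 0                      # occurrences held back until the logging period ends

class IpLimiter:
    """Applies one IpLimitRule to the clients a class list maps to it (model, not ACOS code)."""
    def __init__(self, rule: IpLimitRule):
        if not 1 <= rule.limit_id <= 31 or rule.conn_rate_period_ms % 100:
            raise ValueError("limit ID must be 1-31 and the limit period a multiple of 100 ms")
        self.rule = rule
        self.clients: Dict[str, ClientState] = {}
        self.log: List[str] = []

    def _exceeds(self, st: ClientState, now_ms: int) -> bool:
        r = self.rule
        if st.locked_until_ms is not None:
            if now_ms < st.locked_until_ms:
                return True                   # lockout period still running
            st.locked_until_ms = None
        if r.conn_rate_limit is not None:
            if now_ms - st.period_start_ms >= r.conn_rate_period_ms:
                st.period_start_ms, st.period_new = now_ms, 0    # a new limit period starts
            if st.period_new >= r.conn_rate_limit:
                return True
        if r.conn_limit is not None and st.active >= r.conn_limit:
            return True                       # conn_limit 0: every attempt exceeds the limit
        return False

    def _log_event(self, client: str, st: ClientState, now_ms: int) -> None:
        if not self.rule.logging:
            return
        if self.rule.log_period_minutes == 0:
            self.log.append(f"lid {self.rule.limit_id}: {client} over limit, action {self.rule.over_limit_action}")
            return
        if st.log_period_start_ms is None:
            st.log_period_start_ms = now_ms   # first occurrence opens a logging period
        st.log_pending += 1

    def flush_logs(self, now_ms: int) -> None:
        """Emit one summary message per client whose logging period has ended."""
        period_ms = self.rule.log_period_minutes * MINUTE_MS
        for client, st in self.clients.items():
            if st.log_period_start_ms is not None and now_ms - st.log_period_start_ms >= period_ms:
                self.log.append(f"lid {self.rule.limit_id}: {client} over limit "
                                f"{st.log_pending} times in {self.rule.log_period_minutes} min")
                st.log_period_start_ms, st.log_pending = None, 0

    def new_connection(self, client: str, now_ms: int) -> str:
        """Return 'accept', or the over-limit action applied to this connection attempt."""
        st = self.clients.setdefault(client, ClientState())
        exceeded = self._exceeds(st, now_ms)
        if exceeded:
            if self.rule.lockout_minutes and st.locked_until_ms is None:
                st.locked_until_ms = now_ms + self.rule.lockout_minutes * MINUTE_MS
            self._log_event(client, st, now_ms)
            if self.rule.over_limit_action != "forward":
                return self.rule.over_limit_action    # drop or reset: the connection is not opened
        st.active += 1
        st.period_new += 1
        return "forward" if exceeded else "accept"

def demo_rate_limit_with_lockout() -> dict:
    """Constructed scenario: 3 new connections per 100 ms, reset + log on breach, 1-minute lockout."""
    lim = IpLimiter(IpLimitRule(limit_id=1, conn_rate_limit=3, conn_rate_period_ms=100,
                                over_limit_action="reset", lockout_minutes=1, logging=True))
    burst = [lim.new_connection("203.0.113.7", t) for t in (0, 10, 20, 30, 40)]
    in_lockout = lim.new_connection("203.0.113.7", 200)        # limit period rolled over, lockout has not
    after_lockout = lim.new_connection("203.0.113.7", 200 + MINUTE_MS)
    normal = [lim.new_connection("198.51.100.9", t) for t in (0, 50, 100, 150)]
    return {"burst": burst, "in_lockout": in_lockout, "after_lockout": after_lockout,
            "normal": normal, "log": lim.log}

def demo_lockdown_with_log_period() -> List[str]:
    """conn-limit 0 locks the client down at once; a 1-minute logging period collapses the messages."""
    lim = IpLimiter(IpLimitRule(limit_id=2, conn_limit=0, logging=True, log_period_minutes=1))
    for t in (0, 1_000, 2_000):
        lim.new_connection("10.0.0.5", t)                     # each attempt is dropped
    lim.flush_logs(30_000)                                     # period not over yet: nothing logged
    lim.flush_logs(MINUTE_MS)
    return lim.log
```

In the first scenario the fourth connection inside the 100 ms period is reset and starts the one-minute lockout; the attempt at 200 ms is reset although a fresh limit period has begun, and only the attempt after the lockout is accepted again. In the second scenario three attempts produce a single log line once the logging period ends.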


Match IP Address
By default, the ACOS device matches class-list entries based on the source IP address of client traffic.
Optionally, you can also match based on one of the following options:

• Destination IP address – Matches based on the destination IP address in packets from clients.
• IP address in client packet header – Matches based on the IP address in the specified header in packets from clients. If you do not specify a header name, this option uses the IP address in the X-Forwarded-For header.

Request Limiting and Request-Rate Limiting in Class Lists


If a LID or GLID in a class list contains settings for request limiting or request-rate limiting, the settings
apply only if the following conditions are true:

• The LID or GLID is used in a policy template.

• The policy template is bound to a virtual port.

The settings apply only to the virtual port but do not apply in the following cases:

• The policy template is applied to the virtual server, instead of the virtual port.

• The settings are in a system-wide GLID.

• The settings are in a system-wide policy template.

NOTE: This limitation does not apply to connection limiting or connection-rate limiting. Those settings are valid in the cases listed above.

CLI Examples: Request Limiting and Request-rate Limiting Settings Are Used

The request limiting and request-rate limiting settings are used in the following examples.

• Example 1: GLID Used in Policy Template and Bound to Virtual Port

• Example 2: LID Used in Policy Template and Bound to Virtual Port

Example 1: GLID Used in Policy Template and Bound to Virtual Port


The following configuration is valid for request limiting and request-rate limiting. These settings are in a
GLID that is used by a policy template that is bound to a virtual port.


ACOS(config)# class-list 2
ACOS(config-class list)# 5.1.1.100/32 glid 1023
ACOS(config-class list)# 55.1.1.0/24 lid 31
ACOS(config-class list)# exit
ACOS(config)# glid 1023
ACOS(config-glid:1023)# request-limit 10
ACOS(config-glid:1023)# request-rate-limit 2 per 100
ACOS(config-glid:1023)# over-limit-action reset log
ACOS(config-glid:1023)# exit
ACOS(config)# slb template policy global_policy
ACOS(config-policy)# class-list 2
ACOS(config-policy-class-list:2)# exit
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server vs-55 55.1.1.55
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group vlan-80-grp
ACOS(config-slb vserver-vport)# template policy global_policy

Example 2: LID Used in Policy Template and Bound to Virtual Port


The following configuration also is valid for request limiting and request-rate limiting. These settings are
in a LID that is configured in a policy template that is bound to a virtual port.

ACOS(config)# class-list l2
ACOS(config-class list)# 55.1.1.100/32 lid 31
ACOS(config-class list)# exit
ACOS(config)# slb template policy poltemplate1
ACOS(config-policy)# class-list l2
ACOS(config-policy-class-list:l2)# exit
ACOS(config-policy)# class-list l3
ACOS(config-policy-class-list:l3)# lid 30
ACOS(config-policy-class-list:l3-lid:30)# request-limit 10
ACOS(config-policy-class-list:l3-lid:30)# request-rate-limit 2 per 100
ACOS(config-policy-class-list:l3-lid:30)# exit
ACOS(config-policy-class-list:l3)# exit
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server vs-55 55.1.1.55
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group vlan-80-grp


ACOS(config-slb vserver-vport)# template policy poltemplate1

CLI Examples: Request Limiting and Request-rate Limiting Settings Are Not Used

The request limiting and request-rate limiting settings are not used in the following examples.

• Example 1: Policy Template Bound to Virtual Server Instead of Virtual Port

• Example 2: System GLID

• Example 3: System-wide Policy Template

Example 1: Policy Template Bound to Virtual Server Instead of Virtual Port


The following configuration is not valid for request limiting and request-rate limiting. The policy
template is bound to the virtual server instead of the virtual port.

ACOS(config)# slb virtual-server vs-55 55.1.1.55
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# template policy gg
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group vlan-80-grp

Example 2: System GLID


The following configuration is not valid for request limiting and request-rate limiting, because the
settings are in a system GLID.

ACOS(config)# system glid 1023

Example 3: System-wide Policy Template


The following configuration is not valid for request limiting and request-rate limiting, because the
settings are in a policy template used for system-wide PBSLB.

ACOS(config)# system template policy pol1


Configuring Source IP Limiting


To configure source IP limiting:

1. Configure a class list on the ACOS device or another device. If you configure the class list on another device, import it to the ACOS device.
2. Configure the following IP limiting rules:
• For system-wide IP limiting, configure the rules in a policy template or in standalone IP limiting rules.
• For IP limiting on an individual virtual server or virtual port, configure the rules in a policy template.
3. Apply the IP limiting rules.

You can configure multiple policy templates with different IP limiting rules. You can use a given class
list in one or more policy templates.

• For system-wide source IP limiting, apply the policy template globally.

• For source IP limiting on an individual virtual server or virtual port, apply the policy template to the
virtual server or virtual port.

Clients must comply with all IP limiting rules that are applicable to the client. For example, if you configure system-wide IP limiting and also configure IP limiting on a virtual server, clients must comply with the system-wide IP limits and with the IP limits that are applied to the individual virtual server accessed by the client.

CLI Examples - Configuration


The examples in this section show how to configure IP limiting.

This topic contains the following sections:

• Configuring System-wide IP Limiting With a Single Class

• Configuring System-wide IP Limiting With Multiple Classes

• Configuring IP Limiting on a Virtual Server

• Configuring IP Limiting on a Virtual Port

• Configuring Class List Entries That Age Out


Configuring System-wide IP Limiting With a Single Class


The following commands configure a standalone IP limiting rule to be applied globally to all IP clients,
which match class list “global”:

ACOS(config)# glid 1
ACOS(config-glid:1)# conn-rate-limit 10000 per 1
ACOS(config-glid:1)# conn-limit 1000000
ACOS(config-glid:1)# over-limit-action forward log
ACOS(config-glid:1)# exit
ACOS(config)# system glid 1

The following commands configure class list “global”, which matches on all clients and uses IP limiting
rule 1:

ACOS(config)# class-list global
ACOS(config-class list)# 0.0.0.0/0 glid 1
ACOS(config-class list)# exit

Configuring System-wide IP Limiting With Multiple Classes


The commands in this example configure system-wide IP limiting by using a policy template.

ACOS(config)# slb template policy global_policy
ACOS(config-policy)# class-list global
ACOS(config-policy-class-list:global)# lid 1
ACOS(config-policy-class-list:global-lid...)# conn-rate-limit 20000 per 1
ACOS(config-policy-class-list:global-lid...)# conn-limit 5000000
ACOS(config-policy-class-list:global-lid...)# over-limit-action reset log
ACOS(config-policy-class-list:global-lid...)# exit
ACOS(config-policy-class-list:global)# exit
ACOS(config-policy)# exit

The following command imports the class list that is used by the policy:

ACOS(config)# import class-list global_list ftp:
Address or name of remote host []? 1.1.1.2
User name []? ACOSadmin
Password []? *********
File name [/]? global_list

The following command applies the policy to the system:

ACOS(config)# system template policy global_policy

Configuring IP Limiting on a Virtual Server


The commands in this example configure IP limiting for a virtual server.

The following commands configure a policy template:

ACOS(config)# slb template policy vs_policy
ACOS(config-policy)# class-list vs_list
ACOS(config-policy-class-list:vs_list)# lid 1
ACOS(config-policy-class-list:vs_list-lid...)# conn-rate-limit 200 per 1
ACOS(config-policy-class-list:vs_list-lid...)# conn-limit 50000
ACOS(config-policy-class-list:vs_list-lid...)# over-limit-action lockout 10 log
ACOS(config-policy-class-list:vs_list-lid...)# exit
ACOS(config-policy-class-list:vs_list)# exit
ACOS(config-policy)# exit

The following command imports the class list that is used by the policy:

ACOS(config)# import class-list vs_list ftp:
Address or name of remote host []? 1.1.1.2
User name []? ACOSadmin
Password []? *********
File name [/]? vs_list

The following commands apply the policy to a virtual server:

ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# template policy vs_policy


Configuring IP Limiting on a Virtual Port


The commands in this example configure IP limiting for a virtual port.

NOTE: In this example, IP limiting is applied to a virtual port on a virtual server that also has IP limiting. Clients must conform to both sets of limits.

The following commands configure a policy template:

ACOS(config)# slb template policy vp_policy
ACOS(config-policy)# class-list vp_list
ACOS(config-policy-class-list:vp_list)# lid 1
ACOS(config-policy-class-list:vp_list-lid...)# request-rate-limit 50 per 1
ACOS(config-policy-class-list:vp_list-lid...)# request-limit 60000
ACOS(config-policy-class-list:vp_list-lid...)# over-limit-action reset log
ACOS(config-policy-class-list:vp_list-lid...)# exit
ACOS(config-policy-class-list:vp_list)# exit
ACOS(config-policy)# exit

The following command imports the class list that is used by the policy:

ACOS(config)# import class-list vp_list ftp:
Address or name of remote host []? 1.1.1.2
User name []? ACOSadmin
Password []? *********
File name [/]? vp_list

The following commands apply the policy to a virtual port:

ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy vp_policy

Configuring Class List Entries That Age Out


The following commands configure a class list with 2 host entries, and assign an age value to each
entry.


ACOS(config)# class-list local
ACOS(config-class list)# 192.168.1.100 /32 lid 30 age 1
ACOS(config-class list)# 192.168.1.101 /32 lid 30 age 10
ACOS(config-class list)# exit

The following commands configure a policy template.

The template includes an LID that sets the connection limit to 0. The LID also resets and logs connection attempts.

ACOS(config)# slb template policy 1
ACOS(config-policy)# class-list local
ACOS(config-policy-class-list:local)# lid 30
ACOS(config-policy-class-list:local-lid...)# conn-limit 0
ACOS(config-policy-class-list:local-lid...)# over-limit-action reset log
ACOS(config-policy-class-list:local-lid...)# exit
ACOS(config-policy-class-list:local)# exit
ACOS(config-policy)# exit

The following commands apply the policy template to a virtual port.

ACOS(config)# slb virtual-server vs1 192.168.1.33
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# template policy 1

In the configuration above, host 192.168.1.100 is not allowed to establish a connection during the first minute after the host entry is created. After the age expires, the host entry is removed from the class list, and the connection limit no longer applies to the client.

Host 192.168.1.101 is not allowed to establish a connection during the first 10 minutes after that host
entry is created. Once the age expires, the client is no longer locked down.

CLI Examples - Display


This topic contains the following sections:

• Viewing Class-Lists

• Viewing IP Limiting Rules

• Viewing IP Limiting Statistics


Viewing Class-Lists
Use the show class-list command to view information about your class list configuration.

NOTE: For information, see “show class-list” in the Command Line Interface Reference.

Viewing IP Limiting Rules


Use the show glid command to view the configuration of each standalone IP limiting rule.

NOTE: For information, see “show glid” in the Command Line Interface Reference.

Viewing IP Limiting Statistics


Use the show pbslb command to view IP limiting statistics.

NOTE: For information, see “show pbslb” in the Command Line Interface Reference.


ICMP Rate Limiting

This chapter contains the following topics:

• ICMP Rate Limiting Overview

• Configuring ICMP Rate Limiting

ICMP Rate Limiting Overview


ICMP/ICMPv6 [1] rate limiting protects against denial-of-service (DoS) attacks such as Smurf attacks, which consist of floods of spoofed broadcast ping messages.

ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP packets when the configured
thresholds are exceeded.

Configuring ICMP Rate Limiting


You can configure ICMP rate limiting filters globally, on individual Ethernet interfaces, and in virtual
server templates. If you configure ICMP rate limiting filters at more than one of these levels, all filters
are applicable.

This section contains the following topics:

• ICMP Rate Limiting Parameters

• Using the GUI to Configure ICMP Rate Limiting

• Using the CLI to Configure ICMP Rate Limiting

[1] Subsequent references use the term “ICMP rate limiting”. Unless otherwise specified, this term also applies to ICMPv6 rate limiting.


ICMP Rate Limiting Parameters


ICMP rate limiting filters consist of the following parameters:

• Normal rate – The ICMP normal rate is the maximum number of ICMP packets that are allowed per second. If the ACOS device receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.
• Maximum rate – The ICMP maximum rate is the maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second.
• Lockup time – The lockup time is the number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

NOTE: Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur. Log messages are generated only if the lockup option is used and lockup occurs. Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not generated.

NOTE: The maximum rate must be larger than the normal rate.
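The three parameters describe two different reactions: above the normal rate the excess packets of the current one-second interval are dropped, and above the maximum rate every ICMP packet is dropped for the lockup time. The following Python model is an added example and is not ACOS code or an example from this guide. The class name IcmpRateLimiter and the demo function are the example's own, and the packet timings are constructed. It enforces the ranges and the rule that the maximum rate must exceed the normal rate, counts per one-second interval, and logs only when lockup occurs.

```python
from typing import List, Optional

class IcmpRateLimiter:
    """ICMP rate limiting filter with the three parameters described above (hypothetical model).

    normal_rate: packets allowed per one-second interval; the excess is dropped until the next interval
    max_rate:    packets per second at which ICMP is locked up (optional, must exceed normal_rate)
    lockup_secs: seconds during which every ICMP packet is dropped after the maximum rate is exceeded
    """

    def __init__(self, normal_rate: int, max_rate: Optional[int] = None, lockup_secs: Optional[int] = None):
        if not 1 <= normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535 packets per second")
        if (max_rate is None) != (lockup_secs is None):
            raise ValueError("maximum rate and lockup time are specified together")
        if max_rate is not None:
            if not 1 <= max_rate <= 65535 or not 1 <= lockup_secs <= 16383:
                raise ValueError("maximum rate must be 1-65535 and lockup time 1-16383")
            if max_rate <= normal_rate:
                raise ValueError("maximum rate must be larger than the normal rate")
        self.normal_rate, self.max_rate, self.lockup_secs = normal_rate, max_rate, lockup_secs
        self.interval = 0                # the one-second interval being counted
        self.seen = 0                    # packets seen in that interval (counted even while dropping)
        self.locked_until: Optional[float] = None
        self.dropped = 0
        self.log: List[str] = []

    def packet(self, t: float) -> bool:
        """Return True if the ICMP packet arriving at time t (seconds) is passed, False if dropped."""
        sec = int(t)
        if sec != self.interval:
            self.interval, self.seen = sec, 0
        self.seen += 1
        if self.locked_until is not None:
            if t < self.locked_until:
                self.dropped += 1
                return False             # lockup: all ICMP is dropped
            self.locked_until = None
        if self.max_rate is not None and self.seen > self.max_rate:
            self.locked_until = t + self.lockup_secs
            self.log.append(f"ICMP rate {self.seen}/s exceeded maximum {self.max_rate}/s, "
                            f"lockup for {self.lockup_secs}s")   # only lockup produces a log message
            self.dropped += 1
            return False
        if self.seen > self.normal_rate:
            self.dropped += 1            # above the normal rate: dropped and counted, not logged
            return False
        return True

def demo_burst() -> dict:
    """Constructed burst: 10 packets/s allowed, ICMP locked up for 5 s once 20 packets/s is exceeded."""
    rl = IcmpRateLimiter(normal_rate=10, max_rate=20, lockup_secs=5)
    sec0 = [rl.packet(0.0 + i * 0.01) for i in range(15)]   # 15 packets: 10 pass, 5 dropped, no lockup
    sec1 = [rl.packet(1.0 + i * 0.01) for i in range(25)]   # 25 packets: the 21st triggers the lockup
    locked = rl.packet(3.0)                                  # still inside the 5-second lockup
    recovered = rl.packet(7.0)                               # lockup over, counting starts afresh
    return {"sec0_passed": sum(sec0), "sec1_passed": sum(sec1), "locked": locked,
            "recovered": recovered, "dropped": rl.dropped, "log": rl.log}
```

Leaving max_rate and lockup_secs unset gives the behaviour the note describes: packets beyond the normal rate are dropped and counted, but nothing is logged.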

Using the GUI to Configure ICMP Rate Limiting


This section contains the following topics:

• Configuring ICMP Rate Limiting on an Ethernet Interface

• Configuring ICMP Rate Limiting in a Virtual Server Template

Configuring ICMP Rate Limiting on an Ethernet Interface


To configure ICMP rate limiting on an Ethernet interface:

1. Navigate to the Network >> Interfaces >> LAN page.
2. Click the Edit link in the Actions column for the Ethernet interface for which you want to configure ICMP rate limiting.


3. In the Update Ethernet page, select the checkbox in the ICMP Rate Limit field, then specify the
desired ICMP rate limiting parameters.

NOTE: For descriptions of the parameters, see ICMP Rate Limiting Parameters.

Configuring ICMP Rate Limiting in a Virtual Server Template


To configure ICMP rate limiting in a virtual server template:

NOTE: This option applies only to software releases that support SLB.

1. Navigate to the ADC >> Templates >> SLB page.
2. Click Create, then select Virtual Server from the drop-down list.
3. In the Create Virtual Server Template page, specify the desired values in the fields beginning with “ICMP” or “ICMPv6”.

NOTE: For descriptions of the parameters, see ICMP Rate Limiting Parameters.

Using the CLI to Configure ICMP Rate Limiting


The following example configures a virtual server template that sets ICMP rate limiting:

ACOS(config)# slb template virtual-server vip-tmplt
ACOS(config-vserver)# icmp-rate-limit 25000 lockup 30000 60

You can enter the icmp-rate-limit command at any of the following configuration levels:

• Global configuration level

• Configuration level for a physical or virtual Ethernet interface

• Configuration level for a virtual server template

NOTE: For descriptions of the parameters, see ICMP Rate Limiting Parameters.

To view ICMP rate limiting information, enter the following commands:

show icmp
show icmpv6
show interfaces


show slb virtual-server server-name detail


HTTP Slowloris Prevention

This chapter has the following sections:

• Details

• Using the GUI to Configure Request Header Timeout

• Using the CLI to Configure Request Header Timeout

Details
The ACOS includes an HTTP template option that specifies the maximum number of seconds allowed
for all parts of a request header to be received. If the entire request header is not received within the
specified amount of time, ACOS terminates the connection.

This option provides security against attacks such as Slowloris attacks, which attempt to consume
resources on the target system by sending HTTP requests in multiple increments, and at a slow rate.
The intent of this type of attack is to cause the target system to consume its buffer resources with the
partially completed requests.

NOTE: The request-header wait time can be set to 1-31 seconds. The default is 7 seconds.
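The option works as a deadline on one connection: the clock starts with the first byte of the request, and if the blank line that terminates the header has not arrived when the wait time runs out, the connection is closed rather than left holding a buffer. The following Python model is an added example and is not ACOS code or an example from this guide. The class RequestHeaderTimer, the function run_connection and the two traffic samples are the example's own constructions; the slow client sends one header line every three seconds and never completes the header.

```python
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"

class RequestHeaderTimer:
    """Per-connection model of the request-header wait time (hypothetical, not ACOS code).

    The clock starts at the first byte of the request; if the header terminator has not arrived
    within wait_time seconds, the connection is aborted instead of holding a buffer open.
    """

    def __init__(self, wait_time: int = 7):
        if not 1 <= wait_time <= 31:
            raise ValueError("request-header wait time must be 1-31 seconds")
        self.wait_time = wait_time
        self.buf = b""
        self.first_byte_at: Optional[float] = None
        self.state = "waiting"               # waiting | complete | aborted

    def feed(self, t: float, data: bytes) -> str:
        """Data arrives on the connection at time t (seconds)."""
        if self.state != "waiting":
            return self.state
        if self.first_byte_at is None:
            self.first_byte_at = t
        if t - self.first_byte_at > self.wait_time:
            self.state = "aborted"           # deadline already passed: close, ignore the data
        else:
            self.buf += data
            if HEADER_END in self.buf:
                self.state = "complete"      # whole header received in time
        return self.state

    def check(self, t: float) -> str:
        """Timer callback: abort a connection whose header is still incomplete at the deadline."""
        if (self.state == "waiting" and self.first_byte_at is not None
                and t - self.first_byte_at > self.wait_time):
            self.state = "aborted"
        return self.state

def run_connection(wait_time: int, events: List[Tuple[float, bytes]], end_time: float) -> str:
    """Replay (time, bytes) events on one connection, then run the timer check at end_time."""
    timer = RequestHeaderTimer(wait_time)
    for t, data in events:
        if timer.feed(t, data) != "waiting":
            break
    return timer.check(end_time)

# Constructed traffic: a normal client sends its whole header at once; the slow client trickles one
# header line every three seconds and never sends the blank line that ends the header.
NORMAL_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n")]
SLOW_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n"), (3.0, b"Host: www.example.test\r\n"),
               (6.0, b"X-Pad: 1\r\n"), (9.0, b"X-Pad: 2\r\n"), (12.0, b"X-Pad: 3\r\n")]
```

With the default of 7 seconds the slow client is aborted at its fourth fragment; raising the wait time to the maximum of 31 seconds keeps the connection (and its buffer) open for much longer before the same decision is made, which is the trade-off to weigh when choosing the value.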

Using the GUI to Configure Request Header Timeout


To configure the request header timeout using the GUI:

1. Navigate to the ADC >> Templates >> L7 page.
2. Click Create and select HTTP from the drop-down list to create a new HTTP template.
3. On the Create HTTP Template page, select the checkbox in the Request Header Wait Time Before Abort Connection field, then specify a timeout value in seconds (1-31, default is 7).

Using the CLI to Configure Request Header Timeout


To change the request-header wait time in an HTTP template, use the req-hdr-wait-time command at
the configuration level for the template:


ACOS(config)# slb template http exampletemplate
ACOS(config-http)# req-hdr-wait-time 10

NOTE: For more HTTP security options, see the Web Application Firewall Guide.


DNS Application Firewall

This chapter contains the following topics:

• Overview of the DNS Application Firewall

• DNS Sanity Check

• Configuring DNSSEC

Overview of the DNS Application Firewall


The DNS Application Firewall (DAF) provides security for DNS VIPs.

The DAF examines DNS queries that are addressed to a VIP to ensure that the queries are not malformed. If a malformed DNS query is detected, the ACOS device takes one of the following actions:

NOTE: These actions are specified in the DNS security policy.

• Drops the query.

• Forwards the query to another service group – This option is useful if you want to quarantine and
examine the malformed queries, while keeping the queries away from the DNS server.

This feature parses DNS queries based on the following RFCs:

• RFC 1034: Domain Names – Concepts and Facilities

• RFC 1035: Domain Names – Implementation and Specification

• RFC 2671 – Extension Mechanisms for DNS (EDNS0)

DNS Sanity Check


The DNS security performs a sanity check on DNS client requests and, if applicable, the DNS server
replies.

This topic contains the following sections:


• Sanity Checking for Virtual-Port Type UDP

• Sanity Checking for Virtual-Port Type DNS-UDP

Sanity Checking for Virtual-Port Type UDP


The DNS sanity checking on virtual-port type UDP is performed only for client requests.

For a DNS client request to pass the sanity check, all of the following conditions must be met:

• Flags.qr == 0 (first bit in flags)

• Flags.opcode <=5 (bits 2 to 5 in flags)

• Flags.rcode == 0 (last 4 bits in flags)

• qdcount > 0 (questions in DNS header)

Sanity Checking for Virtual-Port Type DNS-UDP


DNS sanity checking on virtual-port type DNS-UDP is performed for client requests and server
responses.

For a client request to pass the sanity check, all of the following conditions must be met:

• Flags.qr == 0 (first bit in flags)

• Flags.opcode == 0 (bits 2 to 5 in flags)

• Flags.rcode == 0 (last 4 bits in flags)

• qdcount == 1 (questions in DNS header)

For a server response to pass the sanity check, all of the following conditions must be met:

• Flags.qr == 1 (first bit in flags)

• Flags.opcode <=5

• Flags.rcode == 0

• qdcount > 0

• ancount > 0 (Answer count)
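The conditions above all read from the 12-byte DNS header, so they can be checked before any question or resource record is parsed. The following Python code is an added example and is not ACOS code or an example from this guide; it parses the header as laid out in RFC 1035 and applies the two sets of conditions (virtual-port type UDP, requests only; virtual-port type DNS-UDP, requests and responses). The function names parse_dns_header, sanity_check and build_header are the example's own, and the sample headers are constructed.

```python
import struct
from typing import Dict, List

def parse_dns_header(packet: bytes) -> Dict[str, int]:
    """Split the 12-byte DNS header (RFC 1035, section 4.1.1) into the fields the checks use."""
    if len(packet) < 12:
        raise ValueError("packet is shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": flags >> 15,                # first bit: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,    # bits 2 to 5
        "rcode": flags & 0xF,             # last 4 bits
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
    }

def sanity_check(packet: bytes, port_type: str, direction: str) -> List[str]:
    """Return the failed conditions for this packet; an empty list means it passes.

    port_type is "udp" (client requests only) or "dns-udp" (client requests and server responses),
    direction is "request" or "response".
    """
    if port_type not in ("udp", "dns-udp"):
        raise ValueError("virtual-port type must be udp or dns-udp")
    h = parse_dns_header(packet)
    failed = []
    if direction == "request":
        if h["qr"] != 0:
            failed.append("qr != 0")
        if port_type == "udp" and h["opcode"] > 5:
            failed.append("opcode > 5")
        if port_type == "dns-udp" and h["opcode"] != 0:
            failed.append("opcode != 0")
        if h["rcode"] != 0:
            failed.append("rcode != 0")
        if port_type == "udp" and h["qdcount"] < 1:
            failed.append("qdcount == 0")
        if port_type == "dns-udp" and h["qdcount"] != 1:
            failed.append("qdcount != 1")
    elif direction == "response":
        if port_type != "dns-udp":
            raise ValueError("responses are checked only on virtual-port type dns-udp")
        if h["qr"] != 1:
            failed.append("qr != 1")
        if h["opcode"] > 5:
            failed.append("opcode > 5")
        if h["rcode"] != 0:
            failed.append("rcode != 0")
        if h["qdcount"] < 1:
            failed.append("qdcount == 0")
        if h["ancount"] < 1:
            failed.append("ancount == 0")
    else:
        raise ValueError("direction must be request or response")
    return failed

def build_header(qr: int = 0, opcode: int = 0, rcode: int = 0, qdcount: int = 1,
                 ancount: int = 0, ident: int = 0x1234) -> bytes:
    """Build a constructed 12-byte DNS header for testing (question and answer sections omitted)."""
    flags = (qr << 15) | (opcode << 11) | rcode
    return struct.pack("!6H", ident, flags, qdcount, ancount, 0, 0)

# Constructed samples: a standard query, a query with no question, a query with a reserved opcode,
# and a response that carries one answer
STANDARD_QUERY = build_header()
EMPTY_QUERY = build_header(qdcount=0)
RESERVED_OPCODE = build_header(opcode=7)
ANSWERED_RESPONSE = build_header(qr=1, ancount=1)
```

Two consequences of the conditions as listed are worth checking against your own traffic before enabling the feature on a port: a DNS-UDP port accepts only opcode 0 and exactly one question, so a STATUS or NOTIFY request fails there while it passes on a UDP port, and the response conditions reject any reply with a non-zero RCODE or an empty answer section, which includes a name-error reply.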


Configuring DNSSEC
This topic contains the following sections:

• Details

• Using the CLI to Configure DNSSEC

Details
To configure DNS security for a DNS virtual port:

1. Create a DNS template and specify the DNS security action in the template.
2. Bind the DNS template to the DNS virtual port.

Using the CLI to Configure DNSSEC


This section includes the following examples:

• DNS Application Firewall Setup

• Service-Group Redirection for DNS “Any” Requests (using aFleX)

DNS Application Firewall Setup


The following commands configure a DNS template for DNS security and bind the template to the DNS
virtual port on a virtual server. The drop option drops malformed queries so that they are not processed
by the DNS virtual port to which the template has been applied.

ACOS(config)# slb template dns dns-sec
ACOS(config-dns)# malformed-query drop
ACOS(config-dns)# exit

The following commands configure the real server and service group:

ACOS(config)# slb server dns-sec1 10.10.10.88
ACOS(config-real server)# port 53 udp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group dns-sec-grp udp
ACOS(config-slb svc group)# member dns-sec1 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# exit

The following commands bind the service group and DNS template to the DNS virtual port on a virtual
server:

ACOS(config)# slb virtual-server dnsvip1 192.168.1.53
ACOS(config-slb vserver)# port 53 udp
ACOS(config-slb vserver-vport)# service-group dns-sec-grp
ACOS(config-slb vserver-vport)# template dns dns-sec

Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by
the ACOS device.

Service-Group Redirection for DNS “Any” Requests (using aFleX)


The following aFleX script can be applied to a DNS virtual port to detect DNS “any” requests and redirect
them to an alternate service group. In this example, DNS requests of type “ANY” are sent to service
group rate_limited_service_group. DNS requests of other types are sent to service group
no_rate_limit_service_group.

when DNS_REQUEST {
    set record ANY
    if {[DNS::question type] equals $record} {
        pool rate_limited_service_group
    } else {
        pool no_rate_limit_service_group
    }
}


DNS Response Rate Limiting

This chapter covers the following topics:

• Overview of DNS Response Rate Limiting (RRL)

• Configuration Example

Overview of DNS Response Rate Limiting (RRL)


This section covers the following topics:

• Details

• DNS Reflection Attacks

• Challenges of Stopping DNS Reflection Attacks

• ACOS Mitigation of DNS Reflection Attacks

• Two-tiered Rate-limiting System for DNS Queries

• Configuration Parameters for DNS RRL

• Limitations

Details
For some ADC deployments, it may be difficult to control the rate of DNS responses from the DNS servers to external hosts. This vulnerability could cause your network resources to be used in DNS reflection attacks or DNS amplification attacks.

To prevent your network equipment from becoming an unwanted participant in a DNS reflection or
amplification attack, this release introduces support for DNS Response Rate Limiting (RRL).

The DNS Response Rate Limiting is a BIND feature which applies a rate-limit to the DNS server
responses, with the goal of decreasing unnecessary load on the authoritative DNS servers.

NOTE: DNS RRL is implemented based on ISC-TN-2012-1-Draft1, which is used by both BIND9 and NSD.


DNS Reflection Attacks


A DNS reflection attack is when a hacker hijacks multiple computers using botnets and then sends a large number of queries to one or more DNS servers. The hacker’s DNS requests include a spoofed source IP address, so it appears as though the DNS queries are originating from what is essentially a fake address (that is, the address of the intended victim). The unwitting DNS server replies to the spoofed address of the victim instead of replying to the real source of the threat. When the hacker scales-up the attack by employing botnets, the replies from the DNS servers can use up all the resources on the target’s network, preventing legitimate traffic from getting through. [1]

Challenges of Stopping DNS Reflection Attacks


DNS runs on the connectionless UDP protocol, so it is difficult to check the validity of each DNS query
and drop malicious traffic in a targeted manner. However, the ACOS can employ a blunt approach to
mitigate this type of threat by applying rate limits to the traffic.

The ACOS identifies potentially malicious queries if the following are true of the DNS requests:

1. There are an excessive number of queries,
2. They are originating from the same domain,
3. They are requesting the same FQDN-to-IP mapping from the DNS server.

Once the source is flagged as potentially malicious, then ACOS can take protective action.

ACOS Mitigation of DNS Reflection Attacks


To respond to this threat, ACOS applies rate-limits to the DNS server responses associated with those
DNS requests that have been flagged as potentially malicious.

NOTE: ACOS does not apply rate limits to the malicious queries themselves, but only to the responses from the DNS server to the victim.

When this feature is enabled, ACOS monitors the DNS response rate and request rate, and it detects any
abnormal increase in the rate or frequency, which is based on the IPv4/IPv6 source address (source IP
of the request).

[1] For more information about DNS reflection attacks, see https://en.wikipedia.org/wiki/Reflection_attack.


Two-tiered Rate-limiting System for DNS Queries


In its implementation of DNS RRL, BIND software tracks all DNS queries by placing them into one large table. However, in order to allocate system resources in a more efficient manner, the ACOS implementation of DNS RRL uses a two-tiered system with two tables.

The first of the two tables is called the “filter table”, and the second of the two tables is called the
“rate-limiting entry table”. Both tables apply rate limits to DNS queries, but the “filter table” uses
only two bytes for each DNS query in its table, while the “rate-limiting entry table” uses approxi-
mately 100 bytes for each DNS query.

All DNS queries first go to the “filter table”, and if the query is flagged as potentially malicious, subse-
quent requests from that source IP + FQDN combination are stored in the second table (the rate-limit-
ing entry table).

Configuration Parameters for DNS RRL


This section covers the following topics:

• Setting the Rate Limits

• Protecting System Resources

• Allowing Valid DNS Queries to Pass

• More Information

Setting the Rate Limits


DNS RRL can be configured using the following CLI parameters:

• “filter table” – This table is for non-offenders making normal DNS requests; all normal DNS queries
are processed here. Rate limits for this table are set with the filter-response-rate command under
response-rate-limiting.

• “rate-limiting entry table” – This table is for offenders making abnormal DNS requests, who need to
be monitored more closely. Only a small subset of DNS queries is placed into this table of potential
abusers. Rate limits for this table are set with the response-rate command under
response-rate-limiting.

• “window” – This option configures the rate-limiting window, the time interval over which the
response-rate and slip-rate are measured. If the same DNS mapping is requested too many times within
a window, similar queries from that client are dropped for the rest of the window.

The rate-limiting entry table is for offenders who have exceeded the rate limits configured for the filter
table. Each entry is keyed by the combination of source IP address and a hash of the requested FQDN.
These queries are monitored more closely than regular DNS queries, and the table allocates a credit rate
to each entry (for example, a credit of up to 10 requests per second) that is consumed as responses are
sent. Any DNS queries exceeding their credit rate are rate-limited, meaning ACOS drops the
corresponding responses.

Protecting System Resources


The DNS Response Rate Limiting feature also includes a configuration option that prevents DNS attacks
from consuming too much system memory in the rate-limiting entry table: dns-response-rate-limiting
max-table-entries.

Once the configured number of entries (for example, 1000) is used up, all further offending traffic is
placed into an overflow bucket in which the source IP + FQDN combination is no longer tracked
individually.

Allowing Valid DNS Queries to Pass


The DNS RRL feature allows a “slip rate”, so that a certain percentage of valid DNS queries are still
answered even during an attack, which keeps the service reachable for legitimate clients. The slip rate is
configured with the slip-rate option under response-rate-limiting.
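The two-tier scheme, the overflow bucket, the slip rate and log-only mode described above, as an added Python model. This is illustrative code written for this guide's description, not ACOS code; the exact semantics it assumes (one small counter per source+FQDN in the filter table, a credit refilled once per window in the entry table, a single shared credit pool for overflow traffic, and slip-rate N meaning "let every Nth would-be-dropped response through") are stated in the docstring and are assumptions, as is the constructed traffic at the bottom:

```python
"""Two-tier DNS response rate limiting, modelled on the ACOS description above.

Added example, not ACOS code. Assumed: the filter table holds one small counter per
(source IP, FQDN) for the current window; exceeding filter-response-rate promotes the
key to the rate-limiting entry table, which grants `response_rate` credits per window;
when that table is full, extra offenders share one untracked overflow bucket; and
slip-rate N lets every Nth response that would otherwise be dropped through.
"""
from dataclasses import dataclass


@dataclass
class RRLConfig:
    filter_response_rate: int = 5   # responses per window tolerated in the filter table
    response_rate: int = 5          # credits per window once a key is flagged
    slip_rate: int = 0              # let every Nth would-be-dropped response through (0 = never)
    window: float = 1.0             # seconds over which rates are measured
    max_table_entries: int = 1000   # cap on the rate-limiting entry table
    age: float = 60.0               # idle seconds before a flagged entry is forgotten
    log_only: bool = False          # count what would happen, but send every response


@dataclass
class Counters:
    allowed: int = 0
    dropped: int = 0
    slipped: int = 0


@dataclass
class Entry:                        # the ~100-byte "closely watched" state per flagged key
    window: int
    credits: int
    drop_count: int = 0
    last_seen: float = 0.0


class TwoTierRRL:
    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.filter_table = {}      # (src, fqdn) -> (window, count): the cheap first tier
        self.entry_table = {}       # (src, fqdn) -> Entry: the expensive second tier
        self.overflow = Entry(window=-1, credits=0)   # shared bucket once the table is full
        self.counters = Counters()

    def _entry_for(self, key, w, now):
        """Fetch or create the second-tier entry for a flagged key, refilling credits per window."""
        entry = self.entry_table.get(key)
        if entry is None:
            if len(self.entry_table) < self.cfg.max_table_entries:
                entry = self.entry_table[key] = Entry(window=w, credits=self.cfg.response_rate)
            else:
                entry = self.overflow       # source+FQDN is no longer tracked individually
        if entry.window != w:
            entry.window, entry.credits, entry.drop_count = w, self.cfg.response_rate, 0
        entry.last_seen = now
        return entry

    def verdict(self, src, fqdn, now):
        """Classify the response to one query as 'allow', 'drop' or 'slip'."""
        key, w = (src, fqdn), int(now // self.cfg.window)
        entry = self.entry_table.get(key)
        if entry is not None and now - entry.last_seen > self.cfg.age:
            del self.entry_table[key]       # aged out: back to the filter table
            entry = None
        if entry is None:
            fw, count = self.filter_table.get(key, (w, 0))
            count = count + 1 if fw == w else 1
            self.filter_table[key] = (w, count)
            if count <= self.cfg.filter_response_rate:
                return "allow"              # a normal client never leaves this tier
        entry = self._entry_for(key, w, now)
        if entry.credits > 0:
            entry.credits -= 1
            return "allow"
        entry.drop_count += 1
        if self.cfg.slip_rate and entry.drop_count % self.cfg.slip_rate == 0:
            return "slip"                   # BIND would send a truncated reply here so a real
        return "drop"                       # client retries over TCP; ACOS only says "pass"

    def should_send(self, src, fqdn, now):
        """Update the counters and say whether the response is actually sent. In log-only
        mode the Dropped/Allowed/Slipped counters still move although everything is sent."""
        v = self.verdict(src, fqdn, now)
        if v == "allow":
            self.counters.allowed += 1
        elif v == "slip":
            self.counters.slipped += 1
        else:
            self.counters.dropped += 1
        return self.cfg.log_only or v != "drop"


def run(cfg, queries):
    """queries: (time, source, fqdn) triples. Returns (counters, responses sent, tracked entries)."""
    rrl = TwoTierRRL(cfg)
    sent = sum(1 for t, s, q in queries if rrl.should_send(s, q, t))
    return rrl.counters, sent, len(rrl.entry_table)


# Constructed traffic: two spoofed sources hammering one name, plus one ordinary client.
ATTACK = [(i / 10, src, "victim.example.com.") for src in ("10.0.0.1", "10.0.0.2") for i in range(10)]
NORMAL = [(0.2, "10.0.0.3", "www.example.com."), (0.7, "10.0.0.3", "mail.example.com.")]
DEMO_CFG = RRLConfig(filter_response_rate=3, response_rate=2, slip_rate=2, max_table_entries=1)

if __name__ == "__main__":
    counters, sent, tracked = run(DEMO_CFG, ATTACK + NORMAL)
    print(counters, "sent:", sent, "tracked entries:", tracked)
```

With the demo settings, the first attacker gets the single entry-table slot and the second spills into the overflow bucket, yet both end up with the same allow/drop/slip pattern, while the ordinary client is never touched; rerunning with `log_only=True` leaves the counters identical but sends every response, which is exactly the counter behaviour the limitations section warns about.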

More Information

NOTE: For more information about any of these CLI commands, see the follow-
ing commands in the CLI Reference for ADC.

• “slb template dns” command updated with new “response-rate-limiting” option.

• “slb common” command updated with “dns-response-rate-limiting max-table-entries” option.

• “show” command updated with new “response-rate-limiting entries” option.

Limitations
This release contains the following limitations for the DNS RRL feature:

• Any change to the SLB maximum table entries (CLI command: dns-response-rate-limiting
max-table-entries under slb common) requires disabling and then re-enabling the template on the
virtual port to which it is bound.
Use the show command to verify that all rate-limiting entries have aged out before re-enabling the
template.
(Tracking ID: 473179)
• When the action is set to log-only, the Dropped, Allowed, and Slipped counters are still incremented
even though all of these packets are actually permitted to pass.
Log-only mode simulates how many packets would be dropped, allowed, or slipped if the device were
not in observation mode; while in observation mode, no packets are actually dropped.
(Tracking ID: 473200)
• The entries in the rate-limiting tables described in Two-tiered Rate-limiting System for DNS Queries
are not yet visible in the GUI or CLI.
(Tracking ID: 473182)
• Due to a CM limitation, if you configure slb template <name> response-rate-limiting without
configuring anything underneath it, the line “response-rate-limiting” does not appear in the output of
the show running-config command.
• Dynamic changes to the age setting take effect only after the existing filter table entry ages out.
• DNS RRL is not supported on service partitions.
(Tracking ID: 473566)

NOTE: The following limitations that existed in the previous releases are now
removed:

• DNS RRL was not supported on L3V partitions. DNS RRL is now supported on L3V partitions.

• If you configured slb template <name> response-rate-limiting without configuring anything
underneath it, the response-rate-limiting line did not appear in the output of the show running-config
command.

The updated show command now displays the entries in the rate-limiting tables.


Configuration Example
This topic contains the following sections:

• Using the GUI to Configure DNS RRL

• Using the CLI to Configure and Monitor DNS RRL

Using the GUI to Configure DNS RRL


The DNS Response Rate Limiting (RRL) feature helps prevent network equipment (DNS authoritative
servers) from becoming unwanted participants in a DNS reflection or DNS amplification attack.

To configure DNS Response Rate Limiting:

1. Navigate to the ADC > Templates > L7 Protocols menu.
2. Click Create, and select DNS from the drop-down menu.
3. On the page that appears, select the DNS Response Rate Limiting checkbox. From this page, you can
configure the options needed to enable DNS Response Rate Limiting (RRL).
4. Click OK to save your changes.

To set limits on the amount of memory consumed during a DNS reflection attack:

1. Navigate to ADC > SLB > Global.
2. Select the DNS Response Rate Limiting checkbox.
3. In the Max Table Entries field that appears, specify the desired value.
4. Click Update to save your changes.

NOTE: For descriptions of these parameters, see Configuration Parameters for DNS RRL.


Using the CLI to Configure and Monitor DNS RRL


The following example configures DNS RRL:

ACOS(config)# slb common
ACOS(config-common)# dns-response-rate-limiting
ACOS(config-common-dns-response-rate-limi...)# max-table-entries 20000
ACOS(config-common-dns-response-rate-limi...)# exit

ACOS(config)# slb template dns DNSRRL
ACOS(config-dns)# response-rate-limiting
ACOS(config-dns-response-rate-limiting)# response-rate 5
ACOS(config-dns-response-rate-limiting)# filter-response-rate 5
ACOS(config-dns-response-rate-limiting)# slip-rate 5
ACOS(config-dns-response-rate-limiting)# enable-log
ACOS(config-dns-response-rate-limiting)# exit

ACOS(config)# slb server RS 1.1.1.1
ACOS(config-real server)# port 53 udp
ACOS(config-real server-node port)# exit

ACOS(config)# slb service-group SG udp
ACOS(config-slb svc group)# member RS 53
ACOS(config-slb svc group-member:53)# exit

ACOS(config)# slb virtual-server VS 1.1.1.2
ACOS(config-slb vserver)# port 53 dns-udp
ACOS(config-slb vserver-vport)# template dns DNSRRL
ACOS(config-slb vserver-vport)# service-group SG
ACOS(config-slb vserver-vport)# exit

The following example shows the DNS response rate limiting entries returned by the show command:

ACOS#show dns response-rate-limiting entries

Source Address          FQDN                      Hit Count
-----------------------+-------------------------+----------
10.211.3.101            test4.example.com         4
10.211.3.100            test4.example.com         3
10.211.3.101            test0.example.com         4
10.211.3.100            test0.example.com         4
10.211.3.101            test1.example.com         3
10.211.3.100            test1.example.com         3
10.211.3.101            test3.example.com         3
10.211.3.100            test3.example.com         4
10.211.3.2              test2.example.com         4
10.211.3.2              test4.example.com         4
10.211.3.2              test0.example.com         3
10.211.3.2              test1.example.com         3
10.211.3.2              test3.example.com         4
10.211.3.101            test2.example.com         4
10.211.3.100            test2.example.com         3
Total Entries: 15

NOTE: For more information about these configuration commands and how to monitor the
feature, see the CLI Reference for ADC Guide.


DNSSEC Support

This chapter describes the ACOS device’s DNSSEC support.

This topic contains the following sections:

• Overview of DNSSEC Support

• Building the Chain of Trust

• Dynamic Key Generation and Rollover

• Hardware Security Module Support

• DNSSEC Configuration

Overview of DNSSEC Support


This topic contains the following sections:

• Details

• DNS without Security

• DNSSEC (DNS with Security)

Details
An ACOS device that is configured as a Global Server Load Balancing (GSLB) controller can act as an
authoritative DNS server for a domain zone. As the authoritative DNS server for the zone, the ACOS
device sends records in response to requests from DNS clients. The ACOS device supports the ability to
respond to client requests for the following types of records:

• A

• AAAA

• CNAME

• NS

• MX


• PTR

• SRV

• TXT

If you place the ACOS device in the DNS infrastructure, the device is exposed to potential online attacks.
When DNS was originally designed, there were no mechanisms to ensure the DNS infrastructure would
remain secure.

In an unsecured DNS environment, the client’s DNS resolver has no way to assess the validity of the
address it receives for a particular domain name, so the client’s DNS resolver cannot tell whether an
address received for a particular domain is from the legitimate owner of that domain.

This potential security hole makes DNS vulnerable to “man-in-the-middle” attacks, DNS cache poisoning
attacks, and other online attacks that could be used to forge DNS data, hijack traffic, and to potentially
steal sensitive information from the user.

To close this security hole, in the 1990s, the Internet Engineering Task Force (IETF) introduced a set of
standards called Domain Name System Security Extensions (DNSSEC). These additional standards add
authentication to DNS and help ensure the integrity of the data that is transferred between the client
resolvers and DNS servers.

DNSSEC provides origin authentication and integrity protection through cryptographic keys and digital
signatures, so that a resolver can verify that the records it receives were published by the zone’s
legitimate operator and were not altered in transit. It does not encrypt DNS traffic, and it does not by
itself secure the connection to the server whose address is returned. The ACOS device’s implementation
of DNSSEC is based on RFCs 4033, 4034, and 4035.

NOTE: DNSSEC for GSLB is not supported in proxy mode.

DNS without Security


Figure 4 illustrates basic DNS without DNSSEC. The figure shows the lookup process that occurs when a
client resolver requests the IP address for a domain name, in a simple DNS environment without
DNSSEC.


FIGURE 4 DNS Packet Flow without DNSSEC

A client (shown at upper left) requires access to a server in the domain zone1.example.org (at lower
left). The ACOS device, which is acting as the GSLB controller, is the authoritative DNS server for the
zone. To access this server, the client needs the IP address for the name in that zone.

When the user enters the domain name in the web browser’s URL bar, the process to obtain the
associated IP address is as follows:

1. The DNS resolver on the client sends an address request (“A?”) to the Caching DNS server, asking
whether it already holds the IP address for the requested name.
2. The Caching DNS server keeps a cache of name-to-address mappings, but the cache is not
comprehensive and does not contain the required address. Acting on the client’s behalf, it resolves the
name itself, beginning with a query to the Root DNS Server at the top of the DNS hierarchy.
3. The Root DNS Server does not have the requested IP address.
4. To point the Caching DNS server in the right direction, it answers with a referral: the Name Server
(NS) record for the “.org” Top Level Domain (TLD), together with the IP address of that TLD server.
5. The Caching DNS server now has the address of the name server that manages the “.org” domain, so
it sends the address request on the client’s behalf to the TLD DNS server for “.org”.
6. The TLD server does not have the requested IP address.
7. The TLD server points the Caching DNS server further down the hierarchy with an NS record (and
address) for the authoritative DNS server for the example.org domain.
8. The Caching DNS server now has the address of the authoritative DNS server for example.org, so it
sends a request for zone1.example.org to that server.
9. The authoritative DNS server for example.org does not have the requested information, but it brings
the Caching DNS server one step closer by providing the NS record for the authoritative DNS server for
the zone1.example.org domain.
10. The Caching DNS server sends a request to the authoritative DNS server for the zone1.example.org
domain.
11. The ACOS device, which is the authoritative DNS server for zone1.example.org, has the IP address
that the client needs.
12. The ACOS device sends the requested IP address to the Caching DNS server.
13. The Caching DNS server returns the IP address provided by the ACOS device to the DNS resolver on
the client.

The client now has the IP address needed to reach the server in the zone1 subdomain.

DNSSEC (DNS with Security)


Figure 5 illustrates how the DNS query process works when the security extensions (DNSSEC) are used.
The process is similar to the one illustrated in Figure 4, with the notable exception that DNSSEC uses
the following additional resource record types to provide security:

• DNS Key (DNSKEY) – The public half of a zone’s signing key. The authoritative DNS server signs its
resource records with the private half, which is never published; validating resolvers use the DNSKEY
to verify those signatures.
• Delegation Signer (DS) – Hash (message digest) of a child zone’s public Key Signing Key, published
and signed in the parent zone. A validator uses the DS for a zone that is directly underneath the parent
in the DNS hierarchy to confirm that the DNSKEY it received from that child zone’s authoritative server
is the one the parent vouches for.
• Resource Record Signature (RRSIG) – Digital signature over another resource record set, such as an
A record.
The signer hashes the canonical form of the record set, signs that hash with the zone’s private key, and
publishes the result in an RRSIG record alongside the records it covers. The RRSIG carries only the
signature, the key tag that identifies the DNSKEY needed to verify it, and the signature’s validity
window; the private key itself stays with the signer (here, the ACOS device and its HSM).

Figure 4 shows how basic DNS works without DNSSEC, and Figure 5 shows how the DNS lookup
process works with DNSSEC.

The lookup process remains largely unchanged, with the higher-level DNS servers referring the resolver
to lower-level servers in the DNS hierarchy, moving the request closer to the authoritative server for the
desired domain.

With DNSSEC, however, the additional DS, RRSIG, and DNSKEY records are used to sign and
authenticate the data returned by the DNS servers. The resolver can thereby verify that each answer in
the “chain of trust” was signed with the private key whose public half the zone’s parent has vouched for,
which is what proves that the data came from the legitimate authoritative server for that zone.

NOTE: For more details, see Building the Chain of Trust.


FIGURE 5 DNS Packet Flow with DNSSEC

Figure 5 shows the resolution process for an address query from the DNS resolver on a client for the IP
address of zone1.example.org.

1. The DNS resolver on the client sends an address query for the IP address of a host under
zone1.example.org.
2. The Caching DNS server, which does not have the address, forwards the request to the root server.
3. The root server refers the Caching DNS server to the TLD DNS server for the .org domain.
It does this by sending the NS record (with the TLD server’s address) for .org, together with the DS
record for .org and an RRSIG over that DS record produced with the root zone’s private key. No private
key is ever transmitted; the RRSIG carries only the signature.
4. The Caching DNS server sends the address query to the TLD server for the .org domain.
5. The TLD server does not have the requested address, so it points the Caching DNS server to the
Authoritative DNS server for example.org.
6. The TLD server sends the NS record with the address of the authoritative server for example.org,
together with the DS record for example.org and an RRSIG over that DS record made with the .org
zone’s private key.
7. The Caching DNS server sends the address query to the Authoritative DNS server for example.org.
8. The Authoritative DNS server for example.org does not have the requested address, so it responds
to the caching server’s request with the NS record for the zone1.example.org delegation.
This NS record names the Authoritative DNS server for zone1.example.org and is accompanied by its
address.
9. The same server also sends the DS record for zone1.example.org, with an RRSIG made with the
example.org zone’s private key.
10. The Caching DNS server sends the address query to the Authoritative DNS server for
zone1.example.org, which happens to be the ACOS device.
11. The Caching DNS server has reached the Authoritative DNS server for zone1.example.org.
12. The Authoritative DNS server (the ACOS device) replies with the SOA record, the requested A
record, and the RRSIG records that were generated over the SOA and A records with the zone’s private
ZSK.
13. The Caching DNS server asks the ACOS device for its DNSKEY record, which advertises the zone’s
public keys.
These public keys are needed to verify the RRSIG signatures and to check the key hashes back up the
chain.
14. The ACOS device sends its DNSKEY record set, together with the RRSIG that was made over it with
the private KSK.
15. To continue assembling the chain of trust, the Caching DNS server asks the Authoritative DNS
server for example.org for its DNSKEY record.
16. The Authoritative DNS server for example.org sends its DNSKEY record set with the RRSIG that was
made over it with that zone’s private KSK.
17. The Caching DNS server asks the TLD server for .org for its DNSKEY record.
18. The TLD server sends its DNSKEY record set with the RRSIG that was made over it.
19. The Caching DNS server now has every public key and DS record it needs and has validated each
link in the chain of trust: each DNSKEY matches the DS hash published by its parent, and each RRSIG
verifies under the corresponding DNSKEY.
The Caching DNS server can now send the trusted response to the DNS resolver on the client.


Building the Chain of Trust


Figure 6 illustrates how the Chain of Trust is built in the DNSSEC infrastructure. A Chain of Trust is
built like a series of links, where each node vouches for the one below it.

The presence of a Chain of Trust lets the client’s DNS resolver know that all of the DNS servers in the
chain have vouched for one another, starting from the Root DNS Server and continuing down to the
lowest-level DNS server.

FIGURE 6 DNSSEC Chain of Trust

Figure 6 shows the Authoritative DNS Server for the zone1.example.org domain at the bottom left, and
the Root DNS Server at the upper right.


Starting from the lower left, the Authoritative DNS Server for the zone1.example.org domain has a
DNSKEY record set. It contains the zone’s public Zone Signing Key (ZSK) and public Key Signing Key
(KSK). The private ZSK is used to sign the zone’s other record types, such as A records; the DNSKEY
record set itself is signed by the private KSK, which also belongs to this zone.

The Start of Authority (SOA) record indicates that this server is the Authoritative DNS Server for zone1.
The A record provides the IP address for zone1.example.org.

The next level up in the DNS hierarchy corresponds to the next “label” in the name, example.org, and it
publishes a Delegation Signer (DS) record for the child. The DS record contains a hash, or message
digest, of the public Key Signing Key (KSK) that belongs to the Authoritative DNS Server for the node
below, zone1.example.org.

The validating DNS resolver (or the Caching DNS Server) recomputes that hash from the DNSKEY it
received from the child and compares it with the DS published by the parent; the values must match. If
the hash in a DS record cannot be recreated from the DNSKEY record, the packet that contains the key
record may have been tampered with, cannot be trusted, and should be discarded.

However, if the hash value is correct, the Chain of Trust is unbroken at this link, and the DNSKEY record
for the Authoritative DNS Server for zone1.example.org is properly linked to the DS record above it.

In turn, the DNSKEY record for the Authoritative DNS Server for example.org is properly linked to the
DS record above it in the .org zone. This process of linking each zone’s DNSKEY with the DS record in
the zone above continues all the way to the Root DNS Server.

The client’s DNS resolver knows that the root zone’s keys are legitimate because of a “trust anchor”: a
copy of the root zone’s public KSK (or its DS hash) that is shipped with, or securely provisioned into, the
resolver software on the client. Because the anchor is obtained out of band rather than looked up, a
forged or compromised root server cannot simply present a key of its own.

Because of this anchor, the client knows that the root zone can be trusted, and the client can infer that
the other nodes in the Chain of Trust can also be trusted. The hash values match all the way down the
line, which shows that the Chain of Trust is intact and that the client’s DNS resolver can trust the
Authoritative DNS Server for zone1.example.org, at the bottom of the Chain of Trust in the DNS
hierarchy.
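The DS-to-DNSKEY check that links each zone to its parent, as an added Python example that is not part of ACOS or of this guide’s original text. It implements the RFC 4034 key tag and DS digest computations (digest over the canonical owner name followed by the DNSKEY RDATA) with the standard library only. The zone keys below are constructed byte patterns, not real RSA keys, and the RRSIG verification of the DS and DNSKEY record sets that a full validator also performs is deliberately left out; the chain-walking helper and its data are assumptions made for the example:

```python
"""Recreate a child's DS record from its DNSKEY and walk a DNSSEC chain of trust.
Added example (standard library only); keys are constructed byte patterns, not real keys."""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm number, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest type numbers


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS = key tag, algorithm, digest type, H(owner name | DNSKEY RDATA) (RFC 4034 s.5.1.4)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The check performed at each link: can the parent's DS be recreated from the child's key?
    By convention a DS points at a KSK, so the SEP flag (bit 15, value 1) must be set."""
    flags = int.from_bytes(rdata[:2], "big")
    if not flags & 0x0001:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return make_ds(owner, rdata, ds["digest_type"])["digest"] == ds["digest"]


def chain_is_intact(zones, published_ds: dict, trust_anchor: dict) -> bool:
    """zones: [(owner, ksk_rdata), ...] for every zone on the path. The root key is checked
    against the resolver's built-in trust anchor; every other key against the DS its parent
    publishes. A missing DS or a hash mismatch anywhere breaks the chain."""
    for owner, rdata in zones:
        ds = trust_anchor if owner in (".", "") else published_ds.get(owner)
        if ds is None or not ds_matches_dnskey(ds, owner, rdata):
            return False
    return True


# Constructed KSKs (flags 257 = zone key + SEP, algorithm 8 = RSA/SHA-256) for the path in Figure 6.
SAMPLE_KEYS = {
    ".": dnskey_rdata(257, 3, 8, bytes(range(64))),
    "org.": dnskey_rdata(257, 3, 8, bytes(range(1, 65))),
    "example.org.": dnskey_rdata(257, 3, 8, bytes(range(2, 66))),
    "zone1.example.org.": dnskey_rdata(257, 3, 8, bytes(range(3, 67))),
}
# The DS each parent publishes for its child, plus the root trust anchor shipped with the resolver.
TRUST_ANCHOR = make_ds(".", SAMPLE_KEYS["."])
PUBLISHED_DS = {o: make_ds(o, k) for o, k in SAMPLE_KEYS.items() if o != "."}

if __name__ == "__main__":
    print("chain intact:", chain_is_intact(list(SAMPLE_KEYS.items()), PUBLISHED_DS, TRUST_ANCHOR))
    print("zone1 DS:", PUBLISHED_DS["zone1.example.org."])
```

The same `make_ds` output is what the `export dnssec-ds` step later in this chapter hands to the parent zone; if the parent publishes a DS that does not match the DNSKEY the ACOS device serves, every validating resolver will treat zone1.example.org as bogus, which is why the DS hand-off after a KSK rollover has to be done before the old key expires.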

Dynamic Key Generation and Rollover


DNSSEC uses dynamic key generation and rollover provided by the HSM, so HSM configuration is
required.

This topic contains the following sections:

• Key Generation and Rollover Parameters

• Key Rollover and Distribution Process

• Key Regeneration Log Messages

• Importing/Exporting Key Files

• Emergency Key Rollover

• Changing Key Settings

Key Generation and Rollover Parameters


When HSM and DNSSEC are enabled, ACOS uses the following key generation and rollover settings for
DNSSEC:

• Key size – Length of the keys in bits. You can specify 1024-4096 bits. The default length for
ZSKs and KSKs is 2048 bits.
• Lifetime – Maximum amount of time a dynamically generated key remains valid.

• Rollover time – Amount of time to wait after a new key becomes active, before generating that
key’s replacement.

The range of values for the lifetime and rollover time is 1 to 2,147,483,647 seconds (about 68 years).
The default lifetime and rollover time differ for ZSKs and KSKs:

• ZSKs – The default lifetime is 7,776,000 seconds (90 days), and the default rollover time is
7,171,200 seconds (83 days).
• KSKs – The default lifetime is 31,536,000 seconds (365 days), and the rollover time is 30,931,200
seconds (358 days).

Key Rollover and Distribution Process


Dynamic key generation and rollover are enabled by default when a DNSSEC template becomes active;
no additional configuration is required. Figure 7 shows the rekey and rollover schedule when the default
settings for ZSKs and KSKs are used.


FIGURE 7 DNSSEC - Default Rekey and Rollover

When DNSSEC is enabled, the HSM generates a KSK for the GSLB zone, generates a ZSK for the zone,
and signs the zone’s DNSKEY record set with the KSK. Messages like the following appear in the log.

Key Regeneration Log Messages


ACOS generates messages such as the following when key regeneration occurs:

Log Buffer: 30000 Jul 31 2013 06:49:13 Notice [DNS]:succeed to reload the signature of zone "test.com"
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate ZSK test.com_zsk_2013-07-31-06-48-58 for zone test.com
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:please transfer the DS RR of zone test.com to the parent zone for the initial process.
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate KSK test.com_ksk_2013-07-31-06-48-57 for zone test.com

The first message, starting at the bottom, indicates a successful generation of a KSK for child zone
test.com. The next message, which is second from the bottom, is a reminder to copy the DS resource
record for the key to the authoritative DNS server for the parent zone.

The third message indicates a successful generation of the ZSK for child zone test.com. The final mes-
sage at the top, indicates completion of the rekey process.

CAUTION: Although key generation and rollover are automatic, ACOS does not auto-
matically send the DS record for the new KSK to the parent zone. This
part of the process must be performed manually. If the default key gener-
ation and rollover settings are used, this process needs to be performed
once a year.
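Because the DS hand-off to the parent is manual, an operator will want to alert on the “please transfer the DS RR” message rather than discover a broken chain when the old KSK expires. The following added Python example (not ACOS code) parses the log excerpt above into structured events and lists the zones with a pending DS update. The message formats are taken from the excerpt, with the wrapped key name rejoined; anything beyond those four message shapes, including how a real deployment would ship the log lines to this script, is an assumption:

```python
"""Parse ACOS DNSSEC key-regeneration log lines and flag zones that need a DS record pushed
to the parent. Added example: the line formats come from the log excerpt in this guide."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The excerpt above, with the wrapped KSK name rejoined. "Log Buffer: 30000" is the banner
# that precedes the first line of buffered log output.
SAMPLE_LOG = """\
Log Buffer: 30000 Jul 31 2013 06:49:13 Notice [DNS]:succeed to reload the signature of zone "test.com"
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate ZSK test.com_zsk_2013-07-31-06-48-58 for zone test.com
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:please transfer the DS RR of zone test.com to the parent zone for the initial process.
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate KSK test.com_ksk_2013-07-31-06-48-57 for zone test.com
"""

LINE = re.compile(r"(?:Log Buffer: \d+ )?(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (\w+) \[(\w+)\]:\s*(.*)$")
GEN = re.compile(r"succeed to generate (ZSK|KSK) (\S+) for zone (\S+)")
DS_NEEDED = re.compile(r"please transfer the DS RR of zone (\S+) to the parent zone")
RELOAD = re.compile(r'succeed to reload the signature of zone "([^"]+)"')


@dataclass
class DnssecEvent:
    when: datetime
    zone: str
    kind: str                        # key_generated | ds_transfer_required | signatures_reloaded
    key_type: Optional[str] = None   # ZSK or KSK for key_generated
    key_name: Optional[str] = None


def parse_dnssec_log(text: str):
    """Turn raw log lines into DnssecEvent records, oldest first; unrelated lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _severity, _module, msg = m.groups()
        when = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
        g = GEN.search(msg)
        d = DS_NEEDED.search(msg)
        r = RELOAD.search(msg)
        if g:
            events.append(DnssecEvent(when, g.group(3), "key_generated", g.group(1), g.group(2)))
        elif d:
            events.append(DnssecEvent(when, d.group(1), "ds_transfer_required"))
        elif r:
            events.append(DnssecEvent(when, r.group(1), "signatures_reloaded"))
    return sorted(events, key=lambda e: e.when)


def pending_ds_updates(events):
    """Zones for which ACOS asked for a DS record in the parent: the step the CAUTION above
    says is never automated, so it is the one worth paging on."""
    return sorted({e.zone for e in events if e.kind == "ds_transfer_required"})


if __name__ == "__main__":
    evs = parse_dnssec_log(SAMPLE_LOG)
    for e in evs:
        print(e.when.isoformat(), e.zone, e.kind, e.key_type or "", e.key_name or "")
    print("DS update pending for:", pending_ds_updates(evs))
```

Feeding the same parser a continuous syslog stream from the device turns the CAUTION into an actionable alert: each `ds_transfer_required` event names the zone whose new KSK is not yet anchored in the parent, and the matching `key_generated` event gives the key name to look for in `export dnssec-ds` output.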

Importing/Exporting Key Files


The import and export commands are used to import and export DNSSEC key files. For example, to
import a file:

ACOS# import dnssec-dnskey zone-name scp://[email protected]/file

To export a file:

ACOS# export dnssec-dnskey zone-name scp://[email protected]/file

After enabling DNSSEC, wait about a minute for the keys to be generated. Then use the export dnssec-ds
command to copy the DS resource record for the zone to the DNS server that is authoritative for the
parent zone.

For syntax information, see the Command Line Interface Reference.

Emergency Key Rollover


The dnssec key-rollover command allows you to force an immediate key rollover, if necessary. For
example, to force an immediate ZSK rollover in emergency mode:

ACOS(config)# dnssec key-rollover zone1 ZSK start

The start option initiates a rollover for the specified key type.


For KSK rollover, the ds-ready-in-parent-zone option indicates that the DS record for the new KSK has
been exported to the parent zone. Use this option only after you have installed the DS record for the new
KSK on the authoritative DNS server for the parent zone. For example:

ACOS(config)# dnssec key-rollover zone2 KSK ds-ready-in-parent-zone

Changing Key Settings


Use the zsk lifetime and ksk lifetime commands to change the lifetime and rollover settings for
ZSKs and KSKs, respectively.

Enter the commands at the configuration level for the DNSSEC template.

NOTE: For more information about the supported values, see Key Generation
and Rollover Parameters.

Hardware Security Module Support


Hardware Security Module (HSM) provides additional security, while simplifying key management.

The current release supports a software emulation version of HSM in ACOS. Keys are generated and
stored on the ACOS device. This version can be useful for testing or for environments where the addi-
tional security of a hardware-based HSM is not required.

HSM is required for DNSSEC, and manual key generation of DNSSEC ZSKs or KSKs is not supported.
For information about external HSM support, contact A10 Networks.

DNSSEC Configuration
This topic contains the following sections:

• Modes

• DNSSEC Configuration Example


Modes
DNSSEC configuration consists of the following steps:

1. Configuring an HSM Template.
2. Configuring a DNSSEC Template.
3. Configuring a GSLB Policy and Enable Server Mode.
4. Binding the DNSSEC Template to the Zone.
The other configuration requirements are the same as the requirements without DNSSEC. For more
information, see the Global Server Load Balancing Guide.
5. Configuring DNSSEC Standalone.
Unless the ACOS device is part of a GSLB controller group, enable standalone operation.
6. Configuring the VIP for DNSSEC Requests.

DNSSEC Configuration Example


This topic contains the following sections:

• Configuring an HSM Template

• Configuring a DNSSEC Template

• Configuring GSLB

• Configuring a GSLB Policy and Enable Server Mode

• Binding the DNSSEC Template to the Zone

• Configuring DNSSEC Standalone

• Configuring the VIP for DNSSEC Requests

The following sections show the configuration from a device that is configured for DNSSEC.

Configuring an HSM Template


The following commands configure an HSM template:

ACOS(config)# hsm template hsm1 softHSM
ACOS(config-template:hsm1)# password encrypted /+mboU9rpJM8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ACOS(config-template:hsm1)# exit


Configuring a DNSSEC Template


The following commands configure a DNSSEC template:

ACOS(config)# dnssec template dt1
ACOS(config-dnssec)# zsk lifetime 2400 rollover-time 1900
ACOS(config-dnssec)# ksk lifetime 2500 rollover-time 2000
ACOS(config-dnssec)# signature-validity-period 11
ACOS(config-dnssec)# dnskey-ttl 5
ACOS(config-dnssec)# hsm hsm1
ACOS(config-dnssec)# exit

Configuring GSLB
The following commands configure GSLB.

ACOS(config)# gslb service-ip vip-1 1.0.0.1
ACOS(config-service-ip:vip-1)# health-check-protocol-disable
ACOS(config-service-ip:vip-1)# health-check-disable
ACOS(config-service-ip:vip-1)# port 80 tcp
ACOS(config-service-ip:vip-1-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-1-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-1-port:tcp)# exit
ACOS(config-service-ip:vip-1)# port 21 tcp
ACOS(config-service-ip:vip-1-port:tcp)# exit
ACOS(config-service-ip:vip-1)# exit
ACOS(config)# gslb service-ip vip-2 1.0.0.2
ACOS(config-service-ip:vip-2)# health-check-protocol-disable
ACOS(config-service-ip:vip-2)# health-check-disable
ACOS(config-service-ip:vip-2)# port 80 tcp
ACOS(config-service-ip:vip-2-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-2-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-2-port:tcp)# exit
ACOS(config-service-ip:vip-2)# port 21 tcp
ACOS(config-service-ip:vip-2-port:tcp)# exit
ACOS(config-service-ip:vip-2)# exit
ACOS(config)# gslb service-ip vip-3 1.0.0.3
ACOS(config-service-ip:vip-3)# health-check-protocol-disable
ACOS(config-service-ip:vip-3)# health-check-disable
ACOS(config-service-ip:vip-3)# port 80 tcp
ACOS(config-service-ip:vip-3-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-3-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-3-port:tcp)# exit
ACOS(config-service-ip:vip-3)# port 21 tcp
ACOS(config-service-ip:vip-3-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-3-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-3-port:tcp)# exit
ACOS(config-service-ip:vip-3)# exit
ACOS(config)# gslb service-ip ns 10.10.10.5
ACOS(config-service-ip:ns)# health-check-protocol-disable
ACOS(config-service-ip:ns)# health-check-disable
ACOS(config-service-ip:ns)# exit
ACOS(config)# gslb service-ip vip-4 1.0.0.4
ACOS(config-service-ip:vip-4)# health-check-protocol-disable
ACOS(config-service-ip:vip-4)# health-check-disable
ACOS(config-service-ip:vip-4)# port 80 tcp
ACOS(config-service-ip:vip-4-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-4-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-4-port:tcp)# exit
ACOS(config-service-ip:vip-4)# port 21 tcp
ACOS(config-service-ip:vip-4-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-4-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-4-port:tcp)# exit
ACOS(config-service-ip:vip-4)# exit
ACOS(config)# gslb service-ip vip-5 1.0.0.5
ACOS(config-service-ip:vip-5)# health-check-protocol-disable
ACOS(config-service-ip:vip-5)# health-check-disable
ACOS(config-service-ip:vip-5)# port 80 tcp
ACOS(config-service-ip:vip-5-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-5-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-5-port:tcp)# exit
ACOS(config-service-ip:vip-5)# port 21 tcp
ACOS(config-service-ip:vip-5-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-5-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-5-port:tcp)# exit
ACOS(config-service-ip:vip-5)# exit
ACOS(config)# gslb service-ip vip-6 1.0.0.6
ACOS(config-service-ip:vip-6)# health-check-protocol-disable
ACOS(config-service-ip:vip-6)# health-check-disable
ACOS(config-service-ip:vip-6)# port 80 tcp
ACOS(config-service-ip:vip-6-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-6-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-6-port:tcp)# exit
ACOS(config-service-ip:vip-6)# port 21 tcp
ACOS(config-service-ip:vip-6-port:tcp)# health-check-protocol-disable
ACOS(config-service-ip:vip-6-port:tcp)# health-check-disable
ACOS(config-service-ip:vip-6-port:tcp)# exit
ACOS(config-service-ip:vip-6)# exit
ACOS(config)# gslb service-ip vip6-1 2001:111::1
ACOS(config-service-ip:vip6-1)# port 80 tcp
ACOS(config-service-ip:vip6-1-port:tcp)# exit
ACOS(config-service-ip:vip6-1)# port 21 tcp
ACOS(config-service-ip:vip6-1-port:tcp)# exit
ACOS(config-service-ip:vip6-1)# exit
ACOS(config)# gslb service-ip vip6-2 2001:111::2
ACOS(config-service-ip:vip6-2)# port 80 tcp
ACOS(config-service-ip:vip6-2-port:tcp)# exit
ACOS(config-service-ip:vip6-2)# port 21 tcp
ACOS(config-service-ip:vip6-2-port:tcp)# exit
ACOS(config-service-ip:vip6-2)# exit
ACOS(config)# gslb service-ip vip6-3 2001:111::3
ACOS(config-service-ip:vip6-3)# port 80 tcp
ACOS(config-service-ip:vip6-3-port:tcp)# exit
ACOS(config-service-ip:vip6-3)# port 21 tcp
ACOS(config-service-ip:vip6-3-port:tcp)# exit
ACOS(config-service-ip:vip6-3)# exit
ACOS(config)# gslb service-ip vip6-4 2001:111::4
ACOS(config-service-ip:vip6-4)# port 80 tcp
ACOS(config-service-ip:vip6-4-port:tcp)# exit
ACOS(config-service-ip:vip6-4)# port 21 tcp
ACOS(config-service-ip:vip6-4-port:tcp)# exit
ACOS(config-service-ip:vip6-4)# exit
ACOS(config)# gslb service-ip vip6-5 2001:111::5
ACOS(config-service-ip:vip6-5)# port 80 tcp
ACOS(config-service-ip:vip6-5-port:tcp)# exit
ACOS(config-service-ip:vip6-5)# port 21 tcp
ACOS(config-service-ip:vip6-5-port:tcp)# exit
ACOS(config-service-ip:vip6-5)# exit
ACOS(config)# gslb service-ip vip6-6 2001:111::6
ACOS(config-service-ip:vip6-6)# port 80 tcp
ACOS(config-service-ip:vip6-6-port:tcp)# exit
ACOS(config-service-ip:vip6-6)# port 21 tcp
ACOS(config-service-ip:vip6-6-port:tcp)# exit
ACOS(config-service-ip:vip6-6)# exit
ACOS(config)# gslb service-ip vip-187 1.1.1.187
ACOS(config-service-ip:vip-187)# health-check-protocol-disable
ACOS(config-service-ip:vip-187)# health-check-disable
ACOS(config-service-ip:vip-187)# exit
ACOS(config)# gslb site local
ACOS(config-gslb site:local)# bw-cost limit 100 threshold 10
ACOS(config-gslb site:local)# slb-dev self 127.0.0.1
ACOS(config-gslb site:local-slb dev:self)# vip-server vip1
ACOS(config-gslb site:local-slb dev:self)# vip-server vip2
ACOS(config-gslb site:local-slb dev:self)# vip-server vip3
ACOS(config-gslb site:local-slb dev:self)# exit
ACOS(config-gslb site:local)# ip-server ns
ACOS(config-gslb site:local)# ip-server vip-187
ACOS(config-gslb site:local)# ip-server vip-1
ACOS(config-gslb site:local)# ip-server vip-2
ACOS(config-gslb site:local)# ip-server vip-3
ACOS(config-gslb site:local)# exit
ACOS(config)# gslb site remote
ACOS(config-gslb site:remote)# weight 10
ACOS(config-gslb site:remote)# slb-dev site 192.168.217.1
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip6-4
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip6-5
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip6-6
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip-4
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip-5
ACOS(config-gslb site:remote-slb dev:site)# vip-server vip-6
ACOS(config-gslb site:remote-slb dev:site)# exit
ACOS(config-gslb site:remote)# exit
ACOS(config)#

Configuring a GSLB Policy and Enabling Server Mode

The gslb policy command configures a GSLB policy:

ACOS(config)# gslb policy gpol1
ACOS(config-policy:gpol1)# dns geoloc-alias
ACOS(config-policy:gpol1)# dns server authoritative ns ptr srv sec

The dns server command enables server mode, and also enables this ACOS device to be the authoritative DNS server for the GSLB zones that use this policy.

Binding the DNSSEC Template to the Zone

Use the template dnssec command to bind the DNSSEC template to the zone:

ACOS(config)# gslb zone test.com
ACOS(config-zone:test.com)# policy gpol1
ACOS(config-zone:test.com)# template dnssec dt1
ACOS(config-zone:test.com)# service 0 www
ACOS(config-zone:test.com-service:www)# dns-a-record vip-2 static
ACOS(config-zone:test.com-service:www)# dns-a-record vip-1 static
ACOS(config-zone:test.com-service:www)# exit
ACOS(config-zone:test.com)# exit
ACOS(config)# gslb zone test1.com
ACOS(config-zone:test1.com)# policy gpol1
ACOS(config-zone:test1.com)# template dnssec dt1
ACOS(config-zone:test1.com)# service 0 www
ACOS(config-zone:test1.com-service:www)# dns-a-record vip-2 static
ACOS(config-zone:test1.com-service:www)# dns-a-record vip-1 static
ACOS(config-zone:test1.com-service:www)# exit
ACOS(config-zone:test1.com)# exit

Configuring DNSSEC Standalone

The ACOS device does not need to be a member of a GSLB controller group to run DNSSEC. GSLB is still required for standalone DNSSEC operation, but configuring a GSLB controller group is not required.

Support for standalone DNSSEC operation is optional and is disabled by default. The following command enables it:

ACOS(config)# dnssec standalone

Configuring the VIP for DNSSEC Requests

The following commands configure the virtual servers and DNS service ports:

ACOS(config)# slb virtual-server vs-1 10.105.1.111
ACOS(config-slb vserver)# port 53 udp
ACOS(config-slb vserver-vport)# name _1.1.1.1_UDP_53
ACOS(config-slb vserver-vport)# gslb-enable
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 53 dns-tcp
ACOS(config-slb vserver-vport)# name _1.1.1.1_DNS-TCP_53
ACOS(config-slb vserver-vport)# gslb-enable
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Location-Based VIP Access

This chapter contains the following topics:

• Overview of Location-based VIP Access

• Configuration Using a Class List

• Configuration Using a Black/White List

• Enabling Full-Domain Checking

• Enabling PBSLB Statistics Counter Sharing

Overview of Location-based VIP Access

You can control access to a VIP based on the geo-location of the client. Depending on the location of the client, you can also configure ACOS to perform one of the following actions for traffic from a client:

• Drop the traffic

• Reset the connection

• Send the traffic to a specific service group (if configured using a black/white list)

ACOS determines a client’s location by looking up the client’s subnet in the geo-location database that is
used by Global Server Load Balancing (GSLB).

NOTE: This feature requires you to load a geo-location database, but does not
require any other configuration of GSLB. The ACOS system image
includes the Internet Assigned Numbers Authority (IANA) database. By
default, the IANA database is not loaded but you can easily load it. For
more information, see Loading the IANA Geo-Location Database.

Configuration Using a Class List


This section shows how to configure the geo-location-based VIP access by using a class list.

NOTE: In the current release, geo-location-based VIP access works only if the
class list is imported as a file. The CLI does not support configuration of
class-list entries for this application.

Example

The following class list maps client geo-locations to limit IDs (LIDs), which specify the maximum number of concurrent connections allowed for clients in the geo-locations.

L US 1
L US.CA 2
L US.CA.SJ 3

The following commands import the class list to the ACOS device, configure a policy template, and bind
the template to a virtual port. The connection limits specified in the policy template apply to clients that
send requests to the virtual port.

NOTE: This example assumes the default geo-location database (iana) is loaded.

ACOS(config)# import class-list c-share tftp://192.168.32.162/
File name [/]? c-share
Importing ... Done.
ACOS(config)# slb template policy pclass
ACOS(config-policy)# class-list c-share
ACOS(config-policy-class-list:c-share)# lid 1
ACOS(config-policy-class-list:c-share-li...)# conn-limit 4
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# lid 2
ACOS(config-policy-class-list:c-share-li...)# conn-limit 2
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# lid 3
ACOS(config-policy-class-list:c-share-li...)# conn-limit 1
ACOS(config-policy-class-list:c-share-li...)# exit
ACOS(config-policy-class-list:c-share)# exit
ACOS(config-policy)# geo-location overlap
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server vip1 10.1.1.155
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy pclass
ACOS(config-slb vserver-vport)# exit

The following command verifies the operation of the policy:

ACOS(config-policy)# show slb geo-location statistics

M = Matched or Level, ID = Group ID
Conn = Connection number, Last = Last Matched IP
v = Exact Match, x = Fail
Virtual Server: vip1/80, c-share
--------------------------------------------------------------------------------
max Depth: 3
Success: 3
Geo-location M ID Permit Deny Conn Last
--------------------------------------------------------------------------------
US.CA.SJ v 3 1 1 1 77.1.1.107
--------------------------------------------------------------------------------
Total: 1

Configuration Using a Black/White List

This topic contains the following sections:

• Details

• Configuring the Black/White List

Details

To configure geo-location-based access control for a VIP:

1. Configure a black/white list.
You can configure the list by using a text editor or enter the list into the GUI. If you configure the list by using a text editor, import the list to the ACOS device.
2. Configure an SLB policy (PBSLB) template.
In the template, specify the black/white list name, and the actions to perform for the group IDs in the list.
3. Verify that the geo-location database is loaded.
For more information about loading the geo-location database, see Loading the IANA Geo-Location Database.

4. Apply the policy template to the virtual port for which you want to control access.

Configuring the Black/White List

This topic contains the following sections:

• Methods

• Using the GUI

• CLI Example

Methods

You can configure black/white lists in one of the following ways:

• Remote – Use a text editor and import the list to the ACOS device.

• Local – Enter the black/white list in a management GUI window.

With both methods, the syntax is the same. The black/white list must be a text file that contains entries
(rows) in the following format:

L "geo-location" group-id #conn-limit

The parameters in this syntax are described in Table 5.

TABLE 5 Black/White List Syntax Description

Parameter     Description
L             Indicates that the client's location will be determined by using information in the geo-location database.
geo-location  String in the geo-location database that is mapped to the client's IP address, for example, "US", "US.CA", or "US.CA.SanJose".
group-id      Number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The default group ID is 0, which means no group is assigned. On the ACOS device, the group ID specifies the action to perform on client traffic.
#conn-limit   Maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit.

Below is a simple example of a Black/White list:

L "US" 1
L "US.CA" 2
L "JP" 3

Using the GUI


This topic contains the following sections:

• Creating a Black-White List

• Configuring an SLB policy (PBSLB) Template

• Loading the IANA Geo-Location Database

• Applying the Policy Template to a Virtual Port

Creating a Black-White List

To configure a Black-White list by using the GUI:

1. Navigate to ADC >> Black-white Lists.
2. Click Create and complete the fields on the Create Black-White List page.
Enter the list in the Definition field.

NOTE: For more details and information about any of the required fields on this
page, see the latest version of the GUI Online Help.

3. Click Create.

Configuring an SLB policy (PBSLB) Template

To configure an SLB policy template:

1. Navigate to ADC >> Templates >> L7.
2. Click Create and select Policy from the drop-down list.
3. In the Name field, specify a template name.
4. Complete the other fields on the screen as desired.

NOTE: For more details and information about any of the required fields on this
page, see the latest version of the GUI Online Help.

5. Click OK.

Loading the IANA Geo-Location Database

To load the IANA geo-location database:

1. Navigate to GSLB >> Geo-Location Files.
2. Click Import.
3. Specify iana in the Name field.
4. Complete the Host and Location fields to specify the location of the file you are importing.
5. Leave the Template fields blank.
6. Click Import.

NOTE: You can also import a custom geo-location database.

NOTE: For more information, see the Global Server Load Balancing Guide.

Applying the Policy Template to a Virtual Port

To apply the policy template to a new virtual port:

1. Navigate to ADC >> SLB >> Virtual Servers.
2. Click Create.
3. Specify the name and IP address of the virtual server.
4. In the Virtual Port section, click Create.
a. Specify a protocol and port number.
b. Expand the Templates section.
c. In the Template Policy field, select the desired policy template.
d. Click Create.
5. Click Update.

CLI Example
The following command imports black/white list “geolist” onto the ACOS device.

ACOS(config)# import bw-list geolist scp://192.168.1.2/root/geolist

The following commands configure a policy template named “geoloc” and add the black/white list to it.
The template is configured to drop traffic from clients in the geo-location mapped to group 1 in the list.

ACOS(config)# slb template policy geoloc

page 106
ACOS 5.1.0 DDoS Mitigation Guide (for ADC)
Feedback
Enabling Full-Domain Checking

ACOS(config-policy)# bw-list name geolist
ACOS(config-policy)# bw-list id 1 drop
ACOS(config-policy)# exit

The following commands apply the policy template to port 80 on virtual server “vip1”:

ACOS(config)# slb virtual-server vip1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy geoloc

To view SLB geo-location statistics, use the show slb geo-location command.
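As an added example (not A10 code), the following Python parses a black/white list in the row format described under Methods and resolves the action a policy template such as geoloc binds to a client's group with bw-list id. The sample list and action map are constructed; most-specific (longest dotted prefix) matching between nested geo-locations, and passing through clients whose group has no bound action, are assumptions about ACOS behaviour rather than statements from this guide.

```python
"""Added example (not A10 code): parse an ACOS-style black/white list and
resolve the PBSLB action bound to a client's geo-location group.
Assumed from the syntax table: L "geo-location" group-id #conn-limit, with
group-id 1..31 (0 = no group), an optional conn-limit, and the '#' marker
required only when no group-id precedes the limit. Longest-dotted-prefix
matching and 'permit when no action is bound' are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_ENTRY_RE = re.compile(r'^L\s+"([^"]+)"\s*(.*)$')


@dataclass(frozen=True)
class BwEntry:
    geo: str
    group_id: int = 0               # 0 means no group assigned
    conn_limit: Optional[int] = None


def parse_bw_entry(line: str) -> Optional[BwEntry]:
    """Parse one row; None for a blank row, ValueError on bad syntax."""
    line = line.strip()
    if not line:
        return None
    m = _ENTRY_RE.match(line)
    if not m:
        raise ValueError(f'bad entry {line!r}: expected L "geo-location" group-id #conn-limit')
    geo, tokens = m.group(1), m.group(2).split()
    group_id, conn_limit = 0, None
    if tokens and not tokens[0].startswith("#"):   # a bare number is the group-id
        group_id = int(tokens.pop(0))
        if not 1 <= group_id <= 31:
            raise ValueError(f"{geo}: group-id {group_id} is outside 1..31")
    if tokens:                                      # remaining token is the conn-limit
        conn_limit = int(tokens.pop(0).lstrip("#"))
    if tokens:
        raise ValueError(f"{geo}: unexpected trailing tokens {tokens}")
    return BwEntry(geo, group_id, conn_limit)


def parse_bw_list(text: str) -> List[BwEntry]:
    """Parse a whole list file, rejecting duplicate geo-locations."""
    entries = [e for e in map(parse_bw_entry, text.splitlines()) if e]
    geos = [e.geo for e in entries]
    if len(set(geos)) != len(geos):
        raise ValueError("duplicate geo-location entries")
    return entries


def match_entry(entries: List[BwEntry], client_geo: str) -> Optional[BwEntry]:
    """Most specific entry whose geo equals client_geo or is a dotted ancestor of it."""
    covering = [e for e in entries if client_geo == e.geo or client_geo.startswith(e.geo + ".")]
    return max(covering, key=lambda e: len(e.geo)) if covering else None


def resolve_action(entries: List[BwEntry], actions: Dict[int, str], client_geo: str) -> str:
    """actions mirrors the 'bw-list id <n> <action>' lines of the policy template."""
    entry = match_entry(entries, client_geo)
    if entry is None or entry.group_id == 0:
        return "permit"                 # nothing bound for this client (assumption)
    return actions.get(entry.group_id, "permit")


# Constructed sample: the example list from this section plus two rows
# exercising the optional conn-limit forms.
SAMPLE_LIST = """
L "US" 1
L "US.CA" 2
L "JP" 3
L "US.CA.SanJose" #20
L "DE" 4 100
"""
SAMPLE_ACTIONS = {1: "drop", 3: "reset"}  # mirrors bw-list id 1 drop; reset is constructed
```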

Enabling Full-Domain Checking


This topic contains the following sections:

• Details

• Using the GUI to Configure Full-Domain Checking

• Using the CLI to Configure Full-Domain Checking

Details
By default, when a client requests a connection, the ACOS device checks the connection count only for
the specific geo-location level of the client. If the connection limit for that specific geo-location level is
not reached, the client’s connection is permitted. Similarly, the permit counter is increased only for that
specific geo-location level.

Table 6 shows an example set of geo-location connection limits and current connections.

TABLE 6 Geo-location connection limit example


Geo-location Connection Limit Current Connections
US 100 100
US.CA 50 37
US.CA.SanJose 20 19

Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even
though CA has reached its connection limit. Similarly, a connection request from a client at US.CA is
allowed. However, a connection request from a client whose location match is simply “US” is denied.

After these three clients are permitted or denied, the connection permit and deny counters are
increased in the following way:

• US – Deny counter is increased by 1.

• US.CA – Permit counter is increased by 1.

• US.CA.SanJose – Permit counter is increased by 1.

When full-domain checking is enabled, the ACOS device checks the current connection count not only
for the client’s specific geo-location, but for all geo-locations higher up in the domain tree.

With full-domain checking, all three connection requests from the clients in the example above are denied, because the US domain has reached its connection limit. The counters for each domain are updated as follows:

• US – Deny counter is incremented by 1.

• US.CA – Deny counter is incremented by 1.
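The default and full-domain-tree behaviour described above, as an added example (not A10 code) using the Table 6 limits and current connections. It assumes a client is matched to the most specific configured geo-location (longest dotted prefix) and that counters are updated only at the client's matched level in both modes, as the text states for the default mode.

```python
"""Added example (not A10 code): geo-location connection limiting in the
default mode and with 'geo-location full-domain-tree', using the Table 6
values. Assumptions: a client matches the most specific configured
geo-location (longest dotted prefix); counters change only at the client's
matched level in both modes, as the text states for default mode.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GeoCounter:
    limit: int        # configured connection limit for this geo-location
    conn: int = 0     # current connections
    permit: int = 0   # permit counter
    deny: int = 0     # deny counter


class GeoConnLimiter:
    def __init__(self, limits: Dict[str, int], current: Dict[str, int],
                 full_domain_tree: bool = False):
        self.full_domain_tree = full_domain_tree
        self.table = {g: GeoCounter(lim, current.get(g, 0)) for g, lim in limits.items()}

    def match(self, client_geo: str) -> Optional[str]:
        """Most specific configured geo-location equal to client_geo or a dotted ancestor."""
        cands = [g for g in self.table if client_geo == g or client_geo.startswith(g + ".")]
        return max(cands, key=len) if cands else None

    def ancestors(self, geo: str) -> List[str]:
        """geo plus every configured level above it: US.CA.SanJose -> US.CA -> US."""
        parts = geo.split(".")
        levels = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
        return [g for g in levels if g in self.table]

    def request(self, client_geo: str) -> bool:
        """Admit or deny one new connection and update the matched level's counters."""
        matched = self.match(client_geo)
        if matched is None:
            return True   # no limit configured for this client (assumption)
        # Default: check only the client's own level. Full-domain-tree: check
        # every level up the domain tree, so a parent at its limit denies the child.
        checked = self.ancestors(matched) if self.full_domain_tree else [matched]
        counter = self.table[matched]
        if all(self.table[g].conn < self.table[g].limit for g in checked):
            counter.permit += 1
            counter.conn += 1
            return True
        counter.deny += 1
        return False


# Constructed from Table 6 in the section above.
TABLE6_LIMITS = {"US": 100, "US.CA": 50, "US.CA.SanJose": 20}
TABLE6_CURRENT = {"US": 100, "US.CA": 37, "US.CA.SanJose": 19}
CLIENTS = ("US.CA.SanJose", "US.CA", "US")


def run_example(full_domain_tree: bool) -> Dict[str, bool]:
    """One connection request from each client in CLIENTS; True means permitted."""
    limiter = GeoConnLimiter(TABLE6_LIMITS, TABLE6_CURRENT, full_domain_tree)
    return {geo: limiter.request(geo) for geo in CLIENTS}


if __name__ == "__main__":
    for mode in (False, True):
        print("full-domain-tree" if mode else "default", run_example(mode))
```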

Using the GUI to Configure Full-Domain Checking


This is configurable on the configuration page for the policy template:

1. Navigate to ADC >> Templates >> L7.
2. Click Create and select Policy from the drop-down list.
3. Specify a name for the policy template.
4. Expand the Geo Location pane.
5. Select Full Domain Tree.
6. Click OK.

Using the CLI to Configure Full-Domain Checking


To enable full-domain checking for geo-location-based connection limiting, enter the geo-location
full-domain-tree command at the configuration level for the PBSLB template:

ACOS(config)# slb template policy example_policy_template
ACOS(config-policy)# geo-location full-domain-tree

NOTE: You must enable or disable this option before you enable GSLB. Chang-
ing the state of this option while GSLB is running can cause the related
statistics counters to be incorrect.

Enabling PBSLB Statistics Counter Sharing


This topic contains the following sections:

• Details

• Using the GUI to Enable PBSLB Statistics Counter Sharing

• Using the CLI to Enable PBSLB Statistics Counter Sharing

Details
You can enable sharing of statistics counters for all virtual servers and virtual ports that use a PBSLB
template. This option causes the following counters to be shared by the virtual servers and virtual ports
that use the template:

• Permit

• Deny

• Connection number

• Connection limit

Using the GUI to Enable PBSLB Statistics Counter Sharing


This is configurable on the configuration page for the policy template:

1. Navigate to ADC >> Templates >> L7.
2. Click Create and select Policy from the drop-down list.
3. Specify a name for the policy template.
4. Expand the Geo Location pane.
5. Select Share.
6. Click OK.

Using the CLI to Enable PBSLB Statistics Counter Sharing


To enable the share option, enter the geo-location share command at the configuration level for the
PBSLB policy template:

ACOS(config)# slb template policy example_policy_template
ACOS(config-policy)# geo-location share

NOTE: You must enable or disable this option before you enable GSLB. Chang-
ing the state of this option while GSLB is running can cause the related
statistics counters to be incorrect.

CONTACT US
a10networks.com/contact

ACOS 5.1.0 DDOS MITIGATION GUIDE (FOR ADC) 29 NOVEMBER 2019
