The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266260 | F5BI-FW-300017 | SV-266260r1024878_rule | (none listed) | High |
| Description |
| Not configuring a key boundary security protection device such as the firewall against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack can be obtained on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary. Configure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning. |
| Flood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host. |
| In an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target's IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker receives an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device; a response likewise indicates that a port in the target device is open and vulnerable to attack. |
| In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively. |
| Satisfies: SRG-NET-000362-FW-000028, SRG-NET-000364-FW-000041, SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030 |
| STIG | Date | 
| F5 BIG-IP TMOS Firewall Security Technical Implementation Guide | 2024-09-09 | 
Details
| Check Text (C-70184r1024877_chk) |
| From the BIG-IP GUI: |
| 1. Security. |
| 2. DoS Protection. |
| 3. Device Protection. |
| 4. Expand each of the applicable families (Network, DNS, SIP), depending on the traffic being handled by the BIG-IP, and verify the "State" is set to "Mitigate" for all signatures in that family. |
| If the BIG-IP appliance is not configured to block outbound traffic containing denial-of-service (DoS) attacks, this is a finding. |
| Fix Text (F-70087r1024027_fix) |
| From the BIG-IP GUI: |
| 1. Security. |
| 2. DoS Protection. |
| 3. Device Protection. |
| 4. Expand each of the applicable families (Network, DNS, SIP) one at a time, depending on the traffic being handled by the BIG-IP, and do the following for each: |
| - Check the box at the top of the list of signatures to select all, or, at a minimum, select the filters that prevent or limit the effects of all types of commonly known DoS attacks, including flooding, packet sweeps, and unauthorized port scanning, plus the filters for unknown or out-of-order extension headers. |
| - Set "Set State" to "Mitigate". |
| 5. Click "Commit Changes to System". |
| Note: Sites must operationally test or initially use learning mode prior to turning on all of the options in all families to prevent operational impacts, particularly in implementations with large traffic volumes. |