Bad Actor Detection
~~~~~~~~~~~~~~~~~~~

Bad actor detection and blacklisting allows us to completely block
communications from malicious hosts at the BIG-IP, completely preventing
those hosts from reaching the back-end servers. To demonstrate:

1.  Navigate to **Security** > **DoS Protection** > **DoS Profiles**.

2.  Click on the **dns-dos-profile** profile name.

3.  Click on the **Protocol Security** tab then select **DNS Security**.

4.  Click on the **DNS A Query** attack type name.

5.  Modify the vector as follows:

    - Bad Actor Detection: Checked
    - Per Source IP Detection Threshold EPS: 80
    - Per Source IP Mitigation Threshold EPS: 100
    - Add Source Address to Category: Checked
    - Category Name: denial_of_service
    - Sustained Attack Detection Time: 15 seconds
    - | Category Duration Time: 60 seconds
      | |image62|

6.  Make sure you click **Update** to save your changes.

7.  Navigate to **Security** > **Network Firewall** > **IP
    Intelligence** > **Policies** and create a new IP Intelligence
    policy with the following values, leaving unspecified attributes at
    their default values:

    - Name: dns-bad-actor-blocking

    - Default Log Actions section:
       - Log Blacklist Category Matches: Yes

    - Blacklist Matching Policy
       - Create a new blacklist matching policy:
           - Blacklist Category: denial_of_service
           - | Click **Add** to add the policy then click finished
             | |image63|

8.  Navigate to **Local Traffic** > **Virtual Servers** > **Virtual
    Server List**.

9.  Click on the **udp_dns_VS** virtual server name.

10. Click on the **Security** tab and select **Policies**.

11. | Enable **IP Intelligence** and choose the
      **dns-bad-actor-blocking** policy.
    | |image64|

12. Make sure you click **Update** to save your changes.

13. Navigate to **Security** > **Event Logs** > **Logging Profiles**.

14. Click the **global-network** logging profile name.

15. | Under the **Network Firewall** tab (next to Protocol Security),
      set the IP Intelligence Publisher to **local-db-publisher** and
      check **Log Shun Events**.
    | |image65|

16. Click **Update** to save your changes.

17. Click the **dns-dos-profile-logging** logging profile name.

18. | Check **Enabled** next to **Network Firewall**.
    | |image66|

19. | Under the **Network Firewall** tab, change the **IP Intelligence
      Publisher** to **local-db-publisher** and click **Update**.
    | |image67|

20. Bring into view the Victim Server SSH session running the top
    utility to monitor CPU utilization.

21. | On the Attack Server host, launch the DNS attack once again using
      the following syntax:
    | ``dnsperf -s 10.20.0.10 -d queryfile-example-current -c 20 -T 20 -l 30 -q 10000 -Q 10000``

22. | You’ll notice CPU utilization on the BIG-IP begin to climb, but
      slowly drop. The attack host will show that queries are timing out
      as shown below. This is due to the BIG-IP blacklisting the bad
      actor.
    | |image68|

23. Navigate to **Security** > **Event Logs** > **Network** > **IP
    Intelligence**. Observe the bad actor blocking mitigation logs.

24. | Navigate to **Security** > **Event Logs** > **Network** >
      **Shun**. This screen shows the bad actor being added to (and
      later deleted from) the shun category.
    | |image69|

25. While the attack is running, navigate to **Security** > **DoS
    Protection**> **DoS Overview (you may need to refresh or set the
    auto refresh to 10 seconds).** You will notice from here you can see
    all the details of the active attacks. You can also modify an attack
    vector right from this screen by clicking on the attack vector and
    modifying the fly out.

|image70|

26. | Navigate to **Security** > **Reporting** > **Protocol** > **DNS**.
      Change the **View By** drop-down to view various statistics around
      the DNS traffic and attacks.
    | |image71|

27. Navigate to **Security** > **Reporting** > **Network** > **IP
    Intelligence**. The default view may be blank. Change the **View
    By** drop-down to view various statistics around the IP Intelligence
    handling of the attack traffic.

28. | Navigate to **Security** > **Reporting** > **DoS** > **Dashboard**
      to view an overview of the DoS attacks and timeline. You can
      select filters in the filter pane to highlight specific attacks.
    | |image72|

29. Finally, navigate to **Security** > **Reporting** > **DoS** >
    **Analysis**. View detailed statistics around each attack.

|image73|

.. |image62| image:: /_static/class1/image60.png
   :width: 2.67129in
   :height: 5.81457in
.. |image63| image:: /_static/class1/image61.png
   :width: 6.22083in
   :height: 3.675in
.. |image64| image:: /_static/class1/image62.png
   :width: 3.81074in
   :height: 5.31788in
.. |image65| image:: /_static/class1/image63.png
   :width: 4.17881in
   :height: 2.18072in
.. |image66| image:: /_static/class1/image64.png
   :width: 3.40297in
   :height: 3.22001in
.. |image67| image:: /_static/class1/image65.png
   :width: 2.96026in
   :height: 1.54149in
.. |image68| image:: /_static/class1/image66.png
   :width: 2.36111in
   :height: 0.68056in
.. |image69| image:: /_static/class1/image67.png
   :width: 4.875in
   :height: 1.68056in
.. |image70| image:: /_static/class1/image68.png
   :width: 6.69121in
   :height: 3.10185in
.. |image71| image:: /_static/class1/image69.png
   :width: 4.3245in
   :height: 3.69594in
.. |image72| image:: /_static/class1/image70.png
   :width: 5in
   :height: 4.06944in
.. |image73| image:: /_static/class1/image71.png
   :width: 6.49097in
   :height: 2.17569in