ASM L7 DoS email alert
Hello Everyone,
Greetings!
I've been trying to configure an email notification when an ASM L7 DoS event is triggered in F5 BIG-IP. As far as the configuration goes, it is mentioned below:
Created an iRule and attached it to the virtual server.
when IN_DOSL7_ATTACK {
    # Runs when the DoS profile detects an L7 DoS attack ("Trigger iRule" must be enabled on the profile)
    log local0. "Attacker IP: $DOSL7_ATTACKER_IP"
    log local0. "Mitigation: $DOSL7_MITIGATION"
    # DOSL7::disable would switch off L7 DoS handling for this request; left commented out on purpose
    #DOSL7::disable
}
I enabled "Trigger iRule" on the DoS profile of the ASM module, and the DoS profile is attached to its respective virtual server.
When I performed the DoS attack using the Locust tool against the F5 virtual IP, the attack was recorded in dosl7d.log:
On GUI:
On CLI:
but there were simply just two entries in /var/log/ltm.
The iRule used is:
Just a couple of quick questions:
- Do I need additional configuration, or am I expecting the wrong entry for the DoS event in the ltm log?
- Regarding behavioral DoS detection:
Any idea what parameters behavioral DoS monitors before it triggers on F5 BIG-IP?
Since the actual code or logic to identify and trigger behavioral DoS is kept in compiled form.
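The post's iRule writes two lines per event ("Attacker IP: ..." and "Mitigation: ...") into /var/log/ltm but nothing mails them out. As an added example, not code from the original post or from F5, here is one way to read those two lines back out of the ltm log, pair them into events, suppress repeats of the same attacker within a window, and build the alert email. The exact line shape, the hostname, the rule name /Common/dosl7_alert, the mitigation strings, the mail addresses and the relay host are all assumptions; the sample log is constructed.

```python
"""Added example: turn the iRule's IN_DOSL7_ATTACK log lines into one de-duplicated email alert."""
import re
import smtplib
from datetime import datetime
from email.message import EmailMessage

# Constructed sample of how the iRule's "log local0." calls appear in /var/log/ltm.
# Hostname, tmm process id, rule name and the mitigation strings are assumptions,
# not values taken from the original post. One unrelated line is mixed in as noise.
SAMPLE_LTM_LOG = """\
Jun 12 10:15:01 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Attacker IP: 198.51.100.23
Jun 12 10:15:01 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Mitigation: rate-limit
Jun 12 10:15:11 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Attacker IP: 198.51.100.23
Jun 12 10:15:11 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Mitigation: rate-limit
Jun 12 10:15:30 bigip1 notice mcpd[4321]: unrelated configuration message
Jun 12 10:16:40 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Attacker IP: 203.0.113.7
Jun 12 10:16:40 bigip1 info tmm[12345]: Rule /Common/dosl7_alert <IN_DOSL7_ATTACK>: Mitigation: block
"""

# Assumed shape of an iRule log line: "<syslog ts> <host> <level> tmmN[pid]: Rule <name> <EVENT>: <message>"
LTM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\w+\s+tmm\d*\[\d+\]:\s+"
    r"Rule\s+(?P<rule>\S+)\s+<(?P<event>[A-Z0-9_]+)>:\s+(?P<msg>.*)$"
)


def parse_dosl7_events(lines, year=2024):
    """Pair each 'Attacker IP:' line with the 'Mitigation:' line the same event invocation writes."""
    events, pending = [], None
    for line in lines:
        m = LTM_RE.match(line)
        if not m or m["event"] != "IN_DOSL7_ATTACK":
            continue  # not one of our iRule's lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if msg.startswith("Attacker IP:"):
            pending = {"time": ts, "attacker": msg.split(":", 1)[1].strip()}
        elif msg.startswith("Mitigation:") and pending is not None:
            pending["mitigation"] = msg.split(":", 1)[1].strip()
            events.append(pending)
            pending = None
    return events


def alerts_to_send(events, window_seconds=300):
    """Keep the first event per attacker in each window so a long attack does not flood the inbox."""
    last_alert, to_send = {}, []
    for ev in events:
        prev = last_alert.get(ev["attacker"])
        if prev is None or (ev["time"] - prev).total_seconds() >= window_seconds:
            last_alert[ev["attacker"]] = ev["time"]
            to_send.append(ev)
    return to_send


def build_alert_email(events, sender="bigip@example.test", recipient="soc@example.test"):
    """Compose the alert; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[BIG-IP] ASM L7 DoS: {len(events)} attack event(s)"
    body = ["IN_DOSL7_ATTACK events seen in /var/log/ltm:", ""]
    for ev in events:
        body.append(f"{ev['time']:%Y-%m-%d %H:%M:%S}  attacker={ev['attacker']}  mitigation={ev['mitigation']}")
    msg.set_content("\n".join(body))
    return msg


def alert_from_log_text(text, window_seconds=300):
    """Whole pipeline on a block of ltm log text: (all events, de-duplicated events, email)."""
    events = parse_dosl7_events(text.splitlines())
    chosen = alerts_to_send(events, window_seconds)
    return events, chosen, build_alert_email(chosen)


def send_alert(msg, smtp_host):
    """Hand the alert to a mail relay (assumed: plain SMTP on port 25 to smtp_host)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    _, chosen, mail = alert_from_log_text(SAMPLE_LTM_LOG)
    print(f"{len(chosen)} alert(s) after de-duplication")
    print(mail)
```

On the sample, the repeat hit on 198.51.100.23 ten seconds later is folded into the first alert, so two of the three logged events are mailed. A cron job or a log-follower can feed real /var/log/ltm lines into alert_from_log_text and call send_alert with the site's relay.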
Hi Nishal_Rai,
For your inquiry about how BIG-IP AWAF L7 DDoS uses rate-limit prevention:
Well,
First, you have two concepts: detection interval and historical interval.
Detection interval: average TPS in the last 10 sec.
Historical interval: average TPS in the last 1 hour (which should be the legitimate TPS).
Both intervals are updated every 10 sec.
BIG-IP rate-limits by using a simple equation: (historical interval TPS + configured threshold) / 2
For example:
If you configured an absolute threshold of 200 TPS (like the diagram you have sent above),
and let us assume the historical interval (average TPS within the hour) is 100 TPS,
then BIG-IP will rate-limit to 150 TPS.
BIG-IP will rate-limit if the TPS exceeds the absolute threshold, or if the (relative threshold + at-least TPS) condition is violated.
By the way, you can review it in the logs: when the attack started, you can observe the limit which BIG-IP used.
What is the rate-limit mechanism? I have tested it before, so I will tell you my findings:
You have an option to record traffic in your AWAF DDoS profile; BIG-IP then starts to record traffic (taking a tcpdump).
While looking at the recorded packet capture (when the attack started), you will find that much of the traffic receives RST packets from BIG-IP and some samples receive normal responses (200 OK). Therefore, when using rate-limit as a prevention method, much of the traffic will be reset by BIG-IP while some of these requests will pass through BIG-IP normally.
The key difference between block all and rate-limit: with block all, the recorded packet capture file shows that when the attack starts, all traffic from the specific source is reset (RST flag set) and no traffic passes through BIG-IP; rate-limit, on the other hand, behaves as I described above.
Let me know if you have further queries; I will be happy to think it through with you ^_^
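To make the answer's arithmetic concrete, here is an added toy model (not F5 code, and not a description of how dosl7d is implemented) of the two intervals and the limit (historical TPS + configured threshold) / 2. The way the relative check is applied (detection TPS up by a percentage over the historical average and at least an absolute floor), the default percentages, and the choice to keep attack intervals out of the "legitimate" hour are assumptions made for the model; the traffic numbers are constructed to match the answer's example.

```python
"""Added example: toy model of the L7 DoS rate-limit arithmetic described in the answer."""
from collections import deque

DETECTION_INTERVAL_S = 10      # detection interval: average TPS over the last 10 s
HISTORICAL_WINDOW_S = 3600     # historical interval: average TPS over the last hour


class L7DoSRateLimitModel:
    """Tracks both intervals and derives the limit as (historical TPS + absolute threshold) / 2.

    relative_increase_pct / at_least_tps model the answer's "relative threshold + at-least TPS"
    condition as: detection TPS >= historical * (1 + pct/100) AND detection TPS >= at_least.
    That reading, and the default values, are assumptions for this example.
    """

    def __init__(self, absolute_tps=200.0, relative_increase_pct=500.0, at_least_tps=200.0):
        self.absolute_tps = absolute_tps
        self.relative_increase_pct = relative_increase_pct
        self.at_least_tps = at_least_tps
        # one bucket per detection interval, so an hour of history is 360 buckets
        self.history = deque(maxlen=HISTORICAL_WINDOW_S // DETECTION_INTERVAL_S)

    def historical_tps(self):
        """Average TPS over the retained hour; 0.0 before any traffic has been seen."""
        if not self.history:
            return 0.0
        return sum(self.history) / len(self.history)

    def limit_tps(self):
        """The answer's equation: (historical interval TPS + configured threshold) / 2."""
        return (self.historical_tps() + self.absolute_tps) / 2

    def observe(self, requests_in_interval):
        """Feed one 10 s detection interval and return the decision the model would make."""
        detection_tps = requests_in_interval / DETECTION_INTERVAL_S
        hist = self.historical_tps()
        limit = self.limit_tps()
        absolute_hit = detection_tps > self.absolute_tps
        relative_hit = (
            hist > 0
            and detection_tps >= hist * (1 + self.relative_increase_pct / 100)
            and detection_tps >= self.at_least_tps
        )
        mitigate = absolute_hit or relative_hit
        if not mitigate:
            # modelling choice: intervals under attack do not feed the "legitimate" hour;
            # the page does not say how BIG-IP itself handles this
            self.history.append(detection_tps)
        # share of requests that would still get a normal response under rate-limit;
        # the remainder corresponds to the RST packets seen in the recorded capture
        passed_share = min(1.0, limit / detection_tps) if (mitigate and detection_tps) else 1.0
        return {
            "detection_tps": detection_tps,
            "historical_tps": hist,
            "limit_tps": limit,
            "absolute_hit": absolute_hit,
            "relative_hit": relative_hit,
            "mitigate": mitigate,
            "passed_share": passed_share,
        }


def worked_example(burst_tps=800):
    """The answer's numbers: an hour of 100 TPS, then a burst against a 200 TPS absolute threshold."""
    model = L7DoSRateLimitModel(absolute_tps=200.0)
    for _ in range(HISTORICAL_WINDOW_S // DETECTION_INTERVAL_S):
        model.observe(100 * DETECTION_INTERVAL_S)   # constructed steady legitimate load
    return model.observe(burst_tps * DETECTION_INTERVAL_S)


if __name__ == "__main__":
    r = worked_example()
    print(f"historical={r['historical_tps']:.0f} TPS  limit={r['limit_tps']:.0f} TPS  "
          f"mitigate={r['mitigate']}  passed={r['passed_share']:.1%}")
```

With the answer's figures the model lands on a 150 TPS limit; at an 800 TPS burst only about 19% of requests would get a normal response, which is the "some 200 OK, mostly RST" picture from the recorded capture. One property worth noticing before trusting the formula blindly: with an empty history the same equation yields half the configured threshold, and with a historical average above the threshold it yields a limit above the threshold. Both are behaviours of this toy model and should be checked against the limit BIG-IP itself reports in its logs, as the answer suggests.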