Forum Discussion

Nishal_Rai
Dec 07, 2023

Any resource to learn the database key value of F5 BIG-IP ASM DoS protection

Hello Everyone,

Greetings!


There have been a lot of false positives regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specific threshold values causing false positives in behavioral and L7 DoS attacks. I came across an article suggesting adjusting the 'adm.health.sensitivity' database key to mitigate false positives.
Ref:
https://my.f5.com/manage/s/article/K21040310

I'm seeking resources or a list detailing the functionality of this kind of database key within F5 BIG-IP ASM, and any methods to monitor and modify those parameter values based on the client request, especially concerning behavioral protection in F5 BIG-IP ASM DoS protection.


Any guidance or shared knowledge on this matter would be immensely appreciated.

  • For 16.1.4.1, here you can see the list of all the 2509 db variables:

    [root@F5-Design_Engg02:Active:Standalone] config # tmsh


    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db
    Display all 2509 items? (y/n) y

    Options:
    all-properties one-line
    non-default-properties |
    Properties:
    default-value value-range
    scf-config {
    value
    Configuration Items:
    acceleration.log.color merged.merge
    Truncating the results due to 20k characters limit
    arp.vlanpriority platform.diskmonitor.limitwarn.var
    asm.asm_malicious_sources_monitoring_interval platform.diskmonitor.limitwarn.var_log
    asm.brute_force_bypass_non_qualified_url platform.diskmonitor.limitwarn.var_loipc
    asm.brute_force_end_attack_verification_time platform.diskmonitor.limitwarn.var_prompt
    asm.brute_force_max_tmstat_entries platform.diskmonitor.limitwarn.var_tmstat
    asm.brute_force_monitoring_interval platform.diskmonitor.limitwarn.vmdisk
    asm.connlimit platform.diskmonitor.monitor._root_
    asm.cookie_prefix platform.diskmonitor.monitor.appdata
    asm.cookie_revision_base platform.diskmonitor.monitor.config
    asm.cookie_suffix_base platform.diskmonitor.monitor.dev
    asm.credential_stuffing_service platform.diskmonitor.monitor.dev_shm
    asm.cs_challenge_length platform.diskmonitor.monitor.run
    asm.cs_qualified_urls platform.diskmonitor.monitor.run_pamcache
    asm.cshui_susp_event_bot_score platform.diskmonitor.monitor.shared
    asm.csrf_rerun_interval platform.diskmonitor.monitor.shared_rrd.1.2
    asm.fastl4_allow platform.diskmonitor.monitor.usr
    asm.fictive_url platform.diskmonitor.monitor.var
    asm.http_security_headers platform.diskmonitor.monitor.var_log
    asm.ignore_bewaf platform.diskmonitor.monitor.var_loipc
    asm.inject_apm_do_not_touch platform.diskmonitor.monitor.var_prompt
    asm.inject_referrer_hook platform.diskmonitor.monitor.var_tmstat
    asm.mobile_ua platform.diskmonitor.monitor.vmdisk
    asm.restrict_asm_logs_access platform.diskmonitor.state
    asm.risk_engine.salt.restart platform.diskmonitor.time
    asm.session_transactions_sampling_rate platform.diskmonitor.time._root_
    asm.strict_transport_policy platform.diskmonitor.time.appdata
    asm.strip_asm_cookies platform.diskmonitor.time.config
    asm.time_to_free_idle_umus_in_sec platform.diskmonitor.time.dev
    asmconffailure.enabled platform.diskmonitor.time.dev_shm
    asmconffailure.haaction.primary platform.diskmonitor.time.run
    asmconffailure.haaction.secondary platform.diskmonitor.time.run_pamcache
    auto.discover.flow.count platform.diskmonitor.time.shared
    auto.discover.mvs.count platform.diskmonitor.time.shared_rrd.1.2


    l4bdos.anomaly.detection.frequency tmm.pem.td.expected.num.conn
    l4bdos.anomaly.threshold.floor tmm.pem.td.num.conn.wt
    l4bdos.baseline.learning.period tmm.pem.td.sample.interval
    l4bdos.collect.stats.frequency tmm.pem.td.tcpf.os.wt
    l4bdos.dns.stress.compute.frequency tmm.pem.td.ttl.wt
    l4bdos.ha.state.update.frequency tmm.pem.td.ua.os.wt
    l4bdos.netflow.collect.frequency tmm.pkcs11d.invalidatekeyhandle
    l4bdos.netflow.disable.selective.bins tmm.pkcs11d.loadkeyhandles
    l4bdos.packet.sampling.interval tmm.pkcs11d.shmid
    l4bdos.signature.disable.no_stats.periods tmm.policy.tracelevel
    l4bdos.signature.sample.packet.frequency tmm.pop3.max_partial_connbytes
    l4bdos.transient.signature.merge.periods tmm.pop3.max_partial_conncount

    log.diameter.level tmm.websocket.deflate.memory.threshold
    log.dosl7.acy.level tmm.websocket.inflate.max.ratio
    log.dosl7.all.level tmm.wlite
    log.dosl7.bot.level tmm.wlite.pinning
    log.dosl7.challenge.level tmplugin.scheduler
    log.dosl7.conf.level tmplugin.splitplanes.nice
    log.dosl7.datasync.level tmrouted.gracefulrestartdelay
    log.dosl7.main.level tmrouted.netlinkcmdidletimeout
    log.dosl7.misc.level tmrouted.netlinklistenidletimeout
    log.dosl7.mobile.level tmrouted.rhifailoverdelay
    log.dosl7.tcl.level tmrouted.tmos.routing
    log.dosprotect.level tmrouted.tmos.routing.status

    I also use

     

    list sys db all-properties one-line

     

    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db all-properties one-line
    Display all 2509 items? (y/n) y
    Truncating the results due to 20k characters limit
    sys db asm.asm_malicious_sources_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:1800" }
    sys db asm.brute_force_bypass_non_qualified_url { default-value "false" scf-config "true" value "false" value-range "false true" }
    sys db asm.brute_force_end_attack_verification_time { default-value "120" scf-config "true" value "120" value-range "unsigned integer min:1 max:1000" }
    sys db asm.brute_force_max_tmstat_entries { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:10000" }
    sys db asm.brute_force_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
    sys db asm.connlimit { default-value "6000" scf-config "true" value "6000" value-range "integer min:0 max:4294967295" }
    sys db asm.cookie_prefix { default-value "TS" scf-config "true" value "TS" value-range "string min-len:2 max-len:20" }
    sys db asm.cookie_revision_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:240" }
    sys db asm.cookie_suffix_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:900" }
    sys db asm.credential_stuffing_service { default-value "enable" scf-config "true" value "enable" value-range "disable enable" }
    sys db asm.cs_challenge_length { default-value "4" scf-config "true" value "4" value-range "unsigned integer min:1 max:7" }
    sys db asm.cs_qualified_urls { default-value "," scf-config "true" value "," value-range "string" }
    sys db asm.cshui_susp_event_bot_score { default-value "20" scf-config "true" value "20" value-range "unsigned integer min:0 max:10000000" }
    sys db asm.csrf_rerun_interval { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:10000" }
    sys db asm.fastl4_allow { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }
    sys db asm.fictive_url { default-value "/TSbd/" scf-config "true" value "/TSbd/" value-range "string" }
    sys db asm.http_security_headers { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }
    sys db asm.ignore_bewaf { default-value "false" scf-config "true" value "false" value-range "false true" }
    sys db asm.inject_apm_do_not_touch { default-value "true" scf-config "true" value "true" value-range "false true" }
    sys db asm.inject_referrer_hook { default-value "true" scf-config "true" value "true" value-range "false true" }
    sys db asm.mobile_ua { default-value "," scf-config "true" value "," value-range "string" }
    sys db asm.restrict_asm_logs_access { default-value "false" scf-config "true" value "false" value-range "false true" }
    sys db asm.risk_engine.salt.restart { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:2091752" }
    sys db asm.session_transactions_sampling_rate { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
    sys db asm.strict_transport_policy { default-value "disable" scf-config "false" value "disable" value-range "disable enable" }
    sys db asm.strip_asm_cookies { default-value "true" scf-config "true" value "true" value-range "false true" }
    sys db asm.time_to_free_idle_umus_in_sec { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:1800" }
    sys db asmconffailure.enabled { default-value "true" scf-config "true" value "true" value-range "false true" }
    sys db asmconffailure.haaction.primary { default-value "restart_all" scf-config "true" value "restart_all" value-range "go_offline go_offline_downlinks no_action restart_all" }
    sys db asmconffailure.haaction.secondary { default-value "go_offline" scf-config "true" value "go_offline" value-range "go_offline go_offline_downlinks no_action restart_all" }
    sys db auto.discover.flow.count { default-value "3" scf-config "true" value "3" value-range "unsigned integer min:1 max:65530" }

  • Hi Nishal,

    There is no single piece of documentation I have seen that describes the function of all the sys db variables. What I do, in case I need it, is get a list and try to find the closest match of the words; for example, for the ASM module I keep searching the different variables for the keyword asm.

     

    These keys and their default values can be viewed via tmsh:
    tmsh list sys db [DB KEY]

    These keys can be modified as follows:
    tmsh modify sys db [DB KEY] value [VALUE]

    Note: DB key values are automatically applied to a system without the need for a save sys config.

    On v16.1.4.1, here you can see all SYS DB parameters using the following command in TMSH mode:

    list sys db
    Display all 2509 items? (y/n) y

     

    Once you select the parameter take a backup or note down the default value before changing.

    Once done you can change the parameter in tmsh mode using following

    modify sys db 

     

    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db as
    Configuration Items:
    asm.asm_malicious_sources_monitoring_interval asm.fictive_url
    asm.brute_force_bypass_non_qualified_url asm.http_security_headers
    asm.brute_force_end_attack_verification_time asm.ignore_bewaf
    asm.brute_force_max_tmstat_entries asm.inject_apm_do_not_touch
    asm.brute_force_monitoring_interval asm.inject_referrer_hook
    asm.connlimit asm.mobile_ua
    asm.cookie_prefix asm.restrict_asm_logs_access
    asm.cookie_revision_base asm.risk_engine.salt.restart
    asm.cookie_suffix_base asm.session_transactions_sampling_rate
    asm.credential_stuffing_service asm.strict_transport_policy
    asm.cs_challenge_length asm.strip_asm_cookies
    asm.cs_qualified_urls asm.time_to_free_idle_umus_in_sec
    asm.cshui_susp_event_bot_score asmconffailure.enabled
    asm.csrf_rerun_interval asmconffailure.haaction.primary
    asm.fastl4_allow asmconffailure.haaction.secondary
    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
    Display all 2509 items? (y/n) n

    Options:
    reset-to-default
    Properties:
    value {
    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit

     

    • The following DB keys were added in version 14, to make our captcha feature more robust:
      sys db dosl7.captcha_case_sensitivity {
          default-value "disable"
          scf-config "true"
          value "disable"
          value-range "disable enable"
      }

      sys db dosl7.captcha_challenge_type {
          default-value "characters"
          scf-config "false"
          value "characters"
          value-range "arithmetic characters random"
      }

      sys db dosl7.captcha_characters_pool {
          default-value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
          scf-config "true"
          value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
          value-range "string"
      }

      sys db dosl7.captcha_length_max {
          default-value "6"
          scf-config "true"
          value "6"
          value-range "unsigned integer min:1 max:10"
      }

      sys db dosl7.captcha_length_min {
          default-value "6"
          scf-config "true"
          value "6"
          value-range "unsigned integer min:1 max:10"
      }

      sys db dosl7.captcha_lines_max {
          default-value "5"
          scf-config "true"
          value "5"
          value-range "unsigned integer min:0 max:20"
      }

      sys db dosl7.captcha_lines_min {
          default-value "5"
          scf-config "true"
          value "5"
          value-range "unsigned integer min:0 max:20"
      }

      sys db dosl7.captcha_max_cpu_prc {
          default-value "90"
          scf-config "true"
          value "90"
          value-range "unsigned integer min:0 max:100"
      }

      sys db dosl7.captcha_noise_max {
          default-value "2"
          scf-config "true"
          value "2"
          value-range "unsigned integer min:0 max:10"
      }

      sys db dosl7.captcha_noise_min {
          default-value "2"
          scf-config "true"
          value "2"
          value-range "unsigned integer min:0 max:10"
      }

      sys db dosl7.captcha_perturbation_max {
          default-value "85"
          scf-config "true"
          value "85"
          value-range "unsigned integer min:10 max:100"
      }

      sys db dosl7.captcha_perturbation_min {
          default-value "85"
          scf-config "true"
          value "85"
          value-range "unsigned integer min:10 max:100"
      }

      sys db dosl7.captcha_transparency_percentage_max {
          default-value "20"
          scf-config "true"
          value "20"
          value-range "unsigned integer min:0 max:85"
      }

      sys db dosl7.captcha_transparency_percentage_min {
          default-value "20"
          scf-config "true"
          value "20"
          value-range "unsigned integer min:0 max:85"
      }
       

      These are the DoS-related SYS DB settings that you can search on further:

      dos.allvlans
      dos.auto.threshold.hysteresis
      dos.auto.threshold.learnalways
      dos.auto.threshold.stresstest
      dos.autodosd.alpha_max
      dos.autodosd.alpha_min
      dos.behavioral.analysis
      dos.blleaklimit
      dos.debug.noneuron.wl
      dos.dns.respfrag.allow
      dos.dnsnxdomain.learnperiod
      dos.dnsnxdomain.period
      dos.dnsnxdomain.trackersize
      dos.dnsport
      dos.dnsvlan
      dos.dropv4mapped
      dos.forceswdos
      dos.fragforwardlimit
      dos.globalsflimits
      dos.httpbdos.exclusivity
      dos.httpbdos.exclusivity.timeout
      dos.icmp6msgtype1
      dos.icmp6msgtype2
      dos.ip.allow.unknown.proto1
      dos.ip.allow.unknown.proto2
      dos.iplowttl
      dos.ipv6.swexthdr
      dos.ipv6endpoint.prefix
      dos.ipv6lowhopcnt
      dos.logging.interval
      dos.maxdnssize
      dos.maxewlsize
      dos.maxicmp6framesize
      dos.maxicmpframesize
      dos.maxipv6exthdrs
      dos.maxipv6extsize
      dos.maxsynsize
      dos.mergepersec
      dos.onehourinitrate
      dos.onehourminrate
      dos.protectedzone
      dos.scrubtime
      dos.sip.uri.limit
      dos.sipport
      dos.spvabl.checkdynamicwl
      dos.syncookiedeactivate
      dos.tcp.allow.unknown.opt1
      dos.tcp.allow.unknown.opt2
      dos.tcplowwindowsize
      dos.tier1divisor
      dos.tscookie.vlan
      dos.unmatched.hwsyncookie_activate
      dos.vcmphwdos
      dos.wl_spva_entries_max
      dos.wlipv6addrsel
      dosl7.allowed_origins
      dosl7.asm_cs_excluded_headers
      dosl7.asm_cs_excluded_urls
      dosl7.assume_https
      dosl7.captcha_case_sensitivity
      dosl7.captcha_challenge_type
      dosl7.captcha_characters_pool
      dosl7.captcha_length_max
      dosl7.captcha_length_min
      dosl7.captcha_lines_max
      dosl7.captcha_lines_min
      dosl7.captcha_max_cpu_prc
      dosl7.captcha_noise_max
      dosl7.captcha_noise_min
      dosl7.captcha_perturbation_max
      dosl7.captcha_perturbation_min
      dosl7.captcha_transparency_percentage_max
      dosl7.captcha_transparency_percentage_min
      dosl7.chal_data_cookie_max_age
      dosl7.cors_ajax_urls
      dosl7.cors_font_urls
      dosl7.cors_related_domains
      dosl7.cs_encode
      dosl7.cs_encrypt
      dosl7.cs_excluded_headers
      dosl7.cs_excluded_urls
      dosl7.cs_expire_sec
      dosl7.cs_max_request_size
      dosl7.cs_max_resend
      dosl7.cs_qualified_urls
      dosl7.cs_validate_ip
      dosl7.cscloud_enabled
      dosl7.cscloud_timeout
      dosl7.cscloud_url
      dosl7.customheaders
      dosl7.early_renewal_period
      dosl7.efoxy_cookie
      dosl7.efoxy_local_storage
      dosl7.efoxy_websql
      dosl7.efoxy_window_name
      dosl7.fastl4_allow
      dosl7.geolocation_drop_private_ips
      dosl7.idle_fast_path
      dosl7.internal_url_cookie_expiration_time
      dosl7.long_ua_header_size
      dosl7.max_captcha_solution_age
      dosl7.max_captcha_solution_time
      dosl7.max_cookie_length
      dosl7.max_dynamic_params_injection_length
      dosl7.max_lookup_length
      dosl7.max_num_headers
      dosl7.max_user_agent_occurrences
      dosl7.min_captcha_solution_time
      dosl7.mobile_cookie_expire_sec
      dosl7.noscript_text
      dosl7.p3p_header
      dosl7.params
      dosl7.parse_html_content_types
      dosl7.parse_html_excluded_accept_header_values
      dosl7.parse_html_excluded_extentions
      dosl7.parse_html_excluded_urls
      dosl7.parse_html_inject_tags
      dosl7.prg_cookie_urls
      dosl7.prg_iframe_urls
      dosl7.proactive_defense_cookie_name
      dosl7.proactive_defense_excluded_headers
      dosl7.proactive_defense_fictive_url
      dosl7.proactive_defense_log_rate_limit
      dosl7.proactive_defense_max_http_request_length
      dosl7.proactive_defense_prefix
      dosl7.proactive_defense_renew_sec
      dosl7.proactive_defense_simple_redirect
      dosl7.proactive_defense_simple_redirect_on_grace
      dosl7.proactive_defense_validate_ip
      dosl7.proactive_defense_validation_percent
      dosl7.report_acy_perf
      dosl7.selenium_timeout
      dosl7.sign_embeded_script
      dosl7.test
      dosl7.use_secure_cookies
      dosl7.web_rootkit_report_min_score
      dosl7d.attack_wait_timeout
      dosl7d.auto_below_thresh_timeout
      dosl7d.auto_cold_start_first_period_length
      dosl7d.auto_cold_start_first_period_switch_period
      dosl7d.auto_cold_start_second_period_length
      dosl7d.auto_drop_ratio
      dosl7d.auto_geo_slice_length
      dosl7d.auto_normal_switch_period
      dosl7d.auto_num_of_top_device_id
      dosl7d.auto_num_of_top_geolocation
      dosl7d.auto_num_of_top_ip
      dosl7d.auto_num_of_top_url
      dosl7d.auto_stress_thresh_multiplier
      dosl7d.auto_time_scale_factor
      dosl7d.auto_tps_thresh_multiplier
      dosl7d.clean_bot_publisher_anomalies
      dosl7d.conf_change_freeze_on_period
      dosl7d.cs_legitimate_successful_rate
      dosl7d.cs_max_reply_time
      dosl7d.cs_min_requests_for_replies
      dosl7d.force_core_on_sigabrt
      dosl7d.grafana_report
      dosl7d.grafana_report_top_only
      dosl7d.heaviness_factor
      dosl7d.max_attack_duration
      dosl7d.max_icc_buffer_size
      dosl7d.max_tcpdump_cpu_usage
      dosl7d.max_tcpdump_files
      dosl7d.max_tcpdump_size
      dosl7d.min_challenge_drop_time
      dosl7d.min_challenge_rps
      dosl7d.min_challenge_success_ratio
      dosl7d.min_geo_reliable_time
      dosl7d.min_heavy_url_drop_rate
      dosl7d.min_time_between_attacks
      dosl7d.min_time_for_attack_end
      dosl7d.min_transaction_count_per_interval
      dosl7d.publish_custom_message
      dosl7d.shun_list
      dosl7d.shun_prevention_time
      dosl7d.sliding_window_long
      dosl7d.sliding_window_medium
      dosl7d.sliding_window_short
      dosl7d.static_uri_protection
      dosl7d.stress_absolute_threshold
      dosl7d.stress_relative_threshold
      dosl7d.susp_max_entities
      dosl7d.tcpdump_rstcause
      dosl7d.trigger_logging

       

      for ASM here you can see

      asm.asm_malicious_sources_monitoring_interval
      asm.brute_force_bypass_non_qualified_url
      asm.brute_force_end_attack_verification_time
      asm.brute_force_max_tmstat_entries
      asm.brute_force_monitoring_interval
      asm.connlimit
      asm.cookie_prefix
      asm.cookie_revision_base
      asm.cookie_suffix_base
      asm.credential_stuffing_service
      asm.cs_challenge_length
      asm.cs_qualified_urls
      asm.cshui_susp_event_bot_score
      asm.csrf_rerun_interval
      asm.fastl4_allow
      asm.fictive_url
      asm.http_security_headers
      asm.ignore_bewaf
      asm.inject_apm_do_not_touch
      asm.inject_referrer_hook
      asm.mobile_ua
      asm.restrict_asm_logs_access
      asm.risk_engine.salt.restart
      asm.session_transactions_sampling_rate
      asm.strict_transport_policy
      asm.strip_asm_cookies
      asm.time_to_free_idle_umus_in_sec
      asmconffailure.enabled
      asmconffailure.haaction.primary
      asmconffailure.haaction.secondary

      For DDoS best practices you can refer here:

      https://www.f5.com/pdf/products/ddos-protection-recommended-practices.pdf

      There are tons of documentation available for DoS and DDoS on the F5 site.

       

      Hope that Helps

      🙏 
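
An added example, not part of the posts above and not F5 code: a small parser for the `list sys db all-properties one-line` format shown in this thread, which reports keys that differ from their default and checks a proposed value against `value-range` before producing the `modify` command together with the command that restores the previous value. The function names and the value-range grammar (inferred from the ranges visible above) are assumptions, and the sample input is constructed from lines in the thread with two values altered.

```python
import re
import shlex

# Constructed sample in the format of `list sys db all-properties one-line`.
# Lines are taken from the output in this thread; the current values of
# asm.connlimit and asm.strip_asm_cookies were altered here to simulate drift.
SAMPLE = """\
Truncating the results due to 20k characters limit
sys db asm.brute_force_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
sys db asm.connlimit { default-value "6000" scf-config "true" value "9000" value-range "integer min:0 max:4294967295" }
sys db asm.cookie_prefix { default-value "TS" scf-config "true" value "TS" value-range "string min-len:2 max-len:20" }
---(less 9%)--- sys db asm.session_transactions_sampling_rate { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
sys db asm.strip_asm_cookies { default-value "true" scf-config "true" value "false" value-range "false true" }
"""

# A pager marker pasted in front of a record is tolerated; other lines are skipped.
LINE_RE = re.compile(r"^(?:---\(less \d+%\)---\s*)?sys db (\S+) \{ (.*) \}$")
PROP_RE = re.compile(r'([\w-]+) "((?:[^"\\]|\\.)*)"')


def parse_sys_db(text):
    """Return {key: {property: value}}; prompts and notices are skipped."""
    keys = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            keys[m.group(1)] = dict(PROP_RE.findall(m.group(2)))
    return keys


def non_default(keys):
    """Sorted (name, default, current) for keys changed from their default."""
    return sorted((k, p["default-value"], p["value"]) for k, p in keys.items()
                  if p["value"] != p["default-value"])


def in_range(value, value_range):
    """Check a value against a value-range string.

    Assumption: the grammar is inferred from the ranges visible in this thread
    (integers with min/max, strings with min-len/max-len, enumerations)."""
    tokens = value_range.split()
    limits = {}
    if "integer" in tokens or tokens[:1] == ["string"]:
        limits = {n: int(v) for n, v in
                  (t.split(":", 1) for t in tokens if ":" in t)}
    if "integer" in tokens:
        if not re.fullmatch(r"-?\d+", value):
            return False
        n = int(value)
        if "unsigned" in tokens and n < 0:
            return False
        return limits.get("min", n) <= n <= limits.get("max", n)
    if tokens[:1] == ["string"]:
        size = len(value)
        return limits.get("min-len", 0) <= size <= limits.get("max-len", size)
    return value in tokens  # enumerated range such as "disable enable"


def plan_change(keys, name, new_value):
    """Return (apply_cmd, rollback_cmd); ValueError if unknown or out of range."""
    if name not in keys:
        raise ValueError(f"unknown db key: {name}")
    prop = keys[name]
    if not in_range(new_value, prop["value-range"]):
        raise ValueError(f"{new_value!r} outside {prop['value-range']!r}")
    cmd = "tmsh modify sys db {} value {}"
    return (cmd.format(name, shlex.quote(new_value)),
            cmd.format(name, shlex.quote(prop["value"])))


if __name__ == "__main__":
    db = parse_sys_db(SAMPLE)
    for name, default, current in non_default(db):
        print(f"{name}: default={default} current={current}")
    print(*plan_change(db, "asm.connlimit", "8000"), sep="\n")
```

Running the same parse on output saved before and after a tuning session gives a record of exactly which keys were touched and what to set them back to.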

  • Hi Nishal_Rai, F5_Design_Engineer provides some great information here. There isn't a catch-all document that describes all the db keys, and I'd be cautious to mess around with any of them, particularly in a production environment, that aren't documented in a knowledge article on MyF5 or covered in an article here on DevCentral without the guidance of a support exchange.

  • Hello,

    Thanks, F5_Design_Engineer for the database key insights and JRahm for the cautionary advice!

    I'm curious if logs from dosl7d can help uncover the cause of specific database keys behind triggered behavioral/L7 DoS attacks. Here's a sample log:


    Any tips on deciphering these logs for root cause analysis would be appreciated.

  • Hi Nishal,

    It's a seen behavior which is caused by a known issue tracked with bug ID 922597; I'm not sure which OS version you are using in your environment.

    For older software versions the adm.health.sensitivity default value is 50. In newer versions it was increased to 500 in order to minimize false positives.


    Bug ID 922597:
    BADOS default sensitivity of 50 creates false positive attack on some sites

    Affected Product(s):
    BIG-IP ASM

    Known Affected Versions:
    14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

    Fixed In:
    16.1.0, 15.1.3, 14.1.4

    On my test box running 16.1.4.1 it has already been fixed, with the default value being 500:

    root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db adm.health.sensitivity value
    sys db adm.health.sensitivity {
    value "500"
    }

    Recommended Actions

    If your db parameter value is anything other than 500, then you may have to modify the default sensitivity value from 50 to 500, sometimes even to 1000; you need to find out the suitable number for your environment. Try first to go with 500; if that does not work you can try increasing this value.

    1. Connect to CLI
    2. First check the sensitivity value
      tmsh list sys db adm.health.sensitivity value
    3. Change the sensitivity value to 500

      tmsh modify sys db adm.health.sensitivity value 500

      K34122128: Controlling BaDoS sensitivity using db variable 'adm.health.sensitivity'
      https://my.f5.com/manage/s/article/K34122128


      Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites
      https://cdn.f5.com/product/bugtracker/ID922597.html

      K21040310: Behavioral Dos (ASM) false positive blocks legitimate traffic
      https://my.f5.com/manage/s/article/K21040310

      Hope this Helps

      🙏

  • Hello F5_Design_Engineer,

    Thank you for the links about the bugs in F5 BIG-IP causing false positives in ASM DoS protection.

    Are there any other bugs triggering such false positives in F5 ASM DoS protection, like the one you've mentioned above?

    The current version of F5 BIG-IP is 16.1.4.1, and similar L7 DoS false positives are being triggered:



    Regarding the adm.health.sensitivity value, the value by default was 500, and the issue still persisted when I modified it to 1000, so I increased it to 1200.

    I just want to know: does this change affect all the enforced DoS profiles? If so, can I specify a particular DoS profile, where most of the false positives get triggered, to enforce such a custom value?

    Since the global changes in the sensitivity level might affect the ability of the other enforced DoS profile services to accurately identify L7 DoS attacks.