Any resource to learn the database key value of F5 BIG-IP ASM DoS protection
Hello Everyone,
Greetings!
There have been a lot of false positives regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specific threshold values causing false positives in behavioral and L7 DoS attacks. I came across an article suggesting adjusting the 'adm.health.sensitivity' database key to mitigate false positives.
Ref:
https://my.f5.com/manage/s/article/K21040310
I'm seeking resources or a list detailing the functionality of such database keys within F5 BIG-IP ASM, and any methods to monitor and modify those parameter values based on the client request, especially concerning behavioral protection in F5 BIG-IP ASM DoS protection.
Any guidance or shared knowledge on this matter would be immensely appreciated.
For 16.1.4.1, here you can see the list of all the 2509 db variables:
[root@F5-Design_Engg02:Active:Standalone] config # tmsh
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db
Display all 2509 items? (y/n) y
Options:
all-properties one-line
non-default-properties |
Properties:
default-value value-range
scf-config {
value
Configuration Items:
acceleration.log.color merged.merge
Truncating the results due to 20k characters limit
arp.vlanpriority platform.diskmonitor.limitwarn.var
asm.asm_malicious_sources_monitoring_interval platform.diskmonitor.limitwarn.var_log
asm.brute_force_bypass_non_qualified_url platform.diskmonitor.limitwarn.var_loipc
asm.brute_force_end_attack_verification_time platform.diskmonitor.limitwarn.var_prompt
asm.brute_force_max_tmstat_entries platform.diskmonitor.limitwarn.var_tmstat
asm.brute_force_monitoring_interval platform.diskmonitor.limitwarn.vmdisk
asm.connlimit platform.diskmonitor.monitor._root_
asm.cookie_prefix platform.diskmonitor.monitor.appdata
asm.cookie_revision_base platform.diskmonitor.monitor.config
asm.cookie_suffix_base platform.diskmonitor.monitor.dev
asm.credential_stuffing_service platform.diskmonitor.monitor.dev_shm
asm.cs_challenge_length platform.diskmonitor.monitor.run
asm.cs_qualified_urls platform.diskmonitor.monitor.run_pamcache
asm.cshui_susp_event_bot_score platform.diskmonitor.monitor.shared
asm.csrf_rerun_interval platform.diskmonitor.monitor.shared_rrd.1.2
asm.fastl4_allow platform.diskmonitor.monitor.usr
asm.fictive_url platform.diskmonitor.monitor.var
asm.http_security_headers platform.diskmonitor.monitor.var_log
asm.ignore_bewaf platform.diskmonitor.monitor.var_loipc
asm.inject_apm_do_not_touch platform.diskmonitor.monitor.var_prompt
asm.inject_referrer_hook platform.diskmonitor.monitor.var_tmstat
asm.mobile_ua platform.diskmonitor.monitor.vmdisk
asm.restrict_asm_logs_access platform.diskmonitor.state
asm.risk_engine.salt.restart platform.diskmonitor.time
asm.session_transactions_sampling_rate platform.diskmonitor.time._root_
asm.strict_transport_policy platform.diskmonitor.time.appdata
asm.strip_asm_cookies platform.diskmonitor.time.config
asm.time_to_free_idle_umus_in_sec platform.diskmonitor.time.dev
asmconffailure.enabled platform.diskmonitor.time.dev_shm
asmconffailure.haaction.primary platform.diskmonitor.time.run
asmconffailure.haaction.secondary platform.diskmonitor.time.run_pamcache
auto.discover.flow.count platform.diskmonitor.time.shared
auto.discover.mvs.count platform.diskmonitor.time.shared_rrd.1.2
l4bdos.anomaly.detection.frequency tmm.pem.td.expected.num.conn
l4bdos.anomaly.threshold.floor tmm.pem.td.num.conn.wt
l4bdos.baseline.learning.period tmm.pem.td.sample.interval
l4bdos.collect.stats.frequency tmm.pem.td.tcpf.os.wt
l4bdos.dns.stress.compute.frequency tmm.pem.td.ttl.wt
l4bdos.ha.state.update.frequency tmm.pem.td.ua.os.wt
l4bdos.netflow.collect.frequency tmm.pkcs11d.invalidatekeyhandle
l4bdos.netflow.disable.selective.bins tmm.pkcs11d.loadkeyhandles
l4bdos.packet.sampling.interval tmm.pkcs11d.shmid
l4bdos.signature.disable.no_stats.periods tmm.policy.tracelevel
l4bdos.signature.sample.packet.frequency tmm.pop3.max_partial_connbytes
l4bdos.transient.signature.merge.periods tmm.pop3.max_partial_conncount
log.diameter.level tmm.websocket.deflate.memory.threshold
log.dosl7.acy.level tmm.websocket.inflate.max.ratio
log.dosl7.all.level tmm.wlite
log.dosl7.bot.level tmm.wlite.pinning
log.dosl7.challenge.level tmplugin.scheduler
log.dosl7.conf.level tmplugin.splitplanes.nice
log.dosl7.datasync.level tmrouted.gracefulrestartdelay
log.dosl7.main.level tmrouted.netlinkcmdidletimeout
log.dosl7.misc.level tmrouted.netlinklistenidletimeout
log.dosl7.mobile.level tmrouted.rhifailoverdelay
log.dosl7.tcl.level tmrouted.tmos.routing
log.dosprotect.level tmrouted.tmos.routing.status
I also use list sys db all-properties one-line
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db all-properties one-line
Display all 2509 items? (y/n) y
Truncating the results due to 20k characters limit
sys db asm.asm_malicious_sources_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:1800" }
sys db asm.brute_force_bypass_non_qualified_url { default-value "false" scf-config "true" value "false" value-range "false true" }
sys db asm.brute_force_end_attack_verification_time { default-value "120" scf-config "true" value "120" value-range "unsigned integer min:1 max:1000" }
sys db asm.brute_force_max_tmstat_entries { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:10000" }
sys db asm.brute_force_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
sys db asm.connlimit { default-value "6000" scf-config "true" value "6000" value-range "integer min:0 max:4294967295" }
sys db asm.cookie_prefix { default-value "TS" scf-config "true" value "TS" value-range "string min-len:2 max-len:20" }
sys db asm.cookie_revision_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:240" }
sys db asm.cookie_suffix_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:900" }
sys db asm.credential_stuffing_service { default-value "enable" scf-config "true" value "enable" value-range "disable enable" }
sys db asm.cs_challenge_length { default-value "4" scf-config "true" value "4" value-range "unsigned integer min:1 max:7" }
sys db asm.cs_qualified_urls { default-value "," scf-config "true" value "," value-range "string" }
sys db asm.cshui_susp_event_bot_score { default-value "20" scf-config "true" value "20" value-range "unsigned integer min:0 max:10000000" }
sys db asm.csrf_rerun_interval { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:10000" }
sys db asm.fastl4_allow { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }
sys db asm.fictive_url { default-value "/TSbd/" scf-config "true" value "/TSbd/" value-range "string" }
sys db asm.http_security_headers { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }
sys db asm.ignore_bewaf { default-value "false" scf-config "true" value "false" value-range "false true" }
sys db asm.inject_apm_do_not_touch { default-value "true" scf-config "true" value "true" value-range "false true" }
sys db asm.inject_referrer_hook { default-value "true" scf-config "true" value "true" value-range "false true" }
sys db asm.mobile_ua { default-value "," scf-config "true" value "," value-range "string" }
sys db asm.restrict_asm_logs_access { default-value "false" scf-config "true" value "false" value-range "false true" }
sys db asm.risk_engine.salt.restart { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:2091752" }
sys db asm.session_transactions_sampling_rate { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }
sys db asm.strict_transport_policy { default-value "disable" scf-config "false" value "disable" value-range "disable enable" }
sys db asm.strip_asm_cookies { default-value "true" scf-config "true" value "true" value-range "false true" }
sys db asm.time_to_free_idle_umus_in_sec { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:1800" }
sys db asmconffailure.enabled { default-value "true" scf-config "true" value "true" value-range "false true" }
sys db asmconffailure.haaction.primary { default-value "restart_all" scf-config "true" value "restart_all" value-range "go_offline go_offline_downlinks no_action restart_all" }
sys db asmconffailure.haaction.secondary { default-value "go_offline" scf-config "true" value "go_offline" value-range "go_offline go_offline_downlinks no_action restart_all" }
sys db auto.discover.flow.count { default-value "3" scf-config "true" value "3" value-range "unsigned integer min:1 max:65530" }
Hi Nishal,
There is no single documentation I saw that describes the function of all the sys db variables. What I do in case I need it is get a list and try to find the closest match of the words; for example, for ASM modules I keep searching the different variables for the keyword asm.
These keys and their default values can be viewed via tmsh:
tmsh list sys db [DB KEY]
These keys can be modified as follows:
tmsh modify sys db [DB KEY]
Note: DB key values are automatically applied to a system without the need for a save sys config.
On v16.1.4.1 here you can see all SYS DB parameters using the following command in TMSH mode:
list sys db
Display all 2509 items? (y/n) y
Once you select the parameter, take a backup or note down the default value before changing.
Once done you can change the parameter in tmsh mode using the following:
modify sys db
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db as
Configuration Items:
asm.asm_malicious_sources_monitoring_interval asm.fictive_url
asm.brute_force_bypass_non_qualified_url asm.http_security_headers
asm.brute_force_end_attack_verification_time asm.ignore_bewaf
asm.brute_force_max_tmstat_entries asm.inject_apm_do_not_touch
asm.brute_force_monitoring_interval asm.inject_referrer_hook
asm.connlimit asm.mobile_ua
asm.cookie_prefix asm.restrict_asm_logs_access
asm.cookie_revision_base asm.risk_engine.salt.restart
asm.cookie_suffix_base asm.session_transactions_sampling_rate
asm.credential_stuffing_service asm.strict_transport_policy
asm.cs_challenge_length asm.strip_asm_cookies
asm.cs_qualified_urls asm.time_to_free_idle_umus_in_sec
asm.cshui_susp_event_bot_score asmconffailure.enabled
asm.csrf_rerun_interval asmconffailure.haaction.primary
asm.fastl4_allow asmconffailure.haaction.secondary
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
Display all 2509 items? (y/n) n
Options:
reset-to-default
Properties:
value {
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
The following DB keys were added in version 14, to make our captcha feature more robust:
sys db dosl7.captcha_case_sensitivity {
default-value "disable"
scf-config "true"
value "disable"
value-range "disable enable"
}
sys db dosl7.captcha_challenge_type {
default-value "characters"
scf-config "false"
value "characters"
value-range "arithmetic characters random"
}
sys db dosl7.captcha_characters_pool {
default-value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
scf-config "true"
value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
value-range "string"
}
sys db dosl7.captcha_length_max {
default-value "6"
scf-config "true"
value "6"
value-range "unsigned integer min:1 max:10"
}
sys db dosl7.captcha_length_min {
default-value "6"
scf-config "true"
value "6"
value-range "unsigned integer min:1 max:10"
}
sys db dosl7.captcha_lines_max {
default-value "5"
scf-config "true"
value "5"
value-range "unsigned integer min:0 max:20"
}
sys db dosl7.captcha_lines_min {
default-value "5"
scf-config "true"
value "5"
value-range "unsigned integer min:0 max:20"
}
sys db dosl7.captcha_max_cpu_prc {
default-value "90"
scf-config "true"
value "90"
value-range "unsigned integer min:0 max:100"
}
sys db dosl7.captcha_noise_max {
default-value "2"
scf-config "true"
value "2"
value-range "unsigned integer min:0 max:10"
}
sys db dosl7.captcha_noise_min {
default-value "2"
scf-config "true"
value "2"
value-range "unsigned integer min:0 max:10"
}
sys db dosl7.captcha_perturbation_max {
default-value "85"
scf-config "true"
value "85"
value-range "unsigned integer min:10 max:100"
}
sys db dosl7.captcha_perturbation_min {
default-value "85"
scf-config "true"
value "85"
value-range "unsigned integer min:10 max:100"
}
sys db dosl7.captcha_transparency_percentage_max {
default-value "20"
scf-config "true"
value "20"
value-range "unsigned integer min:0 max:85"
}
sys db dosl7.captcha_transparency_percentage_min {
default-value "20"
scf-config "true"
value "20"
value-range "unsigned integer min:0 max:85"
}
These are the DoS-related SYS DB settings that you can search more:
dos.allvlans
dos.auto.threshold.hysteresis
dos.auto.threshold.learnalways
dos.auto.threshold.stresstest
dos.autodosd.alpha_max
dos.autodosd.alpha_min
dos.behavioral.analysis
dos.blleaklimit
dos.debug.noneuron.wl
dos.dns.respfrag.allow
dos.dnsnxdomain.learnperiod
dos.dnsnxdomain.period
dos.dnsnxdomain.trackersize
dos.dnsport
dos.dnsvlan
dos.dropv4mapped
dos.forceswdos
dos.fragforwardlimit
dos.globalsflimits
dos.httpbdos.exclusivity
dos.httpbdos.exclusivity.timeout
dos.icmp6msgtype1
dos.icmp6msgtype2
dos.ip.allow.unknown.proto1
dos.ip.allow.unknown.proto2
dos.iplowttl
dos.ipv6.swexthdr
dos.ipv6endpoint.prefix
dos.ipv6lowhopcnt
dos.logging.interval
dos.maxdnssize
dos.maxewlsize
dos.maxicmp6framesize
dos.maxicmpframesize
dos.maxipv6exthdrs
dos.maxipv6extsize
dos.maxsynsize
dos.mergepersec
dos.onehourinitrate
dos.onehourminrate
dos.protectedzone
dos.scrubtime
dos.sip.uri.limit
dos.sipport
dos.spvabl.checkdynamicwl
dos.syncookiedeactivate
dos.tcp.allow.unknown.opt1
dos.tcp.allow.unknown.opt2
dos.tcplowwindowsize
dos.tier1divisor
dos.tscookie.vlan
dos.unmatched.hwsyncookie_activate
dos.vcmphwdos
dos.wl_spva_entries_max
dos.wlipv6addrsel
dosl7.allowed_origins
dosl7.asm_cs_excluded_headers
dosl7.asm_cs_excluded_urls
dosl7.assume_https
dosl7.captcha_case_sensitivity
dosl7.captcha_challenge_type
dosl7.captcha_characters_pool
dosl7.captcha_length_max
dosl7.captcha_length_min
dosl7.captcha_lines_max
dosl7.captcha_lines_min
dosl7.captcha_max_cpu_prc
dosl7.captcha_noise_max
dosl7.captcha_noise_min
dosl7.captcha_perturbation_max
dosl7.captcha_perturbation_min
dosl7.captcha_transparency_percentage_max
dosl7.captcha_transparency_percentage_min
dosl7.chal_data_cookie_max_age
dosl7.cors_ajax_urls
dosl7.cors_font_urls
dosl7.cors_related_domains
dosl7.cs_encode
dosl7.cs_encrypt
dosl7.cs_excluded_headers
dosl7.cs_excluded_urls
dosl7.cs_expire_sec
dosl7.cs_max_request_size
dosl7.cs_max_resend
dosl7.cs_qualified_urls
dosl7.cs_validate_ip
dosl7.cscloud_enabled
dosl7.cscloud_timeout
dosl7.cscloud_url
dosl7.customheaders
dosl7.early_renewal_period
dosl7.efoxy_cookie
dosl7.efoxy_local_storage
dosl7.efoxy_websql
dosl7.efoxy_window_name
dosl7.fastl4_allow
dosl7.geolocation_drop_private_ips
dosl7.idle_fast_path
dosl7.internal_url_cookie_expiration_time
dosl7.long_ua_header_size
dosl7.max_captcha_solution_age
dosl7.max_captcha_solution_time
dosl7.max_cookie_length
dosl7.max_dynamic_params_injection_length
dosl7.max_lookup_length
dosl7.max_num_headers
dosl7.max_user_agent_occurrences
dosl7.min_captcha_solution_time
dosl7.mobile_cookie_expire_sec
dosl7.noscript_text
dosl7.p3p_header
dosl7.params
dosl7.parse_html_content_types
dosl7.parse_html_excluded_accept_header_values
dosl7.parse_html_excluded_extentions
dosl7.parse_html_excluded_urls
dosl7.parse_html_inject_tags
dosl7.prg_cookie_urls
dosl7.prg_iframe_urls
dosl7.proactive_defense_cookie_name
dosl7.proactive_defense_excluded_headers
dosl7.proactive_defense_fictive_url
dosl7.proactive_defense_log_rate_limit
dosl7.proactive_defense_max_http_request_length
dosl7.proactive_defense_prefix
dosl7.proactive_defense_renew_sec
dosl7.proactive_defense_simple_redirect
dosl7.proactive_defense_simple_redirect_on_grace
dosl7.proactive_defense_validate_ip
dosl7.proactive_defense_validation_percent
dosl7.report_acy_perf
dosl7.selenium_timeout
dosl7.sign_embeded_script
dosl7.test
dosl7.use_secure_cookies
dosl7.web_rootkit_report_min_score
dosl7d.attack_wait_timeout
dosl7d.auto_below_thresh_timeout
dosl7d.auto_cold_start_first_period_length
dosl7d.auto_cold_start_first_period_switch_period
dosl7d.auto_cold_start_second_period_length
dosl7d.auto_drop_ratio
dosl7d.auto_geo_slice_length
dosl7d.auto_normal_switch_period
dosl7d.auto_num_of_top_device_id
dosl7d.auto_num_of_top_geolocation
dosl7d.auto_num_of_top_ip
dosl7d.auto_num_of_top_url
dosl7d.auto_stress_thresh_multiplier
dosl7d.auto_time_scale_factor
dosl7d.auto_tps_thresh_multiplier
dosl7d.clean_bot_publisher_anomalies
dosl7d.conf_change_freeze_on_period
dosl7d.cs_legitimate_successful_rate
dosl7d.cs_max_reply_time
dosl7d.cs_min_requests_for_replies
dosl7d.force_core_on_sigabrt
dosl7d.grafana_report
dosl7d.grafana_report_top_only
dosl7d.heaviness_factor
dosl7d.max_attack_duration
dosl7d.max_icc_buffer_size
dosl7d.max_tcpdump_cpu_usage
dosl7d.max_tcpdump_files
dosl7d.max_tcpdump_size
dosl7d.min_challenge_drop_time
dosl7d.min_challenge_rps
dosl7d.min_challenge_success_ratio
dosl7d.min_geo_reliable_time
dosl7d.min_heavy_url_drop_rate
dosl7d.min_time_between_attacks
dosl7d.min_time_for_attack_end
dosl7d.min_transaction_count_per_interval
dosl7d.publish_custom_message
dosl7d.shun_list
dosl7d.shun_prevention_time
dosl7d.sliding_window_long
dosl7d.sliding_window_medium
dosl7d.sliding_window_short
dosl7d.static_uri_protection
dosl7d.stress_absolute_threshold
dosl7d.stress_relative_threshold
dosl7d.susp_max_entities
dosl7d.tcpdump_rstcause
dosl7d.trigger_logging
For ASM, here you can see:
asm.asm_malicious_sources_monitoring_interval
asm.brute_force_bypass_non_qualified_url
asm.brute_force_end_attack_verification_time
asm.brute_force_max_tmstat_entries
asm.brute_force_monitoring_interval
asm.connlimit
asm.cookie_prefix
asm.cookie_revision_base
asm.cookie_suffix_base
asm.credential_stuffing_service
asm.cs_challenge_length
asm.cs_qualified_urls
asm.cshui_susp_event_bot_score
asm.csrf_rerun_interval
asm.fastl4_allow
asm.fictive_url
asm.http_security_headers
asm.ignore_bewaf
asm.inject_apm_do_not_touch
asm.inject_referrer_hook
asm.mobile_ua
asm.restrict_asm_logs_access
asm.risk_engine.salt.restart
asm.session_transactions_sampling_rate
asm.strict_transport_policy
asm.strip_asm_cookies
asm.time_to_free_idle_umus_in_sec
asmconffailure.enabled
asmconffailure.haaction.primary
asmconffailure.haaction.secondary
For DDoS best practices you can refer here:
https://www.f5.com/pdf/products/ddos-protection-recommended-practices.pdf
There is tons of documentation available for DoS and DDoS on the F5 site.
Hope that Helps
🙏
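An added example, not part of the original posts and not F5 tooling: a small Python parser for the `list sys db all-properties one-line` output shown above. It lists keys whose value differs from default-value and checks a proposed value against value-range before producing apply and rollback commands. The value-range grammar and the helper names (parse_db_dump, non_default, value_allowed, plan_change) are assumptions inferred from the output in this thread.

```python
import re

# Constructed sample in the `list sys db all-properties one-line` format.
# Key names and ranges come from the thread; two current values are changed
# here to simulate drift, and one line carries a pager prefix of the kind
# `less` leaves in captured output.
SAMPLE = """\
sys db asm.connlimit { default-value "6000" scf-config "true" value "6000" value-range "integer min:0 max:4294967295" }
sys db asm.brute_force_monitoring_interval { default-value "10" scf-config "true" value "30" value-range "unsigned integer min:1 max:60" }
---(less 9%)--- sys db asm.strict_transport_policy { default-value "disable" scf-config "false" value "enable" value-range "disable enable" }
sys db asm.cookie_prefix { default-value "TS" scf-config "true" value "TS" value-range "string min-len:2 max-len:20" }
"""

ENTRY_RE = re.compile(r'sys db (\S+) \{(.*)\}')
PROP_RE = re.compile(r'([\w-]+) "((?:[^"\\]|\\.)*)"')


def parse_db_dump(text):
    """Map each db key to its properties; tolerates residue before 'sys db'."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            keys[m.group(1)] = dict(PROP_RE.findall(m.group(2)))
    return keys


def non_default(keys):
    """Keys whose value differs from default-value: {key: (default, current)}."""
    return {k: (p["default-value"], p["value"]) for k, p in keys.items()
            if p.get("value") != p.get("default-value")}


def value_allowed(candidate, value_range):
    """Check a proposed value against a value-range string.

    Assumption: the grammar is inferred from the forms visible in the thread
    (integer with min/max, string with min-len/max-len, enumerations).
    """
    tokens = value_range.split()
    bounds = {k: int(v) for k, v in (t.split(":", 1) for t in tokens if ":" in t)}
    if "integer" in tokens:
        if not re.fullmatch(r"-?\d+", candidate):
            return False
        n = int(candidate)
        if "unsigned" in tokens and n < 0:
            return False
        return bounds.get("min", n) <= n <= bounds.get("max", n)
    if tokens[:1] == ["string"]:
        size = len(candidate)
        return bounds.get("min-len", 0) <= size <= bounds.get("max-len", size)
    return candidate in tokens  # enumerated values such as "disable enable"


def plan_change(keys, name, candidate):
    """Return (apply, rollback) tmsh commands, refusing out-of-range values."""
    props = keys[name]
    if not value_allowed(candidate, props["value-range"]):
        raise ValueError(f"{candidate!r} outside {props['value-range']!r} for {name}")
    apply_cmd = f"tmsh modify sys db {name} value {candidate}"
    rollback_cmd = f"tmsh modify sys db {name} value {props['value']}"
    return apply_cmd, rollback_cmd


if __name__ == "__main__":
    db = parse_db_dump(SAMPLE)
    for key, (default, current) in non_default(db).items():
        print(f"{key}: default={default} current={current}")
    print(plan_change(db, "asm.connlimit", "8000"))
```

Saving the rollback command alongside the change record gives a one-step return to the previous value, which may itself differ from the shipped default.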
- JRahm (Admin)
Hi Nishal_Rai, F5_Design_Engineer provides some great information here. There isn't a catch-all document that describes all the db keys, and I'd be cautious to mess around with any of them, particularly in a production environment, that aren't documented in a knowledge article on MyF5 or covered in an article here on DevCentral without the guidance of a support exchange.
- Nishal_Rai (Cirrocumulus)
Hello,
Thanks, F5_Design_Engineer for the database key insights and JRahm for the cautionary advice!
I'm curious if logs from dosl7d can help uncover the cause of specific database keys behind triggered behavioral/L7 DoS attacks. Here's a sample log:
Any tips on deciphering these logs for root cause analysis would be appreciated.
Hi Nishal,
It's a seen behavior which is caused by a known issue tracked with bug ID 922597; I'm not sure which OS version you are using in your environment.
For older software versions, the adm.health.sensitivity default value is 50. In newer versions it was increased to 500 in order to minimize false positives.
Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2
Fixed In:
16.1.0, 15.1.3, 14.1.4
In my test box 16.1.4.1 it has already been fixed, with a default value of 500, as follows:
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db adm.health.sensitivity value
sys db adm.health.sensitivity {
value "500"
}
Recommended Actions
If your db parameter value is anything other than 500, then you may have to modify the default sensitivity value from 50 to 500, sometimes even to 1000; you need to find out the suitable number for your environment. Try first to go with 500; if that does not work you can try increasing this value.
- Connect to CLI
- First check the sensitivity value
tmsh list sys db adm.health.sensitivity value
- Change the sensitivity value to 500
tmsh modify sys db adm.health.sensitivity value 500
K34122128: Controlling BaDoS sensitivity using db variable 'adm.health.sensitivity'
https://my.f5.com/manage/s/article/K34122128
Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites
https://cdn.f5.com/product/bugtracker/ID922597.html
K21040310: Behavioral Dos (ASM) false positive blocks legitimate traffic
https://my.f5.com/manage/s/article/K21040310
Hope this Helps
🙏
- Nishal_Rai (Cirrocumulus)
Hello F5_Design_Engineer,
Thank you for the links about the bugs in F5 BIG-IP causing false positives in ASM DoS protection.
Are there any other bugs triggering such false positives in F5 ASM DoS protection, like the one you've mentioned above?
The current version of F5 BIG-IP is 16.1.4.1, and similar L7 DoS false positives are being triggered:
Regarding the adm.health.sensitivity value, the value by default was 500, and the issue still persisted when I modified it to 1000, so I increased it to 1200. I just want to know: does this change affect all the enforced DoS profiles? If so, can I specify a particular DoS profile, where most of the false positives get triggered, to enforce such a custom value?
The global changes in the sensitivity level might affect the ability of the other enforced DoS profile services to accurately identify L7 DoS attacks.