Forum Discussion

Nishal_Rai's avatar
Nishal_Rai
Icon for Cirrocumulus rankCirrocumulus
Dec 07, 2023

Any resource to learn the database key value of F5 BIG-IP ASM DoS protection

Hello Everyone, Greetings! There has been a lot of false positive regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specifi...
application delivery
security
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Dec 07, 2023

Hi Nishal,

There is no one sigle doumentation i saw that describes the function of all the sys db variables, what I do in case i need i get a list and try to find the closest match of the words, like for asm modules i keep seaching the different variables for keyword asm ,

 

These keys and their default values can be viewed via tmsh:
tmsh list sys db [DB KEY]

These keys can be modified as follows:
tmsh modify sys db [DB KEY]

Note: DB key values are automatically applied to a system without the need for a save sys config.

On v16.1.4.1 here you can see all SYS DB paramaeters using following command in TMSH mode:

list sys db
Display all 2509 items? (y/n) y

 

Once you select the parameter take a backup or note down the default value before changing.

Once done you can change the parameter in tmsh mode using following

modify sys db 

 

root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db as
Configuration Items:
asm.asm_malicious_sources_monitoring_interval asm.fictive_url
asm.brute_force_bypass_non_qualified_url asm.http_security_headers
asm.brute_force_end_attack_verification_time asm.ignore_bewaf
asm.brute_force_max_tmstat_entries asm.inject_apm_do_not_touch
asm.brute_force_monitoring_interval asm.inject_referrer_hook
asm.connlimit asm.mobile_ua
asm.cookie_prefix asm.restrict_asm_logs_access
asm.cookie_revision_base asm.risk_engine.salt.restart
asm.cookie_suffix_base asm.session_transactions_sampling_rate
asm.credential_stuffing_service asm.strict_transport_policy
asm.cs_challenge_length asm.strip_asm_cookies
asm.cs_qualified_urls asm.time_to_free_idle_umus_in_sec
asm.cshui_susp_event_bot_score asmconffailure.enabled
asm.csrf_rerun_interval asmconffailure.haaction.primary
asm.fastl4_allow asmconffailure.haaction.secondary
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
Display all 2509 items? (y/n) n

Options:
reset-to-default
Properties:
value {
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit

 

  • The following DB keys were added in version 14, to make our captcha feature more robust:
    sys db dosl7.captcha_case_sensitivity {
        default-value "disable"
        scf-config "true"
        value "disable"
        value-range "disable enable"
    }

    sys db dosl7.captcha_challenge_type {
        default-value "characters"
        scf-config "false"
        value "characters"
        value-range "arithmetic characters random"
    }

    sys db dosl7.captcha_characters_pool {
        default-value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
        scf-config "true"
        value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"
        value-range "string"
    }

    sys db dosl7.captcha_length_max {
        default-value "6"
        scf-config "true"
        value "6"
        value-range "unsigned integer min:1 max:10"
    }

    sys db dosl7.captcha_length_min {
        default-value "6"
        scf-config "true"
        value "6"
        value-range "unsigned integer min:1 max:10"
    }

    sys db dosl7.captcha_lines_max {
        default-value "5"
        scf-config "true"
        value "5"
        value-range "unsigned integer min:0 max:20"
    }

    sys db dosl7.captcha_lines_min {
        default-value "5"
        scf-config "true"
        value "5"
        value-range "unsigned integer min:0 max:20"
    }

    sys db dosl7.captcha_max_cpu_prc {
        default-value "90"
        scf-config "true"
        value "90"
        value-range "unsigned integer min:0 max:100"
    }

    sys db dosl7.captcha_noise_max {
        default-value "2"
        scf-config "true"
        value "2"
        value-range "unsigned integer min:0 max:10"
    }

    sys db dosl7.captcha_noise_min {
        default-value "2"
        scf-config "true"
        value "2"
        value-range "unsigned integer min:0 max:10"
    }

    sys db dosl7.captcha_perturbation_max {
        default-value "85"
        scf-config "true"
        value "85"
        value-range "unsigned integer min:10 max:100"
    }

    sys db dosl7.captcha_perturbation_min {
        default-value "85"
        scf-config "true"
        value "85"
        value-range "unsigned integer min:10 max:100"
    }

    sys db dosl7.captcha_transparency_percentage_max {
        default-value "20"
        scf-config "true"
        value "20"
        value-range "unsigned integer min:0 max:85"
    }

    sys db dosl7.captcha_transparency_percentage_min {
        default-value "20"
        scf-config "true"
        value "20"
        value-range "unsigned integer min:0 max:85"
    }
     

    These are the dos related SYS DB settings that you can search more 

    dos.allvlans
    dos.auto.threshold.hysteresis
    dos.auto.threshold.learnalways
    dos.auto.threshold.stresstest
    dos.autodosd.alpha_max
    dos.autodosd.alpha_min
    dos.behavioral.analysis
    dos.blleaklimit
    dos.debug.noneuron.wl
    dos.dns.respfrag.allow
    dos.dnsnxdomain.learnperiod
    dos.dnsnxdomain.period
    dos.dnsnxdomain.trackersize
    dos.dnsport
    dos.dnsvlan
    dos.dropv4mapped
    dos.forceswdos
    dos.fragforwardlimit
    dos.globalsflimits
    dos.httpbdos.exclusivity
    dos.httpbdos.exclusivity.timeout
    dos.icmp6msgtype1
    dos.icmp6msgtype2
    dos.ip.allow.unknown.proto1
    dos.ip.allow.unknown.proto2
    dos.iplowttl
    dos.ipv6.swexthdr
    dos.ipv6endpoint.prefix
    dos.ipv6lowhopcnt
    dos.logging.interval
    dos.maxdnssize
    dos.maxewlsize
    dos.maxicmp6framesize
    dos.maxicmpframesize
    dos.maxipv6exthdrs
    dos.maxipv6extsize
    dos.maxsynsize
    dos.mergepersec
    dos.onehourinitrate
    dos.onehourminrate
    dos.protectedzone
    dos.scrubtime
    dos.sip.uri.limit
    dos.sipport
    dos.spvabl.checkdynamicwl
    dos.syncookiedeactivate
    dos.tcp.allow.unknown.opt1
    dos.tcp.allow.unknown.opt2
    dos.tcplowwindowsize
    dos.tier1divisor
    dos.tscookie.vlan
    dos.unmatched.hwsyncookie_activate
    dos.vcmphwdos
    dos.wl_spva_entries_max
    dos.wlipv6addrsel
    dosl7.allowed_origins
    dosl7.asm_cs_excluded_headers
    dosl7.asm_cs_excluded_urls
    dosl7.assume_https
    dosl7.captcha_case_sensitivity
    dosl7.captcha_challenge_type
    dosl7.captcha_characters_pool
    dosl7.captcha_length_max
    dosl7.captcha_length_min
    dosl7.captcha_lines_max
    dosl7.captcha_lines_min
    dosl7.captcha_max_cpu_prc
    dosl7.captcha_noise_max
    dosl7.captcha_noise_min
    dosl7.captcha_perturbation_max
    dosl7.captcha_perturbation_min
    dosl7.captcha_transparency_percentage_max
    dosl7.captcha_transparency_percentage_min
    dosl7.chal_data_cookie_max_age
    dosl7.cors_ajax_urls
    dosl7.cors_font_urls
    dosl7.cors_related_domains
    dosl7.cs_encode
    dosl7.cs_encrypt
    dosl7.cs_excluded_headers
    dosl7.cs_excluded_urls
    dosl7.cs_expire_sec
    dosl7.cs_max_request_size
    dosl7.cs_max_resend
    dosl7.cs_qualified_urls
    dosl7.cs_validate_ip
    dosl7.cscloud_enabled
    dosl7.cscloud_timeout
    dosl7.cscloud_url
    dosl7.customheaders
    dosl7.early_renewal_period
    dosl7.efoxy_cookie
    dosl7.efoxy_local_storage
    dosl7.efoxy_websql
    dosl7.efoxy_window_name
    dosl7.fastl4_allow
    dosl7.geolocation_drop_private_ips
    dosl7.idle_fast_path
    dosl7.internal_url_cookie_expiration_time
    dosl7.long_ua_header_size
    dosl7.max_captcha_solution_age
    dosl7.max_captcha_solution_time
    dosl7.max_cookie_length
    dosl7.max_dynamic_params_injection_length
    dosl7.max_lookup_length
    dosl7.max_num_headers
    dosl7.max_user_agent_occurrences
    dosl7.min_captcha_solution_time
    dosl7.mobile_cookie_expire_sec
    dosl7.noscript_text
    dosl7.p3p_header
    dosl7.params
    dosl7.parse_html_content_types
    dosl7.parse_html_excluded_accept_header_values
    dosl7.parse_html_excluded_extentions
    dosl7.parse_html_excluded_urls
    dosl7.parse_html_inject_tags
    dosl7.prg_cookie_urls
    dosl7.prg_iframe_urls
    dosl7.proactive_defense_cookie_name
    dosl7.proactive_defense_excluded_headers
    dosl7.proactive_defense_fictive_url
    dosl7.proactive_defense_log_rate_limit
    dosl7.proactive_defense_max_http_request_length
    dosl7.proactive_defense_prefix
    dosl7.proactive_defense_renew_sec
    dosl7.proactive_defense_simple_redirect
    dosl7.proactive_defense_simple_redirect_on_grace
    dosl7.proactive_defense_validate_ip
    dosl7.proactive_defense_validation_percent
    dosl7.report_acy_perf
    dosl7.selenium_timeout
    dosl7.sign_embeded_script
    dosl7.test
    dosl7.use_secure_cookies
    dosl7.web_rootkit_report_min_score
    dosl7d.attack_wait_timeout
    dosl7d.auto_below_thresh_timeout
    dosl7d.auto_cold_start_first_period_length
    dosl7d.auto_cold_start_first_period_switch_period
    dosl7d.auto_cold_start_second_period_length
    dosl7d.auto_drop_ratio
    dosl7d.auto_geo_slice_length
    dosl7d.auto_normal_switch_period
    dosl7d.auto_num_of_top_device_id
    dosl7d.auto_num_of_top_geolocation
    dosl7d.auto_num_of_top_ip
    dosl7d.auto_num_of_top_url
    dosl7d.auto_stress_thresh_multiplier
    dosl7d.auto_time_scale_factor
    dosl7d.auto_tps_thresh_multiplier
    dosl7d.clean_bot_publisher_anomalies
    dosl7d.conf_change_freeze_on_period
    dosl7d.cs_legitimate_successful_rate
    dosl7d.cs_max_reply_time
    dosl7d.cs_min_requests_for_replies
    dosl7d.force_core_on_sigabrt
    dosl7d.grafana_report
    dosl7d.grafana_report_top_only
    dosl7d.heaviness_factor
    dosl7d.max_attack_duration
    dosl7d.max_icc_buffer_size
    dosl7d.max_tcpdump_cpu_usage
    dosl7d.max_tcpdump_files
    dosl7d.max_tcpdump_size
    dosl7d.min_challenge_drop_time
    dosl7d.min_challenge_rps
    dosl7d.min_challenge_success_ratio
    dosl7d.min_geo_reliable_time
    dosl7d.min_heavy_url_drop_rate
    dosl7d.min_time_between_attacks
    dosl7d.min_time_for_attack_end
    dosl7d.min_transaction_count_per_interval
    dosl7d.publish_custom_message
    dosl7d.shun_list
    dosl7d.shun_prevention_time
    dosl7d.sliding_window_long
    dosl7d.sliding_window_medium
    dosl7d.sliding_window_short
    dosl7d.static_uri_protection
    dosl7d.stress_absolute_threshold
    dosl7d.stress_relative_threshold
    dosl7d.susp_max_entities
    dosl7d.tcpdump_rstcause
    dosl7d.trigger_logging

     

    for ASM here you can see

    asm.asm_malicious_sources_monitoring_interval
    asm.brute_force_bypass_non_qualified_url
    asm.brute_force_end_attack_verification_time
    asm.brute_force_max_tmstat_entries
    asm.brute_force_monitoring_interval
    asm.connlimit
    asm.cookie_prefix
    asm.cookie_revision_base
    asm.cookie_suffix_base
    asm.credential_stuffing_service
    asm.cs_challenge_length
    asm.cs_qualified_urls
    asm.cshui_susp_event_bot_score
    asm.csrf_rerun_interval
    asm.fastl4_allow
    asm.fictive_url
    asm.http_security_headers
    asm.ignore_bewaf
    asm.inject_apm_do_not_touch
    asm.inject_referrer_hook
    asm.mobile_ua
    asm.restrict_asm_logs_access
    asm.risk_engine.salt.restart
    asm.session_transactions_sampling_rate
    asm.strict_transport_policy
    asm.strip_asm_cookies
    asm.time_to_free_idle_umus_in_sec
    asmconffailure.enabled
    asmconffailure.haaction.primary
    asmconffailure.haaction.secondary

    For DDos best practes you can refer here:

    https://www.f5.com/pdf/products/ddos-protection-recommended-practices.pdf

    There are tons of documentaiton available for DoS and DDos on f5 site.

     

    Hope that Helps

    🙏