Forum Discussion

Nishal_Rai's avatar
Nishal_Rai
Icon for Cirrocumulus rankCirrocumulus
Dec 07, 2023

Any resource to learn the database key value of F5 BIG-IP ASM DoS protection

Hello Everyone, Greetings! There has been a lot of false positive regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specifi...
application delivery
security
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Dec 08, 2023

Hi Nihal,

It's a Seen behavior which is caused by a known issue tracked with the bug ID 922597, not sure which OS version you are using in your environment. 

For older software versions default adm.health.sensitivity default value is 50. In newer versions it was increased to 500 in order to minimize false-positives.


Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites

Affected Product(s):
BIG-IP ASM

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0, 15.1.3, 14.1.4

In my test box 16.1.4.1  it has been already fixed as follows by default value as 500 

root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db adm.health.sensitivity value
sys db adm.health.sensitivity {
value "500"
}

Recommended Actions

If your  db parameter value anythig other than 500 then you may have to modify the default sensitivity value from 50 to 500, sometimes even to 1000 that oyu need to find out the suitable number for your environment. Try first to go with 500, if that does not work you can try incresing this value.

  1. Connect to CLI
  2. First check the sensitivity value
    tmsh list sys db adm.health.sensitivity value
  3. Change the sensitivity value to 500

    tmsh modify sys db adm.health.sensitivity value 500

    K34122128: Controlling BaDoS sensitivity using db variable 'adm.health.sensitivity'
    https://my.f5.com/manage/s/article/K34122128


    Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites
    https://cdn.f5.com/product/bugtracker/ID922597.html

    K21040310: Behavioral Dos (ASM) false positive blocks legitimate traffic
    https://my.f5.com/manage/s/article/K21040310

    Hope this Helps

    🙏