Forum Discussion

InfoSec_38553
Nov 26, 2011

ASM DoS attack - Latency options

Hi all,

I want to make sure I'm understanding the latency-based options in ASM correctly.

There are Suspicious Criteria, IP Detection Criteria and URL Detection Criteria.

ASM checks these three options, and the following are the possible cases:

1. Suspicious Criteria result is positive, then check IP Detection Criteria; if it is positive, the request is considered a DoS.

2. Suspicious Criteria result is positive, then check IP Detection Criteria; if it is negative, check URL Detection; if it is positive, the request is considered a DoS.

3. Suspicious Criteria result is positive, then check IP Detection Criteria; if it is negative, check URL Detection; if it is negative, the request is permitted and not alerted as DoS.

==============

- Latency-based always checks for Suspicious Criteria first.

- If one of the "Suspicious Criteria" is detected and none of the "Prevention Policy" options is selected, ASM just alerts and does not block any request.

Please tell me if I'm right or not.

Thank you all.

  • For Latency Based DoS Protection, an attack needs to be suspicious first, before the detection criteria are applied. So what this means:

    IP Criteria:

    An attacker comes in from ip:1.1.1.1 and sends 201 requests per second. The ASM considers him suspicious, and applies the detection criteria against him. If the latency to the servers has increased by 500% (based on historical polling), or latency has reached a certain ms (higher than the minimum set), it will consider the IP an attack and enter prevention.

    This allows the ASM to more finely define what it considers a DoS. If you have a server farm with 10 gig pipes, 400 requests per second are not going to cause it an issue.

    URL Criteria:

    Consider for example large retailers. If Jungle.com/buy/checkout suddenly got 1200 requests per second, it would enter the suspicious criteria. But, with large pipes to the server farm, the latency barely jumps a ms. It's not an attack, just hordes of shoppers trying to get that Cyber Monday deal.

    Hope this helps

    Josh
  • Hi Josh,

    I contacted F5 support to clarify this issue.

    Actually I'm using version 10.2.1, which has some incorrect labels for the Latency Options. It is fixed in some hotfix.

    Latency Based first triggers the detection criteria, then checks for the suspicious criteria, as follows:

    1. ASM detects an increase of latency as you set in your configuration (ms and percentage).

    2. When latency has reached what you set in your policy, ASM considers this the start of an attack.

    3. Next, ASM will check for the suspicious criteria (TPS options).

    4. If both the detection and suspicious criteria occur, ASM will do the block action if you set your policy to blocking mode.

    5. When latency is back to normal, ASM will define this as the end of the attack (this is as I understand it, not as they told me).

    Regarding this question:

    - If one of the "Suspicious Criteria" is detected and none of the "Prevention Policy" options is selected, ASM just alerts and does not block any request.

    The answer is yes.

    Thank you for your reply.

    Sorry for being late, but I preferred to be sure before submitting my conclusion.
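A small model of the flow the two replies above describe (latency detection first, then the TPS-based suspicious criteria per IP and per URL, and alert-only when no Prevention Policy option is selected), written as an added example for this thread rather than anything from F5 or the posters. The option names, the OR between the percentage-increase and absolute-latency conditions, and the traffic snapshots are my assumptions, not ASM's real configuration keys.

```python
from dataclasses import dataclass


@dataclass
class LatencyDosConfig:
    """Thresholds modelled on the latency-based DoS options discussed above (names assumed)."""
    latency_increase_pct: float = 500.0  # detection: latency rose by this % over the baseline
    latency_reached_ms: float = 1000.0   # detection: or latency reached this absolute value
    ip_tps_threshold: int = 200          # suspicious: requests/sec from one source IP
    url_tps_threshold: int = 1000        # suspicious: requests/sec to one URL
    prevention_enabled: bool = False     # whether any Prevention Policy option is selected


def latency_detected(cfg, baseline_ms, current_ms):
    """Detection criteria: percentage increase over the polled baseline, or absolute latency reached."""
    if baseline_ms <= 0:
        return current_ms >= cfg.latency_reached_ms
    increase_pct = (current_ms - baseline_ms) / baseline_ms * 100.0
    return increase_pct >= cfg.latency_increase_pct or current_ms >= cfg.latency_reached_ms


def evaluate(cfg, baseline_ms, current_ms, ip_tps, url_tps):
    """Walk the flow from the second reply: latency first, then TPS (suspicious) criteria.

    Returns {"latency_detected": bool, "ips": {ip: action}, "urls": {url: action}},
    where action is "block", "alert" or "none".
    """
    detected = latency_detected(cfg, baseline_ms, current_ms)
    # With no Prevention Policy option selected, a confirmed attack only raises an alert.
    action = "block" if cfg.prevention_enabled else "alert"

    def classify(tps, threshold):
        # A source is an attack only if latency is up AND it exceeds the TPS threshold;
        # a busy URL on healthy servers (Josh's checkout example) stays "none".
        return action if detected and tps >= threshold else "none"

    return {
        "latency_detected": detected,
        "ips": {ip: classify(tps, cfg.ip_tps_threshold) for ip, tps in ip_tps.items()},
        "urls": {url: classify(tps, cfg.url_tps_threshold) for url, tps in url_tps.items()},
    }


if __name__ == "__main__":
    cfg = LatencyDosConfig()
    # Constructed one-second snapshots; baseline of 20 ms stands in for historical polling.
    print(evaluate(cfg, 20, 130, {"1.1.1.1": 201, "10.0.0.5": 30}, {"/buy/checkout": 1200, "/": 50}))
    print(evaluate(cfg, 20, 22, {"1.1.1.1": 201}, {"/buy/checkout": 1200}))
```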