Forum Discussion
InfoSec_38553
Nimbostratus
NimbostratusASM DoS attack - Latency options
Hi all,Latency-based options in ASM.There is Suspicious Criteria, IP Detection Criteria and URL Detection Criteria.ASM will check for these three options and the following is the possible cases:1. Suspicious Criteria result is positive then check for IP Detection Criteria if it is positive then it considered the request as DoS.2. Suspicious Criteria result is positive then check for IP Detection Criteria if it
is negative then it check for URL Detection if it is positive then it will considered the request as DoS.3. Suspicious Criteria result is positive then check for IP Detection Criteria if it
is negative then it check for URL Detection if it is negative then it will permit the request and not alert as DoS.
I want to make sure if I'm understanding well
==============
- Latency-base always check for Suspicious Criteria first.
- If one of "Suspicious Criteria" detected and not select any of "Prevention Policy" options ASM just alert and not block any request.
Please tell me if I'm right or not.
Thank you all.
2 Replies
jwham20For Latency Based Dos Protection, an attack needs to be suspicious first, before the detection criteria is applied. So what
this means:
IP Criteria:
An attacker comes in from ip:1.1.1.1 and sends 201 requests per second.
The ASM considers him suspicious, and applies the detection criteria against him.
If the latency to the servers has increased by 500% (based on historical polling), or latency has reached a certain ms
(higher than the minimum set) it will consider the IP an Attack and enter prevention.
This allows the ASM to more finely define what it considers a Dos. If you have a server farm with 10 gig pipes, 400
requests per second are not going to cause it an issue.
URL Criteria:
Consider for example large retailers. If Jungle.com/buy/checkout suddenly got 1200 requests per second, it would enter
the suspicious criteria. But, with large pipes to the server farm, the latency barely jumps ms. It's not an attack, just
hordes of shoppers trying to get that cyber monday deal.
Hope this helps
Josh
InfoSec_38553Hi josh,
I contacted with F5 support to clarify this issue.
Actually I'm using version 10.2.1 which have some incorrect label for Latency Options. it is fixed in some hotfix.
Latency Based first trigger detection criteria then check for suspicious criteria as the follow:
1. ASM detect increase of latency as you set in your configuration (ms and percentage)
2. When latency has reached as you set in your policy ASM consider this as start of attack.
3. Next step ASM will check for suspicious criteria (TPS options).
4. If both detection and suspicious criteria is occur ASM will do block action if you set your policy to blocking mode.
5. When latency back as normal ASM will define this as end of attack (this as I understand not as they told me).
Regarding this question:
- If one of "Suspicious Criteria" detected and not select any of "Prevention Policy" options ASM just alert and not block any request.
The answer is yes.
Thank you for your reply.
Sorry for being late, but I preferred to be sure be submit my conclusion.
