Forum Discussion
InfoSec_38553
Nov 26, 2011 Nimbostratus
ASM DoS attack - Latency options
Hi all,
I want to make sure I understand the latency-based options in ASM correctly.
There are Suspicious Criteria, IP Detection Criteria and URL Detection Criteria....
InfoSec_38553
Jan 12, 2012 Nimbostratus
Hi Josh,
I contacted F5 support to clarify this issue.
Actually, I'm using version 10.2.1, which has some incorrect labels for Latency Options. It is fixed in some hotfix.
Latency-based detection first triggers on the detection criteria, then checks the suspicious criteria, as follows:
1. ASM detects an increase in latency as you set in your configuration (ms and percentage).
2. When latency has reached the level you set in your policy, ASM considers this the start of the attack.
3. In the next step, ASM checks the suspicious criteria (TPS options).
4. If both the detection and suspicious criteria occur, ASM will take the block action if you set your policy to blocking mode.
5. When latency is back to normal, ASM will define this as the end of the attack (this is as I understand it, not as they told me).
Regarding this question:
- If one of the "Suspicious Criteria" is detected and none of the "Prevention Policy" options is selected, ASM just alerts and does not block any request.
The answer is yes.
Thank you for your reply.
Sorry for being late, but I preferred to be sure before submitting my conclusion.
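The sequence described in the reply above, modelled as a small Python state machine. This is an added example, not F5 code and not part of the original posts; the field names, the sample traffic, and the choice that crossing either latency threshold (absolute ms, or percentage over a baseline) starts the attack are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    # Hypothetical field names for illustration, not ASM configuration keys.
    baseline_ms: float   # normal latency
    latency_ms: float    # detection criteria: absolute latency reached
    increase_pct: float  # detection criteria: increase over baseline
    tps_limit: float     # suspicious criteria: per-source TPS reached
    blocking: bool       # policy is in blocking mode
    prevention: bool     # at least one prevention option is selected


def evaluate(policy, samples):
    """samples: list of (latency_ms, {source: tps}), one per interval.
    Returns (interval, event, source) tuples in order."""
    events, under_attack = [], False
    pct_level = policy.baseline_ms * (1 + policy.increase_pct / 100)
    for i, (latency, tps_by_source) in enumerate(samples):
        high = latency >= policy.latency_ms or latency >= pct_level
        if high and not under_attack:        # steps 1-2: latency marks attack start
            under_attack = True
            events.append((i, "attack_start", None))
        elif not high and under_attack:      # step 5: latency back to normal
            under_attack = False
            events.append((i, "attack_end", None))
        if not under_attack:
            continue                         # TPS alone never triggers anything
        for source, tps in sorted(tps_by_source.items()):
            if tps >= policy.tps_limit:      # step 3: suspicious criteria
                act = policy.blocking and policy.prevention  # step 4
                events.append((i, "block" if act else "alert", source))
    return events


# Constructed sample traffic (documentation-range addresses).
SAMPLES = [
    (40,  {"192.0.2.10": 5,   "198.51.100.7": 4}),
    (45,  {"192.0.2.10": 300, "198.51.100.7": 5}),  # high TPS, normal latency
    (250, {"192.0.2.10": 320, "198.51.100.7": 6}),  # latency threshold crossed
    (260, {"192.0.2.10": 310, "198.51.100.7": 5}),
    (42,  {"192.0.2.10": 8,   "198.51.100.7": 5}),  # latency recovers
]
POLICY = Policy(40, 200, 500, 200, blocking=True, prevention=True)

if __name__ == "__main__":
    for event in evaluate(POLICY, SAMPLES):
        print(event)
```

Interval 1 shows why the ordering matters: a source exceeding the TPS limit produces no event while latency is still normal.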