Forum Discussion
CirrocumulusASM L7 DoS email alert
Hi Nishal_Rai ,
For your inquiry about how bigip AWAD L7 DDoS use the rate-limit prevention.....
Well ,
First you have two concepts >>> Detection interval & historical interval
Detection interval >>> Avg of TPS in last 10 sec
Historical interval >>> Avg of TPS in last 1 hour ( Which should be the Legitimate TPS )
Both of intervals updated each 10 sec.
Bigip Rate-limit by using simple equation : ( Historical intrval TPS + Configured threshold ) /2
For Example :
If you configured absolute threshold >> 200 TPS ( Like diagram you have sent above ).
and Let we assume historical intraval ( AVG TPS within hour ) >>> 100 TPS
So Bigip will rate-limit to 150 TPS.
Bigip will rate-limit if the TPS exceeded the absolute threshold , or if the ( Relative threshold + at least TPS ) violated.
> btw , you can review it from logs when attack started you can observe the Limit which bigip used when this attack started.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
What is the Rate-limit mechanism , I have tested it before I will tell you my findings >>>
you have an option to record traffic in your AWAF DDOS profile , Bigip starts to record traffic ( Taking tcpdump ).
while looking at recorded Packet capture ( when Attack started ) you will find much traffic receiving RST Packets from Bigip and some samples receive normal responses ( 200 OK ) therefore when using ( Rate-limit ) as a prevension method >>> much traffic will be Reseted from Bigip ip while some of these requests will path through bigip normally.
The Key difference between ( Block ALL and Rate limit ) >>> Block all will show you at Recorded Packet capture file when attack start >> All Traffic from specific source are reseted ( RST Flag enabled ) no traffic Path through bigip , in the other hand ( Rate-limit ) Like I discribed above.
Let me know if you have further queries , I will be happy to think with you ^_^
Hi Nishal_Rai ,
>> For your first Question : about Logs regarding L7Dos >>>
I see that you are using CS ( Client side integrity Defense ) as a prevention/mitigation method.
But using this Prevention method doesn't trigger your event "IN_DOSL7_ATTACK"
According this : https://clouddocs.f5.com/api/irules/IN_DOSL7_ATTACK.html
So First try to change it to rate limit for example , and monitor again.
>> For your second Question about Behavioral DoS :
Well ,
Behavioral method : is an intelligent way to identify and mitigate DOS Attacks by creating good baseline from normal traffic ( users normal traffic ) , you should give your bigip sufficient time to create it's baseline of learning the good traffic ( Not DoS attack ) one.
use this command to monitor your bigip and making sure that Bigip ip creates the baseline well from traffic :
Should be like this >>>
admd -s vs./Common/vs_hackazon_http+/Common/hackazon_bados.info.learning
Where ( vs_hackazon_http is the virtual server & hackazon_bados is the Dos profile that Behavioral Dos Enabled in)
For more details for baiseline , Please Follow this Article:
https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module1.html
After that you will change the enforcement mode to Blocking in ( Behavioral & stress based ) , try your Dos Traffic against Bigip ( don't forget to attach your Behaioral Dos profile to the virtual server that you test the attack against )
Behaivoral Detection & mitigation statge :
- when bigip feel upnormal patterns of traffic violates it's learnt baseline , and observe the latency increases in Servers >>> it starts to create signatures for this attack patterns and start to slow down/ rate limiting the requests according to the used mitigation technique ( Standard protection , Aggressive protection ....)
Note ( Use the Help Tab in bigip GUI to know the differences between Protection methods in Behavioral DoS ) - Okay , What is the role of Signature and what are the parameters which these signatures depend on :
Bigip Behavioral Take some headers from the violating/attack requests "upnormal ones I mean " and store it in a signature , these headers are ANDed with each other within a single signature to identify the attacked request. >>> and these are the parameter that you asked about. - After that >> if you are using the "use approved signature only " enabled check box >>> That's mean you should open the signture and review it's headers and inforamtion to approve it ( if you feel that is an attack request )or disable it ( if you feel it's a normal request and valid)
- After approving signatures >>> Any request match any signature will be blocked immediately and quickly , so this keeps your servers safe and powerful also cleaned from attacking requests.
- If you disable / uncheck "use approved signature only" Bigip will use the created signatures immediately without your approval , and will start to block any request matchs any signature.
That's all , you can monitor the DoS >> by viewing Reporting / DOS Visibility or navigate ( Statistics >> Dashboad and choose Behavioral Dos if you expect a live attack )
I hope I explained Behavioral Dos well and use this Article as a starting point :
Thanks and Goodluck 🙂
MVPMohamed could be right about the client side integrity. You can still use javascript to check the users if there is no API traffic the virtual server but with the Bot profile feature.
