ASM L7 DoS email alert
- Jun 28, 2023
Hi Nishal_Rai,
For your inquiry about how BIG-IP AWAF L7 DDoS uses rate-limit prevention.....
Well,
First you have two concepts >>> Detection interval & Historical interval
Detection interval >>> Avg of TPS in the last 10 sec
Historical interval >>> Avg of TPS in the last 1 hour (which should be the legitimate TPS)
Both intervals are updated every 10 sec.
BIG-IP rate-limits using a simple equation: (Historical interval TPS + Configured threshold) / 2
For example:
If you configured the absolute threshold >> 200 TPS (like the diagram you sent above),
and let's assume the historical interval (avg TPS within the hour) >>> 100 TPS,
then BIG-IP will rate-limit to 150 TPS.
BIG-IP will rate-limit if the TPS exceeded the absolute threshold, or if the (Relative threshold + at least TPS) condition is violated.
> btw, you can review it from the logs: when the attack started you can observe the limit which BIG-IP used when this attack started.
What is the rate-limit mechanism? I have tested it before, so I will tell you my findings >>>
You have an option to record traffic in your AWAF DDoS profile; BIG-IP starts to record traffic (taking a tcpdump).
While looking at the recorded packet capture (when the attack started) you will find much of the traffic receiving RST packets from BIG-IP and some samples receiving normal responses (200 OK). Therefore, when using (Rate-limit) as a prevention method >>> much of the traffic will be reset from the BIG-IP IP while some of these requests will pass through BIG-IP normally.
The key difference between (Block All and Rate limit) >>> Block all will show you in the recorded packet capture file, when the attack starts >> all traffic from the specific source is reset (RST flag enabled), no traffic passes through BIG-IP; on the other hand (Rate-limit) is like I described above.
Let me know if you have further queries, I will be happy to think with you ^_^
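As an added illustration (not code from the post, and not F5's implementation), here is a small Python model of the heuristic described above: a 10-second detection interval, a one-hour historical average refreshed every 10 seconds, the (historical + configured)/2 limit, and the absolute/relative triggers. The relative-threshold percentage, the minimum-TPS floor used to read "at least TPS", and the sample traffic are assumptions.

```python
from collections import deque
from statistics import mean

# Constructed model of the rate-limit heuristic described in the post above;
# this is not F5 code, and the relative-threshold parameters are assumptions.
DETECTION_WINDOW_S = 10      # detection interval: average TPS over the last 10 s
HISTORY_SAMPLES = 360        # historical interval: one hour of 10-second averages

def effective_rate_limit(historical_tps, configured_threshold):
    """Limit the post states BIG-IP applies: (historical TPS + configured threshold) / 2."""
    return (historical_tps + configured_threshold) / 2

def evaluate(detection_tps, historical_tps, absolute_tps, relative_pct, min_tps):
    """Decide whether the DoS profile would start rate-limiting, and at what TPS.

    Triggers on the absolute threshold, or on the relative one: TPS grew by
    relative_pct over the historical average AND reached at least min_tps
    (our reading of the post's "Relative threshold + at least TPS").
    """
    abs_hit = detection_tps > absolute_tps
    rel_hit = (detection_tps >= historical_tps * (1 + relative_pct / 100)
               and detection_tps >= min_tps)
    if not (abs_hit or rel_hit):
        return {"mitigate": False, "reason": None, "limit_tps": None}
    return {"mitigate": True,
            "reason": "absolute" if abs_hit else "relative",
            "limit_tps": effective_rate_limit(historical_tps, absolute_tps)}

def simulate(per_second_requests, absolute_tps=200, relative_pct=500, min_tps=50):
    """Feed one request count per second; re-evaluate after every 10-second window."""
    history = deque(maxlen=HISTORY_SAMPLES)
    decisions = []
    for start in range(0, len(per_second_requests), DETECTION_WINDOW_S):
        window = per_second_requests[start:start + DETECTION_WINDOW_S]
        detection_tps = mean(window)
        # with no history yet, the first window is its own baseline
        historical_tps = mean(history) if history else detection_tps
        decisions.append(evaluate(detection_tps, historical_tps,
                                  absolute_tps, relative_pct, min_tps))
        history.append(detection_tps)
    return decisions

if __name__ == "__main__":
    # constructed traffic: 60 s at the 100 TPS baseline, then a 10 s burst of 900 TPS
    traffic = [100] * 60 + [900] * 10
    for i, d in enumerate(simulate(traffic)):
        print(f"window {i}: {d}")
```

With the post's numbers (historical 100 TPS, absolute threshold 200 TPS) the burst window reports a 150 TPS limit, matching the worked example above.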
Hello Mohamed_Ahmed_Kansoh,
Thanks for the answer and yes, you have answered the addressed queries.
However, regarding the rate limit mitigation of the DoS profile: "How does this rate limiting mitigation apply once the DoS has been triggered?"
Is it layer 4 or layer 7 based rate-limiting? If it's based on layer 4 (TCP), then what will its approach be, like will it simply drop TCP packets (no ACK to the client) or drop the whole TCP connection?
Not much is described in the documentation about the rate-limiting of the traffic once the DoS profile has been triggered, and such an implementation can have a negative impact on false-positive cases (the legitimate users' requests in the window period when the DoS profile is triggered). So I just want to know the impact before implementing rate-limiting as the mitigation.
Nikoolayy1, on the bot defense profile, if DoS mitigation mode is enabled then do I also need to enable client side integrity defense on the DoS protection profile?
Or does the client side integrity defense provide a different set of JavaScript challenges and a different approach to verify whether it's a malicious or a legitimate user (browser or bot)?
The Bot Profile option I mentioned uses the same JavaScript check, but it checks the users every time, not only during a DoS attack, so if you have API traffic this can be an issue (there is a way to stop the bot profile browser check for specific URLs, as mentioned in https://community.f5.com/t5/technical-forum/why-does-the-local-traffic-policy-allow-bot-profile-to-be/td-p/302769 ), and "Verify After Access" is the safer one.
As I mentioned, read https://my.f5.com/manage/s/article/K42323285