BIG-IP AFM DoS Device Protection source IPs logged?

Question

Are the source IPs of a DoS attack logged on the F5 anywhere?

hosting-team · Answer

Vector: TCP bad ACK floodTrigger: Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPSMitigation: BlockedWe see this but would the source IPs have been logged?The KB shows IPs in a packtet capture during a DoS but I assume that is not turned on by default.

aubreykingf5 · Answer

Logging on a DoS firewall needs to be carefully dialed in. If we were to turn on source logging by default, a 3DoS could fill a BIG-IP disk in minutes, or even seconds, depending on the attack. Unfortunately, the answer to your question is 'No,' however.. I would highly encourage you to get a dedicated physical link on your F5 - as big as you can get it.. maybe 2 ports per box, aggregated - for logging, if you want to do DoS logging.&nbsp; &nbsp;Then, you need to set up a logging profile:https://support.f5.com/csp/article/K51266926
That should be enough to point you in the right direction.

Forum Discussion

BIG-IP AFM DoS Device Protection source IPs logged?

Recent Discussions

APM webtop customization header message

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Related Content

Prepare BIG-IP Central Manager for Automation

Integrate BIG-IP with AWS CloudWAN Service Insertion

F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device

Re: Mitigating OWASP API Security risks using BIG-IP