For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Roger_101461's avatar
Roger_101461
Icon for Nimbostratus rankNimbostratus
Dec 15, 2011

"Blocking DOS attack" showed on ltm led,How to tracked attack surce?

Hey everyone,

 

 

 

 

 

 

A alert "Blocking DOS attack" showed on ltm led

 

 

And the Local Traffic log only have two logs which looks related.

 

 

 

"sweeper_update: aggressive mode activated. 372313/438016 pages sweeper_update: aggressive mode activated. 372313/438016 pages"

 

 

 

"sweeper_update: aggressive mode deactivated. 371799/438016 pages sweeper_update: aggressive mode deactivated. 371799/438016 pages"

 

 

The system performance and connection looks normally in that time.

 

 

 

I want to track the attack source,what should i do?

 

 

security

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 15, 2011
    Hi Roger,

     

     

    I don't think LTM logs any info on source IP address(es) when it goes into sweeper mode. These alerts are triggered when LTM runs low on memory. Here are a few related solutions:

     

     

    sol4611: Overview of adaptive reaping

     

    http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4611.html

     

     

    sol7301: Protecting the BIG-IP LTM against denial of service attacks

     

    http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7301.html

     

     

    Aaron