Forum Discussion

Antonio_Macia_R
Aug 02, 2016

DoS Profile - URL Detection criteria question

Hello,

My question is related to the way the F5 detects a DoS when we use the URL detection criteria under the TPS-based anomaly. When calculating the TPS, does it take into account the source IP, or does it just add up the total of requests for the same URL? From my understanding, if the engine sums all the requests for a URL and the thresholds are reached, then it will start blocking not only the attacker but also legitimate traffic. Is this the expected behaviour?
On the other hand, how does the DoS engine detect that an attack has finished?
Thanks.

  • nathe

    Antonio, the DoS metrics aren't always clear, and some of the documentation for older versions has been a bit contradictory if I recall.

    URL detection is only interested in the URL itself, i.e. source IP metrics are not considered from a TPS perspective. Once an attack is seen by the ASM, the Prevention Policy comes into effect and, depending on version, there are multiple options. For URL Based Client Side Integrity it will challenge all requests, legitimate or not, to pass the JavaScript challenge; the expectation is that legitimate requests will pass this and won't be blocked. For URL Based Rate Limiting it will rate limit all requests to that URL.
    I believe from v11.6.0 there are Geolocation and Site Wide preventions too (my lab box is v11.5.1).

    In all cases the Prevention Policy will cease once ASM deems the attack to have ceased. For this to happen, the detection and history metrics need to revert to their pre-attack states, if I understand correctly.
    Detection is the previous 1 minute and History is the previous 1 hour.
    Hope this helps,
    N
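To make the behaviour discussed in this thread concrete, here is a simplified model of per-URL TPS anomaly detection. It is an added example written for this page, not F5's ASM code: the only details taken from the answer above are the one-minute detection window and the one-hour history window; the absolute TPS floor, the percentage-increase threshold, the URL, the addresses and the traffic pattern are all constructed. The detector counts requests per URL without regard to source IP, so the legitimate clients' requests land inside the flagged window alongside the single-source burst, and the URL is only considered clear again once the detection-window rate falls back to its baseline.

```python
"""Simplified per-URL TPS anomaly detector (illustrative model, not F5 ASM code)."""
from collections import Counter, defaultdict, deque

DETECTION_WINDOW = 60      # seconds: the "detection" metric covers the previous minute
HISTORY_WINDOW = 3600      # seconds: the "history" metric covers the previous hour
MIN_TPS = 10.0             # hypothetical absolute floor before a URL can be flagged
INCREASE_PCT = 500.0       # hypothetical: detection TPS must exceed history TPS by this %


class UrlTpsDetector:
    """Keeps a per-URL record of request times and judges each URL on TPS alone."""

    def __init__(self):
        # url -> deque of (timestamp, source_ip), pruned to the last HISTORY_WINDOW seconds.
        # The source IP is recorded only so we can show who was inside a flagged window;
        # it plays no part in the detection decision, matching the per-URL criteria.
        self._requests = defaultdict(deque)
        self.under_attack = set()

    def observe(self, ts, url, src_ip):
        """Record one request and return True if the URL is judged under attack now."""
        q = self._requests[url]
        q.append((ts, src_ip))
        while q and q[0][0] <= ts - HISTORY_WINDOW:
            q.popleft()                      # drop history older than one hour
        return self.evaluate(url, ts)

    def tps(self, url, now, window):
        """Average requests per second to `url` over the last `window` seconds."""
        count = sum(1 for t, _ in self._requests[url] if t > now - window)
        return count / window

    def evaluate(self, url, now):
        detection = self.tps(url, now, DETECTION_WINDOW)
        history = self.tps(url, now, HISTORY_WINDOW)
        # Anomalous when the last minute is both above the floor and far above the hourly rate.
        anomalous = detection >= MIN_TPS and detection >= history * (1 + INCREASE_PCT / 100)
        if anomalous:
            self.under_attack.add(url)
        else:
            self.under_attack.discard(url)   # detection metric has reverted, attack deemed over
        return anomalous

    def sources_in_window(self, url, now):
        """Which source IPs sent how many requests to `url` in the detection window."""
        return Counter(ip for t, ip in self._requests[url] if t > now - DETECTION_WINDOW)


def build_traffic():
    """Constructed sample traffic: steady legitimate load on /login from three clients,
    with a 30-second single-source burst starting one hour in."""
    legit_ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # documentation addresses
    events = [(i * 5.0, "/login", legit_ips[i % 3]) for i in range(840)]   # one request per 5 s
    events += [(3600.0 + i * 0.02, "/login", "198.51.100.7") for i in range(1500)]  # 50 req/s
    events.sort(key=lambda e: e[0])
    return events


def run_scenario():
    """Replay the constructed traffic and report when /login was flagged and who was in the window."""
    detector = UrlTpsDetector()
    flagged_at = []
    sources_at_detection = None
    for ts, url, ip in build_traffic():
        if detector.observe(ts, url, ip):
            if not flagged_at:
                sources_at_detection = detector.sources_in_window(url, ts)
            flagged_at.append(ts)
    return {
        "attack_start": flagged_at[0] if flagged_at else None,
        "attack_end": flagged_at[-1] if flagged_at else None,
        "sources_at_detection": dict(sources_at_detection or {}),
    }


if __name__ == "__main__":
    result = run_scenario()
    print(f"/login flagged from t={result['attack_start']:.2f}s to t={result['attack_end']:.2f}s")
    for ip, n in sorted(result["sources_at_detection"].items()):
        print(f"  {ip:>14}: {n} requests in the detection window at flag time")
```

Running the scenario shows the URL flagged about twelve seconds into the burst and cleared roughly a minute after the burst stops, which is the detection window draining back to the pre-attack rate. The source breakdown at flag time lists the three legitimate clients alongside the burst source, which is exactly why a URL-scoped prevention such as rate limiting affects them too.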