Forum Discussion
DoS Profile - URL Detection criteria question
Antonio, the DoS metrics aren't always clear and some of the documentation for older versions has been a bit contradictory, if I recall.
URL detection is only interested in the URL itself, i.e. source IP metrics are not considered from a TPS perspective. Once an attack is seen by the ASM then the Prevention Policy comes into effect and, depending on version, there are multiple options. For URL Based Client Side Integrity it will challenge all requests, legitimate or not, to pass the JavaScript challenge; the expectation is legitimate requests will pass this and won't be blocked. For URL Based Rate Limiting it will rate limit all requests to that URL.
I believe from v11.6.0 there are Geolocation and Site Wide preventions too (my lab box is v11.5.1).
In all cases the Prevention Policy will cease once ASM deems the attack to have ceased. To do this the detection vs. history metrics need to revert back to the pre-attack states, if I understand correctly.
Detection is the previous 1 minute and History is the previous 1 hour.
Hope this helps,
N
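The reply above, as a simplified model added for illustration (not part of the original post and not F5's implementation): the same traffic is scored per URL and per source IP over a 1-minute detection window and a 1-hour history window. The thresholds `INCREASE_RATIO` and `MIN_TPS`, the function names and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict

DETECTION_SECS = 60    # "Detection is the previous 1 minute"
HISTORY_SECS = 3600    # "History is the previous 1 hour"
INCREASE_RATIO = 5.0   # assumed: detection TPS must be >= 5x history TPS
MIN_TPS = 2.0          # assumed floor so near-idle keys never trigger

def tps(times, now, window):
    """Average transactions per second over the window ending at `now`."""
    return sum(1 for t in times if now - window < t <= now) / window

def under_attack(requests, now, key):
    """Return the keys ('url' or 'ip') whose detection TPS exceeds the baseline.
    requests: iterable of (timestamp, source_ip, url) tuples."""
    buckets = defaultdict(list)
    for ts, ip, url in requests:
        buckets[url if key == "url" else ip].append(ts)
    flagged = set()
    for k, times in buckets.items():
        detection = tps(times, now, DETECTION_SECS)
        history = tps(times, now, HISTORY_SECS)
        if detection >= MIN_TPS and detection >= INCREASE_RATIO * history:
            flagged.add(k)
    return flagged

def sample_requests():
    """Constructed traffic: steady 0.1 TPS to /login from five clients, plus a
    distributed burst (one or two requests per source) in seconds 3540-3600."""
    reqs = [(float(t), f"10.0.0.{(t // 10) % 5 + 1}", "/login")
            for t in range(10, 3730, 10)]
    reqs += [(3540.1 + i * 0.2, f"192.0.2.{i % 254 + 1}", "/login")
             for i in range(300)]
    return reqs

if __name__ == "__main__":
    reqs = sample_requests()
    # During the burst: the URL is flagged, no individual source IP is.
    print("by URL at t=3600:", under_attack(reqs, 3600, "url"))
    print("by IP  at t=3600:", under_attack(reqs, 3600, "ip"))
    # Two minutes later the detection window is back at the baseline rate.
    print("by URL at t=3720:", under_attack(reqs, 3720, "url"))
```

Because no single source stands out in this traffic, only URL-keyed counting registers the burst, which is why the URL-based preventions apply to every request for that URL.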