Forum Discussion

ukhan20's avatar
ukhan20
Icon for Nimbostratus rankNimbostratus
Jun 09, 2024

DoS profile Learning Phase

There are two distinct products: one for DDoS Attack detection and another for mitigation. These products integrate seamlessly, connecting GenieATM for detection and F5 AFM for mitigation.. They are seamlessly integrated to ensure effective coordination and response."
 
Regarding understanding the GenieATM workflow, here are explanation of how it operates?
 
1. Anomaly traffic is detected by GenieATM with Netflow and triggers an anomaly event
2. The anomaly event triggers Mitigation F5, and ATM announces the BGP to the Router to redirect the anomaly traffic to go through the F5 device. At this moment, ATM will detect whether the victim IP exists in the F5 virtual server. If not, ATM will push a temporary host-based virtual server to F5 by API. If yes, ATM will do nothing.
3. The anomaly traffic is redirected to F5, and F5 starts to mitigate and generate the report. ATM will also poll F5 to generate a mitigation report on the mitigation action.
4. After the anomaly event stops, the mitigation will also stop. If ATM has pushed a temporary virtual server to F5, ATM will delete this temporary virtual server with API.
 
I trust everything regarding the traffic flow is now clear.
 
My question pertains to F5. It has been observed that when new Virtual Servers (VS) are created by GenieATM along with a DoS Profile, although most VSs are already created, it holds client traffic until it completes learning (by default 120 minutes) or hits the detection or mitigation parameters in the default profile.
 
What occurs when the default DoS profile enters the learning phase? We have noticed that it retains customer traffic as it does not mitigate the traffic during this phase."
  • Hi, 
    I see that you configure some vectors in fully automatic.. 
    My question is > are those vectors in a Mitigate status or ( Detect only/learn only) 
    1) If it ( Detect/learn only Status ) the Dos profile will do nothing just will keep leaning and figure it's baseline traffic, and as you said if traffic hit the detection threshold or the floor value ( if floor value larger than detection EPS ) Bigip stops learning.

    2) If it ( Mitigate ) Status with fully automatic >>> Bigip will mitigate only under two conditions : 
          i. The Traffic exceeded Detection EPS AND BIGIP sensed/saw there is a huge stress on the backend servers at the same time ( such as high latency coming in server responses )

     So the mitigation doesn't occur if the EPS reached to Detection EPS only, but Mitigation triggers if Detection EPS reached and there is a servers stress/high latency on servers. 
    this for Protection/Dos profiles that used to protect virtual servers. 

    If you use Device DoS >>> Mitigation Triggers for vector if Detection EPS reached and there are high Spikes/load on BIGIP CPU. 

    Just wanted to differentiate between Protection profiles and Device DoS in Automatic mode. 

    >>>>>

    If you want to start Mitigation after anomaly detection >>> you should configure DOS Vectors on Fully Manual so BIGIP will not consider any stress or high CPU load to start the mitigation, but it triggers the mitigation upon reaching to mitigate thresholds. 

    So I think you need to adjust the used DoS vectors from fully Automatic to fully manual to take your expected effect when mitigation EPS reached.

    I hope I have given you some insights

    Thanks :)