ukhan20
Jun 09, 2024, Nimbostratus
DoS profile Learning Phase
There are two distinct products: one for DDoS attack detection and another for mitigation. These products integrate seamlessly, connecting GenieATM for detection and F5 AFM for mitigation. They are seamlessly integrated to ensure effective coordination and response.
Regarding the GenieATM workflow, here is an explanation of how it operates:
1. Anomaly traffic is detected by GenieATM with Netflow and triggers an anomaly event
2. The anomaly event triggers mitigation on F5, and ATM announces the BGP route to the router to redirect the anomaly traffic through the F5 device. At this moment, ATM detects whether the victim IP exists in an F5 virtual server. If not, ATM pushes a temporary host-based virtual server to F5 via the API. If yes, ATM does nothing.
3. The anomaly traffic is redirected to F5, and F5 starts mitigating and generates the report. ATM also polls F5 to generate a mitigation report on the mitigation action.
4. After the anomaly event stops, the mitigation also stops. If ATM has pushed a temporary virtual server to F5, ATM deletes this temporary virtual server via the API.
I trust everything regarding the traffic flow is now clear.
My question pertains to F5. It has been observed that when new virtual servers (VS) are created by GenieATM along with a DoS profile, although most VSs are already created, it holds client traffic until it completes learning (120 minutes by default) or hits the detection or mitigation parameters in the default profile.
What occurs when the default DoS profile enters the learning phase? We have noticed that it retains customer traffic, as it does not mitigate the traffic during this phase.
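As an added example (not code from the original post, nor from GenieATM or F5), the following Python models the check in step 2 and the cleanup in step 4 of the workflow above: it decides whether a victim IP is already covered by an existing virtual server (by destination address and netmask, including network and wildcard VSs), builds the body for a temporary host-based VS with a DoS profile attached, and remembers what it pushed so that only temporary VSs are deleted afterwards. The VS records are constructed samples in the shape of the iControl REST `/mgmt/tm/ltm/virtual` collection, the property names and the DoS profile name are assumptions, and the REST calls themselves are left to the caller.

```python
import ipaddress

# Constructed sample in the shape of GET /mgmt/tm/ltm/virtual "items" (abridged; assumption).
EXISTING_VIRTUALS = [
    {"name": "web_vs", "destination": "/Common/192.0.2.10:443", "mask": "255.255.255.255"},
    {"name": "dmz_net_vs", "destination": "/Common/198.51.100.0:0", "mask": "255.255.255.0"},
    {"name": "v6_vs", "destination": "/Common/2001:db8::10.80", "mask": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"},
]

def destination_network(vs):
    """Turn a VS destination/mask pair into the network it answers for.
    Destinations are '/Partition/addr:port' (IPv4) or '/Partition/addr.port' (IPv6);
    a wildcard VS carries mask 'any' / 'any6'."""
    dest = vs["destination"].rsplit("/", 1)[-1]
    sep = "." if dest.count(":") > 1 else ":"
    ip = ipaddress.ip_address(dest.rsplit(sep, 1)[0])
    mask = vs.get("mask")
    if mask in (None, ""):
        prefix = ip.max_prefixlen  # host VS
    elif mask in ("any", "any6"):
        prefix = 0                 # wildcard VS
    else:
        prefix = bin(int(ipaddress.ip_address(mask))).count("1")  # contiguous masks only
    return ipaddress.ip_network((str(ip), prefix), strict=False)

def covering_virtual(victim_ip, virtuals):
    """Step 2 check: name of the first VS whose destination already covers the victim, else None."""
    victim = ipaddress.ip_address(victim_ip)
    for vs in virtuals:
        if victim in destination_network(vs):  # False across IPv4/IPv6
            return vs["name"]
    return None

def temp_virtual_body(victim_ip, dos_profile="/Common/dos_mitigation"):
    """Body for POST /mgmt/tm/ltm/virtual: host VS, all ports and protocols, DoS profile
    attached (property names follow iControl REST; the profile name is a placeholder)."""
    ip = ipaddress.ip_address(victim_ip)
    return {"name": "atm_tmp_" + str(ip).replace(".", "_").replace(":", "_"),
            "destination": f"/Common/{ip}{'.' if ip.version == 6 else ':'}0",
            "mask": str(ipaddress.ip_network(str(ip)).netmask),
            "ipProtocol": "any", "ipForward": True,
            "translateAddress": "disabled", "translatePort": "disabled",
            "profiles": [{"name": dos_profile, "context": "all"}]}

class TempVsTracker:
    """Remembers only the VSs this automation pushed, so step 4 never deletes a permanent VS."""
    def __init__(self):
        self.pushed = {}
    def on_event_start(self, victim_ip, virtuals):
        existing = covering_virtual(victim_ip, virtuals)
        if existing:
            return ("reuse", existing)
        body = temp_virtual_body(victim_ip)
        self.pushed[victim_ip] = body["name"]
        return ("create", body)
    def on_event_end(self, victim_ip):
        name = self.pushed.pop(victim_ip, None)
        return ("delete", name) if name else ("none", None)
```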