Forum Discussion
F5 ASM DOS attack logging
Hi experts.
Has anyone played with logging of ASM DOS triggered attacks? I am looking into:
"Security››Event Logs: DoS: Application Events" and "Security››Event Logs: DoS: Application Attacks"
I cannot find any useful information on the sources (or their corresponding TPS rate) that triggered the attacks. Only the attack start and end time are shown, plus the affected VS. How can one react to such an attack if the attack cannot be drilled down?
Please help!
5 Replies
- mm_pen_242283
Nimbostratus
Tikka, thank you for your answer.
I am familiar with the referenced documentation and unfortunately it is misleading and wrong. To be honest, I was quite upset when reading through this same documentation (a few months ago).
Under: Sample DoS event logs they say: "... how it was mitigated, the IP address where it originated, the transactions per second during the attack ..."
The referenced IP address in the "log events" statistics is the IP address of the reporting ASM-DOS engine and not the client IP address triggering the alarm. Someone from F5 reading this should escalate this observation, since it is misleading.
Any other suggestion on how an ASM administrator can observe the (DOS) initiating client IP addresses? And why the attack has been triggered? On what ground (calculation, what were the exact "detection" and "history" intervals)?
Regards
- Hannes_Rapp
Nimbostratus
I can confirm the reporting and logging capability of this feature can be improved. Especially when in Transparent mode, there's next to nothing you will learn about the L7 DOS attacks. If you go to Blocking mode, then it's possible to see a bit more in Security -> Reporting -> DOS (analytic graphs). However, even when Blocking is enforced the details still come short.
For instance, in case of URL-based (TPS increase) attack, the source IP addresses cannot be listed. You will only see a list of URLs where some mitigation occurred. This level of detail is insufficient for proper after-attack analysis. Logs from other infrastructure assets must be checked to come to a conclusion. For another instance, if many URLs get attacked, you cannot see more than the first 10 URLs where the threshold was breached.
What to do?
- With any improvement requests, you must submit an RFE by e-mailing F5 support. Describe the problem you are facing and provide as much detail as possible. Tell them what you would like to see improved.
Regards,
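One way to do the after-attack drill-down described above, where the DoS event gives only a start/end time and the affected VS and the per-source breakdown has to come from another log: an added example, not from the thread or from F5's tooling. It assumes a hypothetical request-log line format (`<ISO timestamp> <virtual server> <client IP> <URI>`) and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample request log (not from the thread). Hypothetical format:
# "<ISO timestamp> <virtual server> <client IP> <URI>", e.g. a request-log
# profile exported to syslog or an upstream proxy's access log.
SAMPLE_LOG = """\
2018-11-26T09:38:58 vs_web 203.0.113.5 /
2018-11-26T09:39:00 vs_web 198.51.100.7 /login
2018-11-26T09:39:00 vs_web 198.51.100.7 /login
2018-11-26T09:39:01 vs_web 198.51.100.7 /login
2018-11-26T09:39:01 vs_web 203.0.113.5 /search
2018-11-26T09:39:02 vs_web 198.51.100.7 /login
2018-11-26T09:39:02 vs_api 198.51.100.7 /v1/items
2018-11-26T09:39:03 vs_web 198.51.100.7 /login
2018-11-26T09:39:04 vs_web 192.0.2.9 /login
2018-11-26T09:39:10 vs_web 198.51.100.7 /login
"""


def parse_line(line):
    """Split one log line into (timestamp, virtual server, client IP, URI)."""
    ts, vs, ip, uri = line.split()
    return datetime.fromisoformat(ts), vs, ip, uri


def top_sources(log_text, vs_name, start_iso, end_iso, top_n=3):
    """Rank client IPs by requests to vs_name inside the [start, end] window.

    start/end and vs_name are the only details the DoS event records; the
    per-source view comes from the request log. Returns (ip, count, tps)
    tuples, tps = count / window length in seconds (window floored at 1 s).
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    window = max((end - start).total_seconds(), 1.0)
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, vs, ip, _uri = parse_line(line)
        if vs == vs_name and start <= ts <= end:
            hits[ip] += 1
    return [(ip, n, n / window) for ip, n in hits.most_common(top_n)]


if __name__ == "__main__":
    for ip, n, tps in top_sources(SAMPLE_LOG, "vs_web",
                                  "2018-11-26T09:39:00", "2018-11-26T09:39:05"):
        print(f"{ip:16} {n:4d} requests  {tps:6.2f} req/s")
```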
- mplaksin_293271
Nimbostratus
Hello, I have a problem. I see something like this in the logs:
2018-11-26 09:39:06 Enforced Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPS Attack Sampled TCP window size Allow 3398167252120
But I need to know the virtual server affected and a sample of the attack, for example the IP it is coming from. Where can I find that info?
I would try a new question rather than jumping on an old one.
My assumption would be this is across your whole box, so not at one virtual server. A sample I haven't seen AFM do. Where from should be on the GUI side.