Forum Discussion
F5 ASM DOS attack logging
Tikka, thank you for your answer.
I am familiar with the referenced documentation and unfortunately it is misleading and wrong. To be honest, I was quite upset when reading through this same documentation (a few months ago).
Under "Sample DoS event logs" they say: "... how it was mitigated, the IP address where it originated, the transactions per second during the attack ..."
The referencing IP address in the "log events" statistics is the IP address of the reporting ASM-DOS engine and not the client IP address triggering the alarm. Someone from F5 reading this observation should escalate it, since it is misleading.
Any other suggestion on how an ASM administrator can observe the (DOS) initiating client IP addresses? And why the attack has been triggered? On what grounds (calculation, what were the exact "detection" and "history" intervals)?
Regards