Forum Discussion
NimbostratusF5 ASM DOS attack logging
NimbostratusI can confirm the reporting and logging capability of this feature can be improved. Especially when in Transparent mode, there's next to nothing you will learn about the L7 DOS attacks. If you go to Blocking mode, then it's possible to see a bit more in Security -> Reporting -> DOS (analytic graphs). However, even when Blocking is enforced the details still come short.
For instance, in case of URL-based (TPS increase) attack, the source IP addresses cannot be listed. You will only see a list of URLs where some mitigation occurred. This level of detail is insufficient for proper after-attack analysis. Logs from other infrastructure assets must be checked to come to a conclusion. For another instance, if many URLs get attacked, you cannot see more than the first 10 URLs where the threshold was breached.
What do do?
- With any improvement requests, you must submit a RFE by e-mailing to F5 support. Describe the problem you are facing and provide as much detail as possible. Tell them what you would like to see improved.
Regards,
