For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mm_pen_242283's avatar
mm_pen_242283
Icon for Nimbostratus rankNimbostratus
Nov 24, 2016

F5 ASM DOS attack logging

Hi experts.   Has anyone played with logging of ASM DOS triggered attacks? I am looking into:   "Security››Event Logs: DoS: Application Events" and "Security››Event Logs: DoS: Application Atta...
ASM Advanced WAF
security
Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Nov 30, 2016

I can confirm the reporting and logging capability of this feature can be improved. Especially when in Transparent mode, there's next to nothing you will learn about the L7 DOS attacks. If you go to Blocking mode, then it's possible to see a bit more in Security -> Reporting -> DOS (analytic graphs). However, even when Blocking is enforced the details still come short.

 

For instance, in case of URL-based (TPS increase) attack, the source IP addresses cannot be listed. You will only see a list of URLs where some mitigation occurred. This level of detail is insufficient for proper after-attack analysis. Logs from other infrastructure assets must be checked to come to a conclusion. For another instance, if many URLs get attacked, you cannot see more than the first 10 URLs where the threshold was breached.

 

What do do?

 

  • With any improvement requests, you must submit a RFE by e-mailing to F5 support. Describe the problem you are facing and provide as much detail as possible. Tell them what you would like to see improved.

Regards,