Forum Discussion
How can I alert on an ASM Denial of Service event?
- Mar 15, 2016
Hello,
Your irule is correct.
But, please note that there is some limitations :
The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or destined to a suspicious URL with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request. When in rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.
And of course, the logs should be visible on the ltm log file. also, you can add the following command [virtual name ] in your logs within irules to identify which VS trigger the event.
You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.
Hello,
Your irule is correct.
But, please note that there is some limitations :
The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or destined to a suspicious URL with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request. When in rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.
And of course, the logs should be visible on the ltm log file. also, you can add the following command [virtual name ] in your logs within irules to identify which VS trigger the event.
You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com