Shinichi_Kawai
Jun 26, 2025

Inquiries about Advanced WAF DoS Protection

Hi All,

The customer using the BIG-IP i2800 with v17.1 has some questions regarding the Advanced WAF "DoS Protection" feature. Hoping you can help me with a few things below:

1. What is the definition of a "transaction" in the following TPS-based DoS Detection configuration?
For example:
1) SYN flood attack case
If 100 pps of SYN packets are received from one source IP, how many transactions will be counted?
2) Smurf attack case
If 1,000 pps of spoofed ICMP packets are received from one source IP, how many transactions will be counted?

2. After the number of malicious transactions reaches the threshold configured above and the mitigation/blocking action is triggered, under what conditions will this action be automatically lifted? Also, is it possible to manually lift the action once it has been triggered?

3. When identifying the source IP with the X-Forwarded-For (XFF) field in the HTTP request header, which IP address will be subject to the mitigation/blocking action if multiple IP addresses are listed in the XFF field? Is it only the first original client IP?

  X-Forwarded-For: <client_IP>, <proxy1_IP>, <proxy2_IP> ...

Thanks in advance,
Shinichi

4 Replies

  • As you're referring to Advanced WAF, it's important to note that it only addresses Layer 7 (L7) DDoS attacks, where 1 HTTP request is considered 1 transaction.

    Attacks such as SYN floods or Smurf (ICMP) attacks are not handled by Advanced WAF, as they occur at lower layers. For these types of attacks, you should consider using LTM (for basic TCP protection) or AFM (for full Layer 3/4 DoS protection).
    In such cases, each SYN or ICMP packet is counted as 1 transaction.

    Mitigation is automatically lifted once the TPS rate drops below the configured threshold.

    Regarding X-Forwarded-For (XFF) headers, ASM uses the first IP address in the list.
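To make the counting in this reply concrete, here is an added example (my own code, not F5's and not from the reply) that models per-source TPS counting as described: one HTTP request is one transaction, the source is keyed on the first X-Forwarded-For entry when the header is present, a source is blocked when its count over a one-second window reaches the threshold, and the block is lifted once the rate drops below it. The log line format, all addresses, the `threshold`/`window` values and the function names are constructed assumptions; `client_ip_trusted` is a hardening variant the reply does not mention.

```python
"""Added example: per-source HTTP transactions-per-second (TPS) counting.

Not F5 code. Models the behaviour described in the reply: one HTTP request
is one transaction, the source is the first X-Forwarded-For (XFF) entry
when the header is present, a source is blocked when its TPS reaches the
threshold and unblocked once it drops below. The log format and all
addresses below are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed access-log lines: "<unix_ts> <tcp_src_ip> <xff_header or ->".
# 203.0.113.10 sends 3 requests; 192.0.2.5 sends a 12-request burst in 0.55 s
# through the proxies 10.0.0.1 and 198.51.100.7.
SAMPLE_LOG = (
    "1000.00 203.0.113.10 -\n"
    "1000.30 203.0.113.10 -\n"
    + "".join(f"{1000.0 + 0.05 * i:.2f} 198.51.100.7 192.0.2.5, 10.0.0.1\n"
              for i in range(12))
    + "1000.90 203.0.113.10 -\n"
)


def client_ip(src_ip, xff):
    """Address the policy acts on: first XFF entry if present, else the TCP peer.
    This mirrors what the reply says ASM does; the first entry is supplied by
    whoever sent the request, so see client_ip_trusted for the hardened form."""
    if xff and xff != "-":
        return xff.split(",")[0].strip()
    return src_ip


def client_ip_trusted(src_ip, xff, trusted_proxies):
    """Hardened variant (assumption, not the behaviour described in the thread):
    walk the chain from the right, skipping proxies you operate; the first hop
    that is not a trusted proxy is the client, so a forged leftmost entry is ignored."""
    hops = [h.strip() for h in xff.split(",")] if xff and xff != "-" else []
    hops.append(src_ip)  # the TCP peer is the last hop
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return src_ip  # every hop is one of ours; fall back to the peer


class TpsDetector:
    """Sliding-window per-source request counter emitting block/unblock events."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold      # transactions per window that trigger a block
        self.window = window            # window length in seconds
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = set()
        self.events = []                # (ts, ip, "block" | "unblock")

    def _prune(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def observe(self, ts, ip):
        """Count one transaction (one HTTP request) for ip; return its current TPS."""
        q = self._prune(ip, ts)
        q.append(ts)
        tps = len(q)
        if tps >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            self.events.append((ts, ip, "block"))
        return tps

    def tick(self, now):
        """Periodic re-evaluation: lift mitigation once the rate is below threshold."""
        for ip in sorted(self.blocked):
            if len(self._prune(ip, now)) < self.threshold:
                self.blocked.discard(ip)
                self.events.append((now, ip, "unblock"))


def run(log_text, threshold, check_at):
    """Replay the constructed log lines, then run one re-evaluation at check_at."""
    det = TpsDetector(threshold)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, xff = line.split(" ", 2)
        det.observe(float(ts), client_ip(src, xff))
    det.tick(check_at)
    return det.events


if __name__ == "__main__":
    for event in run(SAMPLE_LOG, threshold=10, check_at=1003.0):
        print(event)
```

Run directly, it prints a block event for 192.0.2.5 on its tenth request and an unblock at the later re-evaluation; 203.0.113.10 never reaches the threshold. The caveat to keep in mind with the leftmost-entry rule is that the client writes that entry, so a sender can put any address there and have the block land on that address instead of its own; `client_ip_trusted` shows the usual fix of stripping only hops you operate and acting on the nearest address you did not add.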

  • Thanks for the quick reply, Injeyan! Here is my understanding:
    - 1 HTTP request (L7) is counted as 1 transaction.
    - Advanced WAF does not handle lower-layer information such as TCP headers (L4) and IP headers (L3).

    Q2 and Q3 are now clear as well.

    • Injeyan_Kostas

      Yes, 1 HTTP request is 1 transaction.

      WAF itself handles only L7. BIG-IP, though, also has some LTM functionalities even when only WAF is provisioned, which you can use, like SYN cookie protection.

      • Shinichi_Kawai

        Thanks Injeyan for the additional comment!
        I will propose some effective LTM functionalities along with adding the Advanced WAF DoS Protection feature.
        Since the customer has been experiencing DoS attacks about twice a month, they’re hoping to quickly implement protection using their existing BIG-IP i2800.