Forum Discussion
buzzkiller
Altocumulus
AltocumulusTrigger iRule for DoS event
I would like to activate an iRule for a DoS event, but I can't seem to figure out how.
In the DoS profile, the only option available is a checkbox labeled "Enable."
I've checked the documentation, and it simply mentions the "Trigger iRule" setting without providing clear instructions on configuring an iRule for DoS events (referencing section 5.2 at https://techdocs.f5.com/en-us/bigiq-7-0-0/big-iq-manage-layer-7-security-objects/modifying-a-dos-profile-to-improve-object-protection.html).
How can I set up an iRule specifically for managing DoS events? I couldn't find more information on this, and I'm wondering if I'm overlooking something.
Appreciate your help!
Hi ,
you will need to uses DOSL7 Commands and events in your irule :
https://clouddocs.f5.com/api/irules/DOSL7.htmlfor the optioned mentioned in your query "Trigger iRule" it's mandatory to enable it if you use irule to manage something related to DOSL7.
some examples here : https://clouddocs.f5.com/api/irules/IN_DOSL7_ATTACK.html
thanks
buzzkillerHello,
First of all, thank you for your answer.
I just want to be sure that I clearly understood how this works.
You have a virtual server that has assigned an iRule and a DoS policy. In the iRule you have implement logic for "when IN_DOSL7_ATTACK {}" that is triggered by the DoS policy when an attack is detected.
Thank you!
Yes as described.
I'd recommend creating a test VS and AWAF DOS profile by putting small thresholds values , and attach your irule and DOS profile to that Test VS as well.
Try to trigger a simple dos attack and see if it took an effect due to irule of not when this event is triggered.
also you can rely on using Log action in your irule to see everything in your /var/log/ltm >> this will valid your are on the right way.
