Forum Discussion
Why it is not blocking and still accepting traffic from the source DoS Attack??
- May 22, 2021
Hi Renato,
The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further:
- The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
- The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact on how the DoS policy behaves.
- The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.
Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.
Hope this helps.
- Ren_Alcala, May 22, 2021
Hi Sir Alex,
Thanks for the tips. I tried your suggestion to configure my IP Intelligence but it's still not working. It doesn't block the IP of the DoS user. I don't know if I'm missing something, but you can check my configuration in the screenshots. Also, sir, I encountered a weird scenario where my DoS attack doesn't show in my DoS log events/DoS Dashboard.
Thanks,
Renato