Forum Discussion
Suspicious SSL TPS Spikes
Hello,
I'm kind of struggling to wrap my head around some weird spikes I'm seeing on the F5 BIG-IP Dashboard.
We had two of these spikes this week, hitting like x1200 more SSL TPS than our usual high average.
I'm thinking it might be some kind of attack, given the fact that we also faced some DDoS recently, but honestly, I have no clue how to dig deeper into it.
Or is it possible to be a bug (found this: https://cdn.f5.com/product/bugtracker/ID499348.html) ?
Any ideas are highly appreciated, thank you!
Former Member provided a good answer. I would second that.
My recommendation would be to ensure you are running the latest BIG-IP SW version - you would want to plant to upgrade to latest 17.1.1 version.
with regards to the DDoS attack mitigation:
I would recommend having IP Intelligence license on your BIG-IP device so it can be a mitigation option should the SSL traffic spike are from IP addresses with bad reputation. https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf
You can configure an iRule or LTM policy to block IP addresses with bad reputation - apply it the VS on question. or, assuming you have BIG-IP ASM/Adv WAF licensed, provisioned and configured, you can enable IP Intelligence on your security policy on the affected Virtual Server. If you have BIG-IP AFM licensed, you can also configure an IP Intelligence policy and apply it to the different AFM contexts.
AFM also have Network and application DDoS mitigations
you can also configure BIG-IP ASM/Adv WAF Bot Defense and DoS protection profiles and apply them to affected VS.you can start with the relaxed profile template for bot defense and if you want stricter detection and mitigations, you can use balanced and strict.
for the DoS protection profile, there is TPS, Stress based and behavioral (bad actor) detection and mitigation options. you can use the automatic threshold or define them as per your needs.
You can also consider F5 Professional Services https://www.f5.com/go/contact/request-f5-professional-services for fine tuning and BIG-IP configurationthere is also F5 Distributed Cloud Services https://www.f5.com/products/distributed-cloud-services for your consideration
having these protections in place will ensure only legitimate web clients have access to your VS/sites and challenge or drop excess and potentially malicious traffic
I hope this helps.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com