Forum Discussion
AltocumulusSuspicious SSL TPS Spikes
SIRTFormer Member provided a good answer. I would second that.
My recommendation would be to ensure you are running the latest BIG-IP SW version - you would want to plant to upgrade to latest 17.1.1 version.
with regards to the DDoS attack mitigation:
I would recommend having IP Intelligence license on your BIG-IP device so it can be a mitigation option should the SSL traffic spike are from IP addresses with bad reputation. https://www.f5.com/pdf/products/ip-intelligence-service-ds.pdf
You can configure an iRule or LTM policy to block IP addresses with bad reputation - apply it the VS on question. or, assuming you have BIG-IP ASM/Adv WAF licensed, provisioned and configured, you can enable IP Intelligence on your security policy on the affected Virtual Server. If you have BIG-IP AFM licensed, you can also configure an IP Intelligence policy and apply it to the different AFM contexts.
AFM also have Network and application DDoS mitigations
you can also configure BIG-IP ASM/Adv WAF Bot Defense and DoS protection profiles and apply them to affected VS.
you can start with the relaxed profile template for bot defense and if you want stricter detection and mitigations, you can use balanced and strict.
for the DoS protection profile, there is TPS, Stress based and behavioral (bad actor) detection and mitigation options. you can use the automatic threshold or define them as per your needs.
You can also consider F5 Professional Services https://www.f5.com/go/contact/request-f5-professional-services for fine tuning and BIG-IP configuration
there is also F5 Distributed Cloud Services https://www.f5.com/products/distributed-cloud-services for your consideration
having these protections in place will ensure only legitimate web clients have access to your VS/sites and challenge or drop excess and potentially malicious traffic
I hope this helps.