AFM DoS Enhancements in BIG-IP v13
Hi,
Very useful summary! Some questions popped up:
Vector States:
Not Enforced - Statistics are collected. I assume that statistics are only relevant for Auto-Threshold. So what if Manual Configuration is selected - are statistics still collected? If so, does that mean that after changing to Auto-Threshold and Enforce, the collected statistics will be used immediately, so setting detection and rate limit levels will be faster?
Auto Threshold Status section with 4 states:
Enabled - quite obvious
Disabled - "...for the vector if enabled..." - what do you mean by enabled? Enforced?
Allowed - this is a complete mystery to me: "The vector is disabled, but if enabled will use Auto Threshold" - the vector state is Disabled, but when set to Enforced (or does enabled mean something else?) Auto Threshold will automatically be used (Auto-Threshold Configuration radio button selected)? If so, it seems not to be the case. When I set the vector State to Enforce, Manual Configuration is selected. I am getting Allowed resulting in Auto-Threshold selected only after these steps (fresh config of DoS profile):
vector with State: Disabled, Auto Threshold: Allow
select vector, set to Enforce - Manual Configuration selected
Change to Auto-Threshold Configuration, Update
Edit vector again, set to Disabled, Update - Allowed listed (as before)
Edit vector again, set to Enforced - now Auto-Threshold Configuration is selected
Is that an interface bug, or did I misunderstand the explanation? For me, Allowed means only that Auto-Threshold for a given vector is supported by BIG-IP.
Not Enforced - I assume that this value in Auto Threshold is just to inform that for this vector there is no way to enable Auto-Threshold because the system does not support this functionality, so nothing that can be changed by the user?
Auto Threshold per VS - does the DoS Profile, for the vectors enabled in it, collect stats completely separate from those at the Global level? So part of the stats is collected at both the Global and VS level (if a given vector is enabled in both)?
"Auto Threshold is enabled by default. If you enable a vector which allows Auto Threshold, it will use it until you change to static." - as already described, this seems not to work like that in v13.0.0.0.0.1645 VE.
Dynamic Signatures - are those signatures created by BDoS? Is that Network BDoS? If so, I can't find settings for that. BDoS seems to be visible only in the Application tab of the DoS profile.
"Auto Blacklist now available for single endpoint flood" - I can see this type of vector only in Device Configuration:Network Security. In DoS Profile there is only Sweep - is this Sweep vector covering both Single Endpoint Sweep and Single Endpoint Flood?
Is there any reason why the vector list at Device level has a different layout/look than in the DoS Profile?
Piotr