For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Concept of F5 Device DoS and DoS profiles

Dear Reader, I´m about to write a series of DDoS articles, which will hopefully help you to better understand how F5 DDoS works and how to configure it. I plan to release them in a more or less ...
Published Jan 29, 2020
Version 1.0
AFM
ddos
dhd
dos
flood
security
series-defense-against-ddos
Sven_Mueller's avatar
Ret. Employee
I´m a Security Solution Architect in EMEA, focused on Application and Network-Security. I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective. Before I joined F5, I was a Security Consultant and active on HoneyNet research topics. I hold a diploma in Electrical Engineering. Beside my IT Security interests,I love driving on the Nuerburgring (Green Hell).
View Profile
Sven_Mueller's avatar
Ret. Employee
I´m a Security Solution Architect in EMEA, focused on Application and Network-Security. I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective. Before I joined F5, I was a Security Consultant and active on HoneyNet research topics. I hold a diploma in Electrical Engineering. Beside my IT Security interests,I love driving on the Nuerburgring (Green Hell).
View Profile
Sven_Mueller's avatar
Sven_Mueller
Ret. Employee
Apr 19, 2021

Hi Darren,

well in productive environments I prefer to run in mitigation mode immediately. At least on the Device level, just to make sure the Device is protected.

Mitigation will only kick in when the BIG-IP is too much under stress and then it is a good reason to kick in. Learn only is nice, but it will consider anything as legitimate traffic, which can effect the learning negative (when an attack happens during the learning period).

Going with mitigation or detection mode is from my point of view a better approach. But keep in mind you may need to adjust the floor value, when a vector goes into detect mode, just because there is more traffic than expected, which can easily happen within the first week.

 

I also plan to write an article about my best practices on configuration and integration of BIG-IP. Then I will discuss it in more details.

 

Thanks for you nice feedback!

Cheers, sVen