Concept of F5 Device DoS and DoS profiles
Hi Darren,
Well, in production environments I prefer to run in mitigation mode immediately, at least on the Device level, just to make sure the Device is protected.
Mitigation will only kick in when the BIG-IP is under too much stress, and then there is a good reason for it to kick in. Learn-only is nice, but it will consider anything as legitimate traffic, which can affect the learning negatively (when an attack happens during the learning period).
Going with mitigation or detection mode is, from my point of view, a better approach. But keep in mind that you may need to adjust the floor value when a vector goes into detect mode just because there is more traffic than expected, which can easily happen within the first week.
I also plan to write an article about my best practices on configuration and integration of BIG-IP. Then I will discuss it in more detail.
Thanks for your nice feedback!
Cheers, sVen