Explanation of F5 DDoS threshold modes
Dear Reader, in my article “Concept of Device DOS and DOS profile”, I recommended using the “Fully Automatic” or “Multiplier” based configuration option for some DOS vectors. In this article I would...
Published Feb 12, 2020
Version 1.0
Sven_Mueller
I'm a Security Solution Architect in EMEA, focused on Application and Network-Security.
I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective.
Before I joined F5, I was a Security Consultant and active on HoneyNet research topics.
I hold a diploma in Electrical Engineering.
Besides my IT Security interests, I love driving on the Nuerburgring (Green Hell).
Ret. Employee
dragonflymr
Cirrostratus
Oct 05, 2021
One more question about using different State settings. Could you share some real-life examples of when to use:
- Learn Only - my understanding is that it's useful when DDoS is first enabled and when Full Automatic/Auto Detection mode is planned to be used in the future. Does it make any sense if Full Manual will be used?
- Detect Only - seems to be more useful as it creates Alerts (as opposed to Learn Only), so it allows for a better understanding of whether there are attacks or what could be a false positive
You never mentioned Manual Detection/Auto Mitigation - is that because this mode is not really useful?
Piotr