Explanation of F5 DDoS threshold modes
Hi Piotr,
"Learn Only" is great when you implement the box. But you should keep the caveats in mind as well. First of all, in "Learn Only" mode, the box never mitigates, which can of course be dangerous. It also takes everything as valid traffic, which again means that when there is an attack, it negatively impacts the learning and threshold calculation.
I usually go immediately with "Mitigate" and set the floor value to a reasonable value. Soon, I will publish an article about my ELK-based DDoS dashboards (https://github.com/elk-f5ddos/DDOS-Dashboard), which also provide packet rate graphs for all vectors. I'm sure this makes fine tuning way easier.
Please keep in mind that the box also learns with "Mitigate" and "Detect only" mode, unless it detects an anomaly.
"Detect Only" is really only for reporting from my point of view.
I never used "Manual Detection/Auto Mitigation" to be honest.
I hope that helps!?
Cheers, sVen
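The caveat in the reply (a box that keeps learning from attack traffic ends up with a poisoned baseline, while one that suspends learning on an anomaly keeps its threshold intact) can be shown with a small simulation. This is an added illustrative model and is not F5's algorithm or any code from the reply: the EWMA baseline, the 3x multiplier, the floor value and the constructed traffic trace are all assumptions chosen to make the effect visible.

```python
"""Illustrative model of a learning DDoS threshold under two policies:
  - learn from every interval, even during an attack ("Learn Only"-style)
  - stop learning while an anomaly is being detected ("Mitigate"/"Detect Only"-style)
The EWMA baseline, multiplier, floor and traffic values are assumptions for this example,
not F5's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThresholdLearner:
    floor: float                    # lowest threshold ever used (pps), regardless of baseline
    multiplier: float = 3.0         # threshold = max(floor, multiplier * learned baseline)
    alpha: float = 0.1              # EWMA weight given to the newest interval
    suspend_on_anomaly: bool = True # False reproduces the "learn from everything" behaviour
    baseline: Optional[float] = None
    anomalies: int = 0

    def threshold(self) -> float:
        # Until something has been learned, only the configured floor is known
        if self.baseline is None:
            return self.floor
        return max(self.floor, self.multiplier * self.baseline)

    def observe(self, pps: float) -> bool:
        """Feed one interval's packet rate; returns True if it was flagged as an anomaly."""
        anomaly = self.baseline is not None and pps > self.threshold()
        if anomaly:
            self.anomalies += 1
        # The poisoning happens here: an attack interval folded into the baseline
        # raises the threshold towards the attack rate itself.
        if not (anomaly and self.suspend_on_anomaly):
            if self.baseline is None:
                self.baseline = pps
            else:
                self.baseline = (1 - self.alpha) * self.baseline + self.alpha * pps
        return anomaly


# Constructed traffic trace (packets per second per interval):
# 50 benign intervals cycling 900..1100 pps, a 50-interval flood at 50k pps,
# then 20 benign intervals again.
NORMAL = [1000 + 50 * (i % 5 - 2) for i in range(50)]
FLOOD = [50_000] * 50
TRAFFIC = NORMAL + FLOOD + NORMAL[:20]


def compare(traffic=TRAFFIC, floor: float = 2000.0) -> dict:
    """Run both policies over the same trace and summarise what each one saw."""
    results = {}
    for name, suspend in (("learn_only", False), ("mitigate", True)):
        learner = ThresholdLearner(floor=floor, suspend_on_anomaly=suspend)
        flagged = [learner.observe(pps) for pps in traffic]
        flood_slice = flagged[len(NORMAL):len(NORMAL) + len(FLOOD)]
        results[name] = {
            "anomalies": sum(flagged),
            "flood_intervals_missed": len(FLOOD) - sum(flood_slice),
            "final_threshold": round(learner.threshold(), 1),
        }
    return results


if __name__ == "__main__":
    for policy, summary in compare().items():
        print(policy, summary)
```

With these assumptions the "learn from everything" learner flags only the first few flood intervals, then absorbs the attack into its baseline and goes blind for the rest of the flood; even after the attack stops, its threshold is still roughly 20x the benign rate. The learner that suspends learning on anomaly flags every flood interval and comes out with the same threshold it had before, which is the behaviour the reply describes for "Mitigate" and "Detect Only".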