Explanation of F5 DDoS threshold modes
Hi Sven,
Thanks a lot for the clarification, it helps a lot. I just wonder if the Detect Only/Mitigation settings influence Learn Only in any way. I mean, when you have a fresh AFM install, vectors have some preconfigured settings, so when you change the state from Disabled, some vectors have the threshold preset to Fully Automatic (FA), some to Fully Manual (FM), and for FA some floor values are preset as well.
The question is whether learning works differently for vectors with the FA preset and the FM preset, or whether it's irrelevant. Learn Only seems to make no sense for vectors with an FM threshold (especially when changed manually from FA).
If Threshold Mode influences the Learn Only state, what is the advised setting: change every vector supporting FA to FA (if the preset is FM)?
I also wonder what the best way is to verify what was learned (which Detection Thresholds were learned):
- Device Protection: Security ›› DoS Protection : DoS Overview (non-HTTP) > File Type: Device DoS
- Protection Profile: Security ›› DoS Protection : DoS Overview (non-HTTP) > File Type: Protection Profile (or Protected Object)
Am I right?
Last one: in FA the Detection EPS is not constant but changes over time, but when looking at a vector (for example via File Type: Device DoS) we see just a single value in the Aggregate column (Detection Threshold EPS section). What does this single value represent? The max Detection EPS value over some period of time, the min value, something else?
Thanks in advance,
Piotr