For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Explanation of F5 DDoS threshold modes

Der Reader, In my article “Concept of Device DOS and DOS profile”, I recommended to use the “Fully Automatic” or “Multiplier” based configuration option for some DOS vectors. In this article I would...
Published Feb 12, 2020
Version 1.0
AFM
ddos
dhd
dos
flood
security
series-defense-against-ddos
threshold
Sven_Mueller's avatar
Ret. Employee
I´m a Security Solution Architect in EMEA, focused on Application and Network-Security. I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective. Before I joined F5, I was a Security Consultant and active on HoneyNet research topics. I hold a diploma in Electrical Engineering. Beside my IT Security interests,I love driving on the Nuerburgring (Green Hell).
View Profile
Sven_Mueller's avatar
Ret. Employee
I´m a Security Solution Architect in EMEA, focused on Application and Network-Security. I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective. Before I joined F5, I was a Security Consultant and active on HoneyNet research topics. I hold a diploma in Electrical Engineering. Beside my IT Security interests,I love driving on the Nuerburgring (Green Hell).
View Profile
Max_P's avatar
Max_P
Icon for Nimbostratus rankNimbostratus
Jan 26, 2023

Hi Sven,

First of all, thanks again for your reply in the other post.

I have a question regarding the "Detection Threshold %" of the fully manual mode.

I've trying to get an alert with this threshold on a protected object, but with no much success. I've configured the detection eps and mitigation eps to a very high value above 40k to make sure that I didn't get an alert and no mitigation occur with this two thresholds and generated a baseline of 160 eps for about 4 hours and keep it running while I generate an attack of around 20k eps and let the "Detection Threshold %" at 200 but never get the alert.

The vectorI tested was SYN Flood with only the threshols configured, no bad actor enabled.

An I missing something here?

Thanks in advance.

Maxi