Explanation of F5 DDoS threshold modes
Dear Reader, in my article “Concept of Device DOS and DOS profile”, I recommended using the “Fully Automatic” or “Multiplier” based configuration option for some DOS vectors. In this article I would...
Published Feb 12, 2020
Version 1.0
Sven_Mueller
Employee
I'm a Security Solution Architect in EMEA, focused on Application and Network Security. I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective. Before I joined F5, I was a Security Consultant and active on HoneyNet research topics. I hold a diploma in Electrical Engineering. Besides my IT Security interests, I'm a Bitcoin enthusiast and love driving on the Nürburgring (Green Hell).
Max_P
Nimbostratus
Jan 26, 2023
Hi Sven,
First of all, thanks again for your reply in the other post.
I have a question regarding the "Detection Threshold %" of the fully manual mode.
I've been trying to get an alert with this threshold on a protected object, but without much success. I configured the detection eps and mitigation eps to a very high value above 40k to make sure that I didn't get an alert and no mitigation occurred with these two thresholds. I generated a baseline of 160 eps for about 4 hours and kept it running while I generated an attack of around 20k eps, and left the "Detection Threshold %" at 200, but never got the alert.
The vector I tested was SYN Flood with only the thresholds configured, no bad actor enabled.
Am I missing something here?
Thanks in advance.
Maxi