Explanation of F5 DDoS threshold modes
Dear Reader, In my article “Concept of Device DOS and DOS profile”, I recommended using the “Fully Automatic” or “Multiplier” based configuration option for some DOS vectors. In this article I would...
Published Feb 12, 2020
Version 1.0
Sven_Mueller
I'm a Security Solution Architect in EMEA, focused on Application and Network-Security.
I act as a liaison between customers, the F5 sales team and the F5 product teams, providing a hands-on real-world perspective.
Before I joined F5, I was a Security Consultant and active on HoneyNet research topics.
I hold a diploma in Electrical Engineering.
Besides my IT Security interests, I love driving on the Nuerburgring (Green Hell).
Ret. Employee
Max_P
Nimbostratus
Jan 26, 2023
Hi Sven,
First of all, thanks again for your reply in the other post.
I have a question regarding the "Detection Threshold %" of the fully manual mode.
I've been trying to get an alert with this threshold on a protected object, but without much success. I've configured the detection eps and mitigation eps to a very high value, above 40k, to make sure that I didn't get an alert and no mitigation occurred with these two thresholds, generated a baseline of 160 eps for about 4 hours, and kept it running while I generated an attack of around 20k eps and left the "Detection Threshold %" at 200, but never got the alert.
The vector I tested was SYN Flood with only the thresholds configured, no bad actor enabled.
Am I missing something here?
Thanks in advance.
Maxi