BIG-IP AFM DoS Device Protection source IPs logged?

hosting-team
Nimbostratus

Are the source IPs of a DoS attack logged on the F5 anywhere?

2 REPLIES

hosting-team
Nimbostratus
Vector: TCP bad ACK flood
Trigger: Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPS
Mitigation: Blocked

We see this but would the source IPs have been logged?
The KB shows IPs in a packet capture during a DoS, but I assume that is not turned on by default.

AubreyKingF5
Community Manager

Logging on a DoS firewall needs to be carefully dialed in. If we were to turn on source logging by default, a 3DoS could fill a BIG-IP disk in minutes, or even seconds, depending on the attack. Unfortunately, the answer to your question is 'No,' however. I would highly encourage you to get a dedicated physical link on your F5 - as big as you can get it, maybe 2 ports per box, aggregated - for logging, if you want to do DoS logging. Then, you need to set up a logging profile:
https://support.f5.com/csp/article/K51266926

That should be enough to point you in the right direction.