BIG-IP AFM DoS Device Protection source IPs logged?

Question

Are the source IPs of a DoS attack logged on the F5 anywhere?

hosting-team · Answer

Vector: TCP bad ACK floodTrigger: Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPSMitigation: BlockedWe see this but would the source IPs have been logged?The KB shows IPs in a packtet capture during a DoS but I assume that is not turned on by default.

aubreykingf5 · Answer

Logging on a DoS firewall needs to be carefully dialed in. If we were to turn on source logging by default, a 3DoS could fill a BIG-IP disk in minutes, or even seconds, depending on the attack. Unfortunately, the answer to your question is 'No,' however.. I would highly encourage you to get a dedicated physical link on your F5 - as big as you can get it.. maybe 2 ports per box, aggregated - for logging, if you want to do DoS logging.&nbsp; &nbsp;Then, you need to set up a logging profile:https://support.f5.com/csp/article/K51266926
That should be enough to point you in the right direction.

Forum Discussion

BIG-IP AFM DoS Device Protection source IPs logged?

2 Replies

Recent Discussions

How to add a new DNS(gtm) to the existing network?

Failed to add new DNS machine to the existing DNS sync-group

Email Notification Sent For The Configuration Change

F5 Malicious Source IP Address Alert

F5 APM Variable Assign agent

Related Content

Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks

Protect Your Kubernetes Cluster Against The Apache Log4j2 Vulnerability Using BIG-IP

BIG-IP Geolocation Updates – Part 1

BIG-IP Orchestrate in private Data Center using Terraform Cloud Agent

Re: Mitigating OWASP API Security risks using BIG-IP