I want to protect the company transactional website from L7 DoS/DDoS attacks using the DOS profile.
Users access to the website via web browsers and mobile applications.
In order to avoid false positives and unwanted service cut, I have gone through the official documentation, I will use the automatic Thresholds mode and I will run the profile on the transparent mode for 7 days, but I still have some technical questions :
The WAF is based on the access history to identify the number of TPS expected at a given moment
So many questions at once. :-). Let me try..
1. How do auto-thresholds work? When you build policy automatically, it understands the traffic, per-URI, and gets an idea of how many PPS, TPS and req/resp sizing of packets and flows. Again.. PER-URI. So the thresholds know if a URI typically has a 5k req. and gets a 500k resp. normally. It will threshold to the peak. If the VIP is variable, it will understand that, as well and ends up thresholding more to the delta between req / resp to understand that a resp could be proportionately larger as per the difference between the smallest respones and the peak.
2. I would not recommend that you use one policy for mobile and browser based. Maybe one VIP, but you should definitely select policy based on EUD.
3. You would do it either way. Can you show me the screen where you're mitigating DoS with CAPTCHA? You're talking about AFM as though it's a WAF. Are you using AFM or AWAF (ASM)?
4. It considers that threshold as whatever you set it to.
Quick thing.. DoS profiles usually work to defend against UDP / TCP / packets.
L7 is not done with a DoS profile unless you're doing DPI.. which is disctinctly NOT WAF.
Please just tell me what you want to do.. zIt sounds like you need AWAF, not AFM.
I saw you already got an answer. But I would like to mention the configuration I usually use to mitigate L7 HTTP/s DoS attacks.
My typical recomendation is to use BaDoS only. -Don´t use it together with TPS or stress-based!
From the screenshot you can take the config. BaDoS is a layered DoS protection, which means it has multiple options mitigation, but it does only kick in, when your server is under stress!
To get the details on traffic, stress, mitigation, ... etc you can go to the BaDoS dashboard. You find this in the drop-down menu of the BIG-IP dashboard.
I hope that helps!?