Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Why it is not blocking and still accepting traffic from the source DoS Attack??

Go to solution
Ren_Alcala
Cirrus
Cirrus

‎21-May-2021 03:49

Can anyone help me with this issue 😊 regarding blocking DoS attack because It seems that it is not blocking the actual attack and accepting it that cause my webapp loading slowly. It's weird that in my event DoS log the Action is set as(Accept) but in my Dashboard the attack is blocked and when I tried to access my webapp it is loading slowly means it is not blocking the attack. Please see the attached screenshots.

 

Thank you and God Bless,

Renato

0691T00000CoW3KQAV.png

0691T00000CoW3LQAV.png

0691T00000CoW3MQAV.png

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
AlexBCT
MVP
MVP

‎22-May-2021 05:53

Hi Renato,

 

The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further;

 

  • The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
  • The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact in how the DoS policy behaves.
  • The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. - There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.

 

Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.

 

Hope this helps.

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
AlexBCT
MVP
MVP

‎22-May-2021 05:53

Hi Renato,

 

The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further;

 

  • The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
  • The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact in how the DoS policy behaves.
  • The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. - There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.

 

Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.

 

Hope this helps.

0 Kudos

Go to solution
Ren_Alcala
Cirrus
Cirrus
In response to AlexBCT

‎22-May-2021 06:41

Hi Sir Alex,

 

Thanks for the tips, I tried your suggestion to configure my IP Intelligence but its still not working. It doesn't blocked the IP of the DoS user i 'don't know if im missing something but you can check my configuration in screenshots, And also sir i encountered weird scenario that my DoS attack doesn't show on my DoS log events/Dos Dashboard.

 

0691T00000CoYjXQAV.png0691T00000CoYjSQAV.png0691T00000CoYjNQAV.pngThanks,

Renato

 

0 Kudos
Copyright © 2023 Khoros, LLC