Why it is not blocking and still accepting traffic from the source DoS Attack??

Ren_Alcala · ‎21-May-2021

Can anyone help me with this issue 😊 regarding blocking DoS attack because It seems that it is not blocking the actual attack and accepting it that cause my webapp loading slowly. It's weird that in my event DoS log the Action is set as(Accept) but in my Dashboard the attack is blocked and when I tried to access my webapp it is loading slowly means it is not blocking the attack. Please see the attached screenshots.

Thank you and God Bless,

Renato

AlexBCT · ‎22-May-2021

Hi Renato,

The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further;

The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact in how the DoS policy behaves.
The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. - There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.

Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.

Hope this helps.

View solution in original post

AlexBCT · ‎22-May-2021

Hi Renato,

The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further;

The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact in how the DoS policy behaves.
The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. - There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.

Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.

Hope this helps.

Ren_Alcala · ‎22-May-2021

Hi Sir Alex,

Thanks for the tips, I tried your suggestion to configure my IP Intelligence but its still not working. It doesn't blocked the IP of the DoS user i 'don't know if im missing something but you can check my configuration in screenshots, And also sir i encountered weird scenario that my DoS attack doesn't show on my DoS log events/Dos Dashboard.

Thanks,

Renato

DevCentral

Why it is not blocking and still accepting traffic from the source DoS Attack??

Khoros Kudos Award 2022