ddos
26 Topics
DDoS L3 L4 L7 only

Big Hi to all of you, I am currently in the learning phase and have implemented L3/L4 DDoS protection using AFM. Now, I want to focus on L7 DDoS mitigation. However, I find Advanced WAF overwhelming, as it covers a vast range of topics, and I'm unsure where to begin. My goal is to concentrate solely on protecting against L7 DDoS attacks with the WAF.

Here are some key AFM settings I have implemented; let me know if anything is missing for L3/L4:

IP Intelligence is applied at the global level.

General Properties:
    Type: Forwarding (IP)
    Source Address: 0.0.0.0/0
    Destination Address/Mask: x.x.x.x/29
    Service Port: *
Configuration:
    Protocol: All protocols
Security Policy:
    DoS Protection Profile: DDoSProfile (Network and DNS enabled only)

Now, moving on to my goal of implementing Bot Defense. Since Bot Defense applies only to HTTP service ports, do I need to set up two different Virtual Servers? Additionally, I want to apply a DoS profile that includes HTTP, along with Network and DNS protection (i.e., Network + DNS + HTTP).
What is the best option in Hybrid Defender when there is an expected legal campaign (legal huge traffic)

Hello, What is the best option when using Hybrid Defender in Auto Detection / Multiplier Based mode, and at a certain time we expect high traffic to reach us? A certain company is hosted with us; they have normal traffic, but at a certain time they publish a new service and expect a huge number of users to access it. So what is the best option in that scenario?
ASM L7DOS snmp traps

Dear, Do you know of any known issue about L7 DDoS SNMP traps? For some reason they are not sent at all. The log entry in /var/log/dosl7/dosl7d.log is present, but no SNMP trap is sent. I checked the definition in the alertd config files, and it looks like it is looking for a specific log entry in order to send the trap:

alert.conf:

    alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91";
    }

bigip_ts_error_maps.h:

    3 LOG_ERR 01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s"

But the problem is that when testing an L7 DDoS, no log entry can be found in /var/log/asm; there are only logs in /var/log/dosl7/dosl7d.log, and it looks like alertd does not process the latter file (K14397). My client is running version 11.5.4. Thanks in advance for your assistance. Abdessamad
AFM protected object address list creation

Hello, What is the best way to create protected objects which have the same protection profile: create a protected object on an address list containing these IPs, or create separate protected objects? Note that the number of objects is huge. By default the system does not allow you to assign a protection profile to a protected object created on an address list, so you have to apply the following workaround, but it is mentioned that this should be considered experimental only: enable the afm.allowtmcvirtuals variable (https://my.f5.com/manage/s/article/K59471927). So what is the best way?
How to allow Google to crawl my Site, when DOS Profile is active?

Hello all, we activated the DDoS Protection on our F5 Cluster, but after that Google is no longer able to crawl our site, although I already put all "Google" signatures on the "Whitelist". But always when I'm checking the crawl status, the Google Bot gets this response:

    ... Please enable JavaScript to view the page content.

And here is the config from our current Profile:

    security dos profile Homepage {
        app-service none
        application {
            Homepage {
                bot-defense {
                    browser-legit-captcha disabled
                    browser-legit-enabled disabled
                    mode during-attacks
                }
                bot-signatures {
                    categories {
                        "DOS Tool" { action block }
                        "E-Mail Collector" { action block }
                        "Exploit Tool" { action block }
                        "Network Scanner" { action block }
                        "Search Engine" { action report }
                        "Spam Bot" { action block }
                        "Vulnerability Scanner" { action block }
                        "Web Spider" { action block }
                        "Webserver Stress Tool" { action block }
                        Spyware { action block }
                    }
                    check enabled
                    disabled-signatures {
                        "Facebook External Hit" { }
                        "Google AdsBot" { }
                        "Google Desktop" { }
                        "Google Feedfetcher" { }
                        "Google Page Speed Insights" { }
                        "Google Translate" { }
                        "Google favicon" { }
                        "Nokia-WAPToolkit.\* googlebot" { }
                        AppEngine-Google { }
                        Bing { }
                        Google { }
                        Google-Adwords-Instant { }
                        Google-Calendar-Importer { }
                        Google-Sitemaps { }
                        GoogleWebLight { }
                        Google_Analytics_Snippet_Validator { }
                        Java { }
                        Mediapartners-Google { }
                        YahooSeeker { }
                    }
                }
                captcha-response {
                    failure {
                        body "You have entered an invalid answer for the question. Please, try again. %DOSL7.captcha.image% %DOSL7.captcha.change% What code is in the image\? %DOSL7.captcha.solution% %DOSL7.captcha.submit%"
                    }
                    first {
                        body "This question is for testing whether you are a human visitor and to prevent automated spam submission. %DOSL7.captcha.image% %DOSL7.captcha.change% What code is in the image\? %DOSL7.captcha.solution% %DOSL7.captcha.submit%"
                    }
                }
                ip-whitelist {
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                    xxx.xxx.xxx.xxx/xx { }
                }
                stress-based { mode blocking }
                tcp-dump { record-traffic enabled }
                tps-based {
                    device-client-side-defense enabled
                    device-rate-limiting enabled
                    ip-client-side-defense enabled
                }
            }
        }
        partition Common
        whitelist none
    }

Maybe you have a hint for me how to solve this. Current BIG-IP version: 12.1.2 - ASM Signatures: v12.1.2/ASM-SignatureFile_20170403_145743

Thanks, Christoph
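Added example, not part of Christoph's post and not F5 code. Bot signatures match on request headers the client controls, so anything can claim to be Googlebot; the profile's ip-whitelist is the allow mechanism that cannot be spoofed, but only if the addresses put into it are verified first. The check the search engines themselves document is reverse DNS followed by forward DNS: the PTR of the client IP must lie inside the engine's crawler domain, and the forward lookup of that hostname must return the original IP. The CRAWLER_DOMAINS table is an illustrative assumption to be confirmed against the engine's documentation, and the DNS answers at the bottom are constructed sample data so the module runs offline.

```python
"""Verify a client that claims to be a search-engine crawler before whitelisting it.

Added example (not from the original post, not F5 code). The User-Agent is
deliberately ignored: the decision rests on a PTR lookup of the client IP
followed by a forward lookup of the returned hostname, which a spoofer
cannot satisfy because it does not control the engine's forward zone.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Assumed suffixes for illustration; confirm against the engine's documentation.
CRAWLER_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "google": (".googlebot.com", ".google.com"),
    "bing": (".search.msn.com",),
}

ReverseFn = Callable[[str], str]        # ip -> PTR hostname
ForwardFn = Callable[[str], List[str]]  # hostname -> addresses


def system_reverse(ip: str) -> str:
    """Live PTR lookup through the OS resolver."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> List[str]:
    """Live A/AAAA lookup through the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def verify_crawler(ip: str, engine: str,
                   reverse: ReverseFn = system_reverse,
                   forward: ForwardFn = system_forward) -> Tuple[bool, str]:
    """Return (verified, reason)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    # Loopback, link-local and multicast can never be a public crawler.
    # is_private is not used here because it would also reject the RFC 5737
    # documentation ranges used as sample data below.
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False, "not a routable public address"
    suffixes = CRAWLER_DOMAINS.get(engine)
    if not suffixes:
        return False, f"unknown engine {engine!r}"
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:
        return False, "no PTR record"
    if not host.endswith(suffixes):
        return False, f"PTR {host} is outside the {engine} crawler domains"
    try:
        forward_ips = forward(host)
    except OSError:
        return False, f"{host} does not resolve forward"
    if ip not in forward_ips:
        # The reverse zone of the client's address space is under the client's
        # control; the engine's forward zone is not. This step is the one that counts.
        return False, f"forward lookup of {host} does not return {ip}"
    return True, f"{ip} <-> {host} confirmed both ways"


# Constructed sample DNS data (RFC 5737 documentation addresses): one genuine
# crawler, one spoofer whose PTR points into googlebot.com but whose forward
# record does not confirm it, and addresses with no PTR at all.
SAMPLE_PTR: Dict[str, str] = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com.",
    "198.51.100.7": "fake-crawler.googlebot.com.",
}
SAMPLE_A: Dict[str, List[str]] = {
    "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
    "fake-crawler.googlebot.com": ["198.51.100.99"],
}


def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[ip]


def sample_forward(hostname: str) -> List[str]:
    if hostname not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[hostname]


def whitelist_candidates(ips: List[str], engine: str = "google",
                         reverse: ReverseFn = sample_reverse,
                         forward: ForwardFn = sample_forward) -> List[str]:
    """Addresses that passed both lookups and are safe to add to the ip-whitelist."""
    return [ip for ip in ips if verify_crawler(ip, engine, reverse, forward)[0]]


if __name__ == "__main__":
    for candidate in ["203.0.113.10", "198.51.100.7", "192.0.2.5", "127.0.0.1", "bogus"]:
        print(candidate, verify_crawler(candidate, "google", sample_reverse, sample_forward))
    print("whitelist:", whitelist_candidates(["203.0.113.10", "198.51.100.7", "192.0.2.5"]))
```

Run against live DNS by passing no resolver arguments (the defaults use the OS resolver). Crawler address ranges change, so the verified list needs to be refreshed periodically rather than baked into the profile once.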
Protecting against DDoS attack

Dear Community, I need help from application security experts and seasoned web developers. We are getting DDoS attacks on the following requests. This attack is targeting our SMS gateway, resulting in triggering thousands of SMSs. Please inform which kind of protections we can introduce at the application level / application code level to protect against this DDoS attack.

DDoS Request Sample:

    POST xyz.com/api/otp/asdf HTTP/1.1
    Host: xyz.com
    Content-Length: 32
    Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
    Accept: application/json, text/plain, */*
    Authorization: ***********
    Accept-Language: ar
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Content-Type: application/json
    Origin: http://abc.com
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://abc.com
    Accept-Encoding: gzip, deflate
    Connection: close

    {"mobileNumber":"123456789"}

Warm Regards
Why does the Local Traffic policy allow Bot profile to be selected but the iRule can't?

When I attach DoS and Bot profiles with a local traffic policy or iRule, I always need a default Bot and DoS profile, even when I have a default rule that catches all the traffic. That is one thing, but the strangest thing is that when I decide to attach a Bot profile with an iRule it does not work, while Local Traffic Policies allow this. I will need to test this, but it is really strange. This is the first time something is only possible with Local Traffic Policies, but I will have to test if it works 🙂
Preventing DDoS attacks on SMS URL

Dear Community, I am facing DDoS attacks on one of our applications. The attacker is sending hundreds of requests to a URL, which is consuming all of our SMS quota. The attack is originating from multiple IPs. Please inform how I can protect this application API from this kind of DDoS attack at the application code level. I need help from application security experts and web developers. https://abc.com is the frontend and xyz.com is the backend API.

Sample DDoS request:

    POST /asdf/service/sendmobilecode HTTP/1.1
    Host: xyz.com
    Authorization: ***********
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
    Content-Type: application/json
    Origin: https://abc.com
    Referer: https://abc.com/

    {"number":"91234567890"}

Kind Regards
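Added example for the two SMS-flood posts above ("Protecting against DDoS attack" and "Preventing DDoS attacks on SMS URL"); it is not code from either poster. Both requests reach a "send code" endpoint where the SMS gateway is the expensive resource, so the back end has to decide whether a request deserves an SMS at all before calling the gateway. The throttle below enforces four independent limits, each covering a case the others miss: a cooldown per phone number, a daily cap per phone number, a sliding window per client IP (one source cycling through many numbers) and a global budget (many sources, many numbers, the case that drains the quota). The client always receives the same 202 so it cannot learn which limit it hit. Counters are in-memory for the demo and would live in a shared store such as Redis in production; the clock is injectable so the replay is deterministic; phone numbers, addresses and the policy values are constructed assumptions.

```python
"""Application-level throttling for an OTP / "send mobile code" endpoint.

Added example, not code from either forum post. Limits: per-number cooldown,
per-number daily cap, per-IP sliding window, global budget. The response to
the caller never reveals which limit, if any, suppressed the SMS.
Sample numbers, addresses and policy values are constructed assumptions.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, Optional, Tuple

E164 = re.compile(r"^\+[1-9][0-9]{7,14}$")  # '+' followed by 8 to 15 digits


@dataclass(frozen=True)
class OtpPolicy:
    number_cooldown_s: int = 60      # minimum gap between two SMS to one number
    number_daily_cap: int = 5        # SMS per number per 24 h
    ip_limit: int = 10               # sends per client IP per ip_window_s
    ip_window_s: int = 600
    global_limit: int = 500          # sends for the whole service per global_window_s
    global_window_s: int = 60


class OtpThrottle:
    def __init__(self, policy: Optional[OtpPolicy] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy or OtpPolicy()
        self.clock = clock
        self.last_send: Dict[str, float] = {}
        self.number_hist: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_hist: Dict[str, Deque[float]] = defaultdict(deque)
        self.global_hist: Deque[float] = deque()

    @staticmethod
    def _count(hist: Deque[float], now: float, window: float) -> int:
        """Sliding window: drop timestamps older than the window, return what is left."""
        while hist and hist[0] <= now - window:
            hist.popleft()
        return len(hist)

    def decide(self, number: str, client_ip: str) -> str:
        """'send', 'reject:...' (bad input) or 'suppress:...' (limit hit, log only)."""
        now = self.clock()
        p = self.policy
        if not E164.match(number):
            return "reject:invalid_number"
        if now - self.last_send.get(number, float("-inf")) < p.number_cooldown_s:
            return "suppress:number_cooldown"
        if self._count(self.number_hist[number], now, 86400) >= p.number_daily_cap:
            return "suppress:number_daily_cap"
        if self._count(self.ip_hist[client_ip], now, p.ip_window_s) >= p.ip_limit:
            return "suppress:ip_rate"
        if self._count(self.global_hist, now, p.global_window_s) >= p.global_limit:
            return "suppress:global_budget"
        # Every limit passed: record the send in all four structures, then send.
        self.last_send[number] = now
        self.number_hist[number].append(now)
        self.ip_hist[client_ip].append(now)
        self.global_hist.append(now)
        return "send"


def handle_send_code(throttle: OtpThrottle, number: str, client_ip: str,
                     sms_gateway: Callable[[str], None]) -> Tuple[int, dict]:
    """Endpoint handler: identical 202 whether or not an SMS actually went out."""
    decision = throttle.decide(number, client_ip)
    if decision.startswith("reject"):
        return 400, {"error": "invalid number"}
    if decision == "send":
        sms_gateway(number)
    # Log `decision` server-side for detection; never echo it to the client.
    return 202, {"message": "If the number is valid, a code has been sent."}


def run_scenario(requests: Iterable[Tuple[float, str, str]]) -> Dict[str, int]:
    """Replay (offset_seconds, client_ip, number) tuples on a fake clock; count decisions."""
    base = 1_700_000_000.0
    now = [base]
    throttle = OtpThrottle(clock=lambda: now[0])
    counts: Dict[str, int] = defaultdict(int)
    for offset, ip, number in requests:
        now[0] = base + offset
        counts[throttle.decide(number, ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed attack patterns: one IP enumerating numbers, one number hammered,
    # and a distributed flood (600 IPs, 600 numbers, 30 seconds).
    one_ip_many_numbers = [(i, "198.51.100.7", f"+1555{i:07d}") for i in range(50)]
    one_number_hammered = [(i, "198.51.100.7", "+15550100") for i in range(200)]
    distributed_flood = [(i * 0.05, f"198.51.{100 + i // 256}.{i % 256}", f"+1555{i:07d}")
                         for i in range(600)]
    for name, scenario in [("one IP, many numbers", one_ip_many_numbers),
                           ("one number hammered", one_number_hammered),
                           ("distributed flood", distributed_flood)]:
        print(f"{name}: {run_scenario(scenario)}")
```

The per-IP window alone would not have helped against the second post's attack, which comes from many IPs; that is what the global budget is for, and it is the limit that should be sized from the real SMS quota. A CAPTCHA or proof-of-work on the front end before the call, and binding the OTP request to a session or signed token issued by the application, both raise the cost further without changing this back-end logic.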
[ASM][DDoS][TPS-Based Detection] - TPS description and User Agents requests rate limit

Hello, I am new to the DDoS protection on ASM and therefore I have been reading some KBs, but still did not hit (or might have missed) what can help me solve my points. In TPS-Based Detection, what is a Transaction: a single packet or a single session? Can I perform a TPS-Based Detection (without an iRule) on User Agent only and not by Device ID? E.g. 10 req/s max sent by a specific User Agent (e.g. "Mozilla...") connecting to my site. Thank you for your quick reactions. Regards