What is the best option in Hybrid defender when there expected legal campaign (legal huge traffic)
Hello, What is the best option when using Hybrid defender inAuto Detection / Multiplier Based and at a certain time we expect high traffic to be reached to us As certain company is hosted with us they have normal traffic, but at certain time they publish a new service and expect huge number of users to access it So what is the best option in that scenario?
ASM L7DOS snmp traps
Dear, Do you know of any known issue about l7ddos snmp traps. For some reason they are not sent at all. The log entry in /var/log/dosl7/dosl7d.log is well present, but no snmp trap is sent. I checked the definition in the alertd config files and it looks like it is looking for a specific log entry in order to send the trap: alert.conf alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91"; } bigip_ts_error_maps.h 3 LOG_ERR 01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s" But the problem is that when testing a l7ddos, no log entry can be found in /var/log/asm, there are only logs in /var/log/dosl7/dosl7d.log And it looks like the alertd does not process the later file (K14397) My client is running version 11.5.4 Thanks in advance for your assistance. Abdessamad
ASM L7DOS snmp traps
Dear, Do you know of any known issue about l7ddos snmp traps. For some reason they are not sent at all. The log entry in /var/log/dosl7/dosl7d.log is well present, but no snmp trap is sent. I checked the definition in the alertd config files and it looks like it is looking for a specific log entry in order to send the trap: alert.conf alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91"; } bigip_ts_error_maps.h 3 LOG_ERR 01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s" But the problem is that when testing a l7ddos, no log entry can be found in /var/log/asm, there are only logs in /var/log/dosl7/dosl7d.log And it looks like the alertd does not process the later file (K14397) My client is running version 11.5.4 Thanks in advance for your assistance. AbdessamadAFM protected object address list creation
Hello, What is the best way to create protection objects which have the same protection profile Create a protection object on Address list containing these IPs or create separate protected objects? noting the number of objects are huge System by default does not allow you to assign a protection profile on a protected group created on address list so you have to apply the following workaround, but it is mentionedThis should be considered experimental only Enable afm.allowtmcvirtuals variable https://my.f5.com/manage/s/article/K59471927 so what is the best way?
How to allow Google to crawl my Site, when DOS Profile is active?
Hello all, we activated the DDos Protection on our F5 Cluster, but after that Google is no longer able to crawl our site. Although I already set all "Google" Signatures on the "Whitelist". But always when I'm checking the crawl status the Google Bot get's this response: ... Please enable JavaScript to view the page content. And here is the config from our current Profile: security dos profile Homepage { app-service none application { Homepage { bot-defense { browser-legit-captcha disabled browser-legit-enabled disabled mode during-attacks } bot-signatures { categories { "DOS Tool" { action block } "E-Mail Collector" { action block } "Exploit Tool" { action block } "Network Scanner" { action block } "Search Engine" { action report } "Spam Bot" { action block } "Vulnerability Scanner" { action block } "Web Spider" { action block } "Webserver Stress Tool" { action block } Spyware { action block } } check enabled disabled-signatures { "Facebook External Hit" { } "Google AdsBot" { } "Google Desktop" { } "Google Feedfetcher" { } "Google Page Speed Insights" { } "Google Translate" { } "Google favicon" { } "Nokia-WAPToolkit.\* googlebot" { } AppEngine-Google { } Bing { } Google { } Google-Adwords-Instant { } Google-Calendar-Importer { } Google-Sitemaps { } GoogleWebLight { } Google_Analytics_Snippet_Validator { } Java { } Mediapartners-Google { } YahooSeeker { } } } captcha-response { failure { body "You have entered an invalid answer for the question. Please, try again. %DOSL7.captcha.image% %DOSL7.captcha.change% What code is in the image\? %DOSL7.captcha.solution% %DOSL7.captcha.submit%" } first { body "This question is for testing whether you are a human visitor and to prevent automated spam submission. %DOSL7.captcha.image% %DOSL7.captcha.change% What code is in the image\? %DOSL7.captcha.solution% %DOSL7.captcha.submit%" } } ip-whitelist { xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } xxx.xxx.xxx.xxx/xx { } } stress-based { mode blocking } tcp-dump { record-traffic enabled } tps-based { device-client-side-defense enabled device-rate-limiting enabled ip-client-side-defense enabled } } } partition Common whitelist none } Maybe you have a hint for me how to solve this. Current Big-IP version: 12.1.2 - ASM Signatures: v12.1.2/ASM-SignatureFile_20170403_145743 Thanks, Christoph
Protecting against DDoS attack
Dear Community, I need help from application security experts and seasoned web developers. We are getting DDoS attacks on the following requests. This attack is targetting our SMS gateway; resulting in triggerig thousands of SMSs. Please inform which kind of protections we can introduce in application level / application code level to protect against this DDoS attack. DDoS Request Sample: POST xyz.com/api/otp/asdf HTTP/1.1 Host: xyz.com Content-Length: 32 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90" Accept: application/json, text/plain, */* Authorization: *********** Accept-Language: ar Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin: http://abc.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer:http://abc.com Accept-Encoding: gzip, deflate Connection: close {"mobileNumber":"123456789"} Warm RegardsWhy does the Local Traffic policy allow Bot profile to be selected but the iRule can't ?
When I attach DOS and BOT profiles with local traffic policy or iRule I always need a default BOT and DOS profile even when I have a default rule that catches all the traffic. That is one thing but the strangest thing is when I decide to attach a Bot profile with iRule it does not work but the Local traffic policies allow this. I will need to test this but is really strange. This is the first time something is only possible with Local Traffic Policies but I will have to test if it works 🙂Preventing DDoS attacks on SMS URL
Dear Community, I am facing DDoS attacks on one of our application. The attacker is sending hundred of requests to a URL, which is consuming all of our SMS quota. The attack is originating from multiple IPs. Please inform how I can protect this application API from this kind of DDoS attack from appliation code level. I need help from application security experts and web developers. https://abc.comis frontend & xyz.com is backend api Sample of DDoS reqeust: POST /asdf/service/sendmobilecode HTTP/1.1 Host:xyz.com Authorization: *********** User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin:https://abc.com Referer:https://abc.com/ {"number":"91234567890"} Kind Regards[ASM][DDoS][TPS-Based Detection]- TPS description and User Agents requests rate limit
Hello, I am new to the DDoS protection on ASM and therefore I have been reading some KBs, but still did not hit (or might have missed) what can help me solve my points In TPS-Based Detection, what is a Transaction : single packet or single session ? Can I perform a TPS-Based Detection (without an iRule) on User Agent only and not By Device ID? E.g. 10req/s max sent by a specific User Agent (e.g. "Mozilla...") connecting to my site. Thank you for your quick reactions. Regards
