Forum Discussion

Evergrim's avatar
Evergrim
Icon for Altocumulus rankAltocumulus
Nov 27, 2023

ASM DoS Profile blacklist duration

Hi,

We had to create a DoS profile for a virtual server at the weekend due to a DoS attack.
I have activated three vectors in the profile
- Behavioral Anomalous Bad Actors
- Stress-based High-Volume Client IP
- TPS-based High-Volume Client IP
Request Blocking is set to "Block all".
Today the question came up as to how long the blocked IPs remain blocked. It's been a while since my ASM training, but I knew that there was a setting. So I found this article, but there are no "General Settings" when I create a new profile.

Now to my questions:
1. does the statement that the IP of a bad actor remains blocked for 4h by default fit?
2. where can this setting be found (we use OS version 16.1.3.4)

best regards and many thanks
B

security

6 Replies

Sort By
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Nov 27, 2023

    Hi Evergrim , 
    Have a look in the below deployment , it has all info about using behavioral and bad actor vector for HTTP : 
    https://readthedocs.org/projects/bados-sg-agility-2018/downloads/pdf/latest/

    From your Post , I detect that you have an AFM and AWAF license , so that you see a bit difference in GUI from an AWAF only provisioned license. 


    in your Article you are refering to Network Attack vectors not http ones. 

    In Network DoS Attack vector , you can easly set the duration of bad actors and it's configurable. 

    in HTTP Vectors it seems to be not that easy and I think there's no way to set the duration for bad-actors. 

    Maybe it's 4 hours like the described in the article because Bad-actors is a mitigation technique for L3 and L4 not L7 attacks , so I think it should follow the same criteria like Network bad-actors duration. 

    I want to say ( even in L7 vectors or Network Vectors >>> It's a security check happens in Layer 3 and 4 only. 


  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Nov 27, 2023

    Hi Evergrim,

    looks like you are talking about the AWAF feature Application Layer or L7 DDoS protection, even though the article you reference is for AFM.
    My recommendation is to use Behavioral DoS, don't mix with TPS or stress-based. For BaDOS this config is my gold standard.

    This will generate dynamic signatures to mitigate L7 DDoS attacks. Dynamic signatures remain in the list until the maximum number is detected (for ASM HTTP, 1024; for AFM, 32 per device or protected object). 

    KR
    Daniel

    • Mohamed_Ahmed_Kansoh's avatar
      Mohamed_Ahmed_Kansoh
      Icon for MVP rankMVP
      Nov 27, 2023

      Hi Daniel_Wolf , 

      He has both AWAF and AFM licenses provisioned , so he don't see the legacy view of AWAF DoS , but he see the Dos Protection as a multiple vectors distributed between ( Network , SIP , DNS and HTTP ). 

      So If he need to configure the Behavioral Dos For HTTP , He can select the Behavioral Vector for HTTP and he can proceed. 

      The Snap shot you have shared here is identical to the Behavioral HTTP , Just F5 merged AFM DoS with AWAF DoS shown as a number of Vectors if you have both license provisioned.

      So in the recent versions or releases he will not able to switch to legacy view and obtain like your snapshot. 

      Correct me If I am wrong 

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP
        Nov 27, 2023

        Hi Mohamed_Ahmed_Kansoh,

        the screenshot is from my AWAF with v16.1. Today I was looking at a customer environment with AWAF+AFM (v17.1) provisioned and there I had the possibility to switch between AFM view and legacy view. If legacy view is in 17.1, I'm pretty sure it's also in 16.1.

        KR
        Daniel