Forum Discussion

Nishal_Rai
Jun 27, 2023
Solved

ASM L7 DoS email alert

Hello Everyone, 

Greetings!

I've been trying to configure an email notification when an ASM L7 DoS event is triggered in F5 BIG-IP. The configuration so far is as follows:

Created an iRule and attached it to the virtual server.

when IN_DOSL7_ATTACK {
    # Fires when the DoS profile attached to this virtual server detects an L7 DoS attack
    log local0. "Attacker IP: $DOSL7_ATTACKER_IP"
    log local0. "Mitigation: $DOSL7_MITIGATION"
    # Optional command, intentionally left disabled here
    #DOSL7::disable
}

I enabled "Trigger iRule" on the DoS profile of the ASM module, and the DoS profile is attached to its respective virtual server.

When I performed the DoS attack using the locust tool against the F5 virtual IP, the attack was recorded in dosl7d.log:

On GUI:

On CLI:

But there were simply just two entries in /var/log/ltm.

The iRule used is the one shown above.

Just a couple of quick questions:

- Do I need additional configuration, or am I expecting the wrong entry for the DoS event in the ltm log?

- Regarding behavioral DoS detection: any idea what parameters behavioral DoS monitors and then triggers on in F5 BIG-IP? The actual code or logic to identify and trigger behavioral DoS is kept in compiled form.

  • Hi Nishal_Rai,
    For your inquiry about how BIG-IP AWAF L7 DDoS uses rate-limit prevention...

    Well,
    First, you have two concepts >>> detection interval & historical interval.
    Detection interval >>> average TPS in the last 10 sec.
    Historical interval >>> average TPS in the last 1 hour (which should be the legitimate TPS).
    Both intervals are updated every 10 sec.

    BIG-IP rate-limits using a simple equation: (historical interval TPS + configured threshold) / 2
    For example:
    If you configured the absolute threshold >> 200 TPS (like the diagram you sent above),
    and let us assume the historical interval (average TPS within the hour) >>> 100 TPS,
    then BIG-IP will rate-limit to 150 TPS.

    BIG-IP will rate-limit if the TPS exceeded the absolute threshold, or if the (relative threshold + at least TPS) condition is violated.

    By the way, you can review it from the logs: when the attack started, you can observe the limit which BIG-IP used when this attack started.

    What is the rate-limit mechanism? I have tested it before; I will tell you my findings >>>
    You have an option to record traffic in your AWAF DDoS profile; BIG-IP starts to record traffic (taking a tcpdump).
    While looking at the recorded packet capture (when the attack started), you will find much of the traffic receiving RST packets from BIG-IP and some samples receiving normal responses (200 OK). Therefore, when using rate-limit as a prevention method >>> much of the traffic will be reset from the BIG-IP IP while some of these requests will pass through BIG-IP normally.

    The key difference between (Block All and Rate Limit) >>> Block All will show you, in the recorded packet capture file when the attack starts >> all traffic from the specific source is reset (RST flag enabled); no traffic passes through BIG-IP. On the other hand, Rate Limit works as I described above.

    Let me know if you have further queries, I will be happy to think with you ^_^
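The detection interval, historical interval and rate-limit formula from the reply above, worked through as an added Python model (constructed for this discussion, not F5's own code). The per-second count input and the two relative-threshold parameter names (relative_increase_pct, min_tps) are assumptions; the 10 s / 1 h windows and the midpoint formula are taken from the reply.

```python
"""Simplified model of the TPS-based L7 DoS detection the reply describes.
Constructed for illustration, not F5's own code. Assumptions, per the reply:
detection interval = mean TPS over the last 10 s, historical interval = mean TPS
over the last hour, rate limit on detection = (historical TPS + threshold) / 2.
"""
DETECTION_WINDOW = 10      # seconds
HISTORICAL_WINDOW = 3600   # seconds

def mean_tps(per_second, window):
    """Mean requests/second over the newest `window` entries (one count per second)."""
    recent = per_second[-window:]
    return sum(recent) / len(recent)

def rate_limit_for(historical_tps, absolute_threshold):
    """Limit the reply says BIG-IP enforces: midpoint of baseline and threshold."""
    return (historical_tps + absolute_threshold) / 2

def evaluate(per_second, absolute_threshold, relative_increase_pct, min_tps):
    """Classify the newest detection interval of a per-second count list (oldest first).

    Attack if detection TPS exceeds the absolute threshold, or if it grew by
    relative_increase_pct over the historical mean AND reached min_tps (the
    "relative threshold + at least TPS" rule; the two parameter names are assumed).
    """
    detection = mean_tps(per_second, DETECTION_WINDOW)
    historical = mean_tps(per_second, HISTORICAL_WINDOW)
    absolute_hit = detection > absolute_threshold
    relative_hit = (detection >= historical * (1 + relative_increase_pct / 100)
                    and detection >= min_tps)
    attack = absolute_hit or relative_hit
    return {
        "detection_tps": detection,
        "historical_tps": historical,
        "absolute_hit": absolute_hit,
        "relative_hit": relative_hit,
        "attack": attack,
        "rate_limit_tps": rate_limit_for(historical, absolute_threshold) if attack else None,
    }

# Constructed traffic: an hour at 100 TPS whose last 10 s burst to 500 TPS,
# and a quiet hour that stays at 100 TPS throughout.
BURST = [100] * (HISTORICAL_WINDOW - DETECTION_WINDOW) + [500] * DETECTION_WINDOW
QUIET = [100] * HISTORICAL_WINDOW

if __name__ == "__main__":
    for name, traffic in (("burst", BURST), ("quiet", QUIET)):
        print(name, evaluate(traffic, absolute_threshold=200, relative_increase_pct=500, min_tps=200))
```

Because the one-hour window in this model includes the burst itself, the historical mean comes out slightly above 100 and the limit is about 150.6 rather than the reply's round 150; with the burst excluded it is exactly 150.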

9 Replies

  • Hi Nishal_Rai,

    >> For your first question: about logs regarding L7 DoS >>>
    I see that you are using CS (Client Side Integrity Defense) as a prevention/mitigation method.
    But using this prevention method doesn't trigger your event "IN_DOSL7_ATTACK",
    according to this: https://clouddocs.f5.com/api/irules/IN_DOSL7_ATTACK.html

    So first try to change it to rate limit, for example, and monitor again.

    >> For your second question about Behavioral DoS:

    Well,
    Behavioral method: is an intelligent way to identify and mitigate DoS attacks by creating a good baseline from normal traffic (users' normal traffic). You should give your BIG-IP sufficient time to create its baseline by learning the good (not DoS attack) traffic.
    Use this command to monitor your BIG-IP and make sure that BIG-IP creates the baseline well from traffic:
    Should be like this >>>

    admd -s vs./Common/vs_hackazon_http+/Common/hackazon_bados.info.learning

    Where (vs_hackazon_http is the virtual server & hackazon_bados is the DoS profile that Behavioral DoS is enabled in)
    For more details on the baseline, please follow this article:

    https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module1.html

    After that you will change the enforcement mode to Blocking in (Behavioral & Stress-based); try your DoS traffic against BIG-IP (don't forget to attach your Behavioral DoS profile to the virtual server that you test the attack against).

    Behavioral detection & mitigation stages:

    • When BIG-IP sees abnormal patterns of traffic violating its learnt baseline, and observes the latency increasing on the servers >>> it starts to create signatures for these attack patterns and starts to slow down / rate-limit the requests according to the used mitigation technique (Standard protection, Aggressive protection, ...).
      Note (use the Help tab in the BIG-IP GUI to know the differences between protection methods in Behavioral DoS).
    • Okay, what is the role of the signature and what are the parameters which these signatures depend on?
      BIG-IP Behavioral takes some headers from the violating/attack requests ("abnormal" ones, I mean) and stores them in a signature; these headers are ANDed with each other within a single signature to identify the attack request. >>> And these are the parameters that you asked about.
    • After that >> if you have the "use approved signature only" check box enabled >>> that means you should open the signature and review its headers and information to approve it (if you feel that it is an attack request) or disable it (if you feel it's a normal, valid request).
    • After approving signatures >>> any request matching any signature will be blocked immediately and quickly, so this keeps your servers safe and powerful and also clean of attacking requests.
    • If you disable / uncheck "use approved signature only", BIG-IP will use the created signatures immediately without your approval, and will start to block any request matching any signature.

    That's all. You can monitor the DoS >> by viewing Reporting / DoS Visibility, or navigate to (Statistics >> Dashboard and choose Behavioral DoS if you expect a live attack).

    I hope I explained Behavioral DoS well; use this article as a starting point:

    https://techdocs.f5.com/en-us/bigiq-7-1-0/managing-ddos-attacks-using-big-iq/monitoring-bados-protection.html

    Thanks and good luck 🙂

    • Nishal_Rai

      Hello Mohamed_Ahmed_Kansoh,

      Thanks for the answer, and yes, you have answered the addressed queries.

      However, regarding the rate limit mitigation of the DoS profile: how does this rate-limiting mitigation apply once the DoS has been triggered?

      Is it layer 4 or layer 7 based rate-limiting? If it's based on layer 4 (TCP), then what will its approach be: will it simply drop TCP packets (no ACK to the client) or drop the whole TCP connection?

      Not much is described in the documentation about the rate-limiting of the traffic once the DoS profile has been triggered, and such an implementation can have a negative impact on false-positive cases (legitimate users' requests in the window period when the DoS profile is triggered). So I just want to know the impact before implementing rate-limiting as the mitigation.

      Nikoolayy1, on the bot defense profile, if DoS mitigation mode is enabled then do I also need to enable client side integrity defense on the DoS protection profile?

      Or does the client side integrity defense provide a different set of JavaScript challenges and approach to verify whether it's a malicious or a legitimate user (browser or bot)?

  • The last post's pictures were not good enough to identify the required details, so I will be posting better images for the analysis.

    DoS trigger logs in /var/log/dosl7d.log

    Log in /var/log/ltm

    Even with the use of the iRule as provided on the DevCentral forum, it does not log the DoS trigger event in /var/log/ltm.

  • Better attach the iRule under the virtual server as seen in https://clouddocs.f5.com/api/irules/IN_DOSL7_ATTACK.html, as the iRule option under the DoS profile is for layer 3/4 if I am not wrong and for the FLOW_INIT event https://clouddocs.f5.com/api/irules/FLOW_INIT.html .

    Also, just in case, enable the ASM Normal mode for iRules in the ASM policy if it does not work.

    Still, better forward the logs to a SIEM or BIG-IQ DCD and from there send the email. Also there should already be logs in /var/log/dosl7/dosl7d.log

    • Nishal_Rai

      The current running version of the F5 BIG-IP is BIG-IP 17.1.0.1 Build 0.0.4 Point Release 1

      I have attached the iRule to the virtual server before:

      "Also just in case enable the ASM Normal mode for irules in the ASM policy if it does not work."

      I even tried that, but the same result: no dosl7d logs in the ltm log.

      Regarding the DoS logs:

      in /var/log/ltm

      "Still better forward the logs to a SIEM or BIG-IQ DCD and from there to send the email."
      Both of these suggested solutions are not available to us right now, so I'm looking for a workaround.

      I hope you understand.

      • Nikoolayy1

        Better test this on 16.1.3.5. Why use 17.1 as it is still not stable?

        As a test workaround you can create a publisher for the logging profile that has local-syslog as a destination and a fake remote destination, and use it under the Security logging profile. Also enable the option in https://my.f5.com/manage/s/article/K03912652 (K03912652: Enable Log Publisher to log when a logging destination becomes unavailable)

        Outside of that, test 16.1.3.5 as mentioned and if it works open a support case with F5 TAC as they deal with such issues.