F5 ASM DOS attack logging

Hi experts.

Has anyone played with logging of ASM DOS triggered attacks? I am looking into:

"Security››Event Logs: DoS: Application Events" and "Security››Event Logs: DoS: Application Attacks"

I cannot find any useful information on the sources (or their corresponding TPS rate) that triggered the attacks. Only the attack start and end time are shown, plus the affected VS. How can one react to such an attack if the attack cannot be drilled down?

Please help!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Comments on this Answer
Comment made 30-Nov-2016 by mm_pen 58

Tikka, thank you for your answer.

I am familiar with the referenced documentation and unfortunately it is misleading and wrong. To be honest, I was quite upset when reading through this same documentation (a few months ago).

Under "Sample DoS event logs" they say: "... how it was mitigated, the IP address where it originated, the transactions per second during the attack ..."

The referenced IP address in the "log events" statistics is the IP address of the reporting ASM DoS engine and not the client IP address triggering the alarm. Someone from F5 reading this observation should escalate it, since it is misleading.

Any other suggestion on how an ASM administrator can observe the (DoS) initiating client IP addresses? And why the attack was triggered? On what grounds (calculation, what were the exact "detection" and "history" intervals)?

Regards


I can confirm the reporting and logging capability of this feature can be improved. Especially when in Transparent mode, there is next to nothing you will learn about the L7 DoS attacks. If you go to Blocking mode, then it is possible to see a bit more in Security -> Reporting -> DoS (analytic graphs). However, even when Blocking is enforced, the details still fall short.

For instance, in the case of a URL-based (TPS increase) attack, the source IP addresses cannot be listed. You will only see a list of URLs where some mitigation occurred. This level of detail is insufficient for proper after-attack analysis. Logs from other infrastructure assets must be checked to come to a conclusion. For another example, if many URLs get attacked, you cannot see more than the first 10 URLs where the threshold was breached.

What to do?

  • With any improvement requests, you must submit an RFE by e-mailing F5 Support. Describe the problem you are facing and provide as much detail as possible. Tell them what you would like to see improved.

Regards,

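The answer above notes that for a URL-based (TPS increase) attack the ASM event log gives only the attack window and the affected URLs, so source IPs and per-client TPS have to be reconstructed from other logs. The following is an added example, not code from this thread or from F5: it takes the attack start/end time as read from the DoS event log and correlates it with a separate request log (for instance a web server behind the virtual server) to list the top source IPs, their peak and average TPS inside the window, and the most-hit URLs. The log format `<timestamp> <client_ip> <method> <url>` and all log lines are constructed for the example; adapt `parse_line` to whatever log you actually have.

```python
"""
Reconstruct DoS source IPs and per-client TPS for an ASM attack window
from an external request log. Example code; the log format and every log
line below are constructed assumptions, not F5 output.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Attack window as it would be read from Security > Event Logs > DoS >
# Application Events (constructed values for this example).
ATTACK_START = datetime(2016, 11, 30, 10, 0, 0)
ATTACK_END = datetime(2016, 11, 30, 10, 0, 10)

# Constructed request-log sample: "<timestamp> <client_ip> <method> <url>".
# Two lines fall outside the attack window on purpose.
ACCESS_LOG = """\
2016-11-30T09:59:58 10.1.1.5 GET /index.html
2016-11-30T10:00:01 203.0.113.7 GET /login
2016-11-30T10:00:01 203.0.113.7 GET /login
2016-11-30T10:00:01 203.0.113.7 GET /login
2016-11-30T10:00:02 203.0.113.7 GET /login
2016-11-30T10:00:02 198.51.100.9 GET /login
2016-11-30T10:00:02 203.0.113.7 GET /login
2016-11-30T10:00:02 198.51.100.9 GET /login
2016-11-30T10:00:03 203.0.113.7 GET /search
2016-11-30T10:00:04 10.1.1.5 GET /index.html
2016-11-30T10:00:05 198.51.100.9 GET /index.html
2016-11-30T10:00:11 10.1.1.5 GET /index.html
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, url)."""
    ts, ip, method, url = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, method, url


def requests_in_window(log_text, start, end):
    """Return parsed requests with start <= timestamp < end."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url = parse_line(line)
        if start <= ts < end:
            hits.append((ts, ip, method, url))
    return hits


def source_stats(log_text, start, end):
    """Per source IP: request count, average TPS over the window, peak TPS
    (max requests in any single one-second bucket)."""
    duration = max((end - start).total_seconds(), 1.0)
    per_ip_second = defaultdict(Counter)
    for ts, ip, _, _ in requests_in_window(log_text, start, end):
        per_ip_second[ip][ts.replace(microsecond=0)] += 1
    stats = {}
    for ip, buckets in per_ip_second.items():
        total = sum(buckets.values())
        stats[ip] = {
            "requests": total,
            "avg_tps": total / duration,
            "peak_tps": max(buckets.values()),
        }
    return stats


def top_sources(log_text, start, end, n=10):
    """Sources ordered by peak TPS, then total requests, then IP."""
    stats = source_stats(log_text, start, end)
    ranked = sorted(
        stats.items(),
        key=lambda kv: (-kv[1]["peak_tps"], -kv[1]["requests"], kv[0]),
    )
    return ranked[:n]


def top_urls(log_text, start, end, n=10):
    """Most requested URLs inside the window, as (url, count) pairs."""
    counts = Counter(url for _, _, _, url in requests_in_window(log_text, start, end))
    return counts.most_common(n)


if __name__ == "__main__":
    print(f"Attack window {ATTACK_START} .. {ATTACK_END}")
    for ip, s in top_sources(ACCESS_LOG, ATTACK_START, ATTACK_END):
        print(f"{ip:15} requests={s['requests']:3} "
              f"avg_tps={s['avg_tps']:.2f} peak_tps={s['peak_tps']}")
    for url, count in top_urls(ACCESS_LOG, ATTACK_START, ATTACK_END):
        print(f"{count:3} {url}")
```

With the constructed log, 203.0.113.7 tops the list at a peak of 3 requests in one second and 6 requests over the 10-second window, while /login is the most-hit URL. Peak TPS per second is the figure to compare against the ASM TPS-based threshold when deciding why a given source tripped detection.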

Hello, I have a problem. I see in the logs something like this:

2018-11-26 09:39:06 Enforced Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPS Attack Sampled TCP window size Allow 3398167252 12 0

But I need to know the virtual server affected and a sample of the attack, for example the IP it is coming from. Where can I find that info?

Comments on this Answer
Comment made 1 month ago by boneyard 5578

I would try a new question rather than jumping on an old one.

My assumption would be this is across your whole box, so not at one virtual server. A sample I haven't seen AFM do. Where from should be on the GUI side.
