Has anyone played with logging of ASM DOS triggered attacks? I am looking into:
"Security››Event Logs: DoS: Application Events"
"Security››Event Logs: DoS: Application Attacks"
I cannot find any useful information on sources (or their corresponding TPS rate) that triggered the attacks. Only the attack start and end time are shown + affected VS. How can one react to such an attack if the attack cannot be drilled down?
Tikka, thank you for your answer.
I am familiar with the referenced documentation and unfortunately it is misleading and wrong. To be honest, I was quite upset when reading through this same documentation (a few months ago).
Under: Sample DoS event logs they say:
"... how it was mitigated, the IP address where it originated, the transactions per second during the attack ..."
The referenced IP address in the "log events" statistics is the IP address of the reporting ASM-DOS engine and not the client IP address triggering the alarm. Someone from F5 reading this observation should escalate it, since it is misleading.
Any other suggestion on how an ASM administrator can observe the (DOS) initiating client IP addresses? And why has the attack been triggered? On what grounds (calculation, what were the exact "detection" and "history" intervals)?
I can confirm the reporting and logging capability of this feature can be improved. Especially when in Transparent mode, there's next to nothing you will learn about the L7 DOS attacks. If you go to Blocking mode, then it's possible to see a bit more in Security -> Reporting -> DOS (analytic graphs). However, even when Blocking is enforced the details still fall short.
For instance, in case of a URL-based (TPS increase) attack, the source IP addresses cannot be listed. You will only see a list of URLs where some mitigation occurred. This level of detail is insufficient for proper after-attack analysis. Logs from other infrastructure assets must be checked to come to a conclusion. For another example, if many URLs get attacked, you cannot see more than the first 10 URLs where the threshold was breached.
What to do?
Hello, I have a problem. I see something like this in the logs:
2018-11-26 09:39:06 Enforced Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPS Attack Sampled TCP window size Allow 3398167252 12 0
But I need to know the affected virtual server and a sample of the attack, for example the IP it is coming from. Where can I find that info?
I would try a new question rather than jumping on an old one.
My assumption would be this is across your whole box, so not at one virtual server. A sample I haven't seen AFM do. Where from should be on the GUI side.
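As an added example (not F5's code or output), a small Python triage parser for event lines shaped like the one quoted above: it extracts the fields the line itself names and reports when a record carries no per-source or per-virtual-server detail, which is exactly when other logs must be correlated. The field meanings beyond the literal text, the second sample line and its scope wording are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the line quoted in the thread plus a made-up second line
# (its scope wording is hypothetical, not real AFM output) to exercise both paths.
SAMPLE_LOG = """\
2018-11-26 09:39:06 Enforced Volumetric, Aggregated across all SrcIP's, Device-Wide attack, metric:PPS Attack Sampled TCP window size Allow 3398167252 12 0
2018-11-26 09:41:10 Enforced Volumetric, Single SrcIP, Virtual-Server attack, metric:PPS Attack Sampled TCP window size Drop 3398167253 40 7
"""
# Phrases taken verbatim from the quoted line; their presence means the record
# carries no per-client and no per-virtual-server detail.
AGGREGATED_SOURCES = "Aggregated across all SrcIP's"
DEVICE_WIDE = "Device-Wide attack"
HEAD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
TAIL_RE = re.compile(r"^metric:(\S+) (.*?) (\S+) (\d+) (\d+) (\d+)$")


@dataclass
class DosEvent:
    timestamp: str
    state: str                      # "Enforced" in the quoted line
    scope: Tuple[str, ...]          # comma-separated clauses before "metric:"
    metric: str                     # "PPS" in the quoted line
    description: str                # status/vector text, kept verbatim
    action: str                     # assumed: the word right before the numbers
    trailing: Tuple[int, int, int]  # not named on the page; positional only


def parse_dos_line(line: str) -> Optional[DosEvent]:
    """Parse one event line; None if it does not match the quoted shape."""
    head = HEAD_RE.match(line.strip())
    if not head:
        return None
    date, time, state, rest = head.groups()
    clauses = [c.strip() for c in rest.split(",")]
    tail = TAIL_RE.match(clauses[-1])
    if not tail:
        return None
    metric, desc, action, a, b, c = tail.groups()
    return DosEvent(f"{date} {time}", state, tuple(clauses[:-1]), metric,
                    desc, action, (int(a), int(b), int(c)))


def missing_detail(ev: DosEvent) -> Tuple[str, ...]:
    """Questions this record alone cannot answer; non-empty means correlate with other logs."""
    gaps = []
    if AGGREGATED_SOURCES in ev.scope:
        gaps.append("source ip")
    if DEVICE_WIDE in ev.scope:
        gaps.append("virtual server")
    return tuple(gaps)
```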