"Blocking DOS attack" showed on ltm led,How to tracked attack surce?

Question

Hey everyone,&nbsp;&nbsp;&nbsp;

&nbsp;
&nbsp;

&nbsp;A alert "Blocking DOS attack" showed on ltm led&nbsp;&nbsp;
And the Local Traffic log only have two logs which looks related.&nbsp;&nbsp;&nbsp;
"sweeper_update: aggressive mode activated. 372313/438016 pages sweeper_update: aggressive mode activated. 372313/438016 pages"&nbsp;&nbsp;&nbsp;
"sweeper_update: aggressive mode deactivated. 371799/438016 pages sweeper_update: aggressive mode deactivated. 371799/438016 pages"&nbsp;&nbsp;
The system performance and connection looks normally in that time.&nbsp;&nbsp;&nbsp;
I want to track the attack source,what should i do?&nbsp;&nbsp;

hooleylist · Answer

Hi Roger, 
&nbsp;  
&nbsp; I don't think LTM logs any info on source IP address(es) when it goes into sweeper mode.  These alerts are triggered when LTM runs low on memory.  Here are a few related solutions: 
&nbsp;  
&nbsp; sol4611: Overview of adaptive reaping 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4611.html 
&nbsp;  
&nbsp; sol7301: Protecting the BIG-IP LTM against denial of service attacks 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7301.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

"Blocking DOS attack" showed on ltm led,How to tracked attack surce?

1 Reply

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

Real Attack Stories: The "MOP Sink" Attack

About AWAF "Redirect URLs" in "Responses and Blocks"

Tourniquet iRule to detect, BLOCK, log, and count CVE-2016-9244 "Ticketbleed" attacks

Is the update and application of new AWAF attack signatures "Service Affecting"?

Automate ASM "Ready to Be Enforced" Attack Signatures