Forum Discussion

solaikumar_1217
Feb 11, 2016

DOS protection in F5

Dear All,

Can anyone tell me the calculation behind ASM DOS protection?

Does the DOS policy learn some baselines during the ERP period based on the calculation? Please guide.

I have kept the DOS policy in block mode and it blocks even when the connection count is within 10 from individual IPs.

The default configuration values in F5 DOS policy are:

IP detection criteria

TPS increased by - 500; TPS reached - 200; Minimum TPS Threshold for detection - 40.

Prevention policy

Client side Integrity defense

Source IP-Based, Geolocation-Based, URL-Based, Site-wide.

1 Reply

  • I can shed some light on the baselines. We don't start caring about how many transactions are happening until you've reached 40 transactions per second (to prevent baselining at no connections and erroneously blocking legitimate traffic). We won't take any action unless you have at least 200 transactions per second coming in, and we won't trigger unless the traffic coming in has increased by 500 transactions per second.

    If you mean that you have IPs being blocked at 10 transactions per second, then I would recommend opening a case with support.