Wasfi_182818
Feb 24, 2016

DOS protection by informing the ISP to redirect traffic

Hi;

 

Can the ASM provide DOS protection by notifying the ISP that the WAN link is overwhelmed or flooded, so that the ISP can manage the traffic by diverting the malicious traffic away from the WAN link?

 

I mean do it in a manner similar to what Arbor Networks can do?

 

Kindly Wasfi

 

2 Replies

  • I don't know how Arbor does what you are describing - it does not make much sense to me.

     

    I think your ISP is going to be first to know that your WAN link between them and you is flooded :)

     

    Don't forget that it will be your ISP's switches and firewalls taking the extra traffic first before it reaches you.

     

    You notifying ISP that your pipe to them is overwhelmed is a bit like you calling your electricity company to tell them that you are consuming too much electricity and asking them to reduce the voltage :)

     

    What ASM can do for you is rate-limit the traffic from the offending IP addresses or rate-limit the connections to the overwhelmed URL - this is all a part of the ASM DoS configuration:

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/1.html

     

    If you need to notify some external system that you are under DoS attack you can always use things like iRules/SNMP traps/E-mails/sideband connections to send a notification in the event of the DOS violations being triggered on your ASM.

     

    These are the SNMP traps:

     

    bigipAsmDosAttackDetected - DoS attack detected by Application Security Module

     

    OID number: .1.3.6.1.4.1.3375.2.4.0.91

     

    bigipAsmBruteForceAttackDetected - Brute force attack detected by Application Security Module

     

    OID number: .1.3.6.1.4.1.3375.2.4.0.92

     

    You can configure your network monitoring system to look for these SNMP traps to take necessary actions.

     

    Also, if you are subscribed to a cloud-based DDoS protection service (the likes of Akamai/CloudFlare), they will detect and stop most of the attacks before they reach your network and ASM.

     

    Hope this helps,

     

    Sam
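
One way a monitoring host could watch for the two trap OIDs quoted in the reply above, as an added example that is not part of the original thread or any F5 code. It assumes Net-SNMP's snmptrapd is the receiver, runs this script as a traphandle program and prints numeric OIDs; the hostname, addresses and the 300-second suppression window are constructed for illustration.

```python
import sys, time

SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, the varbind that names the trap
ASM_TRAPS = {  # the two trap OIDs quoted in the reply above
    ".1.3.6.1.4.1.3375.2.4.0.91": "bigipAsmDosAttackDetected",
    ".1.3.6.1.4.1.3375.2.4.0.92": "bigipAsmBruteForceAttackDetected",
}
# Constructed sample of what snmptrapd writes to a traphandle program's stdin.
SAMPLE = """bigip1.example.net
UDP: [192.0.2.10]:161->[192.0.2.50]:162
.1.3.6.1.2.1.1.3.0 0:1:02:03.45
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.3375.2.4.0.91
"""

def norm(oid):
    """Give every numeric OID a single leading dot so lookups are consistent."""
    return "." + oid.strip().strip(".")

def parse_traphandle(text):
    """Line 1 is the sender's hostname, line 2 its transport address, the rest are 'OID value' varbinds."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("truncated trap input")
    varbinds = {}
    for ln in lines[2:]:
        oid, _, value = ln.partition(" ")
        varbinds[norm(oid)] = value.strip()
    return {"host": lines[0], "transport": lines[1], "varbinds": varbinds}

def classify(trap):
    """Return the ASM trap name, or None for any trap this handler does not act on."""
    value = trap["varbinds"].get(SNMP_TRAP_OID, "")
    # Take the last token so a type prefix such as "OID: " does not break the match.
    return ASM_TRAPS.get(norm(value.split()[-1])) if value else None

def should_notify(state, host, name, now, window=300):
    """Allow one notification per (device, trap) per window so repeats do not flood the channel."""
    last = state.get((host, name))
    if last is not None and now - last < window:
        return False
    state[(host, name)] = now
    return True

if __name__ == "__main__":
    # traphandle starts one process per trap: persist `state` on disk to suppress across runs.
    trap = parse_traphandle(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    name = classify(trap)
    if name and should_notify({}, trap["host"], name, time.time()):
        print(f"ALERT {name} from {trap['host']} ({trap['transport']})")
```

The `print` line is where the "necessary actions" would hook in, for example opening a ticket or paging whoever contacts the upstream provider.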