mm_pen_242283
Oct 26, 2016

DOS protection: Source-IP based

Hi experts.

I have a DOS profile activated with "source-ip based" checked under the Policy Prevention section. My understanding of the "source-IP" mode of operation is that ASM only starts observing this client (as a DOS candidate) after TPS reaches "Minimum TPS Threshold for detection". And statistics are calculated for each unique source-IP (hitting a certain VS, where the DOS policy is applied).

After reaching this threshold, ASM starts comparing the average detection interval with the history interval by dividing the two (for this same source-IP and not overall VS statistics).

Is my understanding correct? I am kindly asking for your elaboration or an example of how ASM makes the decision on DOS blocking (per source-IP).

Regards,

1 Reply

  • Tikka_Nagi_1315
    Historic F5 Account

    There are three options that control the IP detection:

    TPS increased by

    Specifies that the system considers an IP address to be that of an attacker if the transactions sent per second have increased by this percentage. The default value is 500%.

    TPS reached

    Specifies that the system considers an IP address to be suspicious if the number of transactions sent per second from an IP address equals, or is greater than, this value. This setting provides an absolute value, so, for example, if an attack increases the number of transactions gradually, the increase might not exceed the TPS increased by threshold and would not be detected. If the TPS reaches the TPS reached value, the system considers traffic to be an attack even if it did not meet the TPS increased by value. The default value is 200 TPS.

    Minimum TPS Threshold for detection

    Specifies that the system considers an IP address to be an attacker if the detected TPS for a specific IP address equals, or is greater than, this number, and the TPS increased by number was reached. The default setting is 40 transactions per second.

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/18.html
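
How the three options in the reply above combine into a per-source-IP decision, as an added example that is not part of the original posts and is not F5's code. It assumes a 10-second detection window and a 60-second history window, reads "TPS increased by" as detection average divided by history average times 100, and runs on constructed per-second counts.

```python
# Added illustration, not F5 code. Thresholds are the defaults quoted in the reply.
TPS_INCREASED_BY = 500    # percent
TPS_REACHED = 200         # absolute TPS
MIN_TPS_THRESHOLD = 40    # floor for the relative check

# Assumed window lengths in seconds (not stated in this thread).
DETECTION_WINDOW = 10
HISTORY_WINDOW = 60


def classify(counts):
    """Classify one source IP from per-second transaction counts, oldest first."""
    recent = counts[-DETECTION_WINDOW:]
    history = counts[-(DETECTION_WINDOW + HISTORY_WINDOW):-DETECTION_WINDOW]
    detect_tps = sum(recent) / len(recent)

    # Absolute ceiling: fires regardless of how the rate compares with history.
    if detect_tps >= TPS_REACHED:
        return "attack", "tps_reached"
    # Relative check only applies once the IP is above the minimum TPS floor.
    if detect_tps < MIN_TPS_THRESHOLD:
        return "ok", "below_minimum"
    if not history or sum(history) == 0:
        return "ok", "no_baseline"  # assumption: no ratio without a baseline
    ratio_pct = detect_tps / (sum(history) / len(history)) * 100
    if ratio_pct >= TPS_INCREASED_BY:
        return "attack", "tps_increased_by"
    return "ok", "ratio_below_threshold"


def evaluate(per_ip_counts):
    """Apply the decision independently to every source IP."""
    return {ip: classify(c) for ip, c in per_ip_counts.items()}


# Constructed samples: 60 s of history followed by 10 s of recent traffic.
SAMPLES = {
    "198.51.100.10": [5] * 60 + [50] * 10,                # sudden 10x jump
    "198.51.100.20": list(range(130, 190)) + [205] * 10,  # gradual ramp
    "198.51.100.30": [2] * 60 + [20] * 10,                # 10x jump, low volume
    "198.51.100.40": [30] * 60 + [60] * 10,               # doubled, above floor
}

if __name__ == "__main__":
    for ip, (verdict, reason) in evaluate(SAMPLES).items():
        print(f"{ip:15} {verdict:7} {reason}")
```

The gradual-ramp client is caught only by the absolute ceiling, and the low-volume client with the same tenfold jump is ignored because it never reaches the minimum threshold.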