Forum Discussion

Brandon_12607
Aug 01, 2017

ASM V.13 Security DoS Protection Profile Threshold Sensitivity Definition

V.13 ASM Bot Threshold Sensitivity: High, Medium and Low. Does anybody have a good explanation of what the order is for allowing or blocking more traffic?

1 Reply

  • I'm sorry that it is so late when I'm writing this answer, but I had just seen your post. So:

     

    There is an algorithm to calculate these values that is based on the traffic, but it is not shared:

     

    Low: Detection threshold is scaled to a much higher value (than any other setting)
    Medium: Detection threshold is scaled to a value (lower than one for ‘low’ setting & higher than one for ‘high’ setting)
    High: Detection threshold is scaled to a value (lower than any other setting)

     

    This algorithm takes into account the amount of traffic, CPU usage and server health.

     

    DoS mechanisms are based on two attributes: a) traffic anomaly AND b) health

     

    For L7 it is server health. For L3/4 it is BIG-IP health (CPU) for the device mitigation, and for the per-VS DoS it is server health measured on TCP metrics (>= 13.1, like TCP window size, retransmission,…); for versions before 13.1 it is CPU utilisation for the specific VS. On UDP it is basically the same, except it is always VS CPU load for the specific VS. For DNS (13.1) we calculate the request/response ratio on the specific VS.

     

    So again, we mitigate if the number of packets (L3/4) is more than expected AND the server (BIG-IP) health is bad. That means, as long as your BIG-IP and/or backend server can handle the load during x-mas time, all is good. It's just an anomaly, but we do not mitigate.

     

    So basically it defines aggressiveness for mitigation in the same way that it does for Auto-threshold w 12.1.

     

    Threshold Sensitivity: Configure the system-wide DoS Auto Threshold sensitivity. Options are Low, Medium, and High, and provide DoS thresholding from relaxed to very aggressive, and sets the default threshold floor and limits accordingly.