Forum Discussion

Mike_Maher
Nov 16, 2015

L7 DoS Profile

I have what I think should be a couple of simple questions about L7 DoS profiles in ASM. I am running 11.5.3 HF2, and right now I have a couple of applications configured with L7 DoS profiles doing TPS-based detection and rate limiting for mitigation. It has been a while since these profiles were implemented, and I am looking to tune some of the settings and also use some of the new features that have been put in place. I have read through the implementation guides, but there were a couple of things I still wasn't really clear on.

  1. I see the settings for Escalation/De-escalation and see that it is for mitigation. So does that mean if I have Client Side Integrity and Rate Limiting turned on, it will try the integrity checks first for a period to mitigate and then proceed to rate limiting?

  2. In the Heavy URL protection I see there is auto detect. Can anyone tell me what criteria it uses to detect Heavy URLs?

  3. This one is more experience based. Do you have a preference on latency- vs TPS-based detection, and why?

Any help or advice is appreciated.

4 Replies

  • With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.

    For question 2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare latencies of individual URLs against the site-wide average latency and thus classifies certain URLs as heavy, based upon the URLs that frequently exhibit higher latency than others.

    For question 3, I have always been a fan of the latency-based approach, as long as one knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to the site/URLs above a certain volume - but, typically, latency is the most accurate indicator of the backend application's health and performance abilities.

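As an added illustration (not ASM's proprietary algorithm, which F5 does not publish, and not code from the thread), this Python script shows the general shape of the heuristic the answer to question 2 describes: compare each URL's latency samples against the site-wide average and flag the URLs that are frequently slower. The observations, the `min_hits` guard and the `frequency` threshold are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample observations (url, latency_ms), standing in for what an
# L7 DoS feature would collect from live traffic. Illustrative data only.
SAMPLES = [
    ("/index.html", 40), ("/index.html", 50), ("/index.html", 45),
    ("/index.html", 60), ("/index.html", 55), ("/index.html", 50),
    ("/search", 900), ("/search", 1100), ("/search", 1200),
    ("/search", 850), ("/search", 950), ("/search", 1000),
    ("/api/status", 30), ("/api/status", 35), ("/api/status", 40),
    ("/api/status", 30), ("/api/status", 45), ("/api/status", 120),
    ("/report/export", 2000), ("/report/export", 2500), ("/report/export", 1800),
    ("/report/export", 2200), ("/report/export", 2100),
    ("/login", 50), ("/login", 60), ("/login", 55),
    ("/login", 1500), ("/login", 70), ("/login", 65),
]


def site_wide_mean(samples):
    """Average latency across every request, regardless of URL."""
    return mean(latency for _, latency in samples)


def classify_heavy_urls(samples, min_hits=5, frequency=0.8):
    """Flag URLs that exceed the site-wide mean latency in at least
    `frequency` of their observations. A URL needs at least `min_hits`
    observations, so one slow request (see /login) cannot mark it heavy.
    Returns {url: fraction_of_slow_observations} for the heavy URLs."""
    baseline = site_wide_mean(samples)
    per_url = defaultdict(list)
    for url, latency in samples:
        per_url[url].append(latency)
    heavy = {}
    for url, latencies in per_url.items():
        if len(latencies) < min_hits:
            continue
        slow_fraction = sum(1 for l in latencies if l > baseline) / len(latencies)
        if slow_fraction >= frequency:
            heavy[url] = round(slow_fraction, 2)
    return heavy


if __name__ == "__main__":
    print(f"site-wide mean latency: {site_wide_mean(SAMPLES):.1f} ms")
    for url, frac in sorted(classify_heavy_urls(SAMPLES).items()):
        print(f"heavy URL candidate: {url} (slow in {frac:.0%} of requests)")
```

With this data /search and /report/export are flagged while /login, which had a single slow request, is not; in a real tuning exercise the baseline window and thresholds would be chosen from the application's known acceptable latency, as the answer to question 3 points out.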