CirrusWhy it is not blocking and still accepting traffic from the source DoS Attack??
Can anyone help me with this issue 😊 regarding blocking DoS attack because It seems that it is not blocking the actual attack and accepting it that cause my webapp loading slowly. It's weird that in my event DoS log the Action is set as(Accept) but in my Dashboard the attack is blocked and when I tried to access my webapp it is loading slowly means it is not blocking the attack. Please see the attached screenshots.
Thank you and God Bless,
Renato
Hi Renato,
The DoS (together with other AFM policies) can be a bit complex to easily say why something happened/didn't happen, so here are some tips to investigate the issue further;
- The first screen is showing the logs of the AFM Firewall. These policies are separate from the DoS policies and as such should not be used to detect DoS issues. Instead, have a look under Security - Events - DoS for the DoS logs.
- The second screenshot is showing the AFM Firewall policy itself, which again isn't part of the DoS policy so will not have an impact in how the DoS policy behaves.
- The Dashboard screenshot is indeed showing the DoS issues, which does indeed seem to show that the DoS policy has detected your attack and is mitigating it. I believe that by default, when an attack is triggered, it may be that it is only stopping the vast majority of requests, not all of them. - There are certain reasons for this behaviour. If you want the DoS policy to completely block an IP, you need to configure something like Bad Actor detection / update your IPI policies.
Lastly, a very useful tool for understanding which policy is impacting what traffic, is the Packet Tester, under Security - Debug - Packet Tester. This will also differentiate between the Firewall, IPI and DoS policies.
Hope this helps.
