Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

L7 DDoS Attack Protection Configuration

The L7 DDoS Protection feature in F5 ASM/AWAF is designed to mitigate Layer 7 Distributed Denial of Service (DDoS) attacks, which target the application layer by overloading the web application with requests that appear legitimate. The configuration screen for L7 DDoS protection is divided into five main sections, with criteria based on different methods for detection and response.

1. Detection Criteria:

The Detection Criteria section helps define how the system identifies potential DDoS attacks, specifically focusing on latency and transactions per second (TPS).

  • Latency + TPS:

    • This method combines latency with transactions per second (TPS) to detect unusual traffic patterns.

  • Stress-based Detection:

    • This approach detects stress on the application servers, which could indicate the server is being overwhelmed by traffic typical of a DDoS attack.

  • Auto-calculated (F5 Proprietary):

    • F5's proprietary algorithm automatically calculates the thresholds for DDoS detection, ensuring real-time adjustments based on observed traffic patterns.

  • Server-side Detection:

    • This focuses on server-side metrics to determine whether the server is under stress or if the traffic rate exceeds the normal threshold.

  • Smaller Values:

    • For the Stress-based Detection mechanism, the threshold values for detection should be smaller than the corresponding vectors used in TPS-based Detection. This ensures that stress-based triggers occur before TPS-based detection, allowing for early mitigation.

2. Suspicious Criteria:

The Suspicious Criteria focuses on TPS-based detection, which looks for spikes in traffic that could indicate an ongoing attack.

  • TPS-based Detection:

    • This detection is primarily based on transactions per second (TPS), which measures the rate of requests sent to the web server. A high TPS rate could suggest a potential DDoS attack.

  • Client-side Detection:

    • This method analyzes the traffic from the client-side (e.g., IP address, cookies) to detect abnormal behavior or attack patterns.

  • Greater Values:

    • The TPS-based detection criteria should have higher values than those of Stress-based detection to ensure that TPS thresholds trigger only when significant traffic patterns are detected.

3. Anomaly Engine Interval Values:

The Anomaly Engine is responsible for analyzing traffic patterns over a period of time to determine if a request is legitimate or part of a potential attack. The interval settings for this engine are critical in setting how often traffic is analyzed and anomalies are detected.

  • Interval settings:

    • These settings control how frequently the Anomaly Engine checks for anomalies in the traffic. The interval values help balance real-time monitoring with system performance and resource consumption.

  • Important Consideration:

    • The interval values should be carefully configured to ensure that legitimate traffic is not mistakenly flagged while also ensuring that the system can respond to DDoS attacks quickly. F5 generally uses smaller intervals for more frequent checks, providing faster detection of suspicious traffic spikes.

Key Recommendations for Configuration:

  1. Fine-tuning Detection Criteria:

    • Adjust the latency and TPS-based thresholds based on historical traffic patterns to avoid false positives and ensure timely DDoS detection.

  2. Set Realistic Interval Values:

    • The interval values for anomaly detection should strike a balance between detection speed and system performance. Avoid too short an interval that could overload the system with excessive checks, but ensure it is short enough to detect attacks in a timely manner.

  3. Monitor Client-Side and Server-Side Metrics:

    • Use both client-side and server-side metrics to ensure comprehensive monitoring. Server-side metrics help detect stress on the web application, while client-side metrics are useful for identifying sources of suspicious traffic.

  4. Stress-based Detection:

    • Keep the stress-based detection values smaller than TPS values to ensure early intervention before a traffic spike overwhelms the server.

  5. Regularly Review and Adjust Criteria:

    • Regularly review and adjust the detection and suspicious traffic thresholds as your application traffic patterns evolve, ensuring continued DDoS protection efficacy.

PreviousImportant Tips about Security Policy in F5 ASM/AWAFNextTPS-based Attack Vectors and Stress-based Attack Vectors

Last updated 3 months ago