Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

TPS-based Attack Vectors and Stress-based Attack Vectors

F5 ASM/AWAF employs several strategies to mitigate DDoS and other traffic-based attacks, including TPS-based and Stress-based attack vectors. These vectors identify and manage suspicious traffic based on different criteria and apply mitigation techniques to protect the web application and infrastructure.

TPS-based Attack Vectors:

TPS (Transactions Per Second) attack vectors are designed to detect and block excessive requests from various sources based on their rate of traffic. These are the key methods for mitigating TPS-based attacks:

  1. By Source IP:

    • Mitigation Methods: The system can apply three different mitigation techniques to offending IP addresses that generate excessive requests.

  2. By Device ID:

    • Mitigation Methods: The system can track requests from specific device IDs (often tied to user-agent or fingerprinting) and apply three different mitigation methods to manage excessive traffic from these devices.

  3. By Geolocation:

    • Country-based Blocking: The system uses geolocation data to determine whether traffic from a specific country should be treated as suspicious or part of an attack. Mitigation can be applied to countries that generate abnormal traffic levels.

  4. By URL:

    • Specific URL Protection: This method focuses on detecting and mitigating excessive requests to specific URLs. If a URL is being targeted with high TPS, mitigation can be applied to prevent overloading the application.

  5. Site-Wide:

    • Entire Site Mitigation: This method monitors and mitigates traffic across the entire Virtual Server or website. If the overall TPS exceeds thresholds, mitigation can be applied site-wide.

Stress-based Attack Vectors:

Stress-based attack vectors focus on detecting and mitigating server-side stress caused by excessive or abnormal traffic. These vectors provide different approaches to identify and mitigate attacks that cause resource exhaustion on the application or server.

  1. By Source IP:

    • Similar to TPS-based mitigation, this approach applies mitigation techniques to offending IP addresses that cause excessive stress on the server by generating high traffic.

  2. By Device ID:

    • Identifies stress caused by specific devices (through device IDs) and applies mitigation measures for abnormal traffic patterns originating from these devices.

  3. By Geolocation:

    • Similar to the TPS-based geolocation method, this strategy can apply mitigation to traffic from specific countries that exhibit behavior associated with attack traffic.

  4. By URL:

    • This method focuses on detecting stress caused by high traffic targeting specific URLs, applying mitigation to prevent the server from being overwhelmed by requests to those URLs.

  5. Site-Wide:

    • Mitigation can also be applied site-wide (across the entire virtual server) based on excessive stress detected in the system, ensuring that the entire application or site does not get affected by an overload of traffic.

  6. Behavioral:

    • Behavioral Stress Detection: This approach uses the Anomaly Detection Engine to monitor the normal traffic behavior of the application. If traffic deviates from expected patterns, suggesting stress, the system can trigger mitigation.

    • The Behavioral DoS (BaDoS) feature is a self-adjusting and adaptive engine that measures normal traffic behavior and applies mitigation techniques when server stress occurs.

Behavioral DoS (BaDoS):

Behavioral DoS (BaDoS) is an advanced feature that analyzes the normal traffic patterns to the server and uses this baseline to detect and mitigate potential Denial of Service (DoS) attacks based on observed deviations.

  1. 4 Available Mitigation Options:

    • No Mitigation (Default): No action is taken, and normal traffic continues.

    • Conservative: A more cautious approach to mitigation, reducing traffic volume gradually and avoiding false positives.

    • Standard: The default mitigation option that balances between performance and aggressive mitigation.

    • Aggressive: This method aggressively blocks or rate-limits offending traffic to prevent service degradation.

  2. Self-Adjusting and Adaptive:

    • The BaDoS engine adapts to changing traffic patterns, adjusting its mitigation techniques based on observed traffic shifts. This helps ensure that legitimate traffic is not mistakenly blocked, while still responding to abnormal spikes that could indicate a DoS attack.

Summary of Key Concepts:

  • TPS-based Attack Vectors: Focus on blocking or mitigating attacks based on excessive requests per second from various sources, including IP addresses, device IDs, geolocation, specific URLs, and site-wide traffic.

  • Stress-based Attack Vectors: Focus on detecting and mitigating server overloads caused by excessive traffic. These vectors also address source IP, device ID, geolocation, URLs, and site-wide traffic, with an additional behavioral detection method that identifies deviations from normal traffic behavior.

  • BaDoS (Behavioral DoS): A dynamic, self-adjusting feature that uses the system’s baseline traffic patterns to detect and mitigate potential DoS attacks based on abnormal traffic behavior. It offers different levels of mitigation, from No Mitigation to Aggressive.

PreviousL7 DDoS Attack Protection ConfigurationNextMitigation Techniques for DoS and Bot Protection

Last updated 3 months ago