Forum Discussion

Nishal_Rai's avatar
Nishal_Rai
Icon for Cirrocumulus rankCirrocumulus
Jun 27, 2023

ASM L7 DoS email alert

Hello Everyone,  Greetings! I've been trying to configure email notifcation when ASM L7 DoS event is triggered in F5 BIG-IP. And as far the configration goes are mentioned below: Created a...
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Jun 28, 2023

    Hi Nishal_Rai , 
    For your inquiry about how bigip AWAD L7 DDoS use the rate-limit prevention.....

    Well , 
    First you have two concepts >>> Detection interval & historical interval 
    Detection interval >>> Avg of TPS in last 10 sec
    Historical interval >>> Avg of TPS in last 1 hour ( Which should be the Legitimate TPS ) 
    Both of intervals updated each 10 sec. 

    Bigip Rate-limit by using simple equation : ( Historical intrval TPS + Configured threshold ) /2 
    For Example : 
    If you configured absolute threshold >> 200 TPS ( Like diagram you have sent above ). 
    and Let we assume historical intraval ( AVG TPS within hour ) >>> 100 TPS 
    So Bigip will rate-limit to 150 TPS. 

    Bigip will rate-limit if the TPS exceeded the absolute threshold , or if the ( Relative threshold + at least TPS ) violated. 

    > btw , you can review it from logs when attack started you can observe the Limit which bigip used when this attack started. 
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    What is the Rate-limit mechanism , I have tested it before I will tell you my findings >>> 
    you have an option to record traffic in your AWAF DDOS profile , Bigip starts to record traffic ( Taking tcpdump ). 
    while looking at recorded Packet capture ( when Attack started ) you will find much traffic receiving RST Packets from Bigip and some samples receive normal responses ( 200 OK ) therefore when using ( Rate-limit ) as a prevension method >>> much traffic will be Reseted from Bigip ip while some of these requests will path through  bigip normally. 

    The Key difference between ( Block ALL and Rate limit ) >>> Block all will show you at Recorded Packet capture file when attack start >> All Traffic from specific source are reseted ( RST Flag enabled ) no traffic Path through bigip , in the other hand ( Rate-limit ) Like I discribed above. 

    Let me know if you have further queries , I will be happy to think with you ^_^