Any resource to learn the database key value of F5 BIG-IP ASM DoS protection
Hello Everyone,
Greetings!
There have been a lot of false positives regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specific threshold values causing false positives in behavioral and L7 DoS attacks. I came across an article suggesting adjusting the 'adm.health.sensitivity' database key to mitigate false positives. Ref: https://my.f5.com/manage/s/article/K21040310
I'm seeking resources or a list detailing the functionality of such database keys within F5 BIG-IP ASM, and any methods to monitor and modify those parameter values based on the client request, especially concerning behavioral protection in F5 BIG-IP ASM DoS protection.
Any guidance or shared knowledge on this matter would be immensely appreciated.
There is no single document I have seen that describes the function of all the sys db variables. What I do when I need one is get a list and try to find the closest match on the words; for example, for ASM modules I keep searching the different variables for the keyword asm.
These keys and their default values can be viewed via tmsh: tmsh list sys db [DB KEY]
These keys can be modified as follows: tmsh modify sys db [DB KEY] value [VALUE]
Note: DB key values are automatically applied to a system without the need for a save sys config.
On v16.1.4.1 you can see all SYS DB parameters using the following command in TMSH mode:
list sys db
Display all 2509 items? (y/n) y
Once you select the parameter take a backup or note down the default value before changing.
Once done, you can change the parameter in tmsh mode using the following:
modify sys db
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db as
Configuration Items:
asm.asm_malicious_sources_monitoring_interval
asm.brute_force_bypass_non_qualified_url
asm.brute_force_end_attack_verification_time
asm.brute_force_max_tmstat_entries
asm.brute_force_monitoring_interval
asm.connlimit
asm.cookie_prefix
asm.cookie_revision_base
asm.cookie_suffix_base
asm.credential_stuffing_service
asm.cs_challenge_length
asm.cs_qualified_urls
asm.cshui_susp_event_bot_score
asm.csrf_rerun_interval
asm.fastl4_allow
asm.fictive_url
asm.http_security_headers
asm.ignore_bewaf
asm.inject_apm_do_not_touch
asm.inject_referrer_hook
asm.mobile_ua
asm.restrict_asm_logs_access
asm.risk_engine.salt.restart
asm.session_transactions_sampling_rate
asm.strict_transport_policy
asm.strip_asm_cookies
asm.time_to_free_idle_umus_in_sec
asmconffailure.enabled
asmconffailure.haaction.primary
asmconffailure.haaction.secondary
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
Display all 2509 items? (y/n) n
Options:
reset-to-default
Properties:
value {
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
The following DB keys were added in version 14, to make our captcha feature more robust:
sys db dosl7.captcha_case_sensitivity { default-value "disable" scf-config "true" value "disable" value-range "disable enable" }
sys db dosl7.captcha_challenge_type { default-value "characters" scf-config "false" value "characters" value-range "arithmetic characters random" }
sys db dosl7.captcha_characters_pool { default-value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789" scf-config "true" value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789" value-range "string" }
sys db dosl7.captcha_length_max { default-value "6" scf-config "true" value "6" value-range "unsigned integer min:1 max:10" }
sys db dosl7.captcha_length_min { default-value "6" scf-config "true" value "6" value-range "unsigned integer min:1 max:10" }
sys db dosl7.captcha_lines_max { default-value "5" scf-config "true" value "5" value-range "unsigned integer min:0 max:20" }
sys db dosl7.captcha_lines_min { default-value "5" scf-config "true" value "5" value-range "unsigned integer min:0 max:20" }
sys db dosl7.captcha_max_cpu_prc { default-value "90" scf-config "true" value "90" value-range "unsigned integer min:0 max:100" }
sys db dosl7.captcha_noise_max { default-value "2" scf-config "true" value "2" value-range "unsigned integer min:0 max:10" }
sys db dosl7.captcha_noise_min { default-value "2" scf-config "true" value "2" value-range "unsigned integer min:0 max:10" }
sys db dosl7.captcha_perturbation_max { default-value "85" scf-config "true" value "85" value-range "unsigned integer min:10 max:100" }
sys db dosl7.captcha_perturbation_min { default-value "85" scf-config "true" value "85" value-range "unsigned integer min:10 max:100" }
sys db dosl7.captcha_transparency_percentage_max { default-value "20" scf-config "true" value "20" value-range "unsigned integer min:0 max:85" }
sys db dosl7.captcha_transparency_percentage_min { default-value "20" scf-config "true" value "20" value-range "unsigned integer min:0 max:85" }
These are the DoS-related SYS DB settings that you can search further.
Hi Nishal_Rai, F5_Design_Engineer provides some great information here. There isn't a catch-all document that describes all the db keys, and I'd be cautious to mess around with any of them, particularly in a production environment, that aren't documented in a knowledge article on MyF5 or covered in an article here on DevCentral without the guidance of a support exchange.
It's a seen behavior, caused by a known issue tracked as bug ID 922597; I'm not sure which OS version you are using in your environment.
For older software versions the default adm.health.sensitivity value is 50. In newer versions it was increased to 500 in order to minimize false positives.
Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites
In my test box (16.1.4.1) it has already been fixed, with the default value being 500:
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db adm.health.sensitivity value
sys db adm.health.sensitivity { value "500" }
Recommended Actions
If your db parameter value is anything other than 500, then you may have to modify the default sensitivity value from 50 to 500, sometimes even to 1000; you need to find out the suitable number for your environment. Try first with 500; if that does not work you can try increasing this value.
Connect to CLI
First check the sensitivity value:
tmsh list sys db adm.health.sensitivity value
Change the sensitivity value to 500
tmsh modify sys db adm.health.sensitivity value 500
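As an added example that is not part of this thread and is not F5's own tooling: the two procedures above (list a key, note its value before changing it, then modify it) can be wrapped in a small bash helper that takes a `list sys db` listing in the full form shown earlier in the thread (with default-value and value), reports which keys have been changed from their defaults, prints the current value of one key, and generates the rollback commands you would keep before touching anything. The sample listing is constructed, not captured from a real BIG-IP; the adm.health.sensitivity value-range in it is a placeholder, and the `all-properties` argument mentioned in the comments is assumed to produce this full form.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or from F5): audit "tmsh list sys db" output
# for keys changed from their defaults and prepare rollback commands before editing.

# Constructed sample listing in the full form shown in the thread. It is not captured
# from a real BIG-IP, and the adm.health.sensitivity value-range is a placeholder.
SAMPLE_DB_LISTING='sys db adm.health.sensitivity { default-value "500" scf-config "true" value "1200" value-range "unsigned integer" }
sys db dosl7.captcha_case_sensitivity { default-value "disable" scf-config "true" value "disable" value-range "disable enable" }
sys db dosl7.captcha_length_max { default-value "6" scf-config "true" value "6" value-range "unsigned integer min:1 max:10" }
sys db dosl7.captcha_max_cpu_prc { default-value "90" scf-config "true" value "75" value-range "unsigned integer min:0 max:100" }'

# Read a listing on stdin; print "KEY default=D current=C" for each key whose
# current value differs from its default. Keys without a default-value are skipped.
changed_db_keys() {
    awk '
    # Pull one quoted property (e.g. default-value "500") out of the current line.
    function prop(name,    re) {
        re = "[{ ]" name " \"[^\"]*\""
        if (match($0, re))
            return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        return ""
    }
    /^sys db / {
        def = prop("default-value"); cur = prop("value")
        if (def != "" && def != cur)
            printf "%s default=%s current=%s\n", $3, def, cur
    }'
}

# Read a listing on stdin; print the current value of the key given as $1.
db_current_value() {
    awk -v key="$1" '
    /^sys db / && $3 == key && match($0, /[{ ]value "[^"]*"/) {
        print substr($0, RSTART + 8, RLENGTH - 9)
    }'
}

# Read a listing on stdin; print one "tmsh modify sys db KEY value ..." line per key
# that restores its current value. Save this output before changing anything.
db_rollback_commands() {
    awk '
    /^sys db / && match($0, /[{ ]value "[^"]*"/) {
        printf "tmsh modify sys db %s value \"%s\"\n", $3, substr($0, RSTART + 8, RLENGTH - 9)
    }'
}

# Demonstration on the constructed sample. On a BIG-IP, replace the printf with the
# real listing, e.g. "tmsh list sys db dosl7.* all-properties" (assumed to give this form).
printf '%s\n' "$SAMPLE_DB_LISTING" | changed_db_keys
printf '%s\n' "$SAMPLE_DB_LISTING" | db_rollback_commands
```

On the sample, `changed_db_keys` reports only adm.health.sensitivity (1200 vs default 500) and dosl7.captcha_max_cpu_prc (75 vs 90), which is the drift report you want to see before raising the sensitivity further; the rollback lines are plain `tmsh modify sys db ... value ...` commands in the same syntax the post above uses, so they can be pasted back if a change makes detection worse rather than better.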
Thank you for the links about the bugs in f5 big-ip causing false positives in ASM DoS protection.
Are there any other bugs triggering such false positives in F5 ASM DoS protection, like the one you've mentioned above?
The current version of F5 BIG-IP is 16.1.4.1, and similar L7 DoS false positives are being triggered:
Regarding the adm.health.sensitivity value, the value by default was 500, and the issue still persisted when I modified to 1000, so I increased it to 1200.
I just want to know whether this change affects all the enforced DoS profiles; if so, can I specify a particular DoS profile to enforce such a custom value on, where most of the false positives get triggered?
Since the global change in the sensitivity level might affect the ability of the other enforced DoS profile services to accurately identify L7 DoS attacks.