Forum Discussion
2 Replies
- nathe (Cirrocumulus)
Wasfi, F5's new Silverline ASM solution would be an alternative to Arbor's solution. I'm not fully aware of the whole feature set, but it's worth taking a look.
See:
https://f5.com/products/platforms/silverline
Hope this helps,
N
- samstep (Cirrocumulus)
I don't know how Arbor does what you are describing - it does not make much sense to me.
I think your ISP is going to be the first to know that your WAN link between them and you is flooded :)
Don't forget that it will be your ISP's switches and firewalls taking the extra traffic first before it reaches you.
You notifying your ISP that your pipe to them is overwhelmed is a bit like you calling your electricity company to tell them that you are consuming too much electricity and asking them to reduce the voltage :)
What ASM can do for you is rate-limit the traffic from the offending IP addresses or rate-limit the connections to the overwhelmed URL - this is all a part of the ASM DoS configuration:
If you need to notify some external system that you are under DoS attack, you can always use things like iRules/SNMP traps/e-mails/sideband connections to send a notification in the event of the DoS violations being triggered on your ASM.
These are the SNMP traps:
bigipAsmDosAttackDetected - DoS attack detected by Application Security Module
OID number: .1.3.6.1.4.1.3375.2.4.0.91
bigipAsmBruteForceAttackDetected - Brute force attack detected by Application Security Module
OID number: .1.3.6.1.4.1.3375.2.4.0.92
You can configure your network monitoring system to look for these SNMP traps to take necessary actions.
Also, if you are subscribed to a cloud-based DDoS protection service (the likes of Akamai/CloudFlare), they will detect and stop most of the attacks before they reach your network and ASM.
Hope this helps,
Sam
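
Added example (not part of the original posts and not F5 code): a monitoring-side handler that watches for the two trap OIDs listed in the reply above and raises one alert per device and trap type within a suppression window. It assumes input in the Net-SNMP snmptrapd traphandle layout (hostname line, transport-address line, then one "OID value" varbind per line) with numeric OIDs; the function and class names, the 300-second window and the sample trap are constructed for illustration.

```python
import sys
import time

# Trap OIDs quoted in the reply above (leading dot stripped for matching).
ASM_TRAPS = {
    "1.3.6.1.4.1.3375.2.4.0.91": "bigipAsmDosAttackDetected",
    "1.3.6.1.4.1.3375.2.4.0.92": "bigipAsmBruteForceAttackDetected",
}
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0 from SNMPv2-MIB

def parse_traphandle(text):
    """Parse traphandle-style input: hostname, transport address, 'OID value' lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("truncated trap input")
    varbinds = {}
    for ln in lines[2:]:
        oid, _, value = ln.partition(" ")
        varbinds[oid.lstrip(".")] = value.strip()
    return {"host": lines[0], "transport": lines[1], "varbinds": varbinds}

class AsmTrapAlerter:
    """Turn ASM traps into alerts, suppressing repeats per (host, trap) in a window."""
    def __init__(self, suppress_seconds=300):
        self.suppress_seconds = suppress_seconds
        self._last = {}  # (host, trap name) -> time of the last alert sent

    def handle(self, text, now):
        trap = parse_traphandle(text)
        trap_oid = trap["varbinds"].get(SNMP_TRAP_OID, "").lstrip(".")
        name = ASM_TRAPS.get(trap_oid)
        if name is None:
            return None  # not an ASM DoS or brute-force trap
        key = (trap["host"], name)
        if now - self._last.get(key, float("-inf")) < self.suppress_seconds:
            return None  # repeat inside the suppression window
        self._last[key] = now
        return f"{name} from {trap['host']} ({trap['transport']})"

# Constructed sample trap (hostname and addresses are documentation values).
SAMPLE = """bigip1.example.net
UDP: [192.0.2.10]:161->[192.0.2.1]:162
.1.3.6.1.2.1.1.3.0 0:1:02:03.04
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.3375.2.4.0.91
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(AsmTrapAlerter().handle(text, now=time.time()))
```

The suppression state lives in memory, so it only takes effect in a long-running receiver; a handler started once per trap would need to persist `_last` between runs.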