Forum Discussion

6 Replies

  • Most features can be configured to block or limit based on source IP as well as other criteria so that genuine users are not affected. Whitelisting is also possible to ensure identified genuine users are not affected.
  • The point is, when thresholds are reached ASM will block all IPs, attackers and non-attackers. Does ASM have a mechanism to differentiate between attackers and non-attackers during a DDoS?
  • So for DoS protection on the ASM there are two thresholds.

    Per IP

    In this case the ASM will block only the offending IP that crosses the latency or TPS threshold that you have set for an individual IP address.

    Per URL:

    In this case my understanding is that once the total latency or TPS threshold is crossed for a single URL, the ASM will throttle requests to the historical average. I do not believe there is delineation between attacking IP addresses and legitimate traffic, as it is just looking at traffic rates to a single URL on your site and trying to keep those in check. This way some legitimate traffic should get through but most likely some will get stopped.

    The protection on the ASM seems to me to be more DoS related rather than DDoS related.
  • Thanks, but the F5 documents say that it is DDoS prevention, not only DoS, so that is why I was asking ...
  • How the ASM responds to a DoS attack depends on the Prevention Policy configuration:

    - If you select 'Source IP-Based Rate Limiting', then only offending IP addresses are affected.

    - If you select 'Source IP-Based Client-Side Integrity Defense', then offending IP addresses will have their connections evaluated.

    Choosing either of the two methods above will allow you to configure the IP Detection Criteria values.

    - If you select 'URL-Based Rate Limiting', then all connections made to a particular URL will be affected, including both normal and exploit-related traffic.

    - If you select 'URL-Based Client-Side Integrity Defense', then all connections to a particular URL will be evaluated, presumably affecting only those sessions coming from bots/scripts.

    Choosing either of the two methods above will allow you to configure the URL Detection Criteria values.

    'URL-Based Client-Side Integrity Defense' is your best choice if you are looking for Distributed DoS protection.

  • Hi All,

    I have a question on the below info.

    Per URL:

    In this case my understanding is that once the total latency or TPS threshold is crossed for a single URL, the ASM will throttle requests to the historical average. I do not believe there is delineation between attacking IP addresses and legitimate traffic, as it is just looking at traffic rates to a single URL on your site and trying to keep those in check. This way some legitimate traffic should get through but most likely some will get stopped.

    We are testing some F5 ASM URL-based throttling rules on F5 to protect our backend servers.

    Every time F5 detects the DoS attack, it starts allowing approx. 3-5 TPS of traffic to the backend servers. So I do not understand on what basis it is arriving at that figure.

    Also, please provide me the following info:

    Where can I check the historical average parameter on the F5 server? And

    Is there any way to modify/clear the same? If yes, how?

    Regards

    Govindraj B H
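
Added example, not part of the thread and not F5 code: a simplified Python model of the per-IP and per-URL thresholds described in the replies above, run against a single-source flood and a distributed one. The proportional throttle, the threshold values and all traffic figures are constructed assumptions.

```python
# Simplified model of the two threshold types described in the thread.
# Not F5 code: the thresholds, the proportional throttle and all traffic
# figures below are constructed assumptions.

def per_ip_limit(tps_by_ip, ip_threshold):
    """Block only sources whose own rate crosses the per-IP threshold."""
    return {ip: (0.0 if tps > ip_threshold else float(tps))
            for ip, tps in tps_by_ip.items()}

def per_url_limit(tps_by_ip, url_threshold, historical_avg):
    """Once the URL's total rate crosses the threshold, admit only the
    historical average in total, without regard to the source."""
    total = sum(tps_by_ip.values())
    if total <= url_threshold:
        return {ip: float(tps) for ip, tps in tps_by_ip.items()}
    scale = historical_avg / total
    return {ip: tps * scale for ip, tps in tps_by_ip.items()}

def summarize(admitted, legit_ips):
    """Return (legitimate TPS admitted, attack TPS admitted), rounded."""
    legit = sum(v for ip, v in admitted.items() if ip in legit_ips)
    attack = sum(v for ip, v in admitted.items() if ip not in legit_ips)
    return round(legit, 1), round(attack, 1)

# Constructed traffic for one URL: 30 legitimate clients at 3 TPS each.
LEGIT = {f"user-{i}": 3 for i in range(30)}
# Single-source DoS: one address sending 500 TPS.
SINGLE = {**LEGIT, "attacker-0": 500}
# Distributed DoS: 100 addresses at 5 TPS each, all under the per-IP limit.
DISTRIBUTED = {**LEGIT, **{f"bot-{i}": 5 for i in range(100)}}

def run(traffic):
    legit_ips = set(LEGIT)
    return {
        "per_ip": summarize(per_ip_limit(traffic, ip_threshold=50), legit_ips),
        "per_url": summarize(
            per_url_limit(traffic, url_threshold=200, historical_avg=90),
            legit_ips),
    }

if __name__ == "__main__":
    for name, traffic in (("single", SINGLE), ("distributed", DISTRIBUTED)):
        print(name, run(traffic))
```

In this model the per-IP limit removes the single noisy source but passes the distributed flood untouched, because no individual address crosses its threshold. The per-URL throttle caps backend load in both cases but admits legitimate and attack requests in the same proportion.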