Manual Chapter : Detecting DDoS Attack Impact

Applies To: BIG-IQ Centralized Management 7.0.0

Detecting DDoS Attack Impact

Detecting the impact of DDoS attacks on protected objects

The DoS profiles configured in Shared Security help prevent DoS (Denial of Service) attacks aimed at the resources that are used for serving the application (the web server, web framework, and the application logic). Ensure that your Network Security, Application Security, and DNS Security are mitigating distributed DoS (DDoS) attacks.
The following data view is only available for managed BIG-IP devices v13.1.0.8 or later. To view Network Firewall reports for BIG-IP devices prior to version 13.1.0.8, go to Monitoring > REPORTS > Security > Network Security > Reporting.
By isolating attacks, you can investigate whether you need to:
  • Adjust the protection mode of your DoS profile (mitigating as opposed to monitoring)
  • Edit or reassign a DoS profile
  • Configure additional resources for your BIG-IP devices to maintain their protection services

Isolate ongoing DDoS attacks

Before you can display statistics and protected objects in the Protection Summary screen, you must have:
  • A BIG-IQ data collection device configured for the BIG-IQ device
  • The BIG-IP device located in your network and running a compatible software version
  • Statistics collection enabled for managed BIG-IP devices
  • AVR provisioned on your BIG-IP devices
You isolate the recent and ongoing distributed denial of service (DDoS) attacks based on the target protocol and protection mode. You can use the filters on this screen to identify attacks that might impact your protected objects or BIG-IP devices. Once you isolate an attack that impacts your system objects, you can further evaluate whether mitigation is necessary.
  1. Go to Monitoring > DASHBOARDS > DDoS > Protection Summary.
  2. Locate the ATTACKS area at the top left side of the screen to view a summary of all ongoing DDoS attacks.
  3. To filter DDoS attacks by the targeted protocol, select HTTP, Network, or DNS.
    The attack information that is displayed varies according to your security provisioning and the BIG-IP software version reporting the attack's data.
  4. To isolate attacks by severity, select one of the severity levels from ATTACK SEVERITY.
    • The Warning alert. The attack's details indicate that a non-mitigated attack would have a moderate impact on your protected objects.
    • The Critical alert. The attack's details indicate that a non-mitigated attack would have a critical impact on your protected objects.
  5. To filter attacks by protection mode, specify how to view them:
    • Click Mitigated to view attacks detected by a DoS profile that is configured to mitigate or block traffic recognized as an attack.
    • Click Not Mitigated to view attacks detected by a DoS profile that is configured only to monitor traffic recognized as an attack.
Next, you can identify the status of protected objects and BIG-IP devices that have reported DoS attacks. With this information, you can evaluate the performance impact of the attack, and whether you need to edit your DoS profile's security configuration.

Protection modes against DDoS attacks

The attack protection mode indicates whether your DoS profile's configuration mitigates or monitors detected attacks based on the security services provisioned on your BIG-IP devices (ASM, DNS, and AFM).

Mitigated

The DoS profile that reported the attack has at least one mitigating element:
  • HTTP protocol (Application Security): One or more operation modes is configured to Blocking.
  • DNS protocol or Network protocol: One or more attack type states is configured to Mitigate.

Not Mitigated

The DoS profile that reported the attack has at least one monitoring element, and no mitigating elements:
  • HTTP protocol (Application Security): One or more operation modes is configured to Transparent.
  • DNS protocol or Network protocol: One or more attack type states is configured to Detect Only or Learn Only.
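The two rules above decide how a profile is labelled, and a profile with even one mitigating element counts as Mitigated regardless of how many monitoring elements it also has. The following added example (not BIG-IQ code; the profile dictionary shape and the element names in the sample are assumed) implements that classification so a set of profiles can be audited for ones that only monitor:

```python
# Added example, not from the BIG-IQ manual: classify a DoS profile's
# protection mode with the rules above. The profile dictionary shape is assumed.
from typing import Optional

HTTP_MITIGATING, HTTP_MONITORING = {"Blocking"}, {"Transparent"}
NET_MITIGATING, NET_MONITORING = {"Mitigate"}, {"Detect Only", "Learn Only"}

def protection_mode(profile: dict) -> Optional[str]:
    """Return 'Mitigated', 'Not Mitigated', or None when no DoS element is configured.

    Assumed shape: {"http": {operation: mode}, "dns": {attack_type: state},
                    "network": {attack_type: state}}; any key may be absent.
    """
    mitigating = monitoring = False
    for mode in profile.get("http", {}).values():     # Application Security operation modes
        mitigating |= mode in HTTP_MITIGATING
        monitoring |= mode in HTTP_MONITORING
    for proto in ("dns", "network"):                  # DNS / Network attack type states
        for state in profile.get(proto, {}).values():
            mitigating |= state in NET_MITIGATING
            monitoring |= state in NET_MONITORING
    if mitigating:   # a single mitigating element makes the whole profile "Mitigated"
        return "Mitigated"
    if monitoring:   # monitoring elements only, no mitigating element
        return "Not Mitigated"
    return None

def not_mitigated_profiles(profiles: dict) -> list:
    """Audit helper: names of profiles that would only monitor, not block, attacks."""
    return sorted(name for name, p in profiles.items() if protection_mode(p) == "Not Mitigated")

# Constructed sample profiles (names and element labels are illustrative)
SAMPLE_PROFILES = {
    "dos_web_prod": {"http": {"TPS-based": "Blocking", "Behavioral": "Transparent"}},
    "dos_web_stage": {"http": {"TPS-based": "Transparent"}},
    "dos_dns_edge": {"dns": {"A query": "Detect Only", "PTR query": "Learn Only"}},
    "dos_net_edge": {"network": {"ICMP flood": "Mitigate", "SYN flood": "Detect Only"}},
}
```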

DDoS attack severity

The severity assigned to the DDoS attacks displayed in the Protection Summary screen (Monitoring > DASHBOARDS > DDoS > Protection Summary) has either a Critical or Warning attack score. The score reflects the recently reported correlated attack with the highest attack severity. Severity is based on the following criteria.

Detection Mode

The attack's detection mode (trigger) influences the weight of the attack severity.

IP Ratio

The ratio of distinct attacking client IP addresses to all client IP addresses processed. A larger number of attacking IP addresses indicates a more widely distributed attack.

Mitigated traffic

The ratio of mitigated traffic out of all traffic processed.

Rules for correlated DoS attacks

Attacks detected from multiple BIG-IP devices may be correlated with an ongoing attack if they meet the following criteria, per security protocol. You can view correlated attack alerts either in the Attack Details screen (Monitoring > DASHBOARDS > DDoS > Protection Summary > <Attack_ID>) or in the Alert History screen (Applications > ALERT MANAGEMENT > Alert History).

HTTP

Reported HTTP attacks correlate if they share the following characteristics:
  • DoS Profile name
  • Device Service Cluster (DSC) name
  • Application

DNS

Reported DNS attacks correlate if they share the following characteristics:
  • DoS Profile name
  • Virtual server name or Device Sync Group
  • Device Service Cluster (DSC) name

Network

Reported Network attacks correlate if they share the following characteristics:
  • DoS Profile name
  • Virtual server name
    A network attack at the device level correlates attacks using the virtual server name Device.
  • Device Service Cluster (DSC) name

DDoS attack events

The BIG-IP system defines an attack by assigning an attack ID. The shared characteristics within the DDoS attack's data can correlate different attack IDs across a BIG-IP system environment (see Rules for correlated DoS attacks). These correlated attacks trigger events that allow you to evaluate a single attack's overall status, severity, and system impact. Attack inactivity indicates the end of a DDoS attack, which triggers a cleared event.

Raw attack events

Raw attack events report on the basis of a single attack ID reported by the BIG-IP system. Any changes in a raw attack's dimensions or severity are reflected in the raw attack events.

Correlated attack events

Correlated attack events report on the basis of the raw attack events that comprise a single correlated attack. Correlated events occur as a result of significant modifications to an attack's state across your BIG-IP system environment.
The following modifications change the correlated attack state:
  • A change in the highest reported status out of the active raw attacks that comprise the correlated attack:
    • Attack severity
    • Attack mitigation (this also impacts the corresponding attack trigger).
  • The correlated attack was detected by an additional BIG-IP blade or hostname.
  • The addition or removal of a raw attack.
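The correlation rules per protocol (Rules for correlated DoS attacks) and the state changes listed above can be reproduced offline, which is useful when checking why two attack IDs did or did not end up in one correlated attack. The following added example (not BIG-IQ code; the raw event field names and the sample events are assumed and constructed) groups raw attack IDs by the protocol-specific shared characteristics, then derives the correlated state whose change would trigger a correlated event:

```python
# Added example, not from the BIG-IQ manual: group raw attack IDs into
# correlated attacks and derive the correlated state. Event fields are assumed.
from collections import defaultdict

SEVERITY_RANK = {"Warning": 1, "Critical": 2}

def correlation_key(ev: dict) -> tuple:
    """Shared characteristics that make two raw attacks one correlated attack."""
    proto, profile, dsc = ev["protocol"], ev["dos_profile"], ev["dsc"]
    if proto == "HTTP":
        return (proto, profile, dsc, ev["application"])
    if proto == "DNS":  # virtual server name or device sync group
        return (proto, profile, ev.get("virtual_server") or ev.get("sync_group"), dsc)
    if proto == "Network":  # device-level attacks use the virtual server name "Device"
        return (proto, profile, ev.get("virtual_server") or "Device", dsc)
    raise ValueError(f"unknown protocol {proto!r}")

def correlate(raw_events: list) -> dict:
    """Map each correlation key to the raw events that make up that correlated attack."""
    groups = defaultdict(list)
    for ev in raw_events:
        groups[correlation_key(ev)].append(ev)
    return dict(groups)

def correlated_state(raw_events: list) -> dict:
    """Fields whose change triggers a correlated attack event (cleared raw attacks ignored)."""
    active = [e for e in raw_events if not e.get("cleared")]
    return {
        "severity": max((e["severity"] for e in active), key=SEVERITY_RANK.get, default=None),
        "mitigated": any(e["mitigated"] for e in active),
        "hosts": frozenset(e["hostname"] for e in active),
        "attack_ids": frozenset(e["attack_id"] for e in active),
    }

def state_changed(before: list, after: list) -> bool:
    """True when a correlated event would be emitted for the transition."""
    return correlated_state(before) != correlated_state(after)

# Constructed sample raw events: two HTTP attack IDs from two devices in one DSC
# hitting the same application, plus a device-level Network attack.
RAW = [
    {"attack_id": "1001", "protocol": "HTTP", "dos_profile": "dos_web", "dsc": "dsc-1",
     "application": "shop", "hostname": "bigip-a", "severity": "Warning", "mitigated": False},
    {"attack_id": "2002", "protocol": "HTTP", "dos_profile": "dos_web", "dsc": "dsc-1",
     "application": "shop", "hostname": "bigip-b", "severity": "Critical", "mitigated": True},
    {"attack_id": "3003", "protocol": "Network", "dos_profile": "dos_net", "dsc": "dsc-1",
     "virtual_server": None, "hostname": "bigip-a", "severity": "Warning", "mitigated": False},
]
```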