Manual Chapter : Exporting DoS Attacks via SNMP

Applies To:


BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0

Exporting DoS Attacks via SNMP

Exporting reported DoS attacks

Creating DoS alert rules allows you to export DoS attack data via SNMP. Alert rules export all or select DoS attacks detected across your managed BIG-IP devices.
To streamline exported attack information, you can configure alert rules using one or more of the following filters:
  • The BIG-IP device/device group that detects the attack
  • A known attack vector for a specific protocol
  • An attack that exceeds a specified amount of time
  • A minimum number of transactions per second (TPS) the attack sends in an attempt to access your protected object(s)
  • The interval at which updated alerts are re-sent over the duration of the attack
The alert rules do not filter or impact the DoS attack information listed in the DDoS dashboards or DoS events screens.

Viewing DoS Alert Rules in BIG-IQ

You can apply multiple rules to meet various security needs for your protected objects. Alerts are displayed on the system alerts screen (Monitoring > ALERTS & NOTIFICATIONS).

Create a DoS alert rule

You must have administrative or Network Security manager access privileges to create, modify, or delete a DoS attack alert rule.
You must configure an SNMP agent and SNMP traps to export DoS attack information from BIG-IQ. Refer to Configure BIG-IQ to Receive Event and Health Alerts from SNMP and SMTP.
By default, DoS Attack is enabled in your system Alert Settings (Monitoring > ALERTS & NOTIFICATIONS). If this setting is disabled, you will not receive DoS alerts.
Configure a rule that allows BIG-IQ to send alerts of DoS attacks via SNMP. After you create an alert rule, the matching attacks are exported to your designated SNMP agent.
  1. Go to Monitoring > Events > DoS > DoS Alert Rules.
  2. Click Add.
  3. In the Name field, type a unique name for your DoS alert rule.
  4. To collect attack information from a specific Device or Device Group, select an option from the Device Target field.
     The Device/Device Group field allows you to specify a managed object.
  5. Use the Attack Vector Protocol field to filter attacks by a specific vector, by selecting one of the DoS protection protocols: Application, DNS, or Network.
     The Attack Vector field allows you to specify an attack vector for the selected protocol.
  6. Use the TPS field to filter attacks by a minimum number of transactions per second by selecting Exceeds and entering a value.
  7. Use the Duration field to filter attacks by the minimum amount of time (in minutes) a DoS attack is sustained by selecting After and entering a value.
  8. Use the Resent After field to report the status of an ongoing DoS attack by specifying the number of minutes after which updated attack information is sent.
  9. Click Save & Close.
The new DoS alert rule appears in the DoS Alert Rules list.
To view attack alerts in BIG-IQ, go to Monitoring > ALERTS & NOTIFICATIONS and select DoS from the Type field.
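The following is an added example, not BIG-IQ's own code or API: a small Python model of how the five alert-rule filters above (Device Target, Attack Vector Protocol/Attack Vector, TPS Exceeds, Duration After, Resent After) combine to decide whether a detected attack is exported, and when an ongoing attack is re-exported. The rule and attack field names, the device-group mapping, and the sample attacks are all constructed for illustration.

```python
# Added example: models the filter semantics of a BIG-IQ DoS alert rule.
# Field names (device_target, tps_exceeds, ...) are assumptions for this
# illustration, not BIG-IQ's API. All sample data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DoSAttack:
    attack_id: str
    device: str             # managed BIG-IP device that detected the attack
    protocol: str           # "Application", "DNS" or "Network"
    vector: str             # attack vector label (constructed)
    tps: float              # transactions per second observed
    elapsed_minutes: float  # how long the attack has been sustained so far


@dataclass(frozen=True)
class AlertRule:
    name: str
    device_target: Optional[str] = None     # device or device-group name; None = any
    protocol: Optional[str] = None          # None = any protocol
    vector: Optional[str] = None            # None = any vector of that protocol
    tps_exceeds: Optional[float] = None     # export only if attack TPS > value
    duration_after: Optional[float] = None  # export only once sustained N minutes
    resend_after: Optional[float] = None    # re-export every N minutes while ongoing


def rule_matches(rule: AlertRule, attack: DoSAttack,
                 device_groups: Dict[str, Set[str]]) -> bool:
    """True when every configured filter on the rule accepts the attack."""
    if rule.device_target is not None:
        # A target may name a single device or a group of devices.
        members = device_groups.get(rule.device_target, {rule.device_target})
        if attack.device not in members:
            return False
    if rule.protocol is not None and attack.protocol != rule.protocol:
        return False
    if rule.vector is not None and attack.vector != rule.vector:
        return False
    if rule.tps_exceeds is not None and attack.tps <= rule.tps_exceeds:
        return False
    if rule.duration_after is not None and attack.elapsed_minutes < rule.duration_after:
        return False
    return True


def should_export(rule: AlertRule, attack: DoSAttack,
                  last_sent_minutes: Optional[float],
                  device_groups: Dict[str, Set[str]]) -> bool:
    """Decide whether to emit an SNMP alert for this attack now.

    last_sent_minutes is the attack's elapsed time at the previous export for
    this rule (None if never exported). Without Resent After a matching attack
    is exported once; with it, updated information goes out every N minutes.
    """
    if not rule_matches(rule, attack, device_groups):
        return False
    if last_sent_minutes is None:
        return True
    if rule.resend_after is None:
        return False
    return attack.elapsed_minutes - last_sent_minutes >= rule.resend_after


def alerts_to_export(rules: List[AlertRule], attack: DoSAttack,
                     sent_log: Dict[Tuple[str, str], float],
                     device_groups: Dict[str, Set[str]]) -> List[str]:
    """Return the names of rules that export this attack now, updating
    sent_log ({(rule name, attack id): elapsed minutes at last export})."""
    fired = []
    for rule in rules:
        key = (rule.name, attack.attack_id)
        if should_export(rule, attack, sent_log.get(key), device_groups):
            sent_log[key] = attack.elapsed_minutes
            fired.append(rule.name)
    return fired


# Constructed sample: one device group and two rules.
DEVICE_GROUPS = {"dc1-group": {"bigip-a", "bigip-b"}}
RULES = [
    AlertRule("dns-floods-dc1", device_target="dc1-group", protocol="DNS",
              tps_exceeds=1000, duration_after=2, resend_after=5),
    AlertRule("any-network", protocol="Network"),
]

if __name__ == "__main__":
    log: Dict[Tuple[str, str], float] = {}
    # The same DNS attack observed at 1, 2, 4 and 7 minutes of duration.
    for minutes in (1, 2, 4, 7):
        a = DoSAttack("atk-1", "bigip-a", "DNS", "DNS A Query", 5000, minutes)
        print(minutes, alerts_to_export(RULES, a, log, DEVICE_GROUPS))
```

Running the sample shows the Duration filter suppressing the first observation, the first export at 2 minutes, silence at 4 minutes, and a re-export at 7 minutes because Resent After is 5. An attack on a device outside the group never matches the first rule, and a rule without Resent After exports each attack only once.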

Modify DoS alert rules

You must have administrative or Network Security manager access privileges to create, modify, or delete a DoS attack alert rule.
You must configure an SNMP agent and SNMP traps to export DoS attack information from BIG-IQ. Refer to Configure BIG-IQ to Receive Event and Health Alerts from SNMP and SMTP.
Modify your DoS attack alerts by deleting or modifying DoS attack rules.
  1. Go to Monitoring > EVENTS > DoS > DoS Attack Rules.
  2. To delete an alert rule, select the check box next to the alert rule name, and click Delete.
  3. To modify an alert rule, click the name of the alert rule.
     The current alert rule configuration is displayed.
  4. Modify the settings as required.
  5. Click the Save & Close button.
Changes to your alert rules will modify the exported alert information.