Manual Chapter :
Exporting DoS Attacks via SNMP
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Exporting reported DoS attacks
Creating DoS alert rules allows you to export DoS attack data via SNMP. Alert rules export all or select DoS attacks detected across your managed BIG-IP devices.
To streamline exported attack information, you can configure alert rules using one or more of the following filters:
- The BIG-IP device/device group that detects the attack
- A known attack vector for a specific protocol
- An attack that exceeds a specified amount of time
- A minimum number of transactions per second (TPS) the attack sends in an attempt to access your protected object(s)
- How often updated alerts are re-sent over the duration of the attack
The alert rules do not filter or impact the DoS attack information listed in the DDoS dashboards or DoS events screens.
Viewing DoS Alert Rules in BIG-IQ
You can apply multiple rules to meet various security needs for your protected objects. Alerts are displayed on the system alerts screen ( ).
Create a DoS alert rule
You must have administrative or Network Security manager access privileges to create, modify, or delete a DoS attack alert rule.
You must configure an SNMP agent and SNMP traps to export DoS attack information from BIG-IQ. Refer to Configure BIG-IQ to Receive Event and Health Alerts from SNMP and SMTP.
By default, DoS Attack is enabled in your system Alert Settings ( ). If this setting is disabled, you will not receive DoS alerts.
Configure a rule that allows BIG-IQ to send alerts of DoS attacks via SNMP. After you create an alert rule, the matching attacks are exported to your designated SNMP agent.
- Go to.
- Click Add.
- In the Name field, type a unique name for your DoS alert rule.
- To collect attack information from a specific Device or Device Group, select an option from the Device Target field. The Device/Device Group field allows you to specify a managed object.
- Use the Attack Vector Protocol field to filter attacks by a specific vector, by selecting one of the DoS protection protocols: Application, DNS, or Network. The Attack Vector field allows you to specify an attack vector for the selected protocol.
- Use the TPS field to filter attacks by a minimum number of transactions per second, by selecting Exceeds and entering a value.
- Use the Duration field to filter attacks by the minimum amount of time (in minutes) a DoS attack is sustained, by selecting After and entering a value.
- Use the Resent After field to report the status of an ongoing DoS attack, by specifying the number of minutes between updated attack information.
- Click Save & Close.
The new DoS alert rule appears in the DoS Alert Rules list.
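As an added illustration (not F5's code, and not how BIG-IQ is implemented), the following Python models how the filters above decide which attacks are exported and when: the static filters (Device Target, Attack Vector Protocol, Attack Vector, TPS Exceeds) and the timing filters (Duration After, Resent After). The attack record format, field names and sample attacks are assumptions constructed for the example.

```python
# Added model of the DoS alert rule filters described above (illustrative,
# not F5's code). Field names and the attack record format are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class DoSAlertRule:
    name: str
    device: Optional[str] = None        # Device Target: device or device group
    protocol: Optional[str] = None      # Attack Vector Protocol: Application, DNS, Network
    vector: Optional[str] = None        # Attack Vector within that protocol
    tps_exceeds: Optional[int] = None   # TPS: Exceeds <value>
    duration_after: int = 0             # Duration: After <minutes>
    resent_after: Optional[int] = None  # Resent After: update every <minutes>

    def matches(self, attack: dict) -> bool:
        """Static filters: every filter that is set must match the attack."""
        for key in ("device", "protocol", "vector"):
            if getattr(self, key) and attack[key] != getattr(self, key):
                return False
        return self.tps_exceeds is None or attack["tps"] > self.tps_exceeds

    def alert_minutes(self, attack: dict) -> list:
        """Minutes after attack start at which an alert is exported: once Duration
        is reached, then every Resent After minutes while the attack continues."""
        if not self.matches(attack) or attack["duration_min"] < self.duration_after:
            return []
        times = [self.duration_after]
        if self.resent_after:
            t = self.duration_after + self.resent_after
            while t <= attack["duration_min"]:
                times.append(t)
                t += self.resent_after
        return times

# Constructed sample attacks (not real data): what a BIG-IP might report.
SAMPLE_ATTACKS = [
    {"id": "a1", "device": "dc1", "protocol": "DNS", "vector": "A Query", "tps": 5000, "duration_min": 12},
    {"id": "a2", "device": "dc2", "protocol": "Network", "vector": "SYN Flood", "tps": 800, "duration_min": 3},
    {"id": "a3", "device": "dc1", "protocol": "DNS", "vector": "A Query", "tps": 100, "duration_min": 30},
]

def exported_alerts(rule: DoSAlertRule, attacks=SAMPLE_ATTACKS) -> dict:
    """Map attack id -> alert times, for only the attacks the rule exports."""
    return {a["id"]: m for a in attacks if (m := rule.alert_minutes(a))}

if __name__ == "__main__":
    rule = DoSAlertRule("dns-sustained", protocol="DNS", tps_exceeds=1000,
                        duration_after=5, resent_after=3)
    print(exported_alerts(rule))  # {'a1': [5, 8, 11]}
```

A rule with no filters set exports every attack once, at minute 0, which is why narrowing by TPS and Duration is what keeps short, low-volume events out of the SNMP feed.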
To view attack alerts in BIG-IQ, go to ( ). Select DoS from the Type field to view attacks.
Modify DoS alert rules
You must have administrative or Network Security manager access privileges to create, modify, or delete a DoS attack alert rule.
You must configure an SNMP agent and SNMP traps to export DoS attack information from BIG-IQ. Refer to Configure BIG-IQ to Receive Event and Health Alerts from SNMP and SMTP.
Modify your DoS attack alerts by deleting or modifying DoS attack rules.
- Go to.
- To delete an alert rule, select the check box next to the alert rule name, and click Delete.
- To modify an alert rule, click the name of the alert rule. The current alert rule configuration is displayed.
- Modify the settings as required.
- Click the Save & Close button.
Changes to your alert rules will modify the exported alert information.