Manual Chapter: Viewing DoS Reports, Statistics, and Logs

Applies To:

BIG-IP ASM

  • 13.0.0

Overview: Viewing DoS reports and logs

Once you have configured DoS protection on the BIG-IP® system, you can view charts, reports, statistics, and event logs that show information about DoS attacks and mitigations in place on the system (Security > Reporting > DoS). For example, you can view the DoS Dashboard screen, which shows at-a-glance whether or not the system is under attack, the type of attack, and IP addresses of the source and destination of monitored traffic. The DoS Dashboard screen also indicates the impact of DoS attacks on your virtual servers, in addition to overall system health.

On the DoS Analysis screen, you can view reports of transaction outcomes, and correlate the impact of system detection and the mitigation of DoS attacks to system health and performance indicators. The reports and event logs on the DoS Analysis screen help you to understand whether the DoS protection you have implemented is protecting your application's performance, or whether you need to fine-tune the configuration. In addition, you can adjust the time line to view historical attacks and their trends, which can provide insight into the DoS threats your application commonly faces.

Investigating DoS attacks and mitigation

Before you can investigate DoS attacks, you need to have created a DoS profile so that the system captures the analytics. You must associate the DoS profile with one or more virtual servers.
You can display the DoS Dashboard to see whether or not a DoS attack is taking place, and display information about DoS attacks.
  1. On the Main tab, click Security > Reporting > DoS > Dashboard.
    The DoS Dashboard opens and displays real-time information about all DoS attacks on the system. The system displays information about attacks that either started or ended during the last hour, by default.
  2. Review the charts to see if there have been any recent DoS attacks.
  3. At the top of the screen, you can adjust the time frame and refresh details for the statistics.
    Option: Description
    Time frame: Specifies the time frame for which you want to display HTTP statistics (Last hour, Last day, Last week, and so on, or All to display all data).
    Auto-refresh interval: Controls how often the statistics are refreshed on the screen (1 min., 5 min., 10 min.), or turns refresh Off.
    Refresh button: Updates the statistics on the screen immediately.
    Timeline adjuster: Shows the actual time frame for which statistics are currently displayed according to the time focus that is selected. On the graphic, drag the handles on either end to change the focus of the statistics.
    As you adjust the time settings, the statistics are updated on the screen.
  4. Initially, the data is unfiltered, and it displays all statistics it has for the time frame selected (Last hour, by default). To filter the data, select one or more dimensions in the right column.
    For example, you can filter by dimensions such as Attack IDs, Applications, Vectors, Countries, and so on. You can select more than one dimension, and one or more instances in a dimension. But note that some combinations are restricted.
    As you select dimensions or instances, the filtered statistics are displayed on the screen.
  5. To view the statistics in table form, expand the dimension, then drag the handle on the dimensions column to the left.
    Tip: To see the full column names, hover over the headings. To expand the table to the full width of the screen to see all of the columns, click the handle.
    Tables containing detailed statistics for the items in the dimensions are displayed.
  6. You can clear all filter selections or those for a dimension.
    • To clear all selections, click the gear icon at the top of the column and select Clear All.
    • To clear selections for a dimension, click the options icon (three horizontal lines to the left of the title), and select Clear Selection.
  7. To view an analysis of your DoS activity, click Security > Reporting > DoS > Analysis.
You can review the details about DoS attacks on the DoS Dashboard and Analysis screens to quickly see whether or not you are under attack and view an analysis of DoS activity.

Sample DoS Dashboards

This figure shows a sample DoS Dashboard on a system that is currently under a low-level DoS attack.

Sample DoS Dashboard

This figure shows a sample DoS Dashboard showing DoS attacks that occurred during the last week. Three of the attacks were critical but all were mitigated within minutes.

Sample DoS Dashboard showing attacks

Displaying DoS Application Event logs

You can display DoS Application Event logs to see whether L7 DoS attacks have occurred, and view information about the attacks. The logs show details about the DoS events.
  1. On the Main tab, click Security > Event Logs > DoS > Application Events.
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.

Viewing URL Latencies reports

For the URL Latencies report to include useful information, you need to have created a DoS profile and associated it with the application's virtual server for the system to capture the latency statistics for the application.
You can display a report that shows information about the latency of traffic to specific web pages in your application. The report lists the latency for each URL separately, and one row lists the latency for all URLs combined. You can use this report to check that the latency threshold that you used is close to the value in the latency histogram column for all traffic.
  1. On the Main tab, click Security > Reporting > DoS > URL Latencies.
    The URL Latencies reporting screen opens.
  2. From the Time Period list, select the time period for which you want to view URL latency, or specify a custom time range.
  3. If you want to filter the information by virtual server, DoS profile, URL, or detection criteria, specify the ones for which you want to view the URL latency, and click Filter.
    By default, the report displays information for all items.
  4. Adjust the chart display options as you want.
    Display Option: Description
    Display Mode: Select whether to display the information as Cumulative or as related to the respective latency range, Per Interval.
    Unified Scale: Select this check box to display all histograms using a single scale for all URLs, rather than a separate scale for each one.
    Order by: Select the order in which to display the statistics: by the average server latency, the number of transactions, the histogram latency ranges (in milliseconds), or by how heavy URLs were detected (automatically detected or manually set).
  5. Review the latency statistics.
    • The report shows the latency for the most active URLs.
    • The Aggregated row summarizes the statistics for the URLs not included in the report.
    • The Overall Summary shows the latency of all traffic.
  6. To focus in on the specific latency details for one row, click the latency histogram.
    A magnified view of the histogram is displayed in a separate window. The latency histogram shows the percentage of transactions for each range of latency (0-2 ms, 2-4 ms, and so on up to 10000 ms or 10 seconds).

The URL Latencies report shows how fast your web application returns web pages and can show typical latency for applications (meaning virtual servers associated with a DoS profile) on your system. It can help you to identify slow pages with latency problems that may require additional troubleshooting by application developers.

You can also use the URL Latencies report for the following purposes:

  • To determine the threshold latencies, especially the heaviness threshold.
    Tip: Set the heaviness threshold to approximately 90-95% of the latency distribution for the site. Filter the data by site (that is, by virtual server and DoS profile), and check the latency distribution in the histogram of the Total row.
  • To track the current heavy URLs. You can add or remove manually configured heavy URLs depending on the information in the report.
  • To monitor the latency distribution.
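
The heaviness-threshold tip above can be worked through numerically. The following Python is an added example, not part of the F5 manual: it estimates the 90-95% point of a latency distribution from histogram rows copied by hand from the report. The bucket boundaries, percentages, and function names are constructed for illustration and are not BIG-IP output or APIs.

```python
# Added example: estimate a heaviness threshold from a latency histogram.
# Bucket edges and percentages are constructed sample data, not BIG-IP output.

# (lower_ms, upper_ms, percent_of_transactions) as read off a latency histogram
SAMPLE_HISTOGRAM = [
    (0, 2, 5.0),
    (2, 4, 10.0),
    (4, 8, 20.0),
    (8, 16, 25.0),
    (16, 64, 20.0),
    (64, 256, 10.0),
    (256, 1024, 6.0),
    (1024, 10000, 4.0),
]


def latency_percentile(histogram, percentile):
    """Return the latency (ms) below which `percentile` % of transactions fall.

    Interpolates linearly inside the bucket that crosses the target, so the
    result is an estimate bounded by that bucket's edges.
    """
    if not 0 < percentile <= 100:
        raise ValueError("percentile must be in (0, 100]")
    total = sum(pct for _, _, pct in histogram)
    if total <= 0:
        raise ValueError("histogram has no transactions")
    target = percentile / 100.0 * total  # tolerate rows that do not sum to 100
    cumulative = 0.0
    for lower, upper, pct in sorted(histogram):
        if pct > 0 and cumulative + pct >= target:
            fraction = (target - cumulative) / pct
            return lower + fraction * (upper - lower)
        cumulative += pct
    return max(upper for _, upper, _ in histogram)


def heaviness_range(histogram, low=90, high=95):
    """Latency range (ms) matching the 90-95% guidance in the tip above."""
    return (latency_percentile(histogram, low),
            latency_percentile(histogram, high))


if __name__ == "__main__":
    lo, hi = heaviness_range(SAMPLE_HISTOGRAM)
    print(f"Candidate heaviness threshold: {lo:.0f}-{hi:.0f} ms")
```

Because the estimate is interpolated inside a wide bucket, treat the result as a starting range and confirm it against the histogram after filtering by virtual server and DoS profile.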

Sample URL Latencies report

This figure shows a sample URL Latencies report for a system that has two DoS profiles and two virtual servers. It shows the latency for several web pages ranging from 10.97 ms to 2006.07 ms. One page (/DOS/latency2.php) has very high latency and might require some troubleshooting. In this case, the system determined that URL to be "heavy" based on traffic. If, after investigating URLs that take longer to display, you find their latency acceptable, you may decide to add them to the list of heavy URLs in the DoS profile so they do not trigger DoS mitigation.

Sample URL Latencies report

Creating customized DoS reports

You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
  1. On the Main tab, click Security > Reporting > DoS > Custom Page.
    The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
  2. Review the charts and tables provided, and click the configuration icon to adjust or delete them, as needed.
    • To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
    • To remove the widget from the custom page, click the gear icon and select Delete.
  3. To create a new widget to your specifications, click Add Widget.
    The Add New Widget popup screen opens where you can select custom options for what to include, the time frame, and how to display the information.
  4. Continue adjusting the custom page so that it shows the information you want.
    You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
  5. To save the information shown in the custom report to a file or email attachment, click Export and choose your options.
    You can also export the data from a single widget by selecting Export from the configuration icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.

Logging bot defense requests

You can create a logging profile to log bot defense requests on systems set up to do proactive bot defense.
  1. On the Main tab, click Security > Event Logs > Logging Profiles.
    The Logging Profiles list screen opens.
  2. Click Create.
    The New Logging Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. Select Bot Defense.
  5. To log bot defense attacks locally, select Local Publisher.
  6. To send the log to a remote reporting server (such as Splunk, ArcSight, or syslog), from Remote Publisher, select the name of the publisher.
  7. Select which requests to include in the log:
    • Log Illegal Requests: Requests that failed the proactive bot defense tests, such as suspicious browser or wrong CAPTCHA responses. Note that JS challenges that are never responded to are not included here.
    • Log Captcha Challenged Requests: Requests that are responded to with a Captcha challenge as part of the suspicious browser tests.
    • Log Challenged Requests: Requests that are responded to with a JS challenge for new clients or clients renewing their cookies.
    • Log Bot Signature Matched Requests: Requests that matched any of the Bot signatures with the action block or report.
    • Log Legal Requests: Requests that passed through.
  8. Click Finished.
  9. Associate this logging profile with the virtual server being protected with bot defense:
    1. Go to Local Traffic > Virtual Servers, then click the virtual server.
    2. Under Security, select Policies.
    3. In the Log Profile setting, move the log profile from Available to Selected.
    4. Click Update.
  10. After passing traffic, you can view the bot defense event log: Click Security > Event Logs > Bot Defense.
    Use the arrow keys to scroll to see the full details for each bot defense request.