Once you have configured DoS protection on the BIG-IP® system, you can view charts, reports, statistics and event logs that show information about DoS attacks and mitigations in place on the system. For example, you can view the DoS Dashboard screen, which shows at a glance whether the system is under attack, the type of attack, and the source and destination IP addresses of monitored traffic. The DoS Dashboard screen also indicates the impact of DoS attacks on your virtual servers, in addition to overall system health.
On the DoS Analysis screen, you can view reports of transaction outcomes, and correlate the impact of system detection and the mitigation of DoS attacks to system health and performance indicators. The reports and event logs on the DoS Analysis screen help you to understand whether the DoS protection you have implemented is protecting your application's performance, or whether you need to fine-tune the configuration. In addition, you can adjust the time line to view historical attacks and their trends, which can provide insight into the DoS threats your application commonly faces.
Investigating DoS attacks and mitigation
Before you can investigate DoS attacks, you need to have created a DoS profile so that the system is capturing the analytics on the system. You must associate the DoS profile with one or more virtual servers.
You can use the DoS Dashboard screen for an overview of DoS attack activity on your BIG-IP® system, and corresponding system information during DoS attacks.
- On the Main tab, click .
Tip: For quick navigation to the DoS Dashboard screen, on the Main tab to go .
The DoS Dashboard screen opens and displays system information about all DoS attacks over a default time range.
- Use the time settings at the top of the screen to set a time range or refresh the information on screen.
To immediately update the statistics on screen, adjust the time range or refresh settings.
Note: Time range settings are persistent when navigating between the DoS Dashboard and Analysis screens.
| Time Focus | Select the time range of the displayed data. Note: Additional time options become available as your system gathers more data. |
| Currently Selected Time Range | Displays the current time range of the displayed data. |
| Auto-Refresh Interval Selector | Select how frequently the data on this screen is refreshed. |
| Manual Refresh | Click Refresh to trigger an immediate refresh of the displayed data. |
| Manual Time Adjustment Handles | Set the data to a specific window of time within the currently selected time range. Use the handles at either end of the time line to define the specific time you want to examine. Use the handle above the time line to display data that is outside the selected time range. Note: Adjusting the time range to display previous data stops the auto-refresh so you can focus on a specific data point. |
You can zoom into a specific time range within a chart. Select an area within the chart and then click the magnifying glass icon.
Note: Selecting a time range within the chart stops the screen's auto-refresh settings.
- Review the charts and tables that provide high-level information about your system's status.
Tip: You can filter the entire screen's displayed data to correspond with a specific data point by selecting entities in the charts, tables or map.
- Review the Attack Duration and Attacks areas for recent or ongoing DoS attacks.
- Review the Attack Duration area to determine the duration of each DoS attack over the selected time period, including ongoing attacks. In the Attack Duration chart, each horizontal bar represents an individual attack and indicates the start and end time of the attack, and the severity.
An ongoing attack extends to the end of the chart.
You can view additional attack information in the chart:
- Hover over an individual attack to view attack details, including Attack ID, Mitigation, Severity, Trigger and Vector.
- Hover over the chart area to view the number of attacks that occurred at a specific time in the chart legend.
- Review the Attacks area to determine the distribution of DoS attacks over the selected time period.
- Review the Virtual Servers area to determine the impact of DoS attacks on your system's virtual servers.
- Use the # of Virtual Servers table to view a breakdown of your virtual servers' health status according to each virtual server's latency, client concurrent connections and throughput.
- Use the Virtual Servers Health chart to view a breakdown of virtual servers according to health score for each performance indicator that is used to evaluate health status.
- Use the table in this area to examine the health and corresponding attack details for each virtual server.
- Review the tiles in the System Health area for a quick view of your BIG-IP system's health status. Each health tile is color coded according to the overall severity of each parameter for the entire system. Severity ranges are as follows: Good, Moderate, Unhealthy and Critical.
Note: In a multi-blade system, each health parameter also displays the slots with the highest system activity.
- Review the Countries area for information about the geolocation of traffic handled by your BIG-IP system.
- To view more details of your DoS activity, click .
Tip: From the Dashboard, you can automatically filter specific Attack IDs or Virtual Servers in the DoS Analysis screen by selecting the chart icon from a table row.
You can continue to review the system snapshot using the DoS Dashboard screen. As a result, you become more familiar with your system's activities during DoS attacks. You can also view the statistics in graphical charts and in tables, focusing on the specific data you need using attack and dimension filters.
Analyzing DoS impact on your system
Before you can investigate DoS attacks, you need to have created a DoS profile so that the system is capturing the analytics on the system. You must associate the DoS profile with one or more virtual servers.
You can use the DoS Analysis screen to analyze the impact of DoS attacks on your BIG-IP® system and traffic, or to detect any system performance issues.
- On the Main tab, click .
The DoS Analysis screen displays the aggregated statistics of system information for the selected time period.
Tip: To drill down into specific system information in the charts, use the settings in the Dimensions pane to highlight data of interest.
- Use the time settings at the top of the screen to set a time range or refresh the information on screen.
To immediately update the statistics on screen, adjust the time range or refresh settings.
Note: Time range settings are persistent when navigating between the DoS Dashboard and Analysis screens.
| Time Focus | Select the time range of the displayed data. Note: Additional time options become available as your system gathers more data. |
| Currently Selected Time Range | Displays the current time range of the displayed data. |
| Auto-Refresh Interval Selector | Select how frequently the data on this screen is refreshed. |
| Manual Refresh | Click Refresh to trigger an immediate refresh of the displayed data. |
| Manual Time Adjustment Handles | Set the data to a specific window of time within the currently selected time range. Use the handles at either end of the time line to define the specific time you want to examine. Use the handle above the time line to display data that is outside the selected time range. Note: Adjusting the time range to display previous data stops the auto-refresh so you can focus on a specific data point. |
You can zoom into a specific time range within a chart. Select an area within the chart and then click the magnifying glass icon.
Note: Selecting a time range within the chart stops the screen's auto-refresh settings.
- Review the BIG-IP Health area to detect any BIG-IP device health issues.
- Use the Memory Usage (GB) chart to analyze the distribution of system memory that is currently in use.
Note: In a multi-blade system, the chart displays the system average of all blades.
- Use the Top Busiest CPU Cores (%) chart to view the percent usage of the top five busiest TMM CPU cores. If your BIG-IP system has five CPU cores or fewer, this chart displays all active TMM CPU cores.
Note: In a multi-blade system, the chart displays the top five busiest slots of all CPU cores.
- Review the Virtual Servers area to define the health or performance status of your virtual servers. Select a single entity from the Virtual Servers dimension to display data.
Important: The statistics displayed in the Virtual Servers charts represent the metrics that are specific to a single virtual server, and are not affected by all dimension filters.
- Use the Average New Connections (conn/s) chart to analyze the average number of new system connections per second.
- Use the Average Concurrent Connections (conn/s) chart to analyze the average number of simultaneous connections per second that your BIG-IP system maintains.
- Use the Connections Activity chart to analyze the average number of unsuccessful connections out of all attempted transactions and why the transaction was unsuccessful.
- Use the Average Throughput in bits/s chart to analyze the average number of bits transferred per second during each part of the transaction process.
- Use the Total Health chart to determine the health score of your virtual servers. The health score is a percent value, where a higher score indicates good virtual server health. The total score is calculated using the pre-defined thresholds for CPU, memory, throughput and connections.
- Use the Max Number of Attacks chart to analyze the number and type of detected attacks over the selected time period.
- Use the Distinct Count of IPs chart to analyze the number of concurrent connecting IP addresses to a single virtual server, and the number of IP addresses that were deemed as malicious by the BIG-IP system.
- Review the Attacks area to analyze the characteristics of a single attack.
Note: Select a single entity from the Attack IDs dimension to display data.
- Review the HTTP area for application traffic activity and to evaluate how DoS attacks impact traffic performance.
- Use the Transaction Outcomes (Average TPS) chart to analyze the outcome assigned by the BIG-IP system to the application request and response exchange.
- Use the Server Latency (ms) chart to determine the time required for a server response once the BIG-IP system sends a request.
- Use the Throughput (bps) chart to determine the average number of bytes per second processed by the BIG-IP system during application requests and responses.
- Use the Client Types chart to analyze the means by which HTTP requests are initiated.
- Review the Network area to evaluate the number and type of network transactions that were monitored by the BIG-IP system.
- Review the DNS Transaction Outcomes area to evaluate the outcome assigned by the BIG-IP system to the DNS request and response exchange.
- Review the SIP Transaction Outcomes area to evaluate the outcome assigned by the BIG-IP system to the SIP request and response exchange.
You can continue to review statistics for the entire system to monitor activity during or after DoS attacks. You can focus on the specific data you need using the filters and comparison chart option provided in the Dimensions pane.
Viewing URL Latencies reports
For the URL Latencies report to include useful information, you need to have created a DoS profile and associated it with the application's virtual server for the system to capture the latency statistics for the application.
You can display a report that shows information about the latency of traffic to specific web pages in your application. The report lists the latency for each URL separately, and one row lists the latency for all URLs combined. You can use this report to check that the latency threshold that you used is close to the value in the latency histogram column for all traffic.
- On the Main tab, click .
The URL Latencies reporting screen opens.
- From the Time Period list, select the time period for which you want to view URL latency, or specify a custom time range.
- If you want to filter the information by virtual server, DoS profile, URL, or detection criteria, specify the ones for which you want to view the URL latency, and click Filter.
By default, the report displays information for all items.
- Adjust the chart display options as you want.
| Display Option | Description |
|---|---|
| Display Mode | Select whether to display the information as Cumulative or as related to the respective latency range, Per Interval. |
| Unified Scale | Select this check box to display all histograms using a single scale for all URLs, rather than a separate scale for each one. |
| Order by | Select the order in which to display the statistics: by the average server latency, the number of transactions, the histogram latency ranges (in milliseconds), or by how heavy URLs were detected (automatically detected or manually set). |
- Review the latency statistics.
- The report shows the latency for the most active URLs.
- The Aggregated row summarizes the statistics for the URLs not included in the report.
- The Overall Summary shows the latency of all traffic.
- Use the Latency Histogram, to the far right of the URL row, to view the percentage of URL traffic at each window of recorded latency time (in ms).
- To focus in on the specific latency details for a URL, click the latency histogram.
A magnified view of the histogram is displayed in a separate window. The latency histogram displays the number of successful HTTP transaction outcomes for each range of latency (0-2 ms, 2-4 ms, and so on up to 10000 ms or 10 seconds).
The URL Latencies report shows how fast your web application returns web pages and can show typical latency for applications on your system (application data is recorded through virtual servers associated with a DoS profile). It can help you to identify slow pages with latency issues that may require additional troubleshooting by application developers.
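The Per Interval and Cumulative histogram modes, the ordering by average server latency, and the check of a latency threshold against all traffic, worked through on constructed data as an added example (not F5 code and not BIG-IP output). The latency range edges between 4 ms and 10000 ms, the URLs and every latency value are assumptions of this example.

```python
from bisect import bisect_left

# Upper edges of the latency ranges in ms. The page gives 0-2, 2-4 and a
# 10000 ms top; the doubling steps in between are assumed for this example.
EDGES = [2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 10000]

# Constructed server latencies (ms) of successful transactions per URL.
SAMPLES = {
    "/index.php": [1.5, 3.0, 3.5, 6.0, 12.0, 14.0],
    "/search.php": [20.0, 25.0, 40.0, 90.0],
    "/report.php": [900.0, 1800.0, 2500.0, 3000.0],
}

def histogram(latencies, cumulative=False):
    """Percent of transactions per range (Per Interval) or up to it (Cumulative)."""
    counts = [0] * len(EDGES)
    for ms in latencies:
        # Anything slower than the top edge is clamped into the last range.
        counts[min(bisect_left(EDGES, ms), len(EDGES) - 1)] += 1
    if cumulative:
        for i in range(1, len(counts)):
            counts[i] += counts[i - 1]
    return [100.0 * c / len(latencies) for c in counts]

def report_rows(samples):
    """Per-URL rows (url, transactions, avg ms), ordered by average latency."""
    rows = [(u, len(v), round(sum(v) / len(v), 2)) for u, v in samples.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def overall_summary(samples):
    """All URLs combined, like the report's Overall Summary row."""
    merged = [ms for v in samples.values() for ms in v]
    return {"transactions": len(merged),
            "avg_ms": round(sum(merged) / len(merged), 2),
            "cumulative": histogram(merged, cumulative=True)}

def share_over_threshold(samples, threshold_ms):
    """Percent of all transactions slower than a candidate latency threshold."""
    merged = [ms for v in samples.values() for ms in v]
    return 100.0 * sum(ms > threshold_ms for ms in merged) / len(merged)

if __name__ == "__main__":
    for url, count, avg in report_rows(SAMPLES):
        print(f"{url:12} n={count} avg={avg} ms")
    print("overall:", overall_summary(SAMPLES)["avg_ms"], "ms")
    for candidate in (100, 1000, 5000):
        pct = share_over_threshold(SAMPLES, candidate)
        print(f"threshold {candidate} ms: {pct:.1f}% of traffic is slower")
```

A candidate threshold that a large share of baseline traffic already exceeds is a sign that the threshold or the slow URLs need another look before an attack occurs.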
Sample URL Latencies report
This figure shows a sample URL Latencies report for a system that has two DoS profiles and two virtual servers. It shows the latency for several web pages ranging from 10.97 ms to 2006.07 ms. One page (/DOS/latency2.php) has very high latency and might require some troubleshooting. In this case, the system determined that URL to be "heavy" based on traffic. While investigating the latency of URLs that take longer to display, if it is acceptable, you may decide to add them to the list of Ignored URLs in the DoS profile so they do not trigger DoS mitigation.
Creating customized DoS reports
You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
- On the Main tab, click .
The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
- Review the charts and tables provided, and click the configuration icon to adjust or delete them, as needed.
- To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
- To remove the widget from the custom page, click the gear icon and select Delete.
- To create a new widget to your specifications, click Add Widget.
The Add New Widget popup screen opens where you can select custom options for what to include, the time frame, and how to display the information.
- Continue adjusting the custom page so that it shows the information you want.
You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
- To save the information shown in the custom report to a file or email attachment, click Export and choose your options.
You can also export the data from a single widget by selecting Export from the configuration icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.