IN_DOSL7_ATTACK¶
Description¶
Triggered when ASM detects that a request violates an
ASM security policy for Denial of Service attacks
As of 11.3, this event replaces the
VIOLATION_DOS_ATTACK_STARTED
event and the ATTACK_TYPE_DOS_ATTACK_STARTED attack
type.
The event is invoked on each HTTP request that is involved in a DoS
attack–that is, a request that comes from a suspicious client IP
address or destined to a suspicious URL with the exception of the
following:
- When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request.
- When in CAPTCHA or rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.
When in transparent mode, the event is invoked for every request. This
is the most common intended use case for this event: enabling the
administrator to implement a proprietary prevention policy.
Variable name | Variable description |
---|---|
$DOSL7_ATTACKER_IP | The attacker IP address |
$DOSL7_MITIGATION | Mitigation method which is applied on the current HTTP request |
Warning
Deprecated in BIG-IP Next v20.0.1
Examples¶
when IN_DOSL7_ATTACK {
log local0. "Attacker IP: $DOSL7_ATTACKER_IP"
log local0. "Mitigation: $DOSL7_MITIGATION"
}
log example from /var/log/ltm
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting