Reference: WAF L7 DoS Dashboard

The L7 DoS dashboard provides information about L7 DoS security for protected applications.

Ensure you have read Special instructions for L7 DoS Protection before you configure L7 DoS protection. If you do not apply best practices for L7 DoS protection configuration and deployment, the information in the L7 DoS dashboard might be inaccurate.

The L7 DoS protection dashboard provides attack mitigation visibility and reporting before, during, and after an attack. The application status information also provides quick insight into the application’s current stress level and its protection configuration from the WAF policy.

The following describes the information found in the dashboard.

Note: For general WAF Web Protection information, see Reference: WAF Web Protection Dashboard.

Virtual server status

The top of the dashboard provides current information about the virtual servers with L7 DoS protection.

The virtual server status details the policy and L7 DoS protection configuration, the attack status, and current traffic trends.

  • Under Attack - Reports whether the virtual server is currently under L7 DoS attack.

  • Stress Level - A calculation that reflects the impact of traffic to the virtual server. Stress level is on a scale between 0 and 7. Any value higher than 1 indicates application performance impact and is considered an attack.

    • High - Unexpected changes in traffic to the virtual server have the potential to impact application performance and indicate an L7 DoS attack. Within the scale of traffic learning, L7 DoS protection recognizes that traffic flow to the virtual server is higher than expected. If this traffic pattern exceeds the value of 1 on the L7 DoS stress scale, the status of the application is high stress.

    • Normal - Traffic detection is as expected and application performance is not at risk.

  • Requests/s - The average number of requests per second received by your virtual server. This information is based on the data collected over the refresh interval.

  • Mitigations/s - The average number of mitigated requests per second. This information is based on the data collected over the refresh interval.

  • Baseline DPS - The number of learned datagrams per second. This information is based on the data collected over the refresh interval.

  • Learning - When enabled, L7 DoS protection applies behavioral analysis and machine learning of traffic flows to automatically discover and mitigate DoS attacks (depending on mitigation mode). The status of the learning mode indicates whether L7 DoS protection has collected enough data to protect the application.

    • Ready - L7 DoS protection has collected enough traffic data to establish a baseline and recognize good requests. The ready status is assigned to applications with L7 DoS protection that has both Bad Actors and Signature mitigation enabled.

    • Not Ready - L7 DoS protection has not collected traffic to establish a baseline and recognize good requests.

    • Bad Actors Only - L7 DoS protection has collected enough traffic data to establish a baseline but does not collect data to recognize good requests. The status is assigned to applications with L7 DoS protection that has only Bad Actors mitigation enabled.

  • Mitigation - The virtual server’s WAF policy settings for L7 DoS protection.

    • Standard (Default) - For Bad Actors, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the application server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If Signatures is enabled, this protection setting blocks requests that match detected attack signatures.

    • Conservative - For Bad Actors, the traffic rate is slowed down and L7 DoS protection rate limits requests from anomalous IP addresses based on anomaly detection confidence and the application server’s health.
      If Signatures is enabled, this blocks requests that match the attack signatures.

    • None - Learns and monitors traffic behavior, but no action is taken.

Detected Bad Actors per Geolocation

The Detected Bad Actors per Geolocation map displays the number of bad actors detected (both mitigated and unmitigated) by source IP address.

The bad actor map shows bad actors from all protected applications over the past 30 days.

Virtual Server status charts

Monitor changes in a virtual server’s stress level and traffic over a selected time period.

When selecting a virtual server and time setting, you can monitor the detected attacks over time, outcomes of client requests, and the volume of mitigated requests.

For more information about a specific event observed over a time period, review the event log details. See: Filtering event logs.

Virtual Server Stress Level

Virtual server stress level is an evaluation of baseline traffic against detected behavioral changes that indicate a DoS attack. The application stress level is on a scale from 0-7, where any value above 1 is considered an L7 DoS attack, and can impact the flow of traffic to your application depending on your mitigation settings.

You can use the Virtual Server Stress Level graph to review the attack status of a specific application over a selected period of time.

For more information about the traffic trends to your virtual servers during changes in stress levels, refer to Client Side Transactions and Mitigated Requests per second.

For further details about detected L7 DoS events, go to Security > Event Logs > L7 DoS.

The example below shows the detected application stress levels for the application service app1 over the past 7 days:

image

Client Side Transactions

The Client Side Transactions graph shows the number of HTTP requests received by your application over the selected time period.

The following types of traffic are included. You can select or de-select from the legend to filter the graph’s displayed data:

  • Baseline RPS - The average number of requests per second to the application.

  • Successful TPS - The average number of successful transactions per second. These are requests that resulted in a server response.

  • Unsuccessful RPS - The average number of requests that did not complete the request to response transaction.

  • Incoming RPS - The average number of incoming requests per second to the application server.

  • Incoming DPS - The average number of incoming datagrams per second to the application server.

The example below shows an application’s client side transactions over the past 7 days:

image

Mitigated Requests per second

The Mitigated Requests per second graph shows the number of HTTP requests to your virtual server that were mitigated by L7 DoS protection over the selected time period.

The following mitigation data is included in the chart. You can select or de-select from the legend to filter the graph’s displayed data:

  • Signature RPS - The average number of mitigated requests per second to the virtual server that included attack signatures.

  • Bad Actors - The number of mitigated requests that included bad actor IP addresses.

  • Global RPS (Rate Limit) - The number of requests per second mitigated by rate limiting application traffic. If an attack is detected and mitigation settings are set to standard, global rate limiting may occur to all incoming traffic to prevent server stress.

The example below shows a virtual server’s mitigated requests per second over the past 7 days:

image
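
For post-incident review, the three charts above can be read together: find each run of samples where the stress level is above 1, then check how much of the incoming traffic was mitigated and by which mechanism. The following is an added example, not part of the product or its documentation; the sample data is constructed, the field names are hypothetical (the page does not describe an export format), and all traffic values are assumed to be per-second averages for each one-minute sample.

```python
from itertools import groupby

ATTACK_THRESHOLD = 1  # per the dashboard: any stress level above 1 is considered an attack
MITIGATIONS = ("signature", "bad_actors", "global")

# Constructed one-minute samples; field names are hypothetical, not a product export format.
FIELDS = ("t", "stress", "incoming", "signature", "bad_actors", "global")
RAW = [
    (0, 0.4, 120, 0, 0, 0),
    (1, 0.9, 180, 0, 0, 0),
    (2, 2.6, 900, 300, 250, 0),
    (3, 5.1, 2400, 700, 500, 400),
    (4, 1.8, 800, 350, 200, 0),
    (5, 0.7, 150, 0, 0, 0),
    (6, 1.4, 600, 0, 0, 0),
    (7, 1.2, 550, 0, 0, 0),
    (8, 0.5, 130, 0, 0, 0),
]
SAMPLES = [dict(zip(FIELDS, row)) for row in RAW]


def attack_windows(samples, threshold=ATTACK_THRESHOLD):
    """Group consecutive samples with stress above the threshold and summarise each run."""
    windows = []
    for under_attack, run in groupby(samples, key=lambda s: s["stress"] > threshold):
        if not under_attack:
            continue
        run = list(run)
        incoming = sum(s["incoming"] for s in run)
        by_type = {m: sum(s[m] for s in run) for m in MITIGATIONS}
        mitigated = sum(by_type.values())
        windows.append({
            "start": run[0]["t"],
            "end": run[-1]["t"],
            "peak_stress": max(s["stress"] for s in run),
            "mitigated_share": round(mitigated / incoming, 2) if incoming else 0.0,
            "dominant": max(by_type, key=by_type.get) if mitigated else None,
            # Global rate limiting applies to all incoming traffic, not only anomalous clients.
            "global_rate_limited": by_type["global"] > 0,
            # Stress above 1 with nothing mitigated: check the Mitigation setting (None takes no action).
            "unmitigated": mitigated == 0,
        })
    return windows


if __name__ == "__main__":
    for window in attack_windows(SAMPLES):
        print(window)
```

A window flagged `global_rate_limited` is the one to compare against Unsuccessful RPS in Client Side Transactions, since that mitigation can also slow legitimate requests.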