ltm rule event IN_DOSL7_ATTACK
iRule(1) BIG-IP TMSH Manual iRule(1)
IN_DOSL7_ATTACK
Triggered when ASM detects that a request violates an ASM security policy for Denial of Service attacks.
DESCRIPTION
Triggered when ASM detects that a request violates an ASM security policy for Denial of Service attacks.
As of 11.3, this event replaces the VIOLATION_DOS_ATTACK_STARTED and the ATTACK_TYPE_DOS_ATTACK_STARTED attack type.
The event is invoked on each HTTP request that is involved in a DoS attack, that is, a request that comes from a suspicious
client IP address or is destined to a suspicious URL, with the following exceptions:
  * When the attack prevention mode is CS challenge (client IP address or requested URL), the event is not triggered for
    any request.
  * When in rate limit mode (client IP address or requested URL), the event is invoked only for attack requests that
    are not dropped.
Variable name         Variable description
$DOSL7_ATTACKER_IP    The attacker IP address
$DOSL7_MITIGATION     Mitigation method which is applied on the current HTTP request
EXAMPLES
    when IN_DOSL7_ATTACK {
        # Log the source address and the mitigation ASM applied to this request
        log local0. "Attacker IP: $DOSL7_ATTACKER_IP"
        log local0. "Mitigation: $DOSL7_MITIGATION"
    }
Log example from /var/log/ltm:
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
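The example iRule writes the attacker IP and the mitigation as two separate log records, so correlating them takes a small parser. The following Python script is an added example, not part of the F5 manual page: it pairs each "Attacker IP" line with the next "Mitigation" line from the same TMM process and counts requests per pair. The sample log, the tmm1[17074] process tag, and the assumption that both lines of one event are written in order by the same TMM process are constructed for illustration.

```python
import re
from collections import Counter

# Matches the two line shapes shown in the /var/log/ltm excerpt above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\s(?P<proc>\S+\[\d+\]):\s"
    r"Rule\s(?P<rule>\S+)\s:\s(?P<key>Attacker IP|Mitigation):\s(?P<val>.*)$"
)

# Constructed sample: two TMM processes interleaved, plus one event whose
# Mitigation line is missing (for example, a truncated or rotated log).
SAMPLE_LOG = """\
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:41 tmm info tmm1[17074]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.55
Aug 23 05:44:41 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:41 tmm info tmm1[17074]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:41 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:42 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.77
"""

def pair_events(lines):
    """Return (timestamp, attacker_ip, mitigation) tuples; mitigation is None if its line is missing."""
    pending = {}  # process tag -> (timestamp, attacker_ip) still waiting for its Mitigation line
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        proc, key, val = m["proc"], m["key"], m["val"].strip()
        if key == "Attacker IP":
            if proc in pending:  # earlier event from this process never got a Mitigation line
                events.append((*pending[proc], None))
            pending[proc] = (m["ts"], val)
        elif proc in pending:
            events.append((*pending.pop(proc), val))
    events.extend((ts, ip, None) for ts, ip in pending.values())
    return events

def summarize(events):
    """Count requests per (attacker_ip, mitigation) pair."""
    return Counter((ip, mitigation) for _, ip, mitigation in events)

if __name__ == "__main__":
    for (ip, mitigation), n in summarize(pair_events(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}\t{mitigation or 'mitigation line missing'}\t{n}")
```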
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-11.3.0 --First introduced the event.
BIG-IP 2022-04-12 iRule(1)