ltm rule event IN_DOSL7_ATTACK

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



IN_DOSL7_ATTACK
       Triggered when ASM detects that a request violates an ASM security
       policy for Denial of Service attacks.

DESCRIPTION
       Triggered when ASM detects that a request violates an ASM security
       policy for Denial of Service attacks.

       As of 11.3, this event replaces the VIOLATION_DOS_ATTACK_STARTED and
       the ATTACK_TYPE_DOS_ATTACK_STARTED attack type.

       The event is invoked on each HTTP request that is involved in a DoS
       attack--that is, a request that comes from a suspicious client IP
       address or is destined for a suspicious URL, with the following
       exceptions:

       When the attack prevention mode is CS challenge (client IP address or
       requested URL), the event is not triggered for any request.  When in
       rate limit mode (client IP address or requested URL), the event is
       invoked only for attack requests that are not dropped.

       When in transparent mode, the event is invoked for every request. This
       is the most common intended use case for this event: enabling the
       administrator to implement a proprietary prevention policy.

       Variable name         Variable description
       $DOSL7_ATTACKER_IP    The attacker IP address
       $DOSL7_MITIGATION     Mitigation method which is applied on the
                             current HTTP request

Examples
	when IN_DOSL7_ATTACK {
	    log local0. "Attacker IP: $DOSL7_ATTACKER_IP"
	    log local0. "Mitigation: $DOSL7_MITIGATION"
	}

	log example from /var/log/ltm
	Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
	Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
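
The example iRule writes each event as two separate log lines, so anyone reviewing /var/log/ltm has to rejoin them before counting attackers. The following Python sketch is an added example, not part of the BIG-IP manual: it pairs the lines per tmm process and rule and tallies events per attacker IP and mitigation. The function names, the 192.168.172.44 address and the tmm1 lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches only the two line shapes produced by the example iRule above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ (?P<proc>tmm\d*)\[(?P<pid>\d+)\]: "
    r"Rule (?P<rule>\S+) : (?P<key>Attacker IP|Mitigation): (?P<val>.+)$"
)

# Constructed sample: the page's two lines plus interleaved and truncated cases.
SAMPLE = """\
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:40 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:41 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
Aug 23 05:44:41 tmm1 info tmm1[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.44
Aug 23 05:44:41 tmm info tmm[17073]: Rule /Common/other_irule : unrelated message
Aug 23 05:44:41 tmm info tmm[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:41 tmm1 info tmm1[17073]: Rule /Common/dosl7_irule : Mitigation: Source IP-Based Rate Limiting
Aug 23 05:44:42 tmm info tmm[17073]: Rule /Common/dosl7_irule : Attacker IP: 192.168.172.210
"""

def parse_events(text):
    """Pair each 'Attacker IP' line with the next 'Mitigation' line from the
    same tmm process and rule. Returns (events, unpaired_line_count)."""
    pending, events, unpaired = {}, [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not one of the two IN_DOSL7_ATTACK log lines
        src = (m["proc"], m["pid"], m["rule"])
        if m["key"] == "Attacker IP":
            if src in pending:
                unpaired += 1  # earlier IP line never got its mitigation
            pending[src] = (m["ts"], m["val"])
        elif src in pending:
            ts, ip = pending.pop(src)
            events.append({"time": ts, "rule": m["rule"],
                           "attacker_ip": ip, "mitigation": m["val"]})
        else:
            unpaired += 1  # mitigation line with no preceding IP line
    return events, unpaired + len(pending)

def summarize(events):
    """Count events per (attacker IP, mitigation) pair."""
    return Counter((e["attacker_ip"], e["mitigation"]) for e in events)

if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE)
    for (ip, mitigation), n in summarize(evts).most_common():
        print(f"{ip}\t{mitigation}\t{n}")
    print(f"unpaired lines: {bad}")
```

A nonzero unpaired count usually means the log was rotated or truncated mid-event, so the per-IP totals for that window are a lower bound.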

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-11.3.0 --First introduced the event.



BIG-IP				  2017-01-31			      iRule(1)