Layer 7 DoS protection in Application Security Manager™ (ASM) automatically adds IP addresses to a shun list (also called auto-blacklisting). The BIG-IP® system stops traffic that it considers to be causing a DoS attack by placing the source IP address on the shun list for a limited time. L7 DoS maintains the shun list, and auto-blacklisting works at Layer 7 once you configure an L7 DoS profile and attach it to a virtual server.
The DoS profile you create should include all of the DoS mitigations you want to use for the application. For example, you could enable these protections:
Source IP addresses that appear to be causing a DoS attack, based on the mitigations you configured, are placed in the IP intelligence category application denial of service, which the IP intelligence policy is configured to drop. Together, and using fewer resources, the DoS profile and the IP intelligence policy protect the web application from DoS attacks.
The shun list is automatically managed with predefined conditions and thresholds set using system variables. These system variables are set to reasonable values by default. Do not change these variables unless you are an advanced BIG-IP® system user.
| Variable | Default Value | What It Specifies |
|---|---|---|
| dosl7d.shun_list | enable | Whether to use the shun list to block IP addresses. |
| dosl7d.min_challenge_success_ratio | 10% | The minimum percentage of good transactions per IP address; below this, the system adds the address to the shun list. |
| dosl7d.min_challenge_rps | 10 | The minimum requests per second before the system can apply shun mitigation. |
| dosl7d.shun_prevention_time | 120 | The time in seconds (from 1 to 1000) to keep the IP address on the shun list. |
(tmos)# modify sys db dosl7d.shun_list value disable
Now you have associated both a DoS profile and an IP intelligence policy with the virtual server representing the application. Here's a general idea of what happens next:
If DoS mitigation is performed by URL or device ID, the IP addresses are not shunned at the IP level, but are shunned at Layer 7.
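The following is an added illustrative model, not F5's implementation or code from this documentation, of how the four dosl7d.* variables in the table above interact, including the point that mitigation by URL or device ID does not shun at the IP level. It assumes a simplified rule: within a one-second window, an IP that sends at least min_challenge_rps requests and passes challenges on fewer than min_challenge_success_ratio percent of them is shunned for shun_prevention_time seconds. The variable names and default values are taken from the table; the traffic samples, the helper names (validate_settings, ShunListModel, demo) and the 0-100 and minimum-1 bounds used in validation are constructed assumptions for the example.

```python
"""Simplified model of the L7 DoS shun-list thresholds (added example, not ASM's code)."""
from dataclasses import dataclass, field

# Default values as listed in the documentation table.
DEFAULTS = {
    "dosl7d.shun_list": "enable",
    "dosl7d.min_challenge_success_ratio": 10,  # percent of good transactions per IP
    "dosl7d.min_challenge_rps": 10,            # requests per second before shun applies
    "dosl7d.shun_prevention_time": 120,        # seconds on the list, documented range 1-1000
}


def validate_settings(settings):
    """Return a list of problems with proposed dosl7d.* values (empty when all are sane).

    The 1-1000 range for shun_prevention_time is from the table; the 0-100 percent
    bound and the minimum of 1 request/second are assumptions made for this example.
    """
    problems = []
    if settings.get("dosl7d.shun_list") not in ("enable", "disable"):
        problems.append("dosl7d.shun_list must be enable or disable")
    ratio = settings.get("dosl7d.min_challenge_success_ratio")
    if not isinstance(ratio, int) or not 0 <= ratio <= 100:
        problems.append("dosl7d.min_challenge_success_ratio must be a percentage 0-100")
    rps = settings.get("dosl7d.min_challenge_rps")
    if not isinstance(rps, int) or rps < 1:
        problems.append("dosl7d.min_challenge_rps must be at least 1")
    secs = settings.get("dosl7d.shun_prevention_time")
    if not isinstance(secs, int) or not 1 <= secs <= 1000:
        problems.append("dosl7d.shun_prevention_time must be 1-1000 seconds")
    return problems


@dataclass
class Window:
    """Per-IP counters for the current one-second window."""
    requests: int = 0
    good: int = 0


@dataclass
class ShunListModel:
    settings: dict = field(default_factory=lambda: dict(DEFAULTS))
    windows: dict = field(default_factory=dict)  # ip -> Window
    shunned: dict = field(default_factory=dict)  # ip -> expiry time (seconds)

    def is_shunned(self, ip, now):
        """True while the IP is on the list; entries lapse after shun_prevention_time."""
        expiry = self.shunned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.shunned[ip]
            return False
        return True

    def record(self, ip, good, now):
        """Record one request from ip. Returns True if it is dropped because ip is shunned."""
        if self.is_shunned(ip, now):
            return True
        win = self.windows.setdefault(ip, Window())
        win.requests += 1
        if good:
            win.good += 1
        return False

    def evaluate_window(self, now, by_ip_mitigation=True):
        """Close the current one-second window and return the IPs newly shunned.

        When mitigation is by URL or device ID (by_ip_mitigation=False), no IP is added,
        matching the documented behaviour that such traffic is not shunned at the IP level.
        """
        newly = []
        if self.settings["dosl7d.shun_list"] == "enable" and by_ip_mitigation:
            for ip, win in self.windows.items():
                if win.requests < self.settings["dosl7d.min_challenge_rps"]:
                    continue  # below min_challenge_rps: shun mitigation cannot apply
                ratio = 100 * win.good / win.requests
                if ratio < self.settings["dosl7d.min_challenge_success_ratio"]:
                    self.shunned[ip] = now + self.settings["dosl7d.shun_prevention_time"]
                    newly.append(ip)
        self.windows.clear()
        return newly


def demo():
    """Constructed traffic: one abusive source, one healthy client, one low-rate source."""
    model = ShunListModel()
    for i in range(50):  # 50 rps, only 2 challenges passed (4% < 10%): shunned
        model.record("203.0.113.7", good=(i < 2), now=0)
    for i in range(20):  # 20 rps, 19 good (95%): healthy
        model.record("198.51.100.4", good=(i < 19), now=0)
    for _ in range(5):   # 0% good but only 5 rps (< 10): not eligible for shunning
        model.record("192.0.2.9", good=False, now=0)
    newly = model.evaluate_window(now=1)
    dropped_while_listed = model.record("203.0.113.7", good=True, now=61)
    dropped_after_expiry = model.record("203.0.113.7", good=True, now=122)
    return newly, dropped_while_listed, dropped_after_expiry


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the abusive source shunned at the end of the window, its later request dropped at 61 seconds, and the same source allowed again at 122 seconds once the 120-second shun_prevention_time has lapsed; lowering dosl7d.shun_list to disable or evaluating with by_ip_mitigation=False yields no shunned addresses at all.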