If you have configured DoS protection on the BIG-IP® system, you can view charts, reports, statistics, and event logs that show information about DoS attacks and mitigations in place on the system. For example, you can view a DoS Overview screen that shows at a glance whether or not the system is under attack. The DoS Overview also indicates the impact of DoS attacks on the server's throughput, and RAM and CPU usage.
Other reports show transaction outcomes, and correlate the impact of system detection and the mitigation of DoS attacks. The reports and event logs help you to understand whether the DoS protection you have implemented is protecting your application web site, or whether you need to fine-tune the configuration. You can use the information to provide the intelligence necessary to identify and track DoS attacks. By looking at historical attacks and their trends, you can gain insight into the DoS threats the web site is facing.
You can also define custom reports based on dimensional queries.
This figure shows a sample DoS Overview screen on a system that is having a low-level DoS attack now (the first one listed shows a flag in the duration). Click the Attack ID to display the Transaction Outcomes report which includes details about the attack.
The Overview screen includes information on throughput and RAM and CPU usage. Because the statistics vary from system to system, it is a good idea to become familiar with typical memory and CPU usage and throughput on your system as well as checking for recent attacks.
Sample DoS Overview screen
When displaying DoS transaction outcomes, the charts classify the traffic into the following traffic types.
|Traffic type||What it means|
|Incomplete||Traffic that was dropped by the server because the connection was incomplete or the server did not respond. The system did not perform any DoS mitigation on this traffic. Transactions were reset, and responses were not sent to the client.|
|DoS Blocked||Traffic that was blocked as a result of the mitigation methods (with rate limiting set using request blocking) in the DoS profile.|
|Shun Blocked||Traffic that did not reach the server and was blocked because the IP address is on the network level shun list for having sent highly malicious traffic. As a result, statistics for HTTP transactions from this IP address are estimated because the IP address is blocked at the TCP level and not the HTTP level. This only appears when the dosl7d.shun_list system variable is set to enable.|
|Behavioral Blocked||Traffic that did not reach the server because it was slowed down to an extreme level, and the TCP connection was reset.|
|Behavioral Slowdown||Traffic that was slowed down but not blocked. The TCP connection of a potential attacker sending a lot of traffic was slowed down to lessen the impact on the server.|
|CAPTCHA Mitigation||Traffic that did not respond to a CAPTCHA challenge or responded incorrectly. The challenge is specified in the mitigation methods of the DoS profile.|
|BIG-IP Response||Traffic that is a response to the client from the BIG-IP system.|
|Cached by BIG-IP||Traffic that is served from cache configured in the Web Acceleration profile.|
|Whitelisted||Traffic from IP addresses on the IP Address whitelist in the DoS profile.|
|Passthrough||Traffic that is allowed because it does not constitute a DoS attack.|
This figure shows a sample Transaction Outcomes report for a system on which there have been DoS attacks. The chart shows how the traffic has been handled by the system. It shows aggregated data that is updated every few minutes.
Sample DoS Transaction Outcomes report
You can adjust which elements are listed in the table below the chart. This figure lists the virtual servers that traffic is attempting to access. By clicking one of the virtual servers (or other objects listed), you can drill down to see what is happening with that specific traffic. For example, here attacks are primarily taking place on vip_70, and much of the traffic is being blocked.
You can also open a real-time chart that is constantly updated by clicking the Open Real-Time Charts link. It is a popup screen that you can leave displayed on your computer. It shows the traffic distribution on the system. Here, much of the traffic is being rate limited (shown in red), some is from IP addresses on the whitelist in the DoS profile (shown in turquoise), and the remaining traffic is allowed to pass through the system (shown in green).
Sample DoS real-time chart
You can go back to the DoS Statistics report and change the values for what is displayed using the Display and during settings to see additional information. Viewing different statistical views is useful for understanding and tracking DoS attacks.
In the lower table on the screen, Server Latency (ms) indicates how long it takes (in milliseconds) from the time a request reaches the BIG-IP® system for it to proceed to the web application server and return a response. Note that dropped or blocked requests that do not reach the server do not register latency, because there is no full request-response cycle.
This figure shows a sample DoS Application Events log with information about the events related to several DoS attacks: when each attack started and finished, how it was mitigated, the IP address where it originated, the transactions per second during the attack (indicating the latency of traffic to the web application), and the attack ID. The attacks have all been mitigated by site-wide or source IP based rate limiting.
Sample DoS Application Events log
You can click the attack ID to display DoS transaction outcomes related to the attack.
|Setting||Description|
|Display Mode||Select whether to display the information as Cumulative or as related to the respective latency range, Per Interval.|
|Unified Scale||Select this check box to display all histograms using a single scale for all URLs, rather than a separate scale for each one.|
|Order by||Select the order in which to display the statistics: by the average server latency, the number of transactions, the histogram latency ranges (in milliseconds), or by how heavy URLs were detected (automatically detected or manually set).|
The URL Latencies report shows how fast your web application returns web pages and can show typical latency for applications (meaning virtual servers associated with a DoS profile) on your system. It can help you to identify slow pages with latency problems that may require additional troubleshooting by application developers.
You can also use the URL Latencies report for the following purposes:
This figure shows a sample URL Latencies report for a system that has two DoS profiles and two virtual servers. It shows the latency for several web pages ranging from 10.97 ms to 2006.07 ms. One page (/DOS/latency2.php) has very high latency and might require some troubleshooting. In this case, the system determined that URL to be "heavy" based on traffic. While investigating the latency of URLs that take longer to display, if it is acceptable, you may decide to add them to the list of heavy URLs in the DoS profile so they do not trigger DoS mitigation.
Sample URL Latencies report
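The following is an added example, not code from the F5 documentation or the BIG-IP system, showing how the per-URL figures in a URL Latencies report can be derived from transaction outcomes: only transactions that complete a request-response cycle with the server contribute latency, blocked and incomplete ones are counted but carry no latency, and the rows can be ordered by average latency or transaction count. The sample transactions, the set of outcomes assumed to reach the server, and the histogram bucket edges are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transactions, not real BIG-IP data. The outcome values
# are the traffic types listed in the Transaction Outcomes table above.
SAMPLE_TX = [
    {"url": "/DOS/index.php",    "outcome": "Passthrough",         "latency_ms": 12.0},
    {"url": "/DOS/index.php",    "outcome": "Passthrough",         "latency_ms": 10.0},
    {"url": "/DOS/index.php",    "outcome": "DoS Blocked",         "latency_ms": None},
    {"url": "/DOS/latency2.php", "outcome": "Passthrough",         "latency_ms": 1800.0},
    {"url": "/DOS/latency2.php", "outcome": "Whitelisted",         "latency_ms": 2200.0},
    {"url": "/DOS/latency2.php", "outcome": "Incomplete",          "latency_ms": None},
    {"url": "/DOS/login.php",    "outcome": "Behavioral Slowdown", "latency_ms": 95.0},
    {"url": "/DOS/login.php",    "outcome": "Shun Blocked",        "latency_ms": None},
]

# Assumption: only these outcomes complete a full request-response cycle with
# the server. Blocked, incomplete and BIG-IP-served traffic is still counted as
# a transaction but registers no server latency.
SERVER_REACHED = {"Passthrough", "Whitelisted", "Behavioral Slowdown"}

# Histogram latency ranges in milliseconds (assumed bucket edges, not F5's).
BUCKETS = [(0, 50), (50, 500), (500, float("inf"))]


def url_latency_report(transactions, order_by="avg_latency"):
    """Per-URL average server latency, transaction count and latency histogram."""
    empty = lambda: {"transactions": 0, "samples": [], "histogram": [0] * len(BUCKETS)}
    stats = defaultdict(empty)
    for tx in transactions:
        s = stats[tx["url"]]
        s["transactions"] += 1
        if tx["outcome"] not in SERVER_REACHED or tx["latency_ms"] is None:
            continue  # no request-response cycle, so no latency sample
        s["samples"].append(tx["latency_ms"])
        for i, (lo, hi) in enumerate(BUCKETS):
            if lo <= tx["latency_ms"] < hi:
                s["histogram"][i] += 1
                break
    rows = []
    for url, s in stats.items():
        avg = sum(s["samples"]) / len(s["samples"]) if s["samples"] else None
        rows.append({"url": url, "avg_latency_ms": avg,
                     "transactions": s["transactions"], "histogram": s["histogram"]})
    # Order by, as in the report's Order by setting: slowest or busiest URLs first.
    key = {"avg_latency": lambda r: -(r["avg_latency_ms"] or 0),
           "transactions": lambda r: -r["transactions"]}[order_by]
    rows.sort(key=key)
    return rows


def unified_scale_max(rows):
    """Largest histogram bucket count across all URLs: the single y-axis scale
    that the Unified Scale check box applies to every histogram."""
    return max((c for r in rows for c in r["histogram"]), default=0)
```

In the sample, /DOS/latency2.php averages 2000 ms and sorts first, while its Incomplete transaction and the blocked ones on the other URLs add to the transaction count without contributing latency.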