Manual Chapter : Viewing DDoS Reports Statistics and Logs

Applies To:

Show Versions Show Versions

F5 DDoS Hybrid Defender

  • 12.1.0
Manual Chapter

Investigating DoS attacks and mitigation

You can display a DoS Overview report that tells you whether or not a DoS attack is taking place, and shows information about the impact of DoS attacks on your system throughput and memory.
  1. On the Main tab, click Security > Reporting > DoS .
    The DoS Overview screen opens and displays real-time information about all DoS attacks on the system. The system displays attacks that either started or ended during the last hour, by default.
  2. Review the Recent Attacks log, Throughput, and RAM & CPU usage charts to see if there have been any recent DoS attacks.
    The Recent Attacks log lists recent DoS attacks and shows a flag for an attack in progress. The log includes the most recent 100 events per protocol for application and network attacks. So up to 200 attacks may be shown in the charts.
  3. If the information you are looking for is not shown, next to Logged Attacks, try increasing the time period selected.
    You can also filter the attacks to view only those which have High, Medium, or Low Impact by clicking the appropriate tab.
  4. To focus on specific details in the charts, point on the charts at the time you are interested in.
    The system displays the details about what was happening at that time in a tooltip. For example, pointing on the throughput chart at a specific time displays the number of bits in and bits out at that time.
  5. To learn more about attacks that have occurred, in the Recent Attacks log, click the Attack ID number.
    The system displays events associated with the attack. If there are more than 100 events, you can see a link to the Event Log, which you can click to see more events.
You can review the details about DoS attacks on the DoS Overview screen and quickly see whether or not you are under attack.

Sample DoS Overview screen

This figure shows a sample DoS Overview screen on a system that is having an attack.

The Overview screen includes information on throughput and RAM and CPU usage. Because the statistics vary from system to system, it is a good idea to become familiar with typical memory and CPU usage and throughput on your system as well as checking for recent attacks.

Sample DDoS overview report

Sample DDoS Overview screen

Click the down arrow next to the protected object (in the Virtual Server column) to find out what type of attack it is. Here you can see the attack is a UDP flood attack.

Events related to an attack

Displaying DDoS Events logs

You can display DoS Events logs to see whether DDoS attacks have occurred, and view information about the attacks. The logs show details about the DDoS events.
  1. On the Main tab, click Security > Event Logs > DoS .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.
  4. To view information about other types of DoS attacks, from the DoS menu, choose another event log to view:
    • For DNS DoS event logs, click DNS Protocol.
    • For SIP DoS event logs, click SIP Protocol.
    • For network firewall DoS event logs, click Network.
    • To view event logs if you are using Auto-Threshold Configuration and have selected Log Auto Threshold Events, click Auto Threshold.
    Many of the vectors set using device configuration, or when creating a protected object, include a setting for Auto-Threshold Configuration. You can log the auto-threshold events to see what values the system is setting based on the traffic it is handling.

Sample DDoS event log

This figure shows a sample DDoS event log on a system that is experiencing UDP flood attack. When the attack exceeds the maximum packets per seconds (50 pps), excess packets are dropped.

Sample DDoS event log

Displaying DoS Application Events logs

You can display DoS Application Events logs to see whether L7 DoS attacks have occurred, and view information about the attacks. The logs show details about the DoS events.
  1. On the Main tab, click Security > Event Logs > DoS > Application Events .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.

Viewing DoS transaction outcomes

You can display graphic charts that show transaction outcomes for DoS attacks on web applications that were detected on your system. The charts provide visibility into what caused the attack, IP addresses of the attackers, which applications are being attacked, and how the attacks are being mitigated.
  1. On the Main tab, click Security > Reporting > DoS > Application > Transaction Outcomes .
    The Transaction Outcomes screen opens and displays a graphical chart showing cumulative statistics about DoS attacks detected by the system.
  2. If you want to change the time frame for information shown in the chart, adjust the Display .. during settings.
    You can focus in on requests or responses only, and for the period of time you are interested in.
  3. To see the statistics for a specific time, point anywhere on the chart.
    Information about the transactions at that time pops up on the screen.
  4. If you want to view additional information, under the chart, from Drilldown to select the option for the details you want to see.
    For example, select Client IP Addresses to see the list of IP addresses involved in the attack, the number of transactions initiated by each one, and those which were valid, mitigated, and blocked.
  5. To view a report showing live traffic, click Open Real-Time Charts.
    A popup screen shows DoS statistics in real-time, and it is updated every 10 seconds.
By reviewing DoS Application Statistics, you can investigate the details of an attack. You can become more familiar with what caused the attacks, what applications are most vulnerable, and you see the mitigation methods that are in place. As a result of your investigation, you have more information to help you decide whether you need to tune the DoS configuration and add more protections, or change the thresholds in the DoS profile.
To get additional information if you are recording traffic during attacks, you can view the TCP dumps related to the DoS attacks in /shared/dosl7/tcpdumps.

Sample DoS Transaction Outcomes report

This figure shows a sample Transaction Outcomes report for a system on which there have been DoS attacks. The chart shows how the traffic has been handled by the system. It shows aggregated data that is updated every few minutes.

Sample DoS Transaction Outcomes report

You can adjust which elements are listed in the table below the chart. This figure lists the virtual servers that traffic is attempting to access. By clicking one of the virtual servers (or other objects listed), you can drill down to see what is happening with that specific traffic. For example, here attacks are primarily taking place on vs_210, and much of the traffic is being blocked.

You can also open a real-time chart that is constantly updated by clicking the Open Real-Time Charts link. It is a popup screen that you can leave displayed on your computer. It shows the traffic distribution on the system.

Sample DoS real-time chart

You can go back to the DoS Statistics report and change the values for what is displayed using the Display and during settings to see additional information. Viewing different statistical views is useful to understanding and tracking DoS attacks.

In the lower table on the screen, Latency (ms) indicates how long it takes (in milliseconds) from the time a request reaches the system, for it to proceed to the web application server, and return a response. Note that dropped or blocked requests that do not reach the server, do not register latency because there is no full request-response cycle.

Creating customized DoS reports

You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
  1. On the Main tab, click Security > Reporting > DoS > Application > Custom Page .
    The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
  2. Review the charts and tables provided, and click the configuration icon to adjust or delete them, as needed.
    • To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
    • To remove the widget from the custom page, click the gear icon and select Delete.
  3. To create a new widget to your specifications, click Add Widget.
    The Add New Widget popup screen opens where you can select custom options for what to include, the time frame, and how to display the information.
  4. Continue adjusting the custom page so that it shows the information you want.
    You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
  5. To save the information shown in the custom report to a file or email attachment, click Export and choose your options.
    You can also export the data from a single widget by selecting Export from the configuration icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.