Manual Chapter: Viewing DDoS Reports, Statistics, and Logs

Applies To: F5 DDoS Hybrid Defender 14.0.0

Reviewing statistics about ongoing attacks

The DoS Overview screen shows a snapshot of statistics about ongoing network, DNS, and SIP attacks, and allows you to adjust the vector settings for those attacks. It does not include HTTP statistics.
  1. Review the DoS attack information in the table.
    The information is initially filtered by DoS Attack and shows consistent or severe attacks.
  2. To view the information by different contexts, for Filter Type, select another filter.
    When you select filters other than DoS Attack, the DoS Overview shows ongoing attacks and any configuration changes that have occurred. For example, if filtering by Protected Object, you will see attacks on that specific object and any configuration changes that were made to it. The Device DoS filter shows all Device DoS vectors, regardless of attack state.
  3. To view the settings and thresholds used to determine an attack, select one of the attacks listed and click << in the upper right to open the Properties pane.
  4. In the Properties pane, adjust the settings as needed.
    For example, if you notice that normal activity is being classified as an attack, you can raise the thresholds for that vector in the Properties pane. Alternatively, you can disable a vector so that its traffic is allowed until you have investigated further.
  5. When you finish adjusting the settings, click Commit Changes to System.
You can continue to review DoS attack details using the DoS Overview screen to become more familiar with the types of attacks your network is experiencing, examining attack status, average traffic levels, dropped packets, and current thresholds. You may also want to review relevant settings for the protected object, protection profile, or device protection to further tune DoS protection. You can investigate further by looking at the charts and event logs on the Main tab under Visibility.

Investigating DDoS attacks and mitigation

On the DoS Dashboard, you can display an overview of DoS attack activity and review the corresponding system information.
  1. Use the time settings at the top of the screen to set a time range or refresh the information on screen.
    To immediately update the statistics on screen, adjust the time range or refresh settings.
    • Time Focus: Select the time range of the displayed data.
      Note: Additional time options become available as your system gathers more data.
    • Currently Selected Time Range: Displays the current time range of the displayed data.
    • Auto-Refresh Interval Selector: Select how frequently the data on this screen is refreshed.
    • Manual Refresh: Click Refresh to trigger an immediate refresh of the displayed data.
    • Manual Time Adjustment Handles: Set the data to a specific window of time within the currently selected time range. Use the handles at either end of the time line to define the specific time you want to examine. Use the handle above the time line to display data that is outside the selected time range.
    Note: Adjusting the time range to display previous data stops the auto-refresh so you can focus on a specific data point.
    You can zoom into a specific time range within a chart. Select an area within the chart and then click the magnifying glass icon.
    Note: Selecting a time range within the chart stops the screen's auto-refresh settings.
  2. Review the charts and tables that provide high-level information about your system's status.
    Tip: You can filter the entire screen's displayed data to correspond with a specific data point by selecting entities in the charts, tables, or map.
  3. Review the Attack Duration and Attacks areas for recent or ongoing DoS attacks.
  4. Review the Attack Duration area to determine the duration of each DoS attack over the selected time period, including ongoing attacks. In the Attack Duration chart, each horizontal bar represents an individual attack and indicates the start and end time of the attack, and the severity.
    An ongoing attack extends to the end of the chart.
    You can view additional attack information in the chart:
    • Hover over an individual attack to view attack details, including Attack ID, Mitigation, Severity, Trigger and Vector.
    • Hover over the chart area to view the number of attacks that occurred at a specific time in the chart legend.
  5. Review the Attacks area to determine the distribution of DoS attacks over the selected time period.
    • Use the # of Attacks table to view a breakdown of the number of attacks according to the attack severity.
      Note: You can select one or more values in this table to filter the entire screen according to an attack severity level.
    • Use the # of Attacks per Protocol chart to view the breakdown of attacks according to severity of attack and transaction protocol.
    • Use the table in this area to examine the details of each attack, according to Attack ID.
      Note: You can view more information by hovering over the table's data.
  6. Review the Virtual Servers area to determine the impact of DDoS attacks on your system's protected objects.
    • Use the Virtual Servers table to view a breakdown of your protected objects' health status according to each protected object's latency, client concurrent connections, and throughput.
    • Use the Virtual Servers Health chart to view a breakdown of protected objects according to health score for each performance indicator that is used to evaluate health status.
    • Use the table in this area to examine the health and corresponding attack details for each protected object.
  7. Review the tiles in the System Health area for a quick view of your BIG-IP system's health status. Each health tile is color coded according to the overall severity of each parameter for the entire system. The severity ranges are: Good, Moderate, Unhealthy, and Critical.
    Note: In a multi-blade system, each health parameter also displays the slots with the highest system activity.
    • Use the TMM CPU Usage tile to determine the status of the TMM's CPU usage, and if the system has crossed any critical thresholds.
      Note: You can select from the drop-down icon to view a list of the busiest cores. For a multi-blade system, a list of the busiest cores is available for each slot.
    • Use the Memory Usage tile to determine your system's average TMM memory usage (out of total RAM allocated to TMM processes), and if the system has crossed any critical thresholds.
    • Use the Client Throughput tile to determine the average rate, in bits per second, transmitted during client-side transactions with your BIG-IP system.
    • Use the Client Connections tile to determine the average number of client concurrent connections with your BIG-IP system over the selected time period.
  8. Review the Countries area for geolocation information regarding the traffic handled by your BIG-IP system.
    • Filter location information by client IP or the intended destination IP. Select Source to filter by client IP/country, or Destination (Network) to filter by server IP/country.
    • Use the map to evaluate the global distribution of traffic, and the frequency of attacks from a country origin or destination. Countries are color-coded according to the frequency of attacks. You can select a country within the map to filter the entire screen by IPs from that destination or origin.
      Note: Countries in grey do not have sufficient traffic information.
    • Use the table in this area to examine the traffic information by country.
  9. To view more details of your DoS activity, click Security > Reporting > DoS > Analysis.
    Tip: From the Dashboard, you can automatically filter specific Attack IDs or Virtual Servers in the DoS Analysis screen by selecting the chart icon from a table row.
You can continue to review the system snapshot using the DoS Dashboard screen to become more familiar with system activity during DoS attacks. You can also view the statistics in graphical charts and in tables, focusing on the specific data you need by using attack and dimension filters.

Sample DoS Dashboards

This figure shows a sample DoS Dashboard on a system that is currently experiencing a low-level DoS attack.

Sample DoS Dashboard

This figure shows a sample DoS Dashboard showing DoS attacks that occurred during the last week. Three of the attacks were critical, but all were mitigated within minutes.

Sample DoS Dashboard showing attacks

Displaying DDoS Event logs

You can display DoS Event logs to see whether DDoS attacks have occurred and to view information about them. The logs show details about each DDoS event.
  1. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  2. To view information about other types of DoS attacks, from the DoS menu on the bar at the top, choose another event log to view:
    • For DNS DoS event logs, click DNS Protocol.
    • For SIP DoS event logs, click SIP Protocol.
    • For network firewall DoS event logs, click Network.
    • To view the auto-threshold event logs, if you are using automatic threshold configuration and selected Log Auto Threshold Events, click Auto Threshold.

Displaying DoS Application Events logs

You can display DoS Application Events logs to see whether Layer 7 (L7) DoS attacks have occurred and to view information about them. The logs show details about each DoS event.
  1. On the Main tab, click Security > Event Logs > DoS > Application Events.
    The DoS Application Events screen opens. If Layer 7 DoS attacks were detected, it lists details about each DoS attack, such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.

Creating customized DoS reports

You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
  1. On the Main tab, click Security > Reporting > DoS > Custom Page.
    The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
  2. Review the charts and tables provided, and click the configuration (gear) icon to adjust or delete them as needed.
    • To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
    • To remove the widget from the custom page, click the gear icon and select Delete.
  3. To create a new widget to your specifications, click Add Widget.
    The Add New Widget popup screen opens, where you can select custom options for what to include, the time frame, and how to display the information.
  4. Continue adjusting the custom page so that it shows the information you want.
    You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
  5. To save the information shown in the custom report to a file or as an email attachment, click Export and choose your options.
    You can also export the data from a single widget by selecting Export from that widget's configuration (gear) icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.