Manual Chapter : Viewing DDoS Reports Statistics and Logs

Applies To:

Show Versions Show Versions

F5 DDoS Hybrid Defender

  • 13.0.0
Manual Chapter

Investigating DoS attacks and mitigation

You can display the DoS Dashboard to see whether or not a DoS attack is taking place, and display information about DoS attacks.
  1. On the Main tab, click Security > Reporting > DoS > Dashboard .
    The DoS Dashboard opens and displays real-time information about all DoS attacks on the system. The system displays information about attacks that either started or ended during the last hour, by default.
  2. Review the charts to see if there have been any recent DoS attacks.
  3. At the top of the screen, you can adjust the time frame and refresh details for the statistics.
    Option Description
    Time frame Specifies the time frame for which you want to display HTTP statistics (Last hour, Last day, Last week, and so on, or All to display all data).
    Auto-refresh interval Controls how often the statistics are refreshed on the screen (1 min., 5 min., 10min., or turns refresh Off.
    Refresh button Updates the statistics on the screen immediately.
    Timeline adjuster Shows the actual time frame for which statistics are currently displayed according to the time focus that is selected. On the graphic, drag the handles on either end to change the focus of the statistics.
    As you adjust the time settings, the statistics are updated on the screen.
  4. Initially, the data is unfiltered, and it displays all statistics it has for the time frame selected (Last hour, by default). To filter the data, select one or more dimensions in the right column.
    For example, you can filter by dimensions such as Attack IDs, Applications, Vectors, Countries, and so on. You can select more than one dimension, and one or more instances in a dimension. But note that some combinations are restricted.
    As you select dimensions or instances, the filtered statistics are displayed on the screen.
  5. To view the statistics in table form, expand the dimension, then drag the handle on the dimensions column to the left.
    Tip: To see the full column names, hover over the headings. To expand the table to the full width of the screen to see all of the columns, click the handle.
    Tables containing detailed statistics for the items in the dimensions are displayed.
  6. You can clear all filter selections or those for a dimension.
    • To clear all selections, click the gear icon at the top of the column and select Clear All.
    • To clear selections for a dimension, click the options icon (three horizontal lines to the left of the title), and select Clear Selection.
You can review the details about DoS attacks on the DoS Dashboard and quickly see whether or not you are under attack.

Sample DoS Overview screen

This figure shows a sample DoS Overview screen on a system that is having an attack.

The Overview screen includes information on throughput and RAM and CPU usage. Because the statistics vary from system to system, it is a good idea to become familiar with typical memory and CPU usage and throughput on your system as well as checking for recent attacks.

Sample DDoS overview report

Sample DDoS Overview screen

Click the down arrow next to the protected object (in the Virtual Server column) to find out what type of attack it is. Here you can see the attack is a UDP flood attack.

Events related to an attack

Sample DoS Dashboard

This figure shows a sample DoS Dashboard on a system that is having a low-level DoS attack now.

Sample DoS Dashboard

Sample DoS Dashboard

Displaying DDoS Events logs

You can display DoS Events logs to see whether DDoS attacks have occurred, and view information about the attacks. The logs show details about the DDoS events.
  1. On the Main tab, click Security > Event Logs > DoS .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.
  4. To view information about other types of DoS attacks, from the DoS menu, choose another event log to view:
    • For DNS DoS event logs, click DNS Protocol.
    • For SIP DoS event logs, click SIP Protocol.
    • For network firewall DoS event logs, click Network.
    • To view event logs if you are using Auto-Threshold Configuration and have selected Log Auto Threshold Events, click Auto Threshold.
    Many of the vectors set using device configuration, or when creating a protected object, include a setting for Auto-Threshold Configuration. You can log the auto-threshold events to see what values the system is setting based on the traffic it is handling.

Sample DDoS event log

This figure shows a sample DDoS event log on a system that is experiencing UDP flood attack. When the attack exceeds the maximum packets per seconds (50 pps), excess packets are dropped.

Sample DDoS event log

Displaying DoS Application Events logs

You can display DoS Application Events logs to see whether L7 DoS attacks have occurred, and view information about the attacks. The logs show details about the DoS events.
  1. On the Main tab, click Security > Event Logs > DoS > Application Events .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.

Viewing DoS transaction outcomes

You can display graphic charts that show transaction outcomes for DoS attacks on web applications that were detected on your system. The charts provide visibility into what caused the attack, IP addresses of the attackers, which applications are being attacked, and how the attacks are being mitigated.
  1. On the Main tab, click Security > Reporting > DoS > Application > Transaction Outcomes .
    The Transaction Outcomes screen opens and displays a graphical chart showing cumulative statistics about DoS attacks detected by the system.
  2. If you want to change the time frame for information shown in the chart, adjust the Display .. during settings.
    You can focus in on requests or responses only, and for the period of time you are interested in.
  3. To see the statistics for a specific time, point anywhere on the chart.
    Information about the transactions at that time pops up on the screen.
  4. If you want to view additional information, under the chart, from Drilldown to select the option for the details you want to see.
    For example, select Client IP Addresses to see the list of IP addresses involved in the attack, the number of transactions initiated by each one, and those which were valid, mitigated, and blocked.
  5. To view a report showing live traffic, click Open Real-Time Charts.
    A popup screen shows DoS statistics in real-time, and it is updated every 10 seconds.
By reviewing DoS Application Statistics, you can investigate the details of an attack. You can become more familiar with what caused the attacks, what applications are most vulnerable, and you see the mitigation methods that are in place. As a result of your investigation, you have more information to help you decide whether you need to tune the DoS configuration and add more protections, or change the thresholds in the DoS profile.
To get additional information if you are recording traffic during attacks, you can view the TCP dumps related to the DoS attacks in /shared/dosl7/tcpdumps.

Sample DoS Transaction Outcomes report

This figure shows a sample Transaction Outcomes report for a system on which there have been DoS attacks. The chart shows how the traffic has been handled by the system. It shows aggregated data that is updated every few minutes.

Sample DoS Transaction Outcomes report

You can adjust which elements are listed in the table below the chart. This figure lists the virtual servers that traffic is attempting to access. By clicking one of the virtual servers (or other objects listed), you can drill down to see what is happening with that specific traffic. For example, here attacks are primarily taking place on vs_210, and much of the traffic is being blocked.

You can also open a real-time chart that is constantly updated by clicking the Open Real-Time Charts link. It is a popup screen that you can leave displayed on your computer. It shows the traffic distribution on the system.

Sample DoS real-time chart

You can go back to the DoS Statistics report and change the values for what is displayed using the Display and during settings to see additional information. Viewing different statistical views is useful to understanding and tracking DoS attacks.

In the lower table on the screen, Latency (ms) indicates how long it takes (in milliseconds) from the time a request reaches the system, for it to proceed to the web application server, and return a response. Note that dropped or blocked requests that do not reach the server, do not register latency because there is no full request-response cycle.

Creating customized DoS reports

You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
  1. On the Main tab, click Security > Reporting > DoS > Application > Custom Page .
    The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
  2. Review the charts and tables provided, and click the configuration icon to adjust or delete them, as needed.
    • To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
    • To remove the widget from the custom page, click the gear icon and select Delete.
  3. To create a new widget to your specifications, click Add Widget.
    The Add New Widget popup screen opens where you can select custom options for what to include, the time frame, and how to display the information.
  4. Continue adjusting the custom page so that it shows the information you want.
    You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
  5. To save the information shown in the custom report to a file or email attachment, click Export and choose your options.
    You can also export the data from a single widget by selecting Export from the configuration icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.