Manual Chapter : Viewing DDoS Reports Statistics and Logs

Applies To:

F5 DDoS Hybrid Defender

  • 13.1.0

Investigating DoS attacks and mitigation

You can use the DoS Dashboard screen for an overview of DoS attack activity on your BIG-IP® system, and corresponding system information during DoS attacks.
  1. On the Main tab, click Security > Reporting > DoS > Dashboard .
    Tip: For quick navigation to the DoS Dashboard screen, on the Main tab go to Statistics > DoS Visibility .
    The DoS Dashboard screen opens and displays system information about all DoS attacks over a default time range.
  2. Use the time settings at the top of the screen to set a time range or refresh the information on screen.
    To immediately update the statistics on screen, adjust the time range or refresh settings.
    • Time Focus: Select the time range of the displayed data.
      Note: Additional time options become available as your system gathers more data.
    • Currently Selected Time Range: Displays the current time range of the displayed data.
    • Auto-Refresh Interval Selector: Select how frequently the data on this screen is refreshed.
    • Manual Refresh: Click Refresh to trigger an immediate refresh of the displayed data.
    • Manual Time Adjustment Handles: Set the data to a specific window of time within the currently selected time range. Use the handles at either end of the time line to define the specific time you want to examine. Use the handle above the time line to display data that is outside the selected time range.
    Note: Adjusting the time range to display previous data stops the auto-refresh so you can focus on a specific data point.
    You can zoom into a specific time range within a chart. Select an area within the chart and then click the magnifying glass icon.
    Note: Selecting a time range within the chart stops the screen's auto-refresh settings.
  3. Review the charts and tables that provide high-level information about your system's status.
    Tip: You can filter the entire screen's displayed data to correspond with a specific data point by selecting entities in the charts, tables or map.
  4. Review the Attack Duration and Attacks areas for recent or ongoing DoS attacks.
  5. Review the Attack Duration area to determine the duration of each DoS attack over the selected time period, including ongoing attacks. In the Attack Duration chart, each horizontal bar represents an individual attack and indicates the start and end time of the attack, and the severity.
    An ongoing attack extends to the end of the chart.
    You can view additional attack information in the chart:
    • Hover over an individual attack to view attack details, including Attack ID, Mitigation, Severity, Trigger and Vector.
    • Hover over the chart area to view the number of attacks that occurred at a specific time in the chart legend.
  6. Review the Attacks area to determine the distribution of DoS attacks over the selected time period.
    • Use the # of Attacks table to view a breakdown of the number of attacks according to the attack severity.
      Note: You can select one or more values in this table to filter the entire screen according to an attack severity level.
    • Use the # of Attacks per Protocol chart to view the breakdown of attacks according to severity of attack and transaction protocol.
    • Use the table in this area to examine the details of each attack, according to Attack ID.
      Note: You can view more information by hovering over the table's data.
  7. Review the Virtual Servers area to determine the impact of DoS attacks on your system's virtual servers.
    • Use the # of Virtual Servers table to view a breakdown of your virtual servers' health status according to each virtual server's latency, client concurrent connections, and throughput.
    • Use the Virtual Servers Health chart to view a breakdown of virtual servers according to health score for each performance indicator that is used to evaluate health status.
    • Use the table in this area to examine the health and corresponding attack details for each virtual server.
  8. Review the tiles in the System Health area for a quick view of your BIG-IP system's health status. Each health tile is color coded according to the overall severity of each parameter for the entire system. Severity ranges are as follows: Good, Moderate, Unhealthy and Critical.
    Note: In a multi-blade system, each health parameter also displays the slots with the highest system activity.
    • Use the TMM CPU Usage tile to determine the status of the TMM's CPU usage, and if the system has crossed any critical thresholds.
      Note: You can select from the drop-down icon to view a list of the busiest cores. For a multi-blade system, a list of the busiest cores is available for each slot.
    • Use the Memory Usage tile to determine your system's average TMM memory usage (out of total RAM allocated to TMM processes), and if the system has crossed any critical thresholds.
    • Use the Client Throughput tile to determine the average rate of bits per second transmitted during client-side transactions with your BIG-IP system.
    • Use the Client Connections tile to determine the average number of client concurrent connections with your BIG-IP system over the selected time period.
  9. Review the Countries area for information about the geolocation of traffic handled by your BIG-IP system.
    • Filter location information by client IP or by the intended destination IP. Select Source to filter by client IP/country, or Destination (Network) to filter by server IP/country.
    • Use the map to evaluate the global distribution of traffic and the frequency of attacks by country of origin or destination. Countries are color-coded according to the frequency of attacks. You can select a country within the map to filter the entire screen by IPs from that destination or origin.
      Note: Countries in grey do not have sufficient traffic information.
    • Use the table in this area to examine the traffic information by country.
  10. To view more details of your DoS activity, click Security > Reporting > DoS > Analysis .
    Tip: From the Dashboard, you can automatically filter specific Attack IDs or Virtual Servers in the DoS Analysis screen by selecting the chart icon from a table row.
You can continue to review the system snapshot using the DoS Dashboard screen. As a result, you become more familiar with your system's activities during DoS attacks. You can also view the statistics in graphical charts and in tables, focusing on the specific data you need using attack and dimension filters.

Sample DoS Dashboards

This figure shows a sample DoS Dashboard on a system that is currently experiencing a low-level DoS attack.

Sample DoS Dashboard

This figure shows a sample DoS Dashboard showing DoS attacks that occurred during the last week. Three of the attacks were critical but all were mitigated within minutes.

Sample DoS Dashboard showing attacks

Displaying DDoS Event logs

You can display DoS Event logs to see whether DDoS attacks have occurred and to view information about those attacks. The logs show details about each DDoS event.
  1. On the Main tab, click Security > Event Logs > DoS .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.
  4. To view information about other types of DoS attacks, from the DoS menu, choose another event log to view:
    • For DNS DoS event logs, click DNS Protocol.
    • For SIP DoS event logs, click SIP Protocol.
    • For network firewall DoS event logs, click Network.
    • To view event logs if you are using Auto-Threshold Configuration and have selected Log Auto Threshold Events, click Auto Threshold.
    Many of the vectors set using device configuration, or when creating a protected object, include a setting for Auto-Threshold Configuration. You can log the auto-threshold events to see what values the system is setting based on the traffic it is handling.

Displaying DoS Application Events logs

You can display DoS Application Events logs to see whether L7 DoS attacks have occurred and to view information about those attacks. The logs show details about each DoS event.
  1. On the Main tab, click Security > Event Logs > DoS > Application Events .
    The DoS Application Events screen opens, and if Layer 7 DoS attacks were detected, it lists the details about the DoS attack such as the start and end times, how it was detected and mitigated, the attack ID, and so on.
  2. If DoS attacks are listed, review the list of attacks to see what has occurred, when it occurred, the mitigation, and the severity of the attack.
  3. From the event log, click the Attack ID link for an attack or event to display information about the attack in a graphical chart.

Creating customized DoS reports

You can create a customized DoS reporting screen so that it shows the specific data you are interested in, such as the top DoS attacks and server latency.
  1. On the Main tab, click Security > Reporting > DoS > Application > Custom Page .
    The DoS Custom Page screen opens, and shows default widgets (sections) you may find useful.
  2. Review the charts and tables provided, and click the configuration icon to adjust or delete them, as needed.
    • To modify the widget and change what it displays, click the gear icon and select Settings. On the popup screen, adjust the values that control what is displayed.
    • To remove the widget from the custom page, click the gear icon and select Delete.
  3. To create a new widget according to your specifications, click Add Widget.
    The Add New Widget popup screen opens where you can select custom options for what to include, the time frame, and how to display the information.
  4. Continue adjusting the custom page so that it shows the information you want.
    You can drag and drop the widgets to change the order in which they are displayed. You can set the time range for all widgets or for each one separately.
  5. To save the information shown in the custom report to a file or email attachment, click Export and choose your options.
    You can also export the data from a single widget by selecting Export from the configuration icon.
You have created a custom page that includes the information you need to monitor your system. As you use the reports to investigate DoS attacks, you can adjust the custom page to include additional data that you need. You can save the reports or send them to others who want to review the data.