F5 ASM - Denial of Service (DoS) Mitigation

From time to time, I talk about techniques and methods of DoS attacks with workmates and customers, and when we speak about it, most of them always think about DDoS Attacks where a botnet flood the targeted server with excessive bandwidth consumption. However, we shouldn’t forget that an attacker can also make services unavailable with just requesting heavy URLs. Therefore, it’s not necessary to have lots of resources, neither a botnet, to make services unavailable because it can also be accomplish with a simple DoS Attack.

Mainly, there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly, volumetric attacks, like UDP Flood Attacks or Amplification DDoS Attacks, which are the most known DoS attacks. Secondly, computational attacks, like SYN Flood Attacks, are less known than volumetric attacks where attackers want to exhaust resources such as firewall session tables. Finally, application attacks, like HTTP Flood Attacks, are easy to execute with DoS attack tools such as LOIC or slowloris. However, these last attacks are little known by companies and most of them even don’t know how to mitigate it nor which mitigation tools are on the market.

DoS Attacks Categories

When we are mitigating DoS attacks, it’s important to have a good classification between malicious traffic and legitimate traffic because the mitigation process could also block legitimate users when DoS mitigation tools are not well configured. In addition, DoS attacks are increasingly sophisticated and targeted which are delivered in SSL traffic as well against servers and applications. As a result, behavioural analytics, ultra-fast automated detection and comprehensive protection are required for a good mitigation strategy.

F5 BIG-IP WAF is also able to detect and block DoS attacks. We can watch in the next video how I configure a DoS profile to detect and block attacks based in TPS (Transactions Per Second). When the bot iMacros requests two transactions per second, the DoS profile blocks requests and the DoS attack is stopped. In addition, the video shows how to block DoS attacks with a CAPTCHA challenge to find out who is behind the web server whether a bot or a human being. Last but not least, DoS reporting are very important to know what’s going on and what happened in the services.

Regards my friends and don’t forget to protect your services.


  1. David, de tu experiencia ASM puede manejar ataques DDoS volumétricos?

    Porque se que los de aplicación y los de cómputo los mitiga sin problemas.


  2. Buenas Leonardo,

    lo ideal sería bloquear el ataque volumétrico en la capa 3 o 4. Por tanto, para esta tarea sería mejor un cortafuegos de red. Por ejemplo el módulo AFM de F5.

    Dependiendo de la dimensión del ataque, puede llegar a ser muy complejo de bloquear. A veces puede requerir cambio de rutas BGP en el proveedor de acceso a Internet.

    El módulo ASM de F5 está especializado como firewall de aplicaciones WEB, por tanto, trabaja bien en capa 7.

    Gracias, y cualquier aportación es bienvenida!!



Enregistrer un commentaire