f5-appsvcs-extension
DOS_Profile.application.stressBasedDetection.badActor - Use TLS patterns as part of host identification
Environment
- Application Services Version: 3.34.0
- BIG-IP Version: 15.1.5
Summary
There does not appear to be an option to enable the "Use TLS patterns as part of host identification" option when creating a DDoS Profile: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schemaref/DOS_Profile.schema.json.html?highlight=stressbaseddetection#dos-profile-application-stressbaseddetection-badactor-object
| Property | Description |
|---|---|
| acceleratedSignaturesEnabled | Enables signature detection before the connection establishment |
| detectionEnabled | Enables traffic behavior, server's capacity learning, and anomaly detection |
| mitigationMode | Specifies mitigation impact on suspicious bad actors/requests |
| signatureDetectionEnabled | Enables request signature detection |
| tlsSignaturesEnabled | Enables tls signature detection before the connection establishment |
| useApprovedSignaturesOnly | Limits request signature detection to approved signatures only |
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration:
```json
{
  "class": "ADC",
  "schemaVersion": "3.34.0",
  "id": "DOS_Profile",
  "Sample_dos_01": {
    "class": "Tenant",
    "DOSApp": {
      "class": "Application",
      "Service": {
        "class": "Service_HTTP",
        "virtualAddresses": [
          "192.0.2.1"
        ],
        "profileDOS": {
          "use": "DOS_Profile2"
        }
      },
      "DOS_Profile2": {
        "class": "DOS_Profile",
        "application": {
          "stressBasedDetection": {
            "badActor": {
              "detectionEnabled": true,
              "mitigationMode": "standard",
              "signatureDetectionEnabled": true,
              "tlsSignaturesEnabled": true,
              "useApprovedSignaturesOnly": false
            },
            "operationMode": "blocking",
            "thresholdsMode": "automatic",
            "escalationPeriod": 120,
            "deEscalationPeriod": 7200,
            "sourceIP": {
              "rateLimitingEnabled": false
            },
            "url": {
              "rateLimitingEnabled": false
            }
          }
        }
      }
    }
  }
}
```
- Observe the following error response:
```json
{
  "results": [
    {
      "code": 200,
      "message": "success",
      "lineCount": 19,
      "host": "localhost",
      "tenant": "Sample_dos_01",
      "runTime": 2854
    }
  ],
  "declaration": {
    "Sample_dos_01": {
      "class": "Tenant",
      "DOSApp": {
        "class": "Application",
        "Service": {
          "class": "Service_HTTP",
          "virtualAddresses": [
            "192.0.2.1"
          ],
          "profileDOS": {
            "use": "DOS_Profile2"
          }
        },
        "DOS_Profile2": {
          "class": "DOS_Profile",
          "application": {
            "stressBasedDetection": {
              "badActor": {
                "detectionEnabled": true,
                "mitigationMode": "standard",
                "signatureDetectionEnabled": true,
                "tlsSignaturesEnabled": true,
                "useApprovedSignaturesOnly": false
              },
              "operationMode": "blocking",
              "thresholdsMode": "automatic",
              "escalationPeriod": 120,
              "deEscalationPeriod": 7200,
              "sourceIP": {
                "rateLimitingEnabled": false
              },
              "url": {
                "rateLimitingEnabled": false
              }
            }
          }
        }
      }
    },
    "class": "ADC",
    "schemaVersion": "3.34.0",
    "id": "DOS_Profile",
    "updateMode": "selective",
    "controls": {
      "archiveTimestamp": "2022-02-08T10:24:58.348Z"
    }
  }
}
```
Expected Behavior
Options to be able to use TLS fingerprinting to identify Bad Actor Hosts
Actual Behavior
No option available
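The report above shows the declaration being accepted with a 200 while the wanted option simply has nowhere to go. The following is an added example (not the issue author's declaration tooling and not AS3 code) that walks a declaration, finds every `DOS_Profile`, and compares its `badActor` keys against the six properties the 3.34.0 schema reference documents. The embedded declaration is a copy of the one in the issue; the key `tlsPatternsEnabled_PLACEHOLDER` is an invented stand-in for the missing TLS-pattern option and is not a real AS3 property.

```python
"""Added example: check a declaration's DOS_Profile badActor block against the
documented AS3 3.34.0 property set before submitting it. Not part of AS3."""
import copy

# The badActor properties documented in the schema reference quoted above.
# Any other key is outside the documented schema for this version.
DOCUMENTED_BAD_ACTOR_KEYS = frozenset({
    "acceleratedSignaturesEnabled",
    "detectionEnabled",
    "mitigationMode",
    "signatureDetectionEnabled",
    "tlsSignaturesEnabled",
    "useApprovedSignaturesOnly",
})


def find_dos_profiles(declaration):
    """Return [(path, profile)] for every object whose class is DOS_Profile."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("class") == "DOS_Profile":
                found.append(("/".join(path), node))
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])

    walk(declaration, [])
    return found


def bad_actor_report(profile):
    """Return (documented keys set in this profile, keys outside the schema)."""
    bad_actor = (profile.get("application", {})
                 .get("stressBasedDetection", {})
                 .get("badActor", {}))
    keys = set(bad_actor)
    return (sorted(keys & DOCUMENTED_BAD_ACTOR_KEYS),
            sorted(keys - DOCUMENTED_BAD_ACTOR_KEYS))


def check_declaration(declaration):
    """Map each DOS_Profile path in the declaration to its badActor report."""
    return {path: bad_actor_report(profile)
            for path, profile in find_dos_profiles(declaration)}


def sample_declaration():
    """Constructed copy of the declaration posted in the issue."""
    return {
        "class": "ADC", "schemaVersion": "3.34.0", "id": "DOS_Profile",
        "Sample_dos_01": {
            "class": "Tenant",
            "DOSApp": {
                "class": "Application",
                "Service": {
                    "class": "Service_HTTP",
                    "virtualAddresses": ["192.0.2.1"],
                    "profileDOS": {"use": "DOS_Profile2"},
                },
                "DOS_Profile2": {
                    "class": "DOS_Profile",
                    "application": {
                        "stressBasedDetection": {
                            "badActor": {
                                "detectionEnabled": True,
                                "mitigationMode": "standard",
                                "signatureDetectionEnabled": True,
                                "tlsSignaturesEnabled": True,
                                "useApprovedSignaturesOnly": False,
                            },
                            "operationMode": "blocking",
                            "thresholdsMode": "automatic",
                            "escalationPeriod": 120,
                            "deEscalationPeriod": 7200,
                            "sourceIP": {"rateLimitingEnabled": False},
                            "url": {"rateLimitingEnabled": False},
                        }
                    },
                },
            },
        },
    }


def sample_declaration_with_placeholder():
    """Same declaration plus a placeholder key standing in for the TLS-pattern
    option the issue asks for. The name is invented for this check only."""
    decl = copy.deepcopy(sample_declaration())
    profile = decl["Sample_dos_01"]["DOSApp"]["DOS_Profile2"]
    profile["application"]["stressBasedDetection"]["badActor"][
        "tlsPatternsEnabled_PLACEHOLDER"] = True
    return decl


if __name__ == "__main__":
    for label, decl in (("as submitted", sample_declaration()),
                        ("with placeholder", sample_declaration_with_placeholder())):
        for path, (documented, unknown) in check_declaration(decl).items():
            print(f"{label}: {path}: set={documented} outside_schema={unknown}")
```

Running it on the submitted declaration shows all five configured keys are documented and nothing is outside the schema, which is why AS3 reports success: the TLS-pattern option was never part of the request. Adding the placeholder key makes it show up under `outside_schema`, which is the condition a pre-submit check should flag so the gap is caught before the declaration is posted rather than discovered on the BIG-IP afterwards.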
Thank you for your feedback. Since this is a request to expose a tmsh property that AS3 does not yet support, I am changing this to a feature request.
@bwearp please can you send me the required tmsh command you need to be added to AS3. Please contact me at [email protected]