TTechclick ⚡ XP 0% All lessons
F5 · BIG-IP ASM · L7 DoS ProtectionInteractive · L1 / L2 / L3

F5 L7 DoS Protection — TPS, Stress-Based & Behavioral DoS

It's a Flipkart festival sale. Traffic to the checkout app jumps 20×. A naive transaction-rate guard panics and starts blocking real shoppers — a self-inflicted outage. Meanwhile the servers were perfectly healthy. This lesson shows you the smarter way: the F5 BIG-IP Advanced WAF (formerly ASM) DoS profile and its three detection methods — TPS-based, Stress-based, and machine-learning Behavioral DoS — so you stop a real L7 flood without ever mistaking your own customers for an attack.

📅 2026-06-02 · ⏱ 11 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline · maps to F5 303

⚡ Quick Answer

Learn F5 BIG-IP Advanced WAF (formerly ASM) L7 DoS protection the AI-era way — the DoS profile's three detection methods (TPS-based, Stress-based, Behavioral DoS), Transparent vs Blocking modes, mitigation actions, and why stress-based beats raw TPS. 11 min.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Where L7 DoS Lives

The DoS profile ▸ Application Security tab, the virtual server, and why L7 ≠ network DDoS.

 2

TPS-Based Detection

Detection vs history interval, "TPS increased by" + "TPS reached", and the false-positive trap.

 3

Stress & Behavioral DoS

Server latency + a suspicious entity. ML-learned baseline, dynamic signatures, BADoS.

 4

Modes & Mitigation

Transparent vs Blocking, client-side integrity → CAPTCHA → block, mitigation levels, validate.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A pure TPS-based profile blocks real shoppers during a Flipkart flash sale, while the servers stay healthy. Why?

Answered in Path 2 — TPS-Based Detection. (Spoiler: rate alone can't tell a sale from a flood.)

2. Stress-based detection sees latency climb. Will it mitigate on latency alone?

Answered in Path 3 — Stress & Behavioral DoS.

3. You set Operation Mode to Transparent and a flood hits. What does BIG-IP do?

Answered in Path 4 — Modes & Mitigation. Transparent = see, don't act.

Most engineers think…

"L7 DoS protection means I count requests per second, and when the number gets high, I block."

Wrong — and that wrong instinct is how you take yourself down. A raw transaction-per-second threshold can't tell a genuine Flipkart festival sale from a botnet flood; both look like "lots of requests, fast". Crank the threshold low and you block paying customers on your busiest day. Real L7 DoS protection asks a smarter question: is the server actually buckling? The F5 BIG-IP Advanced WAF (formerly ASM) DoS profile gives you three detection methods — TPS, stress-based, and machine-learning behavioral — so mitigation fires on a real attack, not on success. This lesson builds that instinct.

① Where L7 DoS lives — the DoS profile, not the network

Picture a stadium turnstile. A naive guard counts heads per minute and slams the gate when the count spikes — but a sold-out match looks exactly like a stampede to a head-counter. A wiser guard watches whether the gate itself is buckling, and learns what a normal Saturday rush feels like. That difference — counting vs sensing strain — is the whole story of F5 L7 DoS.

First, scope. This lesson is strictly Layer-7 application DoS — HTTP/HTTPS request floods, slow-and-low attacks, and resource-exhausting requests. It is configured in the DoS profile under its Application Security settings, and the profile is attached to a virtual server. Network/transport DDoS (SYN floods, UDP amplification) lives in a different place (the AFM/device DoS profile) and is out of scope here.

The DoS profile's Application Security tab gives you three detection methods: TPS-based, Stress-based, and Behavioral DoS (BADoS). You can run them together. The art is knowing which one decides, and in which mode.

👉 So far: L7 DoS is configured in the DoS profile ▸ Application Security tab and attached to a virtual server; it has three detection methods. Next, follow a request to the moment a detection method decides.
Figure 1 — A request reaches the DoS profile: three detectors decide, one mode acts
A left-to-right architecture diagram. HTTP requests from untrusted clients hit a BIG-IP virtual server that has a DoS profile attached. The DoS profile's Application Security settings run three detection methods in parallel: TPS-based detection, stress-based detection, and Behavioral DoS, which compares against a machine-learned baseline. If an attack is detected, the operation mode decides the outcome: Transparent only logs and reports, while Blocking applies mitigation actions such as client-side integrity defense, CAPTCHA, request blocking and rate limiting. A green note marks that legitimate clients pass through. Follow an HTTP request to the moment the DoS profile decides Untrusted / attacker Detection / decision Allowed (legit) Key insight HTTP requests bots + real users mixed Virtual server DoS profile attached Application Security tab Three detection methods (run together) ① TPS-based rate ratio detect vs history ② Stress-based server latency + suspicious entity ③ Behavioral ML baseline + dynamic sigs Operation Mode = Transparent detect · log · report only — no drop Mode = Blocking mitigation actually applies Mitigation: client-side integrity → CAPTCHA → request blocking / rate limiting scoped by Source IP · Device ID · Geolocation · URL · Site-Wide Legit clients pass through browsers solve the JS challenge silently Network/L3-4 DDoS is a separate device DoS profile (AFM) — this is strictly the L7 Application Security path.
Three detectors run together; the Operation Mode decides whether a match is merely seen (Transparent) or actually stopped (Blocking). Mitigation escalates from a silent JS challenge up to blocking.

Sneha at Infosys faces this

Sneha built a DoS profile, attached it to the virtual server, ran a load test — and nothing was detected or mitigated. The profile "doesn't work".

Likely cause

The DoS profile is enabled but the Application Security detection methods are all Off, or Operation Mode is set to Transparent so it only logs — it never mitigates.

Diagnosis

Open the profile and confirm a detection method is enabled and the mode is right.

Security ▸ DoS Protection ▸ DoS Profiles ▸ profile ▸ Application Security
Fix

Enable a detection method (TPS or Stress-based), then set Operation Mode = Blocking once you've baselined in Transparent. Confirm the profile is bound to the right virtual server.

Verify

Re-run the test. Security ▸ Reporting ▸ DoS ▸ DoS Visibility now shows the attack, the detection method, and the mitigation that fired.

▶ Watch a flood hit a Blocking profile — then watch Transparent mode let it through

Rahul at TCS runs a DoS profile in Blocking mode. Press Play for the healthy detect-and-mitigate path, then Break it to see what Transparent mode does to the same attack.

① FLOODA botnet POSTs /login at 12,000 TPS from many source IPs
② DETECTDetection interval TPS spikes far above the history baseline → attack flagged
③ CHALLENGEMode = Blocking → client-side integrity defense: real browsers solve it, scripts can't
④ MITIGATEClients that fail the challenge are rate-limited / blocked; the app stays up
Press Play to step through the healthy detect-challenge-mitigate path. Then press Break it.
Quick check · Q1 of 10

A TPS-based DoS profile blocked thousands of real shoppers during a Flipkart festival sale, even though the servers were healthy. What is the root cause?

Correct: b. TPS counts rate, nothing else. A real crowd raises the rate exactly like a flood, so a pure TPS threshold mistakes success for an attack. Stress-based detection avoids this by requiring a server-latency increase before it calls traffic an attack.

Pause & Predict

TPS-based detection compares a recent request rate against a baseline rate. What two time windows do you think F5 uses for "recent" vs "baseline", and roughly how long is each? Type your guess.

Answer: The detection interval is a short-term average of recent requests/sec (updated about every 10 seconds); the history interval is a long-term average over roughly the past hour. TPS-based detection fires when the short interval rises sharply over the long baseline — that's the "TPS increased by" ratio. Exactly Path 2.

② TPS-based detection — counting the turnstile

The simplest detector is the turnstile counter. TPS-based detection watches the transaction rate and fires when it spikes. It is the most intuitive method — and the one with the most false positives if you misuse it.

The clever part is that it doesn't use a single fixed number. It compares two moving averages:

An attack is flagged when the short interval jumps sharply over the long baseline. You express that with two thresholds, per scope:

You can apply detection by Source IP, by Device ID, by Geolocation, by URL, or Site-Wide — so you can catch "one IP hammering one URL" separately from "the whole site is flooded".

Analogy: a head-counter at a turnstile. It knows a normal Monday is ~50 people/min (history). When it suddenly sees 800/min (detection), it shouts "attack!". The flaw is obvious — a real festival crowd also pushes 800/min, and the counter can't tell the difference. That's the false-positive trap, and it's exactly why stress-based detection exists.

Pro tip — use both thresholds, and the right scope

Set "TPS increased by" for the relative spike and "TPS reached" for the absolute ceiling — the ratio handles steady-state, the ceiling catches a flood that arrives before a baseline is learned. Scope by Source IP to pin a single attacker without touching healthy site-wide traffic. But remember: pure TPS still can't tell a sale from a flood. Treat it as a fast first signal, not the final word.

👉 So far: TPS-based detection compares a short detection interval against a long history interval, with "increased by" and "reached" thresholds. Its weakness is it can't tell a crowd from an attack. Next, see the rate ratio decide — then break it.
Figure 2 — Same traffic spike: TPS-only blocks the sale, stress-based lets it through
A before-and-after comparison panel. Both panels show the same Flipkart festival traffic spike where transactions per second jump well above the history baseline. In the top panel, TPS-based detection alone treats the spike as an attack and blocks real shoppers, even though server latency is normal — a false positive. In the bottom panel, stress-based detection sees the same spike but checks server latency, finds it normal, and allows the traffic, so the sale succeeds. The key insight is that stress-based detection adds server latency as a second condition. One Flipkart festival spike. Two detectors. Opposite outcomes. TPS-based detection ALONE — control sees only rate history baseline detection ↑ 20× "rate spiked → attack" latency never checked BLOCKS shoppers false positive ✗ Stress-based detection — control also senses server strain same spike, same rate server latency: flat / normal rate high BUT latency OK → not an attack ALLOWS the sale app stays up ✓ The aha: stress-based adds a second condition — server latency. High rate + healthy server = a crowd, not an attack.
Control OFF (TPS-only) blocks your own customers on the biggest sales day. Control ON (stress-based) checks whether the server is actually buckling first — so a real spike sails through.

Priya at Flipkart faces this

Priya set a low "TPS reached" threshold in Blocking mode "to be safe". On the next festival sale, legitimate shoppers got challenged and dropped. The business escalated hard.

Likely cause

Pure TPS-based Blocking with an absolute ceiling far below the legitimate peak. A real crowd crossed the line and was mitigated as an attack — even though servers were healthy.

DiagnosisSecurity ▸ DoS Protection ▸ DoS Profiles ▸ profile ▸ Application Security ▸ TPS-based Detection
Fix

Enable Stress-based Detection so mitigation triggers only when server latency rises, raise the TPS ceiling above the real sales peak, and rely on the "TPS increased by" ratio plus stress — not a low absolute number alone.

Verify

Replay the sale-day traffic in Transparent first. DoS Visibility shows zero mitigation on the healthy spike, while a synthetic flood (high rate + induced latency) still gets caught.

F5 Advanced WAF Architecture & Deployment F5 ASM Hands-on Simulator
Quick check · Q2 of 10

In the F5 DoS profile, what is the difference between the detection interval and the history interval for TPS-based detection?

Correct: c. The detection interval is "right now" (a short recent average, refreshed about every 10 seconds); the history interval is your normal baseline over roughly the past hour. A sharp rise of the short interval over the long one is the "TPS increased by" trigger.

Pause & Predict

Stress-based detection is coming next. You want a detector that does NOT fire on a healthy traffic spike. What extra signal — beyond request rate — could the BIG-IP measure to know the server is genuinely in trouble? Type your guess.

Answer: Server latency — how long the backend takes to respond. Stress-based detection watches latency and treats traffic as an attack only when latency rises and at least one entity (a source IP, URL, geolocation, or site-wide) looks suspicious. A healthy spike raises rate but not latency, so it's left alone. That's Path 3.

③ Stress-based & Behavioral DoS — sensing strain, then learning normal

TPS counts. The smarter methods sense and learn.

Stress-based detection — wait for the server to actually buckle

Stress-based detection watches server latency. Critically, it does not mitigate on latency alone — F5's own rule is that it takes a latency increase and at least one suspicious source IP, device ID, URL, heavy URL, geolocation, or site-wide entry for the activity to be considered an attack. Two conditions, not one.

That second condition is the whole point. A genuine Flipkart sale raises rate but the well-provisioned backend stays fast — latency is flat — so stress-based stays quiet. A real flood drives latency up and concentrates on a suspicious entity, so it fires. You can run thresholds in Automatic (BIG-IP self-tunes from observed latency) or Manual mode.

Analogy: instead of counting people at the turnstile, the guard watches whether the gate is bending. A packed-but-orderly crowd doesn't bend the gate; a crush does.

Behavioral DoS (BADoS) — auto-learn normal, build dynamic signatures

Behavioral DoS is the machine-learning method, enabled within the stress-based settings. It continuously learns the typical behavior of normal traffic, then combines that learned baseline with server stress to spot anomalies — "what changed, and who caused the congestion?".

It has two engines you toggle:

The mitigation is phased: BADoS first applies a global rate limit just to protect the server, then — once it has computed dynamic signatures — narrows to block only traffic matching those signatures. As the server recovers, the thresholds re-calculate against current health. It gets more accurate the longer it runs.

Analogy: BADoS is the veteran guard who has worked every match for years. They know exactly what a normal Saturday crowd feels like, so when something is off they can describe the troublemaker precisely ("hoodie, gate 4, pushing") — that description is the dynamic signature.

👉 So far: stress-based = latency + a suspicious entity (two conditions); Behavioral DoS learns normal and builds dynamic signatures, mitigating with a global rate-limit first, then signature-only blocking. Next, a side-by-side so you pick the right method fast.
Figure 3 — TPS vs Stress-based vs Behavioral DoS — when to use which
Three columns compare TPS-based, stress-based, and Behavioral DoS detection across what each one watches, what triggers an attack, whether it self-learns, false-positive risk, and a typical use. TPS-based watches transaction rate and triggers on a rate ratio with no learning and medium-to-high false-positive risk; stress-based watches server latency and triggers on latency plus a suspicious entity with low risk; Behavioral DoS uses a machine-learned baseline and dynamic signatures with the lowest risk. Pick the method by what it senses and your false-positive tolerance Watches Triggers on Self-learns? False-positive risk Typical use TPS-based Stress-based Behavioral (BADoS) Transaction rate Server latency Learned behavior + stress rate ratio / absolute "reached" latency ↑ AND a suspicious entity anomaly vs the ML baseline No — you set thresholds Auto or Manual thresholds Yes — continuous ML Medium–High Low Lowest (signatures) "one IP hammering" fast, blunt first signal "is the app buckling?" spike-safe baseline "zero-day flood, no rule" surgical, self-tuning Rule of thumb: run Stress-based + Behavioral DoS together; use TPS as a fast coarse signal. Latency > rate; learned > configured.
TPS is your blunt first signal. Stress-based is spike-safe (latency-aware). Behavioral DoS is the surgical, self-learning method with dynamic signatures. Run them together.

▶ Watch Behavioral DoS learn, detect, and build a dynamic signature

Karthik at Wipro enables BADoS on the app. Play the learn-then-mitigate flow, then Break it to see the classic premature-mitigation mistake.

① LEARNBADoS watches normal traffic for hours and builds an ML baseline of what "normal" looks like
② DETECTLatency climbs + traffic deviates from the baseline → BADoS flags an anomaly
③ GLOBAL LIMITFirst mitigation: a global rate limit just to keep the server alive
④ SIGNATUREBADoS computes a dynamic signature → now blocks only matching attack traffic; real users freed
Press Play for the correct learn-detect-signature flow. Then press Break it.

The detection methods & key controls — tap each card

Each card front names the control; the back gives you the "so what" — when to reach for it.

🔢
TPS-based
tap to flip

Detection interval vs history interval; "TPS increased by" + "TPS reached". So what: fast, blunt first signal — but can't tell a sale from a flood. Don't run it alone in Blocking.

📈
Stress-based
tap to flip

Needs server latency ↑ AND a suspicious entity (IP/URL/geo/site-wide). So what: spike-safe — a healthy crowd raises rate but not latency, so it's left alone.

🧠
Behavioral DoS
tap to flip

Learns normal with ML, builds dynamic request signatures, mitigates global-limit-then-signature. So what: catches zero-day floods with no pre-written rule — surgical, self-tuning.

🚦
Operation Mode
tap to flip

Transparent = detect/log/report only; Blocking = actually mitigate. So what: always baseline in Transparent first, then flip to Blocking — or you mitigate a healthy spike.

Quick check · Q3 of 10

Stress-based detection sees server latency climb, but no single source IP, URL, or geolocation looks suspicious. Will it mitigate?

Correct: d. Two conditions, by design: latency must rise and a suspicious entity must be present. Latency alone is deliberately not enough — that's what stops a healthy spike (or a slow backend day) from being mitigated as an attack.

Pause & Predict

You're about to enable a brand-new DoS profile on a production Flipkart virtual server. Before you flip it to Blocking — what one thing could it silently break, and what mode should you use first instead? Type your guess.

Answer: A healthy traffic spike (a sale, a salary-day login rush) could be mitigated as an attack. Start in Transparent mode (and Behavioral DoS in No Mitigation / learning), watch the DoS Visibility reports to build a baseline, tune thresholds, then switch to Blocking. Going straight to aggressive Blocking is how you take yourself down on your busiest day.

④ Operation Mode & mitigation — see it, then stop it

Detection decides whether something is an attack. The Operation Mode decides what BIG-IP does about it. This is the single most misunderstood toggle on the profile.

Mitigation actions — escalate gently

When a detection method fires in Blocking mode, BIG-IP doesn't just hard-drop everyone. It escalates:

Each is scoped by Source IP, Device ID, Geolocation, URL, or Site-Wide, so you pin the attacker without punishing the whole site. This is why client-side integrity is such a powerful first step — most volumetric L7 floods are bots that fail it instantly.

Behavioral DoS mitigation levels — and where the signatures live

Behavioral DoS adds its own Mitigation setting on top of the mode:

The auto-generated dynamic signatures appear under Security ▸ DoS Protection ▸ Signatures (tick the Dynamic box). Each can be in Mitigate, Detect Only, Learn Only, or Disabled — so you can watch a signature form before you let it block.

https://192.168.10.20/tmui — BIG-IP Configuration Utility
Security » DoS Protection : DoS Profiles » dos-flipkart-app » Application Security
Application Security › General Settings
① Operation Mode
② TPS-based Detection — TPS increased by & TPS reached
③ Stress-based Detection — uses server latency
④ Behavioral & Stress-based Bad Actors + Request Signatures
🖥️ Recreated for clarity — your BIG-IP console matches this. The four numbered pins are the exact fields this lesson changes: ① Operation Mode (Transparent→Blocking), ② TPS-based, ③ Stress-based, ④ Behavioral & Stress-based mitigation level.

tmsh — the same profile from the CLI

The GUI is the day-job, but the same settings exist in tmsh. Useful for review, automation, and the 303 exam.

tmsh — inspect the L7 DoS profile on a virtual server
root@(bigip-flipkart)(cfg-sync)(tmos)# list ltm virtual vs_checkout_443 profiles
root@(bigip-flipkart)(cfg-sync)(tmos)# list security dos profile dos-flipkart-app application
Expected output
ltm virtual vs_checkout_443 {
    profiles { dos-flipkart-app { } http { } websecurity { } }
}
security dos profile dos-flipkart-app {
    application {
        flipkart-app {
            mode blocking
            tps-based { mode blocking }
            stress-based { mode blocking }
            behavioral { mitigation standard }
        }
    }
}
The trap behind a "working" profile

Don't start in Blocking. A new DoS profile surprises you — a salary-day login rush or a flash sale spikes traffic exactly like an attack. Start in Transparent (and Behavioral DoS in No Mitigation), watch DoS Visibility to see what would have been mitigated, tune thresholds, then switch to Blocking. Going straight to aggressive Blocking is how a healthy spike becomes a self-inflicted outage.

👉 So far: Operation Mode = Transparent (see) or Blocking (act); mitigation escalates from a silent JS challenge to CAPTCHA to blocking; BADoS adds No-Mitigation/Conservative/Standard/Aggressive. Next, prove it works.

▶ Watch the mitigation escalation — gentle first, hard only if needed

A flood hits a Blocking profile. Play to see mitigation escalate from a silent challenge up to blocking, then Break it to see the cost of skipping straight to Block All.

① DETECTEDStress-based fires: latency up + one Source IP range is suspicious
② CHALLENGEClient-Side Integrity Defense — real browsers solve the JS silently, bots can't
③ CAPTCHAClients that fail JS but look human-ish get a CAPTCHA step
④ BLOCKPersistent failers get rate-limited / blocked by Source IP — legit users untouched
Press Play for the healthy gentle-to-hard escalation. Then press Break it.

Aditya at HCL faces this

Aditya tuned a great DoS profile in the lab, but in production it never mitigates a real flood — DoS Visibility shows the attack detected but no action taken.

Likely cause

Operation Mode is Transparent. Detection works (that's why the attack appears in reports), but Transparent only logs — it never drops or challenges. Mitigation requires Blocking.

DiagnosisSecurity ▸ DoS Protection ▸ DoS Profiles ▸ profile ▸ Application Security ▸ check Operation Mode
Fix

Switch Operation Mode to Blocking (and set Behavioral DoS mitigation from No Mitigation to Standard). Confirm the profile is bound to the correct virtual server.

Verify

Re-test; DoS Visibility now shows the attack and the mitigation that fired (challenge / rate-limit / block), with the matched signature.

Verify it worked — the report that ends the argument

Never claim a DoS profile works from the config screen. Run a safe synthetic flood in a lab window, then open Security ▸ Reporting ▸ DoS ▸ DoS Visibility, filter on the virtual server + last hour, and read which detection method fired, the mitigation applied, and any matched dynamic signature. If the report shows detection but no mitigation, your Operation Mode is Transparent — not the cloud, not the attack.

tmsh — confirm the attack and mitigation that fired
root@(bigip-flipkart)(tmos)# show security dos virtual name vs_checkout_443
root@(bigip-flipkart)(tmos)# show security dos application-attack
Expected output
Security::DoS Application Attack
  Profile: dos-flipkart-app   VS: vs_checkout_443
  Attack ID: 9f3c-2026   State: Mitigating
  Detection: Stress-based + Behavioral   Trigger: latency↑ + Source IP 203.0.113.0/24
  Mitigation: Client-Side Integrity → Rate-limit (Source IP)
  Dynamic signature: dosl7_sig_4471  matched 98.6% of attack traffic
# Detection but no mitigation row → Operation Mode is Transparent. No attack row at all → profile not bound to the VS.
Quick check · Q4 of 10

You set the DoS profile Operation Mode to Transparent. An obvious L7 flood arrives. What does BIG-IP do?

Correct: a. Transparent = see, don't act. Detection, logging and reporting all run, but no mitigation is applied. That's exactly why it's the safe baseline mode — flip to Blocking only after you've confirmed the profile won't mitigate healthy spikes.
Figure 4 — F5 L7 DoS build cheat-sheet (screenshot this)
A grid of six cheat-sheet tiles covering the L7 DoS build order: attach the DoS profile to the virtual server and open Application Security; enable TPS-based detection with the detection-vs-history thresholds; enable stress-based detection which needs latency plus a suspicious entity; enable Behavioral DoS which learns normal and builds dynamic signatures; choose the Operation Mode Transparent first then Blocking; and choose the mitigation action escalating from client-side integrity to CAPTCHA to request blocking. A golden-rule footer states: latency beats rate, baseline in Transparent first, validate in DoS Visibility. Build order → the one decision that matters at each step ① Attach the profile DoS profile → virtual server open Application Security L7 only, not network DDoS ② TPS-based detection vs history interval "increased by" + "reached" can't tell sale from flood ③ Stress-based uses server latency latency↑ AND suspicious spike-safe; Auto / Manual ④ Behavioral DoS ML learns normal traffic dynamic signatures, BADoS global-limit then signature ⑤ Operation Mode Transparent = see only Blocking = actually mitigate baseline Transparent first ⑥ Mitigation client-side integrity (JS) → CAPTCHA → block / limit scope by IP / URL / geo GOLDEN RULE Latency beats raw rate. Baseline in Transparent first, then Blocking. Validate every profile in DoS Visibility — never from the config screen. Scope detection & mitigation by: Source IP · Device ID · Geolocation · URL · Site-Wide | report of truth: Security ▸ Reporting ▸ DoS ▸ DoS Visibility
Six steps, six decisions, one golden rule. Screenshot this — it's the card you'll glance at while building a DoS profile.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from F5 techdocs + DevCentral, scoped to BIG-IP Advanced WAF L7 DoS. For a live prod issue, paste your DoS Visibility export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Apply

Which F5 DoS profile detection method auto-learns a baseline of normal traffic and builds dynamic request signatures using machine learning?

Correct: b. Behavioral DoS continuously learns the baseline and builds dynamic request signatures. TPS and stress-based use thresholds you configure (Auto or Manual) — they don't learn signatures.
Q6 · Apply

Behavioral DoS detects an attack. In what order does it mitigate?

Correct: a. BADoS applies a global rate limit first just to keep the server alive, then narrows to signature-only blocking — minimising impact on legitimate users on the same URLs.
Q7 · Analyze

You're enabling a brand-new L7 DoS profile on a production Flipkart virtual server. What's the safest first move?

Correct: c. Transparent + No Mitigation lets you learn what would have been mitigated without risking a healthy spike. Straight-to-Blocking with a low threshold (a) is how a flash sale becomes a self-inflicted outage.
Q8 · Analyze

Aditya enables Behavioral DoS with Request Signatures Detection. Where does he see the auto-generated signatures, and what does Aggressive mode change?

Correct: b. Dynamic signatures live under Security ▸ DoS Protection ▸ Signatures (tick Dynamic). Conservative is gentlest; Aggressive does everything Standard does plus proactive action and stronger blocking of matched requests.
Q9 · Evaluate

A 2025 F5 advisory (e.g. CVE-2025-54858 / CVE-2025-61935) describes the bd process terminating under certain requests when an Advanced WAF policy is configured. Why does this matter for DoS planning?

Correct: c. The control plane that mitigates must itself stay up. A crash of bd is a denial of service on your defense, so keeping BIG-IP patched is a real part of DoS resilience — not an afterthought.
Q10 · Evaluate

For a banking app at HDFC where false positives are unacceptable, an engineer proposes pure TPS-based Blocking with a low threshold "to be safe". Sound design?

Correct: c. A low pure-TPS threshold in Blocking mode is precisely what blocks real users on a busy day. Latency-aware stress-based plus learned Behavioral DoS triggers only when the server is genuinely stressed — and Transparent-first proves it before you go live.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why does stress-based detection avoid the false positives that pure TPS-based detection suffers? Then compare to the expert version.

Expert version: TPS-based detection only counts request rate, so a genuine traffic spike (a Flipkart sale, a salary-day login rush) looks identical to a flood and gets mitigated as an attack. Stress-based detection adds a second condition — it requires a server-latency increase and at least one suspicious entity (source IP, URL, geolocation, site-wide) before declaring an attack. A healthy spike raises rate but not latency, so it's left alone. If your answer mentioned "it checks whether the server is actually stressed, not just the rate", you've got it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

BIG-IP Advanced WAF (formerly ASM)
F5's web application firewall. Advanced WAF = ASM plus L7 Behavioral DoS, Bot Defense, credential-stuffing/brute-force protection and DataSafe. ASM went End-of-Sale 01-Apr-2021; existing ASM customers on BIG-IP ≥14.1 under support can reactivate to Advanced WAF free. The TMUI menu still says "Security ▸ Application Security".
L7 (application-layer) DoS
An attack that floods HTTP/HTTPS requests to exhaust the app or backend. Configured in the DoS profile's Application Security settings — distinct from L3/L4 network DDoS (the device/AFM DoS profile).
DoS profile
The BIG-IP object holding the L7 DoS detection methods and Operation Mode, attached to a virtual server. Path: Security ▸ DoS Protection ▸ DoS Profiles ▸ profile ▸ Application Security.
TPS-based detection
Detects attacks by transaction rate — comparing a short detection interval (~10s) against a long history interval (~1 hour) via "TPS increased by" (ratio) and "TPS reached" (absolute).
Stress-based detection
Detects attacks using server latency. Requires a latency increase AND at least one suspicious entity (source IP, device ID, URL, heavy URL, geolocation, or site-wide). Thresholds run Automatic or Manual.
Behavioral DoS (BADoS)
Machine-learning detection inside stress-based settings. Learns normal traffic, identifies bad actors, and generates dynamic request signatures. Mitigation levels: No Mitigation / Conservative / Standard / Aggressive.
Dynamic request signature
A signature BADoS auto-builds during an attack that matches only the malicious requests, so legitimate users on the same URLs aren't blocked. Seen under Security ▸ DoS Protection ▸ Signatures (Dynamic).
Operation Mode
Transparent = detect, log and report only (no mitigation); Blocking = mitigation actions actually apply. Always baseline in Transparent first.
Client-Side Integrity Defense
A JavaScript challenge that real browsers solve silently while scripted bots can't — the gentle first mitigation step before CAPTCHA or request blocking.
303 — BIG-IP ASM Specialist
The F5 certification this series maps to: 90 minutes, 80 questions, pass 245/350. Validates design, implementation, maintenance and troubleshooting of BIG-IP ASM / Advanced WAF.

📚 Sources

  1. F5 techdocs — Preventing DoS Attacks on Applications (BIG-IP 17.0): DoS profile Application Security, TPS-based vs Stress-based detection, detection/history interval, Operation Mode Transparent/Blocking, mitigation actions, heavy URL. techdocs.f5.com/en-us/bigip-17-0-0/big-ip-asm-implementations/preventing-dos-attacks-on-applications.html
  2. F5 techdocs (BIG-IQ 7.1) — About Behavioral DoS protection: Bad Actors Behavior Detection, Request Signatures Detection, and the No Mitigation / Conservative / Standard / Aggressive mitigation levels (exact behaviors quoted). techdocs.f5.com
  3. F5 DevCentral / F5 Agility & clouddocs DDoS labs — Configuring L7 Behavioral DoS Protection & Request Signatures (Module 3–4): "BaDoS first mitigates with a global rate limit… then blocks only traffic matching dynamic signatures"; signatures under Security ▸ DoS Protection ▸ Signatures (Dynamic); states Mitigate / Detect Only / Learn Only / Disabled. community.f5.com · clouddocs.f5.com
  4. Community write-up — "F5 BIG-IP ASM — L7 DDoS attack Protection (TPS, Behavioral & Stress-Based detection)" (DevCentral technical forum) and Nishal Rai's field walkthrough (nishalrai.com.np/posts/f5asm-l7ddos). community.f5.com
  5. F5 — Protecting Apps from DDoS and API Attacks with BIG-IP Advanced WAF (product blog) & BIG-IP Advanced WAF product page (Advanced WAF = ASM + L7 Behavioral DoS + Bot Defense + brute-force + DataSafe; ASM EoS 01-Apr-2021). f5.com
  6. F5 Quarterly Security Notification (October 2025, K000156572) and CVEs CVE-2025-54858 / CVE-2025-61935bd process termination with an Advanced WAF/ASM policy configured (availability impact). my.f5.com
  7. F5 Certification — 303 — BIG-IP ASM Specialist Exam Blueprint (90 min, 80 questions; design/implement/maintain/troubleshoot ASM/Advanced WAF, incl. L7 DoS). techdocs.f5.com · education.f5.com/exams/big-ip-asm-specialist-303

What's next?

You can now find L7 DoS in the DoS profile, tell TPS-based from Stress-based from Behavioral DoS, and pick the right Operation Mode and mitigation. Both detection and bot challenges live in the same DoS profile — but the next lesson zooms into the part this blog deliberately left out: Proactive Bot Defense and bot classification.

Next · F5 Bot Defense & Proactive Bot Defense → Practice on exam.techclick.in →