NGINX App Protect DoS 3.0
Here you can find the release information for F5 NGINX App Protect DoS v3.0. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications.
September 21, 2022
- L4 mitigation (with eBPF)
- DoS Live Activity Monitoring with requests mitigation graphs
- DoS Live Activity Monitoring support for multi-instances NGINX App Protect DoS setups (multi-VMs, multi-replicas)
- app-protect-dos-27+3.0.3-1.el7.ngx.el7.ngx.x86_64.rpm
- app-protect-dos-27+3.0.3-1.el8.ngx.el8.ngx.x86_64.rpm
- app-protect-dos_27+3.0.3-1~buster_amd64.deb
- app-protect-dos_27+3.0.3-1~bullseye_amd64.deb
- app-protect-dos_27+3.0.3-1~bionic_amd64.deb
- app-protect-dos_27+3.0.3-1~focal_amd64.deb
- app-protect-dos-27.3.0.3-r1.apk
- NGINX Plus R27
- L4 (eBPF) mitigation helps mitigate volumetric attacks by slowing down the attackers' opening of TCP connections. It is recommended to deploy NGINX App Protect DoS with L4 (eBPF) mitigation at the perimeter network or behind an L3 load balancer. Installing NGINX App Protect DoS with L4 (eBPF) mitigation behind an L4/L7 load balancer may result in the load balancer’s starvation during an attack.
- If NGINX App Protect WAF is installed, app protect should be disabled for the location of DoS Live Activity Monitoring API. For example:

  ```nginx
  location /api {
      app_protect_enable off;
      app_protect_dos_api;
  }
  ```
- Misconfiguration of `app_protect_dos_monitor` can potentially cause a false attack declaration. The port configuration should correspond to the port the server listens on. For example:

  ```nginx
  server {
      listen 8080;
      location / {
          app_protect_dos_monitor "myservice.com:8080";
      }
  }
  ```
- `proxy_request_buffering off` is not supported.
- gRPC and HTTP/2 protection require active monitoring of the protected service. The directive `app_protect_dos_monitor` is mandatory for these use cases; otherwise, the attack will not be detected.
- TLS fingerprint feature is not used in CentOS 7.4 and RHEL 7 / UBI 7 due to the old OpenSSL version. The required OpenSSL version is 1.1.1 or higher.
- Slow POST attacks are always mitigated with the block action, while other types of attacks can also be mitigated with redirection or JS challenges.
- The recommended way to run NGINX Plus in a Docker container is with the `daemon off` flag. It’s mandatory for UBI 8.
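
The notes above on `app_protect_dos_monitor` port mismatches and on `proxy_request_buffering off` can be checked before a reload. The following is an added example, not part of the product or its documentation: a small lint over a simplified configuration text. The function names and the sample configuration are constructed for illustration, and the parser assumes the quoted `host:port` monitor form shown on this page and ignores comments and `include` files.

```python
import re

# Constructed sample: server 0 is consistent; server 1 monitors port 80
# while listening on 8080 and also disables request buffering.
SAMPLE_CONF = """
server {
    listen 8080;
    location / { app_protect_dos_monitor "myservice.com:8080"; }
}
server {
    listen 8080;
    proxy_request_buffering off;
    location / { app_protect_dos_monitor "myservice.com:80"; }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block using brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def lint(conf):
    """Return (server_index, message) findings for the two caveats."""
    findings = []
    for idx, body in enumerate(server_blocks(conf)):
        # Collect listen ports: "8080", "127.0.0.1:8080" and "[::]:8080" all give "8080".
        ports = {a.rsplit(":", 1)[-1] for a in re.findall(r"\blisten\s+([^;\s]+)", body)}
        for target in re.findall(r'app_protect_dos_monitor\s+"?([^";\s]+)', body):
            # Drop an optional scheme and path, then take the port after the last colon.
            host_port = re.sub(r"^\w+://", "", target).split("/", 1)[0]
            port = host_port.rsplit(":", 1)[1] if ":" in host_port else None
            if port not in ports:
                findings.append((idx, f"monitor port {port or '(none given)'} "
                                      f"does not match listen ports {sorted(ports)}"))
        if re.search(r"\bproxy_request_buffering\s+off\s*;", body):
            findings.append((idx, "proxy_request_buffering off is not supported"))
    return findings

if __name__ == "__main__":
    for idx, msg in lint(SAMPLE_CONF):
        print(f"server #{idx}: {msg}")
```
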