F5 DoS for NGINX Arbitrator 1.1.0
Here you can find the release information for F5 DoS for NGINX Arbitrator v1.1.0.
December 1, 2021
This release is focused on security and stability.
- Improve security by enabling the arbitrator to work as a non-root user.
- Remove operating system dependencies to work as a native service utilizing golang.
- Special characters like a slash inside the protected object name prevented Arbitrator from saving the state file.
- The current release upgrades Arbitrator service only. This change is agnostic to F5 DoS for NGINX functionalities.
- `proxy_request_buffering off` is not supported.
- gRPC and HTTP/2 protection require active monitoring of the protected service. The directive `app_protect_dos_monitor` is mandatory for these use cases, otherwise, the attack will not be detected.
- gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04, and Ubuntu 20.04 platforms. For the rest of the platforms, F5 DoS for NGINX does not protect gRPC and HTTP/2 services. The traffic is bypassed.
- TLS fingerprint feature is not used in CentOS 7.4 due to the old OpenSSL version. The required OpenSSL version is 1.1.1 or higher.
- Slow POST attacks are always mitigated with the block action, while other types of attacks can also be mitigated with redirection or JS challenges.
- New optional configuration parameters of the directive `app_protect_dos_monitor` to support gRPC and HTTP/2 protocols.
- Added new fields in Security Log:
  - `baseline_dps` (datagrams per second) instead of `baseline_tps`
  - `incoming_datagrams`
  - `successful_responses` instead of `successful_transactions`
  - `unsuccessful_requests` instead of `unsuccessful_requests_count`
- In the case of an upgrade from the previous `app-protect-dos` version, it’s necessary to remove the old `nginx-plus` and install the new `app-protect-dos`, which will install a corresponding version of `nginx-plus` as described in the F5 DoS for NGINX Deployment Guide.