Security::ProfileDoS

Introduced : BIG-IP_v11.3.0
The ProfileDoS interface enables you to manipulate a DoS profile. Use this interface to prevent Denial of Service (DoS) attacks. A DoS profile consists of three parts (layers): Application Security, Protocol (DNS) Security and Protocol SIP Security. Each part can be enabled or disabled by creating or deleting the corresponding sub-profile.

In Application Security you can configure:
- The circumstances under which the system considers traffic to be a DoS attack.
- How the system handles a DoS attack.

The system considers traffic to be an Application DoS attack based on the following calculations:
- Transaction rate detection interval: The average number of requests per second sent for a specific URL, or by a specific IP address. This number is calculated by the system, by default, every minute and updated every second.
- Transaction rate history interval: The average number of requests per second sent for a specific URL, or by a specific IP address. This number is calculated by the system, by default, every hour and updated every minute.
- Latency detection interval: The average time it takes for the system to respond to a request for a specific URL, over the last minute. This average is updated every second.
- Latency history interval: The average time it takes for the system to respond to a request for a specific URL, over the last hour. This average is updated every minute.

In this sub-profile you must select whether the system prevents DoS attacks based on the client side (TPS-based anomaly), the server side (Latency-based anomaly), or both. The system's DoS attack prevention works differently for every anomaly you select.
- In TPS-based anomaly: If the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage you configure in this sub-profile (the TPS increase rate), the system detects the URL to be under attack, or the IP address to be attacking. In order to stop the attack, the system drops some requests from the detected IP address and/or to the attacked URL.
- In Latency-based anomaly: If the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage you configure in this sub-profile (the TPS increase rate), the system suspects the URL to be under attack, or the IP address to be suspicious. If the ratio of the latency detection interval to the latency history interval is greater than the specific percentage you configure in this sub-profile (the latency increase rate), the system detects that this URL is under attack. In order to stop the attack, the system drops some requests from the suspicious IP address and/or to the suspicious URL.

The Protocol DNS Security sub-profile allows you to specify DNS Query Vectors to be considered for DoS attack detection. You can also select whether or not to consider Malformed and Malicious DNS packets for DoS attack detection, and configure values at which to start dropping these packets.

A Protocol SIP Security sub-profile allows the user to configure SIP Attack Vectors that are to be considered for DoS attack detection. It also provides the capability to enable detection of Malformed SIP packet DoS attacks. The detection sensitivity for each of the configured DoS vectors can also be set.
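The following model of the TPS-based and Latency-based decisions described above is an added example, not BIG-IP or iControl code. The class and function names are hypothetical, the 500% thresholds and traffic figures are constructed, and it assumes "ratio greater than the percentage" means detection average / history average * 100 exceeds the configured value.

```python
from collections import deque
from dataclasses import dataclass, field

DETECTION_WINDOW = 60    # seconds: the "last minute" average
HISTORY_WINDOW = 3600    # seconds: the "last hour" average


@dataclass
class AnomalyTracker:
    """Rolling averages for one URL or source IP (hypothetical model, not BIG-IP code)."""
    tps_increase_pct: float      # assumption: detection/history * 100 must exceed this
    latency_increase_pct: float  # same assumption for latency
    requests: deque = field(default_factory=lambda: deque(maxlen=HISTORY_WINDOW))
    latency_ms: deque = field(default_factory=lambda: deque(maxlen=HISTORY_WINDOW))

    def record_second(self, request_count, avg_latency_ms):
        # Simplification: both windows advance every second here, whereas the
        # page says the history average is refreshed once a minute.
        self.requests.append(request_count)
        self.latency_ms.append(avg_latency_ms)

    @staticmethod
    def ratio_pct(samples):
        """Detection-interval average as a percentage of the history-interval average."""
        if not samples:
            return 0.0
        history = sum(samples) / len(samples)
        recent = list(samples)[-DETECTION_WINDOW:]
        detection = sum(recent) / len(recent)
        return 100.0 * detection / history if history else 0.0

    def evaluate(self):
        tps_hit = self.ratio_pct(self.requests) > self.tps_increase_pct
        lat_hit = self.ratio_pct(self.latency_ms) > self.latency_increase_pct
        return {
            # TPS-based anomaly: the rate ratio alone marks the URL/IP as attacked/attacking.
            "tps_based": "attack" if tps_hit else "normal",
            # Latency-based anomaly: rate ratio only raises suspicion; latency ratio confirms.
            "latency_based": "attack" if lat_hit else "suspicious" if tps_hit else "normal",
        }


def run_scenario(burst_rps, burst_latency_ms, tps_pct=500.0, latency_pct=500.0):
    """Constructed traffic: 59 quiet minutes (10 req/s, 100 ms), then a 60-second burst."""
    tracker = AnomalyTracker(tps_pct, latency_pct)
    for _ in range(HISTORY_WINDOW - DETECTION_WINDOW):
        tracker.record_second(10, 100.0)
    for _ in range(DETECTION_WINDOW):
        tracker.record_second(burst_rps, burst_latency_ms)
    return tracker.evaluate()
```

A burst of 80 req/s with unchanged latency trips the TPS-based anomaly but leaves the Latency-based anomaly at "suspicious", which is why a latency-only profile does not mitigate a flood that the server absorbs without slowing down.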

Methods


Structures

Structure Description
DNSQueryVectorStatisticEntry A struct that describes statistics for a particular DNS Query Vector.
DNSQueryVectorStatistics A struct that describes DNS Query Vector statistics and timestamp.
NetworkAttackVectorStatisticEntry A struct that describes statistics for a particular Network Attack Vector.
NetworkAttackVectorStatistics A struct that describes Network Attack Vector statistics and timestamp.
SIPAttackVectorStatisticEntry A struct that describes statistics for a particular SIP Vector.
SIPAttackVectorStatistics A struct that describes Vector statistics and timestamp.


Enumerations

Enumeration Description
Anomaly Anomaly - Specifies whether an interface method manipulates DoS attack detection/prevention settings based on the client side (TPS-based) or the server side (Latency). Note that the profile has no fields of this type; it exists only so that the same methods can be reused for different anomalies.
DNSQuery A list of DNS Query Vectors.
NetworkAttackVector A list of Network Attack Vectors for use in a DoS profile.
OperationMode Operation mode - Specifies how the system reacts when it detects an attack for every anomaly.
SIPAttackVector A list of SIP Attack Vectors for use in a DoS profile.

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description
DNSQuerySequence DNSQuery [] A sequence of DNS Query Vectors.
DNSQuerySequenceSequence DNSQuery [] [] A sequence of sequence of DNS Query Vectors.
DNSQuerySequenceSequenceSequence DNSQuery [] [] [] A sequence of sequence of sequence of DNS Query Vectors.
DNSQueryVectorStatisticEntrySequence DNSQueryVectorStatisticEntry [] A sequence of DNS Query Vector statistics.
DNSQueryVectorStatisticsSequence DNSQueryVectorStatistics [] An alias for a sequence of DNS Query Vector statistics.
DNSQueryVectorStatisticsSequenceSequence DNSQueryVectorStatistics [] [] An alias for a sequence of sequence of DNS Query Vector statistics.
NetworkAttackVectorSequence NetworkAttackVector [] A sequence of Network Attack Vectors.
NetworkAttackVectorSequenceSequence NetworkAttackVector [] [] A sequence of sequence of Network Attack Vectors.
NetworkAttackVectorSequenceSequenceSequence NetworkAttackVector [] [] [] A sequence of sequence of sequence of Network Attack Vectors.
NetworkAttackVectorStatisticEntrySequence NetworkAttackVectorStatisticEntry [] A sequence of Network Attack Vector statistics.
NetworkAttackVectorStatisticsSequence NetworkAttackVectorStatistics [] An alias for a sequence of Network Attack Vector statistics.
NetworkAttackVectorStatisticsSequenceSequence NetworkAttackVectorStatistics [] [] An alias for a sequence of sequence of Network Attack Vector statistics.
OperationModeSequence OperationMode [] A sequence of operation modes.
OperationModeSequenceSequence OperationMode [] [] A sequence of a sequence of operation modes.
SIPAttackVectorSequence SIPAttackVector [] A sequence of SIP Attack Vectors.
SIPAttackVectorSequenceSequence SIPAttackVector [] [] A sequence of sequence of SIP Attack Vectors.
SIPAttackVectorSequenceSequenceSequence SIPAttackVector [] [] [] A sequence of sequence of sequence of SIP Attack Vectors.
SIPAttackVectorStatisticEntrySequence SIPAttackVectorStatisticEntry [] A sequence of SIP Vector statistics.
SIPAttackVectorStatisticsSequence SIPAttackVectorStatistics [] An alias for a sequence of Vector statistics.
SIPAttackVectorStatisticsSequenceSequence SIPAttackVectorStatistics [] [] An alias for a sequence of sequence of Vector statistics.
