# F5BigDdosGlobal CRD

The list of parameters for configuring the F5BigDdosGlobal CRD.

## hslPublisher

Parameter | Description |
---|---|
hslPublisher | Specifies the endpoint of the logging server to which logging messages are sent. |

## allowList

Parameter | Description | Default |
---|---|---|
srcAddressList (string) | Specifies the list of source IP addresses excluded from DDoS detection/mitigation. Refers to the AddressList CR. Note: The addresses must not use prefix lengths other than 32 (IPv4) and 128 (IPv6). | |
ipProtocol (string) | Specifies the IP protocol the allowList entry applies to. Available options: any, icmp, igmp, tcp, udp. | any |
entryType (string) | Specifies the category used to match addresses. Available options: dst-match, src-match, v4-all, v6-all, or all-ip. | |
matchingAddress (string) | Specifies the address to match for the configured entryType. Note: Use src-match or dst-match to match a specific address; the *-all options (v4-all, v6-all, all-ip) apply to all addresses of that entryType. | any |
dstPort (integer) | Specifies the destination port. Note: Can be configured only when ipProtocol is tcp or udp. The minimum and maximum values are 0 and 65535, respectively. | 0 |
srcVlan (string) | Specifies the name of the source VLAN. | any |

## Back reference to Gateway Class object for Gateway API

This table lists the targetRef parameters:

Parameter | Description | Default |
---|---|---|
targetRef.group (string) | Specifies the API group to which the referenced target resource belongs. The maximum length is 255 characters and the value must match the pattern "^[0-9a-zA-Z._-]+$". | gateway.networking.k8s.io |
targetRef.name (string) | Specifies the name of the GatewayClass resource. The maximum length is 255 characters and the value must match the pattern "^[0-9a-zA-Z._-]+$". Note: This is a required field. | |
targetRef.kind (string) | Specifies the kind of the target resource. | enum: [GatewayClass] |
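
As an added illustration (written for this page, not F5's own code), the following Python lints a constructed F5BigDdosGlobal spec against the constraints the allowList and targetRef tables state: host-only prefixes in the referenced AddressList, the ipProtocol and entryType enumerations, dstPort only with tcp or udp and within 0..65535, and the name pattern and length limit for targetRef. The dict layout of the spec (allowList as a list of entry objects), the AddressList stand-in, and the names `lint_spec`, `ADDRESS_LISTS`, `GOOD_SPEC` and `BAD_SPEC` are assumptions made for the example.

```python
"""Lint a constructed F5BigDdosGlobal spec against the documented allowList and
targetRef constraints. Example code written for this page, not F5's own."""
import ipaddress
import re

ALLOWED_IP_PROTOCOLS = {"any", "icmp", "igmp", "tcp", "udp"}
ALLOWED_ENTRY_TYPES = {"dst-match", "src-match", "v4-all", "v6-all", "all-ip"}
NAME_PATTERN = re.compile(r"^[0-9a-zA-Z._-]+$")   # pattern quoted in the targetRef table

# Assumed stand-in for the AddressList CRs an allowList entry refers to by name.
ADDRESS_LISTS = {
    "trusted-monitors": ["198.51.100.7/32", "2001:db8::5/128"],
    "too-wide": ["198.51.100.0/24"],   # violates the /32-or-/128 rule on purpose
}


def check_address_list(name, address_lists=ADDRESS_LISTS):
    """Every address must be a single host: /32 for IPv4, /128 for IPv6."""
    if name not in address_lists:
        return [f"srcAddressList: AddressList '{name}' not found"]
    findings = []
    for cidr in address_lists[name]:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"srcAddressList '{name}': {cidr} is not a /{net.max_prefixlen} host address")
    return findings


def check_allow_list_entry(entry, address_lists=ADDRESS_LISTS):
    findings = check_address_list(entry.get("srcAddressList", ""), address_lists)
    proto = entry.get("ipProtocol", "any")
    if proto not in ALLOWED_IP_PROTOCOLS:
        findings.append(f"ipProtocol: '{proto}' not in {sorted(ALLOWED_IP_PROTOCOLS)}")
    entry_type = entry.get("entryType")
    if entry_type is not None and entry_type not in ALLOWED_ENTRY_TYPES:
        findings.append(f"entryType: '{entry_type}' not in {sorted(ALLOWED_ENTRY_TYPES)}")
    port = entry.get("dstPort", 0)
    if not 0 <= port <= 65535:
        findings.append(f"dstPort: {port} is outside 0..65535")
    elif port != 0 and proto not in {"tcp", "udp"}:
        # the table allows dstPort only for tcp or udp; a port on icmp/igmp/any is a mistake
        findings.append(f"dstPort: {port} set but ipProtocol is '{proto}' (only tcp or udp take a port)")
    return findings


def check_target_ref(target_ref):
    findings = []
    for field, default in (("name", None), ("group", "gateway.networking.k8s.io")):
        value = target_ref.get(field, default)
        if value is None:
            findings.append(f"targetRef.{field}: required field missing")
        elif len(value) > 255 or not NAME_PATTERN.match(value):
            findings.append(f"targetRef.{field}: '{value}' exceeds 255 characters or violates ^[0-9a-zA-Z._-]+$")
    if target_ref.get("kind", "GatewayClass") != "GatewayClass":
        findings.append("targetRef.kind: only GatewayClass is accepted")
    return findings


def lint_spec(spec, address_lists=ADDRESS_LISTS):
    """Return all findings for a spec dict; an empty list means it passed."""
    findings = check_target_ref(spec.get("targetRef", {}))
    for i, entry in enumerate(spec.get("allowList", [])):
        findings += [f"allowList[{i}] {f}" for f in check_allow_list_entry(entry, address_lists)]
    return findings


# Constructed specs (assumed layout: allowList is a list of entry objects).
GOOD_SPEC = {
    "targetRef": {"name": "f5-gateway-class", "kind": "GatewayClass"},
    "allowList": [{"srcAddressList": "trusted-monitors", "ipProtocol": "tcp",
                   "entryType": "src-match", "dstPort": 443}],
}
BAD_SPEC = {
    "targetRef": {"name": "bad name!"},
    "allowList": [{"srcAddressList": "too-wide", "ipProtocol": "icmp", "dstPort": 53}],
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(label, lint_spec(spec) or "no findings")
```

Running the lint as an admission-time or CI step catches the two mistakes that silently widen an allow list: a /24 where the table demands a host prefix, and a port attached to a protocol that cannot carry one.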

## DoS tuneable parameters

This table lists the dosGlobalOption parameters:

Parameter | Description | Default |
---|---|---|
dosGlobalOption (object) | Specifies CRD fields for configuring global DDoS options. | {} |
dosGlobalOption.common (object) | Specifies CRD fields for the common DoS sys db variables. | {} |
dosGlobalOption.common.forceSwDos (boolean) | Forces software DoS processing instead of hardware offload for DoS on hardware-capable systems. | false |

## vectors

### IPv4 Flood Vectors

This table lists the IPv4 flood vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.ipv4IcmpFlood | This vector detects or rate-limits IPv4 ICMP flood attacks based on the state and rate-limit configuration. It also supports per-source-IP and per-destination-IP detection and rate limiting for bad-actor (ba) and bad-destination (bd) mitigation. | Yes |
vectors.tidcmp | This vector detects ICMP Source Quench attacks. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting and is subject to ba/bd handling of ICMP Source Quench packets. | Yes |
vectors.ipv4FrafFlood | This vector detects attacks in which spoofed IPv4 fragments are sent at a very high rate. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv4OverlapFrag | This vector detects attacks in which a flood of overlapping IPv4 fragments is received. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv4LowTtl | This vector detects attacks in which IPv4 packets with low (non-zero) TTL values are received. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting and is subject to ba/bd. | Yes |
vectors.ipv4NoPayload | This vector detects attacks with IPv4 packets that carry no Layer 4 payload. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting and is categorized as ba/bd. | Yes |
vectors.ipv4OptFrame | This vector detects attacks in which a flood of IPv4 packets carrying an IP options frame is received. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
This table lists the parameters common to the IPv4 flood vectors.

Parameter | Description | Default |
---|---|---|
type | Specifies the type of DoS flood vector to detect and mitigate: udp-flood, ether-brdcst-pkt, ether-multicst-pkt, arp-flood, ip-frag-flood, ipv6-frag-flood, tcp-rst-flood, icmpv4-flood, icmpv6-flood, and tcp-psh-flood. | |
state (string) | Specifies the system's response when a vector match occurs: detection-only or mitigation. Note: To disable the vector, delete the custom resource. | detection-only |
detectionThresholdEps (integer) | Specifies the attack detection threshold in Events Per Second (EPS). When the EPS rate exceeds the threshold, the attack is logged and reported. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the attack detection threshold as a percentage increase in EPS. The system compares the current EPS rate to the average rate over the last hour, and when the percentage increase is exceeded, the attack is logged and reported. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit (integer) | Specifies the rate limit in EPS. When the EPS rate exceeds the limit, excess events are dropped until the EPS rate no longer exceeds it. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps (integer) | Specifies the attack detection threshold in EPS per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
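
To make the interplay of state, detectionThresholdEps, detectionThresholdPercentage and rateLimit concrete, here is an added Python model (written for this page, not F5 code) that evaluates one vector over a constructed series of per-second event counts. It assumes one evaluation per one-second bucket, that the percentage threshold compares the current EPS with the trailing hourly average as the table describes, and that events above rateLimit are dropped only in the mitigation state; `VectorConfig`, `evaluate_second`, `summarize` and the sample series are the example's own names and data. Because every default is 4294967295, a vector left at its defaults neither detects nor drops anything, which the first case in `__main__` shows.

```python
"""Model of how a flood vector's state, detectionThresholdEps,
detectionThresholdPercentage and rateLimit act on per-second event counts.
Illustration written for this page, not F5 code."""
from dataclasses import dataclass

UNSET = 4294967295   # the documented default: a threshold that never triggers


@dataclass
class VectorConfig:
    state: str = "detection-only"            # "detection-only" or "mitigation"
    detectionThresholdEps: int = UNSET
    detectionThresholdPercentage: int = UNSET
    rateLimit: int = UNSET


@dataclass
class Verdict:
    eps: int
    detected: bool
    reasons: tuple
    dropped: int


def evaluate_second(cfg, eps, hourly_avg_eps):
    """Evaluate one one-second bucket of events for a single vector.

    Detection fires when eps exceeds detectionThresholdEps, or when the rise
    over the trailing hourly average exceeds detectionThresholdPercentage.
    Events above rateLimit are dropped only when the state is 'mitigation'
    (assumption of this model: detection-only logs but never drops).
    """
    reasons = []
    if eps > cfg.detectionThresholdEps:
        reasons.append("above detectionThresholdEps")
    if hourly_avg_eps > 0:
        increase_pct = (eps - hourly_avg_eps) * 100 / hourly_avg_eps
        if increase_pct > cfg.detectionThresholdPercentage:
            reasons.append("above detectionThresholdPercentage over hourly average")
    dropped = 0
    if cfg.state == "mitigation" and eps > cfg.rateLimit:
        dropped = eps - cfg.rateLimit
    return Verdict(eps, bool(reasons), tuple(reasons), dropped)


# Constructed per-second event counts: steady baseline, then a burst, then recovery.
SAMPLE_SERIES = [900, 1100, 8000, 40000, 1000]
SAMPLE_HOURLY_AVG = 1000


def summarize(cfg, series=SAMPLE_SERIES, hourly_avg_eps=SAMPLE_HOURLY_AVG):
    """Return which seconds were flagged and how many events were dropped in total."""
    verdicts = [evaluate_second(cfg, eps, hourly_avg_eps) for eps in series]
    return {
        "detected_seconds": [v.eps for v in verdicts if v.detected],
        "total_dropped": sum(v.dropped for v in verdicts),
    }


if __name__ == "__main__":
    print("defaults:", summarize(VectorConfig()))
    print("detect at 5000 EPS:", summarize(VectorConfig(detectionThresholdEps=5000)))
    print("mitigate at 5000 EPS:", summarize(VectorConfig(state="mitigation",
                                                           detectionThresholdEps=5000,
                                                           rateLimit=5000)))
    print("500% rise:", summarize(VectorConfig(detectionThresholdPercentage=500)))
```

The model makes two operational points visible: a rateLimit has no effect while state is detection-only, and the percentage threshold catches the same burst without an absolute EPS figure, which is useful where the baseline differs across sites.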

### IPv4 Error Vectors

This table lists the IPv4 error vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.ipv4BadTtl | This vector matches IPv4 packets whose time-to-live value is zero. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv4BadVer | This vector detects attacks in which the IP version in the header is not set to 4. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv4BadScr | This vector detects attacks in which the source IP is a broadcast or multicast address. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv4ErrorChecksum | This vector detects attacks in which an incorrect IPv4 header checksum is observed. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv4FragError | This vector detects attacks with invalid IPv4 fragmentation offset values. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ShortFrag | This vector detects attacks with IPv4 fragment packets that are too small. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv4HdrLenTooShort | This vector detects attacks with IPv4 header lengths of less than 20 bytes. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv4HdrLenGtLLen | This vector detects attack traffic in which the Layer 2 packet has no room for the IPv4 header (including options). When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv4OptIllegalLen | This vector detects attack traffic with an illegal length in an IP option. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv4LenGtL2Len | This vector detects attack traffic in which the total length in the IPv4 header exceeds the Layer 3 length available in the Layer 2 packet. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
This table lists the parameters common to the IPv4 error vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the attack detection percentage increase for the configured attack type. | 4294967295 |

### IPv6 Flood Vectors

This table lists the IPv6 flood vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.ipv6L4ExtHdrsGoEnd | This vector detects attacks in which extension headers reach or surpass the end of the Layer 4 frame. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.ipv6BadExtHdrOrder | This vector detects attacks with out-of-order extension headers in the IPv6 header. The attack is detected or dropped based on the state and rate-limit configuration. | No |
vectors.ipv6IcmpFlood | This vector detects IPv6 ICMP flood attacks. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv6FragFlood | This vector detects attacks in which spoofed IPv6 fragments are received at a very high rate. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.ipv6AtomicFrag | This vector detects attacks with IPv6 fragment headers that have M=0 and FragOffset=0. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv4MappedIpv6Addr | This vector detects attacks in which an IPv4 address occupies the lowest 32 bits of an IPv6 address. The attack is detected or rate-limited based on the state and rate-limit configuration. | No |
vectors.ipv6RoutingHdrType0 | This vector detects attacks in which IPv6 packets with a routing header of type 0 are received. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv6LowHopCount | This vector detects attacks in which the IPv6 hop count is less than or equal to the configured lowHopCount value. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.ipv6ExtHdrTooLarge | This vector detects attacks in which packets carry an IPv6 extension header larger than the configured limit. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv6WithExtHdrFrames | This vector detects attacks with IPv6 packets that carry the extension header frame types selected with ipv6ExtHdrFrameType. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.ipv6TooManyExtHdrs | This vector detects attacks with more IPv6 extension headers than the configured limit. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
This table lists the parameters common to the IPv6 flood vectors.

Parameter | Description | Default |
---|---|---|
vectorType | Specifies the type of IPv6 DoS flood vector to match: l4-ext-hdrs-go-end, and bad-ext-hdr-order. | |
state (string) | Specifies the response to an IPv6 vector match: detection-only or mitigation. Note: To disable the vector, delete the custom resource. | detection-only |
detectionThresholdEps (integer) | Specifies the IPv6 attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the IPv6 attack detection percentage increase for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit (integer) | Specifies the rate limit in EPS for the configured IPv6 attack type. | 4294967295 |
perSrcIpDetectionEps (integer) | Specifies the IPv6 attack detection threshold in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. Not applicable to ipv6BadExtHdrOrder and ipv4MappedIpv6Addr. | 4294967295 |
perSrcIpLimitEps (integer) | Specifies the rate limit in EPS for the configured IPv6 attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. Not applicable to ipv6BadExtHdrOrder and ipv4MappedIpv6Addr. | 4294967295 |
perDstIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured IPv6 attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. Not applicable to ipv6BadExtHdrOrder and ipv4MappedIpv6Addr. | 4294967295 |
perDstIpLimitEps (integer) | Specifies the rate limit in EPS for the configured IPv6 attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. Not applicable to ipv6BadExtHdrOrder and ipv4MappedIpv6Addr. | 4294967295 |
lowHopCount (integer) | Specifies the minimum value for the hop count. Note: The minimum and maximum values are 1 and 4, respectively. Applicable only to ipv6LowHopCount. | 1 |
maxIpv6ExtHdrSize (integer) | Specifies the maximum extension header size. Note: The minimum and maximum values are 0 and 1024, respectively. Applicable only to ipv6LowHopCount. | 128 |
ipv6ExtHdrFrameType (array) | Specifies the extension header frame types to match. The enum options are auth, dstopt, esp, frag, hbh, mobility, route, and all. Note: Applicable only to ipv6WithExtHdrFrames. | all |
maxIpv6ExtHdrs (integer) | Specifies the maximum number of IPv6 extension headers. Note: The minimum and maximum values are 0 and 15, respectively. Applicable only to ipv6TooManyExtHdrs. | 4 |

### IPv6 Error Vectors

This table lists the IPv6 error vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.ipv6DupExtHdr | This vector detects attacks in which an extension header appears more than once in an IPv6 packet, excluding the Destination Options extension header. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6BadHopCount | This vector detects attacks in which both the terminated (Count=0) and forwarding (Count=1) packet counts are invalid. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv6BadVersion | This vector detects attacks in which the version field in the IPv6 header is not set to 6. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6AddrLenGtL2Len | This vector detects attacks in which the IPv6 address length exceeds the Layer 2 length. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6PayloadLenLtL2Len | This vector detects attacks in which the specified IPv6 payload length is shorter than the Layer 2 length. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6BadAddr | This vector detects attacks with a multicast source IPv6 address. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6FragError | This vector detects attacks with invalid IPv6 fragmentation offset values. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.ipv6FragOverlapError | This vector detects attacks in which overlapping IPv6 fragments are received. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.ipv6ShortFragError | This vector detects attacks with undersized IPv6 fragment packets. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
This table lists the parameters common to the IPv6 error vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the IPv6 attack detection threshold in EPS for the configured attack type. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the IPv6 attack detection percentage increase for the configured attack type. | 4294967295 |

### TCP Flood Vectors

This table lists the TCP flood vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.tcpRstFlood | This vector detects attacks in which TCP packets with the RST flag set are used to tamper with Internet communications. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.tcpFlagsUncommonFlood | This vector detects attacks in which TCP packets with uncommon flag combinations are used to tamper with Internet communications. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. The current list of uncommon flag combinations is A00SF [19], AP0S0 [26], AP0SF [27]. | No |
vectors.tcpSynOversize | This vector detects attack traffic with TCP SYN packets larger than 64 bytes. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.tcpBadUrg | This vector detects attack traffic with the URG flag set and the urgent pointer equal to 0. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.tcpOptIverrunsTcpHdr | This vector detects attack traffic with option bits that overrun the TCP header. The attack is detected or dropped based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.WindowSize | This vector detects attack traffic with a TCP window size of zero. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.nonTcpConnection | This vector targets all connections that are not TCP. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.tcpOptIlegalLen | This vector detects attack traffic with an illegal TCP option length. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
vectors.synAckFlood | This vector detects a flood of traffic with both the TCP SYN and ACK flags set. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.synFlood | This vector detects a flood of traffic with the TCP SYN flag set. The SYN cookie feature can be enabled for mitigation. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.ackFlood | This vector detects a flood of traffic with the TCP ACK flag set. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
vectors.TimestampFlood | This vector detects a flood of TCP ACK packets carrying invalid timestamps. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | No |
This table lists the parameters common to the TCP flood vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the attack detection percentage increase for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit (integer) | Specifies the rate limit in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
onlyUnsolicited (boolean) | If set to true, only unsolicited SYN-ACKs received are counted. If set to false, all SYN-ACKs received are counted. Note: This parameter is applicable to synAckFlood. | true |
timestampCookie (boolean) | If set to true, the timestamp cookie is enabled on all VLANs. Note: This parameter is applicable to askTimestampFlood. | true |
synCookie (object) | When SYN cookie is enabled, BIG-IP sends a cookie in the SYN-ACK response during a SYN flood. A TCP flow is created only when the client responds with the SYN cookie. In ADoS mode, valid client entries are added to the verifiedList. See the synCookie Parameters table below. Note: This parameter is applicable to synFlood. | true |

#### synCookie Parameters

Parameter | Description | Default |
---|---|---|
state (string) | Indicates the status of the parameter. Available options: enable or disable. | enable |
verifiedList (string) | Valid client entries that respond to the SYN cookie are added to the verifiedList. In ADoS mode, changing this parameter has no effect because the verifiedList is always enabled. | enable |
threshold (integer) | Specifies the threshold value. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
hwScrubTime (integer) | Specifies the scrub time, in minutes, after which verifiedList entries are flushed from hardware. Supported in ADoS mode only. Note: The minimum and maximum values are 1 and 450, respectively. | 120 |
verifiedListSkipDos (boolean) | If set to true, the TCP SYN/ACK flood and TCP RST flood DoS vectors are skipped for IPs in the verifiedList. If the verifiedList is not enabled, this option has no effect. Supported in ADoS mode only. | true |

### TCP Error Vectors

This table lists the TCP error vectors:

Parameter | Description |
---|---|
vectors.tcpHdrLenGtL2Len | This vector detects attack traffic in which the TCP header length exceeds the Layer 2 length. When enabled, the attack is detected and dropped based on the threshold configuration. |
vectors.tcpHdrLenTooShort | This vector detects attack traffic in which the Data Offset value in the TCP header indicates a header of less than 20 bytes. When enabled, the attack is detected and dropped based on the threshold configuration. |
vectors.tcpFlagsMalformed | This vector detects attack traffic with malformed flag combinations in the TCP header. When enabled, the attack is detected and dropped based on the threshold configuration. The current list of malformed flag combinations is 00000 [00], 0000F [01], 000SF [03], 00R0F [05], 00RS0 [06], 00RSF [07], 0P000 [08], 0P00F [09], 0P0S0 [10], 0P0SF [11], 0PR00 [12], 0PR0F [13], 0PRS0 [14], 0PRSF [15], A0R0F [21], A0RS0 [22], A0RSF [23], APR00 [28], APR0F [29], APRS0 [30], APRSF [31]. |
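
The bracketed numbers in the tcpFlagsUncommonFlood and tcpFlagsMalformed lists are the low five bits of the TCP flags field (FIN=1, SYN=2, RST=4, PSH=8, ACK=16): A00SF is 16+2+1 = 19 and APRSF is 31. The added Python below (an example written for this page, not F5 code) uses that encoding to classify raw flags bytes the way the two vectors do, for instance when comparing flag counts from a capture with what the vectors reported. The function names and the sample flag bytes are constructed for the example; URG, ECE and CWR are masked off because neither list refers to them.

```python
"""Classify a TCP flags byte the way the tcpFlagsUncommonFlood and
tcpFlagsMalformed vector descriptions enumerate their combinations.
Example code written for this page, not F5's own.

The reference writes each combination as five characters over the
ACK, PSH, RST, SYN, FIN positions followed by its value in brackets,
e.g. A00SF [19]; those values are the low five bits of the TCP flags
field (FIN=1, SYN=2, RST=4, PSH=8, ACK=16), which this code relies on."""
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
URG, ECE, CWR = 0x20, 0x40, 0x80          # not part of either list; masked off below
POSITIONS = (("A", ACK), ("P", PSH), ("R", RST), ("S", SYN), ("F", FIN))

# Combination strings copied from the two vector descriptions.
UNCOMMON = {"A00SF", "AP0S0", "AP0SF"}
MALFORMED = {"00000", "0000F", "000SF", "00R0F", "00RS0", "00RSF", "0P000",
             "0P00F", "0P0S0", "0P0SF", "0PR00", "0PR0F", "0PRS0", "0PRSF",
             "A0R0F", "A0RS0", "A0RSF", "APR00", "APR0F", "APRS0", "APRSF"}


def combo_to_value(combo):
    """'A00SF' -> 19, reproducing the bracketed numbers in the reference."""
    if len(combo) != 5:
        raise ValueError(f"expected five characters, got {combo!r}")
    value = 0
    for ch, (letter, bit) in zip(combo, POSITIONS):
        if ch == letter:
            value |= bit
        elif ch != "0":
            raise ValueError(f"unexpected character {ch!r} in {combo!r}")
    return value


def value_to_combo(value):
    """19 -> 'A00SF'. Only the low five bits are represented."""
    return "".join(letter if value & bit else "0" for letter, bit in POSITIONS)


UNCOMMON_VALUES = {combo_to_value(c) for c in UNCOMMON}
MALFORMED_VALUES = {combo_to_value(c) for c in MALFORMED}


def classify_flags(flags_byte):
    """Return 'malformed', 'uncommon' or 'ok' for a raw TCP flags byte."""
    low = flags_byte & 0x1F          # drop URG/ECE/CWR, keep ACK..FIN
    if low in MALFORMED_VALUES:
        return "malformed"
    if low in UNCOMMON_VALUES:
        return "uncommon"
    return "ok"


def count_by_class(flag_bytes):
    """Tally a sequence of flags bytes (e.g. extracted from a capture) per class."""
    counts = {"ok": 0, "uncommon": 0, "malformed": 0}
    for b in flag_bytes:
        counts[classify_flags(b)] += 1
    return counts


# Constructed sample: a normal handshake and data exchange, then four junk packets.
SAMPLE_FLAGS = [SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK,
                0x00, SYN | FIN, ACK | PSH | SYN, RST | ACK]

if __name__ == "__main__":
    for b in SAMPLE_FLAGS:
        print(f"0x{b:02x} {value_to_combo(b)} -> {classify_flags(b)}")
    print(count_by_class(SAMPLE_FLAGS))
```

Note that the malformed list is the set of combinations with no ACK and no SYN-only or SYN-with-ACK meaning (a bare RST or PSH, FIN without ACK, SYN+FIN, and all-zero), so a legitimate stack never emits them, which is why that vector is a drop-on-threshold error vector rather than a rate-limited flood vector.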
This table lists the parameters common to the TCP error vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the TCP attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the TCP attack detection percentage increase for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |

### UDP Flood Vectors

This table lists the UDP flood vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.udpFlood | This vector detects and mitigates UDP floods. UDP port lists can be enabled to scope the mitigation. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. | Yes |
This table lists the parameters common to the UDP flood vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the attack detection percentage increase for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit (integer) | Specifies the rate limit in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per source IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps (integer) | Specifies the attack detection threshold in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps (integer) | Specifies the rate limit in EPS for the configured attack type per destination IP address. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
udpPortLists (object) | Specifies the UDP ports to exclude from, or include in, UDP flood detection. See the udpPortLists Parameters table below. | |

#### udpPortLists Parameters

Parameter | Description | Default |
---|---|---|
listType (string) | Specifies whether the listed ports are excluded from or included in detection. Available options: exclude-listed-ports, include-listed-ports. | exclude-listed-ports |
entries (array) | Specifies the port and matchDirection of each entry. Note: The port must be specified. | |

### UDP Error Vectors

This table lists the UDP error vectors:

Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.badUdpChecksum | This vector detects attack traffic with incorrect UDP checksums. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.badUdpHdr | This vector detects attack traffic in which the UDP header length is greater than the IP length or the Layer 2 length. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
This table lists the parameters common to the UDP error vectors.

Parameter | Description | Default |
---|---|---|
detectionThresholdEps (integer) | Specifies the UDP attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage (integer) | Specifies the UDP attack detection percentage increase for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |

### Common Flood Vectors

This table lists the common flood vectors:

Parameter | Description |
---|---|
vectors.noListenerMatch | This vector detects attack traffic sent to BIG-IP that does not match any configured listener. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. |
vectors.uncommonIpProtocols | This vector detects traffic using IP protocols that are not in the configured excluded list. The attack is detected or rate-limited based on the state and rate-limit configuration; the vector provides per-source-IP and per-destination-IP detection and rate limiting. |
vectors.unknownIpProtocols | This vector detects attack traffic with an unknown or undetermined protocol. The attack is detected or dropped based on the state and rate-limit configuration. |
This table lists the config parameters common to all Common Flood vectors. EPS means events per second. The default value 4294967295 (the maximum) is effectively unreachable, so a threshold or limit does nothing until you lower it.
Parameter | Description | Default |
---|---|---|
detectionThresholdEps integer | Specifies the attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage integer | Specifies the percentage increase in traffic that counts as an attack for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit integer | Specifies the rate limit in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps integer | Specifies the attack detection threshold in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps integer | Specifies the rate limit in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps integer | Specifies the attack detection threshold in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps integer | Specifies the rate limit in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
excludedIpProtcols array | Lists the IP protocols to exclude from the uncommonIpProtocols vector. These protocols are treated as common IP protocols and are neither detected nor mitigated by that vector. Refer to the excludedIpProtcols parameters table below. Note: Applicable only to uncommonIpProtocols. | All protocols in the enumerated list (see below) |
excludedIpProtcols Parameters
Parameter | Description | Enumerated values |
---|---|---|
excludedIpProtcols string | Configuring one or more IP protocol strings from the enumerated list excludes them from the detection/mitigation thresholds of the uncommonIpProtocols vector; protocols not listed are counted as uncommon. If nothing is configured, all the IP protocols in the enumerated list are excluded. The enumerated list acts as the universal list of protocols, and the item "any" acts as a wildcard for every IP protocol in mBIP, so listing it excludes all protocols from the vector. | ah, any, esp, etherip, gre, hopopt, icmp, igmp, ipcomp, ipip, ipv4, ipv6, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, mobility-header, ospf, pim, sctp, tcp, udp |
Common Error Vectors
This table lists the Common Error vector parameters:
Parameter | Description |
---|---|
vectors.landAttack | This vector detects attack traffic where the source IP address is the same as the destination IP address (a LAND attack). When enabled, the attack is detected and dropped based on the threshold configuration. |
vectors.badSctpChecksum | This vector detects attack traffic with an incorrect SCTP checksum. When enabled, the attack is detected and dropped based on the threshold configuration. |
This table lists the config parameters common to all Common Error vectors.
Parameter | Description | Default |
---|---|---|
detectionThresholdEps integer | Specifies the error detection threshold in EPS for the configured error type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage integer | Specifies the percentage increase in traffic that counts as an attack for the configured error type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
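The manifest below is an added example, not a manifest from this page or from F5, showing how the two shapes of vector described above are written out: a Common Flood vector (uncommonIpProtocols) that takes state, rate limits and per-source/per-destination settings plus an explicit excludedIpProtcols list, and two Common Error vectors that take only the two detection thresholds. The apiVersion, the metadata and GatewayClass names, and the nesting of vectors under spec.dosGlobalOption are assumptions derived from the tables here rather than fields confirmed by this page; the state field on uncommonIpProtocols is taken from the vector description, since the Common Flood parameter table does not list it. Confirm the schema with kubectl explain before applying.

```yaml
# Added example (assumed apiVersion, names and nesting; verify against the installed CRD).
apiVersion: k8s.f5net.com/v1
kind: F5BigDdosGlobal
metadata:
  name: ddos-global-common
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io   # documented default
    kind: GatewayClass
    name: f5-gatewayclass              # assumed GatewayClass name
  dosGlobalOption:
    vectors:
      # Flood-shaped vector: state plus aggregate, per-source and per-destination thresholds.
      uncommonIpProtocols:
        state: mitigation              # detection-only would only report, never drop
        detectionThresholdEps: 10000
        detectionThresholdPercentage: 500
        rateLimit: 20000
        perSrcIpDetectionEps: 1000
        perSrcIpLimitEps: 2000
        perDstIpDetectionEps: 5000
        perDstIpLimitEps: 10000
        # Explicit list: only these protocols are treated as common. Because gre and sctp
        # are deliberately left out, a GRE (47) or SCTP (132) flood is counted by this vector.
        # An empty list would exclude the whole enumerated list instead, and adding "any"
        # excludes every protocol and leaves the vector with nothing to count.
        excludedIpProtcols:
          - tcp
          - udp
          - icmp
          - ipv6-icmp
          - esp
          - ah
      # Error-shaped vectors: thresholds only; matching packets are dropped once exceeded.
      landAttack:
        detectionThresholdEps: 100
        detectionThresholdPercentage: 500
      badSctpChecksum:
        detectionThresholdEps: 100
        detectionThresholdPercentage: 500
```

Start a new vector in detection-only and watch the detection events before switching it to mitigation; the aggregate rateLimit caps the total rate while perSrcIpLimitEps is what stops a single source from consuming the whole allowance.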
DNS Flood Vectors
This table lists the DNS Flood vector parameters:
Parameter | Description |
---|---|
vectors.dnsAQuery | This vector detects DNS packets with Qtype A. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.AaaaQuery | This vector detects DNS packets with Qtype AAAA. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsAnyQuery | This vector detects DNS packets with Qtype ANY. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsPtrQuery | This vector detects DNS packets with Qtype PTR. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsAxfrQuery | This vector detects DNS packets with Qtype AXFR. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsCnameQuery | This vector detects DNS packets with Qtype CNAME. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsIxfrQuery | This vector detects DNS packets with Qtype IXFR. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsMxQuery | This vector detects DNS packets with Qtype MX. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsNsQuery | This vector detects DNS packets with Qtype NS. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsOtherQuery | This vector detects DNS packets with Qtype OTHER, that is, a query type not covered by the other DNS query vectors. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsSoaQuery | This vector detects DNS packets with Qtype SOA. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsSrvQuery | This vector detects DNS packets with Qtype SRV. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsTxtQuery | This vector detects DNS packets with Qtype TXT. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.oversizedDns | This vector detects DNS packets larger than the configured maxDnsSize. Attack is detected or rate limited based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
vectors.dnsNxdomainQuery | This vector detects DNS queries for non-existent domains. Attack is detected or dropped based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. |
This table lists the config parameters common to all DNS Flood vectors.
Parameter | Description | Default |
---|---|---|
state string | Specifies the action when the DNS vector matches: detection-only (report only) or mitigation (rate limit or drop). Note: There is no disabled state; to disable the vector, delete the custom resource. | detection-only |
detectionThresholdEps integer | Specifies the attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage integer | Specifies the percentage increase in traffic that counts as an attack for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit integer | Specifies the rate limit in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps integer | Specifies the attack detection threshold in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps integer | Specifies the rate limit in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps integer | Specifies the attack detection threshold in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps integer | Specifies the rate limit in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
maxDnsSize integer | Specifies the maximum allowed DNS packet size in bytes. Note: The minimum and maximum values are 256 and 8191, respectively. Applicable only to oversizedDns. | 4096 |
validDomains array | Defines the list of domains that the vector treats as valid; queries for other names are what dnsNxdomainQuery counts. | |
DNS Error Vectors
This table lists the DNS Error vector parameters:
Parameter | Description |
---|---|
vectors.dnsMalformed | This vector detects malformed DNS packets. When enabled, the attack is detected and dropped based on the threshold configuration. |
vectors.dnsQdCountLimit | This vector detects DNS packets whose qdcount is not equal to 1. When enabled, the attack is detected and dropped based on the threshold configuration. |
vectors.unsolicitedDnsResponse | This vector detects DNS packets with the QR bit (bit 15 of the DNS header flags) set to 1, marking the packet as a response. When enabled, the attack is detected and dropped based on the threshold configuration. |
This table lists the config parameters common to all DNS Error vectors.
Parameter | Description | Default |
---|---|---|
detectionThresholdEps integer | Specifies the error detection threshold in EPS for the configured error type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage integer | Specifies the percentage increase in traffic that counts as an attack for the configured error type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
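The manifest below is an added example, not a manifest from this page or from F5, covering the DNS Flood and DNS Error vectors above: a high-volume A query vector left in detection-only, low per-source limits on ANY and AXFR queries, oversizedDns bound to a lowered maxDnsSize, dnsNxdomainQuery with a validDomains list, and the three error vectors with thresholds only. The L2 Flood vectors use the same field shape. The apiVersion, the metadata and GatewayClass names, and the placement of maxDnsSize and validDomains under their vectors are assumptions derived from the tables, not fields confirmed by this page; verify them against the installed CRD.

```yaml
# Added example (assumed apiVersion, names and nesting; verify against the installed CRD).
apiVersion: k8s.f5net.com/v1
kind: F5BigDdosGlobal
metadata:
  name: ddos-global-dns
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: GatewayClass
    name: f5-gatewayclass              # assumed GatewayClass name
  dosGlobalOption:
    vectors:
      # Normal query volume: observe first, drop nothing, until the thresholds are tuned.
      dnsAQuery:
        state: detection-only
        detectionThresholdEps: 50000
        detectionThresholdPercentage: 500
        rateLimit: 100000
        perSrcIpDetectionEps: 2000
        perSrcIpLimitEps: 5000
        perDstIpDetectionEps: 20000
        perDstIpLimitEps: 50000
      # ANY queries are mostly amplification bait: mitigate with a low per-source allowance.
      dnsAnyQuery:
        state: mitigation
        detectionThresholdEps: 500
        detectionThresholdPercentage: 200
        rateLimit: 1000
        perSrcIpDetectionEps: 50
        perSrcIpLimitEps: 100
        perDstIpDetectionEps: 500
        perDstIpLimitEps: 1000
      # Zone transfers should not arrive at this edge; 1 EPS per source reduces them to a trickle.
      dnsAxfrQuery:
        state: mitigation
        detectionThresholdEps: 10
        rateLimit: 10
        perSrcIpDetectionEps: 1
        perSrcIpLimitEps: 1
      # maxDnsSize must be within 256..8191; 1232 bytes matches the common EDNS0 buffer guidance.
      oversizedDns:
        state: mitigation
        rateLimit: 100
        maxDnsSize: 1232
      # Queries for names outside validDomains are what this vector counts (assumed pairing).
      dnsNxdomainQuery:
        state: mitigation
        detectionThresholdEps: 1000
        rateLimit: 2000
        perSrcIpDetectionEps: 50
        perSrcIpLimitEps: 100
        validDomains:
          - example.com
          - example.net
      # DNS Error vectors: thresholds only; matching packets are dropped once exceeded.
      dnsMalformed:
        detectionThresholdEps: 100
        detectionThresholdPercentage: 500
      dnsQdCountLimit:
        detectionThresholdEps: 100
        detectionThresholdPercentage: 500
      unsolicitedDnsResponse:
        detectionThresholdEps: 100
        detectionThresholdPercentage: 500
```

Because state has no disabled value, every vector you list is active; leave out the ones you do not intend to enforce rather than listing them with default thresholds, and keep in mind that any field left at 4294967295 never triggers.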
L2 Flood Vectors
This table lists the L2 Flood vector parameters:
Parameter | Description | Support for Hardware Acceleration |
---|---|---|
vectors.etherBroadcastPkt | This vector detects traffic whose Ethernet destination address is the broadcast address. Attack is detected or dropped according to the state and rate-limit configuration. | Yes |
vectors.etherMulticastPkt | This vector detects traffic whose Ethernet destination address is a multicast address. Attack is detected or dropped according to the state and rate-limit configuration. | Yes |
vectors.arpFlood | This vector detects an ARP flood in the network. Attack is detected or dropped based on the state and rate-limit configuration. | Yes |
vectors.etherSrcEqualDstAddr | This vector detects traffic whose Ethernet source MAC address is the same as the destination MAC address. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.l2LenGtIpLen | This vector detects attack traffic whose Layer 2 frame length significantly exceeds the total length declared in the IPv4 header while the Layer 2 length is above the minimum packet size. Attack is detected or dropped per the state and rate-limit configuration. | No |
vectors.singleEndpointSweep | Single endpoint vector. This vector tracks packets by their source address. Packets from a specific source that match the packet types specified in this vector and exceed the rate limit are dropped. | No |
vectors.singleEndpointFlood | Single endpoint vector. This vector tracks packets by their destination address. Packets to a specific destination that match the packet types specified in this vector and exceed the rate limit are dropped. | No |
vectors.badIcmpChecksum | ICMP error vector. This vector detects attack traffic with an incorrect ICMP checksum. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.badIcmpFrame | ICMP error vector. This vector detects attack traffic where the ICMP frame is of the wrong size or is not one of the valid IPv4/IPv6 ICMP types. When enabled, the attack is detected and dropped based on the threshold configuration. | No |
vectors.icmpFragFlood | ICMP flood vector. This vector triggers when a flood of ICMP fragments is observed. Attack is detected or rate limited based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. | Yes |
vectors.icmpFrameTooLarge | ICMP flood vector. This vector triggers when a flood of traffic with ICMP frames exceeding the default maximum datagram length (1500 bytes) is observed. Attack is detected or rate limited based on the state and rate-limit configuration. | No |
vectors.hostUnreachable | ICMP flood vector. This vector triggers when a flood of ICMP host unreachable errors is observed. Attack is detected or rate limited based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. | Yes |
vectors.badIgmpFrame | IGMP error vector. This vector detects attack traffic with incorrect IGMP frames. When enabled, the attack is detected and dropped based on the threshold configuration. | Yes |
vectors.igmpFlood | IGMP flood vector. This vector triggers when a flood of IGMP IPv4 packets (IP protocol number 2) is observed. Attack is detected or rate limited based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. | Yes |
vectors.igmpFragFlood | IGMP flood vector. This vector triggers when a flood of IGMP fragments is observed. Attack is detected or rate limited based on the state and rate-limit configuration. Provides both per-source IP and per-destination IP detection and rate limiting. | No |
This table lists the config parameters common to all L2 Flood vectors.
Parameter | Description | Default |
---|---|---|
state string | Specifies the action when the L2 vector matches: detection-only (report only) or mitigation (rate limit or drop). Note: There is no disabled state; to disable the vector, delete the custom resource. | detection-only |
detectionThresholdEps integer | Specifies the attack detection threshold in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
detectionThresholdPercentage integer | Specifies the percentage increase in traffic that counts as an attack for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
rateLimit integer | Specifies the rate limit in EPS for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpDetectionEps integer | Specifies the attack detection threshold in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perSrcIpLimitEps integer | Specifies the rate limit in EPS, per source IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpDetectionEps integer | Specifies the attack detection threshold in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
perDstIpLimitEps integer | Specifies the rate limit in EPS, per destination IP, for the configured attack type. Note: The minimum and maximum values are 0 and 4294967295, respectively. | 4294967295 |
packetTypes array | Defines the list of packet types considered when detecting this vector. Applicable to the single endpoint vectors (singleEndpointSweep and singleEndpointFlood), which match only the listed packet types. | |