security dos device-config
security dos device-config(1) BIG-IP TMSH Manual security dos device-config(1)
NAME
device-config - Configures the global network DoS profile.
MODULE
security dos
SYNTAX
Configure the global network DoS profile component within the security dos module using the syntax shown in the following
sections.
MODIFY
modify device-config dos-device-config
options:
auto-threshold-sensitivity [field deprecated since 13.0.0]
ip-uncommon-protolist [string]
threshold-sensitivity [low | medium | high]
custom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
options:
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
state [disabled | learn-only | detect-only | mitigate]
threshold-mode [fully-automatic | manual | manual-multiplier-mitigation | stress-based-mitigation]
}
}
dos-device-vector {
[vector type] {
allow-advertisement [disabled | enabled ]
allow-upstream-scrubbing [disabled | enabled ]
attacked-dst [disabled | enabled]
auto-blacklisting [enabled | disabled]
auto-scrubbing [disabled | enabled ]
auto-threshold [disabled | enabled ]
bad-actor [disabled | enabled]
blacklist-category [enter name of ip-intelligence category]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
ceiling [integer | infinite]
default-internal-rate-limit [integer | infinite]
detection-threshold-percent [integer | infinite]
detection-threshold-pps [integer | infinite]
enforce [enabled | disabled] [field deprecated since 13.1.0]
floor [integer]
multiplier_mitigation_percentage [integer]
packet-types [add | delete | replace-all-with] {
[atomic-frag | bad-packet | dns-a-query | dns-a-query | dns-aaaa-query |
dns-any-query | dns-axfr-query | dns-cname-query | dns-ixfr-query |
dns-mx-query | dns-ns-query | dns-other-query | dns-oversize |
dns-ptr-query | dns-response-flood | dns-soa-query | dns-srv-query |
dns-txt-query | exthdr | host-unrch | igmp | ip-overlap-frag |
ipfrag | ipv4-all | ipv4-any-other | ipv4-icmp | ipv6-all |
ipv6-any-other | ipv6-icmp | no-l4 | rthdr0 | sip-ack-method |
sip-bye-method | sip-cancel-method | sip-invite-method |
sip-malformed | sip-message-method | sip-notify-method |
sip-options-method | sip-other-method | sip-prack-method |
sip-publish-method | sip-register-method | sip-subscribe-method | sip-uri-limit |
suspicious | tcp-bad-ack | tcp-psh-flood | tcp-rst | tcp-syn-only |
tcp-synack | tcp-winsize | tidcmp | udp]
packet-types none
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
scrubbing-category [ enter name of scrubbing category | "none" ]
scrubbing-detection-seconds [ integer ]
scrubbing-duration [ integer ]
simulate-auto-threshold [enable | disable]
state [disabled | learn-only | detect-only | mitigate]
suspicious [ false | true ]
threshold-mode [manual | stress-based-mitigation | fully-automatic | manual-multiplier-mitigation]
valid-domains [add | delete | replace-all-with] {
[domain names] ...
}
valid-domains none
}
}
dynamic-signatures {
detection [disabled | enabled | learn-only] [field deprecated since 13.1.0]
mitigation [none | low | medium | high] [field deprecated since 13.1.0]
scrubber-advertisement-period [integer] [field deprecated since 13.1.0]
scrubber-category [name] [field deprecated since 13.1.0]
scrubber-enable [yes | no] [field deprecated since 13.1.0]
network {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
scrubber-advertisement-period [integer]
scrubber-category [name]
scrubber-enable [yes | no]
}
dns {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
}
}
dns-dos-mitigation-percentage [integer]
log-publisher [name]
network-dos-mitigation-percentage [integer]
sip-dos-mitigation-percentage [integer]
syn-cookie-dsr-flow-reset-by [bigip | client | none]
syn-cookie-whitelist [disabled | enabled]
tscookie-vlans
[add | delete | replace-all-with] {
[vlan name] ...
}
tscookie-vlans [default | none]
reset-stats device-config dos-device-config
options:
dns-nxdomain-stat
DISPLAY
list device-config dos-device-config
show running-config device-config dos-device-config
options:
all-properties
non-default-properties
one-line
show device-config dos-device-config
options:
dns-nxdomain-stat
field-fmt
query-valid-domain [domain-name]
RUN
run device-config
options:
auto-threshold-relearn
dns-nxdomain-relearn
dynamic-signatures-history-relearn
DESCRIPTION
This component is used to modify or display the global device DoS profile and statistics for use with network DoS
Protection functionality.
EXAMPLES
modify device-config ...
Modifies the global DoS profile settings.
list device-config
Displays all the properties of the device DoS profile.
run device-config dos-device-config auto-threshold-relearn
Clears the auto-threshold history for all the device auto-threshold vectors.
run device-config dos-device-config dns-nxdomain-relearn
Clears the dns-nxdomain history for all the device dns-nxdomain vectors.
run device-config dos-device-config dynamic-signatures-history-relearn
Clears the dynamic-signatures history for all the device dynamic-signatures vectors.
show device-config dos-device-config dns-nxdomain-stat
Displays the dns-nxdomain statistics for the device.
reset-stats device-config dos-device-config dns-nxdomain-stat
Resets the dns-nxdomain statistics for the device.
OPTIONS
auto-threshold-sensitivity
This option is deprecated in version 13.0.0.
dos-device-vector
Configures attack detection thresholds and rate limit parameters for network DoS vectors.
log-publisher
Specifies the name of the log publisher which logs translation events. See help sys log-config for more details on the
logging sub-system.
ip-uncommon-protolist
Specifies the name of an IP uncommon protocol list component. The default is /Common/ip-uncommon-protolist. This is
ready-only field.
threshold-sensitivity
Specifies the guidance on how aggressively (how much to pad) to adjust the "Detection/Rate-limit Threshold". Available
settings are low, medium and high. This setting is used for Autodos and Behavioral DoS features. Default is set to
medium.
network-dos-mitigation-percentage
Specifies the mitigaiton multiplier value of all the device network dos vector in percentage in the manual-multiplier-
mitigation mode.
dns-dos-mitigation-percentage
Specifies the mitigaiton multiplier value of all the device dns dos vector in percentage in the manual-multiplier-
mitigation mode.
sip-dos-mitigation-percentage
Specifies the mitigaiton multiplier value of all the device sip dos vector in percentage in the manual-multiplier-
mitigation mode.
syn-cookie-dsr-flow-reset-by
Specifies how TCP SYN Flood is handled when syn-cookie-whitelist is enabled and the attack is detected in Direct
Server Return(DSR) mode. The default value is none.
syn-cookie-whitelist
Specifies whether or not to use a SYN Cookie WhiteList when doing software SYN Cookies. This means not doing a SYN
Cookie for the same src IP address if it has been done already in the previous tm.flowstate.timeout (30) seconds. The
default value is disabled.
dynamic-signatures
Specifies options related to L4-L7 Behavioral DoS (Dynamic Signatures) feature that is applicable at the global/device
level. These settings are used to learn the characteristic of the traffic at the device level (across all domains and
virtual servers) and generate dynamic signatures as applicable to detect and mitigate anomalous traffic.
Following options are configurable for this feature at global/device level:
network
detection
Specifies the mode for detection of anomalies in traffic for the purpose of dynamic signature generation.
Following modes are supported: disabled, enabled and learn-only.
Mode learn-only is same as enabled except that the system does not generate any logs (or alerts the user).
It is used mainly to learn the baseline thresholds for the traffic.
Default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic (specified in form of dynamic signatures). Following
modes are supported: none, low, medium and high.
Each mode represents the severity (or aggressiveness) at which the system should try to mitigate the
anomalous traffic.
Default is none.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value of this specific dos signature in percentage when using manual-
multiplier-mitigation mode. The default value is inherited from the corresponding device level/profile
mitigation multiplier value of the same dos family.
scrubber-enable
Specifies the configuration mode for enabling or disabling the feature to scrub the attack traffic upon
dynamic signature match. Default is no.
scrubber-category
Specifies the IP Intelligence category used for scrubbing the attack traffic upon dynamic signature match
that constitutes destination IP address component. Default category is attacked_ips.
scrubber-advertisement-period
Specifies the advertisement period for which the attack traffic is scrubbed. Default is 300 seconds.
dns
detection
Specifies the mode for detection of anomalies in traffic for the purpose of dynamic signature generation.
Following modes are supported: disabled, enabled and learn-only.
Mode learn-only is same as enabled except that the system does not generate any logs (or alerts the user).
It is used mainly to learn the baseline thresholds for the traffic.
Default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic (specified in form of dynamic signatures). Following
modes are supported: none, low, medium and high.
Each mode represents the severity (or aggressiveness) at which the system should try to mitigate the
anomalous traffic.
Default is none.
custom-signatures
Specifies options related to L4 Behavioral DoS Signatures feature that is applicable at the global/device level.
Signatures can be added to a dos-profile and the signature criteria will be used for detection and mitigation of
anomalous traffic.
Following options are configurable for each signature added:
threshold-mode
Specifies the mode for setting the rate limit thresholds to be used for the matching traffic. Following modes are
supported: manual, fully-automatic, manual-multiplier-mitigation and stress-based-mitigation. Default is manual.
state
Specifies the operational state of the attached signature. The states supported are: disabled, learn-only,
detect-only and mitigate. Default is disabled.
manual-detection-threshold
Specifies manual detection threshold for a custom signature. It is applicable only if threshold-mode is set to
either manual or stress-based-mitigation
Default is infinite.
manual-mitigation-threshold
Specifies manual mitigation threshold for a custom signature. It is applicable on ly if threshold-mode is set to
either manual or stress-based-mitigation
Default is infinite.
tscookie-vlans
Specifies the VLANs on which we will do TCP timestamp cookie based validation of TCP ACK packets and use the TCP BAD
ACK DoS vector to mitigate a TCP ACK flood attack.
VECTOR TYPES
arp-flood
ARP Flood.
bad-ext-hdr-order
IPv6 extension headers in packet are out of order.
bad-icmp-chksum
Bad ICMP checksum.
bad-icmp-frame
Bad ICMP frames. To see the various reasons why ICMP frames are classified as bad, please refer to the written
documentation.
bad-igmp-frame
Bad IGMP frames. To see the various reasons why IGMP frames are classified as bad, please refer to the written
documentation.
bad-ip-opt
IPv4 option with illegal length.
bad-ipv6-hop-cnt
Bad IPv6 hop count. Terminated packet (cnt==0). Dropped when the rate hits rate limit.
bad-ipv6-ver
Bad IPv6 version. IP Version in the IPV6 packet is not 6.
bad-sctp-chksum
Bad SCTP Checksum type.
bad-tcp-chksum
Bad TCP checksum.
bad-tcp-flags-all-clr
Bad TCP flags (all TCP header flags cleared).
bad-tcp-flags-all-set
Bad TCP flags (all flags set).
bad-ttl-val
Bad IP TTL value (TTL == 0 for IPv4).
bad-udp-chksum
Bad UDP checksum.
bad-udp-hdr
Bad UDP header. To see the various reasons why UDP headers are classified as bad, please refer to the written
documentation.
bad-ver
Bad IP version 4. IPv4 version in IP header is not 4.
dns-a-query
DNS A query packet.
dns-aaaa-query
DNS AAAA query packet.
dns-any-query
DNS any query packet.
dns-axfr-query
DNS AXFR query packet.
dns-cname-query
DNS CNAME query packet.
dns-ixfr-query
DNS IXFR query packet.
dns-malformed
DNS Malformed packet.
dns-mx-query
DNS MX query packet.
dns-ns-query
DNS NS query packet.
dns-nxdomain-query
DNS NXDOMAIN query packet.
dns-other-query
DNS OTHER query packet.
dns-oversize
DNS packet with size > . This sys db tunable is configurable with Dos.MaxDNSframeSize.
dns-ptr-query
DNS PTR query packet.
dns-qdcount-limit
DNS QDCOUNT LIMIT query packet.
dns-response-flood
DNS RESPONSE FLOOD query packet.
dns-soa-query
DNS SOA query packet.
dns-txt-query
DNS TXT query packet.
dns-srv-query
DNS SRV query packet.
dup-ext-hdr
Duplicate IPv6 extension headers.
ether-brdcst-pkt
Ethernet broadcast packet.
ether-mac-sa-eq-da
Ethernet MAC SA == DA.
ether-multicast-pkt
Ethernet multicast packet.
ext-hdr-too-large
IPv6 extension header size too large. The max IPV6 extension header size is configurable via the sys db variable
dos.maxipv6extsize.
fin-only-set
TCP header with only the FIN flag set.
flood
A Flood is an attack where multiple (typically many) endpoints initiate network traffic to a single subnet or
receiving endpoint.
hdr-len-gt-l2-len
Header length > L2 length. No room in L2 packet for IPv4 header (including options).
hdr-len-too-short
Header length too short. IPv4 header length in IP header is less than 20 bytes.
hop-cnt-leq-one
IPv6 hop count <= and the packet needs to be forwarded. This sys db tunable is configurable by the sys db
variable tm.minipv6hopcnt.
host-unreachable
ICMP packets of type "Host Unreachable".
icmp-frag-flood
ICMP fragments flood.
icmp-frame-too-large
Packets larger than the maximum ICMP frame size. The max ICMP frame size is configurable via the sys db variable
dos.maxicmpframesize.
icmpv4-flood
ICMPv4 Flood.
icmpv6-flood
ICMPv6 Flood.
igmp-flood
IGMP Flood.
igmp-frag-flood
IGMP Fragment Flood.
ip-bad-src
IP addr is a broadcast or multicast address.
ip-err-chksum
IP error checksum. IPv4 header checksum error.
ip-frag-flood
IPv4 fragment flood.
ip-len-gt-l2-len
IP length > L2 length. Total length in IPv4 header is greater than the L3 part length in L2 packet.
ip-overlap-frag
IPv4 overlapping fragments.
ip-short-frag
IPv4 fragments whose payload size is less than the minimum IPv4 Fragment size. The minimum size is configurable via
the db variable tm.minipfragsize.
ip-unk-prot
IP Unknown Protocol type.
ip-opt-frames
IP option frames. IPv4 packets with options. db variable tm.acceptipoptions must be enabled to receive IP options.
ip-other-frag
The total IPv4 fragments' size has exceeded the reassembly queue or the maximum IP packet size.
ipv6-atomic-frag
IPv6 frame with frag extension hdr, but the MF and offset fields are both 0.
ipv6-bad-src
IPv6 src address is a multicast address or IPv6 src or destination address is a IPv4 mapped IPv6 address.
ipv6-ext-hdr-frames
IPv6 extended header frames.
ipv6-frag-flood
IPv6 fragment flood.
ipv6-len-gt-l2-len
IPv6 length > L2 length.
ipv6-other-frag
The total IPv6 fragments' size has exceeded the reassembly queue or the maximum IP packet size.
ipv6-overlap-frag
IPv6 overlapping fragments.
ipv6-short-frag
IPv6 fragments whose payload size is less than the minimum IPv6 Fragment size. The minimum size is configurable via
the db variable tm.minipv6fragsize.
ipv4-mapped-ipv6
IPv4 mapped IPv6 addresses.
land-attack
Land Attack. IP Src Address equals IP Dst Address. Both V4 and V6 are counted.
l2-len-ggt-ip-len
L2 length >> IP length. L2 packet length is much greater than payload length in IPv4 (L2 length > IP length and L2
length > minimum packet size).
l4-ext-hdrs-go-end
No L4 (extended headers go to or past the end of frame).
no-l4
No L4. No L4 payload for IPv4.
opt-present-with-illegal-len
TCP Option present with illegal length.
payload-len-ls-l2-len
Payload length < L2 length. Payload length in IPv6 header is less than L3 part length in L2 packet.
routing-header-type-0
Routing header type 0 present.
sip-malformed
SIP malformed packet
sip-invite-method
SIP INVITE method packet.
sip-ack-method
SIP ACK method packet.
sip-options-method
SIP OPTIONS method packet.
sip-bye-method
SIP BYE method packet.
sip-cancel-method
SIP CANCEL method packet.
sip-register-method
SIP REGISTER method packet.
sip-publish-method
SIP PUBLISH method packet.
sip-notify-method
SIP NOTIFY method packet.
sip-subscribe-method
SIP SUBSCRIBE method packet.
sip-message-method
SIP MESSAGE method packet.
sip-prack-method
SIP PRACK method packet.
sip-uri-limit
Limit SIP URI length.
sip-other-method
SIP OTHER method packet.
sweep
A Sweep is an attack where a single endpoint initiates network traffic to a large number of receiving endpoints or
subnets.
syn-and-fin-set
SYN && FIN set.
tcp-ack-flood
TCP packets with the ACK flag set (for non-existing flows).
tcp-bad-urg
TCP packets with the URG flag set but URG pointer is 0.
tcp-hdr-len-gt-l2-len
TCP header length > L2 length. No room in packet for TCP header (including options).
tcp-hdr-len-too-short
TCP header length too short (length < 5). The offset field in TCP header is less than 20 bytes.
tcp-opt-overruns-tcp-hdr
TCP option overruns TCP header.
tcp-syn-flood
TCP header with only the SYN flag set.
tcp-synack-flood
TCP header with only the SYN and ACK flags set.
tcp-rst-flood
TCP header with only the RST flag set.
tcp-psh-flood
TCP header with PUSH flag set.
tcp-window-size
TCP non-RST pkt with window size < . This sys db tunable is configurable with Dos.TcpLowWindowSize.
tidcmp
ICMP source quench packets.
too-many-ext-hdrs
Too many extended headers. The IPv6 extended headers are more than 4. This number can be set through db variable
dos.maxipv6exthdrs.
tcp-syn-oversize
TCP data-SYN with pktlength > dos.maxsynsize which is 128 bytes by default.
ttl-leq-one
TTL <= . For IPv4 forwarding. This sys db tunable is configurable by tm.minipttl.
unk-tcp-opt-type
Unknown TCP option type.
udp-flood
UDP Flood.UDP flood vector counts any UDP packets that either match the UDP Port InclusionList or do not match the UDP
Port ExclusionList. "tmsh modify security dos udp-portlist" can be used to configure the udp port list.For more info
about udp portlist and how to configure it use "help security dos udp-portlist"
unk-ipopt-type
Unknown IP option type.
ip-uncommon-proto
ip-uncommon-proto vectors counts packets whose protocol is specified in configured ip-uncommon-protolist.
PARAMETERS
allow-advertisement
Enables allow advertisement. The default is disabled.
allow-upstream-scrubbing
Enables allow upstream scrubbing. The default value is disabled.
attacked-dst
Enables attacked-destination. The default value is disabled.
auto-blacklisting
Enables automatic blacklisting of offending source IPs. The default value is disabled.
auto-scrubbing
Enables specifying destination IP scrubbing. The default value is disabled.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by threshold-mode. Enables the auto threshold mode for
dos detection and dos mitigation. The default value is disabled.
bad-actor
Enables per-source IP based bad actor detection. The default value is disabled.
blacklist-category
Blacklist category (of IP intelligence) to which this IP should be added. The default value is none.
blacklist-detection-seconds
Duration in seconds for which the IP has been offending. The default value is 60.
blacklist-duration
Duration in seconds for which this IP should be blocked. The default value is 14400.
ceiling
Option to set a maximum value ("ceiling") for the default-internal-rate-Limit for this vector. The range is from 0 to
infinity.
default-internal-rate-limit
This parameter is programmed in hardware to limit the traffic to BIG-IP software. If the hardware DoS support does not
exist software uses default-internal-rate-limit to limit the good traffic (most of them are flood) to external
servers. Bad packets are always dropped.
If the rate limit value is infinite the rate limit is disabled. The default value is 100000.
detection-threshold-percent
This parameter specifies relative threshold that uses dynamically learned 1-hour average rate to detect attacks. If
the current rate (1-minute average) increases the specified percent over the 1-hour average rate, attack is detected.
If the threshold value is infinite the detection is disabled. The default value is 500.
detection-threshold-pps
This parameter specifies absolute threshold value. If the current rate (1-minute average) is equal or above the
threshold value, attack is detected.
If the threshold value is infinite the detection is disabled. The default value is 100000.
enforce
This option is deprecated in version 13.1.0 and is replaced by state. Enable or disable the packet drop action of DOS
detection for this attack type.
floor
Option to set a minimum value ("floor") for the detection-threshold-pps for this vector. The range is from 0 (no-
floor) to infinity (no-detection). The default value is 5000.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value of this specific vector in percentage when using manual-multiplier-
mitigation mode, The default value used is inherited from the network dos profile.
packet-types
This parameter is used to specify type of packets that will be classified as Sweep/Flood attacks. There are various
types of packet types that can be specified. The default value is none.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per destination IP. The default value is infinite.
per-dst-ip-limit-pps.
Specifies the attack mitigation threshold (pps) per destination IP. The default value is infinite.
per-source-ip-detection-pps
Specifies the attack detection threshold (pps) per source IP. The default value is infinite.
per-source-ip-limit-pps
Specifies the attack mitigation threshold (pps) per source IP. The default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default value is none.
scrubbing-detection-seconds
Specifies duration in seconds for which the destination IP has been offended/attacked. The default value is 10.
scrubbing-duration
Specifies duration in seconds for which this IP should be scrubbed. The default value is 900.
simulate-auto-threshold
Option to enable/disable auto-threshold simulation by generating logs if auto-threshold based detection/mitigation
would have kicked in. Only valid in manual mode. The default value is disabled.
state
Specifies the run time state of this signature. The default value is mitigate.
The options are:
disabled
Do not learn, do not collect stats.
learn-only
Learn/Collect stats, but do not "detect" ("alarm" in ASM-speak) any attacks,
detect-only
Learn/Collect stats/detect, but do not mitigate (rate-limit/drop, challenge, etc.) any attacks.
mitigate
Learn/Collect stats/detect/mitigate (using whichever mitigations are configured).
suspicious
Specifies if the vector considers all packets or only unsolicited packets. The default value is false.
threshold-mode
Enables the threshold mode for DoS detection and DoS mitigation. The default value is manual.
The options are:
manual
Specifies the manual thresholds.
stress-based-mitigation
Specifies the manual detection ("alarm")threshold, but mitigation threshold is stress-based.
fully-automatic
Specifies both the detection ("alarm") and mitigation thresholds are automatically computed.
manual-multiplier-mitigation
Specifies the detection ("alarm") threshold is automatically computed. The mitigation threshold is calculated by
the detection threshold multiplies the multiplier-mitigation-percentage.
valid-domains
Adds, deletes, modifies, or replaces a set of valid fully qualified domain names (FQDNs).
SEE ALSO
list, modify, security, security dos, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015. All rights reserved.
BIG-IP 2019-07-24 security dos device-config(1)