security dos dos-signature
security dos dos-signature(1) BIG-IP TMSH Manual security dos dos-signature(1)
NAME
dos-signature - Configures DoS Behavioral Signature(s).
MODULE
security dos
SYNTAX
Configure the dos-signature component within the security dos module using the syntax shown in the following sections.
CREATE/MODIFY
create dos-signature [name]
modify dos-signature [name]
options:
alias [string]
app-service [string | none]
approval-state [ unapproved | manually-approved ]
parent-context-type [device | virtual-server | device-netflow]
parent-context [string]
parent-profile [string]
description [string]
family [dns| network | http | tls]
hardware-offload [ disabled | enabled ]
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
multiplier-mitigation-percentage [integer]
origin [dynamic-bdos | user-defined]
predicates [list of struct(string, string, string)]
shareability-state [not-shareable | fully-shareable ]
state [disabled | learn-only | detect-only | mitigate]
tags [list of string]
threshold-mode [manual | manual-multiplier-mitigation | stress-based-mitigation | fully-automatic]
type [dynamic | persistent]
DISPLAY
list dos-signature [name]
DELETE
delete dos-signature [name]
DESCRIPTION
You can use the dos-signature component to modify or display a DoS signature.
EXAMPLES
create security dos dos-signature Sig_Device_ToS type persistent family http origin user-defined state disabled
This example shows how to create a DoS signature named Sig_Device_ToS
list security dos dos-signature Sig_Device_ToS
This example shows how to display a DoS signature named Sig_Device_ToS
modify dos-signature Sig_Device_TTL manual-detection-threshold 10000 manual-mitigation-threshold 4294967295
This examples show how to modify the manual detection and mitigation threshold of a DoS signature named Sig_Device_TTL
delete security dos dos-signature Sig_Device_ToS
This example shows how to delete a DoS signature named Sig_Device_ToS
OPTIONS
alias
Specifies the alias name of a signature. The default is empty string.
app-service
Specifies the application service that the object belongs to.
approval-state
Specifies whether or not the signature has been reviewed for quality/correctness. For a persistent signature with dns
or network family, the default is manually-approved. Otherwise, the default is unapproved.
User can't modify approval-state for a dynamic signature with dns or network family.
The options are:
unapproved
Specifies the signature is not approved.
manually-approved
Specifies the signature has been reviewed for quality/correctness.
parent-context-type
Specifies the type of the context for which this signature has been generated.
The available options:
device
Specifies the context type is a DoS device.
virtual-server
Specifies the type of the context is a Virtual Server.
device-netflow
Specifies the context type is Netflow device.
For a dynamic type signature, it is required field and it is not allowed to be modified once specified.
For persistent type signature, it can't be reset once it is set. The default is unspecified.
For persistent type signature with dns or network family, this field is not applicable.
parent-context
Specifies the context for which this signature has been generated. The default is empty string.
This field is based on parent-context-type. If parent-context-type is device, it must be constant "Device". If parent-
context-type is device-netflow, it must be constant "NetFlow".
For a dynamic type signature, it can't be empty and it is not allowed to be modified once specified.
For persistent type signature, it can't be reset once it is set.
For persistent type signature with dns or network family, this field is not applicable.
parent-profile
Specifies the profile for which this signature has been generated. The default is empty string.
This field is based on parent-context-type. If parent-context-type is device or device-netflow, it must be constant
"/Common/dos-device-config".
For a dynamic type signature, it can't be empty and it is not allowed to be modified once specified.
For a persistent type signature, it can't be reset once it is set.
This field is required for a persistent type signature with dns or network family and non-shareable shareability-
state.
description
Specifies user defined description for this signature.
family
Specifies the family this signature belongs to. This is a require field for creation. The options are dns, network,
http
It is not allowed to be modified once it is created.
hardware-offload
Enables or disables hardware offloading on the dynamic and persistent network family signature. The default value is
enabled.
manual-detection-threshold
Specifies the manual threshold (Events Per Second) above which the traffic is declared as an attack. The default is
infinite(4294967295).
This field is taken effective only when threshold-mode attribute is set to manual. For a signature with http family,
it should be always 0.
For a persistent signature with dns or network family, this field is not applicable and it should be always default
value.
For a dynamic signature with dns or network family, this field can't be changed if threshold-mode is fully-automic.
manual-mitigation-threshold
Specifies the manual threshold (Events Per Second) above which the system rate limits (drops) the traffic that matches
this signature. The default is infinite(4294967295).
This field is taken effective only when threshold-mode attribute is set to manual. For a signature with http family,
it should be always 0.
For a persistent signature with dns or network family, this field is not applicable and it should be always default
value.
For a dynamic signature with dns or network family, this field can't be changed if threshold-mode is fully-automic.
For a signature with parent-context-type is device-netflow, this field must be infinite(4294967295).
multiplier-mitigation-percentage
Specifies the mitigation multiplier value of this specific dos signature in percentage when using manual-multiplier-
mitigation mode. The default value is inherited from the corresponding device level/profile mitigation multiplier
value of the same dos family.
origin
Specifies the origin where this signature is generated from. The options are dynamic-bdos and user-defined. The
default is user-defined.
It is not allowed to be modified once it is created.
predicates
Specifies list of predicates that constitutes this signature. Each predicate contains 3 string fields: metric,
operator, and arguments. It is required field.
User can't add/modify predicates for a dynamic signature with dns or network family.
shareability-state
Specifies whether or not the signature can be used by Contexts (Virtual Servers) other than the one that created the
signature. For a persistent signature with dns or network, the default is fully-shareable. Otherwise, the default is
not-shareable.
User can't modify shareability-state for a dynamic signature with dns or network family.
This field can't be changed from fully-shareable to not-shareable if the signature is referred.
The options are:
not-shareable
Specifies the signature can only be used by context which created it.
fully-shareable
Specifies the signature can be used by contexts other than the one that created it.
state
Specifies the deployment state of this signature. The default is disabled.
The options are:
disabled
Do not learn, do not collect stats.
learn-only
Learn/Collect stats, but do not "detect" ("alarm" in ASM-speak) any attacks,
detect-only
Learn/Collect stats/detect, but do not mitigate (rate-limit/drop, challenge, etc.) any attacks.
mitigate
Learn/Collect stats/detect/mitigate (using whichever mitigation(s) are configured).
For a persistent signature with dns or network family, this field is not applicable and it should be always default
value.
For a dynamic signature with dns or network family, learn-only is not allowed.
For a signature with http family, only learn-only or mitigate is allowed.
tags Specifies list of tags of this signature. The default is empty.
threshold-mode
Specifies the threshold mode for DoS detection and mitigation. The default is manual.
The options are:
manual
Specifies the manual thresholds.
stress-based-mitigation
Specifies the manual detection ("alarm") threshold, but mitigation threshold is stress-based. This option is not
available for a signature with http family or for a signature with parent-context-type being device-netflow.
fully-automatic
Specifies both the detection ("alarm") and mitigation thresholds are automatically computed. This option is not
available for a signature with http family.
manual-multiplier-mitigation
Specifies the detection ("alarm") threshold is automatically computed. The mitigation threshold is calculated by
the detection threshold multiplies the multiplier-mitigation-percentage.
For a persistent signature with dns or network family, this field is not applicable and it should be always default
value.
For a signature with parent-context-type is device-netflow, this field can't be stress-based-mitigation.
For a signature with http family, this field can't be stress-based-mitigation or fully-automatic.
type Specifies the type of this signature. The options are dynamic and persistent. The default is persistent.
It is not allowed to be changed from persistent to dynamic. User can't create dynamic signature but can modify and
delete it.
SEE ALSO
edit, list, modify, security, security dos, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2017. All rights reserved.
BIG-IP 2019-05-21 security dos dos-signature(1)