security dos device-config

security dos device-config(1) BIG-IP TMSH Manual security dos device-config(1)



NAME
       device-config - Configures the global network DoS profile.

MODULE
       security dos

SYNTAX
       Configure the global network DoS profile component within the security
       dos module using the syntax shown in the following sections.

   MODIFY
	modify device-config dos-device-config
	  options:
	    auto-threshold-sensitivity [field deprecated since 13.0.0]
	    threshold-sensitivity [low | medium | high]
	    dos-device-vector {
	      [vector type] {
		default-internal-rate-limit [integer | infinite]
		detection-threshold-percent [integer | infinite]
		detection-threshold-pps [integer | infinite]
	      }
	      packet-types [atomic-frag | bad-packet | dns-a-query | dns-aaaa-query |
		   dns-any-query | dns-axfr-query | dns-cname-query | dns-ixfr-query |
		   dns-mx-query | dns-ns-query | dns-other-query | dns-oversize |
		   dns-ptr-query | dns-response-flood | dns-soa-query | dns-srv-query |
		   dns-txt-query | exthdr | host-unrch | igmp | ip-overlap-frag |
		   ipfrag | ipv4-all | ipv4-any-other | ipv4-icmp | ipv6-all |
		   ipv6-any-other | ipv6-icmp | no-l4 | rthdr0 | sip-ack-method |
		   sip-bye-method | sip-cancel-method | sip-invite-method |
		   sip-malformed | sip-message-method | sip-notify-method |
		   sip-options-method | sip-other-method | sip-prack-method |
		   sip-publish-method | sip-register-method | sip-subscribe-method |
		   suspicious | tcp-bad-ack | tcp-half-open | tcp-rst | tcp-syn-only |
		   tcp-synack | tcp-winsize | tidcmp | udp]
	      enforce [enabled | disabled]
	      auto-blacklisting [enabled | disabled]
	      auto-threshold [disabled | enabled]
	      bad-actor [disabled | enabled]
	      blacklist-category [enter name of ip-intelligence category]
	      blacklist-detection-seconds [integer]
	      blacklist-duration [integer]
	      ceiling [integer | infinite]
	      floor [integer]
	      per-source-ip-detection-pps [integer]
	      per-source-ip-limit-pps [integer]
	      simulate-auto-threshold [enable | disable]
	      ...
	    }
	    dynamic-signatures {
		detection [disabled | enabled | learn-only]
		mitigation [none | low | medium | high]
		scrubber-advertisement-period [integer]
		scrubber-category [name]
		scrubber-enable [yes | no]
	    }
	    log-publisher [name]

	reset-stats device-config

   DISPLAY
	list device-config dos-device-config
	show running-config device-config dos-device-config
	  options:
	    all-properties
	    dos-device-vector
	    log-publisher

	show device-config dos-device-config

   RUN
	run device-config dos-device-config auto-threshold-relearn

DESCRIPTION
       This component is used to modify or display the global device DoS
       profile and statistics for use with network DoS Protection
       functionality.

EXAMPLES
       modify device-config ...

       Modifies the global DoS profile settings.

       list device-config

       Displays all the properties of the device DoS profile.

       run device-config dos-device-config auto-threshold-relearn

       Clears the auto-threshold history for all the device auto-threshold
       vectors.

OPTIONS
       dos-device-vector
	    Configures attack detection thresholds and rate limit parameters
	    for network DoS vectors.

       enforce
	    Enables or disables the packet-drop (rate-limit) action for this
	    vector. When disabled, attacks on this vector are still detected
	    but no packets are dropped.

       log-publisher
	    Specifies the name of the log publisher that receives the DoS
	    events generated by this profile. See help sys log-config for more
	    details on the logging sub-system.

       threshold-sensitivity
	    Specifies how aggressively (how much padding) the system applies
	    when adjusting the learned detection and rate-limit thresholds.
	    Available settings are low, medium and high. This setting is used
	    by the auto-threshold (Autodos) and Behavioral DoS features.
	    Default is medium.

       dynamic-signatures
	    Specifies options for the L4 Behavioral DoS (Dynamic Signatures)
	    feature at the global/device level. These settings are used to
	    learn the characteristics of the traffic at the device level
	    (across all domains and virtual servers) and to generate dynamic
	    signatures that detect and mitigate anomalous traffic.

	    The following options are configurable for this feature at the
	    global/device level:

	    detection
		 Specifies the detection mode for traffic anomalies used in
		 dynamic signature generation. The following modes are
		 supported: disabled, enabled and learn-only.

		 learn-only behaves like enabled, except that the system
		 generates no logs or alerts. It is used mainly to learn the
		 baseline thresholds for the traffic.

		 Default is learn-only.

	    mitigation
		 Specifies the mitigation mode for anomalous traffic (as
		 described by dynamic signatures). The following modes are
		 supported: none, low, medium and high.

		 Each mode represents the severity (or aggressiveness) with
		 which the system mitigates the anomalous traffic.

		 Default is none.

	    scrubber-enable
		 Enables or disables scrubbing of attack traffic upon a
		 dynamic signature match. Default is no.

	    scrubber-category
		 Specifies the IP Intelligence category to which the
		 destination IP address of traffic matching a dynamic
		 signature is added for scrubbing. Default category is
		 attacked_ips.

	    scrubber-advertisement-period
		 Specifies the period, in seconds, for which the attack
		 traffic is advertised for scrubbing. Default is 300 seconds.

VECTOR TYPES
       arp-flood
	    ARP Flood.

       bad-ext-hdr-order
	    IPv6 extension headers in packet are out of order.

       bad-icmp-chksum
	    Bad ICMP checksum.

       bad-icmp-frame
	    Bad ICMP frames. To see the various reasons why ICMP frames are
	    classified as bad, please refer to the written documentation.

       bad-igmp-frame
	    Bad IGMP frames. To see the various reasons why IGMP frames are
	    classified as bad, please refer to the written documentation.

       bad-ip-opt
	    IPv4 option with illegal length.

       bad-ipv6-hop-cnt
	    Bad IPv6 hop count: the packet's hop count is 0, so it must be
	    terminated here. Dropped when the rate hits the rate limit.

       bad-ipv6-ver
	    Bad IPv6 version. IP Version in the IPV6 packet is not 6.

       bad-sctp-chksum
	    Bad SCTP Checksum type.

       bad-tcp-chksum
	    Bad TCP checksum.

       bad-tcp-flags-all-clr
	    Bad TCP flags (all TCP header flags cleared).

       bad-tcp-flags-all-set
	    Bad TCP flags (all flags set).

       bad-ttl-val
	    Bad IP TTL value (TTL == 0 for IPv4).

       bad-udp-chksum
	    Bad UDP checksum.

       bad-udp-hdr
	    Bad UDP header. To see the various reasons why UDP headers are
	    classified as bad, please refer to the written documentation.

       bad-ver
	    Bad IPv4 version. The version field in the IPv4 header is not 4.

       dns-any-query
	    DNS any query packet.

       dns-a-query
	    DNS A query packet.

       dns-ptr-query
	    DNS PTR query packet.

       dns-ns-query
	    DNS NS query packet.

       dns-soa-query
	    DNS SOA query packet.

       dns-cname-query
	    DNS CNAME query packet.

       dns-mx-query
	    DNS MX query packet.

       dns-aaaa-query
	    DNS AAAA query packet.

       dns-txt-query
	    DNS TXT query packet.

       dns-srv-query
	    DNS SRV query packet.

       dns-axfr-query
	    DNS AXFR query packet.

       dns-ixfr-query
	    DNS IXFR query packet.

       dns-malformed
	    DNS Malformed packet.

       dns-other-query
	    DNS OTHER query packet.

       dns-oversize
	    DNS packet whose size exceeds the maximum DNS frame size. The
	    maximum is a sys db tunable, configurable with Dos.MaxDNSframeSize.

       dup-ext-hdr
	    Duplicate IPv6 extension headers.

       ether-brdcst-pkt
	    Ethernet broadcast packet.

       ether-mac-sa-eq-da
	    Ethernet MAC SA == DA.

       ether-multicast-pkt
	    Ethernet multicast packet.

       ext-hdr-too-large
	    IPv6 extension header size too large. The max IPV6 extension
	    header size is configurable via the sys db variable
	    dos.maxipv6extsize.

       fin-only-set
	    TCP header with only the FIN flag set.

       flood
	    A Flood is an attack where multiple (typically many) endpoints
	    initiate network traffic to a single subnet or receiving endpoint.

       hdr-len-gt-l2-len
	    Header length > L2 length. No room in L2 packet for IPv4 header
	    (including options).

       hdr-len-too-short
	    Header length too short. IPv4 header length in IP header is less
	    than 20 bytes.

       hop-cnt-leq-one
	    IPv6 hop count is less than or equal to the configured minimum and
	    the packet needs to be forwarded. The minimum is a sys db tunable,
	    configurable with tm.minipv6hopcnt.

       host-unreachable
	    ICMP packets of type "Host Unreachable".

       icmp-frag-flood
	    ICMP fragments flood.

       icmp-frame-too-large
	    Packets larger than the maximum ICMP frame size. The max ICMP
	    frame size is configurable via the sys db variable
	    dos.maxicmpframesize.

       icmpv4-flood
	    ICMPv4 Flood.

       icmpv6-flood
	    ICMPv6 Flood.

       igmp-flood
	    IGMP Flood.

       igmp-frag-flood
	    IGMP Fragment Flood.

       ip-bad-src
	    IPv4 source address is a broadcast or multicast address.

       ip-err-chksum
	    IP error checksum. IPv4 header checksum error.

       ip-frag-flood
	    IPv4 fragment flood.

       ip-len-gt-l2-len
	    IP length > L2 length. Total length in IPv4 header is greater than
	    the L3 part length in L2 packet.

       ip-overlap-frag
	    IPv4 overlapping fragments.

       ip-short-frag
	    IPv4 fragments whose payload size is less than the minimum IPv4
	    Fragment size. The minimum size is configurable via the db
	    variable tm.minipfragsize.

       ip-unk-prot
	    IP Unknown Protocol type.

       ip-opt-frames
	    IP option frames. IPv4 packets with options. db variable
	    tm.acceptipoptions must be enabled to receive IP options.

       ip-other-frag
	    The total IPv4 fragments' size has exceeded the reassembly queue
	    or the maximum IP packet size.

       ipv6-atomic-frag
	    IPv6 frame with frag extension hdr, but the MF and offset fields
	    are both 0.

       ipv6-bad-src
	    IPv6 src address is a multicast address or IPv6 src or dst addr is
	    a IPv4 mapped IPv6 address.

       ipv6-ext-hdr-frames
	    IPv6 extended header frames.

       ipv6-frag-flood
	    IPv6 fragment flood.

       ipv6-len-gt-l2-len
	    IPv6 length > L2 length.

       ipv6-other-frag
	    The total IPv6 fragments' size has exceeded the reassembly queue
	    or the maximum IP packet size.

       ipv6-overlap-frag
	    IPv6 overlapping fragments.

       ipv6-short-frag
	    IPv6 fragments whose payload size is less than the minimum IPv6
	    Fragment size. The minimum size is configurable via the db
	    variable tm.minipv6fragsize.

       ipv4-mapped-ipv6
	    IPv4 mapped IPv6 addresses.

       land-attack
	    Land Attack. IP Src Address equals IP Dst Address. Both V4 and V6
	    are counted.

       l2-len-ggt-ip-len
	    L2 length >> IP length. L2 packet length is much greater than
	    payload length in IPv4 (L2 length > IP length and L2 length >
	    minimum packet size).

       l4-ext-hdrs-go-end
	    No L4 (extended headers go to or past the end of frame).

       no-l4
	    No L4. No L4 payload for IPv4.

       opt-present-with-illegal-len
	    TCP Option present with illegal length.

       payload-len-ls-l2-len
	    Payload length < L2 length. Payload length in IPv6 header is less
	    than L3 part length in L2 packet.

       routing-header-type-0
	    Routing header type 0 present.

       sip-malformed
	    SIP malformed packet

       sip-invite-method
	    SIP INVITE method packet.

       sip-ack-method
	    SIP ACK method packet.

       sip-options-method
	    SIP OPTIONS method packet.

       sip-bye-method
	    SIP BYE method packet.

       sip-cancel-method
	    SIP CANCEL method packet.

       sip-register-method
	    SIP REGISTER method packet.

       sip-publish-method
	    SIP PUBLISH method packet.

       sip-notify-method
	    SIP NOTIFY method packet.

       sip-subscribe-method
	    SIP SUBSCRIBE method packet.

       sip-message-method
	    SIP MESSAGE method packet.

       sip-prack-method
	    SIP PRACK method packet.

       sip-uri-limit
	    Limit SIP URI length.

       sip-other-method
	    SIP OTHER method packet.

       sweep
	    A Sweep is an attack where a single endpoint initiates network
	    traffic to a large number of receiving endpoints or subnets.

       syn-and-fin-set
	    SYN && FIN set.

       tcp-ack-flood
	    TCP packets with the ACK flag set (for non-existing flows).

       tcp-bad-urg
	    TCP packets with the URG flag set but URG pointer is 0.

       tcp-hdr-len-gt-l2-len
	    TCP header length > L2 length. No room in packet for TCP header
	    (including options).

       tcp-hdr-len-too-short
	    TCP header length too short. The data offset field in the TCP
	    header is less than 5, i.e. the header is shorter than 20 bytes.

       tcp-opt-overruns-tcp-hdr
	    TCP option overruns TCP header.

       tcp-syn-flood
	    TCP header with only the SYN flag set.

       tcp-synack-flood
	    TCP header with only the SYN and ACK flags set.

       tcp-rst-flood
	    TCP header with only the RST flag set.

       tcp-psh-flood
	    TCP header with PUSH flag set.

       tcp-window-size
	    TCP non-RST packet whose window size is below the configured low
	    window size. This sys db tunable is configurable with
	    Dos.TcpLowWindowSize.

       tidcmp
	    ICMP source quench packets.

       too-many-ext-hdrs
	    Too many extended headers. The IPv6 extended headers are more than
	    4. This number can be set through db variable dos.maxipv6exthdrs.

       tcp-syn-oversize
	    TCP SYN carrying data with packet length > dos.maxsynsize, which
	    is 128 bytes by default.

       ttl-leq-one
	    IPv4 TTL less than or equal to the configured minimum, for IPv4
	    forwarding. This sys db tunable is configurable with tm.minipttl.

       unk-tcp-opt-type
	    Unknown TCP option type.

       udp-flood
	    UDP Flood. The UDP flood vector counts any UDP packet that either
	    matches the UDP port inclusion list or does not match the UDP port
	    exclusion list. Use "tmsh modify security dos udp-portlist" to
	    configure the UDP port list; see "help security dos udp-portlist"
	    for details on the port list and how to configure it.

       unk-ipopt-type
	    Unknown IP option type.
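
       The TCP-flag and TCP-option vectors above are defined by header
       conditions that can be checked directly against packet bytes. The
       following Python script is an added example, not BIG-IP code: it
       parses a raw TCP header and returns every vector from this list
       whose documented condition the header meets. The helper
       tcp_header(), the sample headers it builds, the decision to report
       all matching vectors, and the set of option kinds treated as
       "known" are constructed for the example; the page does not describe
       the real classifier's ordering or option table.

```python
"""
Classify a raw TCP header against the TCP-flag and TCP-option vector types
listed under VECTOR TYPES. Added example, not BIG-IP code.
"""
import struct
from typing import List, Optional

# Six classic TCP flag bits; the ECN bits above them are ignored (assumption).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
# Option kinds treated as known: EOL, NOP, MSS, window scale, SACK-permitted,
# SACK, timestamps. Assumed for the example; the page does not list them.
KNOWN_OPTIONS = {0, 1, 2, 3, 4, 5, 8}


def classify_options(opts: bytes) -> List[str]:
    """Walk the kind/length option list that follows the fixed 20-byte header."""
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):              # kind byte with no room for its length
            found.append("tcp-opt-overruns-tcp-hdr")
            break
        length = opts[i + 1]
        if length < 2:                      # cannot even cover kind + length
            found.append("opt-present-with-illegal-len")
            break
        if i + length > len(opts):          # option runs past the end of the header
            found.append("tcp-opt-overruns-tcp-hdr")
            break
        if kind not in KNOWN_OPTIONS:
            found.append("unk-tcp-opt-type")
        i += length
    return found


def classify_tcp(segment: bytes) -> List[str]:
    """Return the names of all vectors whose condition this TCP segment meets."""
    vectors = []
    if len(segment) < 20:
        return ["tcp-hdr-len-gt-l2-len"]    # not even the fixed header fits
    fields = struct.unpack("!HHIIHHHH", segment[:20])
    off_flags, urg_ptr = fields[4], fields[7]
    data_offset = off_flags >> 12           # header length in 32-bit words
    flags = off_flags & 0x3F
    hdr_len = data_offset * 4

    if data_offset < 5:
        vectors.append("tcp-hdr-len-too-short")
    elif hdr_len > len(segment):
        vectors.append("tcp-hdr-len-gt-l2-len")
    else:
        vectors += classify_options(segment[20:hdr_len])

    if flags == 0:
        vectors.append("bad-tcp-flags-all-clr")
    elif flags == ALL_FLAGS:
        vectors.append("bad-tcp-flags-all-set")
    else:
        if flags & SYN and flags & FIN:
            vectors.append("syn-and-fin-set")
        elif flags == FIN:
            vectors.append("fin-only-set")
        elif flags == SYN:
            vectors.append("tcp-syn-flood")
        elif flags == SYN | ACK:
            vectors.append("tcp-synack-flood")
        elif flags == RST:
            vectors.append("tcp-rst-flood")
        if flags & PSH:
            vectors.append("tcp-psh-flood")
        if flags & URG and urg_ptr == 0:    # URG set but urgent pointer is 0
            vectors.append("tcp-bad-urg")
    return vectors


def tcp_header(flags: int, options: bytes = b"", urg_ptr: int = 0,
               data_offset: Optional[int] = None) -> bytes:
    """Build a constructed sample header; ports and sequence numbers are placeholders."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    if data_offset is None:
        data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                        (data_offset << 12) | flags, 65535, 0, urg_ptr)
    return fixed + options


if __name__ == "__main__":
    samples = {                                     # constructed headers, not captured traffic
        "syn only": tcp_header(SYN),
        "syn+ack": tcp_header(SYN | ACK),
        "syn+fin": tcp_header(SYN | FIN),
        "no flags": tcp_header(0),
        "all flags": tcp_header(ALL_FLAGS),
        "urg, zero pointer": tcp_header(ACK | URG, urg_ptr=0),
        "mss option": tcp_header(SYN, b"\x02\x04\x05\xb4"),
        "option overrun": tcp_header(SYN, b"\x02\x08\x05\xb4"),
        "offset too short": tcp_header(SYN, data_offset=4),
    }
    for name, seg in samples.items():
        print("%-20s %s" % (name, classify_tcp(seg)))
```

       Run it directly to see the constructed headers classified; the
       bytes that follow the IP header in a captured segment can be passed
       to classify_tcp() in the same way.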

PARAMETERS
       default-internal-rate-limit
	    On platforms with hardware DoS support, this limit is programmed
	    into hardware to cap the rate at which traffic for this vector
	    reaches BIG-IP software. Without hardware DoS support, software
	    uses it to limit the otherwise valid (mostly flood) traffic
	    forwarded to the servers behind BIG-IP. Malformed (bad) packets
	    are always dropped regardless of this limit.

	    If the rate limit value is infinite, the rate limit is disabled.

       detection-threshold-percent
	    Specifies a relative threshold based on the dynamically learned
	    1-hour average rate. An attack is detected when the current rate
	    (1-minute average) exceeds the 1-hour average rate by the
	    specified percentage.

	    If the threshold value is infinite, this relative detection is
	    disabled.

       detection-threshold-pps
	    Specifies an absolute threshold in packets per second. An attack
	    is detected when the current rate (1-minute average) is equal to
	    or above the threshold value.

	    If the threshold value is infinite, this absolute detection is
	    disabled.

       packet-types
	    Specifies the packet types that are classified as Sweep or Flood
	    attacks. See the SYNTAX section for the list of accepted types.

       auto-threshold
	    Enables auto-threshold mode, in which the detection and
	    rate-limit thresholds for this vector are learned from traffic
	    history instead of using the manually configured values.

       simulate-auto-threshold
	    Enables or disables auto-threshold simulation: the system logs
	    when auto-threshold based detection or mitigation would have
	    triggered, without acting on it. Only valid in manual mode.

       floor
	    Sets a minimum value ("floor") for the detection-threshold-pps of
	    this vector. The range is from 0 (no floor) to infinite (no
	    detection).

       ceiling
	    Sets a maximum value ("ceiling") for the
	    default-internal-rate-limit of this vector. The range is from 0
	    to infinite.

       auto-blacklisting
	    Enables automatic blacklisting of offending source IPs.

       blacklist-detection-seconds
	    Duration in seconds for which a source IP must remain offending
	    before it is blacklisted.

       blacklist-duration
	    Duration in seconds for which a blacklisted IP is blocked.

       blacklist-category
	    IP Intelligence category to which the offending IP is added.

       bad-actor
	    Enables per-source-IP bad actor detection.

       per-source-ip-detection-pps
	    Bad actor detection rate (for a single source IP) for this
	    vector.

       per-source-ip-limit-pps
	    Bad actor allowed rate (for a single source IP) for this vector.
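
       The detection and rate-limit parameters above interact: floor can
       only raise the pps detection threshold, ceiling can only lower the
       rate limit, infinite disables either, enforce switches mitigation
       off while detection continues, and bad-actor adds a per-source view
       on top of the per-vector one. The following Python model is an
       added example, not BIG-IP code: it applies those documented rules to
       constructed 1-minute rates, a constructed 1-hour baseline and
       constructed per-source rates. VectorConfig, the sample rates and
       the source addresses are assumptions for the example; where the
       page does not say whether a comparison is inclusive
       (detection-threshold-percent), the inclusive form is assumed.

```python
"""
Model of the per-vector detection and mitigation decisions described under
PARAMETERS. Added example, not BIG-IP code.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

INFINITE = float("inf")   # tmsh "infinite": the threshold or limit is disabled


@dataclass
class VectorConfig:
    """Assumed container for one dos-device-vector entry's parameters."""
    detection_threshold_pps: float = INFINITE
    detection_threshold_percent: float = INFINITE
    default_internal_rate_limit: float = INFINITE
    floor: float = 0                # 0 = no floor, infinite = no detection
    ceiling: float = INFINITE       # cap on the internal rate limit
    enforce: bool = True
    bad_actor: bool = False
    per_source_ip_detection_pps: float = INFINITE
    per_source_ip_limit_pps: float = INFINITE


def effective_detection_pps(cfg: VectorConfig) -> float:
    """floor is a minimum on the pps detection threshold, so it can only raise it."""
    return max(cfg.detection_threshold_pps, cfg.floor)


def effective_rate_limit(cfg: VectorConfig) -> float:
    """ceiling is a maximum on the internal rate limit, so it can only lower it."""
    return min(cfg.default_internal_rate_limit, cfg.ceiling)


def attack_detected(cfg: VectorConfig, rate_1min: float, avg_1hour: float) -> Tuple[bool, str]:
    """Apply the absolute (pps) and relative (percent over 1-hour average) thresholds."""
    absolute = effective_detection_pps(cfg)
    if absolute != INFINITE and rate_1min >= absolute:
        return True, "absolute: %g pps >= %g pps" % (rate_1min, absolute)
    pct = cfg.detection_threshold_percent
    if pct != INFINITE and avg_1hour > 0:
        relative = avg_1hour * (1 + pct / 100.0)   # inclusive comparison assumed
        if rate_1min >= relative:
            return True, "relative: %g pps >= %g%% over 1-hour average %g pps" % (
                rate_1min, pct, avg_1hour)
    return False, "below thresholds"


def dropped_pps(cfg: VectorConfig, rate_1min: float) -> float:
    """Packets per second removed by the rate limit; none with enforce off or an infinite limit."""
    limit = effective_rate_limit(cfg)
    if not cfg.enforce or limit == INFINITE:
        return 0.0
    return max(0.0, rate_1min - limit)


def bad_actors(cfg: VectorConfig, per_source_pps: Dict[str, float]) -> Dict[str, Tuple[bool, float]]:
    """Per-source view: detected at/above per-source-ip-detection-pps, dropped above per-source-ip-limit-pps."""
    result = {}
    if not cfg.bad_actor:
        return result
    for ip, pps in per_source_pps.items():
        detected = cfg.per_source_ip_detection_pps != INFINITE and pps >= cfg.per_source_ip_detection_pps
        limit = cfg.per_source_ip_limit_pps
        dropped = 0.0 if (limit == INFINITE or not cfg.enforce) else max(0.0, pps - limit)
        result[ip] = (detected, dropped)
    return result


if __name__ == "__main__":
    # Constructed configuration for a single flood vector (values are illustrative).
    syn_flood = VectorConfig(detection_threshold_pps=10000, detection_threshold_percent=500,
                             default_internal_rate_limit=50000, floor=2000, ceiling=40000,
                             bad_actor=True, per_source_ip_detection_pps=1000,
                             per_source_ip_limit_pps=2000)
    baseline = 1000                                   # constructed 1-hour average, pps
    for rate in (5000, 8000, 12000, 55000):           # constructed 1-minute rates, pps
        print(rate, attack_detected(syn_flood, rate, baseline), "drop", dropped_pps(syn_flood, rate))
    # Constructed per-source rates (documentation addresses).
    print(bad_actors(syn_flood, {"198.51.100.7": 5000, "203.0.113.9": 800}))
```

       With these values the 8000 pps sample is caught only by the relative
       threshold (500% over a 1000 pps baseline is 6000 pps), the 12000 pps
       sample by the absolute one, and the ceiling pulls the effective rate
       limit down from 50000 to 40000 pps before any dropping is computed.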

SEE ALSO
       list, modify, security, security dos, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015. All rights
       reserved.



BIG-IP				  2016-10-03	 security dos device-config(1)