security dos profile
security dos profile(1) BIG-IP TMSH Manual security dos profile(1)
NAME
profile - Configures a DoS profile.
MODULE
security dos
SYNTAX
Configure the profile component within the security dos module using
the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
application [none | add | delete | modify | replace-all-with] {
name [string] {
options:
bot-defense {
collect-stats [enabled | disabled]
cross-domain-requests [allow-all | validate-bulk | validate-upon-request]
external-domains [none | add | delete | replace-all-with] { [string] ... }
grace-period [integer]
mode [always | disabled | during-attacks]
site-domains [none | add | delete | replace-all-with] { [string] ... }
url-whitelist [none | add | delete | replace-all-with] { [string] ... }
browser-legit-enabled [enabled | disabled]
browser-legit-captcha [enabled | disabled]
}
bot-signatures {
categories [none | add | delete | modify | replace-all-with] {
action {
[block | none | report]
}
}
check [enabled | disabled]
disabled-signatures [none | add | delete | modify | replace-all-with]
}
captcha-response {
failure {
body [string]
type [custom | default]
}
first {
body [string]
type [custom | default]
}
}
geolocations [none | add | delete | modify | replace-all-with] {
options:
[black-listed | white-listed]
}
heavy-urls {
automatic-detection [enabled | disabled]
exclude [none | add | delete | replace-all-with] { [string] ... }
include [none | add | delete | replace-all-with] { [string] ... }
include-list [none | add | delete | replace-all-with] { [string] { [integer] } ... }
latency-threshold [integer]
protection [enabled | disabled]
}
ip-whitelist [none | add | delete | modify | replace-all-with] {
[address ... | address/mask ... ]
}
stress-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
geo-maximum-auto-tps [integer]
geo-minimum-auto-tps [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
behavioral {
dos-detection [enabled | disabled]
slowdown-incoming-requests [enabled | disabled]
rate-limit-incoming-requests [enabled | disabled]
connection-limit-requests [enabled | disabled]
traffic-burst-protection [enabled | disabled]
mitigation-mode [enabled | disabled]
}
}
tcp-dump {
maximum-duration [integer]
maximum-size [integer]
record-traffic [enabled | disabled]
repetition-interval [[integer] | once-per-attack]
}
tps-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
}
trigger-irule [enabled | disabled]
single-page-application [enabled | disabled]
}
}
description [string]
dos-network [none | add | delete | modify | replace-all-with] {
name [string] {
options:
dynamic-signatures {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high]
scrubber-advertisement-period [integer]
scrubber-category [name]
scrubber-enable [yes | no]
}
network-attack-vector [none | add | delete | modify | replace-all-with] {
attack-type [ext-hdr-too-large | hop-cnt-low | host-unreachable |
icmpv4-flood | icmpv6-flood | icmp-frag | ip-frag-flood |
ip-opt-frames | ipv6-ext-hdr-frames | ipv6-frag-flood |
opt-present-with-illegal-len | sweep | tcp-half-open |
tcp-opt-overruns-tcp-hdr | tcp-psh-flood | tcp-rst-flood |
tcp-syn-flood | tcp-synack-flood | tcp-syn-oversize |
tcp-bad-urg | tcp-window-size | tidcmp | too-many-ext-hdrs |
udp-flood | unk-tcp-opt-type]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
rate-increase [integer]
rate-limit [integer]
rate-threshold [integer]
packet-types [suspicious | ipfrag | exthdr | tcp-syn-only |
tcp-synack | tcp-rst | host-unrch | tidcmp | icmp | udp-flood |
dns-query-a | dns-query-aaaa | dns-query-any | dns-query-axfr |
dns-query-cname | dns-query-ixfr | dns-query-mx | dns-query-ns |
dns-query-other | dns-query-ptr | dns-query-soa | dns-query-srv |
dns-query-src | dns-query-txt | sip-method-ack | sip-method-cancel |
sip-method-message | sip-method-options | sip-method-prack |
sip-method-register | sip-method-bye | sip-method-invite |
sip-method-notify | sip-method-other | sip-method-publish |
sip-method-subscribe]
}
}
}
protocol-dns [none | add | delete | modify | replace-all-with] {
name [string] {
options:
dns-query-vector [none | add | delete | modify | replace-all-with] {
query-type [a | aaaa | any | axfr | cname | ixfr | mx | ns |
other | ptr | soa | srv | txt ]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
rate-increase [integer]
rate-limit [integer]
rate-threshold [integer]
}
prot-err-attack-detection [integer]
prot-err-atck-rate-incr [integer]
}
}
protocol-sip [none | add | delete | modify | replace-all-with] {
name [string] {
options:
prot-err-atck-rate-increase [integer]
prot-err-atck-rate-threshold [integer]
prot-err-attack-detection [integer]
sip-method-vector [none | add | delete | modify | replace-all-with] {
method-type [ack | cancel | message | options | prack | register |
bye | invite | notify | other | publish | subscribe | uri-limit]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
rate-increase [integer]
rate-limit [integer]
rate-threshold [integer]
}
}
}
whitelist [enter addresses list name]
http-whitelist [enter addresses list name]
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete
a DoS profile for use with DoS Protection functionality.
EXAMPLES
create profile my_dos_profile
Creates a custom DoS profile named my_dos_profile with initial
settings.
list profile
Displays the properties of all DoS profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
application
Adds, deletes, or replaces a single Application Security sub-
profile. You can configure the following options for Application
Security:
bot-defense
Specifies properties of proactive bot defense in Application
Security. You can configure the following options for
Proactive Bot Defense:
collect-stats
Enables or disables domain statistics collection.
cross-domain-requests
Specifies a cross-domain requests handling mode. The
options are:
allow-all
Allows all cross-domain requests. This is the
default value.
validate-bulk
System validates domains in bulk: the cookies for
the related domains are created together with the
cookie for the current domain, by generating
challenges in iframes - one per each domain.
validate-upon-request
System validates domains upon request: the cookie
for the related domain is generated when a request
arrives to an unqualified URL without a cookie.
external-domains
Configures a list of external domains that are allowed
to link to resources of this website.
grace-period
Specifies the length of grace period (in seconds) in
which only the Simple Bot Prevention is enforced.
mode Specifies a mode of proactive bot defense. The options
are:
always
Specifies that the proactive bot defense is always
enabled.
disabled
Specifies that the proactive bot defense is
disabled. This is the default value.
during-attacks
Specifies that the proactive bot defense is enabled
only during attacks.
site-domains
Configures a list of domains that are part of the
website.
url-whitelist
Configures a list of URLs to exclude from the proactive
bot defense.
browser-legit-enabled
Enables or disables the proactive bot defense validation
of browser legitimacy and blocking of requests from
suspicious clients.
browser-legit-captcha
Enables or disables the browser legitimacy detection
improvement using CAPTCHA. In order to enable it, you
must first enable browser-legit-enabled.
bot-signatures
Specifies settings of Bot Signatures in Application Security.
You can configure the following options for Bot Signatures:
categories
Specifies the action for each Bot Signature Category.
You can configure the following options for each Bot
Signature Category:
action
Specifies the action for the Bot Signature
Category. The possible actions are none, block and
report.
check
Enables or disables Bot Signature checking, which allows bots
to be detected.
disabled-signatures
Configures a list of Bot Signatures that are disabled.
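The bot-defense and bot-signatures options above, as an added example that is not part of this manual page or of F5's own documentation. The commands are typed at the root (tmos)# prompt, so the security dos module path is spelled out; the profile name web_dos, the sub-profile name, the domains and the URLs are constructed.

```tmsh
# Added example (constructed names): proactive bot defense that is active
# only while an attack is detected, with a 300-second grace period in which
# only Simple Bot Prevention is enforced.
create security dos profile web_dos application add {
    web_dos {
        bot-defense {
            mode during-attacks
            grace-period 300
            cross-domain-requests validate-upon-request
            site-domains add { www.example.com api.example.com }
            external-domains add { partner.example.net }
            url-whitelist add { /healthz /static/app.js }
            # browser-legit-captcha requires browser-legit-enabled (see OPTIONS)
            browser-legit-enabled enabled
            browser-legit-captcha enabled
            collect-stats enabled
        }
        bot-signatures {
            check enabled
        }
    }
}

# Review only the values that differ from the defaults.
list security dos profile web_dos non-default-properties

# Removing one URL from the whitelist later uses the delete form of the list.
modify security dos profile web_dos application modify {
    web_dos {
        bot-defense {
            url-whitelist delete { /static/app.js }
        }
    }
}
```

Because mode during-attacks only acts while the profile reports an attack, and the tps-based and stress-based modes default to off, pair this setting with a tps-based or stress-based mode other than off; otherwise nothing in the profile ever declares an attack and the bot defense never engages.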
captcha-response
Specifies properties of the CAPTCHA response in Application
Security. You can configure the following options for CAPTCHA
Response Settings:
failure
Specifies properties of a failed CAPTCHA response. You
can configure the following options for a failed CAPTCHA
response:
body Configures a failed CAPTCHA response body.
type Configures a type of a failed CAPTCHA response
body. You can configure the following options for a
failed CAPTCHA response type:
custom
Configures a custom failed CAPTCHA response
type.
default
Configures a default failed CAPTCHA response
type.
first
Specifies properties of the first CAPTCHA response. You
can configure the following options for the first
CAPTCHA response:
body Configures the first CAPTCHA response body.
type Configures a type of the first CAPTCHA response
body. You can configure the following options for
the first CAPTCHA response type:
custom
Configures a custom first CAPTCHA response
type.
default
Configures a default first CAPTCHA response
type.
geolocations
Configures a list of blacklisted/whitelisted Geolocations.
You can configure the following options for each Geolocation:
[black-listed | white-listed]
Specifies a type of Geolocation.
heavy-urls
Specifies heavy URL protection in Application Security. You
can configure the following options for heavy URL protection:
automatic-detection
Enables or disables automatic heavy URL detection. In
order to enable it, you must first enable protection.
exclude
Configures a list of URLs (or wildcards) to exclude from
the heavy URLs.
include
(Deprecated, use include-list) Configures a list of URLs
to include in the heavy URLs.
include-list
Configures a list of URLs to include in the heavy URLs.
latency-threshold
Specifies the latency threshold for automatic heavy URL
detection (in milliseconds).
protection
(Deprecated, use stress/tps.url-enable-heavy) Enables or
disables heavy URL protection. To enable it, you must
additionally enable one of the following DoS URL-based
prevention policy methods: url-client-side-defense or
url-rate-limiting. This can be done for either tps-based
or stress-based anomaly protection.
ip-whitelist
Attribute ip-whitelist is deprecated in version 13.0.0;
consider using http-whitelist instead. Adds, deletes, or
replaces a set of IP addresses and subnets in the whitelist
of Application Security.
name Specifies a dummy name for enabled Application Security. This
option is required for the operations create, delete, modify,
and replace-all-with.
stress-based
Specifies Stress-based anomaly in Application Security. You
can configure the following options for Stress-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in
Stress-based anomaly.
escalation-period
Specifies the escalation period (in seconds) in Stress-
based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge
in Stress-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side
integrity defense in Stress-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in
Geolocation detection criteria of Stress-based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in
Stress-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of
Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the
respective Geolocation based on the traffic share
ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage by which TPS increased in
Geolocation detection criteria of Stress-based anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in
Stress-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side
integrity defense in Stress-based anomaly.
ip-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the IP detection criteria of Stress-based anomaly.
ip-minimum-tps
Specifies the minimum TPS threshold for detection in IP
detection criteria of Stress-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in
Stress-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of
Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the
respective Source IP address based on the traffic
share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage by which TPS increased in IP
detection criteria of Stress-based anomaly.
mode Specifies an operation mode of Stress-based anomaly. The
options are:
off Specifies that the system does not check for DoS
attacks. This is the default value.
transparent
Specifies that when the system detects an attack,
it displays the attack data on the Reporting DoS
Attacks screen. In transparent mode the system does
not drop requests either from the attacking IP
address, or to attacked URLs.
blocking
Specifies that when the system detects an attack,
in addition to displaying the attack data on the
Reporting DoS Attacks screen, the system also drops
either connections from the attacking IP address,
or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in
Stress-based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity
defense in Stress-based anomaly.
site-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the Site-wide detection criteria of Stress-based anomaly.
site-minimum-tps
Specifies the minimum TPS threshold for detection in
Site-wide detection criteria of Stress-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in Stress-
based anomaly.
site-tps-increase-rate
Specifies the percentage by which TPS increased in Site-
wide detection criteria of Stress-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in Stress-
based anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in
Stress-based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity
defense in Stress-based anomaly.
url-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the URL detection criteria of Stress-based anomaly.
url-minimum-tps
Specifies the minimum TPS threshold for detection in URL
detection criteria of Stress-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in Stress-
based anomaly.
url-tps-increase-rate
Specifies the percentage by which TPS increased in URL
detection criteria of Stress-based anomaly.
behavioral
Specifies properties of Behavioral Detection in Stress-
based anomaly. You can configure the following options
for Behavioral Detection:
dos-detection
Enables or disables the Behavior Based Detection.
slowdown-incoming-requests
Enables or disables the slowdown of incoming
requests from the detected suspicious clients. In
order to enable it, you must first enable dos-
detection and anomaly-detection.
rate-limit-incoming-requests
Enables or disables the rate limit of incoming
requests from the detected suspicious clients. In
order to enable it, you must first enable dos-
detection.
connection-limit-requests
Enables or disables the connection limit of
incoming requests from the detected suspicious
clients. In order to enable it, you must first
enable dos-detection.
traffic-burst-protection
Enables or disables the mitigation even before
detecting a severe server health, in proportion to
the detected server health. In order to enable it,
you must first enable dos-detection.
mitigation-mode
Enables or disables increasing the mitigation impact
according to the selected mitigation methods.
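The heavy-urls and stress-based options above, combined in one added example that is not from this manual page or from F5. It follows the deprecation notes in OPTIONS (url-enable-heavy instead of heavy-urls protection, include-list instead of include) and is typed at the root (tmos)# prompt. The profile name stress_dos, the URL and every threshold are constructed; the thresholds are not recommended values.

```tmsh
# Added example (constructed names and thresholds): stress-based anomaly
# detection with heavy-URL protection, started in transparent mode so the
# reported thresholds can be checked against real traffic before blocking.
create security dos profile stress_dos application add {
    stress_dos {
        heavy-urls {
            # automatic detection flags URLs whose latency exceeds 1000 ms
            automatic-detection enabled
            latency-threshold 1000
            exclude add { /static/app.js }
        }
        stress-based {
            mode transparent
            thresholds-mode manual
            escalation-period 120
            de-escalation-period 7200
            # heavy-URL mitigation needs url-enable-heavy plus one URL-based
            # prevention method (url-rate-limiting or url-client-side-defense)
            url-enable-heavy enabled
            url-minimum-tps 50
            url-maximum-tps 1000
            url-tps-increase-rate 500
            url-rate-limiting enabled
            ip-minimum-tps 40
            ip-maximum-tps 200
            ip-tps-increase-rate 500
            ip-request-blocking-mode rate-limit
            ip-client-side-defense enabled
            ip-rate-limiting enabled
            behavioral {
                dos-detection enabled
                rate-limit-incoming-requests enabled
            }
        }
    }
}

# Switch to blocking only once the transparent phase has produced no
# false positives in the Reporting DoS Attacks screen.
modify security dos profile stress_dos application modify {
    stress_dos { stress-based { mode blocking } }
}
```

The ip-request-blocking-mode rate-limit setting keeps a detected source at its traffic-share ratio instead of dropping everything from it, which is the lower-risk choice when a shared NAT address trips the per-IP criteria; block-all is the stricter option the page documents.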
tcp-dump
Specifies properties of traffic recording during attacks in
Application Security. You can configure the following options
for Record Traffic During Attacks:
maximum-duration
Specifies the TCP dump maximum duration (in seconds).
maximum-size
Specifies the TCP dump maximum size (in megabytes).
record-traffic
Enables or disables traffic recording during attacks.
repetition-interval
Specifies the TCP dump repetition interval (in seconds).
tps-based
Specifies TPS-based anomaly in Application Security. You can
configure the following options for TPS-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in TPS-
based anomaly.
escalation-period
Specifies the escalation period (in seconds) in TPS-
based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge
in TPS-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side
integrity defense in TPS-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in
Geolocation detection criteria of TPS-based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in
TPS-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of
TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the
respective Geolocation based on the traffic share
ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage by which TPS increased in
Geolocation detection criteria of TPS-based anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in
TPS-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side
integrity defense in TPS-based anomaly.
ip-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the IP detection criteria of TPS-based anomaly.
ip-minimum-tps
Specifies the minimum TPS threshold for detection in IP
detection criteria of TPS-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in
TPS-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of
TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the
respective Source IP address based on the traffic
share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage by which TPS increased in IP
detection criteria of TPS-based anomaly.
mode Specifies an operation mode of TPS-based anomaly. The
options are:
off Specifies that the system does not check for DoS
attacks. This is the default value.
transparent
Specifies that when the system detects an attack,
it displays the attack data on the Reporting DoS
Attacks screen. In transparent mode the system does
not drop requests either from the attacking IP
address, or to attacked URLs.
blocking
Specifies that when the system detects an attack,
in addition to displaying the attack data on the
Reporting DoS Attacks screen, the system also drops
either connections from the attacking IP address,
or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in TPS-
based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity
defense in TPS-based anomaly.
site-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the Site-wide detection criteria of TPS-based anomaly.
site-minimum-tps
Specifies the minimum TPS threshold for detection in
Site-wide detection criteria of TPS-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in TPS-based
anomaly.
site-tps-increase-rate
Specifies the percentage by which TPS increased in Site-
wide detection criteria of TPS-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in TPS-based
anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in TPS-
based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity
defense in TPS-based anomaly.
url-maximum-tps
Specifies the TPS level which, when reached, triggers detection
in the URL detection criteria of TPS-based anomaly.
url-minimum-tps
Specifies the minimum TPS threshold for detection in URL
detection criteria of TPS-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in TPS-based
anomaly.
url-tps-increase-rate
Specifies the percentage by which TPS increased in URL
detection criteria of TPS-based anomaly.
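The tcp-dump and tps-based options above, combined in one added example that is not from this manual page or from F5. It is typed at the root (tmos)# prompt; the profile name api_dos, the virtual server name vs_api and all thresholds are constructed, and the attachment to the virtual server assumes vs_api already exists.

```tmsh
# Added example (constructed names and thresholds): TPS-based detection in
# transparent mode, with traffic recording so that an attack leaves a
# capture for later analysis even while nothing is being dropped.
create security dos profile api_dos application add {
    api_dos {
        tps-based {
            mode transparent
            thresholds-mode manual
            escalation-period 120
            de-escalation-period 7200
            site-minimum-tps 2000
            site-maximum-tps 10000
            site-tps-increase-rate 500
            site-rate-limiting enabled
            ip-minimum-tps 40
            ip-maximum-tps 200
            ip-tps-increase-rate 500
            ip-request-blocking-mode rate-limit
            ip-rate-limiting enabled
            url-minimum-tps 50
            url-maximum-tps 1000
            url-tps-increase-rate 500
            url-rate-limiting enabled
        }
        tcp-dump {
            record-traffic enabled
            maximum-duration 300
            maximum-size 100
            repetition-interval once-per-attack
        }
        # raise the Application DoS iRule event so an iRule can log the attack
        trigger-irule enabled
    }
}

# Attach the profile to a virtual server (vs_api is assumed to exist).
modify ltm virtual vs_api profiles add { api_dos }

# Promote to blocking after the transparent phase has been reviewed.
modify security dos profile api_dos application modify {
    api_dos { tps-based { mode blocking } }
}

# Show every effective value, including defaults, for change review.
list security dos profile api_dos all-properties
```

With thresholds-mode manual the *-minimum-tps, *-maximum-tps and *-tps-increase-rate values drive detection; the *-minimum-auto-tps and *-maximum-auto-tps options listed in SYNTAX only bound the thresholds the system derives itself under thresholds-mode automatic.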
trigger-irule
Specifies, when enabled, that the system activates an
Application DoS iRule event. The default value is disabled.
single-page-application
Specifies, when enabled, that the system supports Single Page
Applications. The default value is disabled.
description
Specifies a user-defined description of the profile.
protocol-dns
Adds, deletes, or replaces a single Protocol DNS Security sub-
profile. You can configure the following options for Protocol DNS
Security:
name Specifies a dummy name for enabled Protocol DNS Security. This
option is required for the operations create, delete, modify,
and replace-all-with.
dns-query-vector
Adds, deletes, or replaces Protocol DNS DoS vectors. You can
configure the following options for DNS query vectors:
query-type
Specifies the vector (DNS query) type for DoS attack
detection.
enforce
Enables or disables the packet drop action of DoS detection
for this attack type.
bad-actor
Enables per-source-IP bad actor detection.
per-source-ip-detection-pps
Specifies the bad actor detection rate (in packets per
second, for a single IP address) of this vector.
per-source-ip-limit-pps
Specifies the bad actor allowed rate (in packets per second,
for a single IP address) of this vector.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection.
rate-threshold
Specifies the rate threshold for DoS attack detection.
prot-err-attack-detection
Specifies whether protocol error attack detection (for
example, of malformed or malicious DoS attacks) is enabled.
prot-err-atck-rate-incr
Specifies the protocol errors rate increase for DoS attack
detection.
protocol-sip
Adds, deletes, or replaces a single Protocol SIP Security sub-
profile. You can configure the following options for Protocol SIP
Security:
name Specifies a dummy name for enabled Protocol SIP Security. This
option is required for the operations create, delete, modify,
and replace-all-with.
prot-err-atck-rate-increase
Specifies the protocol errors rate increase for DoS attack
detection.
prot-err-atck-rate-threshold
Specifies the protocol errors rate threshold for DoS attack
detection.
prot-err-attack-detection
Specifies whether protocol error attack detection (for
example, of malformed packet DoS attacks) is enabled.
sip-method-vector
Adds, deletes, or replaces Protocol SIP DoS vectors. You can
configure the following options for SIP method vectors:
method-type
Specifies the vector type (SIP method) for DoS attack
detection.
enforce
Enables or disables the packet drop action of DoS detection
for this attack type.
bad-actor
Enables per-source-IP bad actor detection.
per-source-ip-detection-pps
Specifies the bad actor detection rate (in packets per
second, for a single IP address) of this vector.
per-source-ip-limit-pps
Specifies the bad actor allowed rate (in packets per second,
for a single IP address) of this vector.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection.
rate-threshold
Specifies the rate threshold for DoS attack detection.
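The protocol-dns and protocol-sip sub-profiles above share the same vector options, so one added example (not from this manual page or from F5) covers both. It is typed at the root (tmos)# prompt; the profile names dns_dos and sip_dos and all rates are constructed, and denial_of_service is assumed to be the name of a built-in ip-intelligence category on the system.

```tmsh
# Added example (constructed names and rates): DNS query vectors with bad
# actor detection and automatic blacklisting, plus one SIP method vector.
create security dos profile dns_dos protocol-dns add {
    dns_dos {
        dns-query-vector add {
            any {
                # aggregate detection: threshold in pps, or 500% increase
                rate-threshold 1000
                rate-increase 500
                rate-limit 3000
                enforce enabled
                # per-source detection; auto-blacklisting builds on bad-actor
                bad-actor enabled
                per-source-ip-detection-pps 100
                per-source-ip-limit-pps 200
                auto-blacklisting enabled
                blacklist-detection-seconds 60
                blacklist-duration 14400
                blacklist-category denial_of_service
            }
            axfr {
                # zone transfers are rare from the Internet; detect at a low rate
                rate-threshold 10
                rate-increase 500
                rate-limit 20
                enforce enabled
            }
        }
    }
}

create security dos profile sip_dos protocol-sip add {
    sip_dos {
        sip-method-vector add {
            invite {
                rate-threshold 500
                rate-increase 500
                rate-limit 1000
                enforce enabled
                bad-actor enabled
                per-source-ip-detection-pps 50
                per-source-ip-limit-pps 100
            }
        }
    }
}

# Confirm the per-vector values before the profile is attached anywhere.
list security dos profile dns_dos non-default-properties
```

Keeping enforce disabled on a vector turns it into a detection-only counter, which is the usual first step for a new vector: the rate-threshold and rate-increase reports show whether the values match legitimate traffic before the drop action is switched on.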
dos-network
Adds, deletes, or replaces a single Network DoS Security sub-
profile. You can configure the following options for Network
DoS Security:
name Specifies a dummy name for enabled Network DoS Security.
This option is required for the operations create,
delete, modify, and replace-all-with.
dynamic-signatures
Specifies options for the L4 Behavioral DoS (Dynamic
Signatures) feature, which applies per virtual server by
virtue of attaching a DoS profile to that virtual server.
The following options are configurable for this feature:
detection
Specifies the mode for detection of anomalies in
traffic for the purpose of dynamic signature
generation. Following modes are supported:
disabled, enabled and learn-only.
The learn-only mode is the same as enabled, except that the
system does not generate logs or alert the user. It is used
mainly to learn the baseline thresholds for the traffic.
The default is disabled.
mitigation
Specifies the mode for mitigation of anomalous
traffic (specified in form of dynamic signatures).
Following modes are supported: none, low, medium and
high.
Each mode represents the severity (or aggressiveness) with
which the system tries to mitigate the anomalous traffic.
The default is none.
scrubber-enable
Specifies the configuration mode for enabling or
disabling the feature to scrub the attack traffic
upon dynamic signature match. Default is no.
scrubber-category
Specifies the IP Intelligence category used for
scrubbing the attack traffic upon dynamic signature
match that constitutes destination IP address
component. Default category is attacked_ips.
scrubber-advertisement-period
Specifies the advertisement period for which the
attack traffic is scrubbed. Default is 300 seconds.
network-attack-vector
Adds, deletes, or replaces Network Attack DoS vectors.
You can configure the following options for Network
Attack vectors:
attack-type
Specifies the vector type (Network Attack) for DoS
attack detection.
enforce
Enables or disables the packet drop action of DoS
detection for this attack type.
rate-increase
Specifies the rate increase for DoS attack
detection.
rate-limit
Specifies the rate limit for DoS attack detection.
rate-threshold
Specifies the rate threshold for DoS attack
detection.
packet-types
Specifies the packet types for Sweep attack vector.
bad-actor
Enables per-source-IP bad actor detection.
per-source-ip-detection-pps
Specifies the bad actor detection rate (in packets per
second, for a single IP address) of this vector.
per-source-ip-limit-pps
Specifies the bad actor allowed rate (in packets per
second, for a single IP address) of this vector.
whitelist
Specifies the DoS source IP whitelist (an address list name).
http-whitelist
Specifies the IP addresses and subnets whitelist configuration
for Application Security (Overrides the global whitelist).
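The dos-network, dynamic-signatures and whitelist options above, combined in one added example that is not from this manual page or from F5. It is typed at the root (tmos)# prompt; the address list dos_allow and its addresses, the profile name net_dos and all rates are constructed, and denial_of_service is assumed to be a built-in ip-intelligence category name.

```tmsh
# Added example (constructed names and rates): a network DoS sub-profile
# that first learns a baseline with dynamic signatures, with a source IP
# whitelist for monitoring hosts that must never be rate limited.
create security firewall address-list dos_allow addresses add { 192.0.2.0/24 198.51.100.7 }

create security dos profile net_dos whitelist dos_allow dos-network add {
    net_dos {
        dynamic-signatures {
            # learn-only: learn thresholds without logs or alerts
            detection learn-only
            mitigation none
        }
        network-attack-vector add {
            tcp-syn-flood {
                rate-threshold 5000
                rate-increase 500
                rate-limit 20000
                enforce enabled
                bad-actor enabled
                per-source-ip-detection-pps 500
                per-source-ip-limit-pps 1000
                auto-blacklisting enabled
                blacklist-detection-seconds 30
                blacklist-duration 3600
                blacklist-category denial_of_service
            }
            icmpv4-flood {
                rate-threshold 2000
                rate-increase 500
                rate-limit 5000
                enforce enabled
            }
        }
    }
}

# After the learning period: enable detection, mitigate at the lowest
# severity, and scrub matched traffic via the attacked_ips category.
modify security dos profile net_dos dos-network modify {
    net_dos {
        dynamic-signatures {
            detection enabled
            mitigation low
            scrubber-enable yes
            scrubber-category attacked_ips
            scrubber-advertisement-period 300
        }
    }
}

list security dos profile net_dos non-default-properties
```

The whitelist is applied to the whole profile, so an address placed in dos_allow is exempt from every vector in net_dos; keep that list short and limited to hosts whose traffic pattern is known, since a whitelisted source that is later compromised bypasses the profile entirely.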
glob Displays the items that match the glob expression. See help
glob for a description of glob expression syntax.
name Specifies a unique name for the component. This option is
required for the commands create, delete, and modify.
partition
Displays the administrative partition within which the
component resides.
regex
Displays the items that match the regular expression. The
regular expression must be preceded by an at sign (@[regular
expression]) to indicate that the identifier is a regular
expression. See help regex for a description of regular
expression syntax.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security,
security dos, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015. All rights
reserved.
BIG-IP 2016-09-29 security dos profile(1)