security dos device-config
security dos device-config(1) BIG-IP TMSH Manual security dos device-config(1)
NAME
device-config - Configures the global network DoS profile.
MODULE
security dos
SYNTAX
Configure the global network DoS profile component within the security
dos module using the syntax shown in the following sections.
MODIFY
modify device-config dos-device-config
options:
auto-threshold-sensitivity [field deprecated since 13.0.0]
ip-uncommon-protolist [string]
threshold-sensitivity [low | medium | high]
custom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
options:
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
state [disabled | learn-only | detect-only | mitigate]
threshold-mode [fully-automatic | manual | manual-multiplier-mitigation | stress-based-mitigation]
}
}
dos-device-vector {
[vector type] {
allow-advertisement [disabled | enabled ]
allow-upstream-scrubbing [disabled | enabled ]
attacked-dst [disabled | enabled]
auto-blacklisting [enabled | disabled]
auto-scrubbing [disabled | enabled ]
auto-threshold [disabled | enabled ]
bad-actor [disabled | enabled]
blacklist-category [enter name of ip-intelligence category]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
ceiling [integer | infinite]
default-internal-rate-limit [integer | infinite]
detection-threshold-percent [integer | infinite]
detection-threshold-pps [integer | infinite]
enforce [enabled | disabled] [field deprecated since 13.1.0]
floor [integer]
multiplier_mitigation_percentage [integer]
packet-types [add | delete | replace-all-with] {
[atomic-frag | bad-packet | dns-a-query | dns-aaaa-query |
dns-any-query | dns-axfr-query | dns-cname-query | dns-ixfr-query |
dns-mx-query | dns-ns-query | dns-other-query | dns-oversize |
dns-ptr-query | dns-response-flood | dns-soa-query | dns-srv-query |
dns-txt-query | exthdr | host-unrch | igmp | ip-overlap-frag |
ipfrag | ipv4-all | ipv4-any-other | ipv4-icmp | ipv6-all |
ipv6-any-other | ipv6-icmp | no-l4 | rthdr0 | sip-ack-method |
sip-bye-method | sip-cancel-method | sip-invite-method |
sip-malformed | sip-message-method | sip-notify-method |
sip-options-method | sip-other-method | sip-prack-method |
sip-publish-method | sip-register-method | sip-subscribe-method | sip-uri-limit |
suspicious | tcp-bad-ack | tcp-psh-flood | tcp-rst | tcp-syn-only |
tcp-synack | tcp-winsize | tidcmp | udp]
packet-types none
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
scrubbing-category [ enter name of scrubbing category | "none" ]
scrubbing-detection-seconds [ integer ]
scrubbing-duration [ integer ]
simulate-auto-threshold [enable | disable]
state [disabled | learn-only | detect-only | mitigate]
suspicious [ false | true ]
threshold-mode [manual | stress-based-mitigation | fully-automatic | manual-multiplier-mitigation]
valid-domains [add | delete | replace-all-with] {
[domain names] ...
}
valid-domains none
}
}
dynamic-signatures {
detection [disabled | enabled | learn-only] [field deprecated since 13.1.0]
mitigation [none | low | medium | high] [field deprecated since 13.1.0]
scrubber-advertisement-period [integer] [field deprecated since 13.1.0]
scrubber-category [name] [field deprecated since 13.1.0]
scrubber-enable [yes | no] [field deprecated since 13.1.0]
network {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
scrubber-advertisement-period [integer]
scrubber-category [name]
scrubber-enable [yes | no]
}
dns {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
}
}
dns-dos-mitigation-percentage [integer]
network-dos-mitigation-percentage [integer]
sip-dos-mitigation-percentage [integer]
log-publisher [name]
reset-stats device-config dos-device-config
options:
dns-nxdomain-stat
DISPLAY
list device-config dos-device-config
show running-config device-config dos-device-config
options:
all-properties
non-default-properties
one-line
show device-config dos-device-config
options:
dns-nxdomain-stat
field-fmt
query-valid-domain [domain-name]
RUN
run device-config
options:
auto-threshold-relearn
dns-nxdomain-relearn
dynamic-signatures-history-relearn
DESCRIPTION
This component is used to modify or display the global device DoS
profile and statistics for use with network DoS Protection
functionality.
EXAMPLES
modify device-config ...
Modifies the global DoS profile settings.
list device-config
Displays all the properties of the device DoS profile.
run device-config dos-device-config auto-threshold-relearn
Clears the auto-threshold history for all the device auto-threshold
vectors.
run device-config dos-device-config dns-nxdomain-relearn
Clears the dns-nxdomain history for all the device dns-nxdomain
vectors.
run device-config dos-device-config dynamic-signatures-history-relearn
Clears the dynamic-signatures history for all the device dynamic-
signatures vectors.
show device-config dos-device-config dns-nxdomain-stat
Displays the dns-nxdomain statistics for the device.
reset-stats device-config dos-device-config dns-nxdomain-stat
Resets the dns-nxdomain statistics for the device.
OPTIONS
auto-threshold-sensitivity
This option is deprecated in version 13.0.0.
dos-device-vector
Configures attack detection thresholds and rate limit parameters
for network DoS vectors.
log-publisher
Specifies the name of the log publisher which logs translation
events. See help sys log-config for more details on the logging
sub-system.
ip-uncommon-protolist
Specifies the name of an IP uncommon protocol list component. The
default is /Common/ip-uncommon-protolist. This is a read-only
field.
threshold-sensitivity
Specifies the guidance on how aggressively (how much to pad) to
adjust the "Detection/Rate-limit Threshold". Available settings
are low, medium and high. This setting is used for Autodos and
Behavioral DoS features. Default is set to medium.
network-dos-mitigation-percentage
Specifies the mitigation multiplier value, in percent, applied to all
device network dos vectors in manual-multiplier-mitigation mode.
dns-dos-mitigation-percentage
Specifies the mitigation multiplier value, in percent, applied to all
device dns dos vectors in manual-multiplier-mitigation mode.
sip-dos-mitigation-percentage
Specifies the mitigation multiplier value, in percent, applied to all
device sip dos vectors in manual-multiplier-mitigation mode.
dynamic-signatures
Specifies options related to L4-L7 Behavioral DoS (Dynamic
Signatures) feature that is applicable at the global/device level.
These settings are used to learn the characteristic of the traffic
at the device level (across all domains and virtual servers) and
generate dynamic signatures as applicable to detect and mitigate
anomalous traffic.
The following options are configurable for this feature at the
global/device level:
network
detection
Specifies the mode for detection of anomalies in traffic
for the purpose of dynamic signature generation.
The following modes are supported: disabled, enabled and
learn-only.
The learn-only mode is the same as enabled except that the
system does not generate any logs (or alert the user).
It is used mainly to learn the baseline thresholds for
the traffic.
Default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic
(described in the form of dynamic signatures). The following
modes are supported: none, low, medium and high.
Each mode represents the severity (or aggressiveness) with
which the system should try to mitigate the anomalous
traffic.
Default is none.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value, in percent, of this
specific dos signature when using
manual-multiplier-mitigation mode. The default value is
inherited from the corresponding device-level/profile
mitigation multiplier value of the same dos family.
scrubber-enable
Specifies the configuration mode for enabling or
disabling scrubbing of the attack traffic upon a
dynamic signature match. Default is no.
scrubber-category
Specifies the IP Intelligence category used for
scrubbing the attack traffic upon a dynamic signature
match; the category is keyed on the destination IP address
component of the signature. Default category is attacked_ips.
scrubber-advertisement-period
Specifies the advertisement period for which the attack
traffic is scrubbed. Default is 300 seconds.
dns
detection
Specifies the mode for detection of anomalies in traffic
for the purpose of dynamic signature generation.
The following modes are supported: disabled, enabled and
learn-only.
The learn-only mode is the same as enabled except that the
system does not generate any logs (or alert the user).
It is used mainly to learn the baseline thresholds for
the traffic.
Default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic
(described in the form of dynamic signatures). The following
modes are supported: none, low, medium and high.
Each mode represents the severity (or aggressiveness) with
which the system should try to mitigate the anomalous
traffic.
Default is none.
custom-signatures
Specifies options related to L4 Behavioral DoS Signatures feature
that is applicable at the global/device level. Signatures can be
added to a dos-profile and the signature criteria will be used for
detection and mitigation of anomalous traffic.
The following options are configurable for each signature added:
threshold-mode
Specifies the mode for setting the rate limit thresholds to
be used for the matching traffic. The following modes are
supported: manual, fully-automatic,
manual-multiplier-mitigation and stress-based-mitigation.
Default is manual.
state
Specifies the operational state of the attached signature.
The states supported are: disabled, learn-only, detect-only
and mitigate. Default is disabled.
manual-detection-threshold
Specifies the manual detection threshold for a custom signature.
It is applicable only if threshold-mode is set to either
manual or stress-based-mitigation.
Default is infinite.
manual-mitigation-threshold
Specifies the manual mitigation threshold for a custom signature.
It is applicable only if threshold-mode is set to either
manual or stress-based-mitigation.
Default is infinite.
VECTOR TYPES
arp-flood
ARP Flood.
bad-ext-hdr-order
IPv6 extension headers in packet are out of order.
bad-icmp-chksum
Bad ICMP checksum.
bad-icmp-frame
Bad ICMP frames. To see the various reasons why ICMP frames are
classified as bad, please refer to the written documentation.
bad-igmp-frame
Bad IGMP frames. To see the various reasons why IGMP frames are
classified as bad, please refer to the written documentation.
bad-ip-opt
IPv4 option with illegal length.
bad-ipv6-hop-cnt
Bad IPv6 hop count. Terminated packet (cnt==0). Dropped when the
rate hits rate limit.
bad-ipv6-ver
Bad IPv6 version. IP Version in the IPV6 packet is not 6.
bad-sctp-chksum
Bad SCTP Checksum type.
bad-tcp-chksum
Bad TCP checksum.
bad-tcp-flags-all-clr
Bad TCP flags (all TCP header flags cleared).
bad-tcp-flags-all-set
Bad TCP flags (all flags set).
bad-ttl-val
Bad IP TTL value (TTL == 0 for IPv4).
bad-udp-chksum
Bad UDP checksum.
bad-udp-hdr
Bad UDP header. To see the various reasons why UDP headers are
classified as bad, please refer to the written documentation.
bad-ver
Bad IP version 4. IPv4 version in IP header is not 4.
dns-a-query
DNS A query packet.
dns-aaaa-query
DNS AAAA query packet.
dns-any-query
DNS any query packet.
dns-axfr-query
DNS AXFR query packet.
dns-cname-query
DNS CNAME query packet.
dns-ixfr-query
DNS IXFR query packet.
dns-malformed
DNS Malformed packet.
dns-mx-query
DNS MX query packet.
dns-ns-query
DNS NS query packet.
dns-nxdomain-query
DNS NXDOMAIN query packet.
dns-other-query
DNS OTHER query packet.
dns-oversize
DNS packet with size greater than the maximum set by the sys db
tunable Dos.MaxDNSframeSize.
dns-ptr-query
DNS PTR query packet.
dns-qdcount-limit
DNS QDCOUNT LIMIT query packet.
dns-response-flood
DNS RESPONSE FLOOD query packet.
dns-soa-query
DNS SOA query packet.
dns-txt-query
DNS TXT query packet.
dns-srv-query
DNS SRV query packet.
dup-ext-hdr
Duplicate IPv6 extension headers.
ether-brdcst-pkt
Ethernet broadcast packet.
ether-mac-sa-eq-da
Ethernet MAC SA == DA.
ether-multicast-pkt
Ethernet multicast packet.
ext-hdr-too-large
IPv6 extension header size too large. The max IPV6 extension
header size is configurable via the sys db variable
dos.maxipv6extsize.
fin-only-set
TCP header with only the FIN flag set.
flood
A Flood is an attack where multiple (typically many) endpoints
initiate network traffic to a single subnet or receiving endpoint.
hdr-len-gt-l2-len
Header length > L2 length. No room in L2 packet for IPv4 header
(including options).
hdr-len-too-short
Header length too short. IPv4 header length in IP header is less
than 20 bytes.
hop-cnt-leq-one
IPv6 hop count <= the value of the sys db variable
tm.minipv6hopcnt, and the packet needs to be forwarded.
host-unreachable
ICMP packets of type "Host Unreachable".
icmp-frag-flood
ICMP fragments flood.
icmp-frame-too-large
Packets larger than the maximum ICMP frame size. The max ICMP
frame size is configurable via the sys db variable
dos.maxicmpframesize.
icmpv4-flood
ICMPv4 Flood.
icmpv6-flood
ICMPv6 Flood.
igmp-flood
IGMP Flood.
igmp-frag-flood
IGMP Fragment Flood.
ip-bad-src
IP addr is a broadcast or multicast address.
ip-err-chksum
IP error checksum. IPv4 header checksum error.
ip-frag-flood
IPv4 fragment flood.
ip-len-gt-l2-len
IP length > L2 length. Total length in IPv4 header is greater than
the L3 part length in L2 packet.
ip-overlap-frag
IPv4 overlapping fragments.
ip-short-frag
IPv4 fragments whose payload size is less than the minimum IPv4
Fragment size. The minimum size is configurable via the db
variable tm.minipfragsize.
ip-unk-prot
IP Unknown Protocol type.
ip-opt-frames
IP option frames. IPv4 packets with options. db variable
tm.acceptipoptions must be enabled to receive IP options.
ip-other-frag
The total IPv4 fragments' size has exceeded the reassembly queue
or the maximum IP packet size.
ipv6-atomic-frag
IPv6 frame with frag extension hdr, but the MF and offset fields
are both 0.
ipv6-bad-src
IPv6 src address is a multicast address or IPv6 src or destination
address is a IPv4 mapped IPv6 address.
ipv6-ext-hdr-frames
IPv6 extended header frames.
ipv6-frag-flood
IPv6 fragment flood.
ipv6-len-gt-l2-len
IPv6 length > L2 length.
ipv6-other-frag
The total IPv6 fragments' size has exceeded the reassembly queue
or the maximum IP packet size.
ipv6-overlap-frag
IPv6 overlapping fragments.
ipv6-short-frag
IPv6 fragments whose payload size is less than the minimum IPv6
Fragment size. The minimum size is configurable via the db
variable tm.minipv6fragsize.
ipv4-mapped-ipv6
IPv4 mapped IPv6 addresses.
land-attack
Land Attack. IP Src Address equals IP Dst Address. Both V4 and V6
are counted.
l2-len-ggt-ip-len
L2 length >> IP length. L2 packet length is much greater than
payload length in IPv4 (L2 length > IP length and L2 length >
minimum packet size).
l4-ext-hdrs-go-end
No L4 (extended headers go to or past the end of frame).
no-l4
No L4. No L4 payload for IPv4.
opt-present-with-illegal-len
TCP Option present with illegal length.
payload-len-ls-l2-len
Payload length < L2 length. Payload length in IPv6 header is less
than L3 part length in L2 packet.
routing-header-type-0
Routing header type 0 present.
sip-malformed
SIP malformed packet.
sip-invite-method
SIP INVITE method packet.
sip-ack-method
SIP ACK method packet.
sip-options-method
SIP OPTIONS method packet.
sip-bye-method
SIP BYE method packet.
sip-cancel-method
SIP CANCEL method packet.
sip-register-method
SIP REGISTER method packet.
sip-publish-method
SIP PUBLISH method packet.
sip-notify-method
SIP NOTIFY method packet.
sip-subscribe-method
SIP SUBSCRIBE method packet.
sip-message-method
SIP MESSAGE method packet.
sip-prack-method
SIP PRACK method packet.
sip-uri-limit
Limit SIP URI length.
sip-other-method
SIP OTHER method packet.
sweep
A Sweep is an attack where a single endpoint initiates network
traffic to a large number of receiving endpoints or subnets.
syn-and-fin-set
SYN && FIN set.
tcp-ack-flood
TCP packets with the ACK flag set (for non-existing flows).
tcp-bad-urg
TCP packets with the URG flag set but URG pointer is 0.
tcp-hdr-len-gt-l2-len
TCP header length > L2 length. No room in packet for TCP header
(including options).
tcp-hdr-len-too-short
TCP header length too short (data offset < 5). The data offset
field in the TCP header indicates a header shorter than 20 bytes.
tcp-opt-overruns-tcp-hdr
TCP option overruns TCP header.
tcp-syn-flood
TCP header with only the SYN flag set.
tcp-synack-flood
TCP header with only the SYN and ACK flags set.
tcp-rst-flood
TCP header with only the RST flag set.
tcp-psh-flood
TCP header with PUSH flag set.
tcp-window-size
TCP non-RST packet with window size below the value of the sys db
tunable Dos.TcpLowWindowSize.
tidcmp
ICMP source quench packets.
too-many-ext-hdrs
Too many extended headers. The IPv6 extended headers are more than
4. This number can be set through db variable dos.maxipv6exthdrs.
tcp-syn-oversize
TCP data-SYN with pktlength > dos.maxsynsize which is 128 bytes by
default.
ttl-leq-one
TTL <= the value of the sys db tunable tm.minipttl, for IPv4
forwarding.
unk-tcp-opt-type
Unknown TCP option type.
udp-flood
UDP Flood. The UDP flood vector counts any UDP packets that either
match the UDP Port InclusionList or do not match the UDP Port
ExclusionList. "tmsh modify security dos udp-portlist" can be
used to configure the udp port list. For more info about the udp
portlist and how to configure it, use "help security dos
udp-portlist".
unk-ipopt-type
Unknown IP option type.
ip-uncommon-proto
The ip-uncommon-proto vector counts packets whose protocol is
listed in the configured ip-uncommon-protolist.
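Many of the vectors above are defined by a concrete header condition (version not 4, header length below 20 bytes, TTL of 0, source equal to destination, all TCP flags set or clear, URG set with a zero pointer, an option whose length overruns the header, and so on). The following Python is an added illustration, not BIG-IP code, of how such a frame-level classifier maps a raw IPv4/TCP frame onto the vector names in this section; the sample frames are constructed inline by build_ipv4_tcp (a hypothetical helper), and the 128-byte SYN size limit is the dos.maxsynsize default quoted above.

```python
import socket
import struct
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_SYN_SIZE = 128  # dos.maxsynsize default, as stated in the tcp-syn-oversize entry


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when the checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, flags: int, ttl: int = 64, urg_ptr: int = 0,
                   options: bytes = b"", payload: bytes = b"",
                   corrupt_ip_checksum: bool = False) -> bytes:
    """Constructed IPv4+TCP frame (no Ethernet header) used only as sample input."""
    opts = options + b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    data_offset = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | flags,
                      65535, 0, urg_ptr) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(ip)
    if corrupt_ip_checksum:
        csum ^= 0x0001                                        # flip one bit -> verification fails
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


def _check_tcp_options(opts: bytes) -> List[str]:
    """Walk TCP options: kind 0 ends the list, kind 1 is NOP, others carry a length byte."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            return ["tcp-opt-overruns-tcp-hdr"]
        length = opts[i + 1]
        if length < 2:
            return ["opt-present-with-illegal-len"]
        if i + length > len(opts):
            return ["tcp-opt-overruns-tcp-hdr"]
        i += length
    return []


def classify(frame: bytes) -> List[str]:
    """Return every VECTOR TYPES name whose stated condition the frame matches."""
    hits: List[str] = []
    if len(frame) < 20:
        return ["hdr-len-gt-l2-len"]                          # no room for an IPv4 header at all
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        hits.append("bad-ver")
    if ihl < 20:
        hits.append("hdr-len-too-short")
    elif ihl > len(frame):
        hits.append("hdr-len-gt-l2-len")
    elif ipv4_checksum(frame[:ihl]) != 0:
        hits.append("ip-err-chksum")
    if ttl == 0:
        hits.append("bad-ttl-val")
    if total_len > len(frame):
        hits.append("ip-len-gt-l2-len")
    if src == dst:
        hits.append("land-attack")
    if src[0] >= 224:                                         # multicast 224/4 or 255.255.255.255
        hits.append("ip-bad-src")
    if ihl < 20 or ihl > len(frame):
        return hits                                           # header unusable, stop here
    if len(frame) <= ihl:
        hits.append("no-l4")
        return hits
    if proto != 6:
        return hits                                           # only TCP vectors modelled below
    tcp = frame[ihl:]
    if len(tcp) < 20:
        hits.append("tcp-hdr-len-gt-l2-len")
        return hits
    _sp, _dp, _seq, _ack, off_flags, _win, _tcsum, urg_ptr = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if data_offset < 20:
        hits.append("tcp-hdr-len-too-short")
    elif data_offset > len(tcp):
        hits.append("tcp-hdr-len-gt-l2-len")
    else:
        hits.extend(_check_tcp_options(tcp[20:data_offset]))
    if flags == 0:
        hits.append("bad-tcp-flags-all-clr")
    elif flags == 0x3F:
        hits.append("bad-tcp-flags-all-set")
    if flags & SYN and flags & FIN:
        hits.append("syn-and-fin-set")
    if flags == FIN:
        hits.append("fin-only-set")
    if flags == SYN:
        hits.append("tcp-syn-flood")
    if flags == SYN | ACK:
        hits.append("tcp-synack-flood")
    if flags == RST:
        hits.append("tcp-rst-flood")
    if flags & PSH:
        hits.append("tcp-psh-flood")
    if flags & URG and urg_ptr == 0:
        hits.append("tcp-bad-urg")
    if flags & SYN and len(frame) > MAX_SYN_SIZE:
        hits.append("tcp-syn-oversize")
    return hits
```

Each frame is reported against every vector it matches, which mirrors the page's remark that bad packets are always dropped regardless of the flood thresholds: a SYN whose source equals its destination counts for both land-attack and tcp-syn-flood.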
PARAMETERS
allow-advertisement
Enables allow advertisement. The default is disabled.
allow-upstream-scrubbing
Enables allow upstream scrubbing. The default value is disabled.
attacked-dst
Enables attacked-destination. The default value is disabled.
auto-blacklisting
Enables automatic blacklisting of offending source IPs. The
default value is disabled.
auto-scrubbing
Enables specifying destination IP scrubbing. The default value is
disabled.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by
threshold-mode. Enables the auto threshold mode for dos
detection and dos mitigation. The default value is disabled.
bad-actor
Enables per-source IP based bad actor detection. The default value
is disabled.
blacklist-category
Blacklist category (of IP intelligence) to which this IP should be
added. The default value is none.
blacklist-detection-seconds
Duration in seconds for which the IP has been offending. The
default value is 60.
blacklist-duration
Duration in seconds for which this IP should be blocked. The
default value is 14400.
ceiling
Option to set a maximum value ("ceiling") for the
default-internal-rate-limit for this vector. The range is from 0 to
infinity.
default-internal-rate-limit
This parameter is programmed in hardware to limit the traffic sent
to the BIG-IP software. If hardware DoS support is not present, the
software uses default-internal-rate-limit to limit the good
traffic (most of it flood traffic) to external servers. Bad packets
are always dropped.
If the rate limit value is infinite, the rate limit is disabled.
The default value is 100000.
detection-threshold-percent
This parameter specifies a relative threshold that uses the
dynamically learned 1-hour average rate to detect attacks. If the
current rate (1-minute average) exceeds the 1-hour average rate by
the specified percent, an attack is detected.
If the threshold value is infinite, detection is disabled. The
default value is 500.
detection-threshold-pps
This parameter specifies an absolute threshold value. If the current
rate (1-minute average) is equal to or above the threshold value,
an attack is detected.
If the threshold value is infinite, detection is disabled. The
default value is 100000.
enforce
This option is deprecated in version 13.1.0 and is replaced by
state. Enables or disables the packet drop action of DoS detection
for this attack type.
floor
Option to set a minimum value ("floor") for the
detection-threshold-pps for this vector. The range is from 0 (no
floor) to infinity (no detection). The default value is 5000.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value, in percent, of this
specific vector when using manual-multiplier-mitigation mode. The
default value is inherited from the network dos profile.
packet-types
This parameter specifies the types of packets that will be
classified as Sweep/Flood attacks. Several packet types can be
specified. The default value is none.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per destination IP.
The default value is infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per destination
IP. The default value is infinite.
per-source-ip-detection-pps
Specifies the attack detection threshold (pps) per source IP. The
default value is infinite.
per-source-ip-limit-pps
Specifies the attack mitigation threshold (pps) per source IP. The
default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default value is none.
scrubbing-detection-seconds
Specifies the duration in seconds for which the destination IP has
been under attack. The default value is 10.
scrubbing-duration
Specifies the duration in seconds for which this IP should be
scrubbed. The default value is 900.
simulate-auto-threshold
Option to enable/disable auto-threshold simulation by generating
logs if auto-threshold based detection/mitigation would have
kicked in. Only valid in manual mode. The default value is
disabled.
state
Specifies the run-time state of this vector. The default value
is mitigate.
The options are:
disabled
Do not learn, do not collect stats.
learn-only
Learn/collect stats, but do not "detect" ("alarm" in
ASM-speak) any attacks.
detect-only
Learn/collect stats/detect, but do not mitigate
(rate-limit/drop, challenge, etc.) any attacks.
mitigate
Learn/collect stats/detect/mitigate (using whichever
mitigations are configured).
suspicious
Specifies if the vector considers all packets or only unsolicited
packets. The default value is false.
threshold-mode
Selects the threshold mode for DoS detection and DoS mitigation.
The default value is manual.
The options are:
manual
Both thresholds are set manually.
stress-based-mitigation
The detection ("alarm") threshold is set manually, but the
mitigation threshold is stress-based.
fully-automatic
Both the detection ("alarm") and mitigation thresholds are
computed automatically.
manual-multiplier-mitigation
The detection ("alarm") threshold is computed automatically.
The mitigation threshold is the detection threshold multiplied
by multiplier-mitigation-percentage.
valid-domains
Adds, deletes, modifies, or replaces a set of valid fully
qualified domain names (FQDNs).
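The PARAMETERS above describe how a vector's thresholds interact: floor raises detection-threshold-pps, ceiling caps default-internal-rate-limit, "infinite" disables whichever threshold it is set on, detection fires on either the absolute pps value or the percentage rise over the learned 1-hour average, manual-multiplier-mitigation derives the mitigation threshold from the detection threshold and multiplier-mitigation-percentage, and state decides whether anything is actually alarmed or rate-limited. The Python below is an added model of those rules for a single dos-device-vector; it is not BIG-IP code. The class and method names are assumptions, the inherited device-level multiplier of 200 is a constructed sample value (the page gives no default), and in manual-multiplier-mitigation mode the automatically computed detection threshold is approximated by the configured detection-threshold-pps, since the page does not describe how that value is derived.

```python
from dataclasses import dataclass
from typing import Optional

INFINITE = float("inf")  # tmsh "infinite": disables the threshold it is set on


def parse_threshold(value) -> float:
    """Accept the tmsh spellings: an integer or the word 'infinite'."""
    if isinstance(value, str) and value.strip().lower() == "infinite":
        return INFINITE
    return float(value)


@dataclass
class DeviceVector:
    """One dos-device-vector with the page's documented defaults."""
    name: str
    state: str = "mitigate"              # disabled | learn-only | detect-only | mitigate
    threshold_mode: str = "manual"       # manual | manual-multiplier-mitigation (others not modelled)
    detection_threshold_pps: object = 100000
    detection_threshold_percent: object = 500
    floor: object = 5000
    default_internal_rate_limit: object = 100000
    ceiling: object = "infinite"
    multiplier_mitigation_percentage: Optional[int] = None   # None -> inherit from device level
    network_dos_mitigation_percentage: int = 200             # constructed sample of the inherited value

    def effective_detection_pps(self) -> float:
        """floor is a minimum for detection-threshold-pps; infinite means no detection."""
        return max(parse_threshold(self.detection_threshold_pps), parse_threshold(self.floor))

    def effective_rate_limit(self) -> float:
        """Mitigation threshold: the rate limit, or detection x multiplier, capped by ceiling."""
        limit = parse_threshold(self.default_internal_rate_limit)
        if self.threshold_mode == "manual-multiplier-mitigation":
            pct = self.multiplier_mitigation_percentage
            if pct is None:
                pct = self.network_dos_mitigation_percentage  # inherited from the device level
            limit = self.effective_detection_pps() * pct / 100.0
        return min(limit, parse_threshold(self.ceiling))

    def detected(self, rate_1min: float, rate_1hour: float) -> bool:
        """Attack if the 1-minute rate reaches the absolute pps threshold, or exceeds
        the learned 1-hour average by detection-threshold-percent."""
        pps = self.effective_detection_pps()
        pct = parse_threshold(self.detection_threshold_percent)
        if pps != INFINITE and rate_1min >= pps:
            return True
        if pct != INFINITE and rate_1hour > 0 and rate_1min > rate_1hour * (1 + pct / 100.0):
            return True
        return False

    def evaluate(self, rate_1min: float, rate_1hour: float) -> str:
        """Action implied by state: ignore, learn, alarm, or alarm plus rate limit."""
        if self.state == "disabled":
            return "ignore"
        if self.state == "learn-only" or not self.detected(rate_1min, rate_1hour):
            return "learn"
        if self.state == "detect-only":
            return "alarm"
        limit = self.effective_rate_limit()
        if limit == INFINITE:
            return "alarm"                       # infinite rate limit: mitigation disabled
        return "alarm+rate-limit@%dpps" % int(limit)


if __name__ == "__main__":
    v = DeviceVector("tcp-syn-flood")
    print(v.name, v.evaluate(rate_1min=70000, rate_1hour=10000))  # percent rule trips before pps
```

Reading the model against a real configuration is a useful sanity check: with the defaults, a vector whose 1-hour average is 10000 pps alarms at a 1-minute rate above 60000 pps (500 percent over the average) even though the absolute threshold of 100000 pps has not been reached, and a detection-threshold-pps below the floor of 5000 is silently raised to 5000.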
SEE ALSO
list, modify, security, security dos, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015. All rights
reserved.
BIG-IP 2018-08-27 security dos device-config(1)