security dos profile
security dos profile(1) BIG-IP TMSH Manual security dos profile(1)
NAME
profile - Configures a DoS profile.
MODULE
security dos
SYNTAX
Configure the profile component within the security dos module using
the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
application [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
bot-defense {
collect-stats [enabled | disabled]
cross-domain-requests [allow-all | validate-bulk | validate-upon-request]
external-domains [none | add | delete | replace-all-with] { [string] ... }
grace-period [integer]
mode [always | disabled | during-attacks]
site-domains [none | add | delete | replace-all-with] { [string] ... }
url-whitelist [none | add | delete | replace-all-with] { [string] ... }
browser-legit-enabled [enabled | disabled]
browser-legit-captcha [enabled | disabled]
}
bot-signatures {
categories [none | add | delete | modify | replace-all-with] {
action {
[block | none | report]
}
}
check [enabled | disabled]
disabled-signatures [none | add | delete | modify | replace-all-with]
}
captcha-response {
failure {
body [string]
type [custom | default]
}
first {
body [string]
type [custom | default]
}
}
geolocations [none | add | delete | modify | replace-all-with] {
options:
[black-listed | white-listed]
}
heavy-urls {
automatic-detection [enabled | disabled]
exclude [none | add | delete | replace-all-with] { [string] ... }
include [none | add | delete | replace-all-with] { [string] ... }
include-list [none | add | delete | replace-all-with] { [string] { [integer] } ... }
latency-threshold [integer]
protection [enabled | disabled]
}
ip-whitelist [none | add | delete | modify | replace-all-with] {
[address ... | address/mask ... ]
}
stress-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
geo-maximum-auto-tps [integer]
geo-minimum-auto-tps [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
behavioral {
dos-detection [enabled | disabled]
mitigation-mode [none | conservative | standard | aggressive]
signatures [enabled | disabled]
signatures-approved-only [enabled | disabled]
accelerated-signatures [enabled | disabled]
tls-signatures [enabled | disabled]
}
}
tcp-dump {
maximum-duration [integer]
maximum-size [integer]
record-traffic [enabled | disabled]
repetition-interval [[integer] | once-per-attack]
}
tps-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
}
trigger-irule [enabled | disabled]
single-page-application [enabled | disabled]
scrubbing-enable [enabled | disabled]
scrubbing-duration-sec [integer]
rtbh-enable [enabled | disabled]
rtbh-duration-sec [integer]
fastl4-acceleration-profile [fastL4 profile name]
}
}
custom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
options:
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
state [detect-only | disabled | learn-only | mitigate]
threshold-mode [fully-automatic | manual | stress-based-mitigation]
}
}
description [string]
dos-network [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
dynamic-signatures {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
scrubber-advertisement-period [integer]
scrubber-category [name]
scrubber-enable [yes | no]
}
multiplier-mitigation-percentage [integer]
network-attack-vector [none | add | delete | modify | replace-all-with] {
attack-type [ext-hdr-too-large | hop-cnt-low | host-unreachable |
icmpv4-flood | icmpv6-flood | icmp-frag | ip-frag-flood |
ip-opt-frames | ipv6-ext-hdr-frames | ipv6-frag-flood |
non-tcp-connection | opt-present-with-illegal-len | sweep |
tcp-half-open | tcp-opt-overruns-tcp-hdr | tcp-psh-flood |
tcp-rst-flood | tcp-syn-flood | tcp-synack-flood | tcp-syn-oversize |
tcp-bad-urg | tcp-window-size | tidcmp | too-many-ext-hdrs |
udp-flood | unk-tcp-opt-type]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
packet-types [suspicious | ipfrag | exthdr | tcp-syn-only |
tcp-synack | tcp-rst | host-unrch | tidcmp | icmp | udp-flood |
dns-query-a | dns-query-aaaa | dns-query-any | dns-query-axfr |
dns-query-cname | dns-query-ixfr | dns-query-mx | dns-query-ns
| dns-query-other | dns-query-ptr | dns-query-soa |
dns-query-srv | dns-query-src | dns-query-txt | sip-method-ack
| sip-method-cancel | sip-method-message | sip-method-options |
sip-method-prack | sip-method-register | sip-method-bye |
sip-method-invite | sip-method-notify | sip-method-other |
sip-method-publish | sip-method-subscribe ]
state [disabled | learn-only | detect-only | mitigate]
suspicious [false | true]
threshold-mode [manual | stress-based-mitigation | fully-automatic]
}
}
}
protocol-dns [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
dns-query-vector [none | add | delete | modify | replace-all-with] {
query-type [a | aaaa | any | axfr | cname | ixfr | mx | ns | nxdomain |
other | ptr | soa | srv | txt]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
state [disabled | learn-only | detect-only | mitigate]
suspicious [false | true]
threshold-mode [manual | stress-based-mitigation | fully-automatic]
valid-domains [none | add | delete | replace-all-with] {
[domain-name] ...
}
}
multiplier-mitigation-percentage [integer]
prot-err-attack-detection [integer]
prot-err-atck-rate-incr [integer]
}
}
protocol-sip [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
multiplier-mitigation-percentage [integer]
prot-err-atck-rate-increase [integer]
prot-err-atck-rate-threshold [integer]
prot-err-attack-detection [integer]
sip-attack-vector [none | add | delete | modify | replace-all-with] {
type [ack | cancel | message | options | prack | register
| bye | invite | notify | other | publish | subscribe | uri-limit]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
state [disabled | learn-only | detect-only | mitigate]
suspicious [false | true]
threshold-mode [manual | manual-multiplier-mitigation | stress-based-mitigation | fully-automatic]
}
}
}
whitelist [enter addresses list name]
http-whitelist [enter addresses list name]
reset-stats profile [ [ [name] | [glob] | [regex] ] ... ]
options:
dos-dnsnxdomain-stat
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
show profile [ [ [name] | [glob] | [regex] ] ... ]
options:
dns-nxdomain-stat
field-fmt
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete
a DoS profile for use with DoS Protection functionality.
EXAMPLES
create profile my_dos_profile
Creates a custom DoS profile named my_dos_profile with initial
settings.
list profile
Displays the properties of all DoS profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
application
Adds, deletes, or replaces a single Application Security sub-
profile. You can configure the following options for Application
Security:
bot-defense
Specifies properties of proactive bot defense in Application
Security. You can configure the following options for
Proactive Bot Defense:
collect-stats
Enables or disables domain statistics collection.
cross-domain-requests
Specifies a cross-domain requests handling mode. The
options are:
allow-all
Allows all cross-domain requests. This is the
default value.
validate-bulk
The system validates domains in bulk: the cookies for
the related domains are created together with the
cookie for the current domain, by generating
challenges in iframes, one per domain.
validate-upon-request
The system validates domains upon request: the cookie
for the related domain is generated when a request
arrives at an unqualified URL without a cookie.
external-domains
Configures a list of external domains that are allowed
to link to resources of this website.
grace-period
Specifies the length of the grace period (in seconds)
during which only Simple Bot Prevention is enforced.
mode Specifies a mode of proactive bot defense. The options
are:
always
Specifies that the proactive bot defense is always
enabled.
disabled
Specifies that the proactive bot defense is
disabled. This is the default value.
during-attacks
Specifies that the proactive bot defense is enabled
only during attacks.
site-domains
Configures a list of domains that are part of the
website.
url-whitelist
Configures a list of URLs to exclude from the proactive
bot defense.
browser-legit-enabled
Enables or disables the proactive bot defense validation
of browser legitimacy and blocking of requests from
suspicious clients.
browser-legit-captcha
Enables or disables the browser legitimacy detection
improvement using CAPTCHA. In order to enable it, you
must first enable browser-legit-enabled.
bot-signatures
Specifies settings of Bot Signatures in Application Security.
You can configure the following options for Bot Signatures:
categories
Specifies the action for each Bot Signature Category.
You can configure the following options for each Bot
Signature Category:
action
Specifies the action for the Bot Signature
Category. The possible actions are none, block and
report.
check
Enables or disables Bot Signature checking, which allows
bots to be detected.
disabled-signatures
Configures a list of disabled Bot Signatures.
captcha-response
Specifies properties of the CAPTCHA response in Application
Security. You can configure the following options for CAPTCHA
Response Settings:
failure
Specifies properties of a failed CAPTCHA response. You
can configure the following options for a failed CAPTCHA
response:
body Configures a failed CAPTCHA response body.
type Configures a type of a failed CAPTCHA response
body. You can configure the following options for a
failed CAPTCHA response type:
custom
Configures a custom failed CAPTCHA response
type.
default
Configures a default failed CAPTCHA response
type.
first
Specifies properties of the first CAPTCHA response. You
can configure the following options for the first
CAPTCHA response:
body Configures the first CAPTCHA response body.
type Configures a type of the first CAPTCHA response
body. You can configure the following options for
the first CAPTCHA response type:
custom
Configures a custom first CAPTCHA response
type.
default
Configures a default first CAPTCHA response
type.
geolocations
Configures a list of blacklisted/whitelisted Geolocations.
You can configure the following options for each Geolocation:
[black-listed | white-listed]
Specifies a type of Geolocation.
heavy-urls
Specifies heavy URL protection in Application Security. You
can configure the following options for heavy URL protection:
automatic-detection
Enables or disables automatic heavy URL detection. In
order to enable it, you must first enable protection.
exclude
Configures a list of URLs (or wildcards) to exclude from
the heavy URLs.
include
(Deprecated, use include-list) Configures a list of URLs
to include in the heavy URLs.
include-list
Configures a list of URLs to include in the heavy URLs.
latency-threshold
Specifies the latency threshold for automatic heavy URL
detection (in milliseconds).
protection
(Deprecated, use stress/tps.url-enable-heavy) Enables or
disables heavy URL protection. To enable it, you must
additionally enable one of the following DoS URL-based
prevention policy methods: url-client-side-defense or
url-rate-limiting. This can be done for either tps-based
or stress-based anomaly protection.
ip-whitelist
Attribute ip-whitelist is deprecated in version 13.0.0;
consider using http-whitelist instead. Adds, deletes, or
replaces a set of IP addresses and subnets in the whitelist
of Application Security.
name Specifies a dummy name for enabled Application Security. This
option is required for the operations create, delete, modify,
and replace-all-with.
stress-based
Specifies Stress-based anomaly in Application Security. You
can configure the following options for Stress-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in
Stress-based anomaly.
escalation-period
Specifies the escalation period (in seconds) in Stress-
based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge
in Stress-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side
integrity defense in Stress-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in
Geolocation detection criteria of Stress-based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in
Stress-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of
Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the
respective Geolocation based on the traffic share
ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the Geolocation detection criteria of
Stress-based anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in
Stress-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side
integrity defense in Stress-based anomaly.
ip-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the IP detection criteria of Stress-based
anomaly.
ip-minimum-tps
Specifies the minimum TPS threshold for detection in IP
detection criteria of Stress-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in
Stress-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of
Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the
respective Source IP address based on the traffic
share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the IP detection criteria of Stress-based
anomaly.
mode Specifies an operation mode of Stress-based anomaly. The
options are:
off Specifies that the system does not check for DoS
attacks. This is the default value.
transparent
Specifies that when the system detects an attack,
it displays the attack data on the Reporting DoS
Attacks screen. In transparent mode the system does
not drop requests either from the attacking IP
address, or to attacked URLs.
blocking
Specifies that when the system detects an attack,
in addition to displaying the attack data on the
Reporting DoS Attacks screen, the system also drops
either connections from the attacking IP address,
or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in
Stress-based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity
defense in Stress-based anomaly.
site-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the Site-wide detection criteria of
Stress-based anomaly.
site-minimum-tps
Specifies the minimum TPS threshold for detection in
Site-wide detection criteria of Stress-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in Stress-
based anomaly.
site-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the Site-wide detection criteria of
Stress-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in Stress-
based anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in
Stress-based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity
defense in Stress-based anomaly.
url-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the URL detection criteria of Stress-based
anomaly.
url-minimum-tps
Specifies the minimum TPS threshold for detection in URL
detection criteria of Stress-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in Stress-
based anomaly.
url-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the URL detection criteria of Stress-based
anomaly.
behavioral
Specifies properties of Behavioral Detection in Stress-
based anomaly. You can configure the following options
for Behavioral Detection:
dos-detection
Enables or disables the Behavior Based Detection.
mitigation-mode
Specifies the mitigation impact on suspicious bad
actors/requests. The options are:
none
Learns and monitors traffic behavior, but takes no
action.
conservative
Slows down and rate limits requests from anomalous
IP addresses based on the anomaly detection
confidence and the server's health. If enabled,
blocks requests that match the attack signatures.
standard
Slows down requests from anomalous IP addresses
based on the anomaly detection confidence and the
server's health. Rate limits requests from
anomalous IP addresses and, if necessary, rate
limits all requests based on the server's health.
Limits the number of concurrent connections from
anomalous IP addresses and, if necessary, limits
the number of all concurrent connections based on
the server's health. If enabled, blocks requests
that match the attack signatures.
aggressive
Slows down requests from anomalous IP addresses
based on the anomaly detection confidence and the
server's health. Rate limits requests from
anomalous IP addresses and, if necessary, rate
limits all requests based on the server's health.
Limits the number of concurrent connections from
anomalous IP addresses and, if necessary, limits
the number of all concurrent connections based on
the server's health. Proactively performs all
protection actions (even before an attack) and
increases the impact of the protection techniques.
If enabled, blocks requests that match the attack
signatures and increases the impact of blocked
requests.
signatures
Enables or disables signature usage and mitigation.
signatures-approved-only
Allows only manually approved signatures to be used.
accelerated-signatures
Enables or disables signature detection before
connection establishment. Automatically enables the
SYN cookie mechanism during an attack.
tls-signatures
Enables or disables TLS signature detection before
connection establishment.
tcp-dump
Specifies properties of traffic recording during attacks in
Application Security. You can configure the following options
for Record Traffic During Attacks:
maximum-duration
Specifies the TCP dump maximum duration (in seconds).
maximum-size
Specifies the TCP dump maximum size (in megabytes).
record-traffic
Enables or disables traffic recording during attacks.
repetition-interval
Specifies the TCP dump repetition interval (in seconds).
tps-based
Specifies TPS-based anomaly in Application Security. You can
configure the following options for TPS-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in TPS-
based anomaly.
escalation-period
Specifies the escalation period (in seconds) in TPS-
based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge
in TPS-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side
integrity defense in TPS-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in
Geolocation detection criteria of TPS-based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in
TPS-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of
TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the
respective Geolocation based on the traffic share
ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the Geolocation detection criteria of
TPS-based anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in
TPS-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side
integrity defense in TPS-based anomaly.
ip-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the IP detection criteria of TPS-based
anomaly.
ip-minimum-tps
Specifies the minimum TPS threshold for detection in IP
detection criteria of TPS-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in
TPS-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of
TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from
the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the
respective Source IP address based on the traffic
share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the IP detection criteria of TPS-based
anomaly.
mode Specifies an operation mode of TPS-based anomaly. The
options are:
off Specifies that the system does not check for DoS
attacks. This is the default value.
transparent
Specifies that when the system detects an attack,
it displays the attack data on the Reporting DoS
Attacks screen. In transparent mode the system does
not drop requests either from the attacking IP
address, or to attacked URLs.
blocking
Specifies that when the system detects an attack,
in addition to displaying the attack data on the
Reporting DoS Attacks screen, the system also drops
either connections from the attacking IP address,
or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in TPS-
based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity
defense in TPS-based anomaly.
site-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the Site-wide detection criteria of
TPS-based anomaly.
site-minimum-tps
Specifies the minimum TPS threshold for detection in
Site-wide detection criteria of TPS-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in TPS-based
anomaly.
site-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the Site-wide detection criteria of
TPS-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in TPS-based
anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in TPS-
based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity
defense in TPS-based anomaly.
url-maximum-tps
Specifies the TPS value that, when reached, triggers
detection in the URL detection criteria of TPS-based
anomaly.
url-minimum-tps
Specifies the minimum TPS threshold for detection in URL
detection criteria of TPS-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in TPS-based
anomaly.
url-tps-increase-rate
Specifies the percentage increase in TPS that triggers
detection in the URL detection criteria of TPS-based
anomaly.
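The TPS-based and Stress-based sections above list ip-minimum-tps, ip-tps-increase-rate, ip-maximum-tps, escalation-period, de-escalation-period and mode separately, without showing how they act together on one source IP. The Python model below is an added illustration, not F5 code or part of this manual page. It assumes that a detection fires when TPS reaches ip-maximum-tps, or when TPS is at least ip-minimum-tps and has grown by ip-tps-increase-rate percent over a baseline, and that escalation and de-escalation are counted in consecutive seconds; the sample TPS series is constructed.

```python
"""Model of per-source-IP TPS-based detection and of what mode does with it.

Added example: the option names come from the tmsh manual page, the way they are
combined here is an assumption of this example, not F5's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TpsSettings:
    """The ip-* options of a tps-based (or stress-based) block."""
    ip_minimum_tps: int        # floor below which no detection happens
    ip_tps_increase_rate: int  # percent growth over baseline that counts
    ip_maximum_tps: int        # absolute rate that always counts
    escalation_period: int     # consecutive anomalous seconds before mitigating
    de_escalation_period: int  # consecutive quiet seconds before mitigation stops
    mode: str = "off"          # off | transparent | blocking


def tps_anomalous(s: TpsSettings, baseline_tps: float, current_tps: float) -> bool:
    """One-second detection check for a single source IP.

    Either the absolute ceiling is reached, or the rate is at least the minimum
    and has grown by ip-tps-increase-rate percent over the baseline. The
    minimum-tps floor is what keeps a 2 -> 10 TPS jump (a 400% increase) from
    being treated as an attack.
    """
    if current_tps >= s.ip_maximum_tps:
        return True
    if current_tps < s.ip_minimum_tps:
        return False
    if baseline_tps <= 0:
        return True  # traffic from a silent baseline is an unbounded increase
    increase_pct = (current_tps - baseline_tps) * 100.0 / baseline_tps
    return increase_pct >= s.ip_tps_increase_rate


def action_for(s: TpsSettings, mitigating: bool) -> str:
    """What the mode setting does once mitigation is active for a source."""
    if s.mode == "off" or not mitigating:
        return "allow"
    if s.mode == "transparent":
        return "report"   # attack data is shown, nothing is dropped
    if s.mode == "blocking":
        return "drop"     # connections from the attacking source are dropped
    raise ValueError(f"unknown mode {s.mode!r}")


def simulate_source(s: TpsSettings, baseline_tps: float, samples: list) -> list:
    """Walk per-second TPS samples for one source; return the action per second.

    Mitigation starts after escalation_period consecutive anomalous seconds and
    stays active until de_escalation_period consecutive quiet seconds pass.
    """
    actions = []
    anomalous_run = 0
    quiet_run = 0
    mitigating = False
    for tps in samples:
        if tps_anomalous(s, baseline_tps, tps):
            anomalous_run += 1
            quiet_run = 0
            if anomalous_run >= s.escalation_period:
                mitigating = True
        else:
            anomalous_run = 0
            quiet_run += 1
            if mitigating and quiet_run >= s.de_escalation_period:
                mitigating = False
        actions.append(action_for(s, mitigating))
    return actions


# Constructed sample: one source ramps from a 10 TPS baseline to 80-90 TPS.
SETTINGS = TpsSettings(ip_minimum_tps=40, ip_tps_increase_rate=500,
                       ip_maximum_tps=200, escalation_period=2,
                       de_escalation_period=3, mode="blocking")
SAMPLE_TPS = [10, 12, 80, 85, 90, 15, 12, 11, 10]

if __name__ == "__main__":
    for sec, act in enumerate(simulate_source(SETTINGS, 10, SAMPLE_TPS)):
        print(f"t={sec}s tps={SAMPLE_TPS[sec]:>3} -> {act}")
```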
trigger-irule
Specifies, when enabled, that the system activates an
Application DoS iRule event. The default value is disabled.
single-page-application
Specifies, when enabled, that the system supports Single Page
Applications. The default value is disabled.
fastl4-acceleration-profile
Specifies the fastL4 profile used for DoS acceleration. Set to
none to disable acceleration.
scrubbing-enable
Specifies whether to enable Traffic Scrubbing during attacks by
advertising BGP routes. This requires configuration of a security
scrubber profile, and functions even when mode is set to
transparent.
scrubbing-duration-sec
Specifies the duration of the Traffic Scrubbing BGP route
advertisement, in seconds. This is used when scrubbing-enable is
enabled.
rtbh-enable
Specifies whether to enable Remote Triggered Black Hole (RTBH) of
attacking IPs by advertising BGP routes. This requires
configuration of a security blacklist-publisher, and functions
even when the Operation Mode is set to transparent.
rtbh-duration-sec
Specifies the duration of the RTBH BGP route advertisement, in
seconds. This is used when rtbh-enable is enabled.
description
User defined description.
protocol-dns
Adds, deletes, or replaces a single Protocol DNS Security sub-
profile. You can configure the following options for Protocol DNS
Security:
name Specifies a dummy name for enabled Protocol DNS Security. This
option is required for the operations create, delete, modify, and
replace-all-with.
dynamic-signatures
Specifies options related to the DNS Behavioral DoS (Dynamic
Signatures) feature, which applies per virtual server when a
DoS profile is attached to the virtual server. The following
options are configurable for this feature:
detection
Specifies the mode for detection of anomalies in traffic for
the purpose of dynamic signature generation. The following
modes are supported: disabled, enabled and learn-only.
Mode learn-only is the same as enabled except that the
system does not generate any logs or alert the user. It is
used mainly to learn the baseline thresholds for the
traffic. The default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic
(expressed as dynamic signatures). The following modes
are supported: none, low, medium and high. Each mode
represents the severity (or aggressiveness) with which the
system tries to mitigate the anomalous traffic. The default
is none.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value, in percent, for all
vectors in the DNS DoS profile when using the
manual-multiplier-mitigation mode.
dns-query-vector
Adds, deletes, or replaces Protocol DNS DoS vectors. You can
configure the following options for DNS query vectors:
query-type
Specifies the vector (DNS query) type for DoS attack
detection.
enforce
This option is deprecated in version 13.1.0 and is replaced
by state. Enables or disables the packet drop action of DoS
detection for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced
by threshold-mode. Enables the auto threshold mode for DoS
detection and DoS mitigation. The default value is disabled.
allow-upstream-scrubbing
Enables upstream scrubbing. The default value is disabled.
attacked-dst
Enables attacked-destination detection. The default value is
disabled.
auto-scrubbing
Enables automatic destination IP scrubbing. The default value
is disabled.
bad-actor
Enables per-source IP based bad actor detection.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value of this specific
vector in percentage when using manual-multiplier-mitigation
mode, The default value used is inherited from the dns dos
profile.
per-source-ip-detection-pps
Bad actor detection rate (for single IP address) of this
vector
per-source-ip-limit-pps
Bad actor allowed rate (for single IP address) of this vector
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per
destination IP. The default value is infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per
destination IP. The default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default value is
none.
scrubbing-detection-seconds
Specifies duration in seconds for which the destination IP
has been offended/attacked. The default value is 10.
scrubbing-duration
Specifies duration in seconds for which this IP should be
scrubbed. The default value is 900.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If the
value is infinite the detection is disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection. If
the value is infinite the detection is disabled.
state
Specifies the run time state of this vector. The options are the
same as those in network-attack-vector: disabled, learn-only,
detect-only and mitigate.
suspicious
Specifies whether the vector considers all packets or only
unsolicited packets. The default value is false.
threshold-mode
Specifies the threshold mode for DoS detection and DoS mitigation.
The default value is manual. The options are the same as those in
network-attack-vector: manual, stress-based-mitigation,
fully-automatic and manual-multiplier-mitigation.
prot-err-attack-detection
Specifies whether protocol error attack detection is enabled, for
example detection of floods of malformed or malicious DNS packets.
prot-err-atck-rate-incr
Specifies the protocol error rate increase for DoS attack
detection.
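The following is an added example and is not part of the F5 manual page. It creates a DoS profile with one Protocol DNS Security sub-profile, starts the dynamic signatures in learn-only mode and the per-query-type vectors in detect-only state so that a baseline can be learned and alarms reviewed without dropping traffic, and then promotes both to enforcement. The profile, sub-profile and virtual server names, the vector keys a and any (assumed to be valid query-type values), the enabled value for bad-actor, the "profiles add" syntax for attaching the profile to a virtual server, and all numeric thresholds are assumptions. Each command is broken over several lines for readability and is entered as a single tmsh command.

```tmsh
# Added example, not from the F5 manual. Names, vector keys and
# thresholds are assumed values, not defaults.
create security dos profile dos_dns_example protocol-dns add {
    dns_sub {
        # Learn the traffic baseline first: no logs, no mitigation.
        dynamic-signatures {
            detection learn-only
            mitigation none
        }
        prot-err-attack-detection enabled
        # Sub-profile-wide multiplier for any vector later switched
        # to threshold-mode manual-multiplier-mitigation.
        multiplier-mitigation-percentage 150
        dns-query-vector add {
            a {
                state detect-only
                threshold-mode manual
                rate-threshold 20000
                rate-limit 40000
                bad-actor enabled
                per-source-ip-detection-pps 500
                per-source-ip-limit-pps 1000
            }
            any {
                # ANY queries are rare in legitimate traffic, so the
                # thresholds are far lower than for A queries.
                state detect-only
                threshold-mode manual
                rate-threshold 200
                rate-limit 400
                bad-actor enabled
                per-source-ip-detection-pps 20
                per-source-ip-limit-pps 40
            }
        }
    }
}

# After the learning period: generate signatures with logging, mitigate
# matches, and move the static vectors from alarm-only to enforcement.
modify security dos profile dos_dns_example protocol-dns modify {
    dns_sub {
        dynamic-signatures {
            detection enabled
            mitigation medium
        }
        dns-query-vector modify {
            a   { state mitigate }
            any { state mitigate }
        }
    }
}

# The sub-profile only acts on traffic of a virtual server the profile
# is attached to (attachment syntax assumed; see ltm virtual).
modify ltm virtual vs_dns_example profiles add { dos_dns_example }

# Verify what was stored, including values left at their defaults.
list security dos profile dos_dns_example protocol-dns all-properties
```

Until the second modify is applied, the a and any vectors only raise alarms (detect-only) and the dynamic signatures produce neither logs nor drops (learn-only); rate-limit values are stored but not enforced, so the learning period costs nothing in availability.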
protocol-sip
Adds, deletes, or replaces a single Protocol SIP Security sub-
profile. You can configure the following options for Protocol SIP
Security:
name Specifies a placeholder name for the single Protocol SIP Security
sub-profile. This option is required for the operations create,
delete, modify, and replace-all-with.
prot-err-atck-rate-increase
Specifies the protocol error rate increase for DoS attack
detection.
prot-err-atck-rate-threshold
Specifies the protocol error rate threshold for DoS attack
detection.
prot-err-attack-detection
Specifies whether protocol error attack detection is enabled, for
example detection of floods of malformed SIP packets.
multiplier-mitigation-percentage
Specifies, as a percentage, the mitigation multiplier that applies
to all vectors in the SIP DoS sub-profile whose threshold-mode is
manual-multiplier-mitigation. A vector can override it with its own
multiplier-mitigation-percentage.
sip-attack-vector
Adds, deletes, or replaces Protocol SIP DoS vectors. You can
configure the following options for SIP method vectors:
type Specifies the vector type (SIP method) for DoS attack
detection.
enforce
This option is deprecated in version 13.1.0 and is replaced by
state. Enables or disables the packet drop action of DoS detection
for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by
threshold-mode. Enables the auto threshold mode for DoS detection
and DoS mitigation. The default value is disabled.
allow-upstream-scrubbing
Allows an attacked destination IP to be advertised for scrubbing
upstream. The default value is disabled.
attacked-dst
Enables attacked-destination detection, which applies the
per-dst-ip-detection-pps and per-dst-ip-limit-pps thresholds. The
default value is disabled.
auto-scrubbing
Enables automatic scrubbing of an attacked destination IP, governed
by scrubbing-category, scrubbing-detection-seconds and
scrubbing-duration. The default value is disabled.
bad-actor
Enables per-source-IP bad actor detection, governed by
per-source-ip-detection-pps and per-source-ip-limit-pps.
multiplier-mitigation-percentage
Specifies, as a percentage, the mitigation multiplier for this
specific vector when using manual-multiplier-mitigation mode. The
default value is inherited from the SIP DoS sub-profile.
per-source-ip-detection-pps
Specifies the bad actor detection rate (pps) for a single source IP
address on this vector.
per-source-ip-limit-pps
Specifies the rate (pps) allowed from a single source IP address on
this vector once it has been detected as a bad actor.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per
destination IP. The default value is infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per
destination IP. The default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default value is
none.
scrubbing-detection-seconds
Specifies duration in seconds for which the destination IP
has been offended/attacked. The default value is 10.
scrubbing-duration
Specifies duration in seconds for which this IP should be
scrubbed. The default value is 900.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If the
value is infinite the detection is disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection. If
the value is infinite the detection is disabled.
state
Specifies the run time state of this vector. The options are the
same as those in network-attack-vector: disabled, learn-only,
detect-only and mitigate.
suspicious
Specifies whether the vector considers all packets or only
unsolicited packets. The default value is false.
threshold-mode
Specifies the threshold mode for DoS detection and DoS mitigation.
The default value is manual. The options are the same as those in
network-attack-vector: manual, stress-based-mitigation,
fully-automatic and manual-multiplier-mitigation.
dos-network
Adds, deletes, or replaces a single Network DoS Security sub-
profile. You can configure the following options for Network DoS
Security:
name Specifies a placeholder name for the single Network DoS Security
sub-profile. This option is required for the operations create,
delete, modify, and replace-all-with.
dynamic-signatures
Specifies options for the L4 Behavioral DoS (Dynamic Signatures)
feature. The feature operates per virtual server, by virtue of
the DoS profile being attached to that virtual server. The
following options are configurable for this feature:
detection
Specifies the mode for detecting anomalies in traffic for the
purpose of generating dynamic signatures. The supported modes
are disabled, enabled and learn-only.
Mode learn-only is the same as enabled except that the system
does not generate any logs (or alert the user). It is used
mainly to learn the baseline thresholds for the traffic before
enforcement.
The default is disabled.
mitigation
Specifies the mode for mitigating anomalous traffic (traffic
that matches a generated dynamic signature). The supported
modes are none, low, medium and high. Each mode represents the
severity (aggressiveness) with which the system mitigates the
anomalous traffic.
The default is none.
scrubber-enable
Specifies whether attack traffic is scrubbed upon a dynamic
signature match. The default is no.
scrubber-category
Specifies the IP Intelligence category used for scrubbing the
attack traffic upon a dynamic signature match that includes a
destination IP address component. The default category is
attacked_ips.
scrubber-advertisement-period
Specifies the advertisement period, in seconds, for which the
attack traffic is scrubbed. The default is 300 seconds.
multiplier-mitigation-percentage
Specifies, as a percentage, the mitigation multiplier that
applies to all vectors in the Network DoS sub-profile whose
threshold-mode is manual-multiplier-mitigation. A vector can
override it with its own multiplier-mitigation-percentage.
network-attack-vector
Adds, deletes, or replaces Network Attack DoS vectors. You
can configure the following options for Network Attack
vectors:
attack-type
Specifies the vector type (Network Attack) for DoS
attack detection.
enforce
This option is deprecated in version 13.1.0 and is replaced
by state. Enables or disables the packet drop action of DoS
detection for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced
by threshold-mode. Enables the auto threshold mode for DoS
detection and DoS mitigation. The default value is disabled.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If
the value is infinite the detection is disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection.
If the value is infinite the detection is disabled.
packet-types
Specifies the packet types for the sweep attack vector. This
option applies only to that vector.
allow-upstream-scrubbing
Allows an attacked destination IP to be advertised for
scrubbing upstream. The default value is disabled.
attacked-dst
Enables attacked-destination detection, which applies the
per-dst-ip-detection-pps and per-dst-ip-limit-pps thresholds.
The default value is disabled.
auto-scrubbing
Enables automatic scrubbing of an attacked destination IP,
governed by scrubbing-category, scrubbing-detection-seconds
and scrubbing-duration. The default value is disabled.
bad-actor
Enables per-source-IP bad actor detection, governed by
per-source-ip-detection-pps and per-source-ip-limit-pps.
multiplier-mitigation-percentage
Specifies, as a percentage, the mitigation multiplier for
this specific vector when using manual-multiplier-mitigation
mode. The default value is inherited from the Network DoS
sub-profile.
per-source-ip-detection-pps
Specifies the bad actor detection rate (pps) for a single
source IP address on this vector.
per-source-ip-limit-pps
Specifies the rate (pps) allowed from a single source IP
address on this vector once it has been detected as a bad
actor.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per
destination IP. The default value is infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per
destination IP. The default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default
value is none.
scrubbing-detection-seconds
Specifies duration in seconds for which the destination
IP has been offended/attacked. The default value is 10.
scrubbing-duration
Specifies duration in seconds for which this IP should
be scrubbed. The default value is 900.
state
Specifies the run time state of this vector.
The options are:
disabled
Do not learn, do not collect stats.
learn-only
Learn/Collect stats, but do not "detect" ("alarm" in
ASM-speak) any attacks.
detect-only
Learn/Collect stats/detect, but do not mitigate
(rate-limit/drop, challenge, etc.) any attacks.
mitigate
Learn/Collect stats/detect/mitigate (using whichever
mitigations are configured).
threshold-mode
Specifies the threshold mode for DoS detection and DoS
mitigation. The default value is manual.
The options are:
manual
Both the detection ("alarm") threshold and the mitigation
threshold are set manually (for example rate-threshold and
rate-limit).
stress-based-mitigation
The detection ("alarm") threshold is set manually; the
mitigation threshold is stress-based.
fully-automatic
Both the detection ("alarm") threshold and the mitigation
threshold are computed automatically.
manual-multiplier-mitigation
The detection ("alarm") threshold is computed automatically.
The mitigation threshold is the detection threshold
multiplied by multiplier-mitigation-percentage (taken as a
percentage, so 150 yields 1.5 times the detection
threshold).
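The following is an added example and is not part of the F5 manual page. It covers the Network DoS Security and Protocol SIP Security sub-profiles together, since their vector options are the same, and puts three threshold modes side by side: tcp-syn-flood in manual-multiplier-mitigation mode, where the system computes the detection threshold D and, because the vector overrides the sub-profile's 150 with 200, mitigates at 2.0 x D; udp-flood in manual mode with both thresholds given explicitly, plus bad-actor, attacked-destination and auto-scrubbing settings; and the SIP invite vector in stress-based-mitigation mode, which needs only a manual detection threshold. Only udp-flood starts in state mitigate; the other vectors start in detect-only so their alarms can be reviewed before they are allowed to drop traffic. The profile and sub-profile names, the vector keys tcp-syn-flood, udp-flood and invite, the enabled value for bad-actor, attacked-dst and auto-scrubbing, the use of attacked_ips (the page gives it only as the dynamic-signatures scrubber default) as a per-vector scrubbing-category, and all numeric values are assumptions. The command is broken over several lines for readability and is entered as a single tmsh command.

```tmsh
# Added example, not from the F5 manual. Names, vector keys, the
# scrubbing category and all thresholds are assumed values.
create security dos profile dos_l4_example dos-network add {
    net_sub {
        dynamic-signatures {
            detection learn-only
            mitigation none
        }
        # Sub-profile default: mitigate at 150% of the auto-computed
        # detection threshold for manual-multiplier-mitigation vectors.
        multiplier-mitigation-percentage 150
        network-attack-vector add {
            tcp-syn-flood {
                state detect-only
                threshold-mode manual-multiplier-mitigation
                # Per-vector override: detection D -> mitigation 2.0 x D
                multiplier-mitigation-percentage 200
            }
            udp-flood {
                # Fully manual: alarm above 50k pps, drop above 100k pps.
                state mitigate
                threshold-mode manual
                rate-threshold 50000
                rate-limit 100000
                # A single source exceeding 2000 pps is a bad actor and
                # is then held to 4000 pps.
                bad-actor enabled
                per-source-ip-detection-pps 2000
                per-source-ip-limit-pps 4000
                # Per-destination thresholds, and after 10 s under
                # attack the destination is put in the scrubbing
                # category for 900 s.
                attacked-dst enabled
                per-dst-ip-detection-pps 30000
                per-dst-ip-limit-pps 60000
                auto-scrubbing enabled
                scrubbing-category attacked_ips
                scrubbing-detection-seconds 10
                scrubbing-duration 900
            }
        }
    }
} protocol-sip add {
    sip_sub {
        prot-err-attack-detection enabled
        sip-attack-vector add {
            invite {
                # Manual alarm threshold; mitigation threshold comes
                # from the stress-based computation.
                state detect-only
                threshold-mode stress-based-mitigation
                rate-threshold 5000
            }
        }
    }
}

# Verify the stored configuration, including inherited defaults.
list security dos profile dos_l4_example all-properties
```

Note the interaction between state and threshold-mode: the mode only decides where the thresholds come from, while state decides whether crossing them does anything. A vector in manual-multiplier-mitigation mode with state detect-only has a mitigation threshold computed for it but never drops traffic until its state is changed to mitigate.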
whitelist
Specifies the DoS source-IP whitelist configuration; sources on the
whitelist are not subject to DoS detection and mitigation.
http-whitelist
Specifies the IP address and subnet whitelist configuration for
Application Security (overrides the global whitelist).
custom-signatures
Specifies options for the L4 Behavioral DoS Signatures feature,
which operates per virtual server by virtue of one or more signature
objects being attached. The following options are configurable for
each attached signature:
threshold-mode
Specifies the mode for setting the rate limit thresholds to
be used for the matching traffic. Following modes are
supported: manual, fully-automatic and stress-based-
mitigation. Default is manual.
state
Specifies the operational state of the attached signature.
The states supported are: disabled, learn-only, detect-only
and mitigate. Default is disabled.
suspicious
Specifies if the vector considers all packets or only
unsolicited packets. The default value is false.
manual-detection-threshold
Specifies the attack detection threshold of the attached
signature.
Default is infinite.
manual-mitigation-threshold
Specifies the attack mitigation threshold of the attached
signature.
Default is infinite.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security,
security dos, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015. All rights
reserved.
BIG-IP 2018-07-19 security dos profile(1)