security dos dos-signature

security dos dos-signature(1)			  BIG-IP TMSH Manual			security dos dos-signature(1)

NAME
       dos-signature - Configures DoS Behavioral Signature(s).

MODULE
       security dos

SYNTAX
       Configure the dos-signature component within the security dos module using the syntax shown in the following
       sections.

   CREATE/MODIFY
	create dos-signature [name]
	modify dos-signature [name]
	  options:
	    alias [string]
	    app-service [string | none]
	    approval-state [ unapproved | manually-approved ]
	    parent-context-type [device | virtual-server | device-netflow]
	    parent-context [string]
	    parent-profile [string]
	    description [string]
	    family [dns | network | http | tls]
	    hardware-offload [ disabled | enabled ]
	    manual-detection-threshold [integer]
	    manual-mitigation-threshold [integer]
	    multiplier-mitigation-percentage [integer]
	    origin [dynamic-bdos | user-defined]
	    predicates [list of struct(string, string, string)]
	    shareability-state [not-shareable | fully-shareable ]
	    state [disabled | learn-only | detect-only | mitigate]
	    tags [list of string]
	    threshold-mode [manual | manual-multiplier-mitigation | stress-based-mitigation | fully-automatic]
	    type [dynamic | persistent]

   DISPLAY
	list dos-signature [name]

   DELETE
	delete dos-signature [name]

DESCRIPTION
       You can use the dos-signature component to create, modify, display, or delete a DoS behavioral signature.

EXAMPLES
       create security dos dos-signature Sig_Device_ToS type persistent family http origin user-defined state
       disabled

       This example shows how to create a DoS signature named Sig_Device_ToS.

       list security dos dos-signature Sig_Device_ToS

       This example shows how to display a DoS signature named Sig_Device_ToS.

       modify security dos dos-signature Sig_Device_TTL manual-detection-threshold 10000 manual-mitigation-threshold
       4294967295

       This example shows how to modify the manual detection and mitigation thresholds of a DoS signature named
       Sig_Device_TTL. The thresholds take effect only while the signature's threshold-mode is manual.

       delete security dos dos-signature Sig_Device_ToS

       This example shows how to delete a DoS signature named Sig_Device_ToS.

OPTIONS
       alias
	    Specifies the alias name of a signature. The default is the empty string.

       app-service
	    Specifies the application service that the object belongs to.

       approval-state
	    Specifies whether or not the signature has been reviewed for quality/correctness. For a persistent
	    signature with dns or network family, the default is manually-approved. Otherwise, the default is
	    unapproved.

	    The approval-state of a dynamic signature with dns or network family cannot be modified.

	    The options are:

	    unapproved
		 Specifies the signature is not approved.

	    manually-approved
		 Specifies the signature has been reviewed for quality/correctness.

       parent-context-type
	    Specifies the type of the context for which this signature has been generated.

	    The options are:

	    device
		 Specifies the context type is a DoS device.

	    virtual-server
		 Specifies the type of the context is a Virtual Server.

	    device-netflow
		 Specifies the context type is Netflow device.

	    For a dynamic signature, this field is required and cannot be modified once specified.

	    For a persistent signature, this field cannot be reset once it is set. The default is unspecified.

	    For a persistent signature with dns or network family, this field is not applicable.

       parent-context
	    Specifies the context for which this signature has been generated. The default is empty string.

	    This field is based on parent-context-type. If parent-context-type is device, it must be constant
	    "Device". If parent-context-type is device-netflow, it must be constant "NetFlow".

	    For a dynamic signature, this field cannot be empty and cannot be modified once specified.

	    For a persistent signature, this field cannot be reset once it is set.

	    For a persistent signature with dns or network family, this field is not applicable.

       parent-profile
	    Specifies the profile for which this signature has been generated. The default is empty string.

	    This field is based on parent-context-type. If parent-context-type is device or device-netflow, it must
	    be constant "/Common/dos-device-config".

	    For a dynamic signature, this field cannot be empty and cannot be modified once specified.

	    For a persistent signature, this field cannot be reset once it is set.

	    This field is required for a persistent signature with dns or network family and a shareability-state of
	    not-shareable.

       description
	    Specifies a user-defined description for this signature.

       family
	    Specifies the family this signature belongs to. This is a required field for creation. The options are
	    dns, network, http, and tls.

	    It cannot be modified once the signature is created.

       hardware-offload
	    Enables or disables hardware offloading for dynamic and persistent signatures of the network family. The
	    default value is enabled.

       manual-detection-threshold
	    Specifies the manual threshold (Events Per Second) above which the traffic is declared an attack. The
	    default is infinite (4294967295).

	    This field takes effect only when the threshold-mode attribute is set to manual. For a signature with
	    http family, it must always be 0.

	    For a persistent signature with dns or network family, this field is not applicable and must be left at
	    its default value.

	    For a dynamic signature with dns or network family, this field cannot be changed if threshold-mode is
	    fully-automatic.

       manual-mitigation-threshold
	    Specifies the manual threshold (Events Per Second) above which the system rate limits (drops) the traffic
	    that matches this signature. The default is infinite (4294967295).

	    This field takes effect only when the threshold-mode attribute is set to manual. For a signature with
	    http family, it must always be 0.

	    For a persistent signature with dns or network family, this field is not applicable and must be left at
	    its default value.

	    For a dynamic signature with dns or network family, this field cannot be changed if threshold-mode is
	    fully-automatic.

	    For a signature whose parent-context-type is device-netflow, this field must be infinite (4294967295).

       multiplier-mitigation-percentage
	    Specifies the mitigation multiplier of this specific DoS signature, as a percentage, when using the
	    manual-multiplier-mitigation threshold mode. The default value is inherited from the device-level or
	    profile-level mitigation multiplier of the same DoS family.

       origin
	    Specifies the origin this signature was generated from. The options are dynamic-bdos and user-defined.
	    The default is user-defined.

	    It cannot be modified once the signature is created.

       predicates
	    Specifies the list of predicates that constitute this signature. Each predicate contains three string
	    fields: metric, operator, and arguments. This is a required field.

	    Predicates cannot be added to or modified on a dynamic signature with dns or network family.

       shareability-state
	    Specifies whether or not the signature can be used by contexts (virtual servers) other than the one that
	    created it. For a persistent signature with dns or network family, the default is fully-shareable.
	    Otherwise, the default is not-shareable.

	    The shareability-state of a dynamic signature with dns or network family cannot be modified.

	    This field cannot be changed from fully-shareable to not-shareable while the signature is referenced.

	    The options are:

	    not-shareable
		 Specifies that the signature can only be used by the context that created it.

	    fully-shareable
		 Specifies that the signature can be used by contexts other than the one that created it.

       state
	    Specifies the deployment state of this signature. The default is disabled.

	    The options are:

	    disabled
		 Do not learn and do not collect stats.

	    learn-only
		 Learn and collect stats, but do not "detect" ("alarm" in ASM-speak) any attacks.

	    detect-only
		 Learn, collect stats, and detect, but do not mitigate (rate-limit/drop, challenge, etc.) any attacks.

	    mitigate
		 Learn, collect stats, detect, and mitigate (using whichever mitigations are configured).

	    For a persistent signature with dns or network family, this field is not applicable and must be left at
	    its default value.

	    For a dynamic signature with dns or network family, learn-only is not allowed.

	    For a signature with http family, only learn-only or mitigate is allowed.

       tags Specifies the list of tags of this signature. The default is empty.

       threshold-mode
	    Specifies the threshold mode for DoS detection and mitigation. The default is manual.

	    The options are:

	    manual
		 Specifies that the manual detection and mitigation thresholds are used.

	    stress-based-mitigation
		 Specifies that the detection ("alarm") threshold is manual, while the mitigation threshold is
		 stress-based. This option is not available for a signature with http family or for a signature whose
		 parent-context-type is device-netflow.

	    fully-automatic
		 Specifies that both the detection ("alarm") and mitigation thresholds are computed automatically. This
		 option is not available for a signature with http family.

	    manual-multiplier-mitigation
		 Specifies that the detection ("alarm") threshold is computed automatically, and the mitigation
		 threshold is calculated as the detection threshold multiplied by the multiplier-mitigation-percentage.

	    For a persistent signature with dns or network family, this field is not applicable and must be left at
	    its default value.

	    For a signature whose parent-context-type is device-netflow, this field cannot be stress-based-mitigation.

	    For a signature with http family, this field cannot be stress-based-mitigation or fully-automatic.

       type Specifies the type of this signature. The options are dynamic and persistent. The default is persistent.

	    It cannot be changed from persistent to dynamic. Users cannot create a dynamic signature, but can modify
	    and delete one.
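       The per-family and per-context constraints listed under OPTIONS are scattered across many fields and are
       easy to violate when signatures are generated by automation rather than typed at the tmsh prompt. The
       following Python checker is an added example, not F5 code and not part of this manual: it encodes those
       constraints so a signature can be validated offline before it is pushed, and it computes the effective
       thresholds for the manual and manual-multiplier-mitigation modes. The DosSignature class and its field
       names are this example's own (they mirror the tmsh option names); the "detection threshold times
       percentage, integer division" arithmetic is an assumption taken from the one-sentence description of
       manual-multiplier-mitigation above, and the sample signatures are constructed for illustration.

```python
"""Offline checker for BIG-IP DoS signature settings (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INFINITE = 4294967295  # the "infinite" threshold value documented for this component

FAMILIES = ("dns", "network", "http", "tls")
STATES = ("disabled", "learn-only", "detect-only", "mitigate")
MODES = ("manual", "manual-multiplier-mitigation", "stress-based-mitigation", "fully-automatic")
CONTEXT_TYPES = ("device", "virtual-server", "device-netflow")


@dataclass
class DosSignature:
    """Field names mirror the tmsh options; the class itself is this example's own."""
    name: str
    family: str
    type: str = "persistent"
    state: str = "disabled"
    threshold_mode: str = "manual"
    manual_detection_threshold: int = INFINITE
    manual_mitigation_threshold: int = INFINITE
    multiplier_mitigation_percentage: Optional[int] = None  # None: inherit the profile-level value
    parent_context_type: Optional[str] = None
    parent_context: str = ""
    parent_profile: str = ""
    predicates: List[Tuple[str, str, str]] = field(default_factory=list)  # (metric, operator, arguments)


def validate(sig: DosSignature) -> List[str]:
    """Return the list of constraint violations; an empty list means the signature is acceptable."""
    errors: List[str] = []
    if sig.family not in FAMILIES:
        errors.append(f"family must be one of {FAMILIES}")
    if sig.state not in STATES:
        errors.append(f"state must be one of {STATES}")
    if sig.threshold_mode not in MODES:
        errors.append(f"threshold-mode must be one of {MODES}")
    if not sig.predicates:
        errors.append("predicates is a required field")

    thresholds_default = (sig.manual_detection_threshold == INFINITE
                          and sig.manual_mitigation_threshold == INFINITE)

    # http family: manual thresholds are always 0, no stress-based/fully-automatic mode,
    # and detect-only is not among the permitted states (learn-only or mitigate only).
    if sig.family == "http":
        if (sig.manual_detection_threshold, sig.manual_mitigation_threshold) != (0, 0):
            errors.append("http family: manual detection/mitigation thresholds must be 0")
        if sig.threshold_mode in ("stress-based-mitigation", "fully-automatic"):
            errors.append("http family: threshold-mode cannot be stress-based-mitigation or fully-automatic")
        if sig.state == "detect-only":
            errors.append("http family: only learn-only or mitigate is allowed")

    # persistent dns/network: state, threshold-mode and manual thresholds must stay at defaults.
    if sig.type == "persistent" and sig.family in ("dns", "network"):
        if sig.state != "disabled" or sig.threshold_mode != "manual" or not thresholds_default:
            errors.append("persistent dns/network: state, threshold-mode and manual thresholds must stay default")

    # dynamic: parent context fields are mandatory; dns/network may not be learn-only.
    if sig.type == "dynamic":
        if not (sig.parent_context_type and sig.parent_context and sig.parent_profile):
            errors.append("dynamic: parent-context-type, parent-context and parent-profile are required")
        if sig.family in ("dns", "network") and sig.state == "learn-only":
            errors.append("dynamic dns/network: learn-only is not allowed")

    # parent context consistency rules.
    if sig.parent_context_type is not None:
        if sig.parent_context_type not in CONTEXT_TYPES:
            errors.append(f"parent-context-type must be one of {CONTEXT_TYPES}")
        if sig.parent_context_type == "device" and sig.parent_context != "Device":
            errors.append('parent-context-type device requires parent-context "Device"')
        if sig.parent_context_type == "device-netflow":
            if sig.parent_context != "NetFlow":
                errors.append('parent-context-type device-netflow requires parent-context "NetFlow"')
            if sig.manual_mitigation_threshold != INFINITE:
                errors.append("device-netflow: manual-mitigation-threshold must be infinite (4294967295)")
            if sig.threshold_mode == "stress-based-mitigation":
                errors.append("device-netflow: threshold-mode cannot be stress-based-mitigation")
        if sig.parent_context_type in ("device", "device-netflow") and \
                sig.parent_profile != "/Common/dos-device-config":
            errors.append('device/device-netflow requires parent-profile "/Common/dos-device-config"')
    return errors


def effective_thresholds(sig: DosSignature, auto_detection: Optional[int] = None,
                         inherited_multiplier: Optional[int] = None):
    """Return (detection, mitigation) in EPS; None marks a value only the system can compute.

    auto_detection is the system-computed detection threshold (caller-supplied here, an assumption);
    inherited_multiplier is the profile-level percentage used when the signature sets none.
    """
    if sig.threshold_mode == "manual":
        return sig.manual_detection_threshold, sig.manual_mitigation_threshold
    if sig.threshold_mode == "stress-based-mitigation":
        return sig.manual_detection_threshold, None
    if sig.threshold_mode == "fully-automatic":
        return None, None
    pct = sig.multiplier_mitigation_percentage
    if pct is None:
        pct = inherited_multiplier
    # Assumed arithmetic: detection threshold times percentage, rounded down.
    return auto_detection, auto_detection * pct // 100


if __name__ == "__main__":
    # Constructed sample: the http signature from the EXAMPLES section with the thresholds the page requires.
    sample = DosSignature(name="Sig_Device_ToS", family="http", manual_detection_threshold=0,
                          manual_mitigation_threshold=0, predicates=[("metric", "operator", "arguments")])
    print(validate(sample) or "ok")
```

       Run it against a rendering of your intended configuration before issuing the create or modify command; a
       non-empty list from validate() points at the option that tmsh would reject or silently leave at its
       default.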

SEE ALSO
       edit, list, modify, security, security dos, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2017. All rights reserved.

BIG-IP						      2019-05-21			security dos dos-signature(1)