security dos profile
security dos profile(1) BIG-IP TMSH Manual security dos profile(1)
NAME
profile - Configures a DoS profile.
MODULE
security dos
SYNTAX
Configure the profile component within the security dos module using the syntax shown in the following
sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
app-service [[string] | none]
application [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
bot-defense {
collect-stats [enabled | disabled]
cross-domain-requests [allow-all | validate-bulk | validate-upon-request]
external-domains [none | add | delete | replace-all-with] { [string] ... }
grace-period [integer]
mode [always | disabled | during-attacks]
site-domains [none | add | delete | replace-all-with] { [string] ... }
url-whitelist [none | add | delete | replace-all-with] { [string] ... }
browser-legit-enabled [enabled | disabled]
browser-legit-captcha [enabled | disabled]
}
bot-signatures {
categories [none | add | delete | modify | replace-all-with] {
action {
[block | none | report]
}
}
check [enabled | disabled]
disabled-signatures [none | add | delete | modify | replace-all-with]
}
captcha-response {
failure {
body [string]
type [custom | default]
}
first {
body [string]
type [custom | default]
}
}
geolocations [none | add | delete | modify | replace-all-with] {
options:
[black-listed | white-listed]
}
heavy-urls {
automatic-detection [enabled | disabled]
exclude [none | add | delete | replace-all-with] { [string] ... }
include [none | add | delete | replace-all-with] { [string] ... }
include-list [none | add | delete | replace-all-with] { [string] { [integer] } ... }
latency-threshold [integer]
protection [enabled | disabled]
}
ip-whitelist [none | add | delete | modify | replace-all-with] {
[address ... | address/mask ... ]
}
stress-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
geo-maximum-auto-tps [integer]
geo-minimum-auto-tps [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
behavioral {
dos-detection [enabled | disabled]
mitigation-mode [none | conservative | standard | aggressive ]
signatures [enabled | disabled]
signatures-approved-only [enabled | disabled]
accelerated-signatures [enabled | disabled]
tls-signatures [enabled | disabled]
tls-fp [enabled | disabled]
}
}
tcp-dump {
maximum-duration [integer]
maximum-size [integer]
record-traffic [enabled | disabled]
repetition-interval [[integer] | once-per-attack]
}
tps-based {
de-escalation-period [integer]
escalation-period [integer]
geo-captcha-challenge [enabled | disabled]
geo-client-side-defense [enabled | disabled]
geo-minimum-share [integer]
geo-rate-limiting [enabled | disabled]
geo-request-blocking-mode [block-all | rate-limit]
geo-share-increase-rate [integer]
ip-captcha-challenge [enabled | disabled]
ip-client-side-defense [enabled | disabled]
ip-maximum-tps [integer]
ip-minimum-tps [integer]
ip-rate-limiting [enabled | disabled]
ip-request-blocking-mode [block-all | rate-limit]
ip-tps-increase-rate [integer]
ip-maximum-auto-tps [integer]
ip-minimum-auto-tps [integer]
mode [off | transparent | blocking]
thresholds-mode [manual | automatic]
site-captcha-challenge [enabled | disabled]
site-client-side-defense [enabled | disabled]
site-maximum-tps [integer]
site-minimum-tps [integer]
site-rate-limiting [enabled | disabled]
site-tps-increase-rate [integer]
site-maximum-auto-tps [integer]
site-minimum-auto-tps [integer]
static-url-mitigation [enabled | disabled]
url-captcha-challenge [enabled | disabled]
url-client-side-defense [enabled | disabled]
url-maximum-tps [integer]
url-minimum-tps [integer]
url-rate-limiting [enabled | disabled]
url-tps-increase-rate [integer]
url-maximum-auto-tps [integer]
url-minimum-auto-tps [integer]
url-enable-heavy [enabled | disabled]
device-captcha-challenge [enabled | disabled]
device-client-side-defense [enabled | disabled]
device-maximum-tps [integer]
device-minimum-tps [integer]
device-rate-limiting [enabled | disabled]
device-request-blocking-mode [block-all | rate-limit]
device-tps-increase-rate [integer]
device-maximum-auto-tps [integer]
device-minimum-auto-tps [integer]
}
trigger-irule [enabled | disabled]
single-page-application [enabled | disabled]
scrubbing-enable [enabled | disabled]
scrubbing-duration-sec [integer]
rtbh-enable [enabled | disabled]
rtbh-duration-sec [integer]
fastl4-acceleration-profile [fastL4 profile name]
}
}
custom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
options:
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
state [detect-only | disabled | learn-only | mitigate]
threshold-mode [fully-automatic | manual | stress-based-mitigation]
}
}
description [string]
dos-network [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
dynamic-signatures {
detection [disabled | enabled | learn-only]
mitigation [none | low | medium | high | manual-multiplier]
scrubber-advertisement-period [integer]
scrubber-category [name]
scrubber-enable [yes | no]
}
multiplier-mitigation-percentage [integer]
network-attack-vector [none | add | delete | modify | replace-all-with] {
attack-type [ext-hdr-too-large | hop-cnt-low | host-unreachable |
icmpv4-flood | icmpv6-flood | icmp-frag | ip-frag-flood |
ip-opt-frames | ipv6-ext-hdr-frames | ipv6-frag-flood |
non-tcp-connection | opt-present-with-illegal-len | sweep |
tcp-half-open | tcp-opt-overruns-tcp-hdr | tcp-psh-flood |
tcp-rst-flood | tcp-syn-flood | tcp-synack-flood | tcp-syn-oversize |
tcp-bad-urg | tcp-window-size | tidcmp | too-many-ext-hdrs |
udp-flood | unk-tcp-opt-type]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled ]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
packet-types [suspicious | ipfrag | exthdr | tcp-syn-only |
tcp-synack | tcp-rst | host-unrch | tidcmp | icmp | udp-flood |
dns-query-a | dns-query-aaaa | dns-query-any | dns-query-axfr |
dns-query-cname | dns-query-ixfr | dns-query-mx | dns-query-ns
| dns-query-other | dns-query-ptr | dns-query-soa |
dns-query-srv | dns-query-src | dns-query-txt | sip-method-ack
| sip-method-cancel | sip-method-message | sip-method-options |
sip-method-prack | sip-method-register | sip-method-bye |
sip-method-invite | sip-method-notify | sip-method-other |
sip-method-publish | sip-method-subscribe ]
state [disabled | learn-only | detect-only | mitigate]
suspicious [ false | true ]
threshold-mode [manual | stress-based-mitigation | fully-automatic]
}
}
}
protocol-dns [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
dns-query-vector [none | add | delete | modify | replace-all-with] {
query-type [a | aaaa | any | axfr | cname | ixfr | mx | ns | nxdomain |
other | ptr | soa | srv | txt ]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled ]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
state [disabled | learn-only | detect-only | mitigate]
suspicious [ false | true ]
threshold-mode [manual | stress-based-mitigation | fully-automatic]
valid-domains [none | add | delete | replace-all-with] {
[domain-name] ...
}
}
multiplier-mitigation-percentage [integer]
prot-err-attack-detection [integer]
prot-err-atck-rate-incr [integer]
}
}
protocol-sip [none | add | delete | modify | replace-all-with] {
[sub-profile-name] ... {
options:
multiplier-mitigation-percentage [integer]
prot-err-atck-rate-increase [integer]
prot-err-atck-rate-threshold [integer]
prot-err-attack-detection [integer]
sip-attack-vector [none | add | delete | modify | replace-all-with] {
type [ack | cancel | message | options | prack | register
| bye | invite | notify | other | publish | subscribe | uri-limit]
options:
enforce [disabled | enabled]
auto-blacklisting [disabled | enabled]
auto-threshold [disabled | enabled ]
allow-upstream-scrubbing [disabled | enabled]
attacked-dst [disabled | enabled]
auto-scrubbing [disabled | enabled]
bad-actor [disabled | enabled]
blacklist-detection-seconds [integer]
blacklist-duration [integer]
blacklist-category [enter name of ip-intelligence category]
multiplier-mitigation-percentage [integer]
per-source-ip-detection-pps [integer]
per-source-ip-limit-pps [integer]
per-dst-ip-detection-pps [integer]
per-dst-ip-limit-pps [integer]
scrubbing-category [[category name] | none]
scrubbing-detection-seconds [integer]
scrubbing-duration [integer]
rate-increase [integer]
rate-limit [integer | infinite]
rate-threshold [integer | infinite]
state [disabled | learn-only | detect-only | mitigate]
suspicious [ false | true ]
threshold-mode [manual | manual-multiplier-mitigation | stress-based-mitigation | fully-automatic]
}
}
}
whitelist [enter addresses list name]
http-whitelist [enter addresses list name]
reset-stats profile [ [ [name] | [glob] | [regex] ] ... ]
options:
dos-dnsnxdomain-stat
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
show profile [ [ [name] | [glob] | [regex] ] ... ]
options:
dns-nxdomain-stat
field-fmt
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete a DoS profile for use with DoS
Protection functionality.
EXAMPLES
create profile my_dos_profile
Creates a custom DoS profile named my_dos_profile with initial settings.
list profile
Displays the properties of all DoS profiles.
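The following is an added, fuller example that is not part of the original manual page. It creates a
Layer 7 DoS profile whose Application Security sub-profile runs a TPS-based anomaly policy in blocking
mode, enables heavy URL protection and attack-time traffic capture, verifies what was stored, and
attaches the profile to a virtual server. Full component paths are used so the commands work from the
tmsh root. The profile name, sub-profile name, thresholds and the virtual server name vs_app are
assumptions; the virtual server must already carry an HTTP profile for the Application Security
sub-profile to take effect.

```tmsh
create security dos profile l7_dos_example description "L7 DoS: TPS-based, blocking" application add {
    l7_dos_example {
        tps-based {
            mode blocking
            thresholds-mode manual
            escalation-period 120
            de-escalation-period 7200
            ip-tps-increase-rate 500
            ip-minimum-tps 200
            ip-maximum-tps 1000
            ip-client-side-defense enabled
            ip-rate-limiting enabled
            ip-request-blocking-mode rate-limit
            url-tps-increase-rate 500
            url-minimum-tps 1000
            url-maximum-tps 5000
            url-client-side-defense enabled
            url-rate-limiting enabled
            url-enable-heavy enabled
        }
        heavy-urls {
            automatic-detection enabled
            latency-threshold 1000
            exclude add { /static/* }
        }
        bot-defense {
            mode during-attacks
            grace-period 300
        }
        tcp-dump {
            record-traffic enabled
            maximum-duration 300
            maximum-size 10
            repetition-interval once-per-attack
        }
    }
}

list security dos profile l7_dos_example all-properties

modify ltm virtual vs_app profiles add { l7_dos_example }

show security dos profile l7_dos_example

save sys config
```

With these values a single source IP is treated as attacking when its TPS rises by 500% and reaches at
least 200 TPS, or when it reaches 1000 TPS regardless of the increase; the URL criteria work the same way
per URL. Run the profile in transparent mode against production traffic first and use show to confirm
the thresholds are not tripped by legitimate peaks before switching mode to blocking.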
OPTIONS
app-service
Specifies the name of the application service to which the profile belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the profile. Only the application service can modify or delete the profile.
application
Adds, deletes, or replaces a single Application Security sub-profile. You can configure the following
options for Application Security:
bot-defense
Specifies properties of proactive bot defense in Application Security. You can configure the
following options for Proactive Bot Defense:
collect-stats
Enables or disables domain statistics collection.
cross-domain-requests
Specifies a cross-domain requests handling mode. The options are:
allow-all
Allows all cross-domain requests. This is the default value.
validate-bulk
The system validates domains in bulk: the cookies for the related domains are created together
with the cookie for the current domain, by generating challenges in iframes, one per domain.
validate-upon-request
The system validates domains upon request: the cookie for a related domain is generated when
a request arrives at an unqualified URL without a cookie.
external-domains
Configures a list of external domains that are allowed to link to resources of this website.
grace-period
Specifies the length of grace period (in seconds) in which only the Simple Bot Prevention is
enforced.
mode Specifies a mode of proactive bot defense. The options are:
always
Specifies that the proactive bot defense is always enabled.
disabled
Specifies that the proactive bot defense is disabled. This is the default value.
during-attacks
Specifies that the proactive bot defense is enabled only during attacks.
site-domains
Configures a list of domains that are part of the website.
url-whitelist
Configures a list of URLs to exclude from the proactive bot defense.
browser-legit-enabled
Enables or disables the proactive bot defense validation of browser legitimacy and blocking of
requests from suspicious clients.
browser-legit-captcha
Enables or disables the browser legitimacy detection improvement using CAPTCHA. In order to
enable it, you must first enable browser-legit-enabled.
bot-signatures
Specifies settings of Bot Signatures in Application Security. You can configure the following
options for Bot Signatures:
categories
Specifies the action for each Bot Signature Category. You can configure the following options
for each Bot Signature Category:
action
Specifies the action for the Bot Signature Category. The possible actions are none, block
and report.
check
Enables or disables Bot Signature checking, which allows bots to be detected.
disabled-signatures
Configures a list of Bot Signatures that are disabled (not checked).
captcha-response
Specifies properties of the CAPTCHA response in Application Security. You can configure the
following options for CAPTCHA Response Settings:
failure
Specifies properties of a failed CAPTCHA response. You can configure the following options for
a failed CAPTCHA response:
body Configures a failed CAPTCHA response body.
type Configures a type of a failed CAPTCHA response body. You can configure the following
options for a failed CAPTCHA response type:
custom
Configures a custom failed CAPTCHA response type.
default
Configures a default failed CAPTCHA response type.
first
Specifies properties of the first CAPTCHA response. You can configure the following options for
the first CAPTCHA response:
body Configures the first CAPTCHA response body.
type Configures a type of the first CAPTCHA response body. You can configure the following
options for the first CAPTCHA response type:
custom
Configures a custom first CAPTCHA response type.
default
Configures a default first CAPTCHA response type.
geolocations
Configures a list of blacklisted/whitelisted Geolocations. You can configure the following options
for each Geolocation:
[black-listed | white-listed]
Specifies a type of Geolocation.
heavy-urls
Specifies heavy URL protection in Application Security. You can configure the following options for
heavy URL protection:
automatic-detection
Enables or disables automatic heavy URL detection. In order to enable it, you must first enable
protection.
exclude
Configures a list of URLs (or wildcards) to exclude from the heavy URLs.
include
(Deprecated, use include-list) Configures a list of URLs to include in the heavy URLs.
include-list
Configures a list of URLs to include in the heavy URLs.
latency-threshold
Specifies the latency threshold for automatic heavy URL detection (in milliseconds).
protection
(Deprecated, use stress/tps.url-enable-heavy) Enables or disables heavy URL protection. To
enable it, you must additionally enable one of the following DoS URL-based prevention policy
methods: url-client-side-defense or url-rate-limiting. This can be done for either tps-based or
stress-based anomaly protection.
ip-whitelist
Attribute ip-whitelist is deprecated in version 13.0.0; consider using http-whitelist instead.
Adds, deletes, or replaces a set of IP addresses and subnets in the whitelist of Application
Security.
name Specifies a placeholder name for the Application Security sub-profile. This option is required
for the operations create, delete, modify, and replace-all-with.
stress-based
Specifies Stress-based anomaly in Application Security. You can configure the following options for
Stress-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in Stress-based anomaly.
escalation-period
Specifies the escalation period (in seconds) in Stress-based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge in Stress-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side integrity defense in Stress-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in Geolocation detection criteria of Stress-
based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in Stress-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the respective Geolocation based on the
traffic share ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage by which TPS increased in Geolocation detection criteria of Stress-
based anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in Stress-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side integrity defense in Stress-based anomaly.
ip-maximum-tps
Specifies the TPS value that, once reached by a single source IP address, is treated as an attack
in the IP detection criteria of Stress-based anomaly, regardless of the increase rate.
ip-minimum-tps
Specifies the minimum TPS a source IP address must reach before the ip-tps-increase-rate
criterion is evaluated in the IP detection criteria of Stress-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in Stress-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of Stress-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the respective Source IP address based on
the traffic share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage increase in TPS from a single source IP address that is treated as an
attack in the IP detection criteria of Stress-based anomaly.
mode Specifies an operation mode of Stress-based anomaly. The options are:
off Specifies that the system does not check for DoS attacks. This is the default value.
transparent
Specifies that when the system detects an attack, it displays the attack data on the
Reporting DoS Attacks screen. In transparent mode the system does not drop requests either
from the attacking IP address, or to attacked URLs.
blocking
Specifies that when the system detects an attack, in addition to displaying the attack
data on the Reporting DoS Attacks screen, the system also drops either connections from
the attacking IP address, or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in Stress-based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity defense in Stress-based anomaly.
site-maximum-tps
Specifies the site-wide TPS value that, once reached, is treated as an attack in the Site-wide
detection criteria of Stress-based anomaly, regardless of the increase rate.
site-minimum-tps
Specifies the minimum site-wide TPS that must be reached before the site-tps-increase-rate
criterion is evaluated in the Site-wide detection criteria of Stress-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in Stress-based anomaly.
site-tps-increase-rate
Specifies the percentage increase in site-wide TPS that is treated as an attack in the Site-wide
detection criteria of Stress-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in Stress-based anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in Stress-based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity defense in Stress-based anomaly.
url-maximum-tps
Specifies the TPS value that, once reached by a single URL, is treated as an attack in the URL
detection criteria of Stress-based anomaly, regardless of the increase rate.
url-minimum-tps
Specifies the minimum TPS a URL must reach before the url-tps-increase-rate criterion is
evaluated in the URL detection criteria of Stress-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in Stress-based anomaly.
url-tps-increase-rate
Specifies the percentage increase in TPS to a single URL that is treated as an attack in the URL
detection criteria of Stress-based anomaly.
behavioral
Specifies properties of Behavioral Detection in Stress-based anomaly. You can configure the
following options for Behavioral Detection:
dos-detection
Enables or disables the Behavior Based Detection.
mitigation-mode
Specifies the mitigation impact on suspicious bad actors and requests. The options are:
none
Learns and monitors traffic behavior, but takes no action.
conservative
Slows down and rate limits requests from anomalous IP addresses based on the anomaly detection
confidence and the server's health. If signatures are enabled, blocks requests that match the
attack signatures.
standard
Slows down requests from anomalous IP addresses based on the anomaly detection confidence and
the server's health. Rate limits requests from anomalous IP addresses and, if necessary, rate
limits all requests based on the server's health. Limits the number of concurrent connections
from anomalous IP addresses and, if necessary, limits the number of all concurrent connections
based on the server's health. If signatures are enabled, blocks requests that match the attack
signatures.
aggressive
Slows down requests from anomalous IP addresses based on the anomaly detection confidence and
the server's health. Rate limits requests from anomalous IP addresses and, if necessary, rate
limits all requests based on the server's health. Limits the number of concurrent connections
from anomalous IP addresses and, if necessary, limits the number of all concurrent connections
based on the server's health. Proactively performs all protection actions (even before an
attack) and increases the impact of the protection techniques. If signatures are enabled, blocks
requests that match the attack signatures and increases the impact of blocked requests.
signatures
Enables or disables signature usage and mitigation.
signatures-approved-only
Restricts signature-based mitigation to manually approved signatures.
accelerated-signatures
Enables or disables signature-based detection before the connection is established. When an
attack is detected, the system automatically enables the SYN cookie mechanism.
tls-signatures
Enables or disables TLS signature detection before the connection is established.
tls-fp
Enables or disables the use of TLS fingerprint patterns as an extension of bad actor detection.
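Added example, not from the original manual page, showing a staged rollout of Behavioral DoS. The
profile is first created in transparent mode with mitigation-mode none, so the system learns a traffic
baseline and generates dynamic signatures without acting on them; after the learning period, and once
the generated signatures have been reviewed and approved, it is switched to blocking with conservative
mitigation restricted to approved signatures. The profile name bados_example and the virtual server
name vs_app are assumptions, and full component paths are used so the commands work from the tmsh root.

```tmsh
create security dos profile bados_example application add {
    bados_example {
        stress-based {
            mode transparent
            thresholds-mode automatic
            behavioral {
                dos-detection enabled
                mitigation-mode none
                signatures enabled
                signatures-approved-only enabled
                tls-fp enabled
            }
        }
    }
}

modify ltm virtual vs_app profiles add { bados_example }

modify security dos profile bados_example application modify {
    bados_example {
        stress-based {
            mode blocking
            behavioral {
                mitigation-mode conservative
                accelerated-signatures enabled
            }
        }
    }
}

list security dos profile bados_example
show security dos profile bados_example
```

Because signatures-approved-only is set from the start, the switch to conservative mitigation only
acts on signatures an operator has approved; unapproved signatures keep being reported without
blocking. Enabling accelerated-signatures in the second step also means SYN cookies are turned on
automatically during an attack, which is worth confirming against the virtual server's TCP profile
settings.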
tcp-dump
Specifies properties of traffic recording during attacks in Application Security. You can configure
the following options for Record Traffic During Attacks:
maximum-duration
Specifies the TCP dump maximum duration (in seconds).
maximum-size
Specifies the TCP dump maximum size (in megabytes).
record-traffic
Enables or disables traffic recording during attacks.
repetition-interval
Specifies the TCP dump repetition interval (in seconds), or once-per-attack to record a single dump
per attack.
tps-based
Specifies TPS-based anomaly in Application Security. You can configure the following options for
TPS-based anomaly:
de-escalation-period
Specifies the de-escalation period (in seconds) in TPS-based anomaly.
escalation-period
Specifies the escalation period (in seconds) in TPS-based anomaly.
geo-captcha-challenge
Enables or disables Geolocation-based CAPTCHA challenge in TPS-based anomaly.
geo-client-side-defense
Enables or disables Geolocation-based client side integrity defense in TPS-based anomaly.
geo-minimum-share
Specifies the minimum traffic share for detection in Geolocation detection criteria of TPS-
based anomaly.
geo-rate-limiting
Enables or disables Geolocation-based rate limiting in TPS-based anomaly.
geo-request-blocking-mode
Specifies a Geolocation-based request blocking mode of TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from the respective Geolocation.
rate-limit
Specifies that the system blocks requests from the respective Geolocation based on the
traffic share ratio. This is the default value.
geo-share-increase-rate
Specifies the percentage by which TPS increased in Geolocation detection criteria of TPS-based
anomaly.
ip-captcha-challenge
Enables or disables Source IP-based CAPTCHA challenge in TPS-based anomaly.
ip-client-side-defense
Enables or disables Source IP-based client side integrity defense in TPS-based anomaly.
ip-maximum-tps
Specifies the TPS value that, once reached by a single source IP address, is treated as an attack
in the IP detection criteria of TPS-based anomaly, regardless of the increase rate.
ip-minimum-tps
Specifies the minimum TPS a source IP address must reach before the ip-tps-increase-rate
criterion is evaluated in the IP detection criteria of TPS-based anomaly.
ip-rate-limiting
Enables or disables Source IP-based rate limiting in TPS-based anomaly.
ip-request-blocking-mode
Specifies a Source IP-based request blocking mode of TPS-based anomaly. The options are:
block-all
Specifies that the system blocks all requests from the respective Source IP address.
rate-limit
Specifies that the system blocks requests from the respective Source IP address based on
the traffic share ratio. This is the default value.
ip-tps-increase-rate
Specifies the percentage increase in TPS from a single source IP address that is treated as an
attack in the IP detection criteria of TPS-based anomaly.
mode Specifies an operation mode of TPS-based anomaly. The options are:
off Specifies that the system does not check for DoS attacks. This is the default value.
transparent
Specifies that when the system detects an attack, it displays the attack data on the
Reporting DoS Attacks screen. In transparent mode the system does not drop requests either
from the attacking IP address, or to attacked URLs.
blocking
Specifies that when the system detects an attack, in addition to displaying the attack
data on the Reporting DoS Attacks screen, the system also drops either connections from
the attacking IP address, or requests to attacked URLs.
site-captcha-challenge
Enables or disables Site-wide CAPTCHA challenge in TPS-based anomaly.
site-client-side-defense
Enables or disables Site-wide client side integrity defense in TPS-based anomaly.
site-maximum-tps
Specifies the site-wide TPS value that, once reached, is treated as an attack in the Site-wide
detection criteria of TPS-based anomaly, regardless of the increase rate.
site-minimum-tps
Specifies the minimum site-wide TPS that must be reached before the site-tps-increase-rate
criterion is evaluated in the Site-wide detection criteria of TPS-based anomaly.
site-rate-limiting
Enables or disables Site-wide rate limiting in TPS-based anomaly.
site-tps-increase-rate
Specifies the percentage increase in site-wide TPS that is treated as an attack in the Site-wide
detection criteria of TPS-based anomaly.
static-url-mitigation
Enables or disables Static URL mitigation in TPS-based anomaly.
url-captcha-challenge
Enables or disables URL-based CAPTCHA challenge in TPS-based anomaly.
url-client-side-defense
Enables or disables URL-based client side integrity defense in TPS-based anomaly.
url-maximum-tps
Specifies the TPS value that, once reached by a single URL, is treated as an attack in the URL
detection criteria of TPS-based anomaly, regardless of the increase rate.
url-minimum-tps
Specifies the minimum TPS a URL must reach before the url-tps-increase-rate criterion is
evaluated in the URL detection criteria of TPS-based anomaly.
url-rate-limiting
Enables or disables URL-based rate limiting in TPS-based anomaly.
url-tps-increase-rate
Specifies the percentage increase in TPS to a single URL that is treated as an attack in the URL
detection criteria of TPS-based anomaly.
trigger-irule
Specifies, when enabled, that the system activates an Application DoS iRule event. The default value
is disabled.
single-page-application
Specifies, when enabled, that the system supports Single Page Applications. The default value is
disabled.
fastl4-acceleration-profile
Specifies the fastL4 profile used for DoS acceleration. Set to none to disable acceleration.
scrubbing-enable
Specifies whether to enable Traffic Scrubbing during attacks by advertising BGP routes. This requires
a security scrubber profile to be configured, and functions even when mode is set to transparent.
scrubbing-duration-sec
Specifies the duration of the Traffic Scrubbing BGP route advertisement, in seconds. This is used when
scrubbing-enable is enabled.
rtbh-enable
Specifies whether to enable Remote Triggered Black Hole (RTBH) routing of attacking IPs by advertising
BGP routes. This requires a security blacklist-publisher to be configured, and functions even when
mode is set to transparent.
rtbh-duration-sec
Specifies the duration of the RTBH BGP route advertisement, in seconds. This is used when rtbh-enable is
enabled.
description
Specifies a user-defined description of the profile.
protocol-dns
Adds, deletes, or replaces a single Protocol DNS Security sub-profile. You can configure the following
options for Protocol DNS Security:
name Specifies a placeholder name for the Protocol DNS Security sub-profile. This option is required
for the operations create, delete, modify, and replace-all-with.
dynamic-signatures
Specifies options related to the DNS Behavioral DoS (Dynamic Signatures) feature, which applies per
virtual server by virtue of attaching a DoS profile to that virtual server. The following options are
configurable for this feature:
detection
Specifies the mode for detection of traffic anomalies for the purpose of dynamic signature
generation. The supported modes are disabled, enabled and learn-only.
The learn-only mode is the same as enabled, except that the system does not generate logs or alert
the user. It is used mainly to learn the baseline thresholds for the traffic.
The default is disabled.
mitigation
Specifies the mode for mitigation of anomalous traffic (expressed in the form of dynamic signatures).
The supported modes are none, low, medium, high and manual-multiplier (see
multiplier-mitigation-percentage).
Each mode represents the severity (or aggressiveness) with which the system mitigates the anomalous
traffic.
The default is none.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value, in percent, applied to all vectors in the DNS DoS profile
when using manual-multiplier-mitigation mode.
dns-query-vector
Adds, deletes, or replaces Protocol DNS DoS vectors. You can configure the following options for DNS
query vectors:
query-type
Specifies the vector (DNS query) type for DoS attack detection.
enforce
This option is deprecated in version 13.1.0 and is replaced by state. Enables or disables the packet
drop action of DoS detection for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by threshold-mode. Enables the automatic
threshold mode for DoS detection and mitigation. The default value is disabled.
allow-upstream-scrubbing
Enables upstream scrubbing for this vector. The default value is disabled.
attacked-dst
Enables attacked-destination detection. The default value is disabled.
auto-scrubbing
Enables automatic scrubbing of the attacked destination IP. The default value is disabled.
bad-actor
Enables per-source-IP bad actor detection.
multiplier-mitigation-percentage
Specifies the mitigation multiplier value of this specific vector in percentage when using manual-
multiplier-mitigation mode, The default value used is inherited from the dns dos profile.
per-source-ip-detection-pps
Bad actor detection rate (for single IP address) of this vector
per-source-ip-limit-pps
Bad actor allowed rate (for single IP address) of this vector
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per destination IP. The default value is infinite.
per-dst-ip-limit-pps.
Specifies the attack mitigation threshold (pps) per destination IP. The default value is infinite.
scrubbing-category
Specifies per-DstIP scrubbing category. The default value is none.
scrubbing-detection-seconds
Specifies duration in seconds for which the destination IP has been offended/attacked. The default
value is 10.
scrubbing-duration
Specifies duration in seconds for which this IP should be scrubbed. The default value is 900.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If the value is infinite the detection is
disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection. If the value is infinite the detection is
disabled.
state
Specifies the run time state of this signature. The options are the same as those in network-
attack-vector.
suspicious
Specifies if the vector considers all packets or only unsolicited packets. The default value is
false.
threshold-mode
Enables the threshold mode for dos detection and dos mitigation. The default value is manual. The
options are the same as those in network-attack-vector.
prot-err-attack-detection
Specifies if protocol errors attack detection is enabled or not. Eg: Malformed, Malicious DoS attacks.
prot-err-atck-rate-incr
Specifies the protocol errors rate increase for DoS attack detection.
protocol-sip
Adds, deletes, or replaces a single Protocol SIP Security sub-profile. You can configure the following
options for Protocol SIP Security:
name Specifies a dummy name for enabled Protocol SIP Security. This option is required for the operations
create, delete, modify, and replace-all-with.
prot-err-atck-rate-increase
Specifies the protocol error rate increase for DoS attack detection.
prot-err-atck-rate-threshold
Specifies the protocol error rate threshold for DoS attack detection.
prot-err-attack-detection
Specifies whether protocol error attack detection is enabled, e.g. for malformed packet DoS attacks.
multiplier-mitigation-percentage
Specifies the mitigation multiplier, as a percentage, applied to all vectors in the SIP DoS profile when
using manual-multiplier-mitigation mode.
sip-attack-vector
Adds, deletes, or replaces Protocol SIP DoS vectors. You can configure the following options for SIP
method vectors:
type Specifies the vector type (SIP method) for DoS attack detection.
enforce
This option is deprecated in version 13.1.0 and is replaced by state. Enables or disables the packet
drop action of DoS detection for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by threshold-mode. Enables the automatic
threshold mode for DoS detection and mitigation. The default value is disabled.
allow-upstream-scrubbing
Allows upstream scrubbing. The default value is disabled.
attacked-dst
Enables attacked-destination handling. The default value is disabled.
auto-scrubbing
Enables automatic destination IP scrubbing. The default value is disabled.
bad-actor
Enables per-source-IP bad actor detection.
multiplier-mitigation-percentage
Specifies the mitigation multiplier, as a percentage, for this specific vector when using
manual-multiplier-mitigation mode. The default value is inherited from the SIP DoS profile.
per-source-ip-detection-pps
Specifies the bad actor detection rate (pps, for a single source IP address) of this vector.
per-source-ip-limit-pps
Specifies the bad actor allowed rate (pps, for a single source IP address) of this vector.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per destination IP. The default value is infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per destination IP. The default value is infinite.
scrubbing-category
Specifies the per-destination-IP scrubbing category. The default value is none.
scrubbing-detection-seconds
Specifies the duration, in seconds, for which the destination IP must have been under attack before it
is scrubbed. The default value is 10.
scrubbing-duration
Specifies the duration, in seconds, for which the destination IP is scrubbed. The default value is 900.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If the value is infinite, the detection is disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection. If the value is infinite, the detection is
disabled.
state
Specifies the run-time state of this signature. The options are the same as those in
network-attack-vector.
suspicious
Specifies whether the vector considers all packets or only unsolicited packets. The default value is
false.
threshold-mode
Enables the threshold mode for DoS detection and mitigation. The default value is manual. The options
are the same as those in network-attack-vector.
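The per-source-IP bad-actor options (bad-actor, per-source-ip-detection-pps, per-source-ip-limit-pps) and the per-destination-IP scrubbing options (auto-scrubbing, per-dst-ip-detection-pps, scrubbing-category, scrubbing-detection-seconds, scrubbing-duration) are shared by dns-query-vector, sip-attack-vector and network-attack-vector, and their effect only becomes visible over several seconds of traffic. The following Python model is an added illustration, not code from the tmsh manual or from BIG-IP: it aggregates constructed per-second traffic samples and applies the option semantics as described above under simplifying assumptions (fixed one-second windows, per-source rate limiting modelled as dropping everything above per-source-ip-limit-pps, and per-dst-ip-limit-pps, attacked-dst and allow-upstream-scrubbing left out). The IP addresses, packet rates and threshold values are constructed sample data; attacked_ips is the category name the page itself uses.

```python
"""Simplified model of the per-source-IP bad-actor options and the
per-destination-IP auto-scrubbing timers shared by dns-query-vector,
sip-attack-vector and network-attack-vector.  Added illustration, not
BIG-IP code: the per-second aggregation and timers are assumptions chosen
to make the documented option semantics visible."""
import math
from collections import defaultdict
from dataclasses import dataclass

INFINITE = math.inf  # "infinite" on the page means the check is disabled


@dataclass
class VectorConfig:
    bad_actor: bool = False                       # bad-actor
    per_source_ip_detection_pps: float = INFINITE
    per_source_ip_limit_pps: float = INFINITE
    auto_scrubbing: bool = False                  # auto-scrubbing
    per_dst_ip_detection_pps: float = INFINITE
    scrubbing_category: str = "none"              # page default
    scrubbing_detection_seconds: int = 10         # page default
    scrubbing_duration: int = 900                 # page default


class VectorState:
    """Mutable per-vector bookkeeping carried from one second to the next."""

    def __init__(self, cfg: VectorConfig):
        self.cfg = cfg
        self.offended_since = {}   # dst -> first second at/above the detection rate
        self.scrubbed_until = {}   # dst -> second at which scrubbing expires


def process_second(state, second, flows):
    """flows: list of (src, dst, pps) observed during this one-second window.
    Returns the list of events the vector raises for that second."""
    cfg, events = state.cfg, []
    by_src, by_dst = defaultdict(float), defaultdict(float)
    for src, dst, pps in flows:
        by_src[src] += pps
        by_dst[dst] += pps

    # per-source-ip-detection-pps / per-source-ip-limit-pps only apply when
    # bad-actor detection is enabled on the vector
    if cfg.bad_actor:
        for src, pps in sorted(by_src.items()):
            if pps >= cfg.per_source_ip_detection_pps:
                events.append(("bad-actor-detected", src))
            if pps > cfg.per_source_ip_limit_pps:
                dropped = pps - cfg.per_source_ip_limit_pps   # assumption: excess is dropped
                events.append(("bad-actor-rate-limited", src, dropped))

    # per-dst-ip-detection-pps drives scrubbing: the destination must stay
    # under attack for scrubbing-detection-seconds before it is advertised
    # to the scrubber, and then stays scrubbed for scrubbing-duration
    if cfg.auto_scrubbing:
        for dst, pps in sorted(by_dst.items()):
            if second < state.scrubbed_until.get(dst, -1):
                events.append(("scrubbed", dst))
                continue
            if pps >= cfg.per_dst_ip_detection_pps:
                start = state.offended_since.setdefault(dst, second)
                if second - start + 1 >= cfg.scrubbing_detection_seconds:
                    state.scrubbed_until[dst] = second + cfg.scrubbing_duration
                    del state.offended_since[dst]
                    events.append(("scrub-advertised", dst, cfg.scrubbing_category))
            else:
                state.offended_since.pop(dst, None)  # attack stopped: restart the timer
    return events


def run_demo(seconds=12):
    """Constructed traffic: one legitimate client and one bad actor hitting
    the same destination for `seconds` seconds.  Returns a summary dict."""
    cfg = VectorConfig(
        bad_actor=True,
        per_source_ip_detection_pps=1000,
        per_source_ip_limit_pps=2000,
        auto_scrubbing=True,
        per_dst_ip_detection_pps=4000,
        scrubbing_category="attacked_ips",
    )
    state = VectorState(cfg)
    timeline = {}
    for second in range(seconds):
        flows = [
            ("198.51.100.7", "192.0.2.10", 50),     # legitimate client (constructed)
            ("203.0.113.99", "192.0.2.10", 5000),   # bad actor (constructed)
        ]
        timeline[second] = process_second(state, second, flows)
    advertised = [s for s, ev in timeline.items()
                  if any(e[0] == "scrub-advertised" for e in ev)]
    detected = sum(1 for ev in timeline.values()
                   for e in ev if e[0] == "bad-actor-detected")
    dropped = sum(e[2] for ev in timeline.values()
                  for e in ev if e[0] == "bad-actor-rate-limited")
    legit_flagged = any(e[1] == "198.51.100.7" for ev in timeline.values()
                        for e in ev if e[0].startswith("bad-actor"))
    return {
        "scrub_advertised_at": advertised[0] if advertised else None,
        "scrubbed_until": state.scrubbed_until.get("192.0.2.10"),
        "bad_actor_detections": detected,
        "packets_dropped": dropped,
        "legit_flagged": legit_flagged,
    }


if __name__ == "__main__":
    print(run_demo())
```

With the page defaults of 10 and 900 seconds, the destination is advertised to the scrubber at the tenth second of sustained attack (second 9 in the zero-based timeline) and stays scrubbed until second 909, while the bad actor is reported and rate-limited from the first second and the legitimate client is never flagged. Raising per-dst-ip-detection-pps above the combined rate, or setting it to infinite, removes the scrubbing branch entirely, which is the point of the infinite default.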
dos-network
Adds, deletes, or replaces a single Network DoS Security sub-profile. You can configure the following
options for Network DoS Security:
name Specifies a dummy name for enabled Network DoS Security. This option is required for the operations
create, delete, modify, and replace-all-with.
dynamic-signatures
Specifies options for the L4 Behavioral DoS (Dynamic Signatures) feature. The options apply per virtual
server, by attaching the DoS profile to that virtual server. The following options are configurable:
detection
Specifies the mode used to detect traffic anomalies for dynamic signature generation. The supported
modes are disabled, enabled and learn-only.
The learn-only mode is the same as enabled except that the system generates no logs and does not
alert the user. It is used mainly to learn the baseline thresholds for the traffic.
The default is disabled.
mitigation
Specifies the mode used to mitigate anomalous traffic (described by dynamic signatures). The
supported modes are none, low, medium and high.
Each mode represents the severity (or aggressiveness) with which the system tries to mitigate the
anomalous traffic.
The default is none.
scrubber-enable
Specifies whether attack traffic is scrubbed when it matches a dynamic signature. The default is
no.
scrubber-category
Specifies the IP Intelligence category to which the destination IP address component of traffic
matching a dynamic signature is added for scrubbing. The default category is attacked_ips.
scrubber-advertisement-period
Specifies the period for which the scrubbing advertisement for the attack traffic remains in
effect. The default is 300 seconds.
multiplier-mitigation-percentage
Specifies the mitigation multiplier, as a percentage, applied to all vectors in the network DoS
profile when using manual-multiplier-mitigation mode.
network-attack-vector
Adds, deletes, or replaces Network Attack DoS vectors. You can configure the following options for
Network Attack vectors:
attack-type
Specifies the vector type (Network Attack) for DoS attack detection.
enforce
This option is deprecated in version 13.1.0 and is replaced by state. Enables or disables the
packet drop action of DoS detection for this attack type.
auto-threshold
This option is deprecated in version 13.1.0 and is replaced by threshold-mode. Enables the
automatic threshold mode for DoS detection and mitigation. The default value is disabled.
rate-increase
Specifies the rate increase for DoS attack detection.
rate-limit
Specifies the rate limit for DoS attack detection. If the value is infinite, the detection is
disabled.
rate-threshold
Specifies the rate threshold for DoS attack detection. If the value is infinite, the detection
is disabled.
packet-types
Specifies the packet types for the Sweep attack vector.
allow-upstream-scrubbing
Allows upstream scrubbing. The default value is disabled.
attacked-dst
Enables attacked-destination handling. The default value is disabled.
auto-scrubbing
Enables automatic destination IP scrubbing. The default value is disabled.
bad-actor
Enables per-source-IP bad actor detection.
multiplier-mitigation-percentage
Specifies the mitigation multiplier, as a percentage, for this specific vector when using
manual-multiplier-mitigation mode. The default value is inherited from the network DoS
profile.
per-source-ip-detection-pps
Specifies the bad actor detection rate (pps, for a single source IP address) of this vector.
per-source-ip-limit-pps
Specifies the bad actor allowed rate (pps, for a single source IP address) of this vector.
per-dst-ip-detection-pps
Specifies the attack detection threshold (pps) per destination IP. The default value is
infinite.
per-dst-ip-limit-pps
Specifies the attack mitigation threshold (pps) per destination IP. The default value is
infinite.
scrubbing-category
Specifies the per-destination-IP scrubbing category. The default value is none.
scrubbing-detection-seconds
Specifies the duration, in seconds, for which the destination IP must have been under attack
before it is scrubbed. The default value is 10.
scrubbing-duration
Specifies the duration, in seconds, for which the destination IP is scrubbed. The default value
is 900.
state
Specifies the run-time state of this signature.
The options are:
disabled
Do not learn and do not collect statistics.
learn-only
Learn and collect statistics, but do not "detect" ("alarm" in ASM terms) any attacks.
detect-only
Learn, collect statistics and detect, but do not mitigate (rate-limit/drop, challenge, etc.)
any attacks.
mitigate
Learn, collect statistics, detect and mitigate (using whichever mitigations are configured).
threshold-mode
Enables the threshold mode for DoS detection and mitigation. The default value is manual.
The options are:
manual
Uses the manually configured detection and mitigation thresholds.
stress-based-mitigation
Uses the manually configured detection ("alarm") threshold, but the mitigation threshold is
stress-based.
fully-automatic
Both the detection ("alarm") and mitigation thresholds are computed automatically.
manual-multiplier-mitigation
The detection ("alarm") threshold is computed automatically. The mitigation threshold is the
detection threshold multiplied by the multiplier-mitigation-percentage.
whitelist
Specifies the DoS source IP whitelist configuration.
http-whitelist
Specifies the whitelist of IP addresses and subnets for Application Security (overrides the global
whitelist).
custom-signatures
Specifies options for the L4 Behavioral DoS Signatures feature. The options apply per virtual server, by
attaching one or more signature objects. The following options are configurable:
threshold-mode
Specifies the mode for setting the rate limit thresholds used for the matching traffic. The supported
modes are manual, fully-automatic and stress-based-mitigation. The default is manual.
state
Specifies the operational state of the attached signature. The supported states are disabled,
learn-only, detect-only and mitigate. The default is disabled.
suspicious
Specifies whether the vector considers all packets or only unsolicited packets. The default value is
false.
manual-detection-threshold
Specifies the attack detection threshold of the attached signature. The default is infinite.
manual-mitigation-threshold
Specifies the attack mitigation threshold of the attached signature. The default is infinite.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security, security dos, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015. All rights reserved.
BIG-IP 2019-09-08 security dos profile(1)