PercontextDDoS Reference

This page lists the Percontext DDoS Custom Resource (CR) configuration parameters. Each heading below is a top-level parameter element; nested parameters are addressed with a dotted path, for example udpPortlist.listType to set listType under udpPortlist.

hslPublisher

Parameter Description
hslPublisher Specifies the high-speed logging (HSL) publisher that receives the DoS log messages. References an F5BigLogHslpub CR by its metadata.name.

allowList

Parameter Description
srcAddressList Specifies an F5BigCneAddresslist CR, by its metadata.name, that holds the source IP addresses to exclude from DoS detection and mitigation. Traffic from these addresses is never counted against any vector, so keep the list to trusted sources only.
ipProtocol Specifies the IP protocol the allowList entry matches: any (default), icmp, igmp, tcp, or udp.
entryType Specifies what the allowList entry matches on: destination-match, source-match, v4-all, v6-all, or all-ip.
matchingAddress Specifies the destination IP address when entryType is destination-match, or the source IP address when entryType is source-match.
dstPort Specifies the destination service port the allowList entry matches. The default value is 0, which matches all ports.
srcVlan Specifies the name of the source VLAN the allowList entry matches. The default value is any, which matches all VLANs.

vectors

Parameter Description
ipv4IcmpFlood IPv4 flood vector. Detects or rate-limits IPv4 ICMP floods according to the state and rate-limit configuration. Supports per-source-IP and per-destination-IP detection and rate limiting, which is what the bad-actor and bad-destination handling is based on.
ipv4FragFlood IPv4 flood vector. Detects spoofed IPv4 fragments arriving at a very high rate. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6IcmpFlood IPv6 flood vector. Detects IPv6 ICMP floods. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6FragFlood IPv6 flood vector. Detects spoofed IPv6 fragments arriving at a very high rate. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6LowHopCount IPv6 flood vector. Detects IPv6 packets whose Hop Limit (the base-header field) is less than or equal to the configured ipv6LowHopCount value. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6ExtHdrTooLarge IPv6 flood vector. Detects IPv6 packets carrying an extension header larger than the configured limit. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6WithExtHdrFrames IPv6 flood vector. Detects a flood of IPv6 frames that carry extension headers, as the vector name indicates. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
ipv6TooManyExtHdrs IPv6 flood vector. Detects IPv6 packets with more extension headers than the configured limit. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
udpFlood UDP flood vector. Detects or rate-limits UDP floods. A UDP port list (udpPortlist) can be enabled to scope mitigation. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
tcpRstFlood TCP flood vector. Detects floods of TCP packets with the RST flag set, which attackers use to tear down established connections. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
tcpSynOversize TCP flood vector. Detects TCP SYN packets larger than 64 bytes. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
tcpBadUrg TCP flood vector. Detects TCP packets with the URG flag set but an urgent pointer of 0. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
tcpOptOverrunsTcpHdr TCP flood vector. Detects TCP packets whose option bytes overrun the TCP header, that is, extend past the header length given by the data offset. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
tcpWindowSize TCP flood vector. Detects TCP packets with a window size of zero. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
synAckFlood TCP flood vector. Detects floods of TCP packets with both the SYN and ACK flags set. Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
synFlood TCP flood vector. Detects floods of TCP packets with the SYN flag set. SYN cookies can be enabled for mitigation (see synCookie below). Detected or rate-limited according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsAQuery DNS flood vector. Detects DNS queries with QTYPE A (A_QRY). Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsAaaaQuery DNS flood vector. Detects DNS queries with QTYPE AAAA. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsAnyQuery DNS flood vector. Detects DNS queries with QTYPE ANY (ANY_QRY), a query type commonly abused for amplification because of its large responses. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsPtrQuery DNS flood vector. Detects DNS queries with QTYPE PTR. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsAxfrQuery DNS flood vector. Detects DNS queries with QTYPE AXFR (full zone transfer requests). Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsCnameQuery DNS flood vector. Detects DNS queries with QTYPE CNAME. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsIxfrQuery DNS flood vector. Detects DNS queries with QTYPE IXFR (incremental zone transfer requests). Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsMxQuery DNS flood vector. Detects DNS queries with QTYPE MX. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsNsQuery DNS flood vector. Detects DNS queries with QTYPE NS. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsOtherQuery DNS flood vector. Detects DNS queries with any QTYPE not covered by the other dns*Query vectors. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsSoaQuery DNS flood vector. Detects DNS queries with QTYPE SOA (SOA_QRY). Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsSrvQuery DNS flood vector. Detects DNS queries with QTYPE SRV. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsTxtQuery DNS flood vector. Detects DNS queries with QTYPE TXT. Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.
dnsNxdomainQuery DNS flood vector. Detects DNS queries for nonexistent domains, that is, names outside the vector's validDomains list (see dnsNxdomainQuery below). Detected or dropped according to the state and rate-limit configuration; supports per-source-IP and per-destination-IP detection and rate limiting.

The following configuration parameters are common to all vectors.

Properties Description
state Specifies the system's response when a vector match occurs: detection-only (default), which only logs and reports the attack, or mitigation, which additionally drops events above the configured rate limits. To disable, delete the custom resource.
detectionThresholdEps Specifies the attack detection threshold in events per second (EPS). When the EPS rate exceeds the threshold, the attack is logged and reported. The default value is 4294967295.
detectionThresholdPercentage Specifies the attack detection threshold as a percentage increase in EPS. The system compares the current EPS rate to the average rate over the last hour, and when the increase exceeds the percentage, the attack is logged and reported. The default value is 4294967295.
rateLimit Specifies the rate limit in EPS. When the EPS rate exceeds the limit, excess events are dropped until the rate no longer exceeds it. The default value is 4294967295.
perSourceIpDetectionEps Specifies the attack detection threshold in EPS per source IP address. The default value is 4294967295.
perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP address. The default value is 4294967295.
perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP address. The default value is 4294967295.
perDstIpLimitEps Specifies the rate limit in EPS for the configured attack type per destination IP address. The default value is 4294967295.

The default 4294967295 (2^32 - 1) is shared by every threshold and limit above, and no realistic event rate exceeds it. A vector left at these defaults therefore neither reports nor rate-limits anything, whatever its state; at least one detection threshold, and for mitigation at least one rate limit, must be set explicitly.
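The interaction between state, the EPS thresholds and the rate limits is easy to get wrong in a large CR. The following linter is an added example, not part of this reference or of F5's tooling: it checks a vectors/allowList configuration against the semantics documented in the tables above (defaults that never trigger, a limit set below its detection threshold so traffic is dropped before any attack is logged, match-type allowList entries without a matchingAddress). It assumes allowList is a list of entries and that the vector names are exactly those listed on this page; the sample configuration is constructed here.

```python
"""Lint a PercontextDDoS-style vectors/allowList configuration (added example, not F5 code)."""

UNSET = 4294967295  # documented default of every EPS and percentage parameter

# Vector names as listed in the reference tables on this page.
VECTORS = frozenset("""
ipv4IcmpFlood ipv4FragFlood ipv6IcmpFlood ipv6FragFlood ipv6LowHopCount
ipv6ExtHdrTooLarge ipv6WithExtHdrFrames ipv6TooManyExtHdrs udpFlood tcpRstFlood
tcpSynOversize tcpBadUrg tcpOptOverrunsTcpHdr tcpWindowSize synAckFlood synFlood
dnsAQuery dnsAaaaQuery dnsAnyQuery dnsPtrQuery dnsAxfrQuery dnsCnameQuery
dnsIxfrQuery dnsMxQuery dnsNsQuery dnsOtherQuery dnsSoaQuery dnsSrvQuery
dnsTxtQuery dnsNxdomainQuery
""".split())
STATES = {"detection-only", "mitigation"}
PROTOCOLS = {"any", "icmp", "igmp", "tcp", "udp"}
ENTRY_TYPES = {"destination-match", "source-match", "v4-all", "v6-all", "all-ip"}
# (detection threshold, matching rate limit) pairs from the common-parameters table.
PAIRS = (
    ("detectionThresholdEps", "rateLimit"),
    ("perSourceIpDetectionEps", "perSourceIpLimitEps"),
    ("perDstIpDetectionEps", "perDstIpLimitEps"),
)


def lint_vector(name, spec):
    """Return a list of findings for one vector; an empty list means it looks sane."""
    out = []
    if name not in VECTORS:
        out.append(f"{name}: not a vector name listed in this reference")
    state = spec.get("state", "detection-only")
    if state not in STATES:
        out.append(f"{name}.state: {state!r} is not detection-only or mitigation")
    eps = {}
    for det, lim in PAIRS:
        for field in (det, lim):
            value = int(spec.get(field, UNSET))
            if not 0 <= value <= UNSET:
                out.append(f"{name}.{field}: {value} outside 0..{UNSET}")
            eps[field] = value
    # Every detection threshold at the default: the vector can never report an attack.
    detections = [eps[det] for det, _ in PAIRS]
    if all(v == UNSET for v in detections) and spec.get("detectionThresholdPercentage", UNSET) == UNSET:
        out.append(f"{name}: every detection threshold is at the default {UNSET}; vector never reports")
    # Mitigation with no limit set: nothing is ever dropped.
    limits = [eps[lim] for _, lim in PAIRS]
    if state == "mitigation" and all(v == UNSET for v in limits):
        out.append(f"{name}: state=mitigation but no rate limit is set; nothing is dropped")
    # A limit below its detection threshold drops traffic silently, before an attack is logged.
    for det, lim in PAIRS:
        if eps[lim] < eps[det]:
            out.append(f"{name}: {lim}={eps[lim]} is below {det}={eps[det]}; "
                       "traffic is dropped before the attack is logged")
    return out


def lint_allowlist(entries):
    """Check allowList entries (assumed to be a list) for the constraints the table states."""
    out = []
    for i, entry in enumerate(entries):
        kind = entry.get("entryType")
        if kind not in ENTRY_TYPES:
            out.append(f"allowList[{i}].entryType: {kind!r} is not a valid entryType")
        elif kind.endswith("-match") and not entry.get("matchingAddress"):
            out.append(f"allowList[{i}]: entryType {kind} requires matchingAddress")
        if entry.get("ipProtocol", "any") not in PROTOCOLS:
            out.append(f"allowList[{i}].ipProtocol: {entry['ipProtocol']!r} is not a valid protocol")
        port = int(entry.get("dstPort", 0))
        if not 0 <= port <= 65535:
            out.append(f"allowList[{i}].dstPort: {port} outside 0..65535")
    return out


def lint(config):
    out = []
    for name, spec in config.get("vectors", {}).items():
        out.extend(lint_vector(name, spec))
    out.extend(lint_allowlist(config.get("allowList", [])))
    return out


# Constructed sample configuration (hypothetical values, not from the reference).
SAMPLE = {
    "vectors": {
        "synFlood": {"state": "mitigation", "detectionThresholdEps": 10000, "rateLimit": 20000,
                     "perSourceIpDetectionEps": 500, "perSourceIpLimitEps": 1000},
        "udpFlood": {"state": "mitigation"},                       # left at defaults
        "dnsAnyQuery": {"state": "detection-only", "detectionThresholdEps": 5000, "rateLimit": 1000},
    },
    "allowList": [
        {"entryType": "source-match", "matchingAddress": "192.0.2.10", "ipProtocol": "udp", "dstPort": 53},
        {"entryType": "destination-match", "ipProtocol": "tcp"},   # matchingAddress missing
    ],
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running the block prints four findings for the sample: udpFlood never reports and never drops, dnsAnyQuery has its rateLimit below its detection threshold, and the second allowList entry lacks a matchingAddress; the synFlood entry passes. Point the linter at the vectors and allowList sections of a real CR before applying it, since the controller will not tell you that a vector with default thresholds is a no-op.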

The properties below are configuration parameters that apply only to the named vector.

Synflood

Properties Description
synCookie When SYN cookies are enabled, BIG-IP answers SYNs during a SYN flood with a SYN-ACK that carries a cookie and creates the TCP flow only when the client's ACK returns that cookie, so spoofed SYNs consume no connection state. Defaults: state enable, verifiedList enable, threshold 4294967295.

dnsNxdomainQuery

Properties Description
validDomains Defines the list of domains the vector treats as valid; queries for names outside this list count toward the dnsNxdomainQuery vector. The default is 0 (no valid domains configured).