PercontextDDoS Reference¶

The Percontext DDoS Custom Resource (CR) configuration parameters. Each heading below represents the top-level parameter element. For example, to set the listType, use udpPortlist.listType.

hslPublisher¶

Parameter	Description
`hslPublisher`	Specifies the endpoint logging server to send logging messages. References the F5BigLogHslpub CR by `metadata.name` parameter.

allowList¶

Parameter	Description
`srcAddressList`	Specifies the F5BigCneAddresslist CR by `metadata.name` containing the source IP addresses to be excluded from DoS detection/mitigation.
`ipProtocol`	Specifies the IP protocol allowed by the allowlist: any (default), icmp, igmp, tcp, udp.
`entryType`	Specifies what the allowList match is based on: destination-match, source-match, v4-all, v6-all, or all-ip.
`matchingAddress`	Specifies a destination IP address when entryType is destination-match, or source IP address when entryType is source-match.
`dstPort`	Specifies a destination service port the allowList matches. The default values is 0 for all ports.
`srcVlan`	Specifies the name of the source VLAN the allowList matches. The default value is any for all VLANs.

vectors¶

Parameter	Description
`ipv4IcmpFlood`	IPv4 flood vector. This vector detects or rate-limits IPv4 ICMP flood attacks based on the state and rate-limit configuration. It also supports per-source and per-destination IP detection for bad actor and bad destination mitigation and detection.
`ipv4FragFlood`	IPv4 flood vector. This vector detects the attack when spoofed IPv4 fragments are sent at a very high rate. Detected or dropped based on the state and rate limit configuration, it provides per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6IcmpFlood`	IPv6 flood vector. This vector detects the IPv6 ICMP flood attack. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6FragFlood`	IPv6 flood vector. This vector detects the attack when spoofed IPv6 fragments are received at a very high rate. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6LowHopCount`	IPv6 flood vector. This vector detects the attack when IPv6 extended header hop count set to less than or equal to the configured value of ipv6LowHopCount. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6ExtHdrTooLarge`	IPv6 flood vector. This vector detects the attack when we receive packets which have too Large IPv6 Extension Header field based on the configured limit. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6WithExtHdrFrames`	IPv6 flood vector. This vector detects the attack with too many IPv6 Extension Headers surpassing the limit configured. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`ipv6TooManyExtHdrs`	IPv6 flood vector. This vector detects the attack with too many IPv6 Extension Headers surpassing the limit configured. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`udpFlood`	UDP flood vector. This vector prevents the UDP flood. UDP port list can be enabled for mitigation. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`tcpRstFlood`	TCP flood vector. This vector detects the attack with RST flag set in the TCP packet to tamper with internet communications. It is detected or dropped based on the state and rate limit configuration and provides detection and rate limiting per-sourceIP and per-destinationIP.
`tcpSynOversize`	TCP flood vector. This vector detects the attack traffic with TCP SYN packets larger than 64 bytes. It is detected or dropped based on the state and rate limit configuration, provides detection and rate limiting per-sourceIP and per-destinationIP.
`tcpBadUrg`	TCP flood vector. This vector detects the attack traffic with URG flag set, and the urgent pointer is 0. It is detected or dropped based on the state and rate limit configuration, provides detection and rate limiting per-sourceIP and per-destinationIP.
`tcpOptOverrunsTcpHdr`	TCP flood vector. This vector detects the attack traffic with option bits that overrun the TCP header. It is detected or dropped based on the state and rate limit configuration, provides detection and rate limiting per-sourceIP and per-destinationIP.
`tcpWindowSize`	TCP flood vector. This vector detects the attack traffic with TCP window size zero. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`synAckFlood`	TCP flood vector. This vector detects the flood of traffic with both TCP SYN and ACK flags set in the packet. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`synFlood`	TCP flood vector. This vector detects the flood of traffic with TCP SYN flag set. SYN cookie feature can be enabled for mitigative actions. Attack is detected or ratelimited based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsAQuery`	DNS flood vector. This vector detects the DNS packets with Qtype as A_QRY. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsAaaaQuery`	DNS flood vector. This vector detects the DNS packets with Qtype as AAAA. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsAnyQuery`	DNS flood vector. This vector detects the DNS packets with Qtype as ANY_QRY. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsPtrQuery`	DNS flood vector. This vector detects the DNS packets with Qtype as PTR. Attack is detected or dropped per the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsAxfrQuery`	DNS flood vector. This vector detects the DNS packets with Qtype as AXFR. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsCnameQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as CNAME. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsIxfrQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as IXFR. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsMxQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as MX. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsNsQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as NS. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsOtherQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as OTHER. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsSoaQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as SOA_QRY. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsSrvQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as SRV. Attack is detected or dropped based on the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsTxtQuery`	DNS flood vector. This vector detects the DNS packets with DNS Qtype as TXT. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.
`dnsNxdomainQuery`	DNS flood vector. This vector detects the DNS query for non existing domains. Attack is detected or dropped according to the state and rate limit configuration, provides both per-sourceIP and per-destinationIP detection and rate limiting.

The following are commonly used configuration parameters for Vectors.

Properties	Description

`state`	Specifies the system's response when a vector match occurs: detection-only (default) or mitigation. To disable, delete the custom resource.
`detectionThresholdEps`	Specifies the attack detection threshold in Events Per Second (EPS). When EPS exceeds the threshold, the attack is logged and reported. The default value is 4294967295.
`detectionThresholdPercentage`	Specifies the attack detection threshold by Events Per Second (EPS) percentage increase. The system compares the current EPS rate to the average rate from the last hour, and when the percentage is exceeded, the attack is logged and reported. The default value is 4294967295.
`rateLimit`	Specifies the rate limit in Events Per Second (EPS). When EPS exceeds the threshold, excess events are dropped until the EPS rate no longer exceeds the threshold. The default value is 4294967295.
`perSourceIpDetectionEps`	Specifies the attack detection threshold in EPS per source IP address. The default value is 4294967295.
`perSourceIpLimitEps`	Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
`perDstIpDetectionEps`	Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
`perDstIpLimitEps`	Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.

The properties listed below are configuration parameters that are specifically used for Vectors.

Synflood

Properties	Description
`synCookie`	When Syn Cookie is enabled, BIGIP sends a cookie in the SynAck response during Syn Flood. TCP flow is only created when the client responds back with the Syn Cookie. The default state is enable, default verfiedList is enable and threshold default is 4294967295

dnsNxdomainQuery

Properties	Description
`validDomains`	Define the list of domains that the vector should consider as valid domains. default 0.

Previous Next