Percontext DDoS


The Percontext DDoS Custom Resource Definition (CRD) configures the Traffic Management Microkernel (TMM) Proxy Pod to protect applications from Denial of Service / Distributed Denial of Service (Dos/DDoS) attacks. Using custom packet signatures, the Percontext DDoS inspects all application traffic processed by the TMM Proxy Pod, to detect, report and/or mitigate DoS/DDoS events. Percontext DDoS is a subset of Global DDoS. It enables to protect each application or virtual server.

There are two Custom Resource Definition (CRD) available for configuring DDoS: Global DDoS (F5BigDdosGlobal) and Percontext DDoS (F5BigDdosProfile). The Global DDoS CRD should be used for specific functionality on a global level, while the Percontext DDoS CRD can be used for virtual server level protection.

This document guides you through understanding, configuring and installing a simple Percontext DDoS CR.

DDoS Scaling

To protect against both global and virtual DoS vectors. For global vectors, we protect the entire BIG-IP instance, with thresholds and limits that are per TMM pod. However, for virtual vectors, we protect a specific application (virtual server). Since the virtual server exists on all pods, and we have a DAG behind the instance, we need to divide certain thresholds and limits by the current number of pods.

The rate limit, detection threshold, and BD rate limit and threshold are divided by the number of TMM pods. However, we don’t divide the BA rate limit and threshold by the number of pods since the DAG will cause the same packets to go to the same TMM.

CR Parameters

The tables below describe the Percontext DDoS CRD sections used in this document. For the full list of parameters, refer to the PercontextDDoS Reference.


Parameter Description
hslPublisher Specifies the endpoint logging server to send logging messages. References the F5BigLogHslpub CR by parameter.


Allows you to exclude specific types of traffic from DDoS mitigations.

Parameter Description
allowList Specifies the F5BigCneAddresslist by containing the source IP addresses to exclude from DDoS detection/mitigation.


DDoS attack vectors are the methods or techniques used by attackers to carry out a Distributed Denial of Service (DDoS) attack.

Parameter Description
vectors Specifies the type of Vector to detect and mitigate. Refer to PercontextDDoS Referencefor a full list.

CR Example for Percontext DDoS

apiVersion: ""
kind: F5BigDdosProfile
  name: "cnf-dns-ddos"
  namespace: "cnf-gateway"
  hslPublisher: "cnf-hsl-pub"
    srcAddressList: "outbound-nat"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The Percontext DDoS shortName is vddos.

View CR instance:

kubectl get vddos -n <namespace>

View CR configuration:

kubectl get vddos -n <namespace> -o yaml

Multiple TMM Proxy Pods

When Dos/DDoS attacks are detected, the attack is identified using a unique attack identifier (attack-ID). To ensure the attack-ID can be shared across multiple TMM Proxy Pods, avoiding duplicate attack-ID entries, the dSSM Database must be installed. The first TMM Proxy Pod to detect an attack stores the attack-ID in the dSSM database, and the TMM Proxy Pod replicas then check the dSSM database before creating any new attack-IDs.


Ensure you have:


Use these steps to install the example Percontext DDoS CR, and the optional CNFs CR. Each step offers a brief description of the example CR.

_images/spk_info.png Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514 and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the Percontext DDoS.

    kind: F5BigLogHslpub
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
      - name: "cnf-hslpool"
        - "[2002::10:30:2:220]:514"
      - name: "syslog-dest"
        format: "rfc5424"
        protocol: "udp"
        pool: "cnf-hslpool"
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
  3. Install the F5BigCneAddresslist CR:

    kubectl apply -f cnf-address-list.yaml
  4. The example F5BigCneAddresslist specifies of IP addresses 2002::192:168:10:1 and Copy and paste the example into a YAML file:

    Note: The F5BigCneAddresslist CR defines lists of IP addresses that can be referenced by the Percontext DDoS CR. The DDoS supports the individual IP addresses and do not work on IP ranges or pre-fixes.

    apiVersion: ""
    kind: F5BigCneAddresslist
      name: "outbound-nat"
      namespace: "cnf-gateway"
      - "2002::192:168:10:1"
      - ""
  5. The example mitigates ipv6-frag-flood and dns-aaaa-query attacks, and excludes the F5BigCneAddresslist IPs from the policy. Copy and paste the example into a YAML file:

    apiVersion: ""
    kind: F5BigDdosProfile
       name: "cnf-dns-vddos"
       namespace: "cnf-gateway"
       hslPublisher: "cnf-hsl-pub"
          state: "mitigation"
          rateLimit: 200
          perSrcIpDetectionEps: 100
          state: "detection-only"
          detectionThresholdEps: 100
          srcAddressList: "outbound-nat"
  6. Install the Percontext DDoS CR:

    kubectl apply -f cnf-ddos-cr.yaml -n cnf-gateway

    In this example, the BIG-IP Controller logs indicate the Percontext DDoS CR was added/updated:

    I0208 12:00:00:12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dos", 
    F5Dos cnf-gateway/cnf-dns-ddos was added/updated
  7. Verify the percontext DDoS status.

    kubectl get
  8. The Percontext DDoS will inspect all application traffic processed by the TMM Proxy Pod. Continue to the Additional CRs and Dos/DDoS Statistics sections.

  9. A reference in the virtual server is necessary to configure per-context DoS.

    apiVersion: ""
    kind: F5BigDnsApp
       name: "cnf-dns-virtual"
       namespace: "cnf-gateway"
       # Rest of the F5BigDnsApp config goes here.
       ddosProfile: "cnf-dns-vddos"

Additional CRs

To begin Dos/DDoS detection and mitigation, install one of the Traffic management CNFs CRs.

Dos/DDoS Statistics

Use the steps below to verify the Percontext DDoS CR DoS/DDoS statistics:

  1. Connect to the debug sidecar:

    kubectl exec -it deploy/f5-tmm -c debug -n <namespace> -- bash

    In this example, the debug sidecar is in the cnf-gateway Namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
  2. Verify the DoS/DDoS statistics:

    tmctl -f /var/tmstat/blade dos_stat -s context_name,vector_name,profile_name,protocol_type,status,attack_detected,attack_count,drops
       context_name                           vector_name        
    -------------------------------------- -------------------
    Device                                 L3/4 BDoS          
    Device                                 IPv6 fragment flood
    default-cnf-dns-virtual-virtual_server AAAA query DOS     
    default-cnf-dns-virtual-virtual_server IPv6 fragment flood
    Device                                 DNS AAAA Query     
    profile_name          protocol_type status   attack_detected attack_count drops
    --------------------- ------------- -------- --------------- ------------ -----
                         L4 BDoS       Ready                  0            0     0
    implicit              Device        Learning               0            0     0
    cnf-dns-vddos-virtual DNS           Learning               0            0     0
    cnf-dns-vddos-virtual Network       Learning               0            0     0
    implicit              Device        Learning               0            0     0


Provide feedback to improve this document by emailing