F5BigDdosProfile Reference

The F5BigDdosProfile Custom Resource (CR) configuration parameters. Each heading below represents the top-level parameter element. For example, to set the listType, use udpPortlist.listType.

Parameter Description
hslPublisher Specifies the endpoint logging server to send logging messages. References the F5BigLogHslpub CR by metadata.name parameter.

udpPortlist

Parameter Description
listType Specifies whether to include or exclude the service ports used for UDP flood vector detection: exclude-listed-ports (default), or include-listed-ports.
entries.port Specifies the service port(s) used for UDP flood vector detection.
entries.matchDirection Specifies if packet matches are based on source port, destination port or either: src, dst or either (default).

allowList

Parameter Description
sourceAddressList Specifies a F5BigCneAddresslist CR by metadata.name containing the source IP addresses to be excluded from DoS detection/mitigation.
entries.name Specifies a name for the allowlist.
entries.ipProtocol Specifies the IP protocol allowed by the allowlist: any (default), icmp, igmp, tcp, udp.
entries.entryType Specifies what the allowList match is based on: destination-match, source-match, v4-all, v6-all, or all-ip.
entries.matchingAddress Specifies a destination IP address when entryType is destination-match, or source IP address when entryType is source-match.
entries.destinationPort Specifies a destination service port the allowList matches. The default values is 0 for all ports.
entries.sourceVlan Specifies the name of the source VLAN the allowList matches. The default value is any for all VLANs.

vectors.floodVectors.commonConfigVectors

Parameter Description
vectorType Specifies the type of DoS Flood Vector to detect and mitigate: udp-flood, ether-brdcst-pkt, ether-multicst-pkt, arp-flood, ip-frag-flood, ipv6-frag-flood, tcp-rst-flood, icmpv4-flood, icmpv6-flood, and tcp-psh-flood.
state Specifies the system's response when a vector match occurs: detection-only (default) or mitigation. To disable, delete the custom resource.
detectionThresholdEps Specifies the attack detection threshold in Events Per Second (EPS). When EPS exceeds the threshold, the attack is logged and reported. The default value is 4294967295.
detectionThresholdPercentage Specifies the attack detection threshold by Events Per Second (EPS) percentage increase. The system compares the current EPS rate to the average rate from the last hour, and when the percentage is exceeded, the attack is logged and reported. The default value is 4294967295.
rateLimit Specifies the rate limit in Events Per Second (EPS). When EPS exceeds the threshold, excess events are dropped until the EPS rate no longer exceeds the threshold. The default value is 4294967295.
perSourceIpDetectionEps Specifies the attack detection threshold in EPS per source IP address. The default value is 4294967295.
perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.

vectors.ipV6errorVectors.commonConfigVectors

Parameter Description
vectorType Specifies the type of IPv6 DoS Error Vector to match: dup-ext-hdr, bad-hop-cnt, bad-ipv6-ver, addr-len-gt-l2-len, or payload-len-ls-l2-len.
detectionThresholdEps Specifies the IPv6 attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
detectionThresholdPercentage Specifies the IPv6 attack detection percentage increase for the configured attack type. The default value is 4294967295.

vectors.ipV6floodVectors.commonConfigVectors

Parameter Description
vectorType Specifies the type of IPv6 DoS Flood Vector to match: l4-ext-hdrs-go-end, and bad-ext-hdr-order.
state Specifies the reponse for an IPv6 vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
detectionThresholdEps Specifies the IPv6 attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
detectionThresholdPercentage Specifies the IPv6 attack detection percentage increase for the configured attack type. The default value is 4294967295.
rateLimit Specifies the rate limit in EPS for the configured IPv6 attack type. The default value is 4294967295.
perSourceIpDetectionEps Specifies the IPv6 attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
perSourceIpLimitEps Specifies the rate limit in EPS for the configured IPv6 attack type source IP. The default value is 4294967295.
perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured IPv6 attack type per destination IP. The default value is 4294967295.
perDstIpLimitEps Specifies the rate Limit in EPS for the configured IPv6 attack type per destination IP. The default value is 4294967295.

vectors.ipV6floodVectors.specificConfigVectors

Parameter Description
lowHopCnt.state Specifies the reponse for a vector match: detection-only (default) or mitigation.
lowHopCnt.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
lowHopCnt.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
lowHopCnt.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
lowHopCnt.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
lowHopCnt.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
lowHopCnt.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
lowHopCnt.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
lowHopCnt.ipv6LowHopCount Specifies the minimum acceptable value for IPv6 Hop Count: 1 (default) through 4.
extHdrTooLarge.state Specifies the reponse for an IPv6 vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
extHdrTooLarge.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
extHdrTooLarge.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
extHdrTooLarge.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
extHdrTooLarge.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
extHdrTooLarge.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
extHdrTooLarge.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
extHdrTooLarge.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
extHdrTooLarge.maxipv6ExtHdrSize Specifies the size at which an IPv6 Extension Header is considered oversized: 0 through 1024. The default value is 128.
withExtHdrFrames.state Specifies the reponse for an IPv6 vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
withExtHdrFrames.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
withExtHdrFrames.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
withExtHdrFrames.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
withExtHdrFrames.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
withExtHdrFrames.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
withExtHdrFrames.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
withExtHdrFrames.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
withExtHdrFrames.ipv6ExtHdrFrameType The IPv6 Header Frame type to match: auth, dstopt, esp, frag, hbh, mobility, route, and All (default).
tooManyExtHdrs.state Specifies the reponse for an IPv6 vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
tooManyExtHdrs.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
tooManyExtHdrs.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
tooManyExtHdrs.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
tooManyExtHdrs.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
tooManyExtHdrs.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
tooManyExtHdrs.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
tooManyExtHdrs.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
tooManyExtHdrs.maxIpv6ExtHdrs Specifies the number of IPv6 Extension Headers that are considered too many: 0 - 15. The default value is 4.

vectors.l4errorVectors.commonConfigVectors

Parameter Description
vectorType The type of layer 4 DoS Error Vector: bad-udp-chksum or bad-udp-hrd.
detectionThresholdEps Attack detection threshold in pps for the Attack type in question. The default value is 4294967295.
detectionThresholdPercentage Attack detection percentage increase for the Attack type in question. The default value is 4294967295.

vectors.dnsErrorVectors.commonConfigVectors

Parameter Description
vectorType The type of DNS DoS Error Vector: dns-malformed, dns-qdcount-limit, or unsolicited-dns-response.
detectionThresholdEps Attack detection threshold in pps for the Attack type in question. The default value is 4294967295.
detectionThresholdPercentage Attack detection percentage increase for the Attack type in question. The default value is 4294967295.

vectors.dnsFloodVectors.commonConfigVectors

Parameter Description
vectorType The type of DNS Flood Vector: dns-a-query, dns-aaaa-query, dns-any-query, dns-ptr-query, dns-axfr-query, dns-cname-query, dns-ixfr-query, dns-mx-query, dns-ns-query, dns-other-query, dns-soa-query, dns-srv-query, or dns-txt-query.
state Specifies the reponse for a vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.

vectors.dnsFloodVectors.specificConfigVectors

Parameter Description
oversizedDns.state Specifies the reponse for a vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
oversizedDns.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
oversizedDns.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
oversizedDns.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
oversizedDns.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
oversizedDns.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
oversizedDns.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
oversizedDns.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
oversizedDns.maxDnsSize Specifies the size at which a DNS packet is considered oversized: 256 through 8192. The default value is 4096.
dnsNxdomainQuery.state Specifies the reponse for a vector match: detection-only (default) or mitigation. To disable, delete the custom resource.
dnsNxdomainQuery.detectionThresholdEps Specifies the attack detection threshold in EPS for the configured attack type. The default value is 4294967295.
dnsNxdomainQuery.detectionThresholdPercentage Specifies the attack detection percentage increase for the configured attack type. The default value is 4294967295.
dnsNxdomainQuery.rateLimit Specifies the rate limit in EPS for the configured attack. The default value is 4294967295.
dnsNxdomainQuery.perSourceIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per source IP. The default value is 4294967295.
dnsNxdomainQuery.perSourceIpLimitEps Specifies the rate limit in EPS for the configured attack type per source IP. The default value is 4294967295.
dnsNxdomainQuery.perDstIpDetectionEps Specifies the attack detection threshold in EPS for the configured attack type per destination IP. The default value is 4294967295.
dnsNxdomainQuery.perDstIpLimitEps Specifies the rate Limit in EPS for the configured attack type per destination IP. The default value is 4294967295.
dnsNxdomainQuery.dnsNXDomainLearnPeriod Specifies the learn period for nx-domain vector: 1 - 2147483647. The default value is 7200.
dnsNxdomainQuery.dnsNXDomainRelearnPeriod Specifies the relearn period for nx-domain vector: 1 - 2147483647. The default value is 86400.
dnsNxdomainQuery.dnsNXDomainTrackerSize Specifies the tracker size for nx-domain vector: 64 - 8000. The default value is 320.
dnsNxdomainQuery.validDomains Specifies the list of valid domains for dns vectors.