Virtual Server DDoS Attacks List

Overview

Lists all ongoing DDoS attacks against the selected virtual server over a specified period of time.

REST Endpoint: /mgmt/ap/query/v1/tenants/default/reports/AllVsAttacksList

Requests

GET /mgmt/ap/query/v1/tenants/default/reports/AllVsAttacksList

Query Parameters

Name Type Required Description
$protectedObjectId string False Specifies protected virtual server’s unique identifier.
$filter string null Specifies a string or integer used to filter the results. You can filter by all or a specific parameter.
$from string False Specifies time to start results. The default uses the values of “-1d” for from and “now” for to, which starts from 1 day before the current time and ends at the current time.
$orderby string False Specifies the sorting parameter and order to apply to results. You can sort by attackID, protectedObject, dosProfileName, severity, detectionMode, attackMitigationId, protocol, attackVector, startTime or dropRate. The sort order can be ascending (asc) or descending (desc). The default value is “startTime asc”, which sorts by startTime in ascending order.
$skip number False Specifies the number of results in the ordered list to skip. The default value of skip is 0, meaning none are skipped and the results range from 1 to the top value.
$to string False Specifies time to end results. The default uses the values of “-1d” for from and “now” for to, which starts from 1 day before the current time and ends at the current time.
$top number False Specifies the maximum number of results in the ordered list. The default value is 10.

Response

HTTP/1.1 200 OK

Name Type Description
     items object The items that appear in the query.
          attackID string The attack’s unique identifier.
          attackMitigationId string The identifier of the mitigation type applied to the attack.
          detectionMode string The attack’s detection mode.
          dosProfiles object The DoS profile that detected the attack.
                id string The profile’s unique identifier.
                link string The link to the profile.
                name string The profile’s name.
                partition string The partition assigned to the profile.
          dosProfileName string The name of the DoS profile that detected the attack.
          protectedObject string The protected object that was attacked.
          protectedObjectId string The unique identifier of the attacked protected object.
          protectedObjectType string The type of protected object attacked.
          protocol string The protocol that detected the attack.
          attackVector string The attack vector that detected the attack.
          attackVectorId string The identifier of the attack vector that detected the attack.
          severity string The severity of the attack.
          startTime Long The time the attack was first detected.
          dropRate Double The number of dropped events per second.
     itemsPerPage number The number of items per page.
     pageIndex number The chronological page number as of which to display query results.
     startIndex number The chronological item number as of which to display query results.
     total number The total number of items queried.
     totalPages number The total number of pages in the query result.

Permissions

Role Allow
Security Manager Yes
Network Security Viewer Yes
Network Security Manager Yes

Examples

GET to retrieve the list of all ongoing DDoS attacks over a specified period of time for a specific virtual server

GET https://<BIG-IQ>/mgmt/ap/query/v1/tenants/default/reports/AllVsAttacksList?$protectedObjectId=8b08e3b5-5bc9-3ce7-ba3a-7358c53202ec&$orderby=severity asc&$skip=0&$top=50

Following is an example of a response to the API call for a specific virtual server.

Response

{
"kind": "ap:compose:Report",
"lastUpdateMicros": 4619606415,
"result": {
    "totalItems": 1,
    "items": [
        {
            "attackID": "Network_dosVS_NetworkDosProfile_blocking_1563707938623_19/07/22,17:14",
            "severity": "Warning",
            "protectedObject": "/Common/dosVS",
            "protectedObjectType": "Virtual Server",
            "protectedObjectId": "8b08e3b5-5bc9-3ce7-ba3a-7358c53202ec",
            "detectionMode": "Volumetric, Per-SrcIP, VS-specific attack, metric:PPS",
            "attackMitigationId": "Per-SrcIP Blocked",
            "protocol": "Network",
            "attackVector": "TCP Push Flood",
            "startTime": 1563804842436,
            "dosProfiles": [
                {
                    "id": "4d112ff8-4b33-31b1-8c42-e530d7251747",
                    "name": "NetworkDosProfile_blocking_1563707938623",
                    "link": "https://localhost/mgmt/cm/security-shared/working-config/dos-profiles/4d112ff8-4b33-31b1-8c42-e530d7251747",
                    "partition": "Common"
                }
            ],
            "dosProfileName": "NetworkDosProfile_blocking_1563707938623"
        }
    ],
    "itemsPerPage": 50,
    "startIndex": 0,
    "totalPages": 1,
    "pageIndex": 0,
    "currentItemCount": 1
},
"requestDurationInMillis": 257
}
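The following is an added example, not part of the original reference or F5's own code: it builds the request URL with the `$`-prefixed parameters, pages through results with `$skip` and `$top`, and tallies attacks per severity and vector for triage. The `fetch` callable (whatever performs the authenticated HTTPS GET and returns the parsed JSON), the host name, and the sample items are assumptions; `startTime` is treated as epoch milliseconds, as the sample value above suggests.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

REPORT_PATH = "/mgmt/ap/query/v1/tenants/default/reports/AllVsAttacksList"

def build_url(host, protected_object_id, skip=0, top=50,
              orderby="startTime asc", time_from="-1d", time_to="now"):
    """Build the GET URL; keep '$' literal in names, encode spaces as %20."""
    params = {
        "$protectedObjectId": protected_object_id,
        "$from": time_from, "$to": time_to,
        "$orderby": orderby, "$skip": skip, "$top": top,
    }
    return f"https://{host}{REPORT_PATH}?" + urlencode(params, safe="$", quote_via=quote)

def iter_attacks(fetch, host, protected_object_id, page_size=50):
    """Yield every item, advancing $skip until a short or empty page."""
    skip = 0
    while True:
        body = fetch(build_url(host, protected_object_id, skip=skip, top=page_size))
        items = body.get("result", {}).get("items", [])
        yield from items
        if len(items) < page_size:
            return
        skip += len(items)

def summarize(items):
    """Count attacks per (severity, attackVector); return earliest start in UTC."""
    counts = Counter((i["severity"], i["attackVector"]) for i in items)
    first_ms = min((i["startTime"] for i in items), default=None)
    if first_ms is None:
        return counts, None
    first = datetime.fromtimestamp(first_ms // 1000, tz=timezone.utc)
    return counts, first.isoformat()

# Constructed sample items, shaped like the response shown on this page.
def _item(n, vector):
    return {"attackID": f"sample-{n}", "severity": "Warning",
            "attackVector": vector, "startTime": 1563804842436 + n * 1000}

SAMPLE = [_item(0, "TCP Push Flood"), _item(1, "TCP Push Flood"), _item(2, "Sample Vector B")]

def fake_fetch(url):
    """Hypothetical stand-in for the authenticated GET; serves SAMPLE in pages."""
    q = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
    skip, top = int(q["$skip"]), int(q["$top"])
    return {"result": {"items": SAMPLE[skip:skip + top]}}
```

Stopping on a short page avoids depending on the total-count field, which the response table names `total` while the sample response shows `totalItems`.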