Network DoS
Overview
Module Name in API
bigip-network-dos
Product Name in API
local-traffic
Dimensions
Dimension | Name in API | Description |
---|---|---|
Attack Category | attack-vector-category | |
Country | country | Client country |
Virtual Server | virtual | |
DoS Profile | dos-profile-name | Name of the DoS profile used on the BIG-IP |
BIG-IP Blade Number | slot-id | Used for BIG-IP chassis with multiple blades. A value of 0 means this is a non-chassis BIG-IP; any other value is the slot number of the blade in the chassis |
Attack Mitigation | attack-mitigation | The current mitigation method the BIG-IP is applying to handle the attack |
Internal Activity indication | is-internal-activity | Marks transactions generated by the BIG-IP's own activity (such as the JavaScript it injects alongside user-generated transactions), as opposed to transactions generated by the client |
Attack Vector | attack-vector | |
Client IP | client-ip | |
Attack Trigger | attack-trigger | What triggered the BIG-IP to declare this attack |
Destination IP | destination-ip | |
BIG-IP Host Name | hostname | The hostname configured on the BIG-IP |
Attack ID | attack-id | An ID the BIG-IP assigns to this attack. The ID is per BIG-IP and should not be confused with a combined attack ID spanning multiple BIG-IPs |
Application Service | applicationService | |
VLAN Group | vlan-group | |
Destination Country | destination-country | |
BIG-IP Service Cluster | dsc-name | Device service cluster (DSC): a group of BIG-IPs that share the same configuration |
VLAN Name | vlan-name | |
Attacking IP Indication | attacking-ip-indication | Indicates whether the reported client IPs are considered part of the IPs causing the attack |
Application | applications | |
Action | security-action | The action a security module took on this transaction or packet, such as allow or block |
MetricSets
Examples
By Time Query
A query by time returns a series of data points in time, based on optional filters, a time range, and a time granularity. This query kind is identified by the keyword “ap:query:stats:byTime”.
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example JSON body for the POST filters by the dimension attack-vector-category and gets the count of network-events:
```json
{
  "kind": "ap:query:stats:byTime",
  "module": "bigip-network-dos",
  "timeRange": {
    "from": "-1h",
    "to": "now"
  },
  "timeGranularity": {
    "duration": 30,
    "unit": "SECONDS"
  },
  "aggregations": {
    "network-events$count": {
      "metricSet": "network-events",
      "metric": "count"
    }
  },
  "dimensionFilter": {
    "type": "eq",
    "dimension": "attack-vector-category",
    "value": "value to filter by"
  }
}
```
By Entities Query
A query by entities returns a sorted set of entities, based on optional filters, a time range, and a chosen metric to sort by. This query kind is identified by the keyword “ap:query:stats:byEntities”.
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example JSON body for the POST gets the top entities of type attack-vector-category, sorted by the count of network-events:
```json
{
  "kind": "ap:query:stats:byEntities",
  "module": "bigip-network-dos",
  "timeRange": {
    "from": "-1h",
    "to": "now"
  },
  "dimension": "attack-vector-category",
  "sortMetric": "network-events$count",
  "sortOrder": "desc",
  "aggregations": {
    "network-events$count": {
      "metricSet": "network-events",
      "metric": "count"
    }
  },
  "limit": 5
}
```
Entities Count Query
An entities count query returns the distinct count of entities, based on optional filters, a time range, and a chosen entity type. This query kind is identified by the keyword “ap:query:stats:entitiesCount”.
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example JSON body for the POST gets the distinct count of entities of type attack-vector-category:
```json
{
  "kind": "ap:query:stats:entitiesCount",
  "module": "bigip-network-dos",
  "dimension": "attack-vector-category",
  "timeRange": {
    "from": "-1h",
    "to": "now"
  }
}
```
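The three query kinds above share the same endpoint, module name and time-range block, and they differ only in a few fields. The following Python client is an added example, not code from the original page or from F5: it builds the byTime, byEntities and entitiesCount bodies exactly as documented, rejects dimension names that are not in the Dimensions table before anything is sent (a misspelled dimension otherwise produces an error or an empty result rather than a useful answer), and posts the body over TLS. Two things in it are assumptions not stated on this page: that a `dimensionFilter` of the same shape shown for byTime may also be attached to byEntities and entitiesCount queries ("based on optional filters"), and that the management interface accepts HTTP Basic authentication. The function and variable names are the example's own.

```python
"""Query builder and client for the bigip-network-dos ap:query:stats API.

Added example. The request shapes follow the three documented bodies; the
auth scheme (HTTP Basic) and the filter support on byEntities/entitiesCount
are assumptions, not something this reference page states.
"""
import base64
import json
import ssl
import urllib.request

MODULE = "bigip-network-dos"
PRODUCT = "local-traffic"
QUERY_PATH = f"/mgmt/ap/query/v1/tenants/default/products/{PRODUCT}/metric-query"

# "Name in API" column of the Dimensions table. Anything else is a typo that
# the server will not answer usefully, so it is rejected client-side.
DIMENSIONS = frozenset({
    "attack-vector-category", "country", "virtual", "dos-profile-name",
    "slot-id", "attack-mitigation", "is-internal-activity", "attack-vector",
    "client-ip", "attack-trigger", "destination-ip", "hostname", "attack-id",
    "applicationService", "vlan-group", "destination-country", "dsc-name",
    "vlan-name", "attacking-ip-indication", "applications", "security-action",
})


def _check_dimension(dimension):
    if dimension not in DIMENSIONS:
        raise ValueError(f"unknown {MODULE} dimension: {dimension!r}")
    return dimension


def eq_filter(dimension, value):
    """dimensionFilter of type "eq", the only filter type shown on this page."""
    return {"type": "eq", "dimension": _check_dimension(dimension), "value": value}


def count_aggregation(metric_set="network-events"):
    """Return (aggregation name, aggregations block) for <metricSet>$count."""
    name = f"{metric_set}$count"
    return name, {name: {"metricSet": metric_set, "metric": "count"}}


def _base(kind, frm, to):
    return {"kind": kind, "module": MODULE, "timeRange": {"from": frm, "to": to}}


def by_time_query(metric_set="network-events", duration=30, unit="SECONDS",
                  dimension_filter=None, frm="-1h", to="now"):
    """Series of <duration> <unit> buckets, optionally restricted by one filter."""
    if duration <= 0:
        raise ValueError("timeGranularity.duration must be positive")
    _, aggs = count_aggregation(metric_set)
    body = _base("ap:query:stats:byTime", frm, to)
    body["timeGranularity"] = {"duration": duration, "unit": unit}
    body["aggregations"] = aggs
    if dimension_filter is not None:
        body["dimensionFilter"] = dimension_filter
    return body


def by_entities_query(dimension, metric_set="network-events", limit=5,
                      dimension_filter=None, frm="-1h", to="now"):
    """Top <limit> values of <dimension>, sorted by <metric_set>$count descending."""
    sort_metric, aggs = count_aggregation(metric_set)
    body = _base("ap:query:stats:byEntities", frm, to)
    body["dimension"] = _check_dimension(dimension)
    body["sortMetric"] = sort_metric
    body["sortOrder"] = "desc"
    body["aggregations"] = aggs
    body["limit"] = limit
    if dimension_filter is not None:  # assumption: same filter shape as byTime
        body["dimensionFilter"] = dimension_filter
    return body


def entities_count_query(dimension, dimension_filter=None, frm="-1h", to="now"):
    """Distinct count of <dimension> values seen in the time range."""
    body = _base("ap:query:stats:entitiesCount", frm, to)
    body["dimension"] = _check_dimension(dimension)
    if dimension_filter is not None:  # assumption: same filter shape as byTime
        body["dimensionFilter"] = dimension_filter
    return body


def post_query(address, body, username, password, cafile=None):
    """POST a query body to the BIG-IP and return the parsed JSON response.

    Assumes HTTP Basic auth. cafile is a PEM bundle that signs the management
    certificate; pass the device's own self-signed cert there instead of
    turning certificate verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{address}{QUERY_PATH}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Top five attack-vector categories in the last hour, as the page's example.
    print(json.dumps(by_entities_query("attack-vector-category"), indent=2))
```

`post_query` is the only part that touches the network; the builders are pure, so the body can be inspected or logged before it leaves the host. The `cafile` argument exists because a BIG-IP management interface typically presents a self-signed certificate, and the usual shortcut of disabling verification would let anyone on the path read the credentials in the Basic header.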