DNS DDoS Attacks

Overview

This BIG-IQ API returns summary data for an ongoing DNS DDoS attack.

REST Endpoint: /mgmt/ap/query/v1/tenants/default/reports/DnsCorrelatedAttackDetailsSummary

Requests

GET /mgmt/ap/query/v1/tenants/default/reports/DnsCorrelatedAttackDetailsSummary

Query Parameters

Name Type Required Description
from string False Specifies time to start results. The default uses the values of “-1h” for from and “now” for to, which starts from 1 hour before the current time and ends at the current time.
id query option False The unique identifier of the correlated attack.
to string False Specifies time to end results. The default uses the values of “-1h” for from and “now” for to, which starts from 1 hour before the current time and ends at the current time.

Response

HTTP/1.1 200 OK

Name Type Description
alertsHistory object A list of the attack’s summary information. For more information see AlertHistoryInfo.
     id string The alert’s unique identifier.
     severity string The severity based on reported threshold values.
     timestamp long The time in which the alert was updated.
     title string A short description of the alert.
allTransactionsTs object A list of the average number of transactions detected over time.
     count number The value during a data collection at the time stamp.
     timeMillis number The data collection time stamp.
attackVector string The type of attack detected by the DoS profile.
blockedTransactionsTs object A list of the average number of blocked transactions detected over time.
     count number The value during a data collection at the time stamp.
     timeMillis number The data collection time stamp.
attackVector string The type of attack detected by the DoS profile.
currAllTransactions number The average number of transactions per second detected over the past 5 minutes.
currBlockedTransactions number The average number of blocked transactions per second detected over the past 5 minutes.
currIncompleteTransactions number The average number of incomplete transactions per second detected over the past 5 minutes.
dosProfile string The DoS profile that detected the attack.
duration number The length of time for a detected DoS attack.
endTime number The time in which the DoS profile no longer detects the DoS attack, indicating the end of the attack.
id string The attack’s unique identifier.
incompleteTransactionsTs object A list of the average number of incomplete transactions detected over time.
     count number The value during a data collection at the time stamp.
     timeMillis number The data collection time stamp.
attackVector string The type of attack detected by the DoS profile.
mitigation string The mitigation action that was applied by the DoS profile.
protectedObject string The reported object targeted by the DoS attack.
protocol string The traffic connection layer detected as the target for the DoS attack. This can include either HTTP, DNS or Network targets.
severity string The severity based on reported threshold values.
startTime number The initial time the DoS profile detected a DoS attack.
status string The indication of whether the attack is ongoing or has ended. Possible values: “Active” or “Ended”.
trigger string The attack properties detected by the DoS profile.

Permissions

Role Allow
Security Manager Yes

Examples

GET to retrieve a single DNS attack summary

The following is an example of a response to the API call for an attack with the specified ID.

GET https://<BIG-IQ>/mgmt/ap/query/v1/tenants/default/reports/DnsCorrelatedAttackDetailsSummary?$id=DNS_dnsLicener1_dnsProfile_19%2F02%2F26,14:04

Response

{
    "kind": "ap:compose:Report",
    "lastUpdateMicros": 1653853309670,
    "result": {
            "id": "DNS_dnsLicener1_dnsProfile_19/02/26,14:04",
            "alertsHistory": [{
                    "id": "|þf/C£\b3",
                    "title": "Attack detected on Tier1-Stav_StaitcIP-75.sample.com: ID 1796498891",
                    "timestamp": 1551182642370,
                    "severity": "Critical"
            }],
            "severity": "Critical",
            "protectedObject": "/Common/dnsLicener1",
            "dosProfile": "/Common/dnsProfile",
            "attackVector": "DNS A Query",
            "attackVectorId": "a",
            "mitigation": "Blocked",
            "trigger": "Volumetric, Aggregated across all SrcIP's, VS-Specific attack, metric:PPS",
            "protocol": "DNS",
            "startTime": 1551182642370,
            "duration": 1466936,
            "status": "Active",
            "allTransactionsTs": [{
                    "timeMillis": 1551180600000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551180900000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551181200000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551181500000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551181800000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551182100000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551182400000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551182700000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551183000000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551183300000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551183600000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551183900000,
                    "allTransactions": 0.0
            }, {
                    "timeMillis": 1551184050000,
                    "allTransactions": 0.0
            }],
            "incompleteTransactionsTs": [],
            "blockedTransactionsTs": [{
                    "timeMillis": 1551180600000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551180900000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551181200000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551181500000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551181800000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551182100000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551182400000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551182700000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551183000000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551183300000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551183600000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551183900000,
                    "blockedTransactions": 0.0
            }, {
                    "timeMillis": 1551184050000,
                    "blockedTransactions": 0.0
            }],
            "currAllTransactions": 0.0,
            "currIncompleteTransactions": 0.0,
            "currBlockedTransactions": 0.0
    },
    "requestDurationInMillis": 3190
}
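The following is an added example, not BIG-IQ's own code, showing how an operator might query this report and reduce the response to the fields worth triaging: whether the attack is still active, its severity, the mitigation in force, and the peak observed transaction rates from the time series. It assumes the `$id` parameter name used in the example request above, the `from`/`to` window parameters from the query-parameter table, and (for the live fetch only) that the BIG-IQ session token is passed in an `X-F5-Auth-Token` header. The embedded sample response is constructed to match the shape of the example above, with non-zero rates so the peak calculation is meaningful; `duration` is treated as milliseconds, which is inferred from the example's `duration` matching the gap between `startTime` and the last time-series sample.

```python
"""Added example (not BIG-IQ code): fetch and summarize a
DnsCorrelatedAttackDetailsSummary report.
"""
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

REPORT_PATH = "/mgmt/ap/query/v1/tenants/default/reports/DnsCorrelatedAttackDetailsSummary"


def build_query_url(host, attack_id, time_from="-1h", time_to="now"):
    """Build the GET URL for one correlated attack.

    '$id' follows the parameter name shown in the page's example request;
    'from'/'to' are the documented window parameters (defaults '-1h'/'now').
    urlencode() percent-encodes the slashes, comma and colon in the attack ID.
    """
    params = {"$id": attack_id, "from": time_from, "to": time_to}
    return f"https://{host}{REPORT_PATH}?{urlencode(params)}"


def fetch_report(url, auth_token, timeout=30):
    """Perform the GET against a live BIG-IQ (not exercised offline).

    Assumption: the session token is sent as X-F5-Auth-Token. TLS verification
    is left at the default; do not disable it for a management endpoint.
    """
    req = urllib.request.Request(url, headers={"X-F5-Auth-Token": auth_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _series_values(series, key):
    """Extract the numeric values of a time series.

    The page's example stores each point's value under a per-series key
    ('allTransactions', 'blockedTransactions'); the field table calls it
    'count', so accept either.
    """
    return [float(p.get(key, p.get("count", 0.0))) for p in series]


def summarize_attack(report):
    """Reduce the report document to the fields an on-call engineer triages on."""
    r = report["result"]
    blocked = _series_values(r.get("blockedTransactionsTs", []), "blockedTransactions")
    all_tx = _series_values(r.get("allTransactionsTs", []), "allTransactions")
    start = datetime.fromtimestamp(r["startTime"] / 1000, tz=timezone.utc)
    return {
        "id": r["id"],
        "active": r.get("status") == "Active",
        "severity": r.get("severity"),
        "protected_object": r.get("protectedObject"),
        "vector": r.get("attackVector"),
        "mitigation": r.get("mitigation"),
        "start_utc": start.isoformat(),
        # duration assumed to be milliseconds (matches startTime units).
        "duration_s": r.get("duration", 0) / 1000,
        "peak_all_tps": max(all_tx, default=0.0),
        "peak_blocked_tps": max(blocked, default=0.0),
        "current_blocked_tps": float(r.get("currBlockedTransactions", 0.0)),
    }


def triage_line(summary):
    """One-line status suitable for a ticket or chat alert."""
    state = "ACTIVE" if summary["active"] else "ended"
    return (f"[{summary['severity']}] {state} {summary['vector']} on "
            f"{summary['protected_object']} since {summary['start_utc']} "
            f"({summary['duration_s']:.0f}s), mitigation={summary['mitigation']}, "
            f"peak {summary['peak_all_tps']:.0f} tps / {summary['peak_blocked_tps']:.0f} blocked")


# Constructed sample response: same shape as the page's example, with
# non-zero rates so the peak calculation has something to find.
SAMPLE_REPORT = {
    "kind": "ap:compose:Report",
    "result": {
        "id": "DNS_dnsLicener1_dnsProfile_19/02/26,14:04",
        "severity": "Critical",
        "protectedObject": "/Common/dnsLicener1",
        "dosProfile": "/Common/dnsProfile",
        "attackVector": "DNS A Query",
        "mitigation": "Blocked",
        "protocol": "DNS",
        "startTime": 1551182642370,
        "duration": 1466936,
        "status": "Active",
        "allTransactionsTs": [
            {"timeMillis": 1551182400000, "allTransactions": 120.0},
            {"timeMillis": 1551182700000, "allTransactions": 4800.0},
            {"timeMillis": 1551183000000, "allTransactions": 3100.0},
        ],
        "incompleteTransactionsTs": [],
        "blockedTransactionsTs": [
            {"timeMillis": 1551182400000, "blockedTransactions": 0.0},
            {"timeMillis": 1551182700000, "blockedTransactions": 1250.0},
            {"timeMillis": 1551183000000, "blockedTransactions": 900.0},
        ],
        "currAllTransactions": 3100.0,
        "currIncompleteTransactions": 0.0,
        "currBlockedTransactions": 900.0,
    },
}

if __name__ == "__main__":
    print(build_query_url("bigiq.example", SAMPLE_REPORT["result"]["id"]))
    print(triage_line(summarize_attack(SAMPLE_REPORT)))
```

Pairing the per-attack summary with the `from`/`to` window lets a poller re-read an active attack's time series on each pass and alert when the blocked rate falls to zero while `status` is still `Active`, the condition under which traffic is reaching the protected object unmitigated.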