Network DoS¶
Overview¶
Module Name in API¶
bigip-network-dos
Product Name in API¶
local-traffic
Dimensions¶
Dimension | Name in API | Description |
---|---|---|
Country | country | Client Country |
Virtual Server | virtual | |
BIG-IP Blade Number | slot-id | Used for BIG-IP Chassis with multiple blades. A value of 0 means this is a non chassis BIG-IP, any other value tells the serial number of the blade in the chassis |
Attack Mitigation | attack-mitigation | The current method of mitigation taken by the BIG-IP to handle the attack |
Internal Activity indication | is-internal-activity | Internal activity stands for transactions that are generated by BIG-IP own activity, such as injected JS, in conjunction with transactions generated by the user activity |
Attack Trigger | attack-trigger | Tells what triggered the BIG-IP to declare this attack |
BIG-IP Host Name | hostname | The hostname given to the BIG-IP |
Application Service | applicationService | |
Vlan Name | vlan-name | |
Attacking IP Indication | attacking-ip-indication | Indicates whether the reported Client IPs are considered as part of the IPs causing an attack |
Action | security-action | The action a security module took with this transaction/packet, such as allow or block |
Attack Category | attack-vector-category | |
DOS Profile | dos-profile-name | Name of the DoS profile used in the BIG-IP |
Attack Vector | attack-vector | |
Client IP | client-ip | |
Destination Ip | destination-ip | |
Attack ID | attack-id | A code provided by BIG-IP to this attack, the ID is per BIG-IP and should not be confused with combined attack ID of multiple BIG-IPs |
Vlan Group | vlan-group | |
Virtual Server Unique Name | unique-virtual-name | Virtual server full name connected to a device or cluster name |
Destination Country | destination-country | |
BIG-IP Service Cluster | dsc-name | Clusters of BIG-IPs grouped together to have the same config |
Application | applications |
MetricSets¶
Examples¶
By Time Query¶
A query by time returns a series of data points in time, based on optional filters, time range, and time granularity. This query kind is identified by the keyword: “ap:query:stats:byTime”
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example for JSON body in the post, filters by dimension country and get the count of network-events
{
"kind": "ap:query:stats:byTime",
"module": "bigip-network-dos",
"timeRange": {
"from": "-1h",
"to": "now"
},
"timeGranularity": {
"duration": 30,
"unit": "SECONDS"
},
"aggregations": {
"network-events$count": {
"metricSet": "network-events",
"metric": "count"
}
},
"dimensionFilter": {
"type": "eq",
"dimension": "country",
"value": "value to filter by"
}
}
By Entities Query¶
A query by entities returns a sort set of entities, based on optional filters, time range, and choosen metric to sort by. This query kind is identified by the keyword: “ap:query:stats:byEntities”
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example for JSON body in the post, gets top entities of type country, sorted by count of network-events
{
"kind": "ap:query:stats:byEntities",
"module": "bigip-network-dos",
"timeRange": {
"from": "-1H",
"to": "now"
},
"dimension": "country",
"sortMetric": "network-events$count",
"sortOrder": "desc",
"aggregations": {
"network-events$count": {
"metricSet": "network-events",
"metric": "count"
}
},
"limit": 5
}
Entities Count Query¶
An entities count query returns the distinct count of entities, based on optional filters, time range, and choosen entity type. This query kind is identified by the keyword: “ap:query:stats:entitiesCount”
POST https://<address>/mgmt/ap/query/v1/tenants/default/products/local-traffic/metric-query
This example for JSON body in the post, gets the distinct count of entities of type country
{
"kind": "ap:query:stats:entitiesCount",
"module": "bigip-network-dos",
"dimension": "country",
"timeRange": {
"from": "-1h",
"to": "now"
}
}