DOS_Profile (object)
Configures a Denial of Service (DOS) profile
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowlist | object | | | Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list |
application | object | | | Application security sub-profile. Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack. |
applicationAllowlist | object | | | Specifies the IP addresses and subnets allowlist configuration for Application Security (overrides the global allowlist). Reference to a firewall address list or net address list |
applicationWhitelist | object | | | Deprecated. Replaced with the functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (overrides the global allowlist). Reference to a firewall address list or net address list |
class | string | | "DOS_Profile" | |
label | string | | "^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$" | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
network | object | | | Network security sub-profile |
protocolDNS | object | | | DNS protocol security sub-profile |
protocolSIP | object | | | SIP protocol security sub-profile |
remark | string | | "^[^\x00-\x1f\x22\x5c\x7f]*$" | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
whitelist | object | | | Deprecated. Replaced with the functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list |
DOS_Profile.allowlist (object)
Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string ("f5bigip" formatted) | | | Pathname of an existing BIG-IP firewall address list or net address list |
use | string | | | AS3 pointer to a firewall address list or net address list declaration |
DOS_Profile.application (object)
Application security sub-profile. Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowlistedGeolocations | array | | | Override the DoS profile's geolocation rate-based threshold settings by selecting countries from which to allow traffic during a DoS attack |
blacklistedGeolocations | array | | | Deprecated. Replaced with the functionally equivalent denylistedGeolocations. Override the DoS profile's geolocation rate-based threshold settings by selecting countries from which to block traffic during a DoS attack |
botDefense | object | {} | | This feature proactively detects bots and scripts and prevents them from accessing the site. It may be used to prevent DDoS, web scraping, and brute-force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following: (1) the system sends a client-side JavaScript challenge to the browser; (2) if the challenge is met, the system adds a cookie to the second request, which stays active until the session ends, and the system does not add any more cookies to further requests during that session; (3) the system drops requests sent by browsers that do not answer the system's initial JavaScript challenge, assuming they are bots that do not support JavaScript. Note: this feature requires browsers to allow JavaScript. Important: the proactive bot defense feature also works in Transparent mode, which means the system replaces responses with client-side JavaScript in Transparent mode too, so a client that cannot run JavaScript will not be able to receive the server responses. Important: if you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist. This method is intended to complement, not replace, the other mitigation methods. |
botSignatures | object | {} | | This feature automatically detects well-known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms. |
captchaResponse | object | {} | | Specifies the text the system sends, during a suspected DoS event, to users after it challenges them with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response. |
denylistedGeolocations | array | | | Override the DoS profile's geolocation rate-based threshold settings by selecting countries from which to block traffic during a DoS attack |
heavyURLProtection | object | {} | | Configure the Heavy URL include list, automatic detection, and exclude list. Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs to cause a DoS attack. When an attack is suspected, the system protects the heavy URLs using the by-URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks. |
mobileDefense | object | {} | | This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings configured here. When disabled, these requests are handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic is treated differently from other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled. |
profileAcceleration | object | | | Select a TCP fastL4 profile to be used as a fast path for acceleration. Reference to a fastL4 profile (a BIG-IP or Use object) |
rateBasedDetection | object | {} | | Configures the detection of DoS attacks based on a high volume of incoming traffic. Configure the system to prevent DoS attacks based on the client-side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations: (1) Transaction rate detection interval: the average number of requests per second sent. This is the TPS value that triggered the attack. The system calculates this number, by default, every ten seconds. (2) Transaction rate history interval: the average number of requests per second sent over the past hour, updated every 10 seconds. In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the configured percentage, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some or all requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile. |
recordTraffic | object | {} | | This feature allows automatic recording of traffic during DoS attacks and stores the recordings as TCP dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration. |
remoteTriggeredBlackHoleDuration | integer | | 0 - 4294967295 | Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module; if this property is unspecified it is disabled. |
scrubbingDuration | integer | | 0 - 4294967295 | Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module; if this property is unspecified it is disabled. |
singlePageApplicationEnabled | boolean | false | true, false | Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page reload. This property is available on BIGIP 14.1 and above. |
stressBasedDetection | object | {} | | Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates the DoS attacks causing it. Configure the system to prevent DoS attacks based on the server's health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed. |
triggerIRule | boolean | false | true, false | Specifies that the system activates an Application DoS iRule event |
whitelistedGeolocations | array | | | Deprecated. Replaced with the functionally equivalent allowlistedGeolocations. Override the DoS profile's geolocation rate-based threshold settings by selecting countries from which to allow traffic during a DoS attack |
DOS_Profile.application.botDefense (object)
This feature proactively detects bots and scripts and prevents them from accessing the site. It may be used to prevent DDoS, web scraping, and brute-force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
- The system sends a client-side JavaScript challenge to the browser.
- If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
- The system drops requests sent by browsers that do not answer the system's initial JavaScript challenge, assuming they are bots that do not support JavaScript.
Note: This feature requires browsers to allow JavaScript.
Important: The proactive bot defense feature also works in Transparent mode. This means that the system replaces responses with client-side JavaScript in Transparent mode too, so a client that cannot run JavaScript will not be able to receive the server responses.
Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.
This method is intended to complement, not replace, the other mitigation methods.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockSuspiscousBrowsers | boolean | true | true, false | Detect and block requests from highly suspicious browsers |
crossDomainRequests | string | "allow-all" | "allow-all", "validate-bulk", "validate-upon-request" | Specifies how the system responds when it receives a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie and with a Referer header whose domain differs from the host domain. This property is available on BIGIP 14.1 and above. |
externalDomains | array | | | Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system's redirect-cookie challenge. This property is available on BIGIP 14.1 and above. |
gracePeriod | integer | 300 | 0 - 4294967295 | The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML content (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above. |
issueCaptchaChallenge | boolean | true | true, false | Issue CAPTCHA challenges to moderately suspicious browsers |
mode | string | "off" | "off", "during-attacks", "always" | Specifies the conditions under which bots are detected and blocked |
siteDomains | array | | | Specifies how the system responds when it receives a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie and with a Referer header whose domain differs from the host domain. This property is available on BIGIP 14.1 and above. |
urlAllowlist | array | | | Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
urlWhitelist | array | | | Deprecated. Replaced with the functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
DOS_Profile.application.botSignatures (object)
This feature automatically detects well-known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockedCategories | array | | | The system blocks and reports requests that match signatures in this list of categories |
checkingEnabled | boolean | false | true, false | Specifies that the system uses signatures to check whether a bot is benign or malicious |
disabledSignatures | array | | | A list of signatures the system ignores when it matches requests against the configured bot signatures |
reportedCategories | array | | | The system logs requests that match signatures in this list of categories and counts them in the DoS reports |
DOS_Profile.application.captchaResponse (object)
Specifies the text the system sends, during a suspected DoS event, to users after it challenges them with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
failure | string | | | Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA |
first | string | | | Specifies the content the system displays to a user the first time the user is asked to respond to a CAPTCHA |
DOS_Profile.application.heavyURLProtection (object)
Configure the Heavy URL include list, automatic detection, and exclude list. Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs to cause a DoS attack. When an attack is suspected, the system protects the heavy URLs using the by-URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
automaticDetectionEnabled | boolean | true | true, false | Mark a URL as heavy if its share of transactions with latency above the specified threshold is higher than usual for this site |
detectionThreshold | integer | 1000 | 16 - 4294967295 | Specifies the latency threshold for automatic heavy URL detection (in milliseconds) |
excludeList | array | | | URLs the system should not consider heavy even if it automatically detects them as heavy. This list may contain prefix wildcards. |
protectList | array | | | URLs you expect to be heavy even if the system does not automatically detect them as heavy |
DOS_Profile.application.mobileDefense (object)
This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings configured here. When disabled, these requests are handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic is treated differently from other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowAndroidPublishers | array | | | Publisher certificates to allow. All others are blocked. An empty list allows all publishers. |
allowAndroidRootedDevice | boolean | false | true, false | Select to allow traffic from rooted Android devices |
allowEmulators | boolean | false | true, false | Select to allow traffic from applications run on emulators |
allowIosPackageNames | array | | | Package names to allow. All others are blocked. An empty list allows all package names. |
allowJailbrokenDevices | boolean | false | true, false | Select to allow traffic from jailbroken iOS devices |
clientSideChallengeMode | string | "pass" | "pass", "challenge" | Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented |
enabled | boolean | false | true, false | When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings above. When disabled, these requests are handled like any other request, which may let attacks in or cause false positives. |
DOS_Profile.application.profileAcceleration (object)
Select a TCP fastL4 profile to be used as a fast path for acceleration. Reference to a fastL4 profile, given as a BIG-IP or Use object.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string ("f5bigip" formatted) | | | Pathname of an existing BIG-IP fastL4 profile |
use | string | | | AS3 pointer to a fastL4 profile declaration |
DOS_Profile.application.rateBasedDetection (object)
Configures the detection of DoS attacks based on a high volume of incoming traffic. Configure the system to prevent DoS attacks based on the client-side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
- Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. The system calculates this number, by default, every ten seconds.
- Transaction rate history interval: The average number of requests per second sent over the past hour. It is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the configured percentage, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some or all requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time since mitigation started after which the system retries the enabled methods from the first step. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | | Specifies the criteria that determine when the system treats a device as an attacker |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | | Specifies the criteria that determine when the system treats a geolocation as an attacker |
operationMode | string | "off" | "off", "transparent", "blocking" | Specifies how the system reacts when it detects an attack |
site | object | {} | | Specifies the criteria that determine when the system treats a site as an attacker |
sourceIP | object | {} | | Specifies the criteria that determine when the system treats a source IP address as an attacker |
thresholdsMode | string | "manual" | "manual", "automatic" | Specifies what type of thresholds to use |
url | object | {} | | Specifies the criteria that determine when the system treats a URL as an attacker |
DOS_Profile.application.rateBasedDetection.deviceID (object)
Specifies the criteria that determines when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.rateBasedDetection.geolocation (object)
Specifies the criteria that determines when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.rateBasedDetection.site (object)
Specifies the criteria that determines when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.rateBasedDetection.sourceIP (object)
Specifies the criteria that determines when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.rateBasedDetection.url (object)¶
Specifies the criteria that determine when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Specifies whether heavy URL protection is enabled |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.recordTraffic (object)¶
This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
maximumDuration | integer | 30 | 0 - 4294967295 | Configures the maximum time for each TCP dump recording cycle |
maximumSize | integer | 10 | 0 - 4294967295 | Configures the maximum size (in MB) for each TCP dump recording cycle |
recordTrafficEnabled | boolean | false | true, false | Enables the recording of traffic during attacks |
repetitionInterval | integer | 120 | | Allows multiple TCP dumps to be recorded during a single DoS attack |
DOS_Profile.application.stressBasedDetection (object)¶
Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates the DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
badActor | object | {} | | Specifies properties of Behavioral Detection in Stress-based anomaly. The following mitigation options are available. Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests. |
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time in seconds since mitigation started after which the system retries the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | | Specifies the criteria that determine when the system treats a device as an attacker |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | | Specifies the criteria that determine when the system treats a geolocation as an attacker |
operationMode | string | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site | object | {} | | Specifies the criteria that determine when the system treats a site as an attacker |
sourceIP | object | {} | | Specifies the criteria that determine when the system treats a source IP address as an attacker |
thresholdsMode | string | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url | object | {} | | Specifies the criteria that determine when the system treats a URL as an attacker |
DOS_Profile.application.stressBasedDetection.badActor (object)¶
Specifies properties of Behavioral Detection in Stress-based anomaly.
The following mitigation options are available:
- Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
acceleratedSignaturesEnabled | boolean | false | true, false | Enables signature detection before the connection establishment |
detectionEnabled | boolean | false | true, false | Enables traffic behavior, server’s capacity learning, and anomaly detection |
mitigationMode | string | “none” | “none”, “conservative”, “standard”, “aggressive” | Specifies mitigation impact on suspicious bad actors/requests |
signatureDetectionEnabled | boolean | false | true, false | Enables request signature detection |
tlsSignaturesEnabled | boolean | false | true, false | Enables TLS signature detection before connection establishment. This property is available on BIGIP 14.1 and above. |
useApprovedSignaturesOnly | boolean | false | true, false | Limits request signature detection to approved signatures only |
DOS_Profile.application.stressBasedDetection.deviceID (object)¶
Specifies the criteria that determine when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.stressBasedDetection.geolocation (object)¶
Specifies the criteria that determine when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.stressBasedDetection.site (object)¶
Specifies the criteria that determine when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.stressBasedDetection.sourceIP (object)¶
Specifies the criteria that determine when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile.application.stressBasedDetection.url (object)¶
Specifies the criteria that determine when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Specifies whether heavy URL protection is enabled |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
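The attacker decision shared by the rateBasedDetection and stressBasedDetection sub-objects above (maximumTps always triggers; otherwise both minimumTps and tpsIncreaseRate must be met, and for stress-based detection the server must also be under stress), together with the escalationPeriod/deEscalationPeriod timing, as an added Python model that is not AS3 or BIG-IP code. It assumes the TPS increase is measured as a percentage over the learned baseline, and that the mitigation methods are tried in the order the caller lists them; the thresholds are the sourceIP and site defaults from the tables.

```python
"""Constructed model of the DOS_Profile TPS-based attacker decision and the
mitigation escalation timer. Example code, not the AS3 schema's own logic."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TpsThresholds:
    """Manual thresholds for one detection entity (sourceIP, deviceID, site or url)."""
    minimum_tps: int        # minimumTps
    maximum_tps: int        # maximumTps
    tps_increase_rate: int  # tpsIncreaseRate, a percentage


# Defaults taken from the sourceIP and site tables on this page.
SOURCE_IP_DEFAULTS = TpsThresholds(minimum_tps=40, maximum_tps=200, tps_increase_rate=500)
SITE_DEFAULTS = TpsThresholds(minimum_tps=2000, maximum_tps=10000, tps_increase_rate=500)


def tps_increase_percent(baseline_tps: float, current_tps: float) -> float:
    """Percentage increase of the current rate over the learned baseline.
    Assumption: the increase is relative to the baseline; a zero baseline with
    any traffic is treated as an unbounded increase."""
    if baseline_tps <= 0:
        return float("inf") if current_tps > 0 else 0.0
    return (current_tps - baseline_tps) / baseline_tps * 100.0


def rate_based_is_attacker(t: TpsThresholds, baseline_tps: float, current_tps: float) -> bool:
    """rateBasedDetection decision: at or above maximumTps the entity is always an
    attacker; otherwise both minimumTps and tpsIncreaseRate must be met."""
    if current_tps >= t.maximum_tps:
        return True
    return bool(current_tps >= t.minimum_tps
                and tps_increase_percent(baseline_tps, current_tps) >= t.tps_increase_rate)


def stress_based_is_attacker(t: TpsThresholds, baseline_tps: float, current_tps: float,
                             server_under_stress: bool) -> bool:
    """stressBasedDetection decision: the same TPS test, but only while the
    system finds the server to be under stress."""
    return bool(server_under_stress) and rate_based_is_attacker(t, baseline_tps, current_tps)


def mitigation_step(enabled_methods: List[str], elapsed_s: int,
                    escalation_period: int = 120, de_escalation_period: int = 7200) -> str:
    """Which enabled mitigation method is active `elapsed_s` seconds after mitigation
    started. Each step lasts at least escalationPeriod seconds and the last step stays
    active; after deEscalationPeriod seconds the sequence restarts from the first method
    (0 disables the restart). Assumption: `enabled_methods` is in the order tried."""
    if not enabled_methods:
        raise ValueError("no mitigation method enabled")
    if escalation_period < 1:
        raise ValueError("escalationPeriod must be at least 1")
    if de_escalation_period > 0:
        elapsed_s %= de_escalation_period
    index = min(elapsed_s // escalation_period, len(enabled_methods) - 1)
    return enabled_methods[index]


if __name__ == "__main__":
    # Constructed sample: a learned baseline of 10 TPS for one source IP.
    print(rate_based_is_attacker(SOURCE_IP_DEFAULTS, 10, 100))   # True: 100 >= 40 and +900%
    print(rate_based_is_attacker(SOURCE_IP_DEFAULTS, 50, 100))   # False: +100% is below 500%
    print(rate_based_is_attacker(SOURCE_IP_DEFAULTS, 50, 250))   # True: 250 >= maximumTps 200
    print(stress_based_is_attacker(SOURCE_IP_DEFAULTS, 10, 100, server_under_stress=False))
    steps = ["clientSideDefense", "captchaChallenge", "rateLimiting"]
    print(mitigation_step(steps, 0), mitigation_step(steps, 240), mitigation_step(steps, 7200))
```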
DOS_Profile.applicationAllowlist (object)¶
Specifies the IP addresses and subnets allowlist configuration for Application Security (overrides the global allowlist). Reference to a firewall address list or net address list.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP firewall address list or net address list |
use | string | | | AS3 pointer to firewall address list or net address list declaration |
DOS_Profile.applicationWhitelist (object)¶
Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (overrides the global allowlist). Reference to a firewall address list or net address list.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP firewall address list or net address list |
use | string | | | AS3 pointer to firewall address list or net address list declaration |
DOS_Profile.network (object)¶
Network security sub-profile
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
dynamicSignatures | object | {} | ||
vectors | array | | | A list of configured network DoS vectors |
DOS_Profile.network.dynamicSignatures (object)¶
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
detectionMode | string | “disabled” | “disabled”, “learn-only”, “enabled” | Selects the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled; when enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic vectors. Select learn-only to track dynamic vector statistics without enforcing any thresholds or limits. |
mitigationMode | string | “none” | “none”, “low”, “medium”, “high” | Specify the mitigation sensitivity for dynamic signatures |
scrubbingCategory | object | | | Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category. |
scrubbingDuration | integer | 500 | 60 - 4294967295 | Specify the duration in seconds for which an IP address is added to the denylist category |
scrubbingEnabled | boolean | false | true, false | Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category. |
DOS_Profile.network.dynamicSignatures.scrubbingCategory (object)¶
Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Profile.protocolDNS (object)¶
DNS protocol security sub-profile
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
vectors | array | | | A list of configured DNS DoS vectors |
DOS_Profile.protocolSIP (object)¶
SIP protocol security sub-profile
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
vectors | array | | | A list of configured SIP DoS vectors |
DOS_Profile.whitelist (object)¶
Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP firewall address list or net address list |
use | string | | | AS3 pointer to firewall address list or net address list declaration |
DOS_Auto_Denylist_Settings (object)¶
Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {“bigip”:”/Common/denial_of_service”} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category. |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_Auto_Denylist_Settings.category (object)¶
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category.
Default: {“bigip”:”/Common/denial_of_service”}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Bad_Actor_Detection_Settings (object)¶
Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
enabled | boolean | false | true, false | Specifies that Bad Actor detection is enabled |
sourceDetectionThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the number of packets per second to identify an IP address as a bad actor |
sourceMitigationThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the rate limit applied to a source IP that is identified as a bad actor |
DOS_DNS_Vector (object)¶
Protocol DNS Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
autoAttackCeiling | integer | 4294967295 | 0 - 4294967295 | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor | integer | 100 | 0 - 4294967295 | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings | object | {} | | Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
autoDenylistSettings | object | | | Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
badActorSettings | object | {} | | Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure. |
rateIncreaseThreshold | integer | 500 | 0 - 4294967295 | Specifies the percentage rate increase the system must discover in traffic in order to detect this attack |
rateLimit | integer | 4294967295 | 0 - 4294967295 | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold | integer | 4294967295 | 0 - 4294967295 | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled | boolean | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state | string | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation). |
thresholdMode | string | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type* | string | | “a”, “aaaa”, “any”, “axfr”, “cname”, “ixfr”, “mx”, “ns”, “nxdomain”, “other”, “ptr”, “qdcount”, “soa”, “srv”, “txt”, “malformed” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
DOS_DNS_Vector.autoBlacklistSettings (object)¶
Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_DNS_Vector.autoBlacklistSettings.category (object)¶
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_DNS_Vector.autoDenylistSettings (object)¶
Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_DNS_Vector.autoDenylistSettings.category (object)¶
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_DNS_Vector.badActorSettings (object)¶
Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
enabled | boolean | false | true, false | Specifies that Bad Actor detection is enabled |
sourceDetectionThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the number of packets per second to identify an IP address as a bad actor |
sourceMitigationThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the rate limit applied to a source IP that is identified as a bad actor |
DOS_Network_Vector (object)¶
Network Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
autoAttackCeiling | integer | 4294967295 | 0 - 4294967295 | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor | integer | 100 | 0 - 4294967295 | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings | object | {} | | Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
autoDenylistSettings | object | | | Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
badActorSettings | object | {} | | Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure. |
rateIncreaseThreshold | integer | 500 | 0 - 4294967295 | Specify percent of rate increase the system must discover in traffic in order to detect this attack |
rateLimit | integer | 4294967295 | 0 - 4294967295 | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold | integer | 4294967295 | 0 - 4294967295 | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled | boolean | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state | string | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation). |
thresholdMode | string | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type | string | | “ext-hdr-too-large”, “hop-cnt-low”, “host-unreachable”, “icmpv4-flood”, “icmpv6-flood”, “icmp-frag”, “ip-frag-flood”, “ip-low-ttl”, “ip-opt-frames”, “ipv6-ext-hdr-frames”, “ipv6-frag-flood”, “non-tcp-connection”, “opt-present-with-illegal-len”, “sweep”, “tcp-half-open”, “tcp-opt-overruns-tcp-hdr”, “tcp-psh-flood”, “tcp-rst-flood”, “tcp-syn-flood”, “tcp-synack-flood”, “tcp-syn-oversize”, “tcp-bad-urg”, “tcp-window-size”, “tidcmp”, “too-many-ext-hdrs”, “udp-flood”, “unk-tcp-opt-type” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
DOS_Network_Vector.autoBlacklistSettings (object)¶
Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_Network_Vector.autoBlacklistSettings.category (object)¶
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Network_Vector.autoDenylistSettings (object)¶
Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_Network_Vector.autoDenylistSettings.category (object)¶
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Network_Vector.badActorSettings (object)¶
Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
enabled | boolean | false | true, false | Specifies that Bad Actor detection is enabled |
sourceDetectionThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the number of packets per second to identify an IP address as a bad actor |
sourceMitigationThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the rate limit applied to a source IP that is identified as a bad actor |
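As an added example (constructed for this reference, not code from F5 or the AS3 project), the following Python checks a DOS_DNS_Vector or DOS_Network_Vector object against the allowed values and ranges listed in the vector tables above, and flags combinations that leave a vector inert, such as badActorSettings enabled with sourceDetectionThreshold left at the 4294967295 default. The sample vector and all of its numbers are constructed for illustration.

```python
"""Added example, constructed for this reference (not F5 code): lint a
DOS_DNS_Vector or DOS_Network_Vector object from an AS3 declaration against
the constraints in the tables above and flag settings that leave the vector
effectively unprotected."""
from typing import Any, Dict, List, Tuple

NO_LIMIT = 4294967295  # documented "no hard limit" sentinel and default

DNS_TYPES = {"a", "aaaa", "any", "axfr", "cname", "ixfr", "mx", "ns",
             "nxdomain", "other", "ptr", "qdcount", "soa", "srv", "txt",
             "malformed"}
STATES = {"disabled", "learn-only", "detect-only", "mitigate"}
THRESHOLD_MODES = {"manual", "stress-based-mitigation", "fully-automatic"}
# property -> (minimum, maximum) as listed in the vector tables
VECTOR_RANGES: Dict[str, Tuple[int, int]] = {
    "autoAttackCeiling": (0, NO_LIMIT), "autoAttackFloor": (0, NO_LIMIT),
    "rateIncreaseThreshold": (0, NO_LIMIT), "rateLimit": (0, NO_LIMIT),
    "rateThreshold": (0, NO_LIMIT),
}
DENYLIST_RANGES = {"attackDetectionTime": (1, NO_LIMIT),
                   "categoryDuration": (60, NO_LIMIT)}


def _check_ranges(obj: Dict[str, Any], ranges: Dict[str, Tuple[int, int]],
                  prefix: str, out: List[str]) -> None:
    """Append a finding for every integer property outside its allowed range."""
    for key, (lo, hi) in ranges.items():
        if key in obj and not (isinstance(obj[key], int) and lo <= obj[key] <= hi):
            out.append(f"{prefix}{key}={obj[key]!r} is outside {lo} - {hi}")


def lint_vector(vector: Dict[str, Any], kind: str = "dns") -> List[str]:
    """Return findings for one vector; an empty list means nothing to report."""
    out: List[str] = []
    if "autoBlacklistSettings" in vector:
        out.append("autoBlacklistSettings is deprecated; use autoDenylistSettings")

    vtype = vector.get("type")
    if kind == "dns":  # type is required (type*) only for DOS_DNS_Vector
        if vtype is None:
            out.append("type is required for DOS_DNS_Vector")
        elif vtype not in DNS_TYPES:
            out.append(f"type={vtype!r} is not a DOS_DNS_Vector type")

    state = vector.get("state", "mitigate")
    if state not in STATES:
        out.append(f"state={state!r} is not one of {sorted(STATES)}")
    mode = vector.get("thresholdMode", "manual")
    if mode not in THRESHOLD_MODES:
        out.append(f"thresholdMode={mode!r} is not one of {sorted(THRESHOLD_MODES)}")
    _check_ranges(vector, VECTOR_RANGES, "", out)

    # In manual mode the defaults are the no-limit sentinel, so the pps
    # detection criterion never fires and the per-vector drop never happens.
    if mode == "manual" and state != "disabled":
        if vector.get("rateThreshold", NO_LIMIT) == NO_LIMIT:
            out.append("rateThreshold left at 4294967295: pps detection never triggers")
        if state == "mitigate" and vector.get("rateLimit", NO_LIMIT) == NO_LIMIT:
            out.append("rateLimit left at 4294967295: packets of this type are never dropped")

    bad = vector.get("badActorSettings", {})
    if bad.get("enabled") and bad.get("sourceDetectionThreshold", NO_LIMIT) == NO_LIMIT:
        out.append("badActorSettings enabled but sourceDetectionThreshold left at "
                   "4294967295: no source IP is ever identified as a bad actor")

    deny_key = "autoDenylistSettings" if "autoDenylistSettings" in vector else "autoBlacklistSettings"
    deny = vector.get(deny_key, {})
    if deny.get("enabled"):
        _check_ranges(deny, DENYLIST_RANGES, deny_key + ".", out)
        if deny.get("externalAdvertisementEnabled"):
            out.append("externalAdvertisementEnabled advertises denylisted addresses to BGP "
                       "routers; confirm the category's Blacklist Publisher is configured")
    return out


# Constructed sample: a DNS "any" vector as it might appear in the protocolDNS
# sub-profile of a DOS_Profile; the numbers are illustrative, not recommended values.
EXAMPLE_DNS_VECTOR: Dict[str, Any] = {
    "type": "any",
    "state": "mitigate",
    "thresholdMode": "manual",
    "rateThreshold": 20000,
    "rateIncreaseThreshold": 500,
    "rateLimit": 50000,
    "badActorSettings": {"enabled": True, "sourceDetectionThreshold": 1000,
                         "sourceMitigationThreshold": 200},
    "autoDenylistSettings": {"enabled": True, "attackDetectionTime": 60,
                             "categoryDuration": 14400,
                             "category": {"bigip": "/Common/denial_of_service"}},
}

if __name__ == "__main__":
    for line in lint_vector(EXAMPLE_DNS_VECTOR) or ["no findings"]:
        print(line)
```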
DOS_Profile_Application (object)¶
Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowlistedGeolocations | array | | | Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack |
blacklistedGeolocations | array | | | Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack |
botDefense | object | {} | | This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following: (1) The system sends a client-side JavaScript challenge to the browser. (2) If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session. (3) The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript. Note: This feature requires browsers to allow JavaScript. Important: The proactive bot defense feature also works in Transparent mode. This means that the system replaces responses with client-side JavaScript in Transparent mode too, so a client that cannot run JavaScript will not receive the server responses. Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist. This method is intended to complement, not replace, the other mitigation methods. |
botSignatures | object | {} | | This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms. |
captchaResponse | object | {} | | Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response. |
denylistedGeolocations | array | | | Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack |
heavyURLProtection | object | {} | | Configure Heavy URL include list, automatic detection, and exclude list. Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by-URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks. |
mobileDefense | object | {} | | This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled. |
profileAcceleration | object | | | Select a TCP fastL4 profile to be used as a fast-path for acceleration. Reference to a fast L4 profile; reference for a BIG-IP or Use object. |
rateBasedDetection | object | {} | | Configures the detection of DoS attacks based on high volume of incoming traffic. Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations. Transaction rate detection interval: the average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds. Transaction rate history interval: the average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds. In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile. |
recordTraffic | object | {} | | This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration. |
remoteTriggeredBlackHoleDuration | integer | | 0 - 4294967295 | Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module; if this property is unspecified, it is disabled. |
scrubbingDuration | integer | | 0 - 4294967295 | Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module; if this property is unspecified, it is disabled. |
singlePageApplicationEnabled | boolean | false | true, false | Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above. |
stressBasedDetection | object | {} | | Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed. |
triggerIRule | boolean | false | true, false | Specifies that the system activates an Application DoS iRule event |
whitelistedGeolocations | array | | | Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack |
DOS_Profile_Application.botDefense (object)¶
This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
- The system sends a client-side JavaScript challenge to the browser.
- If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
- The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.
Note: This feature requires browsers to allow JavaScript.
Important: The proactive bot defense feature also works in Transparent mode. This means that the system replaces responses with client-side JavaScript in Transparent mode too, so a client that cannot run JavaScript will not receive the server responses.
Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.
This method is intended to complement, not replace, the other mitigation methods.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockSuspiscousBrowsers | boolean | true | true, false | Detect and block requests from highly suspicious browsers |
crossDomainRequests | string | “allow-all” | “allow-all”, “validate-bulk”, “validate-upon-request” | Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
externalDomains | array | | | Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above. |
gracePeriod | integer | 300 | 0 - 4294967295 | The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above. |
issueCaptchaChallenge | boolean | true | true, false | Issue CAPTCHA challenges to moderately suspicious browsers |
mode | string | “off” | “off”, “during-attacks”, “always” | Specifies the conditions under which bots are detected and blocked |
siteDomains | array | | | Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
urlAllowlist | array | | | Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
urlWhitelist | array | | | Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation |
DOS_Profile_Application.botSignatures (object)¶
This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockedCategories | array | | | The system blocks and reports requests that match signatures in this list of categories |
checkingEnabled | boolean | false | true, false | Specifies the system uses signatures to check whether a bot is benign or malicious |
disabledSignatures | array | | | A list of signatures the system ignores when it matches requests with configured bot signatures |
reportedCategories | array | The system logs requests that match signatures in this list of categories and counts them in the DoS reports |
DOS_Profile_Application.captchaResponse (object)¶
Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
failure | string | | | Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA |
first | string | | | Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA |
DOS_Profile_Application.heavyURLProtection (object)¶
Configure Heavy URL include list, automatic detection, and exclude list. Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by-URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
automaticDetectionEnabled | boolean | true | true, false | Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site |
detectionThreshold | integer | 1000 | 16 - 4294967295 | Specifies the latency threshold for automatic heavy URL detection (in milliseconds) |
excludeList | array | | | URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards. |
protectList | array | | | URLs you expect to be heavy even if the system does not automatically detect them as being heavy |
DOS_Profile_Application.mobileDefense (object)¶
This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled. When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowAndroidPublishers | array | | | Publisher certificates to allow. All others are blocked. An empty list allows all publishers. |
allowAndroidRootedDevice | boolean | false | true, false | Select to allow traffic from rooted Android devices |
allowEmulators | boolean | false | true, false | Select to allow traffic from applications run on emulators |
allowIosPackageNames | array | | | Package names to allow. All others are blocked. An empty list allows all package names. |
allowJailbrokenDevices | boolean | false | true, false | Select to allow traffic from jailbroken iOS devices |
clientSideChallengeMode | string | “pass” | “pass”, “challenge” | Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented |
enabled | boolean | false | true, false | When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives. |
DOS_Profile_Application.profileAcceleration (object)¶
Select a TCP fastL4 profile to be used as a fast-path for acceleration. Reference to a fast L4 profile; reference for a BIG-IP or Use object.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | | | “f5bigip” formatted string | |
use | | | | |
DOS_Profile_Application.rateBasedDetection (object)¶
Configures the detection of DoS attacks based on high volume of incoming traffic. Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
- Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
- Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | Specifies the criteria that determines when the system treats a device as an attacker | |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | Specifies the criteria that determines when the system treats a geolocation as an attacker | |
operationMode | string | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site | object | {} | Specifies the criteria that determines when the system treats a site as an attacker | |
sourceIP | object | {} | Specifies the criteria that determines when the system treats a source IP address as an attacker | |
thresholdsMode | string | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url | object | {} | Specifies the criteria that determines when the system treats a URL as an attacker |
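The decision logic implied by the description above and by the per-entity threshold rows (minimumTps, tpsIncreaseRate, maximumTps, operationMode, rateLimitingMode), as an added example in Python. This is not BIG-IP or AS3 code: the profile fragment mirrors the rateBasedDetection schema with the documented sourceIP defaults, and the way the three TPS conditions combine (increase measured as a percentage over the history average, "at or above" comparisons, no detection without history) is this example's reading of the text and is flagged as an assumption in the code.

```python
"""TPS-based (rate-based) DoS detection decision, modelled on the schema above.

Added example; not BIG-IP code. The evaluation rules are an assumption drawn
from the property descriptions, not F5's implementation.
"""
from statistics import mean

# Constructed AS3-style fragment: documented sourceIP defaults, blocking mode.
RATE_BASED = {
    "operationMode": "blocking",
    "thresholdsMode": "manual",
    "sourceIP": {
        "minimumTps": 40,
        "maximumTps": 200,
        "tpsIncreaseRate": 500,          # percent increase over history average
        "captchaChallengeEnabled": False,
        "clientSideDefenseEnabled": False,
        "rateLimitingEnabled": True,
        "rateLimitingMode": "rate-limit",
    },
}


def is_attacking(current_tps: float, history_tps: list[float], criteria: dict) -> bool:
    """Return True when a source crosses the manual TPS thresholds.

    current_tps: average requests/second in the latest detection interval.
    history_tps: per-interval averages making up the history window.
    Rules taken from the property descriptions (assumed comparisons are >=):
      * at or above maximumTps the source is always an attacker;
      * otherwise BOTH minimumTps AND the tpsIncreaseRate condition must hold.
    """
    if current_tps >= criteria["maximumTps"]:
        return True
    if current_tps < criteria["minimumTps"]:
        return False
    baseline = mean(history_tps) if history_tps else 0.0
    if baseline == 0:
        # Assumption: with no history there is no increase to measure.
        return False
    increase_pct = (current_tps - baseline) / baseline * 100.0
    return increase_pct >= criteria["tpsIncreaseRate"]


def planned_mitigations(profile: dict, entity: str) -> list[str]:
    """Mitigations the profile enables for a detected entity.

    The order is an assumption; the page lists the methods but not their sequence.
    """
    c = profile[entity]
    steps = []
    if c.get("clientSideDefenseEnabled"):
        steps.append("client-side-integrity-challenge")
    if c.get("captchaChallengeEnabled"):
        steps.append("captcha")
    if c.get("rateLimitingEnabled"):
        steps.append(c.get("rateLimitingMode", "rate-limit"))
    return steps


def evaluate(profile: dict, entity: str, current_tps: float, history_tps: list[float]):
    """Combine detection with operationMode: returns (detected, actions)."""
    mode = profile["operationMode"]
    if mode == "off":
        return False, []
    if not is_attacking(current_tps, history_tps, profile[entity]):
        return False, []
    if mode == "transparent":
        # Assumption: transparent mode reports the attack without mitigating.
        return True, ["report-only"]
    return True, planned_mitigations(profile, entity)


if __name__ == "__main__":
    # Constructed history: a quiet hour at 10 req/s, then a burst to 70 req/s.
    quiet_hour = [10.0] * 360
    print(evaluate(RATE_BASED, "sourceIP", 70.0, quiet_hour))
```

With the defaults, a source must both exceed 40 req/s and be at least 500% above its own hourly average before it is treated as attacking; at 200 req/s it is treated as attacking regardless of history.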
DOS_Profile_Application.rateBasedDetection.deviceID (object)¶
Specifies the criteria that determines when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.rateBasedDetection.geolocation (object)¶
Specifies the criteria that determines when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.rateBasedDetection.site (object)¶
Specifies the criteria that determines when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.rateBasedDetection.sourceIP (object)¶
Specifies the criteria that determines when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.rateBasedDetection.url (object)¶
Specifies the criteria that determines when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Enables heavy URL protection for this entity |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.recordTraffic (object)¶
This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
maximumDuration | integer | 30 | 0 - 4294967295 | Configures the maximum time for each TCP dump recording cycle |
maximumSize | integer | 10 | 0 - 4294967295 | Configures the maximum size (in MB) for each TCP dump recording cycle |
recordTrafficEnabled | boolean | false | true, false | Enables the recording of traffic during attacks |
repetitionInterval | integer | 120 | | Allows multiple TCP dumps to be recorded during a single DoS attack; specifies the interval between successive recording cycles |
DOS_Profile_Application.stressBasedDetection (object)¶
Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates the DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
badActor | object | {} | Specifies properties of Behavioral Detection in Stress-based anomaly. The available mitigation options are described under the badActor sub-object below. | |
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | Specifies the criteria that determines when the system treats a device as an attacker | |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | Specifies the criteria that determines when the system treats a geolocation as an attacker | |
operationMode | string | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site | object | {} | Specifies the criteria that determines when the system treats a site as an attacker | |
sourceIP | object | {} | Specifies the criteria that determines when the system treats a source IP address as an attacker | |
thresholdsMode | string | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url | object | {} | Specifies the criteria that determines when the system treats a URL as an attacker |
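The escalationPeriod and deEscalationPeriod rows, which appear with the same meaning in both the rateBasedDetection and stressBasedDetection tables, describe a schedule rather than a threshold: each enabled method runs for at least escalationPeriod seconds, the system then moves to the next enabled method, and after deEscalationPeriod seconds since mitigation began it starts over from the first method (0 disables the restart). The following Python is an added example of that schedule, not BIG-IP or AS3 code; the order in which methods escalate, and the choice to stay on the last method until de-escalation, are assumptions not stated on the page.

```python
"""Mitigation escalation schedule built from escalationPeriod and deEscalationPeriod.

Added example; not BIG-IP code. Method order and "stay on the last step"
behaviour are assumptions; the page gives only the two timing properties.
"""
from dataclasses import dataclass


@dataclass
class EscalationPolicy:
    methods: list[str]                 # enabled methods, in assumed escalation order
    escalation_period: int = 120       # seconds per step; schema range 1 - 3600
    de_escalation_period: int = 7200   # seconds before restarting; 0 = never

    def __post_init__(self) -> None:
        # Enforce the ranges documented in the schema tables.
        if not 1 <= self.escalation_period <= 3600:
            raise ValueError("escalationPeriod must be 1 - 3600")
        if not 0 <= self.de_escalation_period <= 86400:
            raise ValueError("deEscalationPeriod must be 0 - 86400")
        if not self.methods:
            raise ValueError("at least one mitigation method must be enabled")

    def active_method(self, seconds_since_start: int) -> str:
        """Method in effect at a given time while the attack persists."""
        t = seconds_since_start
        if self.de_escalation_period:
            # De-escalation: wrap around and retry from the first method.
            t %= self.de_escalation_period
        step = t // self.escalation_period
        # Assumption: once every enabled method has been tried, stay on the last one.
        step = min(step, len(self.methods) - 1)
        return self.methods[step]

    def timeline(self, total_seconds: int, tick: int = 60) -> list[tuple[int, str]]:
        """(time, method) pairs at each change over an ongoing attack."""
        out: list[tuple[int, str]] = []
        last = None
        for t in range(0, total_seconds + 1, tick):
            m = self.active_method(t)
            if m != last:
                out.append((t, m))
                last = m
        return out


def policy_from_profile(detection: dict, entity: str) -> EscalationPolicy:
    """Build a policy from a rate/stress-based detection fragment for one entity.

    Assumed order: client-side integrity challenge, then CAPTCHA, then rate
    limiting in its configured mode.
    """
    c = detection[entity]
    methods = []
    if c.get("clientSideDefenseEnabled"):
        methods.append("client-side-integrity-challenge")
    if c.get("captchaChallengeEnabled"):
        methods.append("captcha")
    if c.get("rateLimitingEnabled"):
        methods.append(c.get("rateLimitingMode", "rate-limit"))
    return EscalationPolicy(
        methods,
        detection.get("escalationPeriod", 120),
        detection.get("deEscalationPeriod", 7200),
    )


if __name__ == "__main__":
    # Constructed fragment: all three methods enabled for sourceIP, defaults otherwise.
    fragment = {
        "escalationPeriod": 120,
        "deEscalationPeriod": 7200,
        "sourceIP": {
            "clientSideDefenseEnabled": True,
            "captchaChallengeEnabled": True,
            "rateLimitingEnabled": True,
            "rateLimitingMode": "rate-limit",
        },
    }
    print(policy_from_profile(fragment, "sourceIP").timeline(7300, 60))
```

With the defaults, an attack that is not stopped by the first method reaches rate limiting after four minutes and stays there; only after two hours does the system fall back to the gentler methods, which is the behaviour to keep in mind when choosing a short deEscalationPeriod against a persistent attacker.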
DOS_Profile_Application.stressBasedDetection.badActor (object)¶
Specifies properties of Behavioral Detection in Stress-based anomaly.
The following mitigation options are available:
- Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
acceleratedSignaturesEnabled | boolean | false | true, false | Enables signature detection before the connection establishment |
detectionEnabled | boolean | false | true, false | Enables traffic behavior, server’s capacity learning, and anomaly detection |
mitigationMode | string | “none” | “none”, “conservative”, “standard”, “aggressive” | Specifies mitigation impact on suspicious bad actors/requests |
signatureDetectionEnabled | boolean | false | true, false | Enables request signature detection |
tlsSignaturesEnabled | boolean | false | true, false | Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above. |
useApprovedSignaturesOnly | boolean | false | true, false | Limits request signature detection to approved signatures only |
DOS_Profile_Application.stressBasedDetection.deviceID (object)¶
Specifies the criteria that determines when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.stressBasedDetection.geolocation (object)¶
Specifies the criteria that determines when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.stressBasedDetection.site (object)¶
Specifies the criteria that determines when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.stressBasedDetection.sourceIP (object)¶
Specifies the criteria that determines when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application.stressBasedDetection.url (object)¶
Specifies the criteria that determines when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Enables heavy URL protection for this entity |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Bot_Defense (object)¶
BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
- The system sends a client-side JavaScript challenge to the browser.
- If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
- The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.
Note: This feature requires browsers to allow JavaScript.
Important: The proactive bot defense feature also works in Transparent mode. This means that the system replaces responses with client-side JavaScript in Transparent mode as well, and a client that cannot run JavaScript will not be able to receive the server responses.
Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.
This method is intended to complement, not replace, the other mitigation methods.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockSuspiscousBrowsers | boolean | true | true, false | Detect and block requests from highly suspicious browsers |
crossDomainRequests | string | “allow-all” | “allow-all”, “validate-bulk”, “validate-upon-request” | Specifies how the system responds when it receives a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) that has no valid cookie and carries a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
externalDomains | array | | | Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above. |
gracePeriod | integer | 300 | 0 - 4294967295 | The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above. |
issueCaptchaChallenge | boolean | true | true, false | Issue CAPTCHA challenges to moderately suspicious browsers |
mode | string | “off” | “off”, “during-attacks”, “always” | Specifies the conditions under which bots are detected and blocked |
siteDomains | array | | | Specifies how the system responds when it receives a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) that has no valid cookie and carries a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above. |
urlAllowlist | array | | | Specifies excluded URLs. Requests to these URLs are not blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation. |
urlWhitelist | array | | | Deprecated. Replaced with the functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs are not blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation. |
DOS_Profile_Application_Bot_Signatures (object)¶
This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
blockedCategories | array | | | The system blocks and reports requests that match signatures in this list of categories |
checkingEnabled | boolean | false | true, false | Specifies that the system uses signatures to check whether a bot is benign or malicious |
disabledSignatures | array | | | A list of signatures the system ignores when it matches requests against the configured bot signatures |
reportedCategories | array | | | The system logs requests that match signatures in this list of categories and counts them in the DoS reports |
DOS_Profile_Application_Captcha (object)¶
Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
failure | string | | | Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA |
first | string | | | Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA |
DOS_Profile_Application_Detection_Device (object)¶
Specifies the criteria that determine when the system treats a device as an attacker
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_Geolocation (object)¶
Specifies the criteria that determine when the system treats a geolocation as an attacker
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_IP (object)¶
Specifies the criteria that determine when the system treats a source IP address as an attacker
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_Site (object)¶
Specifies the criteria that determine when the system treats a site as an attacker
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Detection_URL (object)¶
Specifies the criteria that determine when the system treats a URL as an attacker
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Specifies, when enabled, that heavy URL protection should be enabled |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Heavy_URL (object)¶
Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. A low rate of requests to heavy URLs is enough to cause a DoS condition. When an attack is suspected, the system protects the heavy URLs using the per-URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
automaticDetectionEnabled | boolean | true | true, false | Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site |
detectionThreshold | integer | 1000 | 16 - 4294967295 | Specifies the latency threshold for automatic heavy URL detection (in milliseconds) |
excludeList | array | | | URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards. |
protectList | array | | | URLs you expect to be heavy even if the system does not automatically detect them as being heavy |
DOS_Profile_Application_Mobile_Defense (object)¶
When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK are detected and handled according to the settings configured here. When disabled, these requests are handled like any other request, which may let attacks in or cause false positives. Mobile application traffic is treated differently from other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you must still attach a DoS profile with mobile application protection enabled.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
allowAndroidPublishers | array | | | Publisher certificates to allow. All others are blocked. An empty list allows all publishers. |
allowAndroidRootedDevice | boolean | false | true, false | Select to allow traffic from rooted Android devices |
allowEmulators | boolean | false | true, false | Select to allow traffic from applications run on emulators |
allowIosPackageNames | array | | | Package names to allow. All others are blocked. An empty list allows all package names. |
allowJailbrokenDevices | boolean | false | true, false | Select to allow traffic from jailbroken iOS devices |
clientSideChallengeMode | string | “pass” | “pass”, “challenge” | Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented |
enabled | boolean | false | true, false | When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives. |
DOS_Profile_Application_Rate_Based_Detection (object)¶
Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
- Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
- Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the configured percentage, the system detects the URL/site as being under attack, or the IP address/geolocation as attacking. To stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/or to the attacked URL/site, depending on the configuration of the DoS profile.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | | Specifies the criteria that determine when the system treats a device as an attacker |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | | Specifies the criteria that determine when the system treats a geolocation as an attacker |
operationMode | string | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site | object | {} | | Specifies the criteria that determine when the system treats a site as an attacker |
sourceIP | object | {} | | Specifies the criteria that determine when the system treats a source IP address as an attacker |
thresholdsMode | string | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url | object | {} | | Specifies the criteria that determine when the system treats a URL as an attacker |
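The TPS-based detection rule above, modelled as an added example: this is constructed illustration code, not F5's implementation or part of the AS3 project. It assumes the ratio is detection-interval TPS divided by history-interval TPS expressed as a percentage (as the paragraph states), that the minimumTps and tpsIncreaseRate conditions must both hold while maximumTps alone is sufficient (as the sub-object property descriptions state), and it uses the sourceIP defaults; the per-second request counts are constructed sample data.

```python
"""Illustrative model of AS3 TPS-based DoS detection.

Constructed example, not F5's code: the BIG-IP computes these intervals
internally. Threshold field names mirror the AS3 sub-object properties
(DOS_Profile_Application_Rate_Based_Detection.sourceIP defaults).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Sequence

DETECTION_WINDOW_S = 10    # detection interval: recalculated every ten seconds
HISTORY_WINDOW_S = 3600    # history interval: average over the past hour


@dataclass(frozen=True)
class TpsThresholds:
    """Thresholds for one entity type; defaults are the sourceIP defaults."""
    minimumTps: int = 40        # below this a source is never flagged
    tpsIncreaseRate: int = 500  # detection/history ratio, in percent
    maximumTps: int = 200       # at or above this a source is always flagged


def detection_interval_tps(per_second: Sequence[int]) -> float:
    """Average requests/second over the most recent detection window."""
    return mean(per_second[-DETECTION_WINDOW_S:])


def history_interval_tps(per_second: Sequence[int]) -> float:
    """Average requests/second over the history window (past hour)."""
    return mean(per_second[-HISTORY_WINDOW_S:])


def classify(detect_tps: float, history_tps: float, t: TpsThresholds) -> str:
    """Apply the three conditions the reference states; returns 'attack' or 'normal'.

    1. maximumTps: at or above it the source is always an attacker.
    2. minimumTps: below it the source can never be an attacker.
    3. tpsIncreaseRate: the detection/history ratio (as a percentage)
       must exceed it. Conditions 2 and 3 must both hold.
    Assumption (not stated on the page): a zero history rate with traffic
    present is treated as an unbounded increase.
    """
    if detect_tps >= t.maximumTps:
        return "attack"
    if detect_tps < t.minimumTps:
        return "normal"
    if history_tps == 0:
        return "attack"
    ratio_percent = detect_tps / history_tps * 100
    return "attack" if ratio_percent > t.tpsIncreaseRate else "normal"


def evaluate_source(per_second: Sequence[int],
                    t: TpsThresholds = TpsThresholds()) -> dict:
    """Compute both intervals from a per-second request series and classify."""
    detect = detection_interval_tps(per_second)
    history = history_interval_tps(per_second)
    return {"detect_tps": detect, "history_tps": history,
            "verdict": classify(detect, history, t)}


if __name__ == "__main__":
    # Constructed series: ~10 minutes at 10 req/s, then a 10-second burst at 60 req/s.
    quiet = [10] * 590
    burst = quiet + [60] * 10
    print(evaluate_source(quiet))   # verdict: normal (ratio 100%)
    print(evaluate_source(burst))   # verdict: attack (60 >= 40 and ratio ~554% > 500%)
```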
DOS_Profile_Application_Rate_Based_Detection.deviceID (object)¶
Specifies the criteria that determine when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Rate_Based_Detection.geolocation (object)¶
Specifies the criteria that determine when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Rate_Based_Detection.site (object)¶
Specifies the criteria that determine when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Rate_Based_Detection.sourceIP (object)¶
Specifies the criteria that determine when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Rate_Based_Detection.url (object)¶
Specifies the criteria that determine when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Specifies, when enabled, that heavy URL protection is applied to this URL |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Stress_Based_Detection (object)¶
Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds is crossed.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
badActor | object | {} | | Specifies properties of Behavioral Detection in Stress-based anomaly. The following mitigation options are available. Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests. |
deEscalationPeriod | integer | 7200 | 0 - 86400 | When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs. |
deviceID | object | {} | | Specifies the criteria that determine when the system treats a device as an attacker |
escalationPeriod | integer | 120 | 1 - 3600 | Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step. |
geolocation | object | {} | | Specifies the criteria that determine when the system treats a geolocation as an attacker |
operationMode | string | “off” | “off”, “transparent”, “blocking” | Specifies how the system reacts when it detects an attack |
site | object | {} | | Specifies the criteria that determine when the system treats a site as an attacker |
sourceIP | object | {} | | Specifies the criteria that determine when the system treats a source IP address as an attacker |
thresholdsMode | string | “manual” | “manual”, “automatic” | Specifies what type of thresholds to use |
url | object | {} | | Specifies the criteria that determine when the system treats a URL as an attacker |
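The escalationPeriod and deEscalationPeriod rows above describe a stepped mitigation schedule: each enabled method is held for at least escalationPeriod seconds, the last method is kept while the attack continues, and after deEscalationPeriod seconds the system retries from the first method. The following Python is an added example that models that schedule; it is not part of the AS3 schema or F5's code. The method order (client-side defense, then CAPTCHA, then rate limiting) and the assumption that the attack persists through every step are assumptions of this example, not documented behaviour.

```python
# Added example (not F5 code): models the mitigation schedule described by
# escalationPeriod and deEscalationPeriod for one per-entity detection table.
from typing import List, Optional, Tuple

# ASSUMPTION: the order in which enabled per-entity methods are escalated.
METHOD_ORDER = ("client-side-defense", "captcha", "rate-limiting")


def enabled_methods(clientSideDefenseEnabled: bool, captchaChallengeEnabled: bool,
                    rateLimitingEnabled: bool) -> List[str]:
    """Return the enabled methods in the (assumed) order they are tried."""
    flags = (clientSideDefenseEnabled, captchaChallengeEnabled, rateLimitingEnabled)
    return [name for name, on in zip(METHOD_ORDER, flags) if on]


def active_step(methods: List[str], seconds_since_start: int,
                escalationPeriod: int = 120,
                deEscalationPeriod: int = 7200) -> Optional[str]:
    """Method applied at a given time, assuming the attack never stops.

    Each step lasts at least escalationPeriod seconds and the last enabled
    step is held. With deEscalationPeriod > 0 the cycle restarts from the
    first method every deEscalationPeriod seconds; 0 disables de-escalation.
    """
    if not methods:
        return None
    if not 1 <= escalationPeriod <= 3600:
        raise ValueError("escalationPeriod must be in 1 - 3600")
    if not 0 <= deEscalationPeriod <= 86400:
        raise ValueError("deEscalationPeriod must be in 0 - 86400")
    t = seconds_since_start
    if deEscalationPeriod > 0:
        t %= deEscalationPeriod          # restart the cycle from the first step
    index = min(t // escalationPeriod, len(methods) - 1)
    return methods[index]


def schedule(methods: List[str], horizon_seconds: int,
             escalationPeriod: int = 120,
             deEscalationPeriod: int = 7200) -> List[Tuple[int, Optional[str]]]:
    """(start_second, method) transitions up to the horizon, for review."""
    out: List[Tuple[int, Optional[str]]] = []
    last: Optional[str] = None
    for t in range(0, horizon_seconds + 1):
        step = active_step(methods, t, escalationPeriod, deEscalationPeriod)
        if step != last:
            out.append((t, step))
            last = step
    return out


if __name__ == "__main__":
    methods = enabled_methods(True, True, True)
    for start, step in schedule(methods, 7500):
        print(f"t={start:>5}s  {step}")
```

With all three methods enabled and the defaults, the schedule moves through client-side defense, CAPTCHA and rate limiting at 0 s, 120 s and 240 s, holds rate limiting, and returns to the first step at 7200 s; setting deEscalationPeriod to 0 keeps the last step indefinitely.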
DOS_Profile_Application_Stress_Based_Detection.badActor (object)¶
Specifies properties of Behavioral Detection in Stress-based anomaly.
The following mitigation options are available:
- Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
acceleratedSignaturesEnabled | boolean | false | true, false | Enables signature detection before connection establishment |
detectionEnabled | boolean | false | true, false | Enables traffic behavior, server’s capacity learning, and anomaly detection |
mitigationMode | string | “none” | “none”, “conservative”, “standard”, “aggressive” | Specifies mitigation impact on suspicious bad actors/requests |
signatureDetectionEnabled | boolean | false | true, false | Enables request signature detection |
tlsSignaturesEnabled | boolean | false | true, false | Enables TLS signature detection before connection establishment. This property is available on BIGIP 14.1 and above. |
useApprovedSignaturesOnly | boolean | false | true, false | Limits request signature detection to approved signatures only |
DOS_Profile_Application_Stress_Based_Detection.deviceID (object)¶
Specifies the criteria that determine when the system treats a device as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Stress_Based_Detection.geolocation (object)¶
Specifies the criteria that determine when the system treats a geolocation as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumAutoTps | integer | 50 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumShare | integer | 10 | 0 - 4294967295 | The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
shareIncreaseRate | integer | 500 | 0 - 4294967295 | The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Stress_Based_Detection.site (object)¶
Specifies the criteria that determine when the system treats a site as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 20000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 10000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 2000 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Stress_Based_Detection.sourceIP (object)¶
Specifies the criteria that determine when the system treats a source IP address as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 200 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 40 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
rateLimitingMode | string | “rate-limit” | “rate-limit”, “block-all” | Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’). |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
DOS_Profile_Application_Stress_Based_Detection.url (object)¶
Specifies the criteria that determine when the system treats a URL as an attacker
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
captchaChallengeEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.) |
clientSideDefenseEnabled | boolean | false | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.) |
heavyURLProtectionEnabled | boolean | true | true, false | Specifies, when enabled, that heavy URL protection is applied to this URL |
maximumAutoTps | integer | 5000 | 0 - 4294967295 | Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
maximumTps | integer | 1000 | 0 - 4294967295 | The maximum number of transactions per second before a source is always considered an attacking entity |
minimumAutoTps | integer | 5 | 0 - 4294967295 | Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity |
minimumTps | integer | 200 | 0 - 4294967295 | The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity. |
rateLimitingEnabled | boolean | true | true, false | Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic |
tpsIncreaseRate | integer | 500 | 0 - 4294967295 | The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity. |
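The per-entity tables above (sourceIP, url, deviceID and site, in both the rate-based and the stress-based sections) all state the same two-part rule: an entity is an attacker when it exceeds maximumTps outright, or when it reaches minimumTps and its rate has grown by at least tpsIncreaseRate percent; the geolocation table uses traffic share with minimumShare and shareIncreaseRate instead, and stress-based detection additionally requires the server to be under stress. The following Python is an added example that evaluates those criteria; it is not part of the AS3 schema or F5's code. The comparison directions (strictly above the maximum, at or above the minimum), the treatment of a zero baseline, and the rule that automatic mode clamps learned thresholds into the [minimumAutoTps, maximumAutoTps] band are assumptions of this example, not documented behaviour.

```python
# Added example (not F5 code): evaluates the per-entity DoS detection criteria
# described in the schema tables. Field names mirror the schema properties.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TpsCriteria:
    """Thresholds for sourceIP/url/deviceID/site (sourceIP defaults shown)."""
    minimumTps: int = 40
    maximumTps: int = 200
    tpsIncreaseRate: int = 500      # percent increase over the learned baseline
    minimumAutoTps: int = 5
    maximumAutoTps: int = 5000


@dataclass
class ShareCriteria:
    """Geolocation thresholds: share of total traffic in percent, not raw TPS."""
    minimumShare: int = 10
    shareIncreaseRate: int = 500


def increase_percent(baseline: float, current: float) -> float:
    """Percentage growth of current over baseline. ASSUMPTION: any traffic on
    a zero baseline counts as an unbounded increase."""
    if baseline <= 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) / baseline * 100.0


def effective_tps_thresholds(cfg: TpsCriteria, thresholdsMode: str,
                             learned_min: Optional[float] = None,
                             learned_max: Optional[float] = None) -> Tuple[float, float]:
    """Manual mode uses minimumTps/maximumTps as written. ASSUMPTION: automatic
    mode clamps the learned thresholds into [minimumAutoTps, maximumAutoTps]."""
    if thresholdsMode == "manual":
        return float(cfg.minimumTps), float(cfg.maximumTps)
    if thresholdsMode != "automatic":
        raise ValueError("thresholdsMode must be 'manual' or 'automatic'")
    if learned_min is None or learned_max is None:
        raise ValueError("automatic mode needs learned thresholds")
    lo = min(max(learned_min, cfg.minimumAutoTps), cfg.maximumAutoTps)
    hi = min(max(learned_max, cfg.minimumAutoTps), cfg.maximumAutoTps)
    return lo, max(lo, hi)


def is_attacking_entity(cfg: TpsCriteria, baseline_tps: float, current_tps: float,
                        thresholdsMode: str = "manual",
                        learned_min: Optional[float] = None,
                        learned_max: Optional[float] = None) -> Tuple[bool, str]:
    """Two ways in: above the maximum alone, or at least the minimum AND a
    growth of at least tpsIncreaseRate percent (both conditions required)."""
    lo, hi = effective_tps_thresholds(cfg, thresholdsMode, learned_min, learned_max)
    if current_tps > hi:
        return True, "maximum TPS exceeded"
    if current_tps >= lo and increase_percent(baseline_tps, current_tps) >= cfg.tpsIncreaseRate:
        return True, "minimum TPS reached and increase rate met"
    return False, "below thresholds"


def is_attacking_geolocation(cfg: ShareCriteria, baseline_share: float,
                             current_share: float) -> bool:
    """Geolocation variant: minimum share AND share increase rate must both hold."""
    return (current_share >= cfg.minimumShare
            and increase_percent(baseline_share, current_share) >= cfg.shareIncreaseRate)


def stress_based_attack(server_under_stress: bool, entity_verdict: bool) -> bool:
    """Stress-based detection fires only when the server is under stress AND a
    threshold condition is crossed; rate-based detection uses the verdict alone."""
    return server_under_stress and entity_verdict


if __name__ == "__main__":
    # Constructed sample: a source that grew from 5 to 40 TPS (700 % increase).
    print(is_attacking_entity(TpsCriteria(), baseline_tps=5, current_tps=40))
    print(stress_based_attack(False, is_attacking_entity(TpsCriteria(), 5, 40)[0]))
```

The example makes the practical difference between the tables visible: with the sourceIP defaults, a source growing from 30 to 100 TPS is not an attacker (233 % is below the 500 % increase rate even though 100 TPS is above the minimum), while a source at 201 TPS is flagged regardless of its history.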
DOS_Profile_Application_Stress_Based_Detection_Bad_Actor (object)¶
Specifies properties of Behavioral Detection in Stress-based anomaly.
The following mitigation options are available:
- Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
- Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
acceleratedSignaturesEnabled | boolean | false | true, false | Enables signature detection before connection establishment |
detectionEnabled | boolean | false | true, false | Enables traffic behavior, server’s capacity learning, and anomaly detection |
mitigationMode | string | “none” | “none”, “conservative”, “standard”, “aggressive” | Specifies mitigation impact on suspicious bad actors/requests |
signatureDetectionEnabled | boolean | false | true, false | Enables request signature detection |
tlsSignaturesEnabled | boolean | false | true, false | Enables TLS signature detection before connection establishment. This property is available on BIGIP 14.1 and above. |
useApprovedSignaturesOnly | boolean | false | true, false | Limits request signature detection to approved signatures only |
DOS_Profile_Application_TCP_Dump (object)¶
Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
maximumDuration | integer | 30 | 0 - 4294967295 | Configures the maximum time for each TCP dump recording cycle |
maximumSize | integer | 10 | 0 - 4294967295 | Configures the maximum size (in MB) for each TCP dump recording cycle |
recordTrafficEnabled | boolean | false | true, false | Enables the recording of traffic during attacks |
repetitionInterval | integer | 120 | | Allows multiple TCP dumps to be recorded during a single DoS attack |
DOS_Profile_Network (object)¶
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
dynamicSignatures | object | {} | ||
vectors | array | | | A list of configured network DoS vectors |
DOS_Profile_Network.dynamicSignatures (object)¶
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
detectionMode | string | “disabled” | “disabled”, “learn-only”, “enabled” | Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic vectors. Select learn-only to track dynamic vector statistics without enforcing any thresholds or limits. |
mitigationMode | string | “none” | “none”, “low”, “medium”, “high” | Specify the mitigation sensitivity for dynamic signatures |
scrubbingCategory | object | | | Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category |
scrubbingDuration | integer | 500 | 60 - 4294967295 | Specify the duration in seconds for which an IP address is added to the denylist category |
scrubbingEnabled | boolean | false | true, false | Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category. |
DOS_Profile_Network.dynamicSignatures.scrubbingCategory (object)¶
Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Profile_Network_Dynamic_Signatures (object)¶
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
detectionMode | string | “disabled” | “disabled”, “learn-only”, “enabled” | Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic vectors. Select learn-only to track dynamic vector statistics without enforcing any thresholds or limits. |
mitigationMode | string | “none” | “none”, “low”, “medium”, “high” | Specify the mitigation sensitivity for dynamic signatures |
scrubbingCategory | object | | | Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category |
scrubbingDuration | integer | 500 | 60 - 4294967295 | Specify the duration in seconds for which an IP address is added to the denylist category |
scrubbingEnabled | boolean | false | true, false | Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category. |
DOS_Profile_Network_Dynamic_Signatures.scrubbingCategory (object)¶
Specifies the IP intelligence denylist category to which scrubbed IPs are sent. Reference to a denylist category.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP denylist category |
DOS_Profile_Protocol_DNS (object)¶
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
vectors | array | | | A list of configured DNS DoS vectors |
DOS_Profile_Protocol_SIP (object)¶
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
vectors | array | | | A list of configured SIP DoS vectors |
DOS_SIP_Vector (object)¶
Protocol SIP Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
autoAttackCeiling | integer | 4294967295 | 0 - 4294967295 | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295. |
autoAttackFloor | integer | 100 | 0 - 4294967295 | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. |
autoBlacklistSettings | object | {} | | Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
autoDenylistSettings | object | | | Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector |
badActorSettings | object | {} | | Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure. |
rateIncreaseThreshold | integer | 500 | 0 - 4294967295 | Specify percent of rate increase the system must discover in traffic in order to detect this attack |
rateLimit | integer | 4294967295 | 0 - 4294967295 | Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. |
rateThreshold | integer | 4294967295 | 0 - 4294967295 | Specify how many packets per second the system must discover in traffic in order to detect this attack |
simulateAutoThresholdEnabled | boolean | false | true, false | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds |
state | string | “mitigate” | “disabled”, “learn-only”, “detect-only”, “mitigate” | Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation). |
thresholdMode | string | “manual” | “manual”, “stress-based-mitigation”, “fully-automatic” | Specifies how thresholds are set for this vector |
type* | string | “ack”, “cancel”, “message”, “options”, “prack”, “register”, “bye”, “invite”, “notify”, “other”, “publish”, “subscribe”, “uri-limit”, “malformed” | Specifies the name of the DoS attack vector whose thresholds you are configuring |
DOS_SIP_Vector.autoBlacklistSettings (object)
Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_SIP_Vector.autoBlacklistSettings.category (object)
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category.
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | "f5bigip" formatted string | Pathname of existing BIG-IP denylist category |
DOS_SIP_Vector.autoDenylistSettings (object)
Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
attackDetectionTime | integer | 60 | 1 - 4294967295 | Specifies the time in seconds before a vector is denylisted |
category | object | {"bigip":"/Common/denial_of_service"} | | Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category |
categoryDuration | integer | 14400 | 60 - 4294967295 | Specifies the time in seconds before the denylist entry is removed |
enabled | boolean | false | true, false | Specifies if automatic denylist management should be used |
externalAdvertisementEnabled | boolean | false | true, false | Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher |
DOS_SIP_Vector.autoDenylistSettings.category (object)
Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category.
Default: {"bigip":"/Common/denial_of_service"}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | "f5bigip" formatted string | Pathname of existing BIG-IP denylist category |
DOS_SIP_Vector.badActorSettings (object)
Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
Default: {}
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
enabled | boolean | false | true, false | Specifies that Bad Actor detection is enabled |
sourceDetectionThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the number of packets per second to identify an IP address as a bad actor |
sourceMitigationThreshold | integer | 4294967295 | 0 - 4294967295 | Specifies the rate limit applied to a source IP that is identified as a bad actor |
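The protocolSIP sub-profile, DOS_SIP_Vector and its autoDenylistSettings and badActorSettings tables above, as an added Python example that is not part of the AS3 reference or F5's own code: it fills in the tables' defaults, checks each vector against the tables' enums and ranges, and assembles a DOS_Profile object. The tenant and application wrapper is left out, and the threshold values used are assumed sample numbers, not recommendations.

```python
# Enums and bounds taken from the DOS_SIP_Vector tables above.
SIP_TYPES = {"ack", "cancel", "message", "options", "prack", "register", "bye",
             "invite", "notify", "other", "publish", "subscribe", "uri-limit",
             "malformed"}
STATES = {"disabled", "learn-only", "detect-only", "mitigate"}
MODES = {"manual", "stress-based-mitigation", "fully-automatic"}
U32 = 4294967295  # schema maximum; also the "no hard limit" sentinel
DEFAULTS = {"state": "mitigate", "thresholdMode": "manual", "rateThreshold": U32,
            "rateLimit": U32, "rateIncreaseThreshold": 500,
            "autoAttackFloor": 100, "autoAttackCeiling": U32}


def sip_vector(vtype, **opts):
    """Return a DOS_SIP_Vector dict: table defaults, then caller overrides."""
    return dict(DEFAULTS, type=vtype, **opts)


def check_sip_vector(vec):
    """Return the schema problems found in one vector (empty list = valid)."""
    errs = []
    if vec.get("type") not in SIP_TYPES:
        errs.append("type %r not a SIP vector" % vec.get("type"))
    if vec.get("state", "mitigate") not in STATES:
        errs.append("bad state %r" % vec.get("state"))
    if vec.get("thresholdMode", "manual") not in MODES:
        errs.append("bad thresholdMode %r" % vec.get("thresholdMode"))
    for key, default in DEFAULTS.items():
        if isinstance(default, int):  # the five 0 - 4294967295 rate fields
            val = vec.get(key, default)
            if not isinstance(val, int) or not 0 <= val <= U32:
                errs.append("%s outside 0 - %d" % (key, U32))
    # autoDenylistSettings has tighter lower bounds than the rate fields.
    dl = vec.get("autoDenylistSettings", {})
    if not 1 <= dl.get("attackDetectionTime", 60) <= U32:
        errs.append("attackDetectionTime outside 1 - %d" % U32)
    if not 60 <= dl.get("categoryDuration", 14400) <= U32:
        errs.append("categoryDuration outside 60 - %d" % U32)
    return errs


def sip_profile():
    """DOS_Profile limiting INVITE floods; thresholds are assumed sample values."""
    invite = sip_vector(
        "invite", rateThreshold=2000, rateLimit=5000,
        autoDenylistSettings={"enabled": True, "attackDetectionTime": 30,
                              "categoryDuration": 3600},
        badActorSettings={"enabled": True, "sourceDetectionThreshold": 300,
                          "sourceMitigationThreshold": 100})
    malformed = sip_vector("malformed", thresholdMode="fully-automatic")
    return {"class": "DOS_Profile", "protocolSIP": {"vectors": [invite, malformed]}}
```

Run check_sip_vector over every vector before submitting the declaration; an empty list for each one means the values fit the ranges in the tables above.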