DOS_Profile (object)

Configures a Denial of Service (DOS) profile

Properties (* = required):

name type(s) default allowed values description
allowlist object     Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above.,Reference to a firewall address list or net address list
application object     Application security sub-profile,Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.
applicationAllowlist object     Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist),Reference to a firewall address list or net address list
applicationWhitelist object     Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist),Reference to a firewall address list or net address list
class string   “DOS_Profile”  
label string   “^[^x00-x1fx22#&*<>?x5b-x5d`x7f]*$” Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML
network object     Network security sub-profile,
protocolDNS object     DNS protocol security sub-profile,
protocolSIP object     SIP protocol security sub-profile,
remark string   “^[^x00-x1fx22x5cx7f]*$” Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks
whitelist object     Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above.,Reference to a firewall address list or net address list

DOS_Profile.allowlist (object)

Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP firewall address list or net address list
use string     AS3 pointer to firewall address list or net address list declaration

DOS_Profile.application (object)

Application security sub-profile Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.

Properties (* = required):

name type(s) default allowed values description
allowlistedGeolocations array     Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack
blacklistedGeolocations array     Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
botDefense object {}   This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers.,BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.
    • botSignatures
    • object
    • {}
    • This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms,This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
    • captchaResponse
    • object
    • {}
    • Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
    • denylistedGeolocations
    • array
    • Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
    • heavyURLProtection
    • object
    • {}
    • Configure Heavy URL include list, automatic detection, and exclude list,Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
    • mobileDefense
    • object
    • {}
    • This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled,When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
    • profileAcceleration
    • object
    • Select a TCP fastL4 profile to be used as a fast-path for acceleration,Reference to a fast L4 profile
    • rateBasedDetection
    • object
    • {}
    • Configures the detection of DoS attacks based on high volume of incoming traffic,Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.
    • recordTraffic
    • object
    • {}
    • This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps.,Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    • remoteTriggeredBlackHoleDuration
    • integer
    • 0 - 4294967295
    • Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module and if this property is unspecified it will be disabled.
    • scrubbingDuration
    • integer
    • 0 - 4294967295
    • Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module and if this property is unspecified it will be disabled.
    • singlePageApplicationEnabled
    • boolean
    • false
    • true, false
    • Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above.
    • stressBasedDetection
    • object
    • {}
    • Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. ,Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.
    • triggerIRule
    • boolean
    • false
    • true, false
    • Specifies that the system activates an Application DoS iRule event
    • whitelistedGeolocations
    • array
    • Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack

DOS_Profile.application.botDefense (object)

This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Default: {}

Properties (* = required):

name type(s) default allowed values description
blockSuspiscousBrowsers boolean true true, false Detect and block requests from highly suspicious browsers
crossDomainRequests string “allow-all” “allow-all”, “validate-bulk”, “validate-upon-request” Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains array     Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod integer 300 0 - 4294967295 The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge boolean true true, false Issue CAPTCHA challenges to moderately suspicious browsers
mode string “off” “off”, “during-attacks”, “always” Specifies the conditions under which bots are detected and blocked
siteDomains array     Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist array     Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist array     Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile.application.botSignatures (object)

This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.

Default: {}

Properties (* = required):

name type(s) default allowed values description
blockedCategories array     The system blocks and reports requests that match signatures in this list of categories
checkingEnabled boolean false true, false Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures array     A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories array     The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile.application.captchaResponse (object)

Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.

Default: {}

Properties (* = required):

name type(s) default allowed values description
failure string     Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first string     Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile.application.heavyURLProtection (object)

Configure Heavy URL include list, automatic detection, and exclude list Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Default: {}

Properties (* = required):

name type(s) default allowed values description
automaticDetectionEnabled boolean true true, false Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold integer 1000 16 - 4294967295 Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList array     URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList array     URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile.application.mobileDefense (object)

This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Default: {}

Properties (* = required):

name type(s) default allowed values description
allowAndroidPublishers array     Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice boolean false true, false Select to allow traffic from rooted Android devices
allowEmulators boolean false true, false Select to allow traffic from applications run on emulators
allowIosPackageNames array     Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices boolean false true, false Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode string “pass” “pass”, “challenge” Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled boolean false true, false When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile.application.profileAcceleration (object)

Select a TCP fastL4 profile to be used as a fast-path for acceleration Reference to a fast L4 profile

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP fast L4 profile
use string     AS3 pointer to fast L4 profile declaration

DOS_Profile.application.rateBasedDetection (object)

Configures the detection of DoS attacks based on high volume of incoming traffic Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

Default: {}

Properties (* = required):

name type(s) default allowed values description
deEscalationPeriod integer 7200 0 - 86400 When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID object {}   Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod integer 120 1 - 3600 Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation object {}   Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode string “off” “off”, “transparent”, “blocking” Specifies how the system reacts when it detects an attack
site object {}   Specifies the criteria that determines when the system treats a site as an attacker
sourceIP object {}   Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode string “manual” “manual”, “automatic” Specifies what type of thresholds to use
url object {}   Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile.application.rateBasedDetection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.recordTraffic (object)

This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Default: {}

Properties (* = required):

name type(s) default allowed values description
maximumDuration integer 30 0 - 4294967295 Configures the maximum time for each TCP dump recording cycle
maximumSize integer 10 0 - 4294967295 Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled boolean false true, false Enables the recording of traffic during attacks
repetitionInterval   120   Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile.application.stressBasedDetection (object)

Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Default: {}

Properties (* = required):

name type(s) default allowed values description
badActor object {}   Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
      • deEscalationPeriod
      • integer
      • 7200
      • 0 - 86400
      • When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
      • deviceID
      • object
      • {}
      • Specifies the criteria that determines when the system treats a device as an attacker
      • escalationPeriod
      • integer
      • 120
      • 1 - 3600
      • Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
      • geolocation
      • object
      • {}
      • Specifies the criteria that determines when the system treats a geolocation as an attacker
      • operationMode
      • string
      • “off”
      • “off”, “transparent”, “blocking”
      • Specifies how the system reacts when it detects an attack
      • site
      • object
      • {}
      • Specifies the criteria that determines when the system treats a site as an attacker
      • sourceIP
      • object
      • {}
      • Specifies the criteria that determines when the system treats a source IP address as an attacker
      • thresholdsMode
      • string
      • “manual”
      • “manual”, “automatic”
      • Specifies what type of thresholds to use
      • url
      • object
      • {}
      • Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile.application.stressBasedDetection.badActor (object)

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name type(s) default allowed values description
acceleratedSignaturesEnabled boolean false true, false Enables signature detection before the connection establishment
detectionEnabled boolean false true, false Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode string “none” “none”, “conservative”, “standard”, “aggressive” Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled boolean false true, false Enables request signature detection
tlsSignaturesEnabled boolean false true, false Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly boolean false true, false Limits request signature detection to approved signatures only

DOS_Profile.application.stressBasedDetection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.applicationAllowlist (object)

Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) Reference to a firewall address list or net address list

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP firewall address list or net address list
use string     AS3 pointer to firewall address list or net address list declaration

DOS_Profile.applicationWhitelist (object)

Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) Reference to a firewall address list or net address list

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP firewall address list or net address list
use string     AS3 pointer to firewall address list or net address list declaration

DOS_Profile.network (object)

Network security sub-profile

Properties (* = required):

name type(s) default allowed values description
dynamicSignatures object {}    
vectors array     A list of configured network DoS vectors

DOS_Profile.network.dynamicSignatures (object)

Default: {}

Properties (* = required):

name type(s) default allowed values description
detectionMode string “disabled” “disabled”, “learn-only”, “enabled” Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode string “none” “none”, “low”, “medium”, “high” Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory object     Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration integer 500 60 - 4294967295 Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled boolean false true, false Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile.network.dynamicSignatures.scrubbingCategory (object)

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Profile.protocolDNS (object)

DNS protocol security sub-profile

Properties (* = required):

name type(s) default allowed values description
vectors array     A list of configured DNS DoS vectors

DOS_Profile.protocolSIP (object)

SIP protocol security sub-profile

Properties (* = required):

name type(s) default allowed values description
vectors array     A list of configured SIP DoS vectors

DOS_Profile.whitelist (object)

Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP firewall address list or net address list
use string     AS3 pointer to firewall address list or net address list declaration

DOS_Auto_Denylist_Settings (object)

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Auto_Denylist_Settings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Bad_Actor_Detection_Settings (object)

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Properties (* = required):

name type(s) default allowed values description
enabled boolean false true, false Specifies that Bad Actor detection is enabled
sourceDetectionThreshold integer 4294967295 0 - 4294967295 Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold integer 4294967295 0 - 4294967295 Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_DNS_Vector (object)

Protocol DNS Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
autoAttackCeiling integer 4294967295 0 - 4294967295 Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor integer 100 0 - 4294967295 Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings object {}   Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings object     Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings object {}   Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold integer 500 0 - 4294967295 Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit integer 4294967295 0 - 4294967295 Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold integer 4294967295 0 - 4294967295 Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled boolean false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state string “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode string “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type* string   “a”, “aaaa”, “any”, “axfr”, “cname”, “ixfr”, “mx”, “ns”, “nxdomain”, “other”, “ptr”, “qdcount”, “soa”, “srv”, “txt”, “malformed” Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_DNS_Vector.autoBlacklistSettings (object)

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_DNS_Vector.autoBlacklistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_DNS_Vector.autoDenylistSettings (object)

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_DNS_Vector.autoDenylistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_DNS_Vector.badActorSettings (object)

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name type(s) default allowed values description
enabled boolean false true, false Specifies that Bad Actor detection is enabled
sourceDetectionThreshold integer 4294967295 0 - 4294967295 Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold integer 4294967295 0 - 4294967295 Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_Network_Vector (object)

Network Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
autoAttackCeiling integer 4294967295 0 - 4294967295 Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor integer 100 0 - 4294967295 Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings object {}   Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings object     Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings object {}   Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold integer 500 0 - 4294967295 Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit integer 4294967295 0 - 4294967295 Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold integer 4294967295 0 - 4294967295 Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled boolean false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state string “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode string “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type string   “ext-hdr-too-large”, “hop-cnt-low”, “host-unreachable”, “icmpv4-flood”, “icmpv6-flood”, “icmp-frag”, “ip-frag-flood”, “ip-low-ttl”, “ip-opt-frames”, “ipv6-ext-hdr-frames”, “ipv6-frag-flood”, “non-tcp-connection”, “opt-present-with-illegal-len”, “sweep”, “tcp-half-open”, “tcp-opt-overruns-tcp-hdr”, “tcp-psh-flood”, “tcp-rst-flood”, “tcp-syn-flood”, “tcp-synack-flood”, “tcp-syn-oversize”, “tcp-bad-urg”, “tcp-window-size”, “tidcmp”, “too-many-ext-hdrs”, “udp-flood”, “unk-tcp-opt-type” Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_Network_Vector.autoBlacklistSettings (object)

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Network_Vector.autoBlacklistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Network_Vector.autoDenylistSettings (object)

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Network_Vector.autoDenylistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Network_Vector.badActorSettings (object)

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name type(s) default allowed values description
enabled boolean false true, false Specifies that Bad Actor detection is enabled
sourceDetectionThreshold integer 4294967295 0 - 4294967295 Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold integer 4294967295 0 - 4294967295 Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_Profile_Application (object)

Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.

Properties (* = required):

name type(s) default allowed values description
allowlistedGeolocations array     Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack
blacklistedGeolocations array     Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
botDefense object {}   This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers.,BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:
  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.
    • botSignatures
    • object
    • {}
    • This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms,This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
    • captchaResponse
    • object
    • {}
    • Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
    • denylistedGeolocations
    • array
    • Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
    • heavyURLProtection
    • object
    • {}
    • Configure Heavy URL include list, automatic detection, and exclude list,Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
    • mobileDefense
    • object
    • {}
    • This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled,When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
    • profileAcceleration
    • object
    • Select a TCP fastL4 profile to be used as a fast-path for acceleration,Reference to a fast L4 profile
    • rateBasedDetection
    • object
    • {}
    • Configures the detection of DoS attacks based on high volume of incoming traffic,Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:
  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.
In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.
    • recordTraffic
    • object
    • {}
    • This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps.,Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
    • remoteTriggeredBlackHoleDuration
    • integer
    • 0 - 4294967295
    • Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module and if this property is unspecified it will be disabled.
    • scrubbingDuration
    • integer
    • 0 - 4294967295
    • Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module and if this property is unspecified it will be disabled.
    • singlePageApplicationEnabled
    • boolean
    • false
    • true, false
    • Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above.
    • stressBasedDetection
    • object
    • {}
    • Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. ,Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.
    • triggerIRule
    • boolean
    • false
    • true, false
    • Specifies that the system activates an Application DoS iRule event
    • whitelistedGeolocations
    • array
    • Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack

DOS_Profile_Application.botDefense (object)

This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Default: {}

Properties (* = required):

name type(s) default allowed values description
blockSuspiscousBrowsers boolean true true, false Detect and block requests from highly suspicious browsers
crossDomainRequests string “allow-all” “allow-all”, “validate-bulk”, “validate-upon-request” Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains array     Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod integer 300 0 - 4294967295 The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge boolean true true, false Issue CAPTCHA challenges to moderately suspicious browsers
mode string “off” “off”, “during-attacks”, “always” Specifies the conditions under which bots are detected and blocked
siteDomains array     Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist array     Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist array     Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile_Application.botSignatures (object)

This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.

Default: {}

Properties (* = required):

name type(s) default allowed values description
blockedCategories array     The system blocks and reports requests that match signatures in this list of categories
checkingEnabled boolean false true, false Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures array     A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories array     The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile_Application.captchaResponse (object)

Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.

Default: {}

Properties (* = required):

name type(s) default allowed values description
failure string     Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first string     Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile_Application.heavyURLProtection (object)

Configure Heavy URL include list, automatic detection, and exclude list Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Default: {}

Properties (* = required):

name type(s) default allowed values description
automaticDetectionEnabled boolean true true, false Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold integer 1000 16 - 4294967295 Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList array     URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList array     URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile_Application.mobileDefense (object)

This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Default: {}

Properties (* = required):

name type(s) default allowed values description
allowAndroidPublishers array     Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice boolean false true, false Select to allow traffic from rooted Android devices
allowEmulators boolean false true, false Select to allow traffic from applications run on emulators
allowIosPackageNames array     Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices boolean false true, false Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode string “pass” “pass”, “challenge” Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled boolean false true, false When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile_Application.profileAcceleration (object)

Select a TCP fastL4 profile to be used as a fast-path for acceleration Reference to a fast L4 profile

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP fast L4 profile
use string     AS3 pointer to fast L4 profile declaration

DOS_Profile_Application.rateBasedDetection (object)

Configures the detection of DoS attacks based on high volume of incoming traffic Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

Default: {}

Properties (* = required):

name type(s) default allowed values description
deEscalationPeriod integer 7200 0 - 86400 When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID object {}   Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod integer 120 1 - 3600 Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation object {}   Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode string “off” “off”, “transparent”, “blocking” Specifies how the system reacts when it detects an attack
site object {}   Specifies the criteria that determines when the system treats a site as an attacker
sourceIP object {}   Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode string “manual” “manual”, “automatic” Specifies what type of thresholds to use
url object {}   Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application.rateBasedDetection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.recordTraffic (object)

This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Default: {}

Properties (* = required):

name type(s) default allowed values description
maximumDuration integer 30 0 - 4294967295 Configures the maximum time for each TCP dump recording cycle
maximumSize integer 10 0 - 4294967295 Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled boolean false true, false Enables the recording of traffic during attacks
repetitionInterval   120   Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile_Application.stressBasedDetection (object)

Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Default: {}

Properties (* = required):

name type(s) default allowed values description
badActor object {}   Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
      • deEscalationPeriod
      • integer
      • 7200
      • 0 - 86400
      • When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
      • deviceID
      • object
      • {}
      • Specifies the criteria that determines when the system treats a device as an attacker
      • escalationPeriod
      • integer
      • 120
      • 1 - 3600
      • Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
      • geolocation
      • object
      • {}
      • Specifies the criteria that determines when the system treats a geolocation as an attacker
      • operationMode
      • string
      • “off”
      • “off”, “transparent”, “blocking”
      • Specifies how the system reacts when it detects an attack
      • site
      • object
      • {}
      • Specifies the criteria that determines when the system treats a site as an attacker
      • sourceIP
      • object
      • {}
      • Specifies the criteria that determines when the system treats a source IP address as an attacker
      • thresholdsMode
      • string
      • “manual”
      • “manual”, “automatic”
      • Specifies what type of thresholds to use
      • url
      • object
      • {}
      • Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application.stressBasedDetection.badActor (object)

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name type(s) default allowed values description
acceleratedSignaturesEnabled boolean false true, false Enables signature detection before the connection establishment
detectionEnabled boolean false true, false Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode string “none” “none”, “conservative”, “standard”, “aggressive” Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled boolean false true, false Enables request signature detection
tlsSignaturesEnabled boolean false true, false Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly boolean false true, false Limits request signature detection to approved signatures only

DOS_Profile_Application.stressBasedDetection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Bot_Defense (object)

BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

  • The system sends a client-side JavaScript challenge to the browser.
  • If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
  • The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Properties (* = required):

name type(s) default allowed values description
blockSuspiscousBrowsers boolean true true, false Detect and block requests from highly suspicious browsers
crossDomainRequests string “allow-all” “allow-all”, “validate-bulk”, “validate-upon-request” Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains array     Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod integer 300 0 - 4294967295 The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge boolean true true, false Issue CAPTCHA challenges to moderately suspicious browsers
mode string “off” “off”, “during-attacks”, “always” Specifies the conditions under which bots are detected and blocked
siteDomains array     Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist array     Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist array     Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile_Application_Bot_Signatures (object)

This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.

Properties (* = required):

name type(s) default allowed values description
blockedCategories array     The system blocks and reports requests that match signatures in this list of categories
checkingEnabled boolean false true, false Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures array     A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories array     The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile_Application_Captcha (object)

Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.

Properties (* = required):

name type(s) default allowed values description
failure string     Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first string     Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile_Application_Detection_Device (object)

Specifies the criteria that determines when the system treats a device as an attacker

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_IP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_URL (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Heavy_URL (object)

Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Properties (* = required):

name type(s) default allowed values description
automaticDetectionEnabled boolean true true, false Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold integer 1000 16 - 4294967295 Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList array     URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList array     URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile_Application_Mobile_Defense (object)

When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Properties (* = required):

name type(s) default allowed values description
allowAndroidPublishers array     Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice boolean false true, false Select to allow traffic from rooted Android devices
allowEmulators boolean false true, false Select to allow traffic from applications run on emulators
allowIosPackageNames array     Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices boolean false true, false Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode string “pass” “pass”, “challenge” Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled boolean false true, false When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile_Application_Rate_Based_Detection (object)

Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

  • Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
  • Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

Properties (* = required):

name type(s) default allowed values description
deEscalationPeriod integer 7200 0 - 86400 When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID object {}   Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod integer 120 1 - 3600 Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation object {}   Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode string “off” “off”, “transparent”, “blocking” Specifies how the system reacts when it detects an attack
site object {}   Specifies the criteria that determines when the system treats a site as an attacker
sourceIP object {}   Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode string “manual” “manual”, “automatic” Specifies what type of thresholds to use
url object {}   Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application_Rate_Based_Detection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection (object)

Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Properties (* = required):

name type(s) default allowed values description
badActor object {}   Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
      • deEscalationPeriod
      • integer
      • 7200
      • 0 - 86400
      • When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
      • deviceID
      • object
      • {}
      • Specifies the criteria that determines when the system treats a device as an attacker
      • escalationPeriod
      • integer
      • 120
      • 1 - 3600
      • Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
      • geolocation
      • object
      • {}
      • Specifies the criteria that determines when the system treats a geolocation as an attacker
      • operationMode
      • string
      • “off”
      • “off”, “transparent”, “blocking”
      • Specifies how the system reacts when it detects an attack
      • site
      • object
      • {}
      • Specifies the criteria that determines when the system treats a site as an attacker
      • sourceIP
      • object
      • {}
      • Specifies the criteria that determines when the system treats a source IP address as an attacker
      • thresholdsMode
      • string
      • “manual”
      • “manual”, “automatic”
      • Specifies what type of thresholds to use
      • url
      • object
      • {}
      • Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application_Stress_Based_Detection.badActor (object)

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name type(s) default allowed values description
acceleratedSignaturesEnabled boolean false true, false Enables signature detection before the connection establishment
detectionEnabled boolean false true, false Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode string “none” “none”, “conservative”, “standard”, “aggressive” Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled boolean false true, false Enables request signature detection
tlsSignaturesEnabled boolean false true, false Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly boolean false true, false Limits request signature detection to approved signatures only

DOS_Profile_Application_Stress_Based_Detection.deviceID (object)

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.geolocation (object)

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps integer 50 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare integer 10 0 - 4294967295 The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate integer 500 0 - 4294967295 The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.site (object)

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 20000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 10000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 2000 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.sourceIP (object)

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 200 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 40 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode string “rate-limit” “rate-limit”, “block-all” Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.url (object)

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name type(s) default allowed values description
captchaChallengeEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled boolean false true, false Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled boolean true true, false Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps integer 5000 0 - 4294967295 Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps integer 1000 0 - 4294967295 The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps integer 5 0 - 4294967295 Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps integer 200 0 - 4294967295 The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled boolean true true, false Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate integer 500 0 - 4294967295 The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection_Bad_Actor (object)

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

  • Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
  • Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Properties (* = required):

name type(s) default allowed values description
acceleratedSignaturesEnabled boolean false true, false Enables signature detection before the connection establishment
detectionEnabled boolean false true, false Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode string “none” “none”, “conservative”, “standard”, “aggressive” Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled boolean false true, false Enables request signature detection
tlsSignaturesEnabled boolean false true, false Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly boolean false true, false Limits request signature detection to approved signatures only

DOS_Profile_Application_TCP_Dump (object)

Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Properties (* = required):

name type(s) default allowed values description
maximumDuration integer 30 0 - 4294967295 Configures the maximum time for each TCP dump recording cycle
maximumSize integer 10 0 - 4294967295 Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled boolean false true, false Enables the recording of traffic during attacks
repetitionInterval   120   Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile_Network (object)

Properties (* = required):

name type(s) default allowed values description
dynamicSignatures object {}    
vectors array     A list of configured network DoS vectors

DOS_Profile_Network.dynamicSignatures (object)

Default: {}

Properties (* = required):

name type(s) default allowed values description
detectionMode string “disabled” “disabled”, “learn-only”, “enabled” Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode string “none” “none”, “low”, “medium”, “high” Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory object     Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration integer 500 60 - 4294967295 Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled boolean false true, false Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile_Network.dynamicSignatures.scrubbingCategory (object)

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Profile_Network_Dynamic_Signatures (object)

Properties (* = required):

name type(s) default allowed values description
detectionMode string “disabled” “disabled”, “learn-only”, “enabled” Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode string “none” “none”, “low”, “medium”, “high” Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory object     Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration integer 500 60 - 4294967295 Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled boolean false true, false Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile_Network_Dynamic_Signatures.scrubbingCategory (object)

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_Profile_Protocol_DNS (object)

Properties (* = required):

name type(s) default allowed values description
vectors array     A list of configured DNS DoS vectors

DOS_Profile_Protocol_SIP (object)

Properties (* = required):

name type(s) default allowed values description
vectors array     A list of configured SIP DoS vectors

DOS_SIP_Vector (object)

Protocol SIP Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
autoAttackCeiling integer 4294967295 0 - 4294967295 Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor integer 100 0 - 4294967295 Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings object {}   Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings object     Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings object {}   Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold integer 500 0 - 4294967295 Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit integer 4294967295 0 - 4294967295 Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold integer 4294967295 0 - 4294967295 Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled boolean false true, false Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state string “mitigate” “disabled”, “learn-only”, “detect-only”, “mitigate” Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode string “manual” “manual”, “stress-based-mitigation”, “fully-automatic” Specifies how thresholds are set for this vector
type* string   “ack”, “cancel”, “message”, “options”, “prack”, “register”, “bye”, “invite”, “notify”, “other”, “publish”, “subscribe”, “uri-limit”, “malformed” Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_SIP_Vector.autoBlacklistSettings (object)

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_SIP_Vector.autoBlacklistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_SIP_Vector.autoDenylistSettings (object)

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name type(s) default allowed values description
attackDetectionTime integer 60 1 - 4294967295 Specifies the time in seconds before a vector is denylisted
category object {“bigip”:”/Common/denial_of_service”}   Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration integer 14400 60 - 4294967295 Specifies the time in seconds before the denylist entry is removed
enabled boolean false true, false Specifies if automatic denylist management should be used
externalAdvertisementEnabled boolean false true, false Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_SIP_Vector.autoDenylistSettings.category (object)

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP denylist category

DOS_SIP_Vector.badActorSettings (object)

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name type(s) default allowed values description
enabled boolean false true, false Specifies that Bad Actor detection is enabled
sourceDetectionThreshold integer 4294967295 0 - 4294967295 Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold integer 4294967295 0 - 4294967295 Specifies the rate limit applied to a source IP that is identified as a bad actor