DOS_Profile (object)¶

Configures a Denial of Service (DOS) profile

Properties (* = required):

name	type(s)	allowed values	description
allowlist	object		Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above.,Reference to a firewall address list or net address list
application	object		Application security sub-profile,Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.
applicationAllowlist	object		Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist),Reference to a firewall address list or net address list
applicationWhitelist	object		Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist),Reference to a firewall address list or net address list
class	string	“DOS_Profile”
label	string	“^[^x00-x1fx22#&<>?x5b-x5d`x7f]$”	Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML
network	object		Network security sub-profile,
protocolDNS	object		DNS protocol security sub-profile,
protocolSIP	object		SIP protocol security sub-profile,
remark	string	“^[^x00-x1fx22x5cx7f]*$”	Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks
whitelist	object		Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above.,Reference to a firewall address list or net address list

DOS_Profile.allowlist (object)¶

Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP firewall address list or net address list
use	string			AS3 pointer to firewall address list or net address list declaration

DOS_Profile.application (object)¶

Application security sub-profile Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.

Properties (* = required):

name	type(s)	default	description
allowlistedGeolocations	array		Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack
blacklistedGeolocations	array		Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
botDefense	object	{}	This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers.,BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

The system sends a client-side JavaScript challenge to the browser.
If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: The proactive bot defense feature works also in Transparent mode. This means that the system will replace responses with client side JavaScript also in Transparent mode, and if the client cannot run JavaScript, it will not be able to receive the server responses.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

- botSignatures
- object
- {}
- This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms,This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
- captchaResponse
- object
- {}
- Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
- denylistedGeolocations
- array
- Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
- heavyURLProtection
- object
- {}
- Configure Heavy URL include list, automatic detection, and exclude list,Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
- mobileDefense
- object
- {}
- This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled,When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
- profileAcceleration
- object
- Select a TCP fastL4 profile to be used as a fast-path for acceleration,Reference to a fast L4 profile,Reference for a BIG-IP or Use object
- rateBasedDetection
- object
- {}
- Configures the detection of DoS attacks based on high volume of incoming traffic,Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

- recordTraffic
- object
- {}
- This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps.,Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
- remoteTriggeredBlackHoleDuration
- integer
- 0 - 4294967295
- Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module and if this property is unspecified it will be disabled.
- scrubbingDuration
- integer
- 0 - 4294967295
- Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module and if this property is unspecified it will be disabled.
- singlePageApplicationEnabled
- boolean
- false
- true, false
- Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above.
- stressBasedDetection
- object
- {}
- Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. ,Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.
- triggerIRule
- boolean
- false
- true, false
- Specifies that the system activates an Application DoS iRule event
- whitelistedGeolocations
- array
- Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack

DOS_Profile.application.botDefense (object)¶

This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers. BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

The system sends a client-side JavaScript challenge to the browser.
If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
blockSuspiscousBrowsers	boolean	true	true, false	Detect and block requests from highly suspicious browsers
crossDomainRequests	string	“allow-all”	“allow-all”, “validate-bulk”, “validate-upon-request”	Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains	array			Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod	integer	300	0 - 4294967295	The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge	boolean	true	true, false	Issue CAPTCHA challenges to moderately suspicious browsers
mode	string	“off”	“off”, “during-attacks”, “always”	Specifies the conditions under which bots are detected and blocked
siteDomains	array			Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist	array			Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist	array			Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile.application.botSignatures (object)¶

This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
blockedCategories	array			The system blocks and reports requests that match signatures in this list of categories
checkingEnabled	boolean	false	true, false	Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures	array			A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories	array			The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile.application.captchaResponse (object)¶

Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
failure	string			Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first	string			Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile.application.heavyURLProtection (object)¶

Configure Heavy URL include list, automatic detection, and exclude list Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
automaticDetectionEnabled	boolean	true	true, false	Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold	integer	1000	16 - 4294967295	Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList	array			URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList	array			URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile.application.mobileDefense (object)¶

This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
allowAndroidPublishers	array			Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice	boolean	false	true, false	Select to allow traffic from rooted Android devices
allowEmulators	boolean	false	true, false	Select to allow traffic from applications run on emulators
allowIosPackageNames	array			Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices	boolean	false	true, false	Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode	string	“pass”	“pass”, “challenge”	Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled	boolean	false	true, false	When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile.application.profileAcceleration (object)¶

Select a TCP fastL4 profile to be used as a fast-path for acceleration Reference to a fast L4 profile Reference for a BIG-IP or Use object

Properties (* = required):

name	type(s)	default	allowed values	description
bigip			“f5bigip” formatted string
use

DOS_Profile.application.rateBasedDetection (object)¶

Configures the detection of DoS attacks based on high volume of incoming traffic Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

In TPS-based detection mode, if the ratio of the transaction rate detection interval to the transaction rate history interval is greater than the specific percentage configured, the system detects the URL/site to be under attack, or the IP address/geolocation to be attacking. In order to stop the attack, the system blocks some, or all, requests from the detected IP address/geolocation and/to the attacked URL/site, depending on the configuration of the DoS profile.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
deEscalationPeriod	integer	7200	0 - 86400	When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID	object	{}		Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod	integer	120	1 - 3600	Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation	object	{}		Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode	string	“off”	“off”, “transparent”, “blocking”	Specifies how the system reacts when it detects an attack
site	object	{}		Specifies the criteria that determines when the system treats a site as an attacker
sourceIP	object	{}		Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode	string	“manual”	“manual”, “automatic”	Specifies what type of thresholds to use
url	object	{}		Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile.application.rateBasedDetection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.rateBasedDetection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.recordTraffic (object)¶

This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps. Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
maximumDuration	integer	30	0 - 4294967295	Configures the maximum time for each TCP dump recording cycle
maximumSize	integer	10	0 - 4294967295	Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled	boolean	false	true, false	Enables the recording of traffic during attacks
repetitionInterval		120		Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile.application.stressBasedDetection (object)¶

Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
badActor	object	{}		Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
- - deEscalationPeriod
  - integer
  - 7200
  - 0 - 86400
  - When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
- - deviceID
  - object
  - {}
  - Specifies the criteria that determines when the system treats a device as an attacker
- - escalationPeriod
  - integer
  - 120
  - 1 - 3600
  - Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
- - geolocation
  - object
  - {}
  - Specifies the criteria that determines when the system treats a geolocation as an attacker
- - operationMode
  - string
  - “off”
  - “off”, “transparent”, “blocking”
  - Specifies how the system reacts when it detects an attack
- - site
  - object
  - {}
  - Specifies the criteria that determines when the system treats a site as an attacker
- - sourceIP
  - object
  - {}
  - Specifies the criteria that determines when the system treats a source IP address as an attacker
- - thresholdsMode
  - string
  - “manual”
  - “manual”, “automatic”
  - Specifies what type of thresholds to use
- - url
  - object
  - {}
  - Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile.application.stressBasedDetection.badActor (object)¶

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
acceleratedSignaturesEnabled	boolean	false	true, false	Enables signature detection before the connection establishment
detectionEnabled	boolean	false	true, false	Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode	string	“none”	“none”, “conservative”, “standard”, “aggressive”	Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled	boolean	false	true, false	Enables request signature detection
tlsSignaturesEnabled	boolean	false	true, false	Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly	boolean	false	true, false	Limits request signature detection to approved signatures only

DOS_Profile.application.stressBasedDetection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.application.stressBasedDetection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile.applicationAllowlist (object)¶

Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) Reference to a firewall address list or net address list

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP firewall address list or net address list
use	string			AS3 pointer to firewall address list or net address list declaration

DOS_Profile.applicationWhitelist (object)¶

Deprecated. Replaced with functionally equivalent applicationAllowlist. Specifies the IP addresses and subnets allowlist configuration for Application Security (Overrides the global allowlist) Reference to a firewall address list or net address list

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP firewall address list or net address list
use	string			AS3 pointer to firewall address list or net address list declaration

DOS_Profile.network (object)¶

Network security sub-profile

Properties (* = required):

name	type(s)	default	allowed values	description
dynamicSignatures	object	{}
vectors	array			A list of configured network DoS vectors

DOS_Profile.network.dynamicSignatures (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
detectionMode	string	“disabled”	“disabled”, “learn-only”, “enabled”	Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode	string	“none”	“none”, “low”, “medium”, “high”	Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory	object			Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration	integer	500	60 - 4294967295	Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled	boolean	false	true, false	Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile.network.dynamicSignatures.scrubbingCategory (object)¶

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Profile.protocolDNS (object)¶

DNS protocol security sub-profile

Properties (* = required):

name	type(s)	default	allowed values	description
vectors	array			A list of configured DNS DoS vectors

DOS_Profile.protocolSIP (object)¶

SIP protocol security sub-profile

Properties (* = required):

name	type(s)	default	allowed values	description
vectors	array			A list of configured SIP DoS vectors

DOS_Profile.whitelist (object)¶

Deprecated. Replaced with functionally equivalent allowlist. Specifies the default allowlist address list for the system to use to determine which IP addresses are legitimate. The system does not examine traffic from the IP addresses in the list when performing DoS prevention. This property is available on BIGIP 14.1 and above. Reference to a firewall address list or net address list

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP firewall address list or net address list
use	string			AS3 pointer to firewall address list or net address list declaration

DOS_Auto_Denylist_Settings (object)¶

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Auto_Denylist_Settings.category (object)¶

Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings. Reference to a denylist category

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Bad_Actor_Detection_Settings (object)¶

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Properties (* = required):

name	type(s)	default	allowed values	description
enabled	boolean	false	true, false	Specifies that Bad Actor detection is enabled
sourceDetectionThreshold	integer	4294967295	0 - 4294967295	Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold	integer	4294967295	0 - 4294967295	Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_DNS_Vector (object)¶

Protocol DNS Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
autoAttackCeiling	integer	4294967295	0 - 4294967295	Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor	integer	100	0 - 4294967295	Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings	object	{}		Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings	object			Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings	object	{}		Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold	integer	500	0 - 4294967295	Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit	integer	4294967295	0 - 4294967295	Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold	integer	4294967295	0 - 4294967295	Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled	boolean	false	true, false	Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state	string	“mitigate”	“disabled”, “learn-only”, “detect-only”, “mitigate”	Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode	string	“manual”	“manual”, “stress-based-mitigation”, “fully-automatic”	Specifies how thresholds are set for this vector
type*	string		“a”, “aaaa”, “any”, “axfr”, “cname”, “ixfr”, “mx”, “ns”, “nxdomain”, “other”, “ptr”, “qdcount”, “soa”, “srv”, “txt”, “malformed”	Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_DNS_Vector.autoBlacklistSettings (object)¶

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_DNS_Vector.autoBlacklistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_DNS_Vector.autoDenylistSettings (object)¶

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_DNS_Vector.autoDenylistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_DNS_Vector.badActorSettings (object)¶

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
enabled	boolean	false	true, false	Specifies that Bad Actor detection is enabled
sourceDetectionThreshold	integer	4294967295	0 - 4294967295	Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold	integer	4294967295	0 - 4294967295	Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_Network_Vector (object)¶

Network Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
autoAttackCeiling	integer	4294967295	0 - 4294967295	Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor	integer	100	0 - 4294967295	Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings	object	{}		Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings	object			Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings	object	{}		Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold	integer	500	0 - 4294967295	Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit	integer	4294967295	0 - 4294967295	Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold	integer	4294967295	0 - 4294967295	Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled	boolean	false	true, false	Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state	string	“mitigate”	“disabled”, “learn-only”, “detect-only”, “mitigate”	Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode	string	“manual”	“manual”, “stress-based-mitigation”, “fully-automatic”	Specifies how thresholds are set for this vector
type	string		“ext-hdr-too-large”, “hop-cnt-low”, “host-unreachable”, “icmpv4-flood”, “icmpv6-flood”, “icmp-frag”, “ip-frag-flood”, “ip-low-ttl”, “ip-opt-frames”, “ipv6-ext-hdr-frames”, “ipv6-frag-flood”, “non-tcp-connection”, “opt-present-with-illegal-len”, “sweep”, “tcp-half-open”, “tcp-opt-overruns-tcp-hdr”, “tcp-psh-flood”, “tcp-rst-flood”, “tcp-syn-flood”, “tcp-synack-flood”, “tcp-syn-oversize”, “tcp-bad-urg”, “tcp-window-size”, “tidcmp”, “too-many-ext-hdrs”, “udp-flood”, “unk-tcp-opt-type”	Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_Network_Vector.autoBlacklistSettings (object)¶

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Network_Vector.autoBlacklistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Network_Vector.autoDenylistSettings (object)¶

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_Network_Vector.autoDenylistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Network_Vector.badActorSettings (object)¶

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
enabled	boolean	false	true, false	Specifies that Bad Actor detection is enabled
sourceDetectionThreshold	integer	4294967295	0 - 4294967295	Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold	integer	4294967295	0 - 4294967295	Specifies the rate limit applied to a source IP that is identified as a bad actor

DOS_Profile_Application (object)¶

Specifies the conditions for determining that your application is under a DoS attack, and how the system reacts to a suspected attack.

Properties (* = required):

name	type(s)	default	description
allowlistedGeolocations	array		Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack
blacklistedGeolocations	array		Deprecated. Replaced with functionally equivalent denylistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
botDefense	object	{}	This feature proactively detects bots and scripts, and prevents them from accessing the site. It may be used to prevent DDoS, Web Scraping, and Brute Force attacks. Enabling this feature requires JavaScript support from the browsers.,BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

The system sends a client-side JavaScript challenge to the browser.
If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

- botSignatures
- object
- {}
- This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms,This feature automatically detects well known bots according to their HTTP characteristics. Malicious bots can be configured to be blocked, while benign bots can be configured to pass through the anti-bot defense mechanisms.
- captchaResponse
- object
- {}
- Specifies the text the system sends, during a suspected DoS event, to users after it challenges users with the first CAPTCHA response, and the text the system sends to users after they fail a CAPTCHA response.
- denylistedGeolocations
- array
- Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to block traffic during a DoS attack
- heavyURLProtection
- object
- {}
- Configure Heavy URL include list, automatic detection, and exclude list,Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.
- mobileDefense
- object
- {}
- This feature detects mobile applications built with the Anti-Bot Mobile SDK and defines how requests from these mobile application clients are handled,When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.
- profileAcceleration
- object
- Select a TCP fastL4 profile to be used as a fast-path for acceleration,Reference to a fast L4 profile,Reference for a BIG-IP or Use object
- rateBasedDetection
- object
- {}
- Configures the detection of DoS attacks based on high volume of incoming traffic,Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

- recordTraffic
- object
- {}
- This feature allows automatic recording of traffic during DoS attacks, and storing the recordings as TCP Dump files. The files are placed in the system file path /shared/dosl7/tcpdumps.,Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.
- remoteTriggeredBlackHoleDuration
- integer
- 0 - 4294967295
- Specifies the BGP route advertisement duration in seconds for Remote Triggered Black Hole of attacking IPs. This requires configuration of the Blacklist Publisher, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Remote Triggered Black Hole. Requires the AFM module and if this property is unspecified it will be disabled.
- scrubbingDuration
- integer
- 0 - 4294967295
- Specifies the BGP route advertisement duration in seconds for Traffic Scrubbing during attacks. This requires configuration of the Scrubber Profile, and will function even when the Operation Mode is set to Transparent. A value of 0 disables Traffic Scrubbing. Requires the AFM module and if this property is unspecified it will be disabled.
- singlePageApplicationEnabled
- boolean
- false
- true, false
- Specifies that your website is a Single Page Application, meaning a web application that loads new content without triggering a full page-reload. This property is available on BIGIP 14.1 and above.
- stressBasedDetection
- object
- {}
- Configures the detection of DoS attacks based on server stress. The system automatically detects an increase in server stress and mitigates DoS attacks causing it. ,Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.
- triggerIRule
- boolean
- false
- true, false
- Specifies that the system activates an Application DoS iRule event
- whitelistedGeolocations
- array
- Deprecated. Replaced with functionally equivalent allowlistedGeolocations. Override the DoS profile’s geolocation rate based threshold settings by selecting countries from which to allow traffic during a DoS attack

DOS_Profile_Application.botDefense (object)¶

The system sends a client-side JavaScript challenge to the browser.
If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
blockSuspiscousBrowsers	boolean	true	true, false	Detect and block requests from highly suspicious browsers
crossDomainRequests	string	“allow-all”	“allow-all”, “validate-bulk”, “validate-upon-request”	Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains	array			Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod	integer	300	0 - 4294967295	The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge	boolean	true	true, false	Issue CAPTCHA challenges to moderately suspicious browsers
mode	string	“off”	“off”, “during-attacks”, “always”	Specifies the conditions under which bots are detected and blocked
siteDomains	array			Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist	array			Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist	array			Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile_Application.botSignatures (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
blockedCategories	array			The system blocks and reports requests that match signatures in this list of categories
checkingEnabled	boolean	false	true, false	Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures	array			A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories	array			The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile_Application.captchaResponse (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
failure	string			Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first	string			Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile_Application.heavyURLProtection (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
automaticDetectionEnabled	boolean	true	true, false	Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold	integer	1000	16 - 4294967295	Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList	array			URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList	array			URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile_Application.mobileDefense (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
allowAndroidPublishers	array			Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice	boolean	false	true, false	Select to allow traffic from rooted Android devices
allowEmulators	boolean	false	true, false	Select to allow traffic from applications run on emulators
allowIosPackageNames	array			Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices	boolean	false	true, false	Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode	string	“pass”	“pass”, “challenge”	Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled	boolean	false	true, false	When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile_Application.profileAcceleration (object)¶

Select a TCP fastL4 profile to be used as a fast-path for acceleration Reference to a fast L4 profile Reference for a BIG-IP or Use object

Properties (* = required):

name	type(s)	default	allowed values	description
bigip			“f5bigip” formatted string
use

DOS_Profile_Application.rateBasedDetection (object)¶

Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
deEscalationPeriod	integer	7200	0 - 86400	When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID	object	{}		Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod	integer	120	1 - 3600	Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation	object	{}		Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode	string	“off”	“off”, “transparent”, “blocking”	Specifies how the system reacts when it detects an attack
site	object	{}		Specifies the criteria that determines when the system treats a site as an attacker
sourceIP	object	{}		Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode	string	“manual”	“manual”, “automatic”	Specifies what type of thresholds to use
url	object	{}		Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application.rateBasedDetection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.rateBasedDetection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.recordTraffic (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
maximumDuration	integer	30	0 - 4294967295	Configures the maximum time for each TCP dump recording cycle
maximumSize	integer	10	0 - 4294967295	Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled	boolean	false	true, false	Enables the recording of traffic during attacks
repetitionInterval		120		Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile_Application.stressBasedDetection (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
badActor	object	{}		Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
- - deEscalationPeriod
  - integer
  - 7200
  - 0 - 86400
  - When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
- - deviceID
  - object
  - {}
  - Specifies the criteria that determines when the system treats a device as an attacker
- - escalationPeriod
  - integer
  - 120
  - 1 - 3600
  - Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
- - geolocation
  - object
  - {}
  - Specifies the criteria that determines when the system treats a geolocation as an attacker
- - operationMode
  - string
  - “off”
  - “off”, “transparent”, “blocking”
  - Specifies how the system reacts when it detects an attack
- - site
  - object
  - {}
  - Specifies the criteria that determines when the system treats a site as an attacker
- - sourceIP
  - object
  - {}
  - Specifies the criteria that determines when the system treats a source IP address as an attacker
- - thresholdsMode
  - string
  - “manual”
  - “manual”, “automatic”
  - Specifies what type of thresholds to use
- - url
  - object
  - {}
  - Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application.stressBasedDetection.badActor (object)¶

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
acceleratedSignaturesEnabled	boolean	false	true, false	Enables signature detection before the connection establishment
detectionEnabled	boolean	false	true, false	Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode	string	“none”	“none”, “conservative”, “standard”, “aggressive”	Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled	boolean	false	true, false	Enables request signature detection
tlsSignaturesEnabled	boolean	false	true, false	Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly	boolean	false	true, false	Limits request signature detection to approved signatures only

DOS_Profile_Application.stressBasedDetection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application.stressBasedDetection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Bot_Defense (object)¶

BIG-IP AS3 provides defense against bot attacks by detecting and stopping them before the attacks start to grow, by performing the following:

The system sends a client-side JavaScript challenge to the browser.
If the challenge is met, the system adds a cookie to the second request. This cookie is active until the session ends, and the system does not add any more cookies to further requests during that session.
The system drops requests sent by browsers that do not answer the system’s initial JavaScript challenge, assuming they are bots that do not support JavaScript.

Note: This feature requires browsers to allow JavaScript.

Important: If you enable Proactive Bot Defense and your web site uses CORS (Cross-Origin Resource Sharing), we recommend that you add the CORS URLs to the proactive bot URL allowlist.

This method is intended to complement, not replace, the other mitigation methods.

Properties (* = required):

name	type(s)	default	allowed values	description
blockSuspiscousBrowsers	boolean	true	true, false	Detect and block requests from highly suspicious browsers
crossDomainRequests	string	“allow-all”	“allow-all”, “validate-bulk”, “validate-upon-request”	Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
externalDomains	array			Specifies the external referring domains (that are not part of your website) that are allowed to link to resources in your website. These domains are not protected with proactive bot defense, but the system allows them if they pass the system’s redirect-cookie challenge. This property is available on BIGIP 14.1 and above.
gracePeriod	integer	300	0 - 4294967295	The length of time (in seconds) before the system blocks suspected bots. The grace period allows web application pages with both HTML and non-HTML (like images, JS, and CSS) to load completely without being blocked. The grace period starts after client validation, a configuration change, or when proactive bot defense is activated as a result of a detected attack or high latency. This property is available on BIGIP 14.1 and above.
issueCaptchaChallenge	boolean	true	true, false	Issue CAPTCHA challenges to moderately suspicious browsers
mode	string	“off”	“off”, “during-attacks”, “always”	Specifies the conditions under which bots are detected and blocked
siteDomains	array			Specifies how the system responds when receiving a request for non-HTML resources (images, CSS, XML, JavaScript, and Flash) without a valid cookie, and has a Referer header with a different domain than the host domain. This property is available on BIGIP 14.1 and above.
urlAllowlist	array			Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation
urlWhitelist	array			Deprecated. Replaced with functionally equivalent urlAllowlist. Specifies excluded URLs. Requests to these URLs will not be blocked by Proactive Bot Defense, although they may still be blocked by the TPS-based / Stress-based attack mitigation

DOS_Profile_Application_Bot_Signatures (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
blockedCategories	array			The system blocks and reports requests that match signatures in this list of categories
checkingEnabled	boolean	false	true, false	Specifies the system uses signatures to check whether a bot is benign or malicious
disabledSignatures	array			A list of signatures the system ignores when it matches requests with configured bot signatures
reportedCategories	array			The system logs requests that match signatures in this list of categories and counts them in the DoS reports

DOS_Profile_Application_Captcha (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
failure	string			Specifies the content the system displays to a user after the user fails to correctly answer a CAPTCHA
first	string			Specifies the content that the system displays to a user the first time the user is asked to respond to a CAPTCHA

DOS_Profile_Application_Detection_Device (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_IP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_Site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Detection_URL (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Heavy_URL (object)¶

Heavy URLs are a small number of site URLs that might consume considerable server resources per request. Heavy URLs respond with low latency most of the time, but may easily reach high latency under specific conditions. Heavy URLs are not necessarily heavy all the time, but are potentially heavy, especially during DoS attacks. It only takes a low rate of requests to heavy URLs in order to cause DoS attacks. When an attack is suspected, the system protects the heavy URLs using the by URL methods that you enabled in TPS-based Detection and Behavioral & Stress-based Detection. If no URL-based methods are enabled there, the system only reports attacks.

Properties (* = required):

name	type(s)	default	allowed values	description
automaticDetectionEnabled	boolean	true	true, false	Mark a URL as heavy if its portion of transactions with latency above the specified threshold is higher than usual for this site
detectionThreshold	integer	1000	16 - 4294967295	Specifies the latency threshold for automatic heavy URL detection (in milliseconds)
excludeList	array			URLs the system should not consider heavy even if the system automatically detects them as being heavy. This list may contain prefix wildcards.
protectList	array			URLs you expect to be heavy even if the system does not automatically detect them as being heavy

DOS_Profile_Application_Mobile_Defense (object)¶

When enabled, requests from mobile applications built with the Anti-Bot Mobile SDK will be detected and handled according to the setting configured here. When disabled, these requests will be handled like any other request, meaning that they may let attacks in or cause false positives. Mobile application traffic will be treated differently than other clients, e.g. browsers, in security policies. For this reason, even when DoS protection is not required in a security policy, you still must set a DoS profile with mobile application protection enabled.

Properties (* = required):

name	type(s)	default	allowed values	description
allowAndroidPublishers	array			Publisher certificates to allow. All others are blocked. An empty list allows all publishers.
allowAndroidRootedDevice	boolean	false	true, false	Select to allow traffic from rooted Android devices
allowEmulators	boolean	false	true, false	Select to allow traffic from applications run on emulators
allowIosPackageNames	array			Package names to allow. All others are blocked. An empty list allows all package names.
allowJailbrokenDevices	boolean	false	true, false	Select to allow traffic from jailbroken iOS devices
clientSideChallengeMode	string	“pass”	“pass”, “challenge”	Specifies the action to take when a CAPTCHA or Client Side Integrity challenge needs to be presented
enabled	boolean	false	true, false	When enabled, requests from mobile applications built with Anti-Bot Mobile SDK will be detected and handled according to the settings below. When disabled, these requests will be handled like any other request which may let attacks in, or cause false positives.

DOS_Profile_Application_Rate_Based_Detection (object)¶

Configure the system to prevent DoS attacks based on the client side transactions per second (TPS-based detection mode). The system considers traffic to be a DoS attack based on the following calculations:

Transaction rate detection interval: The average number of requests per second sent. This is the TPS value that triggered the attack. This number is calculated by the system, by default, every ten seconds.
Transaction rate history interval: The average number of requests per second sent. This number is the average number of transactions for the past hour, and it is updated every 10 seconds.

Properties (* = required):

name	type(s)	default	allowed values	description
deEscalationPeriod	integer	7200	0 - 86400	When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
deviceID	object	{}		Specifies the criteria that determines when the system treats a device as an attacker
escalationPeriod	integer	120	1 - 3600	Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
geolocation	object	{}		Specifies the criteria that determines when the system treats a geolocation as an attacker
operationMode	string	“off”	“off”, “transparent”, “blocking”	Specifies how the system reacts when it detects an attack
site	object	{}		Specifies the criteria that determines when the system treats a site as an attacker
sourceIP	object	{}		Specifies the criteria that determines when the system treats a source IP address as an attacker
thresholdsMode	string	“manual”	“manual”, “automatic”	Specifies what type of thresholds to use
url	object	{}		Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application_Rate_Based_Detection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Rate_Based_Detection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection (object)¶

Configure the system to prevent DoS attacks based on the server’s health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.

Properties (* = required):

name	type(s)	default	allowed values	description
badActor	object	{}		Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.
- - deEscalationPeriod
  - integer
  - 7200
  - 0 - 86400
  - When preventing a DoS attack, specifies the time spent since the mitigation started until retrying the steps from the beginning of the enabled methods. If the value is 0, no de-escalation occurs.
- - deviceID
  - object
  - {}
  - Specifies the criteria that determines when the system treats a device as an attacker
- - escalationPeriod
  - integer
  - 120
  - 1 - 3600
  - Specifies the minimum time spent in each mitigation step before the system moves to the next mitigation step when preventing a DoS attack. After the system detects a DoS attack, it performs attack prevention for the amount of time specified here for every method that is enabled. If after this period the attack has not been fully stopped, the system escalates to the next enabled prevention step.
- - geolocation
  - object
  - {}
  - Specifies the criteria that determines when the system treats a geolocation as an attacker
- - operationMode
  - string
  - “off”
  - “off”, “transparent”, “blocking”
  - Specifies how the system reacts when it detects an attack
- - site
  - object
  - {}
  - Specifies the criteria that determines when the system treats a site as an attacker
- - sourceIP
  - object
  - {}
  - Specifies the criteria that determines when the system treats a source IP address as an attacker
- - thresholdsMode
  - string
  - “manual”
  - “manual”, “automatic”
  - Specifies what type of thresholds to use
- - url
  - object
  - {}
  - Specifies the criteria that determines when the system treats a URL as an attacker

DOS_Profile_Application_Stress_Based_Detection.badActor (object)¶

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
acceleratedSignaturesEnabled	boolean	false	true, false	Enables signature detection before the connection establishment
detectionEnabled	boolean	false	true, false	Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode	string	“none”	“none”, “conservative”, “standard”, “aggressive”	Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled	boolean	false	true, false	Enables request signature detection
tlsSignaturesEnabled	boolean	false	true, false	Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly	boolean	false	true, false	Limits request signature detection to approved signatures only

DOS_Profile_Application_Stress_Based_Detection.deviceID (object)¶

Specifies the criteria that determines when the system treats a device as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.geolocation (object)¶

Specifies the criteria that determines when the system treats a geolocation as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumAutoTps	integer	50	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumShare	integer	10	0 - 4294967295	The minimum share of traffic (as a percentage) before a source can be considered an attacking entity. This condition and the share increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
shareIncreaseRate	integer	500	0 - 4294967295	The share increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum share condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.site (object)¶

Specifies the criteria that determines when the system treats a site as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	20000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	10000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	2000	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.sourceIP (object)¶

Specifies the criteria that determines when the system treats a source IP address as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	200	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	40	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
rateLimitingMode	string	“rate-limit”	“rate-limit”, “block-all”	Specifies if rate limiting should block all traffic (‘block-all’) or apply normal rate limiting (‘rate-limit’).
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection.url (object)¶

Specifies the criteria that determines when the system treats a URL as an attacker

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
captchaChallengeEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a CAPTCHA challenge to determine whether the client is a legal browser with a human user behind it, or an illegal script. (Legal browsers with human users behind them are able to respond, while illegal scripts cannot.)
clientSideDefenseEnabled	boolean	false	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system issues a client-side integrity challenge that will consume computation resources from the client and slow its attack rate. The system issues a client-side integrity challenge to determine whether the client is a legal browser or an illegal script by sending a JavaScript challenge and waiting for a response. (Legal browsers are able to respond, while illegal scripts cannot.)
heavyURLProtectionEnabled	boolean	true	true, false	Specifies, when enabled, that heavy URL protection should be enabled
maximumAutoTps	integer	5000	0 - 4294967295	Maximum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
maximumTps	integer	1000	0 - 4294967295	The maximum number of transactions per second before a source is always considered an attacking entity
minimumAutoTps	integer	5	0 - 4294967295	Minimum number of transactions per second of an auto-calculated threshold before a source is considered an attacking entity
minimumTps	integer	200	0 - 4294967295	The minimum number of transactions per second before a source can be considered an attacking entity. This condition and the increase rate condition must be met for a source to be considered an attacking entity.
rateLimitingEnabled	boolean	true	true, false	Specifies, when enabled, that if traffic meets the detection conditions, the system applies rate limiting to the traffic
tpsIncreaseRate	integer	500	0 - 4294967295	The transactions per second increase (as a percentage) that must occur before a source can be considered an attacking entity. This condition and the minimum TPS condition must be met for a source to be considered an attacking entity.

DOS_Profile_Application_Stress_Based_Detection_Bad_Actor (object)¶

Specifies properties of Behavioral Detection in Stress-based anomaly.

The following mitigation options are available:

Conservative protection: If detectionEnabled is true, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Standard protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. If signatureDetectionEnabled is true, blocks requests that match the attack signatures.
Aggressive protection: If detectionEnabled is true, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server’s health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server’s health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server’s health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques. If signatureDetectionEnabled is true, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Properties (* = required):

name	type(s)	default	allowed values	description
acceleratedSignaturesEnabled	boolean	false	true, false	Enables signature detection before the connection establishment
detectionEnabled	boolean	false	true, false	Enables traffic behavior, server’s capacity learning, and anomaly detection
mitigationMode	string	“none”	“none”, “conservative”, “standard”, “aggressive”	Specifies mitigation impact on suspicious bad actors/requests
signatureDetectionEnabled	boolean	false	true, false	Enables request signature detection
tlsSignaturesEnabled	boolean	false	true, false	Enables tls signature detection before the connection establishment. This property is available on BIGIP 14.1 and above.
useApprovedSignaturesOnly	boolean	false	true, false	Limits request signature detection to approved signatures only

DOS_Profile_Application_TCP_Dump (object)¶

Configure settings to record traffic (perform a TCP dump) when a DoS attack is underway, in order to diagnose the attack vectors and attackers, observe whether and how it was mitigated, and draw conclusions for changing the DoS profile configuration.

Properties (* = required):

name	type(s)	default	allowed values	description
maximumDuration	integer	30	0 - 4294967295	Configures the maximum time for each TCP dump recording cycle
maximumSize	integer	10	0 - 4294967295	Configures the maximum size (in MB) for each TCP dump recording cycle
recordTrafficEnabled	boolean	false	true, false	Enables the recording of traffic during attacks
repetitionInterval		120		Allow multiple TCP dumps to be recorded during a single DoS attack

DOS_Profile_Network (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
dynamicSignatures	object	{}
vectors	array			A list of configured network DoS vectors

DOS_Profile_Network.dynamicSignatures (object)¶

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
detectionMode	string	“disabled”	“disabled”, “learn-only”, “enabled”	Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode	string	“none”	“none”, “low”, “medium”, “high”	Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory	object			Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration	integer	500	60 - 4294967295	Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled	boolean	false	true, false	Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile_Network.dynamicSignatures.scrubbingCategory (object)¶

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Profile_Network_Dynamic_Signatures (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
detectionMode	string	“disabled”	“disabled”, “learn-only”, “enabled”	Select the enforcement state for dynamic signatures. To enable enforcement of dynamic DoS vectors, select enabled. When enforcement is enabled, all thresholds and threshold actions are applied. Select disabled to apply no action or thresholds to dynamic Vectors. Select learn-only to track dynamic vector statistics, without enforcing any thresholds or limits.
mitigationMode	string	“none”	“none”, “low”, “medium”, “high”	Specify the mitigation sensitivity for dynamic signatures
scrubbingCategory	object			Specifies the IP intelligence denylist category to which scrubbed IPs are sent,Reference to a denylist category
scrubbingDuration	integer	500	60 - 4294967295	Specify the duration in seconds for which an IP address is added to the denylist category
scrubbingEnabled	boolean	false	true, false	Specify whether to enable redirection and scrubbing of IP addresses identified by dynamic vectors. This enables handling of the dynamic vector hits by an IP intelligence category.

DOS_Profile_Network_Dynamic_Signatures.scrubbingCategory (object)¶

Specifies the IP intelligence denylist category to which scrubbed IPs are sent Reference to a denylist category

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_Profile_Protocol_DNS (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
vectors	array			A list of configured DNS DoS vectors

DOS_Profile_Protocol_SIP (object)¶

Properties (* = required):

name	type(s)	default	allowed values	description
vectors	array			A list of configured SIP DoS vectors

DOS_SIP_Vector (object)¶

Protocol SIP Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
autoAttackCeiling	integer	4294967295	0 - 4294967295	Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to 4294967295.
autoAttackFloor	integer	100	0 - 4294967295	Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
autoBlacklistSettings	object	{}		Deprecated. Replaced with functionally equivalent autoDenylistSettings.,Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
autoDenylistSettings	object			Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector
badActorSettings	object	{}		Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.
rateIncreaseThreshold	integer	500	0 - 4294967295	Specify percent of rate increase the system must discover in traffic in order to detect this attack
rateLimit	integer	4294967295	0 - 4294967295	Specify the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
rateThreshold	integer	4294967295	0 - 4294967295	Specify how many packets per second the system must discover in traffic in order to detect this attack
simulateAutoThresholdEnabled	boolean	false	true, false	Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds
state	string	“mitigate”	“disabled”, “learn-only”, “detect-only”, “mitigate”	Specifies how to enforce protection for that attack type: mitigate (watch, learn, alert, and mitigate), detect-only (watch, learn, and alert), learn-only (collect stats, no mitigation), or Disabled (no stat collection, no mitigation).
thresholdMode	string	“manual”	“manual”, “stress-based-mitigation”, “fully-automatic”	Specifies how thresholds are set for this vector
type*	string		“ack”, “cancel”, “message”, “options”, “prack”, “register”, “bye”, “invite”, “notify”, “other”, “publish”, “subscribe”, “uri-limit”, “malformed”	Specifies the name of the DoS attack vector whose thresholds you are configuring

DOS_SIP_Vector.autoBlacklistSettings (object)¶

Deprecated. Replaced with functionally equivalent autoDenylistSettings. Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_SIP_Vector.autoBlacklistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_SIP_Vector.autoDenylistSettings (object)¶

Adds the source IP address to the denylist category assigned to the Denial-of-Service (DoS) vector

Properties (* = required):

name	type(s)	default	allowed values	description
attackDetectionTime	integer	60	1 - 4294967295	Specifies the time in seconds before a vector is denylisted
category	object	{“bigip”:”/Common/denial_of_service”}		Specifies the denylist category assigned to the DoS vector. The settings for this category determine IP Intelligence actions, logging settings, and denylist publisher settings.,Reference to a denylist category
categoryDuration	integer	14400	60 - 4294967295	Specifies the time in seconds before the denylist entry is removed
enabled	boolean	false	true, false	Specifies if automatic denylist management should be used
externalAdvertisementEnabled	boolean	false	true, false	Specifies that addresses that are identified for denylisting are advertised to BGP routers, as configured per denylist category in Blacklist Publisher

DOS_SIP_Vector.autoDenylistSettings.category (object)¶

Default: {“bigip”:”/Common/denial_of_service”}

Properties (* = required):

name	type(s)	default	allowed values	description
bigip	string		“f5bigip” formatted string	Pathname of existing BIG-IP denylist category

DOS_SIP_Vector.badActorSettings (object)¶

Bad actor detection allows automatic detection, logging, and rate limiting of specific IP addresses that appear to be the source of an attack, based on criteria you configure.

Default: {}

Properties (* = required):

name	type(s)	default	allowed values	description
enabled	boolean	false	true, false	Specifies that Bad Actor detection is enabled
sourceDetectionThreshold	integer	4294967295	0 - 4294967295	Specifies the number of packets per second to identify an IP address as a bad actor
sourceMitigationThreshold	integer	4294967295	0 - 4294967295	Specifies the rate limit applied to a source IP that is identified as a bad actor

Previous Next