bigip_firewall_dos_vector – Manage attack vector configuration in an AFM DoS profile

New in version 2.8.

Synopsis

  • Manage attack vector configuration in an AFM DoS profile. In addition to the normal AFM DoS profile vectors, this module can manage the device-configuration vectors. See the module documentation for details about this method.

Requirements

The below requirements are needed on the host that executes this module.

  • BIG-IP >= v13.0.0

Parameters

Parameter Choices/Defaults Comments
allow_advertisement
boolean
    Choices:
  • no
  • yes
Specifies that addresses that are identified for blacklisting are advertised to BGP routers
attack_ceiling
string
Specifies the absolute maximum allowable for packets of this type.
This setting rate limits packets to the packets per second setting, when specified.
To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to infinite.
attack_floor
string
Specifies packets per second to identify an attack.
These settings provide an absolute minimum of packets to allow before the attack is identified.
As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant.
This value may not exceed the value in attack_floor.
auto_blacklist
boolean
    Choices:
  • no
  • yes
Automatically blacklists detected bad actors.
To enable this parameter, the bad_actor_detection must also be enabled.
This parameter is not supported by the dns-malformed vector.
This parameter is not supported by the qdcount vector.
bad_actor_detection
boolean
    Choices:
  • no
  • yes
Whether Bad Actor detection is enabled or disabled for a vector, if available.
This parameter must be enabled to enable the auto_blacklist parameter.
This parameter is not supported by the dns-malformed vector.
This parameter is not supported by the qdcount vector.
blacklist_detection_seconds
integer
Detection, in seconds, before blacklisting occurs.
blacklist_duration
integer
Duration, in seconds, that the blacklist will last.
detection_threshold_eps
string
Lists how many packets per second the system must discover in traffic in order to detect this attack.

aliases: rate_threshold
detection_threshold_percent
string
Lists the threshold percent increase over time that the system must detect in traffic in order to detect this attack.
The tcp-half-open vector does not support this parameter.

aliases: rate_increase
mitigation_threshold_eps
string
Specify the maximum number of this type of packet per second the system allows for a vector.
The system drops packets once the traffic level exceeds the rate limit.

aliases: rate_limit
name
string
    Choices:
  • ext-hdr-too-large
  • hop-cnt-low
  • host-unreachable
  • icmp-frag
  • icmpv4-flood
  • icmpv6-flood
  • ip-frag-flood
  • ip-low-ttl
  • ip-opt-frames
  • ipv6-frag-flood
  • opt-present-with-illegal-len
  • sweep
  • tcp-bad-urg
  • tcp-half-open
  • tcp-opt-overruns-tcp-hdr
  • tcp-psh-flood
  • tcp-rst-flood
  • tcp-syn-flood
  • tcp-syn-oversize
  • tcp-synack-flood
  • tcp-window-size
  • tidcmp
  • too-many-ext-hdrs
  • udp-flood
  • unk-tcp-opt-type
  • a
  • aaaa
  • any
  • axfr
  • cname
  • dns-malformed
  • ixfr
  • mx
  • ns
  • other
  • ptr
  • qdcount
  • soa
  • srv
  • txt
  • ack
  • bye
  • cancel
  • invite
  • message
  • notify
  • options
  • other
  • prack
  • publish
  • register
  • sip-malformed
  • subscribe
  • uri-limit
Specifies the name of the vector to modify.
Vectors that ship with the device are "hard-coded" so-to-speak in that the list of vectors is known to the system and users cannot add new vectors. Users only manipulate the existing vectors; all of which are disabled by default.
When ext-hdr-too-large, configures the "IPv6 extension header too large" Network Security vector.
When hop-cnt-low, configures the "IPv6 hop count <= <tunable>" Network Security vector.
When host-unreachable, configures the "Host Unreachable" Network Security vector.
When icmp-frag, configures the "ICMP Fragment" Network Security vector.
When icmpv4-flood, configures the "ICMPv4 flood" Network Security vector.
When icmpv6-flood, configures the "ICMPv6 flood" Network Security vector.
When ip-frag-flood, configures the "IP Fragment Flood" Network Security vector.
When ip-low-ttl, configures the "TTL <= <tunable>" Network Security vector.
When ip-opt-frames, configures the "IP Option Frames" Network Security vector.
When ipv6-ext-hdr-frames, configures the "IPv6 Extended Header Frames" Network Security vector.
When ipv6-frag-flood, configures the "IPv6 Fragment Flood" Network Security vector.
When opt-present-with-illegal-len, configures the "Option Present With Illegal Length" Network Security vector.
When sweep, configures the "Sweep" Network Security vector.
When tcp-bad-urg, configures the "TCP Flags-Bad URG" Network Security vector.
When tcp-half-open, configures the "TCP Half Open" Network Security vector.
When tcp-opt-overruns-tcp-hdr, configures the "TCP Option Overruns TCP Header" Network Security vector.
When tcp-psh-flood, configures the "TCP PUSH Flood" Network Security vector.
When tcp-rst-flood, configures the "TCP RST Flood" Network Security vector.
When tcp-syn-flood, configures the "TCP SYN Flood" Network Security vector.
When tcp-syn-oversize, configures the "TCP SYN Oversize" Network Security vector.
When tcp-synack-flood, configures the "TCP SYN ACK Flood" Network Security vector.
When tcp-window-size, configures the "TCP Window Size" Network Security vector.
When tidcmp, configures the "TIDCMP" Network Security vector.
When too-many-ext-hdrs, configures the "Too Many Extension Headers" Network Security vector.
When udp-flood, configures the "UDP Flood" Network Security vector.
When unk-tcp-opt-type, configures the "Unknown TCP Option Type" Network Security vector.
When a, configures the "DNS A Query" DNS Protocol Security vector.
When aaaa, configures the "DNS AAAA Query" DNS Protocol Security vector.
When any, configures the "DNS ANY Query" DNS Protocol Security vector.
When axfr, configures the "DNS AXFR Query" DNS Protocol Security vector.
When cname, configures the "DNS CNAME Query" DNS Protocol Security vector.
When dns-malformed, configures the "dns-malformed" DNS Protocol Security vector.
When ixfr, configures the "DNS IXFR Query" DNS Protocol Security vector.
When mx, configures the "DNS MX Query" DNS Protocol Security vector.
When ns, configures the "DNS NS Query" DNS Protocol Security vector.
When other, configures the "DNS OTHER Query" DNS Protocol Security vector.
When ptr, configures the "DNS PTR Query" DNS Protocol Security vector.
When qdcount, configures the "DNS QDCOUNT Query" DNS Protocol Security vector.
When soa, configures the "DNS SOA Query" DNS Protocol Security vector.
When srv, configures the "DNS SRV Query" DNS Protocol Security vector.
When txt, configures the "DNS TXT Query" DNS Protocol Security vector.
When ack, configures the "SIP ACK Method" SIP Protocol Security vector.
When bye, configures the "SIP BYE Method" SIP Protocol Security vector.
When cancel, configures the "SIP CANCEL Method" SIP Protocol Security vector.
When invite, configures the "SIP INVITE Method" SIP Protocol Security vector.
When message, configures the "SIP MESSAGE Method" SIP Protocol Security vector.
When notify, configures the "SIP NOTIFY Method" SIP Protocol Security vector.
When options, configures the "SIP OPTIONS Method" SIP Protocol Security vector.
When other, configures the "SIP OTHER Method" SIP Protocol Security vector.
When prack, configures the "SIP PRACK Method" SIP Protocol Security vector.
When publish, configures the "SIP PUBLISH Method" SIP Protocol Security vector.
When register, configures the "SIP REGISTER Method" SIP Protocol Security vector.
When sip-malformed, configures the "sip-malformed" SIP Protocol Security vector.
When subscribe, configures the "SIP SUBSCRIBE Method" SIP Protocol Security vector.
When uri-limit, configures the "uri-limit" SIP Protocol Security vector.
partition
string
Default:
"Common"
Device partition to manage resources on.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
per_source_ip_detection_threshold
string
Specifies the number of packets per second to identify an IP address as a bad actor.
per_source_ip_mitigation_threshold
string
Specifies the rate limit applied to a source IP that is identified as a bad actor.
profile
string / required
Specifies the name of the profile to manage vectors in.
The name device-config is reserved for use by this module.
Vectors can be managed in either DoS Profiles, or Device Configuration. By specifying a profile of 'device-config', this module will specifically tailor configuration of the provided vectors to the Device Configuration.
provider
dictionary
added in 2.5
A dict object containing connection details.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
Default:
443
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
ssh_keyfile
path
Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports.
You may omit this option by setting the environment variable ANSIBLE_NET_SSH_KEYFILE.
timeout
integer
Default:
10
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport
string
    Choices:
  • cli
  • rest ←
Configures the transport connection to use when connecting to the remote device.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
added in 2.2
 Default:
443
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
simulate_auto_threshold
boolean
    Choices:
  • no
  • yes
Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds.
The sweep vector does not support this parameter.
state
string / required
    Choices:
  • mitigate
  • detect-only
  • learn-only
  • disabled
When state is mitigate, ensures that the vector enforces limits and thresholds.
When state is detect-only, ensures that the vector does not enforce limits and thresholds (rate limiting, dopping, etc), but is still tracked in logs and statistics.
When state is disabled, ensures that the vector does not enforce limits and thresholds, but is still tracked in logs and statistics.
When state is learn-only, ensures that the vector does not "detect" any attacks. Only learning and stat collecting is performed.
threshold_mode
string
    Choices:
  • manual
  • stress-based-mitigation
  • fully-automatic
The dns-malformed vector does not support fully-automatic, or stress-based-mitigation for this parameter.
The qdcount vector does not support fully-automatic, or stress-based-mitigation for this parameter.
The sip-malformed vector does not support fully-automatic, or stress-based-mitigation for this parameter.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
added in 2.0
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.

  • Requires BIG-IP software version >= 12.

  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Enable DNS AAAA vector mitigation
  bigip_firewall_dos_vector:
    name: aaaa
    state: mitigate
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
allow_advertisement
boolean
 changed
The new Allow External Advertisement setting.

Sample:
True
attack_ceiling
string
 changed
The new Attack Ceiling EPS setting.

Sample:
infinite
attack_floor
string
 changed
The new Attack Floor EPS setting.

Sample:
infinite
auto_blacklist
boolean
 changed
The new Auto Blacklist setting.
bad_actor_detection
boolean
 changed
The new Bad Actor Detection setting.
blacklist_category
string
 changed
The new Category Name setting.

Sample:
/Common/cloud_provider_networks
blacklist_detection_seconds
integer
 changed
The new Sustained Attack Detection Time setting.

Sample:
60
blacklist_duration
integer
 changed
The new Category Duration Time setting.

Sample:
14400
detection_threshold_eps
string
 changed
The new Detection Threshold EPS setting.

Sample:
infinite
detection_threshold_percent
string
 changed
The new Detection Threshold Percent setting.

Sample:
infinite
mitigation_threshold_eps
string
 changed
The new Mitigation Threshold EPS setting.

Sample:
infinite
per_source_ip_detection_threshold
string
 changed
The new Per Source IP Detection Threshold EPS setting.

Sample:
23
per_source_ip_mitigation_threshold
string
 changed
The new Per Source IP Mitigation Threshold EPS setting.

Sample:
infinite
simulate_auto_threshold
boolean
 changed
The new Simulate Auto Threshold setting.
state
string
 changed
The new state of the vector.

Sample:
mitigate
threshold_mode
string
 changed
The new Mitigation Threshold EPS setting.

Sample:
infinite


Status

Authors

  • Tim Rupp (@caphrim007)

Hint

If you notice any issues in this documentation you can edit this document to improve it.