f5networks.f5_modules.bigip_firewall_dos_vector – Manage attack vector configuration in an AFM DoS profile
Note
This plugin is part of the f5networks.f5_modules collection (version 1.12.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install f5networks.f5_modules.
To use it in a playbook, specify: f5networks.f5_modules.bigip_firewall_dos_vector.
New in version 1.0.0 of f5networks.f5_modules
Synopsis
- Manage the attack vector configuration in an AFM (Advanced Firewall Manager) DoS profile. In addition to the normal AFM DoS profile vectors, this module can manage the device-configuration vectors. See the module documentation for details about this method.
 
Requirements
The below requirements are needed on the host that executes this module.
- BIG-IP >= v13.0.0
 
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| allow_advertisement (boolean) | | Specifies whether addresses that are identified for blacklisting are advertised to BGP routers. |
| attack_ceiling (string) | | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to infinite. |
| attack_floor (string) | | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. This value may not exceed the value in attack_ceiling. |
| auto_blacklist (boolean) | | Automatically blacklists detected bad actors. To enable this parameter, bad_actor_detection must also be enabled. This parameter is not supported by the dns-malformed vector. This parameter is not supported by the qdcount vector. |
| bad_actor_detection (boolean) | | Whether Bad Actor detection is enabled or disabled for a vector, if available. This parameter must be enabled to enable the auto_blacklist parameter. This parameter is not supported by the dns-malformed vector. This parameter is not supported by the qdcount vector. |
| blacklist_detection_seconds (integer) | | Detection before blacklisting occurs, in seconds. |
| blacklist_duration (integer) | | Duration the blacklist will last, in seconds. |
| detection_threshold_eps (string) | | Lists how many packets per second the system must discover in traffic in order to detect this attack. Aliases: rate_threshold |
| detection_threshold_percent (string) | | Lists the threshold percent increase over time that the system must detect in traffic in order to detect this attack. The tcp-half-open vector does not support this parameter. Aliases: rate_increase |
| mitigation_threshold_eps (string) | | Specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit. Aliases: rate_limit |
| name (string / required) | | Specifies the name of the vector to modify. Vectors that ship with the device are "hard-coded" in that the list of vectors is known to the system and users cannot add new vectors. Users only manipulate the existing vectors, all of which are disabled by default. The accepted vector names, and the vector each one configures, are listed under "Vector names" below this table. |
| partition (string) | Default: "Common" | Device partition to manage resources on. |
| per_source_ip_detection_threshold (string) | | Specifies the number of packets per second to identify an IP address as a bad actor. |
| per_source_ip_mitigation_threshold (string) | | Specifies the rate limit applied to a source IP that is identified as a bad actor. |
| profile (string / required) | | Specifies the name of the profile to manage vectors in. The name device-config is reserved for use by this module. Vectors can be managed in either DoS Profiles or Device Configuration. By specifying a profile of 'device-config', this module will specifically tailor configuration of the provided vectors to the Device Configuration. |
| provider (dictionary), added in 1.0.0 of f5networks.f5_modules | | A dict object containing connection details. |
| provider / auth_provider (string) | | Configures the auth provider used to obtain authentication tokens from the remote device. This option is only used when working with BIG-IQ devices. |
| provider / no_f5_teem (boolean) | | If yes, TEEM telemetry data is not sent to F5. You may omit this option by setting the environment variable F5_TELEMETRY_OFF. The previously used variable F5_TEEM is deprecated as its name was confusing. |
| provider / password (string / required) | | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable F5_PASSWORD. Aliases: pass, pwd |
| provider / server (string / required) | | The BIG-IP host. You may omit this option by setting the environment variable F5_SERVER. |
| provider / server_port (integer) | Default: 443 | The BIG-IP server port. You may omit this option by setting the environment variable F5_SERVER_PORT. |
| provider / timeout (integer) | | Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error. |
| provider / transport (string) | | Configures the transport connection to use when connecting to the remote device. |
| provider / user (string / required) | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable F5_USER. |
| provider / validate_certs (boolean) | | If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. You may omit this option by setting the environment variable F5_VALIDATE_CERTS. |
| simulate_auto_threshold (boolean) | | Specifies whether results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds. The sweep vector does not support this parameter. |
| state (string) | | When state is mitigate, ensures the vector enforces limits and thresholds. When state is detect-only, ensures the vector does not enforce limits and thresholds (rate limiting, dropping, etc.), but is still tracked in logs and statistics. When state is disabled, ensures the vector does not enforce limits and thresholds, but is still tracked in logs and statistics. When state is learn-only, ensures the vector does not "detect" any attacks. Only learning and stat collecting is performed. |
| threshold_mode (string) | | The dns-malformed vector does not support fully-automatic or stress-based-mitigation for this parameter. The qdcount vector does not support fully-automatic or stress-based-mitigation for this parameter. The sip-malformed vector does not support fully-automatic or stress-based-mitigation for this parameter. |

Vector names
The name parameter accepts the following values. Each entry gives the value followed by the vector it configures.

Network Security vectors:
- bad-icmp-chksum: "Bad ICMP Checksum"
- bad-icmp-frame: "Bad ICMP Frame"
- bad-igmp-frame: "Bad IGMP Frame"
- bad-ip-opt: "IP Option Illegal Length"
- bad-ipv6-hop-cnt: "Bad IPv6 Hop Count"
- bad-ipv6-ver: "Bad IPv6 Version"
- bad-sctp-chksum: "Bad SCTP Checksum"
- bad-tcp-chksum: "Bad TCP Checksum"
- bad-tcp-flags-all-clr: "Bad TCP Flags (All Cleared)"
- bad-tcp-flags-all-set: "Bad TCP Flags (All Flags Set)"
- bad-ttl-val: "Bad IP TTL Value"
- bad-udp-chksum: "Bad UDP Checksum"
- bad-udp-hdr: "Bad UDP Header (UDP Length > IP Length or L2 Length)"
- bad-ver: "Bad IP Version"
- arp-flood: "ARP Flood"
- flood: "Single Endpoint Flood"
- igmp-flood: "IGMP Flood"
- igmp-frag-flood: "IGMP Fragment Flood"
- ip-bad-src: "Bad Source"
- ip-err-chksum: "IP Error Checksum"
- ip-len-gt-l2-len: "IP Length > L2 Length"
- ip-other-frag: "IP Fragment Error"
- ip-overlap-frag: "IP Fragment Overlap"
- ip-short-frag: "IP Fragment Too Small"
- ip-uncommon-proto: "IP Uncommon Proto"
- ip-unk-prot: "IP Unknown Protocol"
- ipv4-mapped-ipv6: "IPv4 Mapped IPv6"
- ipv6-atomic-frag: "IPv6 Atomic Fragment"
- ipv6-bad-src: "Bad IPv6 Addr"
- ipv6-len-gt-l2-len: "IPv6 Length > L2 Length"
- ipv6-other-frag: "IPv6 Fragment Error"
- ipv6-overlap-frag: "IPv6 Fragment Overlap"
- ipv6-short-frag: "IPv6 Fragment Too Small"
- l2-len-ggt-ip-len: "L2 Length >> IP Length"
- l4-ext-hdrs-go-end: "No L4 (Extension Headers Go To Or Past The End of Frame)"
- land-attack: "LAND Attack"
- no-l4: "No L4"
- no-listener-match: "No Listener Match"
- non-tcp-connection: "Non TCP Connection"
- payload-len-ls-l2-len: "Payload Length < L2 Length"
- routing-header-type-0: "Routing Header Type 0"
- syn-and-fin-set: "SYN && FIN Set"
- tcp-ack-flood: "TCP BADACK Flood"
- tcp-hdr-len-gt-l2-len: "TCP Header Length > L2 Length"
- tcp-hdr-len-too-short: "TCP Header Length Too Short (Length < 5)"
- hdr-len-gt-l2-len: "Header Length > L2 Length"
- hdr-len-too-short: "Header Length Too Short"
- bad-ext-hdr-order: "IPv6 Extended Headers Wrong order"
- ext-hdr-too-large: "IPv6 extension header too large"
- hop-cnt-low: "IPv6 hop count <= <tunable>"
- host-unreachable: "Host Unreachable"
- icmp-frag: "ICMP Fragment"
- icmp-frame-too-large: "ICMP Frame Too Large"
- icmpv4-flood: "ICMPv4 flood"
- icmpv6-flood: "ICMPv6 flood"
- ip-frag-flood: "IP Fragment Flood"
- ip-low-ttl: "TTL <= <tunable>"
- ip-opt-frames: "IP Option Frames"
- ipv6-ext-hdr-frames: "IPv6 Extended Header Frames"
- ipv6-frag-flood: "IPv6 Fragment Flood"
- opt-present-with-illegal-len: "Option Present With Illegal Length"
- sweep: "Sweep"
- tcp-bad-urg: "TCP Flags-Bad URG"
- tcp-half-open: "TCP Half Open"
- tcp-opt-overruns-tcp-hdr: "TCP Option Overruns TCP Header"
- tcp-psh-flood: "TCP PUSH Flood"
- tcp-rst-flood: "TCP RST Flood"
- tcp-syn-flood: "TCP SYN Flood"
- tcp-syn-oversize: "TCP SYN Oversize"
- tcp-synack-flood: "TCP SYN ACK Flood"
- tcp-window-size: "TCP Window Size"
- tidcmp: "TIDCMP"
- too-many-ext-hdrs: "Too Many Extension Headers"
- dup-ext-hdr: "IPv6 Duplicate Extension Headers"
- fin-only-set: "FIN Only Set"
- ether-brdcst-pkt: "Ethernet Broadcast Packet"
- ether-multicst-pkt: "Ethernet Multicast Packet"
- ether-mac-sa-eq-da: "Ethernet MAC Source Address == Destination Address"
- udp-flood: "UDP Flood"
- unk-ipopt-type: "Unknown Option Type"
- unk-tcp-opt-type: "Unknown TCP Option Type"

DNS Protocol Security vectors:
- a: "DNS A Query"
- aaaa: "DNS AAAA Query"
- any: "DNS ANY Query"
- axfr: "DNS AXFR Query"
- cname: "DNS CNAME Query"
- dns-malformed: "dns-malformed"
- dns-nxdomain-query: "dns-nxdomain-query"
- dns-response-flood: "dns-response-flood"
- dns-oversize: "dns-oversize"
- ixfr: "DNS IXFR Query"
- mx: "DNS MX Query"
- ns: "DNS NS Query"
- other: "DNS OTHER Query"
- ptr: "DNS PTR Query"
- qdcount: "DNS QDCOUNT Query"
- soa: "DNS SOA Query"
- srv: "DNS SRV Query"
- txt: "DNS TXT Query"

SIP Protocol Security vectors:
- ack: "SIP ACK Method"
- bye: "SIP BYE Method"
- cancel: "SIP CANCEL Method"
- invite: "SIP INVITE Method"
- message: "SIP MESSAGE Method"
- notify: "SIP NOTIFY Method"
- options: "SIP OPTIONS Method"
- other: "SIP OTHER Method"
- prack: "SIP PRACK Method"
- publish: "SIP PUBLISH Method"
- register: "SIP REGISTER Method"
- sip-malformed: "sip-malformed"
- subscribe: "SIP SUBSCRIBE Method"
- uri-limit: "uri-limit"
Notes
Note
- For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
- Requires BIG-IP software version >= 12.
- The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module's documentation for the correct usage of the module to save your running configuration.
 
Examples
```yaml
- name: Enable DNS AAAA vector mitigation
  bigip_firewall_dos_vector:
    name: aaaa
    state: mitigate
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
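A fuller playbook, added here as an illustration and not part of the module documentation or the f5networks.f5_modules collection. It shows the rollout pattern the parameter table implies: a vector is first set to detect-only so its thresholds are only logged, and switched to mitigate once they have been reviewed; bad_actor_detection is enabled before auto_blacklist, as the table requires; a vector that does not support those options (dns-malformed) is configured without them; a device-wide vector is addressed through the reserved device-config profile; and the play ends with bigip_config so the change survives a reboot, as the Notes require. The profile name dos_profile_web, the enforce_dos variable, the threshold values and the environment-variable lookups for connection details are assumptions made for this example.

```yaml
# Added example playbook; not part of the f5networks.f5_modules documentation.
# dos_profile_web, enforce_dos and every threshold value are placeholders.
- name: Tune AFM DoS vectors and persist the running configuration
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Flip to true only after a detect-only run has shown the thresholds
    # are not tripping on legitimate traffic.
    enforce_dos: false
    f5_provider:
      server: "{{ lookup('env', 'F5_SERVER') }}"
      user: "{{ lookup('env', 'F5_USER') }}"
      password: "{{ lookup('env', 'F5_PASSWORD') }}"
      validate_certs: true
  tasks:
    - name: TCP SYN flood vector, detect-only until enforce_dos is true
      f5networks.f5_modules.bigip_firewall_dos_vector:
        profile: dos_profile_web
        name: tcp-syn-flood
        state: "{{ 'mitigate' if enforce_dos | bool else 'detect-only' }}"
        # Threshold parameters are strings in this module; attack_floor
        # must not exceed attack_ceiling.
        detection_threshold_eps: "5000"
        detection_threshold_percent: "500"
        mitigation_threshold_eps: "20000"
        attack_floor: "1000"
        attack_ceiling: infinite
        # auto_blacklist is only valid when bad_actor_detection is enabled.
        bad_actor_detection: true
        per_source_ip_detection_threshold: "500"
        per_source_ip_mitigation_threshold: "1000"
        auto_blacklist: true
        blacklist_detection_seconds: 60
        blacklist_duration: 14400
        # Keep blacklisted addresses local; do not advertise them to BGP peers.
        allow_advertisement: false
        provider: "{{ f5_provider }}"
      register: syn_flood

    - name: Malformed DNS vector (no bad actor or auto-blacklist support)
      f5networks.f5_modules.bigip_firewall_dos_vector:
        profile: dos_profile_web
        name: dns-malformed
        state: "{{ 'mitigate' if enforce_dos | bool else 'detect-only' }}"
        detection_threshold_eps: "100"
        mitigation_threshold_eps: "500"
        provider: "{{ f5_provider }}"

    - name: IP fragment flood in the device configuration (reserved profile name)
      f5networks.f5_modules.bigip_firewall_dos_vector:
        profile: device-config
        name: ip-frag-flood
        state: mitigate
        detection_threshold_eps: "10000"
        mitigation_threshold_eps: "50000"
        provider: "{{ f5_provider }}"

    - name: Report the state the module returned for the SYN flood vector
      ansible.builtin.debug:
        msg: "tcp-syn-flood state is now {{ syn_flood.state | default('unchanged') }}"

    - name: Persist the running configuration (the F5 modules only change running config)
      f5networks.f5_modules.bigip_config:
        save_running_config: true
        provider: "{{ f5_provider }}"
```

Run it twice: the first run with enforce_dos left at false establishes the thresholds in detect-only mode, and a second run with `-e enforce_dos=true` flips the two profile vectors to mitigate without touching any other setting. Because return values such as state are only present when the task changed something, the debug task falls back to "unchanged" on an idempotent run.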
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| allow_advertisement (boolean) | changed | The new Allow External Advertisement setting. Sample: True |
| attack_ceiling (string) | changed | The new Attack Ceiling EPS setting. Sample: infinite |
| attack_floor (string) | changed | The new Attack Floor EPS setting. Sample: infinite |
| auto_blacklist (boolean) | changed | The new Auto Blacklist setting. |
| bad_actor_detection (boolean) | changed | The new Bad Actor Detection setting. |
| blacklist_category (string) | changed | The new Category Name setting. Sample: /Common/cloud_provider_networks |
| blacklist_detection_seconds (integer) | changed | The new Sustained Attack Detection Time setting. Sample: 60 |
| blacklist_duration (integer) | changed | The new Category Duration Time setting. Sample: 14400 |
| detection_threshold_eps (string) | changed | The new Detection Threshold EPS setting. Sample: infinite |
| detection_threshold_percent (string) | changed | The new Detection Threshold Percent setting. Sample: infinite |
| mitigation_threshold_eps (string) | changed | The new Mitigation Threshold EPS setting. Sample: infinite |
| per_source_ip_detection_threshold (string) | changed | The new Per Source IP Detection Threshold EPS setting. Sample: 23 |
| per_source_ip_mitigation_threshold (string) | changed | The new Per Source IP Mitigation Threshold EPS setting. Sample: infinite |
| simulate_auto_threshold (boolean) | changed | The new Simulate Auto Threshold setting. |
| state (string) | changed | The new state of the vector. Sample: mitigate |
| threshold_mode (string) | changed | The new Mitigation Threshold EPS setting. Sample: infinite |
Authors
- Tim Rupp (@caphrim007)
- Nitin Khanna (@nitinthewiz)
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_firewall_dos_vector_module.html