.. _ddos_template_tcp:

ddos template tcp
=================

TCP template Configuration

tcp Specification
-----------------

=====================================  =================================================================
**Parameter**                          **Value**
=====================================  =================================================================
**Type**                               *Collection*
**Object Key(s)**                      *name*
**Collection Name**                    :ref:`444_tcp_list`
**Collection URI**                     /axapi/v3/ddos/template/tcp
**Element Name**                       tcp
**Element URI**                        /axapi/v3/ddos/template/tcp/{name}
**Element Attributes**                 tcp_attributes
**Partition Visibility**               None
**Schema**                             :download:`tcp schema `
=====================================  =================================================================

**Operations Allowed:**

==============  ======  ==================================  =========================
Operation       Method  URI                                 Payload
==============  ======  ==================================  =========================
Create Object   POST    /axapi/v3/ddos/template/tcp         :ref:`444_tcp_attributes`
Create List     POST    /axapi/v3/ddos/template/tcp         :ref:`444_tcp_attributes`
Get Object      GET     /axapi/v3/ddos/template/tcp/{name}  :ref:`444_tcp_attributes`
Get List        GET     /axapi/v3/ddos/template/tcp         :ref:`444_tcp_list`
Modify Object   POST    /axapi/v3/ddos/template/tcp/{name}  :ref:`444_tcp_attributes`
Replace Object  PUT     /axapi/v3/ddos/template/tcp/{name}  :ref:`444_tcp_attributes`
Replace List    PUT     /axapi/v3/ddos/template/tcp         :ref:`444_tcp_list`
Delete Object   DELETE  /axapi/v3/ddos/template/tcp/{name}  :ref:`444_tcp_attributes`
==============  ======  ==================================  =========================

.. _444_tcp_list:

tcp-list
--------

tcp-list is **JSON List** of :ref:`444_tcp_attributes`

tcp-list : [ { :ref:`444_tcp_attributes` }, { :ref:`444_tcp_attributes` }, ... ]

.. _444_tcp_attributes:

tcp attributes
--------------

**ack-authentication-synack-reset**

    **Description** Enable Reset client TCP SYN+ACK for authentication (DST support only)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**action-cfg**

    **Description:** action-cfg is a **JSON Block**. Please see below for :ref:`444_action-cfg`

    **Type:** Object

**action-on-ack-rto-retry-count**

    **Description** Take action if action-on-ack RTO-authentication fail over retry time(default:5)

    **Type:** number

    **Range:** 2-10

**action-on-syn-rto-retry-count**

    **Description** Take action if action-on-syn RTO-authentication fail over retry time(default:5)

    **Type:** number

    **Range:** 2-10

**action-syn-cfg**

    **Description:** action-syn-cfg is a **JSON Block**. Please see below for :ref:`444_action-syn-cfg`

    **Type:** Object

**age**

    **Description** Session age in minutes

    **Type:** number

    **Range:** 1-63

**allow-syn-otherflags**

    **Description** Treat TCP SYN+PSH as a TCP SYN (DST tcp ports support only)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**allow-synack-skip-authentications**

    **Description** Allow create sessions on SYNACK without syn-auth and ack-auth (ASYM Mode only)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**allow-tcp-tfo**

    **Description** Allow TCP Fast Open

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**black-list-out-of-seq**

    **Description** Black list Src IP if out of seq pkts exceed configured threshold

    **Type:** number

    **Range:** 1-64000

    **Mutual Exclusion:** black-list-out-of-seq and per-conn-out-of-seq-rate-limit are mutually exclusive

**black-list-retransmit**

    **Description** Black list Src IP if retransmit pkts exceed configured threshold

    **Type:** number

    **Range:** 1-64000

    **Mutual Exclusion:** black-list-retransmit and per-conn-retransmit-rate-limit are mutually exclusive

**black-list-zero-win**

    **Description** Black list Src IP if zero window pkts exceed configured threshold

    **Type:** number

    **Range:** 1-250

    **Mutual Exclusion:** black-list-zero-win and per-conn-zero-win-rate-limit are mutually exclusive

**conn-rate-limit-on-syn-only**

    **Description** Only count SYN-initiated connections towards connection-rate tracking

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**create-conn-on-syn-only**

    **Description** Enable connection establishment on SYN only

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**drop-known-resp-src-port-cfg**

    **Description:** drop-known-resp-src-port-cfg is a **JSON Block**. Please see below for :ref:`444_drop-known-resp-src-port-cfg`

    **Type:** Object

**dst**

    **Description:** dst is a **JSON Block**. Please see below for :ref:`444_dst`

    **Type:** Object

**filter-list**

    **Type:** List

    **Reference Object:** :doc:`/axapi/v3/ddos/template/tcp/{name}/filter/{tcp-filter-seq} `

**name**

    **Description**

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 63 characters

    **Maximum Length:** 1 characters

**per-conn-out-of-seq-rate-action**

    **Description** 'drop': Drop packets for out-of-seq rate exceed (Default); 'blacklist-src': help Blacklist-src for out-of-seq rate exceed; 'ignore': help Ignore out-of-seq rate exceed;

    **Type:** string

    **Supported Values:** drop, blacklist-src, ignore

    **Default:** drop

**per-conn-out-of-seq-rate-limit**

    **Description** Take action if out-of-seq pkt rate exceed configured threshold

    **Type:** number

    **Range:** 1-16000000

    **Mutual Exclusion:** per-conn-out-of-seq-rate-limit and black-list-out-of-seq are mutually exclusive

**per-conn-pkt-rate-action**

    **Description** 'drop': Drop packets for per-conn-pkt-rate exceed (Default); 'blacklist-src': help Blacklist-src for per-conn-pkt-rate exceed; 'ignore': Ignore per-conn-pkt-rate-exceed;

    **Type:** string

    **Supported Values:** drop, blacklist-src, ignore

    **Default:** drop

**per-conn-pkt-rate-limit**

    **Description** Packet rate limit per connection per rate-interval

    **Type:** number

    **Range:** 1-16000000

**per-conn-rate-interval**

    **Description** '100ms': 100ms; '1sec': 1sec; '10sec': 10sec;

    **Type:** string

    **Supported Values:** 100ms, 1sec, 10sec

    **Default:** 1sec

**per-conn-retransmit-rate-action**

    **Description** 'drop': Drop packets for retransmit rate exceed (Default); 'blacklist-src': help Blacklist-src for retransmit rate exceed; 'ignore': help Ignore retransmit rate exceed;

    **Type:** string

    **Supported Values:** drop, blacklist-src, ignore

    **Default:** drop

**per-conn-retransmit-rate-limit**

    **Description** Take action if retransmit pkt rate exceed configured threshold

    **Type:** number

    **Range:** 1-16000000

    **Mutual Exclusion:** per-conn-retransmit-rate-limit and black-list-retransmit are mutually exclusive

**per-conn-zero-win-rate-action**

    **Description** 'drop': Drop packets for zero-win rate exceed (Default); 'blacklist-src': help Blacklist-src for zero-win rate exceed; 'ignore': help Ignore zero-win rate exceed;

    **Type:** string

    **Supported Values:** drop, blacklist-src, ignore

    **Default:** drop

**per-conn-zero-win-rate-limit**

    **Description** Take action if zero window pkt rate exceed configured threshold

    **Type:** number

    **Range:** 1-16000000

    **Mutual Exclusion:** per-conn-zero-win-rate-limit and black-list-zero-win are mutually exclusive

**src**

    **Description:** src is a **JSON Block**. Please see below for :ref:`444_src`

    **Type:** Object

**syn-auth**

    **Description** 'send-rst': Send RST to client upon client ACK; 'force-rst-by-ack': Force client RST via the use of ACK; 'force-rst-by-synack': Force client RST via the use of bad SYN|ACK; 'disable': Disable TCP SYN Authentication; 'send-rst-all': Send RST to client for all auth attempts;

    **Type:** string

    **Supported Values:** send-rst, force-rst-by-ack, force-rst-by-synack, disable, send-rst-all

    **Default:** send-rst

**syn-cookie**

    **Description** Enable SYN Cookie

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**synack-rate-limit**

    **Description** Config SYNACK rate limit

    **Type:** number

    **Range:** 1-16000000

    **Mutual Exclusion:** synack-rate-limit and track-together-with-syn are mutually exclusive

**track-together-with-syn**

    **Description** SYNACK will be counted in Dst Syn-rate limit

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

    **Mutual Exclusion:** track-together-with-syn and synack-rate-limit are mutually exclusive

**tunnel-encap**

    **Description:** tunnel-encap is a **JSON Block**. Please see below for :ref:`444_tunnel-encap`

    **Type:** Object

**user-tag**

    **Description** Customized tag

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Maximum Length:** 1 characters

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _444_tunnel-encap:

tunnel-encap
^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**gre-cfg**

    **Description:** gre-cfg is a **JSON Block**. Please see below for :ref:`444_tunnel-encap_gre-cfg`

    **Type:** Object

**ip-cfg**

    **Description:** ip-cfg is a **JSON Block**. Please see below for :ref:`444_tunnel-encap_ip-cfg`

    **Type:** Object

.. _444_tunnel-encap_ip-cfg:

tunnel-encap_ip-cfg
^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**always**

    **Description:** always is a **JSON Block**. Please see below for :ref:`444_tunnel-encap_ip-cfg_always`

    **Type:** Object

**ip-encap**

    **Description** Enable Tunnel encapsulation using IP in IP

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

.. _444_tunnel-encap_ip-cfg_always:

tunnel-encap_ip-cfg_always
^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**ipv4-addr**

    **Description** IPv4 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

    **Type:** string

    **Format:** ipv4-address

**ipv6-addr**

    **Description** IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

    **Type:** string

    **Format:** ipv6-address

**preserve-src-ipv4**

    **Description** Use original source ip for encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**preserve-src-ipv6**

    **Description** Use original source ip for encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

.. _444_tunnel-encap_gre-cfg:

tunnel-encap_gre-cfg
^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**gre-always**

    **Description:** gre-always is a **JSON Block**. Please see below for :ref:`444_tunnel-encap_gre-cfg_gre-always`

    **Type:** Object

**gre-encap**

    **Description** Enable Tunnel encapsulation using GRE

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

.. _444_tunnel-encap_gre-cfg_gre-always:

tunnel-encap_gre-cfg_gre-always
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**gre-ipv4**

    **Description** IPv4 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

    **Type:** string

    **Format:** ipv4-address

**gre-ipv6**

    **Description** IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

    **Type:** string

    **Format:** ipv6-address

**key-ipv4**

    **Description** Encapsulate with key (Hexadecimal 0x0-0xFFFFFFFF,decimal 0-4294967295)

    **Type:** string

    **Maximum Length:** 10 characters

    **Maximum Length:** 1 characters

**key-ipv6**

    **Description** Encapsulate with key (Hexadecimal 0x0-0xFFFFFFFF,decimal 0-4294967295)

    **Type:** string

    **Maximum Length:** 10 characters

    **Maximum Length:** 1 characters

**preserve-src-ipv4-gre**

    **Description** Use original source ip for encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**preserve-src-ipv6-gre**

    **Description** Use original source ip for encapsulation

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

.. _444_dst:

dst
^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**rate-limit**

    **Description:** rate-limit is a **JSON Block**. Please see below for :ref:`444_dst_rate-limit`

    **Type:** Object

.. _444_dst_rate-limit:

dst_rate-limit
^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**syn-rate-limit**

    **Description:** syn-rate-limit is a **JSON Block**. Please see below for :ref:`444_dst_rate-limit_syn-rate-limit`

    **Type:** Object

.. _444_dst_rate-limit_syn-rate-limit:

dst_rate-limit_syn-rate-limit
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**dst-syn-rate-action**

    **Description** 'drop': Drop packets for syn-rate exceed (Default); 'ignore': Ignore syn-rate-exceed;

    **Type:** string

    **Supported Values:** drop, ignore

    **Default:** drop

**dst-syn-rate-limit**

    **Description**

    **Type:** number

    **Range:** 1-16000000

.. _444_action-cfg:

action-cfg
^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**action-on-ack**

    **Description** Monitor tcp ack for age-out session

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**authenticate-only**

    **Description** Apply action-on-ack once per source address for authentication purpose

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**min-retry-gap**

    **Description** Min gap between 2 ACKs for action-on-ack pass in 100ms interval

    **Type:** number

    **Range:** 1-80

**reset**

    **Description** Send RST to client

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**rto-authentication**

    **Description** Estimate the RTO and apply the exponential back-off for authentication

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**timeout**

    **Description** ACK retry timeout in sec

    **Type:** number

    **Range:** 1-31

.. _444_filter-list:

filter-list
^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *list*
**Block object keys**
===============================  ===================================================

**byte-offset-filter**

    **Description** Filter Expression using Berkeley Packet Filter syntax

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 1275 characters

    **Maximum Length:** 1 characters

**tcp-filter-action**

    **Description** 'blacklist-src': Also blacklist the source when action is taken; 'whitelist-src': Whitelist the source after filter passes, packets are dropped until then; 'count-only': Take no action and continue processing the next filter;

    **Type:** string

    **Supported Values:** blacklist-src, whitelist-src, count-only

**tcp-filter-regex**

    **Description** Regex Expression

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 1275 characters

    **Maximum Length:** 1 characters

**tcp-filter-seq**

    **Description** Sequence number

    **Type:** number

    **Range:** 1-5

**tcp-filter-unmatched**

    **Description** action taken when it does not match

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**user-tag**

    **Description** Customized tag

    **Type:** string

    **Format:** string-rlx

    **Maximum Length:** 127 characters

    **Maximum Length:** 1 characters

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _444_src:

src
^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**rate-limit**

    **Description:** rate-limit is a **JSON Block**. Please see below for :ref:`444_src_rate-limit`

    **Type:** Object

.. _444_src_rate-limit:

src_rate-limit
^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**syn-rate-limit**

    **Description:** syn-rate-limit is a **JSON Block**. Please see below for :ref:`444_src_rate-limit_syn-rate-limit`

    **Type:** Object

.. _444_src_rate-limit_syn-rate-limit:

src_rate-limit_syn-rate-limit
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**src-syn-rate-action**

    **Description** 'drop': Drop packets for syn-rate exceed (Default); 'blacklist-src': Blacklist-src for syn-rate exceed; 'ignore': Ignore syn-rate-exceed;

    **Type:** string

    **Supported Values:** drop, blacklist-src, ignore

    **Default:** drop

**src-syn-rate-limit**

    **Description**

    **Type:** number

    **Range:** 1-16000000

.. _444_action-syn-cfg:

action-syn-cfg
^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**action-on-syn**

    **Description** Monitor tcp syn for age-out session

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**action-on-syn-gap**

    **Description** Min gap between 2 SYNs for action-on-syn pass in 100ms interval

    **Type:** number

    **Range:** 1-80

**action-on-syn-reset**

    **Description** Send RST to client

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**action-on-syn-rto**

    **Description** Estimate the RTO and apply the exponential back-off for authentication

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**action-on-syn-timeout**

    **Description** SYN retry timeout in sec

    **Type:** number

    **Range:** 1-31

.. _444_drop-known-resp-src-port-cfg:

drop-known-resp-src-port-cfg
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**drop-known-resp-src-port**

    **Description** Drop well-known if src-port is less than 1024

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**exclude-src-resp-port**

    **Description** excluding src port equal destination port

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0
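
The ranges, supported values and mutual exclusions listed for the tcp attributes can be checked on a payload before it is sent to /axapi/v3/ddos/template/tcp. The following is an added example, not part of the aXAPI reference: ``validate_tcp_template``, the rule tables and the sample payload are constructed here. It assumes that a boolean attribute sent as 0/false counts as not configured when testing mutual exclusion.

```python
# Added example: rules transcribed from the attribute reference on this page.
RANGES = {  # attribute -> inclusive (min, max)
    "action-on-ack-rto-retry-count": (2, 10),
    "action-on-syn-rto-retry-count": (2, 10),
    "age": (1, 63),
    "black-list-out-of-seq": (1, 64000),
    "black-list-retransmit": (1, 64000),
    "black-list-zero-win": (1, 250),
    "per-conn-out-of-seq-rate-limit": (1, 16000000),
    "per-conn-pkt-rate-limit": (1, 16000000),
    "per-conn-retransmit-rate-limit": (1, 16000000),
    "per-conn-zero-win-rate-limit": (1, 16000000),
    "synack-rate-limit": (1, 16000000),
}
ACTIONS = ("drop", "blacklist-src", "ignore")
ENUMS = {
    "per-conn-out-of-seq-rate-action": ACTIONS,
    "per-conn-pkt-rate-action": ACTIONS,
    "per-conn-retransmit-rate-action": ACTIONS,
    "per-conn-zero-win-rate-action": ACTIONS,
    "per-conn-rate-interval": ("100ms", "1sec", "10sec"),
    "syn-auth": ("send-rst", "force-rst-by-ack", "force-rst-by-synack",
                 "disable", "send-rst-all"),
}
MUTEX = [
    ("black-list-out-of-seq", "per-conn-out-of-seq-rate-limit"),
    ("black-list-retransmit", "per-conn-retransmit-rate-limit"),
    ("black-list-zero-win", "per-conn-zero-win-rate-limit"),
    ("synack-rate-limit", "track-together-with-syn"),
]

def in_range(value, lo, hi):  # bool is an int subclass, so reject it
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi

def is_set(attrs, key):
    # Assumption: a boolean attribute sent as 0/false is "not configured".
    return key in attrs and attrs[key] not in (0, False)

def validate_tcp_template(attrs):
    """Return a list of rule violations; an empty list means the payload passes."""
    errors = []
    for key, (lo, hi) in RANGES.items():
        if key in attrs and not in_range(attrs[key], lo, hi):
            errors.append(f"{key}: {attrs[key]!r} outside {lo}-{hi}")
    for key, allowed in ENUMS.items():
        if key in attrs and attrs[key] not in allowed:
            errors.append(f"{key}: {attrs[key]!r} is not a supported value")
    for a, b in MUTEX:
        if is_set(attrs, a) and is_set(attrs, b):
            errors.append(f"{a} and {b} are mutually exclusive")
    for i, flt in enumerate(attrs.get("filter-list", [])):
        if not in_range(flt.get("tcp-filter-seq"), 1, 5):
            errors.append(f"filter-list[{i}].tcp-filter-seq outside 1-5")
    return errors

# Constructed sample payload: three documented rules are broken on purpose.
SAMPLE = {
    "age": 5, "syn-auth": "send-rst",
    "black-list-zero-win": 300,              # range is 1-250
    "black-list-retransmit": 100,            # conflicts with the next key
    "per-conn-retransmit-rate-limit": 5000,
    "synack-rate-limit": 1000, "track-together-with-syn": 0,  # 0 = off
    "filter-list": [{"tcp-filter-seq": 6, "tcp-filter-action": "count-only"}],
}
```

Calling ``validate_tcp_template(SAMPLE)`` returns one message each for the out-of-range ``black-list-zero-win``, the retransmit mutual exclusion and the filter sequence number.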