.. _ddos_protection:

ddos protection
===============

DDOS protection

protection Specification
------------------------

===================================== ========================================================
**Parameter**                         **Value**
===================================== ========================================================
**Type**                              *Configuration Resource*
**Element Name**                      protection
**Element URI**                       /axapi/v3/ddos/protection
**Element Attributes**                protection_attributes
**Partition Visibility**              shared
**Operational Data URI**              /axapi/v3/ddos/protection/oper
**Schema**                            :download:`protection schema `
===================================== ========================================================

**Operations Allowed:**

============== ========== ========================= ================================
**Operation**  **Method** **URI**                   **Payload**
============== ========== ========================= ================================
Create Object  POST       /axapi/v3/ddos/protection :ref:`463_protection_attributes`
Get Object     GET        /axapi/v3/ddos/protection :ref:`463_protection_attributes`
Modify Object  POST       /axapi/v3/ddos/protection :ref:`463_protection_attributes`
Replace Object PUT        /axapi/v3/ddos/protection :ref:`463_protection_attributes`
Delete Object  DELETE     /axapi/v3/ddos/protection :ref:`463_protection_attributes`
============== ========== ========================= ================================

.. _463_protection_attributes:

protection attributes
---------------------

**blacklist-reason-tracking**

    **Description** Enable blacklist reason tracking

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disable-on-reboot**

    **Description** Disable DDoS protection upon reboot/reload

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disallow-rst-ack-in-syn-auth**

    **Description** Disallow RST-ACK passing syn-auth

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**enable-now**

    **Description** Override disable-on-reboot to enable runtime DDOS protection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**fast-aging**

    **Description:** fast-aging is a **JSON Block**. Please see below for :ref:`463_fast-aging`

    **Type:** Object

**force-routing-on-transp**

    **Description** Force use of routing in transparent mode

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**hw-blocking-enable**

    **Description** Enable hardware blacklist blocking for src or dst default entries (default disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**ipv6-src-hash-mask-bits**

    **Description:** ipv6-src-hash-mask-bits is a **JSON Block**. Please see below for :ref:`463_ipv6-src-hash-mask-bits`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/ddos/protection/ipv6-src-hash-mask-bits `

**mpls**

    **Description** Enable MPLS packet inspection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**multi-pu-zone-distribution**

    **Description:** multi-pu-zone-distribution is a **JSON Block**. Please see below for :ref:`463_multi-pu-zone-distribution`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/ddos/protection/multi-pu-zone-distribution `

**non-zero-win-size-syncookie**

    **Description** Send syn-cookie with fix TCP window size if SYN packet has zero window size (default disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**per-service-szp-entry-limit**

    **Description:** per-service-szp-entry-limit is a **JSON Block**. Please see below for :ref:`463_per-service-szp-entry-limit`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/ddos/protection/per-service-szp-entry-limit `

**rate-interval**

    **Description** '100ms': 100ms; '1sec': 1sec;

    **Type:** string

    **Supported Values:** 100ms, 1sec

    **Default:** 100ms

**src-dst-entry-limit**

    **Description** '8M': 8 Million; '16M': 16 Million; 'unlimited': Unlimited; 'platform-default': Half of platform maximum;

    **Type:** string

    **Supported Values:** 8M, 16M, unlimited, platform-default

    **Default:** 16M

**src-zone-port-entry-limit**

    **Description** '8M': 8 Million; '16M': 16 Million; 'unlimited': Unlimited; 'platform-default': Half of platform maximum;

    **Type:** string

    **Supported Values:** 8M, 16M, unlimited, platform-default

    **Default:** 16M

**szp-clist-warn-threshold**

    **Description** Set threshold percentage of "max-src-dst-entry" for generating warning logs. Including start and end.

    **Type:** number

    **Range:** 1-100

**szp-warn-exceed-enable**

    **Description** Send logs if src-zone-port count exceeds "max-src-dst-entry"

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**szp-warn-threshold**

    **Description** Set threshold percentage of "max-src-dst-entry" for generating warning logs. Including start and end.

    **Type:** number

    **Range:** 1-100

**toggle**

    **Description** 'enable': enable; 'disable': disable;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** disable

**use-route**

    **Description** Use route table, default use receive hop for device initiated traffic

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _463_ipv6-src-hash-mask-bits:

ipv6-src-hash-mask-bits
^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**mask-bit-offset-1**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-2**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-3**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-4**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-5**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _463_per-service-szp-entry-limit:

per-service-szp-entry-limit
^^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**dns-tcp-limit**

    **Description** Szp limit for port / port-range dns-tcp

    **Type:** number

    **Range:** 0-2147483647

**dns-udp-limit**

    **Description** Szp limit for port / port-range dns-udp

    **Type:** number

    **Range:** 0-2147483647

**http-limit**

    **Description** Szp limit for port / port-range http

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-custom-limit**

    **Description** Szp limit for custom ip-proto

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-gre-limit**

    **Description** Szp limit for ip-proto gre

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-icmp-v4-limit**

    **Description** Szp limit for ip-proto icmp-v4

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-icmp-v6-limit**

    **Description** Szp limit for ip-proto icmp-v6

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-ipv4-encap-limit**

    **Description** Szp limit for ip-proto ipv4-encap

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-ipv6-encap-limit**

    **Description** Szp limit for ip-proto ipv6-encap

    **Type:** number

    **Range:** 0-2147483647

**ip-proto-other-limit**

    **Description** Szp limit for ip-proto other

    **Type:** number

    **Range:** 0-2147483647

**quic-limit**

    **Description** Szp limit for port / port-range quic

    **Type:** number

    **Range:** 0-2147483647

**sip-tcp-limit**

    **Description** Szp limit for port / port-range sip-tcp

    **Type:** number

    **Range:** 0-2147483647

**sip-udp-limit**

    **Description** Szp limit for port / port-range sip-udp

    **Type:** number

    **Range:** 0-2147483647

**ssl-l4-limit**

    **Description** Szp limit for port / port-range ssl-l4

    **Type:** number

    **Range:** 0-2147483647

**tcp-limit**

    **Description** Szp limit for port / port-range tcp

    **Type:** number

    **Range:** 0-2147483647

**udp-limit**

    **Description** Szp limit for port / port-range udp

    **Type:** number

    **Range:** 0-2147483647

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _463_fast-aging:

fast-aging
^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**half-open-conn-ratio**

    **Description** Minimum half-open session to total session ratio before session fast aging will take effect (default 25)

    **Type:** number

    **Range:** 1-99

    **Default:** 25

**half-open-conn-threshold**

    **Description** Minimum half-open session (percentage) before session fast aging will take effect (default 1)

    **Type:** number

    **Range:** 1-99

    **Default:** 1

.. _463_multi-pu-zone-distribution:

multi-pu-zone-distribution
^^^^^^^^^^^^^^^^^^^^^^^^^^

=============================== ===================================================
**Specification**               **Value**
=============================== ===================================================
**Type**                        *object*
=============================== ===================================================

**cpu-threshold-per-entry**

    **Description** Entry/zone percentage threshold of CPU usage for source hash mode. Requires distribution-method cpu-usage. Default:60

    **Type:** number

    **Range:** 30-100

    **Default:** 60

**cpu-threshold-per-pu**

    **Description** Per PU percentage threshold of average CPU usage to start check entry usage. Requires distribution-method cpu-usage. Default:80

    **Type:** number

    **Range:** 60-100

    **Default:** 80

**distribution-method**

    **Description** 'cpu-usage': Entry/Zone distribution based on CPU usage percentage; 'traffic-rate': Entry/Zone distribution based on traffic kbit/pkt rate (Default);

    **Type:** string

    **Supported Values:** cpu-usage, traffic-rate

    **Default:** traffic-rate

**rate-kbit-threshold**

    **Description** DDOS DST Entry/Zone kbit rate threshold for source hash mode

    **Type:** number

    **Range:** 1-150000000

    **Default:** 150000000

**rate-pkt-threshold**

    **Description** DDOS DST Entry/Zone packet rate threshold for source hash mode

    **Type:** number

    **Range:** 1-55000000

    **Default:** 55000000

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters
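
Added example (not part of the A10 reference): an offline Python pre-flight check that validates a ``protection`` payload against the supported values, ranges and the ``distribution-method`` dependency documented above, before the payload is sent to ``/axapi/v3/ddos/protection``. The ``{"protection": {...}}`` wrapper, the helper names and the sample payload are assumptions made for illustration; the per-service limits are not covered.

```python
MPZD = "multi-pu-zone-distribution."
ENTRY = {"8M", "16M", "unlimited", "platform-default"}
ENUMS = {
    "toggle": {"enable", "disable"},
    "rate-interval": {"100ms", "1sec"},
    "src-dst-entry-limit": ENTRY,
    "src-zone-port-entry-limit": ENTRY,
    MPZD + "distribution-method": {"cpu-usage", "traffic-rate"},
}
RANGES = {
    "szp-warn-threshold": (1, 100),
    "szp-clist-warn-threshold": (1, 100),
    "fast-aging.half-open-conn-ratio": (1, 99),
    "fast-aging.half-open-conn-threshold": (1, 99),
    MPZD + "cpu-threshold-per-entry": (30, 100),
    MPZD + "cpu-threshold-per-pu": (60, 100),
    MPZD + "rate-kbit-threshold": (1, 150000000),
    MPZD + "rate-pkt-threshold": (1, 55000000),
}
RANGES.update({f"ipv6-src-hash-mask-bits.mask-bit-offset-{i}": (0, 127) for i in range(1, 6)})

def flatten(obj, prefix=""):
    """Yield (dotted-path, value) for every leaf of a nested dict."""
    for key, val in obj.items():
        if isinstance(val, dict):
            yield from flatten(val, prefix + key + ".")
        else:
            yield prefix + key, val

def validate(payload):
    """List problems in a payload assumed to be wrapped as {"protection": {...}}."""
    leaves = dict(flatten(payload.get("protection", {})))
    problems = []
    for path, val in leaves.items():
        if path in ENUMS and val not in ENUMS[path]:
            problems.append(f"{path}: {val!r} is not a supported value")
        if path in RANGES:
            lo, hi = RANGES[path]
            if type(val) is not int or not lo <= val <= hi:
                problems.append(f"{path}: {val!r} is outside {lo}-{hi}")
    # cpu-threshold-* need cpu-usage; an omitted method means the default, traffic-rate.
    method = leaves.get(MPZD + "distribution-method", "traffic-rate")
    for path in leaves:
        if path.startswith(MPZD + "cpu-threshold-") and method != "cpu-usage":
            problems.append(f"{path}: requires distribution-method cpu-usage")
    return problems

# Constructed sample payload (not taken from a device).
SAMPLE = {"protection": {"toggle": "enable", "rate-interval": "10ms",
          "multi-pu-zone-distribution": {"cpu-threshold-per-pu": 50}}}
```

``validate(SAMPLE)`` reports three problems: the unsupported ``rate-interval``, the out-of-range ``cpu-threshold-per-pu``, and the missing ``distribution-method cpu-usage``. The check looks at the payload in isolation, so a partial modify that relies on a method already set on the device will still be flagged.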