.. _ddos_protection:

ddos protection
===============

DDOS protection

protection Specification
------------------------

=====================================  ========================================================
**Parameter**                          **Value**
=====================================  ========================================================
**Type**                               *Configuration Resource*
**Element Name**                       protection
**Element URI**                        /axapi/v3/ddos/protection
**Element Attributes**                 protection_attributes
**Partition Visibility**               shared
**Operational Data URI**               /axapi/v3/ddos/protection/oper
**Schema**                             :download:`protection schema `
=====================================  ========================================================

**Operations Allowed:**

==============  ======  =========================  =================================
Operation       Method  URI                        Payload
==============  ======  =========================  =================================
Create Object   POST    /axapi/v3/ddos/protection  :ref:`1128_protection_attributes`
Get Object      GET     /axapi/v3/ddos/protection  :ref:`1128_protection_attributes`
Modify Object   POST    /axapi/v3/ddos/protection  :ref:`1128_protection_attributes`
Replace Object  PUT     /axapi/v3/ddos/protection  :ref:`1128_protection_attributes`
Delete Object   DELETE  /axapi/v3/ddos/protection  :ref:`1128_protection_attributes`
==============  ======  =========================  =================================

.. _1128_protection_attributes:

protection attributes
---------------------

**blacklist-reason-tracking**

    **Description** Enable blacklist reason tracking

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**close-sess-for-unauth-src-without-rst**

    **Description** When closing unauthenticated sessions, don't send TCP RST for established TCP sessions. (Default disabled / sending TCP RST for

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disable-advanced-core-analysis**

    **Description** Disable advanced context info in coredump file

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disable-delay-dynamic-src-learning**

    **Description** Disable delay dynamic src entry learning

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disable-on-reboot**

    **Description** Disable DDoS protection upon reboot/reload

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**disallow-rst-ack-in-syn-auth**

    **Description** Disallow RST-ACK passing syn-auth

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**enable-now**

    **Description** Override disable-on-reboot to enable runtime DDOS protection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**fast-aging**

    **Description:** fast-aging is a **JSON Block**. Please see below for :ref:`1128_fast-aging`

    **Type:** Object

**fast-path-disable**

    **Description** Disable fast path in SLB processing

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**force-routing-on-transp**

    **Description** Force use of routing in transparent mode

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**force-traffic-to-same-blade-disable**

    **Description** Allow traffic to be distributed among blades on Chassis

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**hw-blocking-enable**

    **Description** Enable hardware blacklist blocking for src or dst default entries (default disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**hw-blocking-threshold-limit**

    **Description** Threshold to initiate hardware blocking (default 10000)

    **Type:** number

    **Range:** 1-16000000

    **Default:** 10000

**ipv6-src-hash-mask-bits**

    **Description:** ipv6-src-hash-mask-bits is a **JSON Block**. Please see below for :ref:`1128_ipv6-src-hash-mask-bits`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/ddos/protection/ipv6-src-hash-mask-bits `

**mpls**

    **Description** Enable MPLS packet inspection

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**multi-pu-zone-distribution**

    **Description:** multi-pu-zone-distribution is a **JSON Block**. Please see below for :ref:`1128_multi-pu-zone-distribution`

    **Type:** Object

    **Reference Object:** :doc:`/axapi/v3/ddos/protection/multi-pu-zone-distribution `

**non-zero-win-size-syncookie**

    **Description** Send syn-cookie with fix TCP window size if SYN packet has zero window size (default disabled)

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**progression-tracking**

    **Description** 'enable': enable; 'disable': disable;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** enable

**rate-interval**

    **Description** '100ms': 100ms; '1sec': 1sec;

    **Type:** string

    **Supported Values:** 100ms, 1sec

    **Default:** 100ms

**rexmit-syn-log**

    **Description** Enable ddos per flow rexmit syn exceeded log

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**src-dst-entry-limit**

    **Description** '8M': 8 Million; '16M': 16 Million; 'unlimited': Unlimited; 'platform-default': Half of platform maximum;

    **Type:** string

    **Supported Values:** 8M, 16M, unlimited, platform-default

    **Default:** 16M

**src-ip-hash-bit**

    **Description** Configure which bit hashed on

    **Type:** number

    **Range:** 0-31

    **Default:** 2

**src-ipv6-hash-bit**

    **Description** Configure which bit hashed on

    **Type:** number

    **Range:** 0-127

    **Default:** 2

**src-zone-port-entry-limit**

    **Description** '8M': 8 Million; '16M': 16 Million; 'unlimited': Unlimited; 'platform-default': Half of platform maximum;

    **Type:** string

    **Supported Values:** 8M, 16M, unlimited, platform-default

    **Default:** 16M

**toggle**

    **Description** 'enable': enable; 'disable': disable;

    **Type:** string

    **Supported Values:** enable, disable

    **Default:** disable

**use-route**

    **Description** Use route table, default use receive hop for device initiated traffic

    **Type:** boolean

    **Supported Values:** true, false, 1, 0

    **Default:** 0

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _1128_fast-aging:

fast-aging
^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**half-open-conn-ratio**

    **Description** Minimum half-open session to total session ratio before session fast aging will take effect (default 25)

    **Type:** number

    **Range:** 1-99

    **Default:** 25

**half-open-conn-threshold**

    **Description** Minimum half-open session (percentage) before session fast aging will take effect (default 1)

    **Type:** number

    **Range:** 1-99

    **Default:** 1

.. _1128_ipv6-src-hash-mask-bits:

ipv6-src-hash-mask-bits
^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**mask-bit-offset-1**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-2**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-3**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-4**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**mask-bit-offset-5**

    **Description** Configure mask bits

    **Type:** number

    **Range:** 0-127

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters

.. _1128_multi-pu-zone-distribution:

multi-pu-zone-distribution
^^^^^^^^^^^^^^^^^^^^^^^^^^

===============================  ===================================================
**Specification**                **Value**
===============================  ===================================================
**Type**                         *object*
===============================  ===================================================

**cpu-threshold-per-entry**

    **Description** Entry/zone percentage threshold of CPU usage for source hash mode. Requires distribution-method cpu-usage. Default:60

    **Type:** number

    **Range:** 30-100

    **Default:** 60

**cpu-threshold-per-pu**

    **Description** Per PU percentage threshold of average CPU usage to start check entry usage. Requires distribution-method cpu-usage. Default:80

    **Type:** number

    **Range:** 60-100

    **Default:** 80

**distribution-method**

    **Description** 'cpu-usage': Entry/Zone distribution based on CPU usage percentage; 'traffic-rate': Entry/Zone distribution based on traffic kbit/pkt rate (Default);

    **Type:** string

    **Supported Values:** cpu-usage, traffic-rate

    **Default:** traffic-rate

**rate-kbit-threshold**

    **Description** DDOS DST Entry/Zone kbit rate threshold for source hash mode

    **Type:** number

    **Range:** 1-150000000

    **Default:** 150000000

**rate-pkt-threshold**

    **Description** DDOS DST Entry/Zone packet rate threshold for source hash mode

    **Type:** number

    **Range:** 1-55000000

    **Default:** 55000000

**uuid**

    **Description** uuid of the object

    **Type:** string

    **Maximum Length:** 64 characters

    **Maximum Length:** 1 characters
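
A pre-flight audit for a ``protection`` request body, added here as an illustration and not part of the vendor documentation: it checks the top-level attributes and the ``fast-aging`` and ``multi-pu-zone-distribution`` blocks against the ranges, supported values and cross-attribute requirements listed above. The ``{"protection": {...}}`` wrapper, the function names and the sample payload are assumptions constructed for this example.

```python
# Added example (not vendor code): audit a ddos/protection body before sending it.
LIMITS = ("8M", "16M", "unlimited", "platform-default")
MPZD = "multi-pu-zone-distribution."
RANGES = {  # dotted attribute path -> (min, max), copied from the page
    "hw-blocking-threshold-limit": (1, 16000000),
    "src-ip-hash-bit": (0, 31), "src-ipv6-hash-bit": (0, 127),
    "fast-aging.half-open-conn-ratio": (1, 99),
    "fast-aging.half-open-conn-threshold": (1, 99),
    MPZD + "cpu-threshold-per-entry": (30, 100),
    MPZD + "cpu-threshold-per-pu": (60, 100),
    MPZD + "rate-kbit-threshold": (1, 150000000),
    MPZD + "rate-pkt-threshold": (1, 55000000),
}
ENUMS = {  # dotted attribute path -> supported values, copied from the page
    "toggle": ("enable", "disable"), "progression-tracking": ("enable", "disable"),
    "rate-interval": ("100ms", "1sec"),
    "src-dst-entry-limit": LIMITS, "src-zone-port-entry-limit": LIMITS,
    MPZD + "distribution-method": ("cpu-usage", "traffic-rate"),
}

def flatten(obj, prefix=""):
    for key, value in obj.items():  # yields (dotted-path, value) pairs
        if isinstance(value, dict):
            yield from flatten(value, prefix + key + ".")
        else:
            yield prefix + key, value

def audit(payload):
    # Assumption: the body is wrapped in the element name, {"protection": {...}}.
    flat, findings = dict(flatten(payload.get("protection", {}))), []
    for path, value in flat.items():
        if path in RANGES:
            lo, hi = RANGES[path]
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                findings.append(f"{path}={value!r} is outside the documented range {lo}-{hi}")
        elif path in ENUMS and value not in ENUMS[path]:
            findings.append(f"{path}={value!r} is not a supported value")
    # The cpu-threshold-* attributes are documented as requiring distribution-method cpu-usage.
    method = flat.get(MPZD + "distribution-method", "traffic-rate")
    for key in ("cpu-threshold-per-entry", "cpu-threshold-per-pu"):
        if MPZD + key in flat and method != "cpu-usage":
            findings.append(f"{key} requires distribution-method cpu-usage (got {method})")
    # disable-on-reboot disables protection upon reload unless enable-now overrides it.
    if flat.get("disable-on-reboot") in (True, 1) and flat.get("enable-now") not in (True, 1):
        findings.append("disable-on-reboot without enable-now: protection is disabled upon reload")
    return findings

# Constructed sample body that trips one range check and both cross-attribute checks.
SAMPLE = {"protection": {"disable-on-reboot": 1, "fast-aging": {"half-open-conn-ratio": 120},
                         "multi-pu-zone-distribution": {"cpu-threshold-per-pu": 70}}}
```

``audit(SAMPLE)`` returns three findings; an empty list means the body is consistent with the documented constraints.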