DDOS protection

protection Specification

Parameter             Value
Type                  Configuration Resource
Element Name          protection
Element URI           /axapi/v3/ddos/protection
Element Attributes    protection_attributes
Partition Visibility  shared
Operational Data URI  /axapi/v3/ddos/protection/oper
Schema                protection schema

Operations Allowed:

Operation       Method  URI                        Payload
Create Object   POST    /axapi/v3/ddos/protection  protection attributes
Get Object      GET     /axapi/v3/ddos/protection  protection attributes
Modify Object   POST    /axapi/v3/ddos/protection  protection attributes
Replace Object  PUT     /axapi/v3/ddos/protection  protection attributes
Delete Object   DELETE  /axapi/v3/ddos/protection  protection attributes

protection attributes

blacklist-reason-tracking

Description: Enable blacklist reason tracking

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

close-sess-for-unauth-src-without-rst

Description: When closing unauthenticated sessions, don’t send TCP RST for established TCP sessions. (Default disabled / sending TCP RST for

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

disable-advanced-core-analysis

Description: Disable advanced context info in coredump file

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

disable-delay-dynamic-src-learning

Description: Disable delay dynamic src entry learning

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

disable-on-reboot

Description: Disable DDoS protection upon reboot/reload

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

disallow-rst-ack-in-syn-auth

Description: Disallow RST-ACK passing syn-auth

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

enable-now

Description: Override disable-on-reboot to enable runtime DDOS protection

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

fast-aging

Description: fast-aging is a JSON Block. Please see below for fast-aging

Type: Object

fast-path-disable

Description: Disable fast path in SLB processing

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

force-routing-on-transp

Description: Force use of routing in transparent mode

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

force-traffic-to-same-blade-disable

Description: Allow traffic to be distributed among blades on Chassis

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

hw-blocking-enable

Description: Enable hardware blacklist blocking for src or dst default entries (default disabled)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

hw-blocking-threshold-limit

Description: Threshold to initiate hardware blocking (default 10000)

Type: number

Range: 1-16000000

Default: 10000

ipv6-src-hash-mask-bits

Description: ipv6-src-hash-mask-bits is a JSON Block. Please see below for ipv6-src-hash-mask-bits

Type: Object

Reference Object: /axapi/v3/ddos/protection/ipv6-src-hash-mask-bits

mpls

Description: Enable MPLS packet inspection

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

multi-pu-zone-distribution

Description: multi-pu-zone-distribution is a JSON Block. Please see below for multi-pu-zone-distribution

Type: Object

Reference Object: /axapi/v3/ddos/protection/multi-pu-zone-distribution

non-zero-win-size-syncookie

Description: Send syn-cookie with a fixed TCP window size if the SYN packet has zero window size (default disabled)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

progression-tracking

Description: ‘enable’: enable; ‘disable’: disable;

Type: string

Supported Values: enable, disable

Default: enable

rate-interval

Description: ‘100ms’: 100ms; ‘1sec’: 1sec;

Type: string

Supported Values: 100ms, 1sec

Default: 100ms

rexmit-syn-log

Description: Enable ddos per flow rexmit syn exceeded log

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

src-dst-entry-limit

Description: ‘8M’: 8 Million; ‘16M’: 16 Million; ‘unlimited’: Unlimited; ‘platform-default’: Half of platform maximum;

Type: string

Supported Values: 8M, 16M, unlimited, platform-default

Default: 16M

src-ip-hash-bit

Description: Configure which bit is hashed on

Type: number

Range: 0-31

Default: 2

src-ipv6-hash-bit

Description: Configure which bit is hashed on

Type: number

Range: 0-127

Default: 2

src-zone-port-entry-limit

Description: ‘8M’: 8 Million; ‘16M’: 16 Million; ‘unlimited’: Unlimited; ‘platform-default’: Half of platform maximum;

Type: string

Supported Values: 8M, 16M, unlimited, platform-default

Default: 16M

toggle

Description: ‘enable’: enable; ‘disable’: disable;

Type: string

Supported Values: enable, disable

Default: disable

use-route

Description: Use route table, default use receive hop for device initiated traffic

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Maximum Length: 1 characters

fast-aging

Specification Value
Type object

half-open-conn-ratio

Description: Minimum half-open session to total session ratio before session fast aging will take effect (default 25)

Type: number

Range: 1-99

Default: 25

half-open-conn-threshold

Description: Minimum half-open session (percentage) before session fast aging will take effect (default 1)

Type: number

Range: 1-99

Default: 1

ipv6-src-hash-mask-bits

Specification Value
Type object

mask-bit-offset-1

Description: Configure mask bits

Type: number

Range: 0-127

mask-bit-offset-2

Description: Configure mask bits

Type: number

Range: 0-127

mask-bit-offset-3

Description: Configure mask bits

Type: number

Range: 0-127

mask-bit-offset-4

Description: Configure mask bits

Type: number

Range: 0-127

mask-bit-offset-5

Description: Configure mask bits

Type: number

Range: 0-127

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Maximum Length: 1 characters

multi-pu-zone-distribution

Specification Value
Type object

cpu-threshold-per-entry

Description: Entry/zone percentage threshold of CPU usage for source hash mode. Requires distribution-method cpu-usage. Default: 60

Type: number

Range: 30-100

Default: 60

cpu-threshold-per-pu

Description: Per PU percentage threshold of average CPU usage to start check entry usage. Requires distribution-method cpu-usage. Default: 80

Type: number

Range: 60-100

Default: 80

distribution-method

Description: ‘cpu-usage’: Entry/Zone distribution based on CPU usage percentage; ‘traffic-rate’: Entry/Zone distribution based on traffic kbit/pkt rate (Default);

Type: string

Supported Values: cpu-usage, traffic-rate

Default: traffic-rate

rate-kbit-threshold

Description: DDOS DST Entry/Zone kbit rate threshold for source hash mode

Type: number

Range: 1-150000000

Default: 150000000

rate-pkt-threshold

Description: DDOS DST Entry/Zone packet rate threshold for source hash mode

Type: number

Range: 1-55000000

Default: 55000000

uuid

Description: uuid of the object

Type: string

Maximum Length: 64 characters

Maximum Length: 1 characters
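
Added example (not part of the vendor documentation): an offline check that validates a candidate protection object against the types, supported values, ranges and block nesting listed above before it is sent with POST or PUT, including the rule that both CPU thresholds require distribution-method cpu-usage. The names SCHEMA and validate are hypothetical, and uuid is checked against the 64-character maximum only.

```python
ONOFF, LIMITS = {"enable", "disable"}, {"8M", "16M", "unlimited", "platform-default"}
# Rule kinds: "bool", set = allowed strings, (lo, hi) = integer range,
# int = maximum string length, dict = nested JSON block. Values are from this page.
SCHEMA = {k: "bool" for k in """blacklist-reason-tracking
close-sess-for-unauth-src-without-rst disable-advanced-core-analysis
disable-delay-dynamic-src-learning disable-on-reboot disallow-rst-ack-in-syn-auth
enable-now fast-path-disable force-routing-on-transp
force-traffic-to-same-blade-disable hw-blocking-enable mpls
non-zero-win-size-syncookie rexmit-syn-log use-route""".split()}
SCHEMA.update({
    "progression-tracking": ONOFF, "toggle": ONOFF, "rate-interval": {"100ms", "1sec"},
    "src-dst-entry-limit": LIMITS, "src-zone-port-entry-limit": LIMITS,
    "hw-blocking-threshold-limit": (1, 16000000), "src-ip-hash-bit": (0, 31),
    "src-ipv6-hash-bit": (0, 127), "uuid": 64,
    "fast-aging": {"half-open-conn-ratio": (1, 99), "half-open-conn-threshold": (1, 99)},
    "ipv6-src-hash-mask-bits": dict(
        {f"mask-bit-offset-{i}": (0, 127) for i in range(1, 6)}, uuid=64),
    "multi-pu-zone-distribution": {
        "cpu-threshold-per-entry": (30, 100), "cpu-threshold-per-pu": (60, 100),
        "distribution-method": {"cpu-usage", "traffic-rate"}, "uuid": 64,
        "rate-kbit-threshold": (1, 150000000), "rate-pkt-threshold": (1, 55000000)},
})


def validate(obj, schema=SCHEMA, path="protection"):
    """Return the list of problems in a candidate object (empty list = clean)."""
    errs = []
    for key, val in obj.items():
        rule, where = schema.get(key), f"{path}.{key}"
        if rule is None:
            errs.append(f"{where}: not documented for this object")
        elif isinstance(rule, dict):
            errs += validate(val, rule, where) if isinstance(val, dict) \
                else [f"{where}: expected a JSON object"]
        elif rule == "bool":
            if not (isinstance(val, (bool, int)) and val in (0, 1)):
                errs.append(f"{where}: expected true, false, 1 or 0")
        elif isinstance(rule, set):
            if not isinstance(val, str) or val not in rule:
                errs.append(f"{where}: expected one of {sorted(rule)}")
        elif isinstance(rule, tuple):
            if type(val) is not int or not rule[0] <= val <= rule[1]:
                errs.append(f"{where}: expected integer {rule[0]}-{rule[1]}")
        elif not isinstance(val, str) or len(val) > rule:
            errs.append(f"{where}: expected string of at most {rule} characters")
    if "distribution-method" in schema and obj.get("distribution-method") != "cpu-usage":
        errs += [f"{path}.{k}: requires distribution-method cpu-usage"
                 for k in ("cpu-threshold-per-entry", "cpu-threshold-per-pu") if k in obj]
    return errs
```

Running the check in a change pipeline catches out-of-range thresholds and attributes placed in the wrong JSON block before they reach the device.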