ddos template tcp

TCP template Configuration

tcp Specification

Parameter Value
Type Collection
Object Key(s) name
Collection Name tcp-list
Collection URI /axapi/v3/ddos/template/tcp
Element Name tcp
Element URI /axapi/v3/ddos/template/tcp/{name}
Element Attributes tcp_attributes
Partition Visibility shared
Schema tcp schema

Operations Allowed:

Operation       Method  URI                                  Payload
Create Object   POST    /axapi/v3/ddos/template/tcp          tcp attributes
Create List     POST    /axapi/v3/ddos/template/tcp          tcp attributes
Get Object      GET     /axapi/v3/ddos/template/tcp/{name}   tcp attributes
Get List        GET     /axapi/v3/ddos/template/tcp          tcp-list
Modify Object   POST    /axapi/v3/ddos/template/tcp/{name}   tcp attributes
Replace Object  PUT     /axapi/v3/ddos/template/tcp/{name}   tcp attributes
Replace List    PUT     /axapi/v3/ddos/template/tcp          tcp-list
Delete Object   DELETE  /axapi/v3/ddos/template/tcp/{name}   tcp attributes

tcp-list

tcp-list is a JSON list of tcp attributes:

tcp-list : [

]
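Before issuing the Create Object POST it is worth checking a candidate body against the constraints this page lists for the tcp attributes (mutual exclusions, numeric ranges, enumerated values, the 63-character name limit), because a rejected body gives less diagnostic detail than a local check. The following is an added example, not A10 code; the template name and all values in SAMPLE_TEMPLATE are constructed, and the validator covers only the attributes named in its tables.

```python
"""Validate a ddos/template/tcp body against the constraints on this page
and wrap it for a 'Create Object' POST (added example, not A10's own code)."""
import json

COLLECTION_URI = "/axapi/v3/ddos/template/tcp"

# Top-level attribute pairs the page marks as mutually exclusive.
MUTUALLY_EXCLUSIVE = [
    ("black-list-out-of-seq", "per-conn-out-of-seq-rate-limit"),
    ("black-list-retransmit", "per-conn-retransmit-rate-limit"),
    ("black-list-zero-win", "per-conn-zero-win-rate-limit"),
    ("synack-rate-limit", "track-together-with-syn"),
]
# (min, max) ranges the page gives for the numeric attributes checked here.
RANGES = {
    "age": (1, 63),
    "per-conn-pkt-rate-limit": (1, 16000000),
    "per-conn-out-of-seq-rate-limit": (1, 16000000),
    "synack-rate-limit": (1, 16000000),
    "action-on-ack-rto-retry-count": (2, 10),
}
ENUMS = {
    "syn-auth": {"send-rst", "force-rst-by-ack", "force-rst-by-synack",
                 "disable", "send-rst-once"},
    "per-conn-rate-interval": {"100ms", "1sec", "10sec"},
    "per-conn-pkt-rate-action": {"drop", "blacklist-src", "ignore"},
}

def validate_tcp_template(attrs):
    """Return the list of constraint violations; empty means the body is consistent."""
    errors = []
    name = attrs.get("name")
    if not isinstance(name, str) or not 1 <= len(name) <= 63:
        errors.append("name must be a string of 1-63 characters")
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in attrs and b in attrs:
            errors.append(f"{a} and {b} are mutually exclusive")
    for key, (lo, hi) in RANGES.items():
        v = attrs.get(key)
        if v is not None and not (isinstance(v, int) and lo <= v <= hi):
            errors.append(f"{key} must be an integer in {lo}-{hi}")
    for key, allowed in ENUMS.items():
        if key in attrs and attrs[key] not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}")
    return errors

def build_create_request(attrs):
    """Return (method, uri, json_body) for 'Create Object' on the collection URI."""
    errors = validate_tcp_template(attrs)
    if errors:
        raise ValueError("; ".join(errors))
    return "POST", COLLECTION_URI, json.dumps({"tcp": attrs})

# Constructed sample body: SYN authentication plus per-connection limits.
SAMPLE_TEMPLATE = {
    "name": "web-tcp-baseline",
    "syn-auth": "send-rst",
    "syn-cookie": 1,
    "age": 10,
    "per-conn-pkt-rate-limit": 5000,
    "per-conn-rate-interval": "1sec",
    "per-conn-out-of-seq-rate-limit": 200,
    "synack-rate-limit": 10000,
}
```

The same validator applies to each element of a tcp-list body for Create List or Replace List.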

tcp attributes

ack-authentication-synack-reset

Description Enable Reset client TCP SYN+ACK for authentication (DST support only)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

action-cfg

Description: action-cfg is a JSON Block. Please see below for action-cfg

Type: Object

action-on-ack-rto-retry-count

Description Take action if action-on-ack RTO authentication fails more than the retry count (default: 5)

Type: number

Range: 2-10

action-on-syn-rto-retry-count

Description Take action if action-on-syn RTO authentication fails more than the retry count (default: 5)

Type: number

Range: 2-10

action-syn-cfg

Description: action-syn-cfg is a JSON Block. Please see below for action-syn-cfg

Type: Object

age

Description Session age in minutes

Type: number

Range: 1-63

allow-ra

Description Allow RA packets to be used for auth

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

allow-syn-otherflags

Description Treat TCP SYN+PSH as a TCP SYN (DST tcp ports support only)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

allow-synack-skip-authentications

Description Allow session creation on SYN+ACK without syn-auth and ack-auth (ASYM mode only)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

allow-tcp-tfo

Description Allow TCP Fast Open

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

black-list-out-of-seq

Description Blacklist the source IP if out-of-sequence packets exceed the configured threshold

Type: number

Range: 1-64000

Mutual Exclusion: black-list-out-of-seq and per-conn-out-of-seq-rate-limit are mutually exclusive

black-list-retransmit

Description Blacklist the source IP if retransmitted packets exceed the configured threshold

Type: number

Range: 1-64000

Mutual Exclusion: black-list-retransmit and per-conn-retransmit-rate-limit are mutually exclusive

black-list-zero-win

Description Blacklist the source IP if zero-window packets exceed the configured threshold

Type: number

Range: 1-250

Mutual Exclusion: black-list-zero-win and per-conn-zero-win-rate-limit are mutually exclusive

conn-rate-limit-on-syn-only

Description Only count SYN-initiated connections towards connection-rate tracking

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

create-conn-on-syn-only

Description Enable connection establishment on SYN only

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

drop-known-resp-src-port-cfg

Description: drop-known-resp-src-port-cfg is a JSON Block. Please see below for drop-known-resp-src-port-cfg

Type: Object

dst

Description: dst is a JSON Block. Please see below for dst

Type: Object

filter-list

Description: filter-list is a JSON List. Please see below for filter-list

Type: List

name

Description

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

per-conn-out-of-seq-rate-action

Description 'drop': Drop packets when the out-of-sequence rate is exceeded (Default); 'blacklist-src': Blacklist the source when the out-of-sequence rate is exceeded; 'ignore': Ignore out-of-sequence rate exceedance

Type: string

Supported Values: drop, blacklist-src, ignore

Default: drop

per-conn-out-of-seq-rate-limit

Description Take action if the out-of-sequence packet rate exceeds the configured threshold

Type: number

Range: 1-16000000

Mutual Exclusion: per-conn-out-of-seq-rate-limit and black-list-out-of-seq are mutually exclusive

per-conn-pkt-rate-action

Description 'drop': Drop packets when the per-conn-pkt-rate is exceeded (Default); 'blacklist-src': Blacklist the source when the per-conn-pkt-rate is exceeded; 'ignore': Ignore per-conn-pkt-rate exceedance

Type: string

Supported Values: drop, blacklist-src, ignore

Default: drop

per-conn-pkt-rate-limit

Description Packet rate limit per connection per rate interval

Type: number

Range: 1-16000000

per-conn-rate-interval

Description '100ms': 100ms; '1sec': 1sec; '10sec': 10sec

Type: string

Supported Values: 100ms, 1sec, 10sec

Default: 1sec

per-conn-retransmit-rate-action

Description 'drop': Drop packets when the retransmit rate is exceeded (Default); 'blacklist-src': Blacklist the source when the retransmit rate is exceeded; 'ignore': Ignore retransmit rate exceedance

Type: string

Supported Values: drop, blacklist-src, ignore

Default: drop

per-conn-retransmit-rate-limit

Description Take action if the retransmitted packet rate exceeds the configured threshold

Type: number

Range: 1-16000000

Mutual Exclusion: per-conn-retransmit-rate-limit and black-list-retransmit are mutually exclusive

per-conn-zero-win-rate-action

Description 'drop': Drop packets when the zero-window rate is exceeded (Default); 'blacklist-src': Blacklist the source when the zero-window rate is exceeded; 'ignore': Ignore zero-window rate exceedance

Type: string

Supported Values: drop, blacklist-src, ignore

Default: drop

per-conn-zero-win-rate-limit

Description Take action if the zero-window packet rate exceeds the configured threshold

Type: number

Range: 1-16000000

Mutual Exclusion: per-conn-zero-win-rate-limit and black-list-zero-win are mutually exclusive

progression-tracking

Description: progression-tracking is a JSON Block. Please see below for progression-tracking

Type: Object

Reference Object: /axapi/v3/ddos/template/tcp/{name}/progression-tracking

src

Description: src is a JSON Block. Please see below for src

Type: Object

syn-auth

Description 'send-rst': Send RST to client upon client ACK; 'force-rst-by-ack': Force client RST via the use of ACK; 'force-rst-by-synack': Force client RST via the use of a bad SYN|ACK; 'disable': Disable TCP SYN Authentication

Type: string

Supported Values: send-rst, force-rst-by-ack, force-rst-by-synack, disable, send-rst-once

Default: send-rst

syn-cookie

Description Enable SYN Cookie

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

synack-rate-limit

Description Configure the SYN+ACK rate limit

Type: number

Range: 1-16000000

Mutual Exclusion: synack-rate-limit and track-together-with-syn are mutually exclusive

track-together-with-syn

Description Count SYN+ACK packets toward the destination SYN rate limit

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: track-together-with-syn and synack-rate-limit are mutually exclusive

tunnel-encap

Description: tunnel-encap is a JSON Block. Please see below for tunnel-encap

Type: Object

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

tunnel-encap

Specification Value
Type object

gre-cfg

Description: gre-cfg is a JSON Block. Please see below for tunnel-encap_gre-cfg

Type: Object

ip-cfg

Description: ip-cfg is a JSON Block. Please see below for tunnel-encap_ip-cfg

Type: Object

tunnel-encap_ip-cfg

Specification Value
Type object

always

Description: always is a JSON Block. Please see below for tunnel-encap_ip-cfg_always

Type: Object

ip-encap

Description Enable Tunnel encapsulation using IP in IP

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

tunnel-encap_ip-cfg_always

Specification Value
Type object

ipv4-addr

Description IPv4 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

Type: string

Format: ipv4-address

ipv6-addr

Description IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

Type: string

Format: ipv6-address

preserve-src-ipv4

Description Use original source ip for encapsulation

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

preserve-src-ipv6

Description Use original source ip for encapsulation

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

tunnel-encap_gre-cfg

Specification Value
Type object

gre-always

Description: gre-always is a JSON Block. Please see below for tunnel-encap_gre-cfg_gre-always

Type: Object

gre-encap

Description Enable Tunnel encapsulation using GRE

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

tunnel-encap_gre-cfg_gre-always

Specification Value
Type object

gre-ipv4

Description IPv4 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

Type: string

Format: ipv4-address

gre-ipv6

Description IPv6 address (IPv6-over-IPv4 / IPv4-over-IPv6 are not supported.)

Type: string

Format: ipv6-address

key-ipv4

Description Encapsulate with key (hexadecimal 0x0-0xFFFFFFFF, decimal 0-4294967295)

Type: string

Maximum Length: 10 characters

Minimum Length: 1 character

key-ipv6

Description Encapsulate with key (hexadecimal 0x0-0xFFFFFFFF, decimal 0-4294967295)

Type: string

Maximum Length: 10 characters

Minimum Length: 1 character

preserve-src-ipv4-gre

Description Use original source ip for encapsulation

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

preserve-src-ipv6-gre

Description Use original source ip for encapsulation

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

dst

Specification Value
Type object

rate-limit

Description: rate-limit is a JSON Block. Please see below for dst_rate-limit

Type: Object

dst_rate-limit

Specification Value
Type object

syn-rate-limit

Description: syn-rate-limit is a JSON Block. Please see below for dst_rate-limit_syn-rate-limit

Type: Object

dst_rate-limit_syn-rate-limit

Specification Value
Type object

dst-syn-rate-action

Description 'drop': Drop packets when the SYN rate is exceeded (Default); 'ignore': Ignore SYN rate exceedance

Type: string

Supported Values: drop, ignore

Default: drop

dst-syn-rate-limit

Description

Type: number

Range: 1-16000000

action-cfg

Specification Value
Type object

action-on-ack

Description Monitor TCP ACK for aged-out sessions

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

authenticate-only

Description Apply action-on-ack once per source address for authentication purposes

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

min-retry-gap

Description Minimum gap between two ACKs for action-on-ack to pass, in units of 100 ms

Type: number

Range: 1-80

reset

Description Send RST to client

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

rto-authentication

Description Estimate the RTO and apply the exponential back-off for authentication

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

timeout

Description ACK retry timeout in sec

Type: number

Range: 1-31

progression-tracking

Specification Value
Type object

connection-tracking

Description: connection-tracking is a JSON Block. Please see below for progression-tracking_connection-tracking

Type: Object

Reference Object: /axapi/v3/ddos/template/tcp/{name}/progression-tracking/connection-tracking

first-request-max-time

Description Set the maximum wait time from connection creation until the first data is transmitted over the connection (100 ms)

Type: number

Range: 1-65535

profiling-connection-life-model

Description Enable auto-config progression tracking learning for connection model

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

profiling-request-response-model

Description Enable auto-config progression tracking learning for request response model

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

profiling-time-window-model

Description Enable auto-config progression tracking learning for time window model

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

progression-tracking-action

Description 'drop': Drop packets when the progression tracking violation threshold is exceeded (Default); 'blacklist-src': Blacklist the source when the progression tracking violation threshold is exceeded

Type: string

Supported Values: drop, blacklist-src

Default: drop

Mutual Exclusion: progression-tracking-action and progression-tracking-action-list-name are mutually exclusive

progression-tracking-action-list-name

Description Configure the action-list to apply when the progression tracking violation threshold is exceeded

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: progression-tracking-action-list-name and progression-tracking-action are mutually exclusive

Reference Object: /axapi/v3/ddos/action-list

progression-tracking-enabled

Description 'enable-check': Enable Progression Tracking Check

Type: string

Supported Values: enable-check

request-length-max

Description Set the maximum request length

Type: number

Range: 1-65535

request-length-min

Description Set the minimum request length

Type: number

Range: 1-65535

request-response-model

Description 'enable': Enable Request Response Model; 'disable': Disable Request Response Model

Type: string

Supported Values: enable, disable

Default: enable

request-to-response-max-time

Description Set the maximum request to response time (100 ms)

Type: number

Range: 1-65535

response-length-max

Description Set the maximum response length

Type: number

Range: 1-4294967295

response-length-min

Description Set the minimum response length

Type: number

Range: 1-65535

response-request-max-ratio

Description Set the maximum response to request ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-4294967295

response-request-min-ratio

Description Set the minimum response to request ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-65535

response-to-request-max-time

Description Set the maximum response to request time (100 ms)

Type: number

Range: 1-65535

time-window-tracking

Description: time-window-tracking is a JSON Block. Please see below for progression-tracking_time-window-tracking

Type: Object

Reference Object: /axapi/v3/ddos/template/tcp/{name}/progression-tracking/time-window-tracking

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

violation

Description Set the violation threshold

Type: number

Range: 1-255

progression-tracking_connection-tracking

Specification Value
Type object

conn-duration-max

Description Set the maximum duration time (in unit of 100ms, up to 24 hours)

Type: number

Range: 1-864000

conn-duration-min

Description Set the minimum duration time (in unit of 100ms, up to 24 hours)

Type: number

Range: 1-864000

conn-rcvd-max

Description Set the maximum total received bytes

Type: number

Range: 1-65535

conn-rcvd-min

Description Set the minimum total received bytes

Type: number

Range: 1-65535

conn-rcvd-sent-ratio-max

Description Set the maximum received to sent ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-65535

conn-rcvd-sent-ratio-min

Description Set the minimum received to sent ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-65535

conn-sent-max

Description Set the maximum total sent bytes

Type: number

Range: 1-65535

conn-sent-min

Description Set the minimum total sent bytes

Type: number

Range: 1-65535

conn-violation

Description Set the violation threshold

Type: number

Range: 1-255

progression-tracking-conn-action

Description 'drop': Drop packets when the progression tracking violation threshold is exceeded (Default); 'blacklist-src': Blacklist the source when the progression tracking violation threshold is exceeded

Type: string

Supported Values: drop, blacklist-src

Default: drop

Mutual Exclusion: progression-tracking-conn-action and progression-tracking-conn-action-list-name are mutually exclusive

progression-tracking-conn-action-list-name

Description Configure the action-list to apply when the progression tracking violation threshold is exceeded

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: progression-tracking-conn-action-list-name and progression-tracking-conn-action are mutually exclusive

Reference Object: /axapi/v3/ddos/action-list

progression-tracking-conn-enabled

Description 'enable-check': Enable General Progression Tracking per Connection

Type: string

Supported Values: enable-check

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

progression-tracking_time-window-tracking

Specification Value
Type object

progression-tracking-win-enabled

Description 'enable-check': Enable Progression Tracking per Time Window

Type: string

Supported Values: enable-check

progression-tracking-windows-action

Description 'drop': Drop packets when the progression tracking violation threshold is exceeded (Default); 'blacklist-src': Blacklist the source when the progression tracking violation threshold is exceeded

Type: string

Supported Values: drop, blacklist-src

Default: drop

Mutual Exclusion: progression-tracking-windows-action and progression-tracking-windows-action-list-name are mutually exclusive

progression-tracking-windows-action-list-name

Description Configure the action-list to apply when the progression tracking violation threshold is exceeded

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: progression-tracking-windows-action-list-name and progression-tracking-windows-action are mutually exclusive

Reference Object: /axapi/v3/ddos/action-list

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

window-rcvd-max

Description Set the maximum total received bytes

Type: number

Range: 1-65535

window-rcvd-min

Description Set the minimum total received bytes

Type: number

Range: 1-65535

window-rcvd-sent-ratio-max

Description Set the maximum received to sent ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-65535

window-rcvd-sent-ratio-min

Description Set the minimum received to sent ratio (in unit of 0.1% [1:1000])

Type: number

Range: 1-65535

window-sent-max

Description Set the maximum total sent bytes

Type: number

Range: 1-65535

window-sent-min

Description Set the minimum total sent bytes

Type: number

Range: 1-65535

window-violation

Description Set the violation threshold

Type: number

Range: 1-255

filter-list

Specification Value
Type list
Block object keys

byte-offset-filter

Description Filter Expression using Berkeley Packet Filter syntax

Type: string

Format: string-rlx

Maximum Length: 1275 characters

Minimum Length: 1 character

tcp-filter-action

Description 'blacklist-src': Also blacklist the source when action is taken; 'whitelist-src': Whitelist the source after the filter passes; packets are dropped until then; 'count-only': Take no action and continue processing the next filter

Type: string

Supported Values: blacklist-src, whitelist-src, count-only

tcp-filter-regex

Description Regex Expression

Type: string

Format: string-rlx

Maximum Length: 1275 characters

Minimum Length: 1 character

tcp-filter-seq

Description Sequence number

Type: number

Range: 1-5

tcp-filter-unmatched

Description Apply the filter action when the filter does not match

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

user-tag

Description Customized tag

Type: string

Format: string-rlx

Maximum Length: 127 characters

Minimum Length: 1 character

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

src

Specification Value
Type object

rate-limit

Description: rate-limit is a JSON Block. Please see below for src_rate-limit

Type: Object

src_rate-limit

Specification Value
Type object

syn-rate-limit

Description: syn-rate-limit is a JSON Block. Please see below for src_rate-limit_syn-rate-limit

Type: Object

src_rate-limit_syn-rate-limit

Specification Value
Type object

src-syn-rate-action

Description 'drop': Drop packets when the SYN rate is exceeded (Default); 'blacklist-src': Blacklist the source when the SYN rate is exceeded; 'ignore': Ignore SYN rate exceedance

Type: string

Supported Values: drop, blacklist-src, ignore

Default: drop

src-syn-rate-limit

Description

Type: number

Range: 1-16000000

action-syn-cfg

Specification Value
Type object

action-on-syn

Description Monitor TCP SYN for aged-out sessions

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

action-on-syn-gap

Description Minimum gap between two SYNs for action-on-syn to pass, in units of 100 ms

Type: number

Range: 1-80

action-on-syn-reset

Description Send RST to client

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

action-on-syn-rto

Description Estimate the RTO and apply the exponential back-off for authentication

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

action-on-syn-timeout

Description SYN retry timeout in sec

Type: number

Range: 1-31

drop-known-resp-src-port-cfg

Specification Value
Type object

drop-known-resp-src-port

Description Drop packets whose source port is a well-known port (less than 1024)

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

exclude-src-resp-port

Description Exclude packets whose source port equals the destination port

Type: boolean

Supported Values: true, false, 1, 0

Default: 0