Manual Chapter : Event Messages and Attack Types

Applies To: BIG-IP DNS, BIG-IP Analytics, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM, BIG-IP APM, BIG-IP LTM (version 15.0.0)

Fields in ASM Violations event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description
--- | --- | ---
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address
http_class_name (string) | /Common/topaz4-web4 | HTTP policy name
policy_name (string) | My security policy | Name of the security policy reporting the violation
violations (string) | Attack signature detected | Violation name
support_id (non-negative integer) | 18205860747014045721 | Internally-generated integer to assist with client access support
request_status (string) | Blocked | Action applied to the client request
response_code (non-negative integer) | 200 | The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked.
ip_client (IP address) | 192.168.5.10 | Client source IP address
route_domain (non-negative integer) | 0 (zero) | Route domain number
method (string) | GET | HTTP method requested by client
protocol (string) | HTTP, HTTPS | Protocol name
query_string (string) | key1=val1&key2=val2 | Query sent by client; the query appears in the first line of the HTTP request after the path and the question mark (?)
x_forwarded_for_header_value (string) | 192.168.5.10 | Value of the XFF HTTP header
sig_ids (positive non-zero integer) | 200021069 | Signature ID number
sig_names (string) | Automated client access %22wget%22 | Signature name
date_time (string) | 2012-09-19 13:52:29 | Date and time in the format YYYY-MM-DD HH:MM:SS
severity (string) | Error | Severity category to which the event belongs
attack_type (string) | Non-browser client | Name of identified attack
geo_location (string) | USA/NY | Country/city location information
ip_address_intelligence (string) | Botnets, Scanners | List of IP intelligence categories found for an IP address
username (string) | Admin | User name for client session
session_id (hexadecimal number) | a9141b68ac7b4958 | TCP session ID
src_port (non-negative integer) | 52974 | Client protocol source port
dest_port (non-negative integer) | 80 | Requested service listening port number
dest_ip (IP address) | 192.168.5.11 | Requested service IP address
sub_violations (string) | Bad HTTP version, Null in request | Comma-separated list of sub-violation strings
virus_name (string) | Melissa | Virus name
uri (string) | / | URI requested by client
request (string) | GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n | Request string sent by client
headers | Host: myhost.com; Connection: close | Found in request logs
response | HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/> | HTTP response from server when response logging is configured
violation_details (string) | <?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG> | Extended information about a violation on a transaction
avr_id | 1 | AVR ID
blocking_exception_reason | IP is in Whitelist | A reason why the illegal request was not blocked
captcha_result | incorrect | The result of a captcha
client_type | Mobile App | The type of client that sent the request: mobile, browser, or bot
device_id | 121564864531 | Collected fingerprint
fragment | a=7&b=5 | Query string when # (fragment) was the separator
ip_with_route_domain | 172.26.36.17/5 | Source IP with the route domain
is_truncated | truncated | Set when the request was too long and the logged request has been truncated
management_ip_address_2 | 172.26.36.17 | Alternative IP address of the management port (dual stack support)
microservice | /a.com/index.php | The configured microservice that was matched to the request
mobile_application_name | Shop Ttt | Mobile application name
mobile_application_version | 4.1.5 | Mobile application version
policy_apply_date | 2018-08-06 10:17:56 | The last time the policy was updated
sig_set_names | {Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)},{Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)} | Signature set names
slot_number | 1 | The slot number
staged_sig_ids | Comma-separated list | Staged signature ID numbers
staged_sig_names | XSS script tag end (Headers),XSS script tag (Headers) | Staged signature names
staged_sig_set_names | {Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)},{Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)} | Staged signature set names
staged_threat_campaign_names | XSS script tag end (Headers),XSS script tag (Headers) | Staged threat campaign names
threat_campaign_names | XSS script tag end (Headers),XSS script tag (Headers) | Threat campaign names
violation_rating | 4 | Rating computed over all violations according to an algorithm
vs_name | Common/my_vs | Reporting virtual server name and partition
websocket_direction | clientToServer | WebSocket direction
websocket_message_type | Handshake | WebSocket message type
login_result | N/A, Successful Login, Failed Login, "", Unknown Login Result | States whether the back-end server returned a failed or successful login, according to the criteria configured for the ASM login URL

ASM Violations example events

This list contains examples of events you might find in ASM logs.

Examples of ASM log messages in the ArcSight CEF format

<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2| dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n

Example of ASM log message in the Remote Server format

<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"", "2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4" "N/A","10.4.1.101","10.4.1.101%0","172.16.73.34","GET", "2012-09-19 11:38:36","topaz4-web4","HTTP","", "GET / HTTP/1.0\r\nUser-Agent: Wget/1.12(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed", "Response logging disabled","200","0","7514e0ee8f0eb493","Informational", "","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A", "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG> <request-violations><violation><viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>request</context><sig_data> <sig_id>200021069</sig_id><blocking_mask>4</blocking_mask> <kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbn ;UpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29 ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer> <offset>0</offset><length>16</length></kw_data> </sig_data></violation></request-violations> </BAD_MSG>","","N/A","N/A"

Example of ASM log message in the Remote Syslog format

23003140

Examples of ASM log messages in the Reporting Server format

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36", violations="",support_id="18205860747014045701",request_status="passed", response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET", protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A", sig_ids="",sig_names="",date_time="2012-09-19 13:40:26", severity="Informational",attack_type="",geo_location="N/A", ip_address_intelligence="N/A",username="N/A", session_id="98630496c8413322",src_port="52964",dest_port="80", dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/", request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36", violations="",support_id="18205860747014045701",request_status="passed", response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET", protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A", sig_ids="",sig_names="",date_time="2012-09-19 13:40:26", severity="Informational",attack_type="",geo_location="N/A", ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322", src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="", virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25", violations="Attack signature detected",support_id="18205860747014045721", request_status="blocked",response_code="0",ip_client="10.4.1.101", route_domain="0",method="GET",protocol="HTTP",query_string="", x_forwarded_for_header_value="N/A",sig_ids="200021069", sig_names="Automated client access %22wget%22", date_time="2012-09-19 13:52:29",severity="Error", attack_type="Non-browser Client",geo_location="N/A", ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958", src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="", virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
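The violation_details field and the Remote Server sample above carry their evidence base64-encoded inside the BAD_MSG XML. The following Python is an added example, not F5 code, that decodes it; it assumes that <offset> and <length> index into the decoded <buffer> (the page does not state this, but the sample's slice is exactly the keyword named by signature 200021069), and its input is a constructed document assembled from the page's two XML fragments.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample, assembled from the Remote Server example above (with the
# line-wrap debris inside the base64 <buffer> removed) and the VIOL_HTTP_PROTOCOL
# fragment shown in the field table; it is not a captured log line.
VIOLATION_DETAILS = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>"
    "<violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name>"
    "<context>request</context><sig_data><sig_id>200021069</sig_id>"
    "<blocking_mask>4</blocking_mask><kw_data>"
    "<buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbnUpDQpBY2NlcHQ6ICovKg0K"
    "SG9zdDogMTAuNC4xLjIwMA0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer>"
    "<offset>0</offset><length>16</length></kw_data></sig_data></violation>"
    "<violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name>"
    "<http_sanity_checks_status>65536</http_sanity_checks_status>"
    "<http_sub_violation_status>65536</http_sub_violation_status>"
    "<http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation>"
    "</violation></request-violations></BAD_MSG>"
)


def _b64(field: str) -> bytes:
    """Decode a base64 field. Exporters may wrap long values, so whitespace is
    dropped first; validate=True then rejects anything that is not base64."""
    return base64.b64decode("".join(field.split()), validate=True)


def decode_violations(details_xml: str) -> List[Dict[str, object]]:
    """Turn a violation_details document into one record per <violation>.

    For VIOL_ATTACK_SIGNATURE the matched bytes are recovered by decoding
    <buffer> and slicing <offset>/<length> out of it (assumed semantics).
    For VIOL_HTTP_PROTOCOL the base64 <http_sub_violation> is decoded to text.
    """
    root = ET.fromstring(details_xml.encode("utf-8"))
    records: List[Dict[str, object]] = []
    for viol in root.iter("violation"):
        rec: Dict[str, object] = {
            "index": int(viol.findtext("viol_index", "0")),
            "name": viol.findtext("viol_name", ""),
        }
        sig = viol.find("sig_data")
        if sig is not None:
            rec["sig_id"] = sig.findtext("sig_id", "")
            rec["blocking_mask"] = int(sig.findtext("blocking_mask", "0"))
            kw = sig.find("kw_data")
            if kw is not None:
                buf = _b64(kw.findtext("buffer", ""))
                off = int(kw.findtext("offset", "0"))
                ln = int(kw.findtext("length", "0"))
                rec["buffer"] = buf                 # the inspected request bytes
                rec["matched"] = buf[off:off + ln]  # the bytes the signature hit
        sub = viol.findtext("http_sub_violation")
        if sub:
            rec["sub_violation"] = _b64(sub).decode("utf-8", "replace")
        records.append(rec)
    return records


def describe(details_xml: str) -> List[str]:
    """One analyst-readable line per violation, e.g. for a SIEM enrichment field."""
    lines = []
    for rec in decode_violations(details_xml):
        if "matched" in rec:
            lines.append(f"{rec['name']} sig={rec['sig_id']} matched={rec['matched']!r}")
        elif "sub_violation" in rec:
            lines.append(f"{rec['name']}: {rec['sub_violation']}")
        else:
            lines.append(str(rec["name"]))
    return lines


if __name__ == "__main__":
    for line in describe(VIOLATION_DETAILS):
        print(line)
```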

Fields in ASM Brute Force and Web Scraping event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description
--- | --- | ---
act (string) | Alerted or Blocked | Action taken in response to attack
anomaly_attack_type (string) | DoS attack or Brute Force attack | Type of attack
attack_id (integer) | 12345678 | Unique identifier of an attack
attack_status (string) | Started, Ended, or Ongoing | Status of an attack
current_mitigation (string) | Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent | How the attack is being mitigated
date_time (string) | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | Current date and time in the format YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
detection_average (integer) | 400 | Historical average of TPS, latency, or failed logins
detection_mode (string) | For DoS attacks: TPS Increased or Latency Increased; for Brute Force attacks: Number of Failed Logins Increased | How the attack was detected
dropped_requests (integer) | 10000 | Number of dropped requests
dvc (IP address) | 192.168.1.246 | BIG-IP system management IP address
dvchost (string) | bigip-4.asm-ds.f5.com | BIG-IP system host name
geo_location (string) | USA/NY | Country/city location information
ip_list (IP addresses) | 192.168.5.10:ny, ny, usa:150 | Comma-delimited list of attacker IP addresses in the format client_ip_addr:geo_location:drops_counter
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address
operation_mode (string) | Transparent or Blocking | Current operation mode in the security policy
policy_apply_date | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | The date and time the policy was last applied, in the format YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
policy_name (string) | My policy | Name of current active policy reporting the violation
request (URL) | www.siterequest.com | Login URL attacked by Brute Force attack
rt (string) | Nov 07 2012 06:53:50 | Current date and time in the format MMM DD YYYY HH:MM:SS
severity (string) | Emergency | Severity category for attacks is always Emergency
source_ip (IP address) | 192.168.4.1:ny, ny, usa:150000 | IP address from which the attack originates, in the format client_ip_addr:geo_location:drops_counter
src (IP address) | 192.168.4.1 | IP address from which the attack originates
unit_hostname (string) | bigip-4.asm-ds.f5.com | BIG-IP system FQDN
uri (string) | / | Login URL that was subject to a Brute Force attack
url_list (URLs) | 192.168.50.1:sf, ca, usa:200 | Comma-delimited list of attacked URLs in the format client_ip_addr:geo_location:drops_counter
violation_counter (integer) | 100 | Number of violations
web_application_name | My PTO | Name of the web application in which the violation occurred

ASM Anomaly example events

This list contains examples of events you might find in ASM logs.
Example of ASM Anomaly log messages in the ArcSight CEF format
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter
Example of ASM Anomaly log messages in the Reporting Server format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s", date_time="%s",severity="%s"
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s"
Example of ASM Anomaly log message in the Web Scraping format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s"

Fields in AFM event messages

This table lists the fields that are contained in event messages that might display in AFM logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description
--- | --- | ---
acl_rule_name (string) | Non-browser client | Name of ACL rule
action (string) | Accept, Accept decisively, Drop, Reject, Established, Closed | Action performed
hostname (string) | FQDN | BIG-IP system FQDN
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
context_name (string) | /Common/topaz3-web3 | Name of the object to which the rule applies
context_type (string) | Global, Route Domain, Virtual Server, Self IP address, or Management port | Category of the object to which the rule applies
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred, in the format MMM DD YYYY HH:MM:SS
dest_ip (IP address) | 192.168.3.1 | Destination IP address
dest_port (integer) | 80 | Protocol port number
device_product (string) | Advanced Firewall Module | Name of the BIG-IP system generating the event message
device_vendor (string) | F5 | F5 static keyword
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format version.point_release.0.yyyy.0
drop_reason (string) | (empty), <name of error>, Policy | Reason the action was performed
errdefs_msgno (integer) | 23003137 | Event number
errdefs_msg_name (string) | Network event | Event name
ip_protocol (string) | TCP, UDP, ICMP | Name of protocol
severity (integer) | 8 | Level of the event by number
partition_name (string) | Common | Name of the partition or folder in which the object resides
route_domain (integer) | 1 | Route domain number (non-negative)
src_ip (IP address) | 192.168.3.1 | Source IP address
src_port (integer) | 80 | Protocol port number (non-negative)
vlan (string) | External | VLAN interface name

AFM example events

This list contains examples of events you might find in AFM logs.
Examples of AFM log messages in the ArcSight CEF format
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name
Examples of AFM log messages in the Reporting Server format
acl_rule_name="allow_http",action="Accept",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-web3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="52807",vlan="/Common/external"
acl_rule_name="",action="Open",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"
acl_rule_name="",action="Closed",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"
Examples of AFM log messages in the Splunk format
acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
Example of AFM log message in the Syslog format
23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"
Example of AFM log message in the Syslog BSD format
23003137 "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"
Example of AFM log message in the Syslog Legacy F5 format
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp,Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external
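All of the ASM and AFM samples above use one of two layouts: ArcSight CEF, where the custom fields cs1..cs6, cn1..cn4 and c6a1..c6a4 only get their meaning from the companion csNLabel/cnNLabel/c6aNLabel values, and the key="value" layout shared by the Reporting Server, Splunk and Syslog structured-data formats. The parser below is an added example (not F5's or any SIEM's code) that resolves those labels and maps act/action/request_status onto one disposition; the three input lines are copied from this chapter's samples, and the disposition vocabulary is this example's own.

```python
import re
from typing import Dict, List, Tuple

# Sample lines copied from this chapter: the blocked ASM CEF event, an AFM CEF
# Accept event and the AFM Splunk-format Drop event. Raw strings keep the
# literal \r\n that ASM writes into the request field.
ASM_CEF = r'<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n'
AFM_CEF = r'CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name'
AFM_KV = r'acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"'

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
# key="value" pairs; the separators between pairs (comma, space, "] ") are ignored,
# and because values are taken between the quotes, commas inside a value survive.
KV_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line, with or without a syslog prefix such as
    '<131>Sep 19 13:53:34 host ASM:'. Besides the seven header fields and the
    raw extension keys, every csN/cnN/c6aN that has a csNLabel companion is
    also stored under that label, so cs4 + cs4Label=attack_type yields attack_type."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)   # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    raw: Dict[str, str] = {}
    # Extension values may contain spaces (rt=Sep 19 2012 13:53:33), so split
    # only on whitespace that is followed by the next key=; empty values (c6a1=) stay.
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        raw[key] = value.replace("\\=", "=")                     # '\=' is an escaped '='
    for key, value in raw.items():
        event[key] = value
        label = raw.get(key + "Label")
        if label and not key.endswith("Label"):
            event[label] = value
    return event


def parse_kv(line: str) -> Dict[str, str]:
    """Parse the key="value" layout of the Reporting Server, Splunk and
    [F5@12276 ...] Syslog formats (ASM and AFM alike)."""
    return dict(KV_RE.findall(line))


def disposition(event: Dict[str, str]) -> str:
    """Collapse the product-specific outcome field (ASM CEF act=passed|blocked,
    Reporting Server request_status, AFM act/action=Accept|Drop|Reject|...)
    onto 'denied' / 'allowed' / 'other'. The vocabulary is this example's own."""
    action = (event.get("act") or event.get("action")
              or event.get("request_status") or "").lower()
    if action in ("blocked", "drop", "reject"):
        return "denied"
    if action in ("passed", "accept", "accept decisively", "established", "open", "closed"):
        return "allowed"
    return "other"


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse each line by layout and return (product, disposition, detail), where
    detail is the ASM attack_type or the AFM drop_reason, whichever is present."""
    out = []
    for line in lines:
        ev = parse_cef(line) if "CEF:" in line else parse_kv(line)
        product = ev.get("device_product") or ("ASM" if "policy_name" in ev else "unknown")
        detail = ev.get("attack_type") or ev.get("drop_reason") or ""
        out.append((product, disposition(ev), detail))
    return out


if __name__ == "__main__":
    for row in triage([ASM_CEF, AFM_CEF, AFM_KV]):
        print(row)
```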

Fields in Network DoS Protection event messages

This table lists the fields that are contained in event messages that might display in the DoS Protection logs.
Field name and type | Example value | Description
--- | --- | ---
action (string) | Allow, Drop, None | Action performed or reported
hostname (string) | FQDN | BIG-IP system FQDN
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred, in the format MMM DD YYYY HH:MM:SS
dest_ip (IP address) | 192.168.3.1 | Destination IP address
dest_port (integer) | 80 | Protocol port number (non-negative)
device_product (string) | Advanced Firewall Module | Name of the BIG-IP system generating the event message
device_vendor (string) | F5 | F5 static keyword
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format mm.dd.0.yyyy.0
dos_attack_event (string) | Attack started, Attack Sampled, Attack Stopped | Attack instance start and stop events
dos_attack_id (string) | 2760296639 | Unique, non-negative attack ID
dos_attack_name (string) | ICMP Flood, Bad TCP checksum | Network DoS event
errdefs_msgno (integer) | 23003138 | Static number
errdefs_msg_name (string) | Network DoS event | Static keyword
severity (integer) | 8 | Event severity value (non-negative integer)
partition_name (string) | Common | Name of the partition in which the virtual server resides
route_domain (integer) | 1 | Route domain number (non-negative)
src_ip (IP address) | 192.168.3.1 | Source IP address
src_port (integer) | 80 | Protocol port number (non-negative)
vlan (string) | External | Name of the VLAN interface
timestamp | -none- | Date and time of the request
reported_entity_type (string) | Source IP | Which entity is reported at this time: Source IP, Geo-Location, URL, or Site-Wide
profile_name | dos1 | DoS profile name
event_id | -none- | -none-
dos_mitigation_reason | Abnormal volume | Why this mitigation happened on an entity. Abnormal volume: due to an unusually high volume of traffic coming from this entity. Other entity in request: the entity is reported because it was sending traffic to or from a mitigated entity (for example, a non-suspicious IP sending traffic to a mitigated URL is blocked and is reported with this reason). Not mitigated: this entity was not mitigated; it is still suspicious. Bot Signature Matched: a bot signature was matched on the entity; there is no information on which bot signature matched. Bot filtering: dropped by the proactive bot defense system (may also be seen outside attacks). Auto-detected heavy URL: detected as a heavy URL automatically and therefore mitigated. Configured heavy URL: detected as a heavy URL manually and therefore mitigated. Disallowed GEO-location: traffic is coming from a configured disallowed geolocation. Behavioral Anomaly: mitigated by behavioral DoS.
dos_mitigate_to_threshold | -none- | Apply mitigation until the threshold is back to this rate
bigip_mgmt_ip_2 | -none- | Alternative IP address of the management port (dual stack support)
dos_incoming_requests_count | 1 | The number of incoming requests reaching the attacked VS/profile pair
dos_dropped_requests_count | 1 | Number of dropped requests, that is, incoming requests minus outgoing requests. Includes challenge replies, so even if the challenge is eventually answered it is counted as a single drop.
dos_detection_threshold | 1 | The threshold that was crossed
dos_detection_condition | -none- | Threshold type
dos_current_traffic_percent | -none- | Current entity traffic share (for geo entity only)
dos_baseline_traffic_percent | -none- | Legitimate entity traffic share (for geo entity only)
dos_baseline_tps | -none- | Legitimate entity TPS
dos_baseline_latency | -none- | Legitimate entity latency
dos_attack_tps | 1 | Entity TPS
dos_attack_latency | 1 | Entity latency
dos_attack_detection_mode | TPS Increased | How the attack was detected. TPS Increased: detected due to an increase in TPS. Server Stress Detected: detected due to a server latency (stress) increase along with an IP or URL that has passed a TPS threshold.
device_id | -none- | Device-ID (relevant for IP entity only)
device_blade | -none- | Blade ID
context_type | Virtual Server | Virtual Server
context_name | v1 | The virtual server name
configuration_date_time | -none- | Date and time of the last configuration update
client_request_uri | / | URL (relevant only for URL entity)
client_ip_geo_location | -none- | Geolocation (relevant for IP/GEO entity)

Default Device DoS/DDoS attack signatures

The following tables, organized by DoS category, list AFM default device DoS attacks, and provide a short description and relevant information. You can adjust the thresholds in device protection by clicking the attack types and adjusting the properties.

Network attack types

Vector | Information | Hardware accelerated
ARP Flood | ARP packet flood | Yes
Bad ICMP Checksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes
Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. | Yes
Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes
Bad IP TTL Value | Time-to-live equals zero for an IPv4 address. | Yes
Bad IP Version | The IPv4 address version in the IP header is not 4. | Yes
Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes
Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes
Bad IPV6 Version | The IPv6 address version in the IP header is not 6. | Yes
Bad SCTP Checksum | Bad SCTP packet checksum. | No
Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. | Yes
Bad TCP Checksum | The TCP checksum does not match. | Yes
Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes
Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes
Bad UDP Checksum | The UDP checksum is not correct. | Yes
Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than IP length or Layer 2 length. | Yes
Ethernet Broadcast Packet | Ethernet broadcast packet flood | Yes
Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes
Ethernet Multicast Packet | Ethernet multicast packet flood | Yes
FIN Only Set | Bad TCP flags (only FIN is set). | Yes
Header Length > L2 Length | No room in Layer 2 packet for IP header (including options) for IPv4 address | Yes
Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes
Host Unreachable | Host unreachable error | Yes
ICMP Fragment | ICMP fragment flood | Yes
ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <value>, where <value> is <= 65515. | Yes
ICMPv4 Flood | Flood with ICMPv4 packets | Yes
ICMPv6 Flood | Flood with ICMPv6 packets | Yes
IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes
IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes
IP Error Checksum | The header checksum is not correct. | Yes
IP Fragment Error | Other IPv4 fragment error | Yes
IP Fragment Flood | Fragmented packet flood with IPv4 | Yes
IP Fragment Overlap | IPv4 overlapping fragment error | No
IP Fragment Too Small | IPv4 short fragment error | Yes
IP Length > L2 Length | The total length in the IPv4 address header or payload length in the IPv6 address header is greater than the Layer 3 length in a Layer 2 packet. | Yes
IP Option Frames | IPv4 address packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes
IP Option Illegal Length | Option present with illegal length. | No
IP uncommon proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes
IP Unknown protocol | Unknown IP protocol | No
IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 address packets. | Yes
IPV6 Atomic Fragment | IPv6 Frag header present with M=0 and FragOffset =0. | Yes
IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes
IPv6 Extended Header Frames | IPv6 address contains extended header frames. | Yes
IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes
IPv6 extension header too large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <value>, where <value> is 0-1024. | Yes
IPv6 Fragment Error | Other IPv6 fragment error | Yes
IPv6 Fragment Flood | Fragmented packet flood with IPv6 | Yes
IPv6 Fragment Overlap | IPv6 overlapping fragment error | No
IPv6 Fragment Too Small | IPv6 short fragment error | Yes
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <value>, where <value> is 1-4. | Yes
IPv6 Length > L2 Length | IPv6 address length is greater than the Layer 2 length. | Yes
L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in an IPv4 address header, and the Layer 2 length is greater than the minimum packet size. | Yes
LAND Attack | Source IP equals destination IP address | Yes
No L4 | No Layer 4 payload for IPv4 address. | Yes
No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes
No Listener Match | This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem. |
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. |
Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes
Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes
Routing Header Type 0 | Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. | Yes
Single Endpoint Flood | Flood to a single endpoint that can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No
Single Endpoint Sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No
SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes
TCP BADACK Flood | TCP ACK packet flood | No
TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes
TCP Half Open | TCP connection whose state is out of synchronization between the two communicating hosts | Yes
TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes
TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes
TCP PUSH Flood | TCP PUSH flood | Yes
TCP RST Flood | TCP RST flood | Yes
TCP SYN ACK Flood | TCP SYN/ACK flood | Yes
TCP SYN Flood | TCP SYN flood | Yes
TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value <value>. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value <value>, where <value> is <= 128. | Yes
TIDCMP | ICMP source quench attack | Yes
Too Many Extension Headers | For an IPv6 address, there are too many extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <value>, where <value> is 0-15. | Yes
TTL <= <tunable> | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where <value> is 1-4. | Yes
UDP Flood | UDP flood attack | Yes
Unknown Option Type | Unknown IP option type. | No
Unknown TCP Option Type | Unknown TCP option type. | Yes
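Several rows in the table above are pure header-sanity checks (Bad IP Version, Header Length Too Short, Header Length > L2 Length, IP Length > L2 Length, Bad IP TTL Value, Bad Source, LAND Attack, IP Error Checksum, the TCP flag vectors, the TCP header-length vectors and TCP Option Overruns TCP Header), so they can be written down as plain tests on the packet bytes. The Python below is an added illustration of those checks; it is not F5 code and does not describe how the BIG-IP data plane implements the vectors. The vector names are copied from the table; the choice of the six classic TCP flag bits as the "all flags" mask, the frame builder and its addresses and ports are assumptions made for the example. Flood and rate-based vectors are out of scope, and the TCP checksum is not verified.

```python
import struct
from ipaddress import IPv4Address

# Six classic TCP flag bits (URG ACK PSH RST SYN FIN). The table's
# "all flags set" / "all cleared" checks are taken to mean these (assumption).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = 0x3F


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_ipv4_tcp(frame: bytes) -> list:
    """Return the names of the table's header-sanity vectors that match an
    IPv4/TCP frame (Layer 3 onward). Flood vectors and the TCP checksum are
    not examined here."""
    hits = []
    if len(frame) < 20:
        return ["Header Length Too Short"]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        hits.append("Bad IP Version")
    if ihl < 20:
        hits.append("Header Length Too Short")
    elif ihl > len(frame):
        hits.append("Header Length > L2 Length")
    if total_len > len(frame):
        hits.append("IP Length > L2 Length")
    if ttl == 0:
        hits.append("Bad IP TTL Value")
    if int.from_bytes(src, "big") in (0xFFFFFFFF, 0xE0000000):
        hits.append("Bad Source")
    if src == dst:
        hits.append("LAND Attack")
    header_ok = 20 <= ihl <= len(frame)
    if header_ok and ipv4_checksum(frame[:ihl]) != 0:
        hits.append("IP Error Checksum")
    if proto != 6 or not header_ok:
        return hits
    tcp = frame[ihl:]
    if not tcp:
        hits.append("No L4")
        return hits
    if len(tcp) < 20:
        hits.append("TCP Header Length > L2 Length")
        return hits
    _sp, _dp, seq, _ack, doff_byte, flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = doff_byte >> 4
    if doff < 5:
        hits.append("TCP Header Length Too Short (Length < 5)")
    elif doff * 4 > len(tcp):
        hits.append("TCP Header Length > L2 Length")
    else:
        opts, i = tcp[20:doff * 4], 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:            # End of Option List
                break
            if kind == 1:            # No-Operation is a single byte
                i += 1
                continue
            # Every other option carries a length byte; it must fit the header.
            if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
                hits.append("TCP Option Overruns TCP Header")
                break
            i += opts[i + 1]
    f = flags & ALL_FLAGS
    if f == 0 and seq == 0:
        hits.append("Bad TCP Flags (All Cleared)")
    if f == ALL_FLAGS:
        hits.append("Bad TCP Flags (All Flags Set)")
    if f == FIN:
        hits.append("FIN Only Set")
    if (f & (SYN | FIN)) == (SYN | FIN):
        hits.append("SYN && FIN Set")
    return hits


def build_ipv4_tcp(src, dst, *, ttl=64, flags=SYN, seq=1, version=4,
                   data_offset=None, options=b"", bad_checksum=False):
    """Constructed test frame (IPv4 header + TCP header), not real traffic.
    Ports 40000 -> 80 are arbitrary; options must be a multiple of 4 bytes."""
    doff = (20 + len(options)) // 4 if data_offset is None else data_offset
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, doff << 4, flags,
                      65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20 + len(tcp),
                     0, 0, ttl, 6, 0, IPv4Address(src).packed,
                     IPv4Address(dst).packed)
    csum = ipv4_checksum(ip) ^ (0x0001 if bad_checksum else 0)
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp
```

A frame can trip several vectors at once (a truncated frame fails both the IP and the TCP length checks), which is why the classifier returns a list rather than stopping at the first match.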

DNS attack vectors

For the query vectors below, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value <value>, where <value> is 0-4094.
Vector | Information | Hardware accelerated
DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. | Yes
DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. | Yes
DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. | Yes
DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. | Yes
DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. | Yes
DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. | Yes
DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. | Yes
DNS Malformed | Malformed DNS packet | Yes
DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. | Yes
DNS NXDOMAIN Query | DNS query. Queried domain name does not exist. | Yes
DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. | Yes
DNS Oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value <value>, where <value> is 256-8192. | Yes
DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. | Yes
DNS Question Items != 1 | DNS Query, DNS Qtype is ANY_QRY, the DNS query has more than one question. | Yes
DNS Response Flood | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. | Yes
DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. | Yes
DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. | Yes
DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. | Yes
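The DNS vectors above are distinguished by a few wire-format fields: the QR bit (bit 15 of the flags word) separates DNS Response Flood from the query vectors, the question count separates DNS Question Items != 1, the QTYPE of the single question selects the per-type vector (anything not listed falls under DNS OTHER Query), and a size ceiling stands in for dos.maxdnssize. The Python below is an added example that maps one UDP DNS payload to a vector name from the table; it is not F5 code and not the product's classification logic. The QTYPE codes are the standard IANA values; the 512-byte size ceiling is an assumed illustration value, not the product default, and the question-count check is applied to every query type rather than only ANY as the table states.

```python
import struct

# IANA QTYPE codes for the query vectors in the table above.
QTYPE_TO_VECTOR = {
    1: "DNS A Query", 2: "DNS NS Query", 5: "DNS CNAME Query",
    6: "DNS SOA Query", 12: "DNS PTR Query", 15: "DNS MX Query",
    16: "DNS TXT Query", 28: "DNS AAAA Query", 33: "DNS SRV Query",
    251: "DNS IXFR Query", 252: "DNS AXFR Query", 255: "DNS Any Query",
}


def _read_name(msg: bytes, offset: int) -> int:
    """Walk an uncompressed QNAME and return the offset just past it.
    Raises ValueError when the name runs off the end of the message."""
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0:            # compression pointer: not valid in a question
            raise ValueError("compressed name in question")
        offset += 1 + length


def classify_dns_udp(payload: bytes, max_size: int = 512) -> str:
    """Map one UDP DNS payload to a vector name from the table. max_size
    plays the role of the dos.maxdnssize tunable (512 is an assumed value
    for this example, not the product default)."""
    if len(payload) < 12:
        return "DNS Malformed"
    if len(payload) > max_size:
        return "DNS Oversize"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:               # bit 15 (QR) set: this is a response
        return "DNS Response Flood"
    if qdcount != 1:
        return "DNS Question Items != 1"
    try:
        end = _read_name(payload, 12)
        qtype, _qclass = struct.unpack("!HH", payload[end:end + 4])
    except (ValueError, struct.error):
        return "DNS Malformed"
    return QTYPE_TO_VECTOR.get(qtype, "DNS OTHER Query")


def build_dns_query(name: str, qtype: int, *, qdcount=None,
                    response: bool = False, txid: int = 0x1234) -> bytes:
    """Constructed single-question DNS message for testing (not real traffic).
    qdcount overrides the header count so the question-count check can be hit."""
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    flags = 0x8000 if response else 0x0100   # QR on responses, RD on queries
    header = struct.pack("!HHHHHH", txid, flags,
                         1 if qdcount is None else qdcount, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN
```

The order of the checks matters: a truncated or oversize message is reported before any field inside it is trusted, so the classifier never indexes past the end of the buffer.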

SIP attack vectors

Vector | Information | Hardware accelerated
SIP ACK Method | SIP ACK packets | Yes
SIP BYE Method | SIP BYE packets | Yes
SIP CANCEL Method | SIP CANCEL packets | Yes
SIP INVITE Method | SIP INVITE packets | Yes
SIP Malformed | Malformed SIP packets | Yes
SIP MESSAGE Method | SIP MESSAGE packets | Yes
SIP NOTIFY Method | SIP NOTIFY packets | Yes
SIP OPTIONS Method | SIP OPTIONS packets | Yes
SIP OTHER Method | Other SIP method packets | Yes
SIP PRACK Method | SIP PRACK packets | Yes
SIP PUBLISH Method | SIP PUBLISH packets | Yes
SIP REGISTER Method | SIP REGISTER packets | Yes
SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes
SIP URI Limit | The SIP URI exceeds the limit. | Yes

Network DoS Protection example events

This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.
Example of Network DOS Protection log message in the ArcSight format
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address
Example of Network DoS Protection log message in the Remote Syslog format
"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop"
Examples of Network DoS Protection log messages in Reporting Server format
Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""
Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external"
Example of Network DoS Protection log message in the Splunk format
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0"
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip=""
action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
Example of Network DoS Protection log message in the Syslog format
23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"
Example of Network DoS Protection log message in the Syslog F5 format
23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"
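The five formats above carry the same Network DoS event in different shapes: key="value" pairs (Reporting Server and Splunk, with or without a syslog prefix), a bare comma-separated record (Remote Syslog), the message number followed by that record (Syslog F5), and the Syslog format, which carries both the structured-data pairs and the comma-separated record for one event. That last form is what lets a parser verify the positional column mapping instead of guessing it. The Python below is an added example, not F5 code: the column order for the comma-separated forms was read off the Syslog-format example above by matching its values, the sample lines are copied from the examples above, and the grouping by dos_attack_id is an illustration of how a SOC pipeline could follow an attack from "Attack Started" to "Attack Sampled".

```python
import csv
import io
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Column order of the comma-separated forms (Remote Syslog and Syslog F5),
# recovered from the Syslog-format example above, which carries both the
# key="value" structured data and the comma-separated body for the same event.
CSV_FIELDS = [
    "date_time", "bigip_mgmt_ip", "hostname", "context_name", "source_ip",
    "dest_ip", "source_port", "dest_port", "route_domain", "vlan",
    "dos_attack_name", "dos_attack_id", "dos_attack_event", "action",
]
SYSLOG_RE = re.compile(r'^(\d+)\s+\[F5@\d+\s+(.*?)\]\s+(".*)$')
SYSLOG_F5_RE = re.compile(r'^(\d+)\s+(".*)$')


def parse_kv(text: str) -> dict:
    """key="value" pairs (Reporting Server, Splunk, structured-data block)."""
    return dict(KV_RE.findall(text))


def parse_csv_body(text: str) -> dict:
    """Positional comma-separated record; refuse to guess on a column mismatch."""
    row = next(csv.reader(io.StringIO(text)))
    if len(row) != len(CSV_FIELDS):
        raise ValueError(f"expected {len(CSV_FIELDS)} columns, got {len(row)}")
    return dict(zip(CSV_FIELDS, row))


def parse_network_dos_event(line: str) -> dict:
    """Return the event's fields whichever of the documented formats it is in."""
    line = line.strip()
    m = SYSLOG_RE.match(line)
    if m:                       # Syslog: msgno, [F5@... k="v" ...], then CSV body
        fields = parse_kv(m.group(2))
        body = parse_csv_body(m.group(3))
        for key, value in body.items():   # both halves must describe one event
            if fields.get(key, value) != value:
                raise ValueError(f"structured data and CSV disagree on {key}")
        fields.update(body)
        return fields
    m = SYSLOG_F5_RE.match(line)
    if m:                       # Syslog F5: msgno then CSV body
        fields = parse_csv_body(m.group(2))
        fields["errdefs_msgno"] = m.group(1)
        return fields
    if line.startswith('"'):    # Remote Syslog: CSV body only
        return parse_csv_body(line)
    if KV_RE.search(line):      # Reporting Server / Splunk, optional syslog prefix
        return parse_kv(line)
    raise ValueError("unrecognised Network DoS log format")


def attack_lifecycle(lines) -> dict:
    """Group events by dos_attack_id, in arrival order, as
    (date_time, dos_attack_event, action) tuples."""
    timeline = defaultdict(list)
    for line in lines:
        ev = parse_network_dos_event(line)
        timeline[ev["dos_attack_id"]].append(
            (ev["date_time"], ev["dos_attack_event"], ev["action"]))
    return dict(timeline)


# Sample lines copied from the examples above.
REPORTING_STARTED = 'Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""'
REPORTING_SAMPLED = 'Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external"'
REMOTE_SYSLOG_LINE = '"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop"'
SYSLOG_LINE = '23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"'
SYSLOG_F5_LINE = '23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"'
```

Because the comma-separated forms carry no field names, a column-count mismatch raises rather than silently assigning values to the wrong names; the cross-check in the Syslog branch catches the same problem on lines that carry both representations.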

Fields in Protocol Security event messages

This table lists the fields that are contained in event messages that might display in the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description
date_time (string) | 110513:11:10 | Date and time the event occurred in this format: MMM DD HH:MM:SS
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
PSM: (string) | PSM:keyword | Static value keyword
protocol (string) | FTP, SMTP, HTTP, DNS | Protocol name
ip_client (IP address) | 192.168.5.10 | Client source IP address
dest_ip (IP address) | 192.168.3.1 | Destination IP address
vs_name (string) | Common/my_vs | Reporting virtual server name and partition
policy_name (string) | My security policy | Name of the security policy reporting the violation
violations (string) | Active mode | Violation name
virus_name (string) | <name of virus> | Virus name
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
request_status (string) | Blocked | Action applied to the client request
dest_port (integer) | 80 | Protocol port number (non-negative)
src_port (integer) | 80 | Protocol port number (non-negative)
route_domain (integer) | 1 | Route domain number (non-negative)
geo_location (string) | NY, NY, USA | City, state, country location information
violation_details (string) | port/sendport 10,3,0,33,42,88 | Violation description and the values passed

Protocol Security example events

This list contains examples of events you might find in the Protocol Security logs.
Example of Protocol Security log message in the ArcSight format
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A
Oct 5 11:49:23 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A
Example of Protocol Security log message in the Remote Server format
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="Active mode",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="port/sendport 10,3,0,33,42,88"
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="list/dir/mdir"
Oct 5 11:55:23 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="pwd"
Example of Protocol Security log message in the Syslog format
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22"
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","nlist/mls"
Oct 5 11:37:23 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","cwd .."
Example of Protocol Security log message in the Syslog BSD format
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217"
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","nlist/mls"
Example of Protocol Security log message in the Syslog legacy format
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197"
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","nlist/mls"
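The ArcSight lines above are CEF records: seven pipe-delimited header fields followed by a space-separated extension in which custom values (cs1, cs3, c6a2 and so on) are only meaningful once paired with their csNLabel/c6aNLabel companions, and in which a value such as "port/sendport 10,3,0,33,7,223" contains spaces. The Syslog, Syslog BSD and Syslog legacy lines are the positional comma-separated form whose column order is the field table above. The Python below is an added example of parsing both, not F5 code; the sample lines are copied from the examples above, and the output key names for the CEF header fields are this example's own choice.

```python
import csv
import io
import re

# Positional column order of the comma-separated body, as in the field table
# above (date_time, hostname and the PSM: keyword precede the body on the line).
PS_CSV_FIELDS = [
    "protocol", "ip_client", "dest_ip", "vs_name", "policy_name", "violations",
    "virus_name", "management_ip_address", "unit_hostname", "request_status",
    "dest_port", "src_port", "route_domain", "geo_location", "violation_details",
]
CEF_HEADER_KEYS = ["cef_version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity"]
CEF_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def parse_cef(line: str) -> dict:
    """Parse one CEF record: the 7 pipe-delimited header fields plus the
    extension, resolving csN/cnN/c6aN values through their *Label companions."""
    start = line.index("CEF:")
    parts = CEF_UNESCAPED_PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    parts[0] = parts[0][len("CEF:"):]
    header = dict(zip(CEF_HEADER_KEYS, parts[:7]))
    # Extension values may contain spaces, so split only at whitespace that is
    # immediately followed by the next key=.
    raw = {}
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        raw[key] = value
    ext = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        ext[raw.get(key + "Label", key)] = value   # csNLabel names the csN value
    return {"syslog_prefix": line[:start], "header": header, "ext": ext}


def parse_ps_csv(line: str) -> dict:
    """Parse the Syslog / Syslog BSD / Syslog legacy form: syslog prefix,
    the PSM: keyword, then a comma-separated body in the documented order."""
    prefix, sep, body = line.partition("PSM:")
    if not sep:
        raise ValueError("no PSM: keyword on line")
    row = next(csv.reader(io.StringIO(body)))
    if len(row) != len(PS_CSV_FIELDS):
        raise ValueError(f"expected {len(PS_CSV_FIELDS)} columns, got {len(row)}")
    fields = dict(zip(PS_CSV_FIELDS, row))
    # The prefix is "<date_time> <hostname> " per the field table.
    date_time, _, hostname = prefix.strip().rpartition(" ")
    fields.update(date_time=date_time, hostname=hostname)
    return fields


# Sample lines copied from the examples above.
CEF_LINE = "Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A"
CSV_LINE = 'Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22"'
```

After label resolution the CEF extension and the comma-separated record expose the same names (policy_name, vs_name, geo_location, violation_details), so downstream rules can be written once against the field table regardless of which format the log publisher emits.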

Fields in DNS event messages

This table lists the fields that are contained in event messages that might display in the DNS logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description
errdefs_msgno (integer) | 23003141 | Static number 23003141
date_time (string) | 11 13 2012 12:12:10 | Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
context_name (string) | /Common/vs1_udp | Partition in which the virtual server resides and name of virtual server
vlan (string) | External | Name of the VLAN interface
query_type (string) | A | Type of DNS query causing the attack
dns_query_name (string) | siterequest.com | Name being queried
partition_name (string) | Common | Name of the partition in which the virtual server resides
attack_type (string) | CNAME | DNS query causing the attack
action (string) | None, Drop, Allow | Action performed or reported
src_ip (IP address) | 192.168.3.1 | Source IP address
dest_ip (IP address) | 192.168.3.2 | Destination IP address
src_port (integer) | 80 | Protocol port number (non-negative)
dest_port (integer) | 80 | Protocol port number (non-negative)
route_domain (integer) | 1 | Route domain number (non-negative)

DNS attack types

This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attacks are the DNS queries that a client can request. If the requests are received at a high rate and exceed the configured watermark, they generate a DNS DoS event.
Attack name (RFC number) | Description
a6 (1035) | Returns a 32-bit IPv4 IP address record
aaaa (3596) | Returns a 128-bit IPv6 address record
afsdb (1183) | Location of database servers of an AFS database record
any (1035) | Returns all cached records of all types
atma | ATM address
axfr (1035) | Authoritative zone transfer
cert (4398) | Stores PKIX, SPKI, and PGP certificate record
cname (1035) | Alias of one name to another (canonical name record)
dname (2672) | DNAME (delegation name) creates an alias for a name and all its subnames
eid | Endpoint identifier
gpos (1712) | Geographical position (state, country)
hinfo (1035) | Host information
isdn (1183) | ISDN address
ixfr (1996) | Incremental zone transfer
key (2535, 2930) | Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930) key records
kx (2535, 2930) | Key exchange record identifies a key management agent for the associated domain-name (not associated with DNSSEC)
loc (1876) | Location record
maila (1035) | Request for mail agent resource records
mailb (1035) | Mailbox or mail list information (MINFO)
mb (1035) | Mailbox domain name
md | Mail destination
mf (1035) | Mail forwarder
mg (1035) | Mail group member
minfo (1035) | Mailbox or mail list information
mr (1035) | Mail rename domain name
mx (1035) | Mail exchange record
naptr (3403) | Naming authority pointer
nimloc (1002) | Nimrod locator
ns (1035) | Nameserver record
nsap (1706) | NSAP style A record
nsap-ptr (1348) | NSAP style domain name pointer
null (1035) | Null resource record
nxt (2535) | Next domain
opt (2671) | Pseudo DNS record type that supports EDNS
ptr (1035) | Pointer to a canonical name
px (2163) | X.400 mail mapping information
rp (1183) | Contact information for the person(s) responsible for the domain
rt (1183) | Route through
sg (2535) | Signature record
sink | DNS sinkhole
soa (1035) | Start of authority record
srv (2782) | Service locator record
tkey (2930) | Secret key record
tsig (2845) | Transaction signature that authenticates dynamic updates as coming from an approved client, or authenticates responses as coming from an approved recursive name server
txt (1035) | Text record
wks | Sender Policy Framework, DKIM, and DMARC DNS-SD
x25 (1183) | X.25 PSDN address
zxfr | Compressed zone transfer

DNS example events

This list contains examples of events you might find in the DNS logs.
Example of DNS log message in the ArcSight CEF format
Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address
Example of DNS log message in the Reporting Server format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"
Example of DNS log message in the Syslog format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"

Fields in DNS DoS event messages

This table lists the fields that are contained in event messages that might display in the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description
errdefs_msgno (integer) | 23003141 | Static number
errdefs_msg_name (string) | DNS DoS Event | Name of event
date_time (string) | 11 13 2012 12:12:10 | Date and time event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
context_name (string) | /Common/vs1_udp | Partition in which the virtual server resides and name of virtual server
vlan (string) | External | Name of VLAN interface
dns_query_type (string) | A | Type of DNS query causing the attack
dns_query_name (string) | f5.com | Name being queried
src_ip (IP address) | 192.168.3.1 | Source IP address
dest_ip (IP address) | 192.168.3.1 | Destination IP address
src_port (integer) | 80 | Protocol port number (non-negative)
dest_port (integer) | 80 | Protocol port number (non-negative)
partition_name (string) | Common | Name of the partition in which the virtual server resides
dos_attack_name (string) | A query DOS | Name of attack
dos_attack_id (integer) | 1005891899 | Unique, non-negative, attack instance ID
dos_attack_event (string) | Attack Sampled | Status of attack
action (string) | None, Drop, Allow | Action performed or reported

DNS DoS attack types

This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.
Attack name (RFC) | Description | Value description
A query DOS (RFC 1035) | Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101. | Address record
PTR query DOS (RFC 1035) | Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. | Pointer record
NS query DOS (1035) | Delegates a DNS zone to use the given authoritative name servers. | Name service record
SOA query DOS (1035) | Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. | Start of authority record
CNAME query DOS (1035) | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. | Canonical name record
MX query DOS (1035) | Maps a domain name to a list of message transfer agents for that domain. | Mail exchange record
AAAA query DOS (3596) | Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. | IPv6 address record
TXT query DOS (1035) | Originally for arbitrary human-readable text in a DNS record; however, this record often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD. | Text record
SRV query DOS (2782) | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. | Service locator
AXFR query DOS (1035) | Request for a transfer of an entire zone. | Request
IXFR query DOS (1995) | Incremental transfer of records in the zone. | Request
ANY query DOS (1035) | Request for all records. | Request
Malformed DOS | Generated by a DNS packet in which one of the fields, for example, opcode, query_type or query_name, contains invalid information. |
Malicious DOS | Generated by malicious packets, that is, malformed DNS packets with references that are invalid. |
Other Query DOS | Queries, not listed in this table, which are being used to attack nameservers. |

DNS DoS example events

This list contains examples of events you might find in the DNS DoS attack logs.
Example of DNS DoS attack log message in the Syslog format
"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com","/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com","192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow"

BIG-IP system process example events

This list contains examples of events you might find in BIG-IP system logs. Please be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol impacts performance.

Example Syslog log entry for the system audit log

This log entry provides confirmation of a successful configuration save.
1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] AUDIT - pid=29639 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all

Example Syslog log entry for the application security log

This log entry provides confirmation of the end of a DoS attack.
Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet broadcast packet, Attack ID 188335952.