Manual Chapter: Event Messages and Attack Types
Applies to: BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM
Versions: 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Fields in ASM Violations event messages
This table lists the fields contained in event messages that might display in ASM logs.
The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description |
---|---|---|
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address |
http_class_name (string) | /Common/topaz4-web4 | HTTP policy name |
policy_name (string) | My security policy | Name of the security policy reporting the violation |
violations (string) | Attack signature detected | Violation name |
support_id (non-negative integer) | 18205860747014045721 | Internally generated identifier used when working with client access support. Values exceed the signed 64-bit range, so store and compare this field as a string or as an unsigned 64-bit integer. |
request_status (string) | Blocked | Action applied to the client request |
response_code (non-negative integer) | 200 | HTTP response code returned by the back-end server (application). Only meaningful for requests that were not blocked; blocked requests log 0. |
ip_client (IP address) | 192.168.5.10 | Client source IP address |
route_domain (non-negative integer) | 0 (zero) | Route domain number |
method (string) | GET | HTTP method requested by the client |
protocol (string) | HTTP, HTTPS | Protocol name |
query_string (string) | key1=val1&key2=val2 | Query sent by the client; the query appears in the first line of the HTTP request after the path and the question mark (?) |
x_forwarded_for_header_value (string) | 192.168.5.10 | Value of the X-Forwarded-For (XFF) HTTP header |
sig_ids (positive non-zero integer) | 200021069 | Signature ID number |
sig_names (string) | Automated client access %22wget%22 | Signature name; double quotes in the name are percent-encoded as %22 |
date_time (string) | 2012-09-19 13:52:29 | Date and time in the format YYYY-MM-DD HH:MM:SS |
severity (string) | Error | Severity category to which the event belongs |
attack_type (string) | Non-browser client | Name of the identified attack |
geo_location (string) | USA/NY | Country/city location information |
ip_address_intelligence (string) | Botnets, Scanners | List of IP intelligence categories found for the IP address |
username (string) | Admin | User name for the client session |
session_id (hexadecimal number) | a9141b68ac7b4958 | TCP session ID |
src_port (non-negative integer) | 52974 | Client protocol source port |
dest_port (non-negative integer) | 80 | Requested service listening port number |
dest_ip (IP address) | 192.168.5.11 | Requested service IP address |
sub_violations (string) | Bad HTTP version, Null in request | Comma-separated list of sub-violation strings |
virus_name (string) | Melissa | Virus name |
uri (string) | / | URI requested by the client |
request (string) | GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n | Request string sent by the client |
headers (string) | Host: myhost.com; Connection: close | Request headers; found in request logs |
response (string) | HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/> | HTTP response from the server when response logging is configured |
violation_details (string) | <?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG> | Extended information about a violation on a transaction, as an XML document. The http_sub_violation element (and the kw_data buffer of signature matches) is Base64-encoded; the example value decodes to "HTTP version not found". |
avr_id | 1 | AVR ID |
blocking_exception_reason | IP is in Whitelist | Reason why the illegal request was not blocked |
captcha_result | incorrect | Result of a CAPTCHA challenge |
client_type | Mobile App | Type of client that sent the request: mobile, browser, or bot |
device_id | 121564864531 | Collected fingerprint (device ID) |
fragment | a=7&b=5 | Query string when # (fragment) was the separator |
ip_with_route_domain | 172.26.36.17/5 | Source IP address with the route domain |
is_truncated | truncated | Set when the request was too long and the logged request was truncated |
management_ip_address_2 | 172.26.36.17 | Alternative management port IP address (dual-stack support) |
microservice | /a.com/index.php | The configured microservice that matched the request |
mobile_application_name | Shop Ttt | Mobile application name |
mobile_application_version | 4.1.5 | Mobile application version |
policy_apply_date | 2018-08-06 10:17:56 | The last time the policy was applied |
sig_set_names | {Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)},{Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)} | Names of the signature sets containing the matched signatures |
slot_number | 1 | Slot number |
staged_sig_ids | Comma-separated list | Comma-separated list of staged signature ID numbers |
staged_sig_names | XSS script tag end (Headers),XSS script tag (Headers) | Staged signature names |
staged_sig_set_names | {Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)},{Generic Detection Signatures;Generic Detection Signatures (High/Medium Accuracy)} | Staged signature set names |
staged_threat_campaign_names | XSS script tag end (Headers),XSS script tag (Headers) | Staged threat campaign names |
threat_campaign_names | XSS script tag end (Headers),XSS script tag (Headers) | Threat campaign names |
violation_rating | 4 | Overall violation rating of the request, calculated from all of its violations by the rating algorithm |
vs_name | Common/my_vs | Reporting virtual server name and partition |
websocket_direction | clientToServer | WebSocket direction |
websocket_message_type | Handshake | WebSocket message type |
login_result | N/A, Successful Login, Failed Login, "", Unknown Login Result | States whether the back-end server returned a failed or successful login, according to the criteria configured for the ASM login URL |
ASM Violations example events
This list contains examples of events you might find in ASM logs.
Examples of ASM log messages in the ArcSight CEF format
<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2| dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
Example of ASM log message in the Remote Server format
<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"","2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4","N/A","10.4.1.101","10.4.1.101%0","172.16.73.34","GET","2012-09-19 11:38:36","topaz4-web4","HTTP","","GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed","Response logging disabled","200","0","7514e0ee8f0eb493","Informational","","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>request</context><sig_data><sig_id>200021069</sig_id><blocking_mask>4</blocking_mask><kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbnUpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer><offset>0</offset><length>16</length></kw_data></sig_data></violation></request-violations></BAD_MSG>","","N/A","N/A"
Example of ASM log message in the Remote Syslog format
23003140
Examples of ASM log messages in the Reporting Server format
<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36", violations="",support_id="18205860747014045701",request_status="passed", response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET", protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A", sig_ids="",sig_names="",date_time="2012-09-19 13:40:26", severity="Informational",attack_type="",geo_location="N/A", ip_address_intelligence="N/A",username="N/A", session_id="98630496c8413322",src_port="52964",dest_port="80", dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/", request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25", violations="Attack signature detected",support_id="18205860747014045721", request_status="blocked",response_code="0",ip_client="10.4.1.101", route_domain="0",method="GET",protocol="HTTP",query_string="", x_forwarded_for_header_value="N/A",sig_ids="200021069", sig_names="Automated client access %22wget%22", date_time="2012-09-19 13:52:29",severity="Error", attack_type="Non-browser Client",geo_location="N/A", ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958", src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="", virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
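The Reporting Server format above is a comma-separated list of key="value" pairs after the ASM: marker, and the violation_details field nests an XML document whose http_sub_violation and kw_data buffer elements are Base64. The following parser is an added example, not code from this manual or from F5: it splits one event into fields, keeps support_id as a string (the example value is larger than a signed 64-bit integer), percent-decodes sig_names, and decodes the signature match out of violation_details using the offset and length. The sample event is constructed from the blocked "wget" event and the Remote Server XML shown above; the field names are the ones documented on this page.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: the blocked "wget" event from the Reporting Server
# examples, with the signature-match XML from the Remote Server example
# appended as violation_details. Not a fresh capture.
SAMPLE = (
    '<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",'
    'management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",'
    'policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25",'
    'violations="Attack signature detected",support_id="18205860747014045721",'
    'request_status="blocked",response_code="0",ip_client="10.4.1.101",route_domain="0",'
    'method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",'
    'sig_ids="200021069",sig_names="Automated client access %22wget%22",'
    'date_time="2012-09-19 13:52:29",severity="Error",attack_type="Non-browser Client",'
    'geo_location="N/A",ip_address_intelligence="N/A",username="N/A",'
    'session_id="a9141b68ac7b4958",src_port="52974",dest_port="80",dest_ip="10.4.1.200",'
    'sub_violations="",virus_name="N/A",uri="/",'
    'request="GET / HTTP/1.0\\r\\nUser-Agent: Wget/1.12 (linux-gnu)\\r\\nAccept: */*\\r\\n'
    'Host: 10.4.1.200\\r\\nConnection: Keep-Alive\\r\\n\\r\\n",'
    "violation_details=\"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>"
    "<violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name>"
    "<context>request</context><sig_data><sig_id>200021069</sig_id><blocking_mask>4</blocking_mask>"
    "<kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbnUpDQpBY2NlcHQ6ICovKg0K"
    "SG9zdDogMTAuNC4xLjIwMA0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer>"
    '<offset>0</offset><length>16</length></kw_data></sig_data></violation>'
    '</request-violations></BAD_MSG>"'
)

# The violation_details example from the field table (HTTP protocol compliance failure).
PROTOCOL_DETAILS = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation>"
    "<viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name>"
    "<http_sanity_checks_status>65536</http_sanity_checks_status>"
    "<http_sub_violation_status>65536</http_sub_violation_status>"
    "<http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation>"
    "</violation></request-violations></BAD_MSG>"
)

# key="value" where the value may contain commas and backslash sequences
# (ASM writes the request with literal \r\n) but no unescaped double quote.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_kv(line):
    """Split an ASM Reporting Server event into a dict of its documented fields."""
    prefix, _, body = line.partition("ASM:")   # prefix = syslog PRI, timestamp, host
    fields = dict(KV_RE.findall(body))
    fields["_prefix"] = prefix.strip()
    return fields


def decode_violation_details(xml_text):
    """Return (viol_name, sig_id, matched_text) per <violation>.

    kw_data/buffer is Base64; offset/length select the bytes the signature
    matched. http_sub_violation is Base64 text with no offset."""
    root = ET.fromstring(xml_text)
    out = []
    for viol in root.iter("violation"):
        matched = None
        kw = viol.find("sig_data/kw_data")
        if kw is not None:
            buf = base64.b64decode(kw.findtext("buffer"))
            off, ln = int(kw.findtext("offset")), int(kw.findtext("length"))
            matched = buf[off:off + ln].decode("latin-1")
        sub = viol.findtext("http_sub_violation")
        if sub:
            matched = base64.b64decode(sub).decode("latin-1")
        out.append((viol.findtext("viol_name"), viol.findtext("sig_data/sig_id"), matched))
    return out


def triage(line):
    """Reduce one event to what a detection rule needs."""
    f = parse_asm_kv(line)
    details = f.get("violation_details")
    return {
        "support_id": f["support_id"],               # keep as str: > 2**63 - 1
        "blocked": f["request_status"].lower() == "blocked",
        "client": f["ip_client"],
        "sig_ids": [s for s in f["sig_ids"].split(",") if s],
        "sig_names": unquote(f["sig_names"]),       # %22 -> "
        "matches": decode_violation_details(details) if details else [],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The support_id is the value to quote when opening a case and is the join key between the ASM log and the request log, so never coerce it to a signed integer in a SIEM schema.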
Fields in ASM Brute Force and Web Scraping event messages
This table lists the fields contained in event messages that might display in ASM logs.
The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description |
---|---|---|
act (string) | Alerted or Blocked | Action taken in response to the attack |
anomaly_attack_type (string) | DoS attack or Brute Force attack | Type of attack |
attack_id (integer) | 12345678 | Unique identifier of an attack |
attack_status (string) | Started, Ended, or Ongoing | Status of an attack |
current_mitigation (string) | Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent | How the attack is being mitigated |
date_time (string) | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | Current date and time in the format YYYY-MM-DD HH:MM:SS, or for ArcSight MMM DD YYYY HH:MM:SS |
detection_average (integer) | 400 | Historical average of TPS, latency, or failed logins |
detection_mode (string) | For DoS attacks: TPS Increased or Latency Increased; for Brute Force attacks: Number of Failed Logins Increased | How the attack was detected |
dropped_requests (integer) | 10000 | Number of dropped requests |
dvc (IP address) | 192.168.1.246 | BIG-IP system management IP address |
dvchost (string) | bigip-4.asm-ds.f5.com | BIG-IP system host name |
geo_location (string) | USA/NY | Country/city location information |
ip_list (IP addresses) | 192.168.5.10:ny, ny, usa:150 | Comma-delimited list of attacker IP addresses in the format client_ip_addr:geo_location:drops_counter. The geo_location part can itself contain commas, so split entries on the trailing :drops_counter rather than on commas. |
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address |
operation_mode (string) | Transparent or Blocking | Current operation mode of the security policy |
policy_apply_date (string) | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | Date and time the policy was last applied, in the format YYYY-MM-DD HH:MM:SS, or for ArcSight MMM DD YYYY HH:MM:SS |
policy_name (string) | My policy | Name of the currently active policy reporting the violation |
request (URL) | www.siterequest.com | Login URL attacked by the Brute Force attack |
rt (string) | Nov 07 2012 06:53:50 | Current date and time in the format MMM DD YYYY HH:MM:SS |
severity (string) | Emergency | Severity category; for attacks it is always Emergency |
source_ip (IP address) | 192.168.4.1:ny, ny, usa:150000 | IP address from which the attack originates, in the format client_ip_addr:geo_location:drops_counter |
src (IP address) | 192.168.4.1 | IP address from which the attack originates |
unit_hostname (string) | bigip-4.asm-ds.f5.com | BIG-IP system FQDN |
uri (string) | / | Login URL that was subject to the Brute Force attack |
url_list (URLs) | 192.168.50.1:sf, ca, usa:200 | Comma-delimited list of attacked URLs in the format client_ip_addr:geo_location:drops_counter |
violation_counter (integer) | 100 | Number of violations |
web_application_name (string) | My PTO | Name of the web application in which the violation occurred |
ASM Anomaly example events
This list shows the message templates used for anomaly (DoS, Brute Force and Web Scraping) events in ASM logs. The printf-style placeholders (%s, %d, %u, %ld, %llu) are replaced by the field values listed above when the event is logged.
Example of ASM Anomaly log messages in the ArcSight CEF format |
---|
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests |
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s |
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter |
Example of ASM Anomaly log messages in the Reporting Server format |
---|
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s", date_time="%s",severity="%s" |
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s" |
Example of ASM Anomaly log message in the Web Scraping format |
---|
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s" |
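The source_ip and ip_list values in these templates pack three fields into one string (client_ip_addr:geo_location:drops_counter, plus a fourth %u in the Web Scraping template), and the geo_location text is itself comma-separated, so a naive split on commas breaks the list apart. The parser below is an added example, not part of this manual or of F5's software; it anchors on the trailing numeric counters instead. The sample values are constructed to match the formats documented above; the IPv6 entry is my own addition to show that splitting on the last colon still isolates the address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples in the ip_list / source_ip formats documented above.
IP_LIST = "192.168.5.10:ny, ny, usa:150, 192.168.4.1:N/A:7, 2001:db8::1:sf, ca, usa:200"
SOURCE_IP = "192.168.4.1:ny, ny, usa:150000"             # Reporting Server: %s:%s:%llu
SCRAPING_SOURCE_IP = "192.168.4.1:ny, ny, usa:150000:42"  # Web Scraping: %s:%s:%llu:%u


@dataclass
class AttackerEntry:
    ip: str
    geo: str
    drops: int
    extra: Optional[int] = None   # the fourth %u field of the Web Scraping template


# One entry is <body>:<drops>[:<extra>] followed by ", " or end of string.
# Anchoring on the numeric tail is what lets "ny, ny, usa" keep its commas.
ENTRY_RE = re.compile(
    r"(?:^|,\s*)(?P<body>.+?):(?P<drops>\d+)(?::(?P<extra>\d+))?(?=,\s*|$)"
)


def parse_entry(body: str, drops: str, extra: Optional[str]) -> AttackerEntry:
    # geo_location never contains ':', so the LAST ':' in the body separates
    # ip from geo even when the ip is IPv6 (which contains its own colons).
    ip, _, geo = body.rpartition(":")
    return AttackerEntry(ip, geo, int(drops), int(extra) if extra else None)


def parse_ip_list(value: str) -> List[AttackerEntry]:
    return [parse_entry(m["body"], m["drops"], m["extra"]) for m in ENTRY_RE.finditer(value)]


def parse_source_ip(value: str) -> AttackerEntry:
    entries = parse_ip_list(value)
    if len(entries) != 1:
        raise ValueError(f"expected one entry, got {len(entries)}: {value!r}")
    return entries[0]


def top_attacker(entries: List[AttackerEntry]) -> AttackerEntry:
    """Entry with the most drops: the source to block or rate-limit first."""
    return max(entries, key=lambda e: e.drops)


if __name__ == "__main__":
    for e in parse_ip_list(IP_LIST):
        print(e)
    print("top:", top_attacker(parse_ip_list(IP_LIST)))
```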
Fields in AFM event messages
This table lists the fields that are contained in event messages that might display in
AFM logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description |
---|---|---|
acl_rule_name (string) | allow_http | Name of the ACL rule |
action (string) | Accept, Accept decisively, Drop, Reject, Established, Closed | Action performed |
hostname (string) | FQDN | BIG-IP system FQDN |
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address |
context_name (string) | /Common/topaz3-web3 | Name of the object to which the rule applies |
context_type (string) | Global, Route Domain, Virtual Server, Self IP address, or Management port | Category of the object to which the rule applies |
date_time (string) | Oct 04 2012 13:18:04 | Date and time the event occurred, in the format MMM DD YYYY HH:MM:SS |
dest_ip (IP address) | 192.168.3.1 | Destination IP address |
dest_port (integer) | 80 | Destination protocol port number |
device_product (string) | Advanced Firewall Module | Name of the BIG-IP module generating the event message |
device_vendor (string) | F5 | F5 static keyword |
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version including the build number, for example 11.3.0.2095.0 |
drop_reason (string) | (empty), <name of error>, Policy | Reason the action was performed |
errdefs_msgno (integer) | 23003137 | Event number |
errdefs_msg_name (string) | Network event | Event name |
ip_protocol (string) | TCP, UDP, ICMP | Name of the protocol |
severity (integer) | 8 | Level of the event, as a number |
partition_name (string) | Common | Name of the partition or folder in which the object resides |
route_domain (integer) | 1 | Route domain number (non-negative) |
src_ip (IP address) | 192.168.3.1 | Source IP address (appears as source_ip in the Reporting Server, Splunk and Syslog examples below) |
src_port (integer) | 80 | Source protocol port number (non-negative; appears as source_port in the examples below) |
vlan (string) | External | VLAN interface name |
AFM example events
This list contains examples of events you might find in AFM logs.
Examples of AFM log messages in the ArcSight CEF format |
---|
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name |
Examples of AFM log messages in the Reporting Server format |
---|
acl_rule_name="allow_http",action="Accept",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-web3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="52807",vlan="/Common/external" |
acl_rule_name="",action="Open",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external" |
acl_rule_name="",action="Closed",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external" |
Examples of AFM log messages in the Splunk format |
---|
acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
Example of AFM log message in the Syslog format |
---|
23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept","" |
23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum" |
Example of AFM log message in the Syslog BSD format |
---|
23003137 "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept","" |
23003137 "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum" |
Example of AFM log message in the Syslog Legacy F5 format |
---|
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp,Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910,/Common/external |
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external |
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external |
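The ArcSight CEF lines above (AFM here, and the ASM examples earlier on this page) carry a seven-field pipe-delimited header followed by space-separated key=value extensions in which values may contain spaces (rt=Oct 04 2012 13:15:29) or be empty (src= for the IPv6 event, whose addresses are in c6a2/c6a3), and in which the csN/cnN/c6aN custom fields are named by a companion csNLabel. The Syslog Legacy F5 line is a bare, unquoted comma-separated list. The code below is an added example, not F5's own or this manual's: it parses both into one record keyed by the field names in the AFM table. The positional layout assumed for the Legacy F5 line is inferred by matching the example values against the named Reporting Server examples, not documented by F5; the LEGACY_DROP sample is constructed from the Legacy F5 example with the action and drop_reason of the Splunk "Drop" example substituted in.

```python
import re

# Constructed samples: CEF_ACCEPT and CEF_V6 are the AFM CEF examples above;
# LEGACY_DROP is the Legacy F5 line with Drop / "Bad TCP checksum" substituted.
CEF_ACCEPT = (
    "CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|"
    "rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 "
    "src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP "
    "cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan "
    "act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address "
    "cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name"
)
CEF_V6 = (
    "CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|"
    "rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 "
    "src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan "
    "act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address "
    "cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name"
)
LEGACY_DROP = (
    "Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 "
    ",Drop,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,"
    "10.3.1.200,1666,Bad TCP checksum,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "errdefs_msgno", "errdefs_msg_name", "severity")
CEF_TO_AFM = {"rt": "date_time", "dvchost": "hostname", "dvc": "bigip_mgmt_ip",
              "src": "src_ip", "spt": "src_port", "dst": "dest_ip", "dpt": "dest_port",
              "proto": "ip_protocol", "act": "action"}
# Split extensions on whitespace that is directly followed by the next key=.
EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
EXT_UNESCAPE = re.compile(r"\\(.)")          # \= \\ \n \r inside a value


def split_cef_header(line):
    """Return (header dict, extension string); '\\|' is an escaped pipe."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) != 7:
        raise ValueError("not a CEF record")
    if parts[0].startswith("CEF:"):
        parts[0] = parts[0][4:]
    return dict(zip(HEADER_FIELDS, parts)), line[i:]


def parse_cef_extension(ext):
    raw = {}
    for tok in EXT_SPLIT.split(ext.strip()):
        if not tok:
            continue
        key, _, val = tok.partition("=")
        raw[key] = EXT_UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), val)
    # Resolve ArcSight custom fields: cs5=allow_https cs5Label=acl_rule_name
    # becomes acl_rule_name=allow_https.
    return {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}


def parse_cef(line):
    """Normalise an AFM/ASM CEF event to the Reporting Server field names."""
    header, ext = split_cef_header(line)
    fields = parse_cef_extension(ext)
    rec = dict(header)
    for key, val in fields.items():
        rec[CEF_TO_AFM.get(key, key)] = val
    # IPv6 events leave src=/dst= empty and put the addresses in c6a2/c6a3.
    rec["src_ip"] = rec.get("src_ip") or fields.get("source_address", "")
    rec["dest_ip"] = rec.get("dest_ip") or fields.get("destination_address", "")
    return rec


# Assumed positional layout of the Legacy F5 line (inferred from the examples).
# Values are unquoted, so a comma inside drop_reason would shift later fields.
LEGACY_FIELDS = ("acl_rule_name", "action", "hostname", "context_name", "context_type",
                 "date_time", "dest_ip", "dest_port", "drop_reason", "bigip_mgmt_ip",
                 "ip_protocol", "route_domain", "src_ip", "src_port", "vlan")
LEGACY_RE = re.compile(r"tmm\[\d+\]: (?P<msgno>\d+) (?P<body>.*)$")


def parse_legacy_f5(line):
    m = LEGACY_RE.search(line)
    if not m:
        raise ValueError("not a Legacy F5 AFM line")
    values = m["body"].split(",")
    if len(values) != len(LEGACY_FIELDS):
        raise ValueError(f"expected {len(LEGACY_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(LEGACY_FIELDS, values))
    rec["errdefs_msgno"] = m["msgno"]
    return rec


def is_denied(rec):
    """Drop and Reject are the AFM actions that refuse traffic."""
    return rec.get("action") in ("Drop", "Reject")


if __name__ == "__main__":
    for line in (CEF_ACCEPT, CEF_V6):
        print(parse_cef(line))
    print(parse_legacy_f5(LEGACY_DROP))
```

The extension splitter relies on the CEF convention that values never contain a space followed by a token ending in "="; a URL or User-Agent carrying "foo bar=baz" would be split wrongly, which is why the ASM full_request value (cs3) is always the last extension in the ASM CEF examples.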
Fields in Network DoS Protection event messages
This table lists the fields that are contained in event messages that might display in the DoS Protection logs.
Field name and
type |
Example value |
Description |
---|---|---|
action (string) |
Allow, Drop, None |
Action performed or
reported |
hostname (string) |
FQDN |
BIG-IP system FQDN |
bigip_mgmt_ip (IP
address) |
192.168.1.246 |
BIG-IP system management IP
address |
date_time (string) |
01 11 2012 13:11:10 |
Date and time the event occurred
in this format: MMM DD YYYY HH:MM:SS |
dest_ip (IP address) |
192.168.3.1 |
Destination IP address |
dest_port (integer) |
80 |
Protocol port number
(non-negative) |
device_product (string) |
Advanced Firewall
Module |
Name of BIG-IP system generating
the event message |
device_vendor (string) |
F5 |
F5 static keyword |
device_version (string) |
11.3.0.2012.0 |
BIG-IP system software version in
the format mm.dd.0.yyyy.0 |
dos_attack_event
(string) |
Attack started, Attack Sampled,
Attack Stopped |
Attack instances start and stop
events |
dos_attack_id (string) |
2760296639 |
Unique, non-negative, attack
ID |
dos_attack_name
(string) |
ICMP Flood, Bad TCP
checksum |
Network DoS event |
errdefs_msgno (integer) |
23003138 |
Static number |
errdefs_msg_name
(string) |
Network DoS event |
Static keyword |
severity (integer) |
8 |
Event severity value (non-negative
integer) |
partition_name (string) |
Common |
Name of the partition in which the
virtual server resides |
route_domain (integer) |
1 |
Route domain number
(non-negative) |
src_ip (IP address) |
192.168.3.1 |
Source IP address |
src_port (integer) |
80 |
Protocol port number
(non-negative) |
vlan (string) |
External |
Name of the VLAN
interface |
timestamp |
-none- |
Date and time of the request |
reported_entity_type (string) |
Source IP |
Which entity is reported at this time. Should be self-explanatory. Source IP,
Geo-Location, URL, Site-Wide |
profile_name |
dos1 |
Dos profile name |
event_id |
-none- |
-none- |
dos_mitigation_reason |
Abnormal volume |
Why this mitigation happened on an entity. Abnormal volume: Happened due to an
unusual high volume of traffic coming from this entity. Other entity in request:
The entity is reported since it was sending traffic to /from a mitigated mitigated
entity (for example, a non suspicious IP is sending traffic to a mitigated URL and thus
get blocked. This IP should be reported with other entity in request). Not
mitigated: this entity was not mitigated; it is still suspicious. Bot Signature
Matched: A bot signature was matched on the entity. There is no information on which bot
signature is matched. Bot filtering: Dropped due to proactive bot defense system
(may be seen also not during attacks). Auto-detected heavy URL: Detected as heavy
URL automatically and therefore mitigated. Configured heavy URL: Detected as heavy
URL manually and therefore mitigated. Disallowed GEO-location: Traffic is coming
from a configured disallowed geo location. Behavioral Anomaly: Mitigated by the
behavioral dos. |
dos_mitigate_to_threshold |
-none- |
Apply mitigation until threshold is back to this rate |
bigip_mgmt_ip_2 |
-none- |
Alternative IP Address of Management Port (dual stack support) |
dos_incoming_requests_count |
1 |
The number of incoming requests getting into the attacked VS/profile
pair |
dos_dropped_requests_count |
1 |
Number of dropped requests or incoming requests. This is actually incoming
requests – outgoing requests. Includes challenges replies – so even if the
challenge ends up answering it will be counted as a single drop. |
dos_detection_threshold |
1 |
What threshold was crossed |
dos_detection_condition |
-none- |
Threshold type |
dos_current_traffic_percent |
-none- |
Current entity Traffic Share (for geo entity only) |
dos_baseline_traffic_percent |
-none- |
Legitimate entity Traffic Share (for geo entity only) |
dos_baseline_tps |
-none- |
Legitimate entity TPS |
dos_baseline_latency |
-none- |
Legitimate entity latency |
dos_attack_tps |
1 |
Entity TPS |
dos_attack_latency |
1 |
Entity latency |
dos_attack_detection_mode |
TPS Increased |
How the attack was detected. TPS Increased: The attack was detected due to an increase in TPS. Server Stress Detected: The attack was detected due to an increase in server latency (stress), together with an IP address or URL that has passed a TPS threshold. |
device_id |
-none- |
Device-ID (relevant for IP entity only) |
device_blade |
-none- |
Blade ID |
context_type |
Virtual Server |
Type of context the event applies to (for example, Virtual Server) |
context_name |
v1 |
The Virtual Server name |
configuration_date_time |
-none- |
Date and time entry of the last configuration update |
client_request_uri |
/ |
URL (Relevant only for URL entity) |
client_ip_geo_location |
-none- |
Geo location (relevant for IP/GEO entity) |
Default Device DoS/DDoS attack signatures
The following tables, organized by DoS category, list AFM default device DoS attacks, and provide a short description and relevant information. You can adjust the thresholds in device protection by clicking the attack types and adjusting the properties.
Network attack types
Vector | Information | Hardware accelerated |
---|---|---|
ARP Flood | ARP packet flood | Yes |
Bad ICMP Checksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. | Yes |
Bad ICMP Frame | The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. | Yes |
Bad IGMP Frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. | Yes |
Bad IP TTL Value | Time-to-live equals zero for an IPv4 packet. | Yes |
Bad IP Version | The version in the IPv4 header is not 4. | Yes |
Bad IPv6 Addr | IPv6 source IP = 0xff00:: | Yes |
Bad IPV6 Hop Count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. | Yes |
Bad IPV6 Version | The version in the IPv6 header is not 6. | Yes |
Bad SCTP Checksum | Bad SCTP packet checksum. | No |
Bad Source | The IPv4 source IP = 255.255.255.255 or 0xe0000000 (224.0.0.0). | Yes |
Bad TCP Checksum | The TCP checksum does not match. | Yes |
Bad TCP Flags (All Cleared) | Bad TCP flags (all cleared and SEQ#=0). | Yes |
Bad TCP Flags (All Flags Set) | Bad TCP flags (all flags set). | Yes |
Bad UDP Checksum | The UDP checksum is not correct. | Yes |
Bad UDP Header (UDP Length > IP Length or L2 Length) | UDP length is greater than IP length or Layer 2 length. | Yes |
Ethernet Broadcast Packet | Ethernet broadcast packet flood | Yes |
Ethernet MAC Source Address == Destination Address | Ethernet MAC source address equals the destination address. | Yes |
Ethernet Multicast Packet | Ethernet multicast packet flood | Yes |
FIN Only Set | Bad TCP flags (only FIN is set). | Yes |
Header Length > L2 Length | No room in the Layer 2 packet for the IPv4 header (including options). | Yes |
Header Length Too Short | IPv4 header length is less than 20 bytes. | Yes |
Host Unreachable | Host unreachable error | Yes |
ICMP Fragment | ICMP fragment flood | Yes |
ICMP Frame Too Large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <n>, where <n> is <= 65515. | Yes |
ICMPv4 Flood | Flood with ICMPv4 packets | Yes |
ICMPv6 Flood | Flood with ICMPv6 packets | Yes |
IGMP Flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2) | Yes |
IGMP Fragment Flood | Fragmented packet flood with IGMP protocol | Yes |
IP Error Checksum | The header checksum is not correct. | Yes |
IP Fragment Error | Other IPv4 fragment error | Yes |
IP Fragment Flood | Fragmented packet flood with IPv4 | Yes |
IP Fragment Overlap | IPv4 overlapping fragment error | No |
IP Fragment Too Small | IPv4 short fragment error | Yes |
IP Length > L2 Length | The total length in the IPv4 header or the payload length in the IPv6 header is greater than the Layer 3 length in a Layer 2 packet. | Yes |
IP Option Frames | IPv4 packets that are part of an IP option frame flood. On the command line, the db variable tm.acceptipsourceroute must be enabled to receive IP options. | Yes |
IP Option Illegal Length | Option present with illegal length. | No |
IP uncommon proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes |
IP Unknown protocol | Unknown IP protocol | No |
IPv4 mapped IPv6 | The IPv6 stack is receiving IPv4 packets. | Yes |
IPV6 Atomic Fragment | IPv6 Fragment header present with M=0 and FragOffset=0. | Yes |
IPv6 duplicate extension headers | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. | Yes |
IPv6 Extended Header Frames | IPv6 packet contains extended header frames. | Yes |
IPv6 extended headers wrong order | Extension headers in the IPv6 header are in the wrong order. | Yes |
IPv6 extension header too large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <n>, where <n> is 0-1024. | Yes |
IPv6 Fragment Error | Other IPv6 fragment error | Yes |
IPv6 Fragment Flood | Fragmented packet flood with IPv6 | Yes |
IPv6 Fragment Overlap | IPv6 overlapping fragment error | No |
IPv6 Fragment Too Small | IPv6 short fragment error | Yes |
IPv6 hop count <= <tunable> | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <n>, where <n> is 1-4. | Yes |
IPv6 Length > L2 Length | IPv6 packet length is greater than the Layer 2 length. | Yes |
L2 Length >> IP Length | Layer 2 packet length is much greater than the payload length in the IPv4 header, and the Layer 2 length is greater than the minimum packet size. | Yes |
LAND Attack | Source IP equals destination IP address | Yes |
No L4 | No Layer 4 payload for an IPv4 packet. | Yes |
No L4 (Extended Headers Go To Or Past End of Frame) | Extended headers go to the end or past the end of the L4 frame. | Yes |
No Listener Match | This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem. | |
Non TCP Connection | Sets a connection rate limit for non-TCP flows that takes into account all other connections per second. | |
Option Present With Illegal Length | Packets contain an option with an illegal length. | Yes |
Payload Length < L2 Length | Specified IPv6 payload length is less than the L2 packet length. | Yes |
Routing Header Type 0 | Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack. | Yes |
Single Endpoint Flood | Flood to a single endpoint, which can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
Single Endpoint Sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No |
SYN && FIN Set | Bad TCP flags (SYN and FIN set). | Yes |
TCP BADACK Flood | TCP ACK packet flood | No |
TCP Flags - Bad URG | Packet contains a bad URG flag; this is likely malicious. | Yes |
TCP Half Open | TCP connection whose state is out of synchronization between the two communicating hosts | Yes |
TCP Header Length > L2 Length | The TCP header length exceeds the Layer 2 length. | Yes |
TCP Header Length Too Short (Length < 5) | The Data Offset value in the TCP header is less than five 32-bit words. | Yes |
TCP Option Overruns TCP Header | The TCP option bits overrun the TCP header. | Yes |
TCP PUSH Flood | TCP PUSH flood | Yes |
TCP RST Flood | TCP RST flood | Yes |
TCP SYN ACK Flood | TCP SYN/ACK flood | Yes |
TCP SYN Flood | TCP SYN flood | Yes |
TCP SYN Oversize | Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value, in tmsh: modify sys db dos.maxsynsize value <n>. The default size in bytes is 64 and the maximum allowable value is 9216. | Yes |
TCP Window Size | The TCP window size in packets is above the maximum size. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value <n>, where <n> is <= 128. | Yes |
TIDCMP | ICMP source quench attack | Yes |
Too Many Extension Headers | For an IPv6 packet, there are too many extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <n>, where <n> is 0-15. | Yes |
TTL <= <tunable> | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <n>, where <n> is 1-4. | Yes |
UDP Flood | UDP flood attack | Yes |
Unknown Option Type | Unknown IP option type. | No |
Unknown TCP Option Type | Unknown TCP option type. | Yes |
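Several of the vectors above are per-packet header checks that can be written down directly, which is useful when you need to reproduce a hit offline from a capture. The following is an added Python example (illustrative code, not the BIG-IP implementation and not part of this manual) that applies the table's definitions of Bad IGMP Frame, TTL <= <tunable>, LAND Attack, Bad Source, IP uncommon proto, the header-length checks and the TCP flag vectors to raw IPv4 packets. The packet builders and every packet they produce are constructed test inputs; DOS_IPLOWTTL mirrors the dos.iplowttl default of 1, and reading "all flags set" as the six classic TCP flag bits is an assumption.

```python
"""Added example: software versions of a few per-packet device DoS vectors from
the network attack table.  Illustrative code, not the BIG-IP implementation.
All packets built here are constructed test inputs."""
import struct
from socket import inet_aton

DOS_IPLOWTTL = 1                        # default of the dos.iplowttl db variable (tunable 1-4)
COMMON_PROTOS = {6, 17, 1, 58, 132}     # TCP, UDP, ICMP, IPV6-ICMP, SCTP: not "uncommon"
IGMP_VALID_TYPES = {0x11, 0x12, 0x16, 0x17, 0x22}   # accepted IGMP type byte (bits 7:0)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_SIX_FLAGS = 0x3F                    # assumption: "all flags set" = the six classic bits


def check_igmp(igmp: bytes) -> list:
    """Bad IGMP Frame: header >= 8 bytes, known type, and bits 15:8 (max response
    time) non-zero only for a Membership Query (0x11)."""
    if len(igmp) < 8 or igmp[0] not in IGMP_VALID_TYPES:
        return ["Bad IGMP Frame"]
    if igmp[1] != 0 and igmp[0] != 0x11:
        return ["Bad IGMP Frame"]
    return []


def check_tcp(tcp: bytes, l2_room: int) -> list:
    """TCP header-length and flag vectors; l2_room is the byte count left in the frame."""
    if len(tcp) < 20:
        return ["TCP Header Length > L2 Length"]
    seq = struct.unpack_from("!I", tcp, 4)[0]
    doff = tcp[12] >> 4                 # Data Offset in 32-bit words
    flags = tcp[13] & TCP_SIX_FLAGS
    hits = []
    if doff < 5:
        hits.append("TCP Header Length Too Short (Length < 5)")
    if doff * 4 > l2_room:
        hits.append("TCP Header Length > L2 Length")
    if flags == 0 and seq == 0:
        hits.append("Bad TCP Flags (All Cleared)")
    if flags == TCP_SIX_FLAGS:
        hits.append("Bad TCP Flags (All Flags Set)")
    if flags & TCP_SYN and flags & TCP_FIN:
        hits.append("SYN && FIN Set")
    if flags == TCP_FIN:
        hits.append("FIN Only Set")
    return hits


def classify_ipv4(pkt: bytes) -> list:
    """Return the table's vector names that a raw IPv4 packet (no L2 header) trips."""
    if len(pkt) < 20:
        return ["Header Length > L2 Length"]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    hits = []
    if version != 4:
        hits.append("Bad IP Version")
    if ihl < 20:
        hits.append("Header Length Too Short")
    if ihl > len(pkt):
        hits.append("Header Length > L2 Length")
    if total_len > len(pkt):
        hits.append("IP Length > L2 Length")
    if ttl == 0:
        hits.append("Bad IP TTL Value")
    elif ttl <= DOS_IPLOWTTL and not 224 <= dst[0] <= 239:   # multicast destinations are exempt
        hits.append("TTL <= <tunable>")
    if src == dst:
        hits.append("LAND Attack")
    if src in (b"\xff\xff\xff\xff", b"\xe0\x00\x00\x00"):      # 255.255.255.255 / 0xe0000000
        hits.append("Bad Source")
    if proto not in COMMON_PROTOS:
        hits.append("IP uncommon proto")
    payload = pkt[ihl:]
    if proto == 6:
        hits += check_tcp(payload, len(pkt) - ihl)
    elif proto == 2:
        hits += check_igmp(payload)
    return hits


# --- constructed packet builders (test inputs: zero checksums, no IP options) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int, seq: int = 1) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_igmp(igmp_type: int, max_resp: int, group: str = "224.0.0.1") -> bytes:
    return struct.pack("!BBH4s", igmp_type, max_resp, 0, inet_aton(group))


if __name__ == "__main__":
    samples = {
        "LAND + SYN/FIN": build_ipv4("10.0.0.5", "10.0.0.5", 6, build_tcp(80, 80, TCP_SYN | TCP_FIN)),
        "low TTL unicast": build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 8, ttl=1),
        "low TTL multicast": build_ipv4("10.0.0.1", "224.0.0.251", 17, b"\x00" * 8, ttl=1),
        "IGMP report w/ max-resp": build_ipv4("10.0.0.1", "224.0.0.1", 2, build_igmp(0x12, 10)),
        "plain SYN": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(12345, 443, TCP_SYN)),
    }
    for label, pkt in samples.items():
        print(f"{label:24} -> {classify_ipv4(pkt)}")
```

Note the multicast exemption in the TTL check: a TTL of 1 to 224.0.0.251 (mDNS) is normal link-local traffic and is not a hit, which is exactly the false positive the vector's "destination that is not multicast" wording avoids. Also note that, read literally, IGMP (protocol 2) is on the default uncommon-protocol list even though it has vectors of its own, so an IGMP packet here trips both.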
DNS attack vectors
For the per-query-type vectors below, the VLAN on which DNS traffic is inspected is tunable. To tune this value, in tmsh: modify sys db dos.dnsvlan value <n>, where <n> is 0-4094.
Vector | Information | Hardware accelerated |
---|---|---|
DNS A Query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS AAAA Query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS AXFR Query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS Any Query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS CNAME Query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS IXFR Query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS MX Query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS Malformed | Malformed DNS packet | Yes |
DNS NS Query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS NXDOMAIN Query | DNS query. Queried domain name does not exist. | Yes |
DNS OTHER Query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS Oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value <n>, where <n> is 256-8192. | Yes |
DNS PTR Query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS Question Items != 1 | DNS query, DNS Qtype is ANY_QRY, and the DNS query has more than one question. | Yes |
DNS Response Flood | UDP packet with DNS port 53, DNS header flags bit 15 is 1 (response), VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS SOA Query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS SRV Query | UDP packet, DNS Qtype is SRV, VLAN is <tunable> (dos.dnsvlan). | Yes |
DNS TXT Query | UDP packet, DNS Qtype is TXT, VLAN is <tunable> (dos.dnsvlan). | Yes |
SIP attack vectors
Vector | Information | Hardware accelerated |
---|---|---|
SIP ACK Method | SIP ACK packets | Yes |
SIP BYE Method | SIP BYE packets | Yes |
SIP CANCEL Method | SIP CANCEL packets | Yes |
SIP INVITE Method | SIP INVITE packets | Yes |
SIP Malformed | Malformed SIP packets | Yes |
SIP MESSAGE Method | SIP MESSAGE packets | Yes |
SIP NOTIFY Method | SIP NOTIFY packets | Yes |
SIP OPTIONS Method | SIP OPTIONS packets | Yes |
SIP OTHER Method | Other SIP method packets | Yes |
SIP PRACK Method | SIP PRACK packets | Yes |
SIP PUBLISH Method | SIP PUBLISH packets | Yes |
SIP REGISTER Method | SIP REGISTER packets | Yes |
SIP SUBSCRIBE Method | SIP SUBSCRIBE packets | Yes |
SIP URI Limit | The SIP URI exceeds the limit. | Yes |
Network DoS Protection example events
This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.
Example of Network DoS Protection log message in the ArcSight format |
---|
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address |
Example of Network DoS Protection log message in the Remote Syslog format |
---|
"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop" |
Examples of Network DoS Protection log messages in Reporting Server format |
---|
Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="" |
Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external" |
Examples of DoS Protection log messages in the Splunk format (the first two are Application DoS events reported by ASM, as the device_product and errdefs_msg_name values show; the third is a Network DoS event reported by AFM) |
---|
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0" |
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="" |
action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
Example of Network DoS Protection log message in the Syslog format |
---|
23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop" |
Example of Network DoS Protection log message in the Syslog F5 format |
---|
23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop" |
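The same attack is reported above in several shapes: a CEF line whose attack fields hide behind cn1/cs1/cs2 labels, and comma-separated key="value" lines (the Reporting Server and Splunk formats, which is also the shape the ASM Application DoS fields at the top of this chapter appear in). As an added example (not F5 code), the Python below parses both shapes into one field set keyed by the names used in the tables, then correlates events by dos_attack_id so the Attack Started / Attack Sampled lifecycle, drop count, sources and VLANs of one attack can be followed regardless of which format a given collector received. The lines in SAMPLE_LINES are constructed to match the formats on this page, not real captures; the CEF parser assumes no escaped pipes in the header, which holds for the samples here.

```python
"""Added example (not F5 code): parse AFM Network DoS events in the CEF/ArcSight
and key="value" (Reporting Server / Splunk) formats and correlate them by
dos_attack_id.  SAMPLE_LINES are constructed to match the formats on the page."""
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# CEF extension: key=value where the value runs until the next " key=" or end of line
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_kv(line: str) -> dict:
    """Reporting Server / Splunk style: comma-separated key="value" pairs."""
    return dict(KV_RE.findall(line))


def parse_cef(line: str) -> dict:
    """ArcSight CEF: 7 pipe-separated header fields, then the extension.
    Labelled custom fields (cs2=/Common/VLAN10 cs2Label=vlan) are folded into
    their label names so the result uses the same keys as parse_kv().
    Assumption: no escaped pipes in the header (true for the page's samples)."""
    cef = line[line.index("CEF:"):]
    _, vendor, product, version, sig_id, name, severity, ext = cef.split("|", 7)
    fields = dict(CEF_EXT_RE.findall(ext))
    named = {label: fields[key[:-5]] for key, label in fields.items()
             if key.endswith("Label") and key[:-5] in fields}
    return {
        "device_vendor": vendor, "device_product": product, "device_version": version,
        "dos_attack_name": sig_id, "severity": severity,
        "action": fields.get("act", name),
        "hostname": fields.get("dvchost", ""), "bigip_mgmt_ip": fields.get("dvc", ""),
        "date_time": fields.get("rt", ""),
        "source_ip": named.get("source_address") or fields.get("src", ""),
        "dest_ip": named.get("destination_address") or fields.get("dst", ""),
        "source_port": fields.get("spt", ""), "dest_port": fields.get("dpt", ""),
        "dos_attack_id": named.get("attack_id", ""),
        "dos_attack_event": named.get("attack_status", ""),
        "vlan": named.get("vlan", ""), "route_domain": named.get("route_domain", ""),
    }


def parse_event(line: str) -> dict:
    return parse_cef(line) if "CEF:" in line else parse_kv(line)


def correlate(lines) -> dict:
    """Group events by dos_attack_id (first-seen order): lifecycle, drops, sources, VLANs."""
    attacks = {}
    for line in lines:
        ev = parse_event(line)
        a = attacks.setdefault(ev.get("dos_attack_id", ""), {
            "name": ev.get("dos_attack_name", ""), "events": [], "drops": 0,
            "sources": set(), "vlans": set()})
        a["events"].append(ev.get("dos_attack_event", ""))
        if ev.get("action") == "Drop":
            a["drops"] += 1
        if ev.get("source_ip"):
            a["sources"].add(ev["source_ip"])
        if ev.get("vlan"):
            a["vlans"].add(ev["vlan"])
    return attacks


# Constructed sample lines (same shapes as the page's examples; not real captures)
SAMPLE_LINES = [
    # Reporting Server format: one attack, Started then Sampled
    'action="None",hostname="bigip-7.example.com",bigip_mgmt_ip="192.168.73.18",'
    'date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",'
    'device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",'
    'dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",'
    'errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",'
    'source_ip="",source_port="",vlan=""',
    'action="Drop",hostname="bigip-7.example.com",bigip_mgmt_ip="192.168.73.18",'
    'date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",'
    'device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",'
    'dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",'
    'errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",'
    'source_ip="",source_port="",vlan="/Common/external"',
    # a second attack seen once in CEF and once in key="value" form
    'CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|'
    'dvchost=asm176.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop '
    'cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 '
    'dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 '
    'cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 '
    'c6a3Label=destination_address',
    'action="Drop",hostname="asm176.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",'
    'date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",'
    'device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",'
    'dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",'
    'errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",'
    'route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"',
]

if __name__ == "__main__":
    for aid, a in correlate(SAMPLE_LINES).items():
        print(aid, a["name"], a["events"], "drops:", a["drops"], "sources:", sorted(a["sources"]))
```

When wiring this to a SIEM, key on dos_attack_id rather than on attack name plus VLAN: the ID is what ties an Attack Started record (which carries no VLAN or source) to the later Attack Sampled records that do.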
Fields in Protocol Security event messages
This table lists the fields that are contained in event messages that might display in
the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type |
Example value |
Description |
---|---|---|
date_time (string) |
Oct 5 11:37:14 |
Date and time the event occurred in this format: MMM DD HH:MM:SS |
hostname (string) |
bigip-4.pme-ds.f5.com |
BIG-IP system FQDN |
PSM: (string) |
PSM: |
Static keyword that identifies the message as a Protocol Security event |
protocol (string) |
FTP, SMTP, HTTP, DNS |
Protocol name |
ip_client (IP address) |
192.168.5.10 |
Client source IP address |
dest_ip (IP address) |
192.168.3.1 |
Destination IP address |
vs_name (string) |
Common/my_vs |
Reporting virtual server name and partition |
policy_name (string) |
My security policy |
Name of the security policy reporting the violation |
violations (string) |
Active mode |
Violation name |
virus_name (string) |
<name of virus> |
Virus name |
management_ip_address (IP address) |
192.168.1.246 |
BIG-IP system management IP address |
unit_hostname (string) |
bigip-4.pme-ds.f5.com |
BIG-IP system FQDN |
request_status (string) |
Blocked |
Action applied to the client request |
dest_port (integer) |
80 |
Protocol port number (non-negative) |
src_port (integer) |
80 |
Protocol port number (non-negative) |
route_domain (integer) |
1 |
Route domain number (non-negative) |
geo_location (string) |
NY, NY, USA |
City, state, country location information |
violation_details (string) |
port/sendport 10,3,0,33,42,88 |
Violation description and the values passed |
Protocol Security example events
This list contains examples of events you might find in the Protocol Security logs.
Example of Protocol Security log message in the ArcSight format |
---|
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A |
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A |
Oct 5 11:49:23 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A |
Example of Protocol Security log message in the Remote Server format |
---|
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="Active mode",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="port/sendport 10,3,0,33,42,88" |
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="FTP commands",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="list/dir/mdir" |
Oct 5 11:55:23 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="FTP commands",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="pwd" |
Example of Protocol Security log message in the Syslog format |
---|
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22" |
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","nlist/mls" |
Oct 5 11:37:23 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","cwd .." |
Example of Protocol Security log message in the Syslog BSD format |
---|
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217" |
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","nlist/mls" |
Example of Protocol Security log message in the Syslog legacy format |
---|
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197" |
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","nlist/mls" |
Fields in DNS event messages
This table lists the fields that are contained in event messages that might display in
the DNS logs. The fields are listed in the order in which they appear in a message in the
log.
Field name and type |
Example value |
Description |
---|---|---|
errdefs_msgno (integer) |
23003141 |
Static number 23003141 |
date_time (string) |
Nov 13 2012 12:12:10 |
Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS |
bigip_mgmt_ip (IP address) |
192.168.1.246 |
BIG-IP system management IP address |
hostname (string) |
bigip-4.pme-ds.f5.com |
BIG-IP system FQDN |
context_name (string) |
/Common/vs1_udp |
Partition in which the virtual server resides and name of the virtual server |
vlan (string) |
External |
Name of the VLAN interface |
query_type (string) |
A |
Type of DNS query causing the attack |
dns_query_name (string) |
siterequest.com |
Name being queried |
partition_name (string) |
Common |
Name of the partition in which the virtual server resides |
attack_type (string) |
CNAME |
DNS query causing the attack |
action (string) |
None, Drop, Allow |
Action performed or reported |
src_ip (IP address) |
192.168.3.1 |
Source IP address |
dest_ip (IP address) |
192.168.3.2 |
Destination IP address |
src_port (integer) |
80 |
Protocol port number (non-negative) |
dest_port (integer) |
80 |
Protocol port number (non-negative) |
route_domain (integer) |
1 |
Route domain number (non-negative) |
DNS attack types
This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attack types correspond to the DNS query types a client can request; when requests of a given type arrive at a high rate and exceed the configured watermark, they generate a DNS DoS event.
Attack name (RFC number) |
Description |
---|---|
a (1035) |
Returns a 32-bit IPv4 address record |
aaaa (3596) |
Returns a 128-bit IPv6 address record |
afsdb (1183) |
Location of database servers of an AFS database record |
any (1035) |
Returns all cached records of all types |
atma |
ATM address |
axfr (1035) |
Authoritative zone transfer |
cert (4398) |
Stores PKIX, SPKI, and PGP certificate record |
cname (1035) |
Alias of one name to another (canonical name record) |
dname (2672) |
DNAME (delegation name) creates an alias for a name and all its subnames |
eid |
Endpoint identifier |
gpos (1712) |
Geographical position (state, country) |
hinfo (1035) |
Host information |
isdn (1183) |
ISDN address |
ixfr (1995) |
Incremental zone transfer |
key (2535, 2930) |
Key record; used only for SIG(0) (RFC 2931) and TKEY (RFC 2930) |
kx (2230) |
Key exchange record; identifies a key management agent for the associated domain name (not associated with DNSSEC) |
loc (1876) |
Location record |
maila (1035) |
Request for mail agent resource records |
mailb (1035) |
Mailbox or mail list information (MINFO) |
mb (1035) |
Mailbox domain name |
md |
Mail destination |
mf (1035) |
Mail forwarder |
mg (1035) |
Mail group member |
minfo (1035) |
Mailbox or mail list information |
mr (1035) |
Mail rename domain name |
mx (1035) |
Mail exchange record |
naptr (3403) |
Naming authority pointer |
nimloc (1002) |
Nimrod locator |
ns (1035) |
Nameserver record |
nsap (1706) |
NSAP style A record |
nsap-ptr (1348) |
NSAP style domain name pointer |
null (1035) |
Null resource record |
nxt (2535) |
Next domain |
opt (2671) |
Pseudo DNS record type that supports EDNS |
ptr (1035) |
Pointer to a canonical name |
px (2163) |
X.400 mail mapping information |
rp (1183) |
Contact information for the person(s) responsible for the domain |
rt (1183) |
Route through |
sig (2535) |
Signature record |
sink |
DNS sinkhole |
soa (1035) |
Start of authority record |
srv (2782) |
Service locator record |
tkey (2930) |
Secret key record |
tsig (2845) |
Transaction signature that authenticates dynamic updates as coming from an approved
client, or authenticates responses as coming from an approved recursive name
server |
txt (1035) |
Text record |
wks (1035) |
Well-known services record |
x25 (1183) |
X.25 PSDN address |
zxfr |
Compressed zone transfer |
DNS example events
This list contains examples of events you might find in the DNS logs.
Example of DNS log message in the ArcSight CEF format |
---|
Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address |
Example of DNS log message in the Reporting Server format |
---|
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0" |
Example of DNS log message in the Syslog format |
---|
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0" |
Fields in DNS DoS event messages
This table lists the fields that are contained in event messages that might display in
the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the
log.
Field name and type |
Example value |
Description |
---|---|---|
errdefs_msgno (integer) |
23003141 |
Static number |
errdefs_msg_name (string) |
DNS DoS Event |
Name of event |
date_time (string) |
Nov 13 2012 12:12:10 |
Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS |
bigip_mgmt_ip (IP address) |
192.168.1.246 |
BIG-IP system management IP address |
hostname (string) |
bigip-4.pme-ds.f5.com |
BIG-IP system FQDN |
context_name (string) |
/Common/vs1_udp |
Partition in which the virtual server resides and name of the virtual server |
vlan (string) |
External |
Name of VLAN interface |
dns_query_type (string) |
A |
Type of DNS query causing the attack |
dns_query_name (string) |
f5.com |
Name being queried |
src_ip (IP address) |
192.168.3.1 |
Source IP address |
dest_ip (IP address) |
192.168.3.1 |
Destination IP address |
src_port (integer) |
80 |
Protocol port number (non-negative) |
dest_port (integer) |
80 |
Protocol port number (non-negative) |
partition_name (string) |
Common |
Name of the partition in which the virtual server resides |
dos_attack_name (string) |
A query DOS |
Name of attack |
dos_attack_id (integer) |
1005891899 |
Unique, non-negative, attack instance ID |
dos_attack_event (string) |
Attack Sampled |
Status of attack |
action (string) |
None, Drop, Allow |
Action performed or reported |
DNS DoS attack types
This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.
Attack name (RFC) |
Description |
Value description |
---|---|---|
A query DOS (RFC 1035) |
Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs and for storing subnet masks (RFC 1101). |
Address record |
PTR query DOS (RFC 1035) |
Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. |
Pointer record |
NS query DOS (1035) |
Delegates a DNS zone to use the given authoritative name servers. |
Name service record |
SOA query DOS (1035) |
Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. |
Start of authority record |
CNAME query DOS (1035) |
Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. |
Canonical name record |
MX query DOS (1035) |
Maps a domain name to a list of message transfer agents for that domain. |
Mail exchange record |
AAAA query DOS (3596) |
Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. |
IPv6 address record |
TXT query DOS (1035) |
Originally for arbitrary human-readable text in a DNS record, however, this record often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD. |
Text record |
SRV query DOS (2782) |
Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. |
Service locator |
AXFR query DOS (1035) |
Request for a transfer of an entire zone. |
Request |
IXFR query DOS (1995) |
Incremental transfer of records in the zone. |
Request |
ANY query DOS (1035) |
Request for all records. |
Request |
Malformed DOS |
Generated by a DNS packet in which one of the fields, for example, opcode,
query_type or query_name, contains invalid information. |
|
Malicious DOS |
Generated by malicious packets, that is, malformed DNS packets with references
that are invalid. |
|
Other Query DOS |
Queries, not listed in this table, which are being used to attack
nameservers. |
DNS DoS example events
This list contains examples of events you might find in the DNS DoS attack logs.
Example of DNS DoS attack log message in the Syslog format |
---|
"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com","/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com","192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow" |
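As an added example, not part of the F5 documentation, the following Python maps a DNS DoS log record of the format shown above onto the field names from the field table, enforces the integer and IP-address types the table states, and groups the actions reported per attack ID. The first three field names (date_time, management_ip_address, unit_hostname) are assumptions, since those rows of the table precede this section; the second sample record is constructed.

```python
import csv
import io
from ipaddress import ip_address

# Column order follows the DNS DoS field table above; the first three names
# (date_time, management_ip_address, unit_hostname) are assumed from earlier rows.
DNS_DOS_FIELDS = [
    "date_time", "management_ip_address", "unit_hostname", "context_name",
    "vlan", "dns_query_type", "dns_query_name", "src_ip", "dest_ip",
    "src_port", "dest_port", "partition_name", "dos_attack_name",
    "dos_attack_id", "dos_attack_event", "action",
]
INT_FIELDS = {"src_port", "dest_port", "dos_attack_id"}  # non-negative per table
IP_FIELDS = {"management_ip_address", "src_ip", "dest_ip"}


def parse_dns_dos_event(line: str) -> dict:
    """Map one comma-separated, double-quoted record to a dict keyed by field
    name, enforcing the integer and IP-address types given in the table."""
    values = next(csv.reader(io.StringIO(line.strip())))
    if len(values) != len(DNS_DOS_FIELDS):  # e.g. a record truncated by UDP syslog
        raise ValueError(f"expected {len(DNS_DOS_FIELDS)} fields, got {len(values)}")
    event = {}
    for name, raw in zip(DNS_DOS_FIELDS, values):
        if name in INT_FIELDS:
            if not raw.isdigit():  # rejects negatives and non-numeric junk
                raise ValueError(f"{name} must be a non-negative integer, got {raw!r}")
            event[name] = int(raw)
        elif name in IP_FIELDS:
            event[name] = str(ip_address(raw))  # ValueError on a bad address
        else:
            event[name] = raw
    return event


def actions_by_attack(lines) -> dict:
    """Map each dos_attack_id to the set of actions reported for it, so an
    attack that was only ever allowed stands out from one that was dropped."""
    result = {}
    for line in lines:
        e = parse_dns_dos_event(line)
        result.setdefault(e["dos_attack_id"], set()).add(e["action"])
    return result


# The first record is the page's example above; the second is a constructed
# follow-up for the same attack ID in which the reported action is Drop.
PAGE_EXAMPLE = (
    '"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com",'
    '"/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com",'
    '"192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow"'
)
SAMPLE_EVENTS = [PAGE_EXAMPLE, PAGE_EXAMPLE.replace('"Allow"', '"Drop"')]
```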
BIG-IP system process example events
This list contains examples of events you might find in BIG-IP system logs. Be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol instead impacts performance.
Example Syslog log entry for the system audit log
This log entry provides confirmation of a successful configuration save.
1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] AUDIT - pid=29639 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all
Example Syslog log entry for the application security log
This log entry provides confirmation of the end of a DoS attack.
Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet broadcast packet, Attack ID 188335952.