Try SpotterManage attack vector configuration in an AFM DoS profile
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Tim Rupp (@caphrim007), Nitin Khanna (@nitinthewiz)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manage the attack vector configuration in an AFM (Advanced Firewall Manager) DoS profile. In addition to the normal AFM DoS profile vectors, this module can manage the device-configuration vectors. See the module documentation for details about this method.
- name: Enable DNS AAAA vector mitigation
bigip_firewall_dos_vector:
name: aaaa
state: mitigate
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
name:
choices:
- bad-icmp-chksum
- bad-icmp-frame
- bad-igmp-frame
- bad-ip-opt
- bad-ipv6-hop-cnt
- bad-ipv6-ver
- bad-sctp-chksum
- bad-tcp-chksum
- bad-tcp-flags-all-clr
- bad-tcp-flags-all-set
- bad-ttl-val
- bad-udp-chksum
- bad-udp-hdr
- bad-ver
- arp-flood
- flood
- igmp-flood
- igmp-frag-flood
- ip-bad-src
- ip-err-chksum
- ip-len-gt-l2-len
- ip-other-frag
- ip-overlap-frag
- ip-short-frag
- ip-uncommon-proto
- ip-unk-prot
- ipv4-mapped-ipv6
- ipv6-atomic-frag
- ipv6-bad-src
- ipv6-len-gt-l2-len
- ipv6-other-frag
- ipv6-overlap-frag
- ipv6-short-frag
- l2-len-ggt-ip-len
- l4-ext-hdrs-go-end
- land-attack
- no-l4
- no-listener-match
- non-tcp-connection
- payload-len-ls-l2-len
- routing-header-type-0
- syn-and-fin-set
- tcp-ack-flood
- tcp-hdr-len-gt-l2-len
- tcp-hdr-len-too-short
- hdr-len-gt-l2-len
- hdr-len-too-short
- bad-ext-hdr-order
- ext-hdr-too-large
- hop-cnt-low
- host-unreachable
- icmp-frag
- icmp-frame-too-large
- icmpv4-flood
- icmpv6-flood
- ip-frag-flood
- ip-low-ttl
- ip-opt-frames
- ipv6-ext-hdr-frames
- ipv6-frag-flood
- opt-present-with-illegal-len
- sweep
- tcp-bad-urg
- tcp-half-open
- tcp-opt-overruns-tcp-hdr
- tcp-psh-flood
- tcp-rst-flood
- tcp-syn-flood
- tcp-syn-oversize
- tcp-synack-flood
- tcp-window-size
- tidcmp
- too-many-ext-hdrs
- dup-ext-hdr
- fin-only-set
- ether-brdcst-pkt
- ether-multicst-pkt
- ether-mac-sa-eq-da
- udp-flood
- unk-ipopt-type
- unk-tcp-opt-type
- a
- aaaa
- any
- axfr
- cname
- dns-malformed
- dns-nxdomain-query
- dns-response-flood
- dns-oversize
- ixfr
- mx
- ns
- other
- ptr
- qdcount
- soa
- srv
- txt
- ack
- bye
- cancel
- invite
- message
- notify
- options
- other
- prack
- publish
- register
- sip-malformed
- subscribe
- uri-limit
description:
- Specifies the name of the vector to modify.
- Vectors that ship with the device are "hard-coded" in that the list of vectors is
known to the system and users cannot add new vectors. Users only manipulate the
existing vectors; all of which are disabled by default.
- When C(bad-icmp-chksum), configures the "Bad ICMP Checksum" Network Security vector.
- When C(bad-icmp-frame), configures the "Bad ICMP Frame" Network Security vector.
- When C(bad-igmp-frame), configures the "Bad IGMP Frame" Network Security vector.
- When C(bad-ip-opt), configures the "IP Option Illegal Length" Network Security vector.
- When C(bad-ipv6-hop-cnt), configures the "Bad IPv6 Hop Count" Network Security vector.
- When C(bad-ipv6-ver), configures the "Bad IPv6 Version" Network Security vector.
- When C(bad-sctp-chksum), configures the "Bad SCTP Checksum" Network Security vector.
- When C(bad-tcp-chksum), configures the "Bad TCP Checksum" Network Security vector.
- When C(bad-tcp-flags-all-clr), configures the "Bad TCP Flags (All Cleared)" Network
Security vector.
- When C(bad-tcp-flags-all-set), configures the "Bad TCP Flags (All Flags Set)" Network
Security vector.
- When C(bad-ttl-val), configures the "Bad IP TTL Value" Network Security vector.
- When C(bad-udp-chksum), configures the "Bad UDP Checksum" Network Security vector.
- When C(bad-udp-hdr), configures the "Bad UDP Header (UDP Length > IP Length or L2
Length)" Network Security vector.
- When C(bad-ver), configures the "Bad IP Version" Network Security vector.
- When C(arp-flood), configures the "ARP Flood" Network Security vector.
- When C(flood), configures the "Single Endpoint Flood" Network Security vector.
- When C(igmp-flood), configures the "IGMP Flood" Network Security vector.
- When C(igmp-frag-flood), configures the "IGMP Fragment Flood" Network Security vector.
- When C(ip-bad-src), configures the "Bad Source" Network Security vector.
- When C(ip-err-chksum), configures the "IP Error Checksum" Network Security vector.
- When C(ip-len-gt-l2-len), configures the "IP Length > L2 Length" Network Security
vector.
- When C(ip-other-frag), configures the "IP Fragment Error" Network Security vector.
- When C(ip-overlap-frag), configures the "IP Fragment Overlap" Network Security vector.
- When C(ip-short-frag), configures the "IP Fragment Too Small" Network Security vector.
- When C(ip-uncommon-proto), configures the "IP Uncommon Proto" Network Security vector.
- When C(ip-unk-prot), configures the "IP Unknown Protocol" Network Security vector.
- When C(ipv4-mapped-ipv6), configures the "IPv4 Mapped IPv6" Network Security vector.
- When C(ipv6-atomic-frag), configures the "IPv6 Atomic Fragment" Network Security
vector.
- When C(ipv6-bad-src), configures the "Bad IPv6 Addr" Network Security vector.
- When C(ipv6-len-gt-l2-len), configures the "IPv6 Length > L2 Length" Network Security
vector.
- When C(ipv6-other-frag), configures the "IPv6 Fragment Error" Network Security vector.
- When C(ipv6-overlap-frag), configures the "IPv6 Fragment Overlap" Network Security
vector.
- When C(ipv6-short-frag), configures the "IPv6 Fragment Too Small" Network Security
vector.
- When C(l2-len-ggt-ip-len), configures the "L2 Length >> IP Length" Network Security
vector.
- When C(l4-ext-hdrs-go-end), configures the "No L4 (Extension Headers Go To Or Past
The End of Frame)" Network Security vector.
- When C(land-attack), configures the "LAND Attack" Network Security vector.
- When C(no-l4), configures the "No L4" Network Security vector.
- When C(no-listener-match), configures the "No Listener Match" Network Security vector.
- When C(non-tcp-connection), configures the "Non TCP Connection" Network Security
vector.
- When C(payload-len-ls-l2-len), configures the "Payload Length < L2 Length" Network
Security vector.
- When C(routing-header-type-0), configures the "Routing Header Type 0" Network Security
vector.
- When C(syn-and-fin-set), configures the "SYN && FIN Set" Network Security vector.
- When C(tcp-ack-flood), configures the "TCP BADACK Flood" Network Security vector.
- When C(tcp-hdr-len-gt-l2-len), configures the "TCP Header Length > L2 Length" Network
Security vector.
- When C(tcp-hdr-len-too-short), configures the "TCP Header Length Too Short (Length
< 5)" Network Security vector.
- When C(hdr-len-gt-l2-len), configures the "Header Length > L2 Length" Network Security
vector.
- When C(hdr-len-too-short), configures the "Header Length Too Short" Network Security
vector.
- When C(bad-ext-hdr-order), configures the "IPv6 Extended Headers Wrong order" Network
Security vector.
- When C(ext-hdr-too-large), configures the "IPv6 extension header too large" Network
Security vector.
- When C(hop-cnt-low), configures the "IPv6 hop count <= <tunable>" Network Security
vector.
- When C(host-unreachable), configures the "Host Unreachable" Network Security vector.
- When C(icmp-frag), configures the "ICMP Fragment" Network Security vector.
- When C(icmp-frame-too-large), configures the "ICMP Frame Too Large" Network Security
vector.
- When C(icmpv4-flood), configures the "ICMPv4 flood" Network Security vector.
- When C(icmpv6-flood), configures the "ICMPv6 flood" Network Security vector.
- When C(ip-frag-flood), configures the "IP Fragment Flood" Network Security vector.
- When C(ip-low-ttl), configures the "TTL <= <tunable>" Network Security vector.
- When C(ip-opt-frames), configures the "IP Option Frames" Network Security vector.
- When C(ipv6-ext-hdr-frames), configures the "IPv6 Extended Header Frames" Network
Security vector.
- When C(ipv6-frag-flood), configures the "IPv6 Fragment Flood" Network Security vector.
- When C(opt-present-with-illegal-len), configures the "Option Present With Illegal
Length" Network Security vector.
- When C(sweep), configures the "Sweep" Network Security vector.
- When C(tcp-bad-urg), configures the "TCP Flags-Bad URG" Network Security vector.
- When C(tcp-half-open), configures the "TCP Half Open" Network Security vector.
- When C(tcp-opt-overruns-tcp-hdr), configures the "TCP Option Overruns TCP Header"
Network Security vector.
- When C(tcp-psh-flood), configures the "TCP PUSH Flood" Network Security vector.
- When C(tcp-rst-flood), configures the "TCP RST Flood" Network Security vector.
- When C(tcp-syn-flood), configures the "TCP SYN Flood" Network Security vector.
- When C(tcp-syn-oversize), configures the "TCP SYN Oversize" Network Security vector.
- When C(tcp-synack-flood), configures the "TCP SYN ACK Flood" Network Security vector.
- When C(tcp-window-size), configures the "TCP Window Size" Network Security vector.
- When C(tidcmp), configures the "TIDCMP" Network Security vector.
- When C(too-many-ext-hdrs), configures the "Too Many Extension Headers" Network Security
vector.
- When C(dup-ext-hdr), configures the "IPv6 Duplicate Extension Headers" Network Security
vector.
- When C(fin-only-set), configures the "FIN Only Set" Network Security vector.
- When C(ether-brdcst-pkt), configures the "Ethernet Broadcast Packet" Network Security
vector.
- When C(ether-multicst-pkt), configures the "Ethernet Multicast Packet" Network Security
vector.
- When C(ether-mac-sa-eq-da), configures the "Ethernet MAC Source Address == Destination
Address" Network Security vector.
- When C(udp-flood), configures the "UDP Flood" Network Security vector.
- When C(unk-ipopt-type), configures the "Unknown Option Type" Network Security vector.
- When C(unk-tcp-opt-type), configures the "Unknown TCP Option Type" Network Security
vector.
- When C(a), configures the "DNS A Query" DNS Protocol Security vector.
- When C(aaaa), configures the "DNS AAAA Query" DNS Protocol Security vector.
- When C(any), configures the "DNS ANY Query" DNS Protocol Security vector.
- When C(axfr), configures the "DNS AXFR Query" DNS Protocol Security vector.
- When C(cname), configures the "DNS CNAME Query" DNS Protocol Security vector.
- When C(dns-malformed), configures the "dns-malformed" DNS Protocol Security vector.
- When C(dns-nxdomain-query), configures the "dns-nxdomain-query" DNS Protocol Security
vector.
- When C(dns-response-flood), configures the "dns-response-flood" DNS Protocol Security
vector.
- When C(dns-oversize), configures the "dns-oversize" DNS Protocol Security vector.
- When C(ixfr), configures the "DNS IXFR Query" DNS Protocol Security vector.
- When C(mx), configures the "DNS MX Query" DNS Protocol Security vector.
- When C(ns), configures the "DNS NS Query" DNS Protocol Security vector.
- When C(other), configures the "DNS OTHER Query" DNS Protocol Security vector.
- When C(ptr), configures the "DNS PTR Query" DNS Protocol Security vector.
- When C(qdcount), configures the "DNS QDCOUNT Query" DNS Protocol Security vector.
- When C(soa), configures the "DNS SOA Query" DNS Protocol Security vector.
- When C(srv), configures the "DNS SRV Query" DNS Protocol Security vector.
- When C(txt), configures the "DNS TXT Query" DNS Protocol Security vector.
- When C(ack), configures the "SIP ACK Method" SIP Protocol Security vector.
- When C(bye), configures the "SIP BYE Method" SIP Protocol Security vector.
- When C(cancel), configures the "SIP CANCEL Method" SIP Protocol Security vector.
- When C(invite), configures the "SIP INVITE Method" SIP Protocol Security vector.
- When C(message), configures the "SIP MESSAGE Method" SIP Protocol Security vector.
- When C(notify), configures the "SIP NOTIFY Method" SIP Protocol Security vector.
- When C(options), configures the "SIP OPTIONS Method" SIP Protocol Security vector.
- When C(other), configures the "SIP OTHER Method" SIP Protocol Security vector.
- When C(prack), configures the "SIP PRACK Method" SIP Protocol Security vector.
- When C(publish), configures the "SIP PUBLISH Method" SIP Protocol Security vector.
- When C(register), configures the "SIP REGISTER Method" SIP Protocol Security vector.
- When C(sip-malformed), configures the "sip-malformed" SIP Protocol Security vector.
- When C(subscribe), configures the "SIP SUBSCRIBE Method" SIP Protocol Security vector.
- When C(uri-limit), configures the "uri-limit" SIP Protocol Security vector.
required: true
type: str
state:
choices:
- mitigate
- detect-only
- learn-only
- disabled
description:
- When C(state) is C(mitigate), ensures the vector enforces limits and thresholds.
- When C(state) is C(detect-only), ensures the vector does not enforce limits and
thresholds (rate limiting, dropping, etc), but is still tracked in logs and statistics.
- When C(state) is C(disabled), ensures the vector does not enforce limits and thresholds,
but is still tracked in logs and statistics.
- When C(state) is C(learn-only), ensures the vector does not "detect" any attacks.
Only learning and stat collecting is performed.
type: str
profile:
description:
- Specifies the name of the profile to manage vectors in.
- The name C(device-config) is reserved for use by this module.
- Vectors can be managed in either DoS Profiles or Device Configuration. By specifying
a profile of 'device-config', this module will specifically tailor configuration
of the provided vectors to the Device Configuration.
required: true
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
partition:
default: Common
description:
- Device partition to manage resources on.
type: str
attack_floor:
description:
- Specifies packets per second to identify an attack.
- These settings provide an absolute minimum of packets to allow before the attack
is identified.
- As the automatic detection thresholds adjust to traffic and CPU usage on the system
over time, this attack floor becomes less relevant.
- This value may not exceed the value in C(attack_floor).
type: str
attack_ceiling:
description:
- Specifies the absolute maximum allowable for packets of this type.
- This setting rate limits packets to the packets per second setting, when specified.
- To set no hard limit and allow automatic thresholds to manage all rate limiting,
set this to C(infinite).
type: str
auto_blacklist:
description:
- Automatically blacklists detected bad actors.
- To enable this parameter, the C(bad_actor_detection) must also be enabled.
- This parameter is not supported by the C(dns-malformed) vector.
- This parameter is not supported by the C(qdcount) vector.
type: bool
threshold_mode:
choices:
- manual
- stress-based-mitigation
- fully-automatic
description:
- The C(dns-malformed) vector does not support C(fully-automatic) or C(stress-based-mitigation)
for this parameter.
- The C(qdcount) vector does not support C(fully-automatic) or C(stress-based-mitigation)
for this parameter.
- The C(sip-malformed) vector does not support C(fully-automatic) or C(stress-based-mitigation)
for this parameter.
type: str
blacklist_duration:
description:
- Duration the blacklist will last, in seconds.
type: int
allow_advertisement:
description:
- Specifies addresses that are identified for blacklisting are advertised to BGP routers.
type: bool
bad_actor_detection:
description:
- Whether Bad Actor detection is enabled or disabled for a vector, if available.
- This parameter must be enabled to enable the C(auto_blacklist) parameter.
- This parameter is not supported by the C(dns-malformed) vector.
- This parameter is not supported by the C(qdcount) vector.
type: bool
detection_threshold_eps:
aliases:
- rate_threshold
description:
- Lists how many packets per second the system must discover in traffic in order to
detect this attack.
type: str
simulate_auto_threshold:
description:
- Specifies results of the current automatic thresholds are logged, though manual
thresholds are enforced, and no action is taken on automatic thresholds.
- The C(sweep) vector does not support this parameter.
type: bool
mitigation_threshold_eps:
aliases:
- rate_limit
description:
- Specifies the maximum number of this type of packet per second the system allows
for a vector.
- The system drops packets once the traffic level exceeds the rate limit.
type: str
blacklist_detection_seconds:
description:
- Detection before blacklisting occurs, in seconds.
type: int
detection_threshold_percent:
aliases:
- rate_increase
description:
- Lists the threshold percent increase over time that the system must detect in traffic
in order to detect this attack.
- The C(tcp-half-open) vector does not support this parameter.
type: str
per_source_ip_detection_threshold:
description:
- Specifies the number of packets per second to identify an IP address as a bad actor.
type: str
per_source_ip_mitigation_threshold:
description:
- Specifies the rate limit applied to a source IP that is identified as a bad actor.
type: str
allow_advertisement: description: The new Allow External Advertisement setting. returned: changed sample: true type: bool attack_ceiling: description: The new Attack Ceiling EPS setting. returned: changed sample: infinite type: str attack_floor: description: The new Attack Floor EPS setting. returned: changed sample: infinite type: str auto_blacklist: description: The new Auto Blacklist setting. returned: changed sample: false type: bool bad_actor_detection: description: The new Bad Actor Detection setting. returned: changed sample: false type: bool blacklist_category: description: The new Category Name setting. returned: changed sample: /Common/cloud_provider_networks type: str blacklist_detection_seconds: description: The new Sustained Attack Detection Time setting. returned: changed sample: 60 type: int blacklist_duration: description: The new Category Duration Time setting. returned: changed sample: 14400 type: int detection_threshold_eps: description: The new Detection Threshold EPS setting. returned: changed sample: infinite type: str detection_threshold_percent: description: The new Detection Threshold Percent setting. returned: changed sample: infinite type: str mitigation_threshold_eps: description: The new Mitigation Threshold EPS setting. returned: changed sample: infinite type: str per_source_ip_detection_threshold: description: The new Per Source IP Detection Threshold EPS setting. returned: changed sample: 23 type: str per_source_ip_mitigation_threshold: description: The new Per Source IP Mitigation Threshold EPS setting. returned: changed sample: infinite type: str simulate_auto_threshold: description: The new Simulate Auto Threshold setting. returned: changed sample: false type: bool state: description: The new state of the vector. returned: changed sample: mitigate type: str threshold_mode: description: The new Mitigation Threshold EPS setting. returned: changed sample: infinite type: str