diff --git a/src/a10_plugin/configs/README.md b/src/a10_plugin/configs/README.md new file mode 100644 index 0000000..de5ccd2 --- /dev/null +++ b/src/a10_plugin/configs/README.md @@ -0,0 +1,24 @@ +#A10 Networks Thunder TPS Appliance Configs + +##Base Config v1 Functionality + + 1. Assumes TPS receives inbound traffic only (from the Internet to the protected service) + 2. Rate Limiters (GLID) for 10gbps, 1gbps, and 100mbps provided for use + 3. Basic TCP and UDP templates provided (syn-auth, UDP-auth, and low src port filter) + 4. BGP configuration for auto mitigation announcements (ddos-advertise route map) + 5. Base sFlow export configuration + 6. All events logged in CEF format + +##Basic Zone Config v1 Functionality + 1. Filters L2, L3, L4 packet anomalies (consult A10 documentation for specifics + 2. Drops ICMPv4, ICMPv6, and all fragments + 3. Performs TCP SYN Auth for TCP dest ports 21,22,25,53,80,110,143,443,587,993,995,5060,5061 + 4. Filters well-known UDP SRC ports + 5. Performs UDP Auth for UDP dest port 53 + 6. blocks all other traffic + 7. Creates a "incident" in the TPS GUI when seeing any packets to these dest ports. + +## These are just examples. Current plugin does not receive rate info from FNM. Future revisions will +Author: Eric Chou ericc@a10networks.com, Rich Groves rgroves@a10networks.com + +Feedback and Feature Requests are Appreciated and Welcomed. diff --git a/src/a10_plugin/configs/tps_base_config_v1.txt b/src/a10_plugin/configs/tps_base_config_v1.txt index f4c0ba6..3c19bf0 100644 --- a/src/a10_plugin/configs/tps_base_config_v1.txt +++ b/src/a10_plugin/configs/tps_base_config_v1.txt 
@@ -1,91 +1,76 @@ -system anomaly log -system attack log -system ddos-attack log +system anomaly log +system attack log +system ddos-attack log ! -hostname tps-fastnetmon +hostname A10TPS-Fastnetmon ! -interface management - ip address x.x.x.x x.x.x.x - ip control-apps-use-mgmt-port - ip default-gateway x.x.x.x - enable +interface management + ip address x.x.x.x x.x.x.x + ip control-apps-use-mgmt-port + ip default-gateway x.x.x.x + enable ! -interface ethernet 1 - name Inbound - enable - ddos outside -#Mitigation traffic comes in the "outside" port +interface ethernet 1 + name Inbound + enable ! -interface ethernet 2 - name Outbound +interface ethernet 2 + name Outbound ! ! -#optional rate limiters to latch to zones if you know the highest aggregate rate -glid 1 - description "10gbps rate limiter" - bit-rate-limit 10000000 +glid 1 + description "10gbps rate limiter" + bit-rate-limit 10000000 ! -glid 2 - description "1gbps rate limiter" - bit-rate-limit 1000000 +glid 2 + description "1gbps rate limiter" + bit-rate-limit 1000000 ! -glid 3 - description "100mbps rate limiter" - bit-rate-limit 100000 +glid 3 + description "100mbps rate limiter" + bit-rate-limit 100000 ! -ddos protection enable -ddos protection rate-interval 1sec -! -ddos resource-tracking cpu enable +ddos protection enable +ddos protection rate-interval 1sec ! -#template to allow CEF logging toward a receiver such as ELK -ddos zone-template logging cef-logger - log-format-cef - enable-action-logging +ddos resource-tracking cpu enable ! -#template for basic TCP SYN authentication -ddos zone-template tcp tcp-protect1 - syn-authentication send-rst - syn-authentication pass-action authenticate-src - syn-authentication fail-action drop +ddos zone-template logging cef-logger + log-format-cef + enable-action-logging ! 
-#template for UDP "authentication" and low ports filtering -ddos zone-template udp udp-protect1 - spoof-detect timeout 5 - spoof-detect min-delay 2 - spoof-detect pass-action authenticate-src - spoof-detect fail-action drop - known-resp-src-port action drop +ddos zone-template tcp tcp-protect1 + syn-authentication send-rst + syn-authentication pass-action authenticate-src + syn-authentication fail-action drop ! -ddos src default ip +ddos zone-template udp udp-protect1 + spoof-detect timeout 5 + spoof-detect min-delay 2 + spoof-detect pass-action authenticate-src + spoof-detect fail-action drop + known-resp-src-port action drop ! -ddos src default ipv6 -! -logging syslog information +logging syslog information ! -logging host x.x.x.x +logging host x.x.x.x use-mgmt-port ! -router bgp 2 - bgp log-neighbor-changes - bgp router-id x.x.x.x - neighbor x.x.x.x remote-as 1 +router bgp x + bgp log-neighbor-changes + bgp router-id x.x.x.x + neighbor x.x.x.x remote-as x neighbor x.x.x.x description upstream -#you must have this route map applied for auto announcements to work - neighbor x.x.x.x route-map ddos-advertise out + neighbor x.x.x.x route-map ddos-advertise out ! -#auto announcement route map enabled using "bgp advertised" in the zone config -route-map ddos-advertise permit 1 +route-map ddos-advertise permit 1 ! -sflow setting max-header 128 -sflow setting packet-sampling-rate 1000 +sflow setting max-header 128 +sflow setting packet-sampling-rate 1000 ! -#set this to the IP of the FNM host -sflow collector ip x.x.x.x 6343 use-mgmt-port +sflow collector ip x.x.x.x 6343 use-mgmt-port ! -sflow agent address x.x.x.x +sflow agent address x.x.x.x ! -#This turns on packet sampling on the "outside" interface sflow sampling ethernet 1 -! +! end - diff --git a/src/a10_plugin/configs/tps_zone_config_v1.txt b/src/a10_plugin/configs/tps_zone_config_v1.txt index d1d3cad..9ab3e1e 100644 --- a/src/a10_plugin/configs/tps_zone_config_v1.txt 
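Review bot: The new `interface ethernet 1` stanza no longer carries `ddos outside`, and the hunk also deletes every `#` comment, so the sample no longer says which port mitigation traffic is expected on or that the `ddos-advertise` route map must be applied to the neighbor for auto announcements to work. Whether the interface role is still required for zone inspection on the targeted ACOS release cannot be told from the diff; if it is, the line should be restored. Either way the operator guidance should survive, for example in the README added by this commit. `route-map ddos-advertise permit 1` has no match clause, so I would keep a one-line comment such as `#only zone prefixes marked "bgp advertised" are meant to be announced through this map` for whoever audits the BGP export policy.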
+++ b/src/a10_plugin/configs/tps_zone_config_v1.txt @@ -1,8 +1,7 @@ -ddos dst zone xxxx +ddos dst zone xxxxxxx ip x.x.x.x operational-mode monitor bgp advertised -#instructs ACOS to announce prefixes bound to the zone zone-template logging cef-logger log enable periodic ip-proto tcp @@ -15,18 +14,52 @@ ddos dst zone xxxx ip-proto icmp-v6 deny detection-enable - port other tcp -#catch all for all ports. add more specific ports if you know the specifics of the service under attack + port 20 tcp detection-enable level 0 zone-escalation-score 10 indicator pkt-rate score 20 zone-threshold 1 -#This allows TPS to create an incident automatically upon receiving the first packet for the zone level 1 zone-template tcp tcp-protect1 - port other udp + port 21 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 22 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 25 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 53 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 53 udp detection-enable level 0 zone-escalation-score 10 
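Review bot: The first service added in the second hunk is `port 20 tcp`, but the README added in this same commit lists TCP SYN auth for destination ports starting at 21, so the two files disagree about what is protected. One of them should be corrected. The hunk also removes the comment explaining that `zone-threshold 1` makes TPS open an incident on the first packet for the zone; that value is now repeated in every port stanza, and a short comment at its first use, e.g. `#threshold 1 = incident on first packet, tune before production use`, would stop readers mistaking it for a tuned rate.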
@@ -35,3 +68,90 @@ ddos dst zone xxxx zone-threshold 1 level 1 zone-template udp udp-protect1 + port 80 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 110 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 143 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 443 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 587 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 993 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 995 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 5060 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port 5061 tcp + detection-enable + level 0 + zone-escalation-score 10 + indicator pkt-rate + score 20 + zone-threshold 1 + level 1 + zone-template tcp tcp-protect1 + port other tcp + detection-enable + deny + port other udp + detection-enable + deny diff --git a/src/a10_plugin/json_configs/ddos_dst_zone.py b/src/a10_plugin/json_configs/ddos_dst_zone.py index 251fbbf..d6eeba9 100644 --- a/src/a10_plugin/json_configs/ddos_dst_zone.py +++ b/src/a10_plugin/json_configs/ddos_dst_zone.py 
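Review bot: The catch-all entries at the end of this hunk, `port other tcp` and `port other udp`, are now `deny`, so traffic to any port without its own stanza is dropped once the zone is applied, whereas the old catch-all ran the auth templates. Only port 53 has a UDP stanza, so UDP to 5060 or 443 on the protected address would fall into the UDP deny. I would add a comment above the catch-all such as `#default-deny: add a port stanza for every legitimate service before applying this zone` and note the behaviour change in the README.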
@@ -3,99 +3,425 @@ ddos_dst_zone_path = '/axapi/v3/ddos/dst/zone/' def ddos_dst_zone(zone_name, ip_addr): ddos_dst_zone_payload = { - "zone-list": [ + "zone-list": [ + { + "zone-name":zone_name, + "ip": [ { - "zone-name":zone_name, - "ip": [ - { - "ip-addr":ip_addr - } - ], - "operational-mode":"monitor", - "advertised-enable":1, - "zone-template": { - "logging":"cef-logger" + "ip-addr": ip_addr, + } + ], + "operational-mode":"monitor", + "advertised-enable":1, + "zone-template": { + "logging":"cef-logger" + }, + "log-enable":1, + "log-periodic":1, + "ip-proto": { + "proto-tcp-udp-list": [ + { + "protocol":"tcp", + "drop-frag-pkt":1, }, - "log-enable":1, - "log-periodic":1, - "ip-proto": { - "proto-tcp-udp-list": [ + { + "protocol":"udp", + "drop-frag-pkt":1, + } + ], + "proto-name-list": [ + { + "protocol":"icmp-v4", + "deny":1, + "detection-enable":1, + }, + { + "protocol":"icmp-v6", + "deny":1, + "detection-enable":1, + } + ] + }, + "port": { + "zone-service-list": [ + { + "port-num":20, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ { - "protocol":"tcp", - "drop-frag-pkt":1, + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] }, { - "protocol":"udp", - "drop-frag-pkt":1, - } - ], - "proto-name-list": [ - { - "protocol":"icmp-v4", - "deny":1, - "detection-enable":1, - }, - { - "protocol":"icmp-v6", - "deny":1, - "detection-enable":1, + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, } ] }, - "port": { - "zone-service-other-list": [ + { + "port-num":21, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ { - "port-other":"other", - "protocol":"tcp", - "detection-enable":1, - "level-list": [ + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ { - "level-num":"0", - "zone-escalation-score":10, - "indicator-list": [ - { - "type":"pkt-rate", - "score":20, - "zone-threshold-num":1, - } - ] - }, - { - "level-num":"1", 
- "zone-template": { - "tcp":"tcp-protect1" - }, + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, } ] }, { - "port-other":"other", - "protocol":"udp", - "detection-enable":1, - "level-list": [ + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":22, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ { - "level-num":"0", - "zone-escalation-score":10, - "indicator-list": [ - { - "type":"pkt-rate", - "score":20, - "zone-threshold-num":1, - } - ] - }, - { - "level-num":"1", - "zone-template": { - "udp":"udp-protect1" - }, + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, } ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":25, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":53, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":53, + "protocol":"udp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "udp":"udp-protect1" + }, + } + ] + }, + { + "port-num":80, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + 
"zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":110, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":143, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":443, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":587, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":993, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":995, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + 
"zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":5060, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":5061, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, } ] } - } - ] + ], + "zone-service-other-list": [ + { + "port-other":"other", + "protocol":"tcp", + "detection-enable":1, + "deny":1, + }, + { + "port-other":"other", + "protocol":"udp", + "detection-enable":1, + "deny":1, + } + ] + } } + ] +} return ddos_dst_zone_payload diff --git a/src/a10_plugin/json_configs/tps_base_config_json_v1.txt b/src/a10_plugin/json_configs/tps_base_config_json_v1.txt index 2156e45..d1badf2 100644 --- a/src/a10_plugin/json_configs/tps_base_config_json_v1.txt +++ b/src/a10_plugin/json_configs/tps_base_config_json_v1.txt @@ -3,7 +3,6 @@ a10-url:/axapi/v3/admin "admin-list": [ { "user":"admin", - "uuid":"57937c0c-06cb-11e6-86f7-000c2998bd62", "password": { "encrypted-in-module":"sCyT4priW1OZSg3m1RiAf0bOyZ0Odnf1rQRp+BHohemGp1YhW+V1NjwQjLjV2wDn", } @@ -16,7 +15,7 @@ a10-url:/axapi/v3/multi-config "multi-config": { "enable":1, } -} +} a10-url:/axapi/v3/monitor { @@ -36,16 +35,6 @@ a10-url:/axapi/v3/system } } -a10-url:/axapi/v3/class-list -{ - "class-list-list": [ - { - "name":"ddos-block", - "file":1, - } - ] -} - a10-url:/axapi/v3/hostname { "hostname": { 
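Review bot: The fifteen entries added under `"zone-service-list"` are the same dict copied by hand, with only `port-num`, `protocol` and the template key changing, so a later change to the score or threshold is easy to apply to some ports and miss on others. I would build the list from a table of `(port, protocol)` pairs with one helper, as sketched below; the resulting payload is meant to be identical to the literal in the hunk. `zone_name` and `ip_addr` go into the payload as given and the zone has `"advertised-enable":1`, so a docstring on `ddos_dst_zone` stating that callers (outside this hunk) must pass a validated address would also help.

```python
# (port, protocol) pairs that get the level 0 / level 1 escalation config
PROTECTED_SERVICES = [
    (20, "tcp"), (21, "tcp"), (22, "tcp"), (25, "tcp"), (53, "tcp"),
    (53, "udp"), (80, "tcp"), (110, "tcp"), (143, "tcp"), (443, "tcp"),
    (587, "tcp"), (993, "tcp"), (995, "tcp"), (5060, "tcp"), (5061, "tcp"),
]


def _zone_service(port_num, protocol):
    """Return one zone-service-list entry for the given port and protocol."""
    return {
        "port-num": port_num,
        "protocol": protocol,
        "detection-enable": 1,
        "level-list": [
            {
                "level-num": "0",
                "zone-escalation-score": 10,
                "indicator-list": [
                    {"type": "pkt-rate", "score": 20, "zone-threshold-num": 1},
                ],
            },
            {
                "level-num": "1",
                # tcp -> tcp-protect1, udp -> udp-protect1
                "zone-template": {protocol: protocol + "-protect1"},
            },
        ],
    }


def ddos_dst_zone(zone_name, ip_addr):
    # … unchanged: zone-name, ip, operational-mode, logging, ip-proto …
            "port": {
                "zone-service-list": [
                    _zone_service(port, proto)
                    for port, proto in PROTECTED_SERVICES
                ],
                # … unchanged: zone-service-other-list deny entries …
```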
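Review bot: The `"uuid"` line is dropped in the first hunk of tps_base_config_json_v1.txt, but the `"encrypted-in-module"` value for the `admin` user on the context lines just below it stays in the sample. An appliance provisioned from this file as-is would receive the admin password blob that is published in the repository. It should become a placeholder in the same way the addresses are, e.g. `"encrypted-in-module":"<set-per-device>",` (constructed placeholder), with a README line telling operators to set their own admin credential before the management port is reachable.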
@@ -57,10 +46,10 @@ a10-url:/axapi/v3/interface/management { "management": { "ip": { - "ipv4-address":"x.x.x.x", - "ipv4-netmask":"x.x.x.x", + "ipv4-address”:”x.x.x.x", + "ipv4-netmask”:”x.x.x.x", "control-apps-use-mgmt-port":1, - "default-gateway":"x.x.x.x" + "default-gateway”:”x.x.x.x" }, "action":"enable", } @@ -73,9 +62,6 @@ a10-url:/axapi/v3/interface/ethernet "ifnum":1, "name":"Inbound", "action":"enable", - "ddos": { - "inside":1, - } }, { "ifnum":2, @@ -114,7 +100,7 @@ a10-url:/axapi/v3/ddos/protection } a10-url:/axapi/v3/ddos/resource-tracking/cpu -{ +{ "cpu": { "enable":1, } @@ -134,7 +120,7 @@ a10-url:/axapi/v3/ddos/zone-template/logging a10-url:/axapi/v3/ddos/zone-template/tcp { "tcp-list": [ - { + { "name":"tcp-protect1", "syn-authentication": { "syn-auth-type":"send-rst", @@ -174,6 +160,17 @@ a10-url:/axapi/v3/ddos/src/default ] } +a10-url:/axapi/v3/ddos/dst/default +{ + "default-list": [ + { + "default-address-type":"ip", + }, + { + "default-address-type":"ipv6", + } + ] +} a10-url:/axapi/v3/logging/syslog { "syslog": { @@ -185,7 +182,9 @@ a10-url:/axapi/v3/logging/host/ipv4addr { "ipv4addr-list": [ { - "host-ipv4":"x.x.x.x", + "host-ipv4”:”x.x.x.x", + "use-mgmt-port":1, + "tcp":0, } ] } @@ -194,15 +193,15 @@ a10-url:/axapi/v3/router/bgp { "bgp-list": [ { - "as-number":2, + "as-number”:x, "bgp": { "log-neighbor-changes":1, - "router-id":"x.x.x.x" + "router-id”:”x.x.x.x" }, "neighbor": { "ipv4-neighbor-list": [ { - "neighbor-ipv4":"x.x.x.x", + "neighbor-ipv4”:”x.x.x.x", "nbr-remote-as":1, "description":"upstream", "neighbor-route-map-lists": [ @@ -214,7 +213,7 @@ a10-url:/axapi/v3/router/bgp } ] } - } + } ] } @@ -234,14 +233,14 @@ a10-url:/axapi/v3/sflow/setting "setting": { "max-header":128, "packet-sampling-rate":1000, - } + } } a10-url:/axapi/v3/sflow/collector/ip { "ip-list": [ { - "addr":"x.x.x.x", + "addr”:”x.x.x.x", "port":6343, "use-mgmt-port":1, } 
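Review bot: The replaced lines in the `interface/management` hunk use a typographic quote (`”`) in place of `"` around the colon, e.g. `"ipv4-address”:”x.x.x.x"`, so key and value are no longer two separate strings and the payload will not parse when sent to aXAPI. The same substitution appears in later hunks of this file (`"host-ipv4”`, `"as-number”`, `"router-id”`, `"neighbor-ipv4”`, `"addr”`, `"ip”`) and in tps_zone_config_json_v1.txt (`"zone-name”`, `"ip-addr”`). Each should go back to the ASCII form, as in `"ipv4-address":"x.x.x.x",`.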
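Review bot: In the `router/bgp` hunk the local AS becomes a bare `x` (`"as-number”:x`), while `"nbr-remote-as":1` on the context line keeps the literal 1; the CLI sample in this commit uses `x` for both. Someone who fills in only the visible placeholders ends up configured to peer with remote AS 1. I would make both placeholders explicit, e.g. `"as-number":"<local-as>",` and `"nbr-remote-as":"<upstream-as>",` (constructed placeholders), and state in the README that they must be replaced with numbers before use.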
@@ -251,10 +250,10 @@ a10-url:/axapi/v3/sflow/collector/ip a10-url:/axapi/v3/sflow/agent/address { "address": { - "ip":"x.x.x.x", + "ip”:”x.x.x.x", } } - + a10-url:/axapi/v3/sflow/sampling { "sampling": { @@ -266,33 +265,3 @@ a10-url:/axapi/v3/sflow/sampling ], } } - -a10-url:/axapi/v3/vcs-vblades/stat -{ - "stat-list": [ - { - "vblade-id":1, - }, - { - "vblade-id":2, - }, - { - "vblade-id":3, - }, - { - "vblade-id":4, - }, - { - "vblade-id":5, - }, - { - "vblade-id":6, - }, - { - "vblade-id":7, - }, - { - "vblade-id":8, - } - ] -} diff --git a/src/a10_plugin/json_configs/tps_zone_config_json_v1.txt b/src/a10_plugin/json_configs/tps_zone_config_json_v1.txt index 04ea336..397d6f3 100644 --- a/src/a10_plugin/json_configs/tps_zone_config_json_v1.txt +++ b/src/a10_plugin/json_configs/tps_zone_config_json_v1.txt @@ -2,10 +2,10 @@ a10-url:/axapi/v3/ddos/dst/zone { "zone-list": [ { - "zone-name":"zone-x.x.x.x", + "zone-name”:"xxxx", "ip": [ { - "ip-addr":"x.x.x.x" + "ip-addr”:”x.x.x.x" } ], "operational-mode":"monitor", @@ -40,9 +40,9 @@ a10-url:/axapi/v3/ddos/dst/zone ] }, "port": { - "zone-service-other-list": [ + "zone-service-list": [ { - "port-other":"other", + "port-num":20, "protocol":"tcp", "detection-enable":1, "level-list": [ 
@@ -66,7 +66,103 @@ a10-url:/axapi/v3/ddos/dst/zone ] }, { - "port-other":"other", + "port-num":21, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":22, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":25, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":53, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":53, "protocol":"udp", "detection-enable":1, "level-list": [ 
@@ -88,10 +184,239 @@ a10-url:/axapi/v3/ddos/dst/zone }, } ] + }, + { + "port-num":80, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":110, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":143, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":443, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":587, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":993, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + 
{ + "port-num":995, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":5060, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + }, + { + "port-num":5061, + "protocol":"tcp", + "detection-enable":1, + "level-list": [ + { + "level-num":"0", + "zone-escalation-score":10, + "indicator-list": [ + { + "type":"pkt-rate", + "score":20, + "zone-threshold-num":1, + } + ] + }, + { + "level-num":"1", + "zone-template": { + "tcp":"tcp-protect1" + }, + } + ] + } + ], + "zone-service-other-list": [ + { + "port-other":"other", + "protocol":"tcp", + "detection-enable":1, + "deny":1, + }, + { + "port-other":"other", + "protocol":"udp", + "detection-enable":1, + "deny":1, } ] } } ] } -