DDoS protection for CGN allows for selective filtering to match traffic based on destination IP addresses and destination IP port. Selective filtering tracks the number of protocol packets received to these 2-tuples. An excess of packets is registered as a DDoS attack, and all packets above the configured threshold are dropped.
Selective filtering is enabled by default. The default value is 3000 packets for TCP or UDP protocol, exclusive, or 3000 packets per source-IP. For all other protocols combined, the default value is 10000 packets.
Stage 1: If the IP entry is created, a L4 entry will not be created since all ports of this IP are dropped. Conversely, if the L4 entry is created, an IP entry will also be created if the packets-per-second to a single NAT IP exceeds the configured DDoS protection packets-per-second IP threshold. In this scenario, the processing moves to Stage 2.
Stage2: Processing depends on the Layer4 protocol:
• TCP/UDP – If the "bad" packets-per-second to a single (NAT IP:port) pair exceeds the configured threshold, then that pair gets the selective filtering entry. For example, if UDP packets that hit a NAT IP on port 5000 exceed the threshold, then only UDP packets to port 5000 will be blocked. Other UDP packets to that NAT IP will not be affected.
• Other Layer4 protocols – If the “bad"packets-per-second to a single (NAT IP: Layer 4 protocol) pair exceeds the configured threshold, that pair gets an entry. For example, if GRE (ip protocol 47) packets to one NAT IP exceeds the threshold for Other protocols, then only GRE packets to that NAT IP will be blocked.
Is there any way on F5 to track IP + Port for TCP and UDP and IP + L4 Protocol for protocols other than TCP and UDP ?