Monitoring & Operations
Once the DDoS Detector is active, your primary interaction with the solution shifts to the DDoS Detector for Splunk App. Unlike traditional security tools that overwhelm you with raw logs, NFO uses the intelligence of its six "Analytical Experts" to provide a prioritized view of network health.
Understanding the Dashboards
The DDoS Detection dashboards are designed to move you from a high-level alert to a detailed forensic root cause in just a few clicks.
1. The Security Posture View (Summary)
The DDoS Attacks Summary dashboard is your "Single Pane of Glass." It displays a real-time count of suspected attacks, traffic distribution (Incoming vs. Outgoing), and a specific breakdown of which experts—such as New IP Arrival Rate or Elevated Noise—are currently flagging anomalies.

- Suspected Attacks: Total count of active incidents currently identified by the Correlator.
- Top Victims: A bar chart identifying the internal IP addresses receiving the most suspicious traffic.
- Attacking Countries: Geographic distribution of the sources of the current flood.
2. The Attack Detail View
When you need to investigate a specific threat, the DDoS Attack Details dashboard provides a time-series graph of attack volume. This view allows you to see the exact moment an attack started and how it relates to your overall traffic levels.

- Attack Classification: The Correlator identifies the specific type of attack, such as a "TCP SYN flood from a large attacking population".
- Confidence Levels: Each identified event is clearly marked with its confidence score (e.g., "High" or "Very High"), allowing you to prioritize your response.
3. Forensic Drill-down and Map
For deep investigation, the Drill-down view provides a granular list of every Attacker IP, their country of origin, and the specific Victim Port they are targeting. The integrated Attack Origins Map visualizes the global scale of the botnet or sources involved in the incident.

Prioritizing with Confidence Scores
The most critical feature of the NFO DDoS solution is the Confidence Score generated by the Correlator. This score expresses how strongly the independent experts agree that an attack is occurring: a deviation flagged by a single expert scores low, while several experts flagging the same anomaly drives the score up.
| Confidence Score | Meaning | Operational Response |
|---|---|---|
| High (90-100%) | Multiple experts (e.g., Protocol Integrity and Volumetric) strongly agree an attack is occurring. | Critical: Trigger immediate automated mitigation or emergency SOC response. |
| Medium (50-89%) | Significant anomalies detected, but behavior could resemble a legitimate "Flash Crowd." | Investigate: Review the "Victim" traffic to see if a marketing event or scheduled task is responsible. |
| Low (< 50%) | Deviations detected by a single expert; potentially background noise or a minor anomaly. | Monitor: No immediate action required; used for long-term trend analysis. |
Operational Best Practices
- Threshold Tuning: While NFO is operational within 15 minutes without a baseline, you can refine the sensitivity of specific Experts via Module Parameters to better suit your unique traffic patterns.
- Incident Forensics: Use the historical data in Splunk to perform a post-mortem on blocked attacks. This helps in adjusting firewall policies or upstream ISP scrubbing rules.
- Correlation with Identity: Combine DDoS alerts with NFO’s identity enrichment to see if an attack is originating from compromised internal assets or known external botnets.
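The following is an added example, not code from NFO or the DDoS Detector for Splunk App. It shows how a SOC automation script might consume exported alerts and apply two points from this page at once: the confidence bands and operational responses from the table above (High 90-100 is Critical, Medium 50-89 is Investigate, Low below 50 is Monitor, with the Flash Crowd caveat on Medium), and the identity-correlation practice of checking whether any attacker address falls inside the organisation's own ranges, which is the compromised-internal-asset case. The alert record layout, the field names, the sample addresses and the internal address ranges are all assumptions constructed for the example; NFO's actual export format is not described on this page.

```python
"""Triage helper for DDoS Detector alerts (added example, not NFO code).

Applies the confidence bands from the page's table to alert records and
flags attacker addresses that sit inside the organisation's own ranges.
The record layout below is an assumption, not NFO's export format.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed sample alerts in an assumed layout (RFC 5737 documentation
# addresses for victims and external attackers; one RFC 1918 address is
# planted among the attackers to exercise the internal-asset check).
SAMPLE_ALERTS = [
    {"victim": "203.0.113.10", "victim_port": 443, "confidence": 97,
     "experts": ["Protocol Integrity", "Volumetric", "New IP Arrival Rate"],
     "attackers": ["198.51.100.7", "198.51.100.9", "10.20.30.40"]},
    {"victim": "203.0.113.22", "victim_port": 80, "confidence": 72,
     "experts": ["Volumetric"],
     "attackers": ["192.0.2.5", "192.0.2.6"]},
    {"victim": "203.0.113.10", "victim_port": 53, "confidence": 35,
     "experts": ["Elevated Noise"],
     "attackers": ["192.0.2.77"]},
]

# Assumed internal address space; replace with the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (lower bound inclusive, band name, operational response) from the table.
BANDS = (
    (90, "High", "Critical"),
    (50, "Medium", "Investigate"),
    (0, "Low", "Monitor"),
)


def band_for(confidence):
    """Map a 0-100 confidence score to its (band, response) pair."""
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence}")
    for floor, name, action in BANDS:
        if confidence >= floor:
            return name, action
    raise AssertionError("unreachable: the Low band starts at 0")


def internal_sources(attackers):
    """Return the attacker addresses that belong to internal address space."""
    return [a for a in attackers
            if any(ipaddress.ip_address(a) in net for net in INTERNAL_NETS)]


@dataclass
class TriagedAlert:
    victim: str
    victim_port: int
    confidence: int
    band: str
    action: str
    experts_agreeing: int
    internal_attackers: list
    note: str


def triage(alerts):
    """Rank alerts: Critical first, then by agreeing experts, then score."""
    ranked = []
    for alert in alerts:
        band, action = band_for(alert["confidence"])
        internal = internal_sources(alert["attackers"])
        notes = []
        if band == "Medium":
            # The table's caveat: Medium can be a legitimate Flash Crowd.
            notes.append("check for flash crowd (marketing event or scheduled task)")
        if internal:
            notes.append("internal source addresses: possible compromised asset")
        ranked.append(TriagedAlert(
            victim=alert["victim"], victim_port=alert["victim_port"],
            confidence=alert["confidence"], band=band, action=action,
            experts_agreeing=len(set(alert["experts"])),
            internal_attackers=internal, note="; ".join(notes)))
    order = {"Critical": 0, "Investigate": 1, "Monitor": 2}
    ranked.sort(key=lambda t: (order[t.action], -t.experts_agreeing, -t.confidence))
    return ranked


def top_victims(alerts, n=3):
    """Summary-dashboard style count of suspected attacks per victim."""
    return Counter(a["victim"] for a in alerts).most_common(n)


if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.action:<11} {t.victim}:{t.victim_port} "
              f"conf={t.confidence} experts={t.experts_agreeing} {t.note}")
    print("top victims:", top_victims(SAMPLE_ALERTS))
```

The sort key puts the Critical band first and, within a band, prefers alerts that more experts agree on, which follows the page's description of the score as expert agreement. The internal-address check is deliberately a plain prefix match so that it can be swapped for a lookup against NFO's identity enrichment data once its field names are known.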