Monitoring & Operations

Once the DDoS Detector is active, the primary operational concept is the Confidence Score -- a single value that represents the degree of agreement between the module's Analytical Experts. Understanding how to read and act on confidence scores is the foundation of day-to-day operations.


Confidence Scores

The Confidence Score is generated by the Correlator after aggregating findings across the active Analytical Experts. The higher the score, the more independent lines of evidence are pointing to the same conclusion.

| Confidence Score | Meaning | Operational Response |
|---|---|---|
| High (90-100%) | Multiple experts (e.g., Protocol Integrity and Volumetric) strongly agree an attack is occurring. | Critical: Trigger immediate automated mitigation or emergency SOC response. |
| Medium (50-89%) | Significant anomalies detected, but behavior could resemble a legitimate "Flash Crowd." | Investigate: Review the "Victim" traffic to see if a marketing event or scheduled task is responsible. |
| Low (< 50%) | Deviations detected by a single expert; potentially background noise or a minor anomaly. | Monitor: No immediate action required; used for long-term trend analysis. |
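
The following is an added example (not part of the NFO documentation or product) showing how a SOC automation script could apply the bands above to alerts forwarded as JSON. The alert field names (victim, confidence, experts) and the sample alerts are constructed assumptions, not NFO's real output schema; it also adds a sanity check that a High score reported by only one expert is routed to an analyst instead of triggering automated mitigation.

```python
import json

# Constructed sample alerts in the shape NFO might forward as JSON. The field
# names (victim, confidence, experts) are assumptions, not NFO's real schema.
SAMPLE_ALERTS = [
    '{"victim": "203.0.113.10", "confidence": 97, "experts": ["Protocol Integrity", "Volumetric"]}',
    '{"victim": "203.0.113.20", "confidence": 72, "experts": ["Volumetric"]}',
    '{"victim": "203.0.113.30", "confidence": 41, "experts": ["Volumetric"]}',
    '{"victim": "203.0.113.40", "confidence": 95, "experts": ["Volumetric"]}',
]

# Victims with a known scheduled event (marketing campaign, batch job) that can
# legitimately look like a Flash Crowd. Constructed for this example.
SCHEDULED_EVENTS = {"203.0.113.20"}


def confidence_band(score):
    """Map a Confidence Score (0-100) to the band used in the table above."""
    if not 0 <= score <= 100:
        raise ValueError(f"confidence out of range: {score}")
    if score >= 90:
        return "High"
    if score >= 50:
        return "Medium"
    return "Low"


def triage(alert_json, scheduled_events=SCHEDULED_EVENTS):
    """Return the operational response for one forwarded alert."""
    alert = json.loads(alert_json)
    band = confidence_band(alert["confidence"])
    experts = alert.get("experts", [])
    if band == "High" and len(experts) < 2:
        # High is defined as several experts agreeing; a single-expert High
        # alert is inconsistent, so hand it to an analyst rather than mitigate.
        return {"victim": alert["victim"], "band": band, "action": "investigate",
                "reason": "single expert at High confidence"}
    if band == "High":
        action, reason = "mitigate", "multiple experts agree"
    elif band == "Medium":
        if alert["victim"] in scheduled_events:
            action, reason = "investigate", "possible Flash Crowd: scheduled event on victim"
        else:
            action, reason = "investigate", "anomalies without a known cause"
    else:
        action, reason = "monitor", "single-expert deviation; trend data only"
    return {"victim": alert["victim"], "band": band, "action": action, "reason": reason}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(triage(line))
```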

Operational Best Practices

  • Threshold Tuning: While NFO is operational within 15 minutes without a baseline, you can refine the sensitivity of specific Experts via Module Parameters to better suit your unique traffic patterns.
  • Incident Forensics: Use the historical data in Splunk to perform a post-mortem on blocked attacks. This helps in adjusting firewall policies or upstream ISP scrubbing rules.
  • Correlation with Identity: Combine DDoS alerts with NFO’s identity enrichment to see if an attack is originating from compromised internal assets or known external botnets.

Visualizing DDoS events

NFO can forward DDoS alerts to any supported destination via Syslog or JSON. Purpose-built visualization and alerting is currently available for Splunk via the DDoS Detector App -- see DDoS Detector App for Splunk for installation and dashboard documentation.