
DDoS Detector Module Configuration

The Module is highly configurable. Click on DDoS Detector.

You will be presented with the following screen.

Change the configuration parameters as desired and press the button. You do not need to restart NetFlow Optimizer or disable and re-enable the Module for the new parameters to take effect.

| Parameter | Description |
|---|---|
| Max number of suspicious TCP/IP sessions origins to be reported | Maximum number of TCP/IP sessions reported by the following experts: TCP/IP Information, Application Protocol Level Attack (min = 0, max = 10000, default = 25) |
| Min number of invalid TCP/IP sessions which makes its origin subject to be reported | Minimum number of invalid TCP/IP sessions that triggers reporting by the TCP/IP Information expert and the "Low and Slow" expert (min = 1, max = 100, default = 10) |
| Report intermediate alerts notifications | 1 – report intermediate alerts notifications, 0 – do not report intermediate alerts notifications (default = 1) |
| Disable internal events correlation mechanism | 1 – disable internal event correlator, 0 – enable internal event correlator (default = 0) |
| The number of "Low and Slow" hosts to be reported at a time | The number of "Low and Slow" hosts to be reported by the Low and Slow Attack expert (min = 0, max = 10000, default = 25) |
| Enable (1) or disable (0) resolving host's Fully Qualified Domain Name | 1 – enable DNS host name resolution, 0 – disable DNS host name resolution (default = 0) |
| Enable (1) or disable (0) reporting by host's geographic location | 1 – enable GeoIP enrichment, 0 – disable GeoIP enrichment (default = 0) |
| Min number of different IP addresses | Minimum number of different IP addresses that triggers reporting by the New IP Addresses Arrival Rate and Elevated Noise Level experts (min = 1, max = 1000000, default = 100) |
| Slow connections threshold (Bps) | The "Low and Slow" expert monitors only long TCP sessions where the ingress traffic rate is below this threshold and egress has no payload, or vice versa (min = 1, max = 1000000, default = 1024) |
| TCP threshold (pps) | Used by the "Network Traffic Properties" expert. When the TCP packet rate is lower than this threshold, the attack is not reported (min = 1, max = 1000000000, default = 1000) |
| UDP threshold (pps) | Used by the "Network Traffic Properties" expert. When the UDP packet rate is lower than this threshold, the attack is not reported (min = 1, max = 1000000000, default = 1000) |
| ICMP threshold (pps) | Used by the "Network Traffic Properties" expert. When the ICMP packet rate is lower than this threshold, the attack is not reported (min = 1, max = 1000000000, default = 100) |
| Continue reporting ongoing attacks | 1 – continue reporting an ongoing attack periodically, 0 – report only the beginning of the attack or when the confidence level is increased (default = 1) |

This section contains the data collection intervals for the various attack types.

Note: Please contact NetFlow Logic support before changing the data collection intervals.

| Data Collection Interval | Description |
|---|---|
| Network traffic metrics | Time interval between two successive invocations of the network traffic analysis mechanism, in seconds |
| New IP addresses arrival rate | Time interval between two successive invocations of the IP addresses composition mechanism, in seconds |
| Noise level in the network | Time interval between two successive invocations of the noise level in the network tracker, in seconds |
| TCP/IP traffic characteristics | Time interval between two successive invocations of the TCP/IP traffic monitor, in seconds |
| Suspicious TCP/IP traffic reporting | Time interval between two successive invocations of the TCP/IP traffic monitor reporting function, in seconds |
| Application protocol requests | Time interval between two successive invocations of the Application Protocol Level Attack expert |
| Application active clients | Time interval between two successive invocations of the reporting of Application Protocol Level Attack sources |
| Low and Slow monitor | Time interval between two successive invocations of the "Low and Slow" Attack expert |
| Low and Slow peers reporting | Time interval between two successive invocations of the reporting of "Low and Slow" Attack sources |
| Maximum event reporting delay | Maximum time between event detection and reporting to the external system, in seconds |

This section contains the Module Configuration data sets.

Specify the data set parameters.

| Data set | Description |
|---|---|
| List of monitored network servers | The list of applications you want to protect against application level attacks. Each entry must use the format: [IPv4 Address],[Port],[IP Protocol],[Protocol name]. For example: 10.10.20.11,80,6,HTTP |
| IPv4 address block and country code | Mapping of country codes to IP address blocks. This list is updated by External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as a source. |
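A pre-check for the monitored server list before it is saved into the Module: the entry format above is easy to get wrong, and a malformed entry means the server is silently not protected. The validator below is an added example, not NetFlow Optimizer code; it assumes the field layout shown in the table (IPv4 address, port, IANA IP protocol number, protocol name), one entry per line, and the sample list is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class MonitoredServer:
    address: str
    port: int
    ip_protocol: int
    protocol_name: str

def parse_monitored_server(line: str) -> MonitoredServer:
    """Parse one '[IPv4 Address],[Port],[IP Protocol],[Protocol name]' entry; raise ValueError naming the bad field."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}: {line!r}")
    addr_s, port_s, proto_s, name = fields
    try:
        addr = ipaddress.IPv4Address(addr_s)  # rejects IPv6 and malformed addresses
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"invalid IPv4 address {addr_s!r}") from exc
    try:
        port, proto = int(port_s), int(proto_s)
    except ValueError as exc:
        raise ValueError(f"port and IP protocol must be integers: {line!r}") from exc
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range 1-65535")
    if not 0 <= proto <= 255:  # IANA IP protocol numbers, e.g. 6 = TCP, 17 = UDP
        raise ValueError(f"IP protocol {proto} out of range 0-255")
    if not name:
        raise ValueError("protocol name must not be empty")
    return MonitoredServer(str(addr), port, proto, name.upper())

def parse_monitored_servers(text: str) -> list[MonitoredServer]:
    """Parse a whole list, one entry per line, skipping blank and '#' comment lines."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            servers.append(parse_monitored_server(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return servers

# Constructed sample list (not taken from the product documentation).
SAMPLE = "10.10.20.11,80,6,HTTP\n10.10.20.12,443,6,HTTPS\n10.10.20.13,53,17,DNS\n"
```

Run it over the text you intend to paste into the data set; the first bad line is reported with its line number and the field that failed.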