DDoS Detector Module Configuration

The Module is highly configurable. Click on DDoS Detector.

You will be presented with the following screen.

Change configuration parameters as desired and press the button. You don’t need to restart NetFlow Optimizer nor enable/disable the Module in order for the new parameters to take effect.

Parameter

Description

Max number of suspicious TCP/IP sessions origins to be reported

Maximum number of TCP/IP sessions reported by the following experts: TCP/IP Information, Application Protocol Level Attack (min = 0, max = 10000, default: 25)

Min number of invalid TCP/IP sessions which makes its origin subject to be reported

Minimum number of invalid TCP/IP sessions that triggers reporting by TCP/IP Information expert and "Low and Slow" expert (min = 1, max = 100, default = 10)

Report intermediate alerts notifications

1 – report intermediate alerts notifications, 0 – do not report intermediate alerts notifications (default = 1)

Disable internal events correlation mechanism

1 – disable internal event correlator, 0 – enable internal event correlator (default = 0)

The number of "Low and Slow" hosts to be reported at a time

The number of "Low and Slow" hosts to be reported by Low and Slow Attack expert (min = 0, max = 10000, default = 25)

Enable(1) or disable (0) resolving host's Fully Qualified Domain Name

1 – enable DNS host name resolution, 0 – disable DNS host name resolution (default = 0)

Enable(1) or disable (0) reporting by host's geographic location

1 – enable GeoIP enrichment, 0 – disable GeoIP enrichment (default = 0)

Min number of different IP addresses

Minimum number of different IP addresses that triggers reporting by the New IP Addresses Arrival Rate and Elevated Noise Level experts (min = 1, max = 1000000, default = 100)

Slow connections threshold (Bps)

"Low and Slow" expert monitors only long TCP sessions, where ingress traffic rate is below this threshold and egress has no payload or vice versa. (default 1024, min 1, max 1000000)

TCP threshold (pps)

This parameter is used by "Network Traffic Properties" expert. When TCP packet rate is lower than this threshold value, the attack is not reported. (default 1000, min 1, max 1000000000)

UDP threshold (pps)

This parameter is used by "Network Traffic Properties" expert. When UDP packet rate is lower than this threshold value, the attack is not reported. (default 1000, min 1, max 1000000000)

ICMP threshold (pps)

This parameter is used by "Network Traffic Properties" expert. When ICMP packet rate is lower than this threshold value, the attack is not reported. (default 100, min 1, max 1000000000)

Continue reporting ongoing attacks

1 – continue reporting ongoing attack periodically, 0 – report only the beginning of the attack or when the confidence level is increased (default = 1)

This section contains data collection intervals for various attack type.

Please contact NetFlow Logic support before changing Data collection intervals.

Data Collection Interval

Description

Network traffic metrics

Time interval between two successive invocations of the network traffic analysis mechanism, in seconds

New IP addresses arrival rate

Time interval between two successive invocations of the IP addresses composition mechanism, in seconds

Noise level in the network

Time interval between two successive invocations of the noise level in the network tracker, in seconds

TCP/IP traffic characteristics

Time interval between two successive invocations of the TCP/IP traffic monitor, in seconds

Suspicious TCP/IP traffic reporting

Time interval between two successive invocations of the TCP/IP traffic monitor reporting function, in seconds

Application protocol requests

Time interval between two successive invocations of the Application Protocol Level Attack expert

Application active clients

Time interval between two successive invocations of the reporting of Application Protocol Level Attack sources

Low and Slow monitor

Time interval between two successive invocations of the "Low and Slow" Attack expert

Low and Slow peers reporting

Time interval between two successive invocations of the reporting of "Low and Slow" Attack sources

Maximum event reporting delay

Maximum time between event detection and reporting to external system, in seconds

This section contains Module Configuration Data set.

Specify the data set parameters.

Data set

Description

List of monitored network servers

This is the list of applications you want to protect against application level attacks. It should be specified in the following format:

[IPv4 Address],[Port],[IP Protocol],[Protocol name]

For example: 10.10.20.11,80,6,HTTP

IPv4 address block and country code

Mapping of country codes to IP addresses blocks. This list is updated by External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as a source