DDoS Detector Module Configuration
The Module is highly configurable. Click on DDoS Detector and you will be presented with the following screen.
Change the configuration parameters as desired and press the button. You don’t need to restart NetFlow Optimizer or enable/disable the Module for the new parameters to take effect.
| Parameter | Description |
|---|---|
| Max number of suspicious TCP/IP sessions origins to be reported | Maximum number of TCP/IP sessions reported by the TCP/IP Information and Application Protocol Level Attack experts (min = 0, max = 10000, default = 25) |
| Min number of invalid TCP/IP sessions that makes their origin subject to reporting | Minimum number of invalid TCP/IP sessions that triggers reporting by the TCP/IP Information and "Low and Slow" experts (min = 1, max = 100, default = 10) |
| Report intermediate alert notifications | 1 – report intermediate alert notifications, 0 – do not report intermediate alert notifications (default = 1) |
| Disable internal events correlation mechanism | 1 – disable the internal event correlator, 0 – enable the internal event correlator (default = 0) |
| The number of "Low and Slow" hosts to be reported at a time | Number of "Low and Slow" hosts reported by the Low and Slow Attack expert (min = 0, max = 10000, default = 25) |
| Enable (1) or disable (0) resolving host's Fully Qualified Domain Name | 1 – enable DNS host name resolution, 0 – disable DNS host name resolution (default = 0) |
| Enable (1) or disable (0) reporting by host's geographic location | 1 – enable GeoIP enrichment, 0 – disable GeoIP enrichment (default = 0) |
| Min number of different IP addresses | Minimum number of different IP addresses that triggers reporting by the New IP Addresses Arrival Rate and Elevated Noise Level experts (min = 1, max = 1000000, default = 100) |
| Slow connections threshold (Bps) | The "Low and Slow" expert monitors only long TCP sessions where the ingress traffic rate is below this threshold and egress carries no payload, or vice versa (min = 1, max = 1000000, default = 1024) |
| TCP threshold (pps) | Used by the "Network Traffic Properties" expert. When the TCP packet rate is below this threshold, the attack is not reported (min = 1, max = 1000000000, default = 1000) |
| UDP threshold (pps) | Used by the "Network Traffic Properties" expert. When the UDP packet rate is below this threshold, the attack is not reported (min = 1, max = 1000000000, default = 1000) |
| ICMP threshold (pps) | Used by the "Network Traffic Properties" expert. When the ICMP packet rate is below this threshold, the attack is not reported (min = 1, max = 1000000000, default = 100) |
| Continue reporting ongoing attacks | 1 – continue reporting an ongoing attack periodically, 0 – report only the beginning of the attack or when the confidence level increases (default = 1) |
This section contains the data collection intervals for the various attack types.
Please contact NetFlow Logic support before changing the data collection intervals.
| Data Collection Interval | Description |
|---|---|
| Network traffic metrics | Time interval between two successive invocations of the network traffic analysis mechanism, in seconds |
| New IP addresses arrival rate | Time interval between two successive invocations of the IP addresses composition mechanism, in seconds |
| Noise level in the network | Time interval between two successive invocations of the noise level in the network tracker, in seconds |
| TCP/IP traffic characteristics | Time interval between two successive invocations of the TCP/IP traffic monitor, in seconds |
| Suspicious TCP/IP traffic reporting | Time interval between two successive invocations of the TCP/IP traffic monitor reporting function, in seconds |
| Application protocol requests | Time interval between two successive invocations of the Application Protocol Level Attack expert |
| Application active clients | Time interval between two successive invocations of the reporting of Application Protocol Level Attack sources |
| Low and Slow monitor | Time interval between two successive invocations of the "Low and Slow" Attack expert |
| Low and Slow peers reporting | Time interval between two successive invocations of the reporting of "Low and Slow" Attack sources |
| Maximum event reporting delay | Maximum time between event detection and reporting to the external system, in seconds |
This section contains the Module Configuration Data set.
Specify the data set parameters.
| Data set | Description |
|---|---|
| List of monitored network servers | The list of applications you want to protect against application level attacks. It should be specified in the format `[IPv4 Address],[Port],[IP Protocol],[Protocol name]`, for example `10.10.20.11,80,6,HTTP` |
| IPv4 address block and country code | Mapping of country codes to IP address blocks. This list is updated by the External Data Feeder for NFO, which uses the MaxMind GeoLite Country database as its source |
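As an added example, not part of the NetFlow Optimizer documentation or product, here is a Python validator for the monitored network server list in the format above. Every entry in the sample other than `10.10.20.11,80,6,HTTP` is constructed; the point is that a malformed line is reported with its line number instead of being silently dropped, which would otherwise leave that server unprotected by the Application Protocol Level Attack expert.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class MonitoredServer:
    ip: str
    port: int
    ip_protocol: int
    name: str

def parse_monitored_server(line: str) -> MonitoredServer:
    """Parse one '[IPv4 Address],[Port],[IP Protocol],[Protocol name]' entry."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}")
    ip_s, port_s, proto_s, name = fields
    ip = ipaddress.ip_address(ip_s)  # raises ValueError on malformed text
    if ip.version != 4:
        raise ValueError(f"IPv4 address required, got {ip_s}")
    port, proto = int(port_s), int(proto_s)  # ValueError if not integers
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not 0 <= proto <= 255:  # IP protocol numbers are one octet (6 = TCP, 17 = UDP)
        raise ValueError(f"IP protocol number out of range: {proto}")
    if not name:
        raise ValueError("protocol name must not be empty")
    return MonitoredServer(str(ip), port, proto, name)

def load_monitored_servers(text: str):
    """Parse a whole data set. Returns (valid entries, error messages) so that
    a bad line is surfaced instead of silently dropping a protected server."""
    servers, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            servers.append(parse_monitored_server(line))
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return servers, errors

# Constructed sample data set (not from the page); lines 4 and 5 are deliberately invalid.
SAMPLE = """10.10.20.11,80,6,HTTP
10.10.20.12,443,6,HTTPS
10.10.20.13,53,17,DNS
10.10.20.14,70000,6,HTTP
2001:db8::1,80,6,HTTP
"""
```

Calling `load_monitored_servers(SAMPLE)` returns the three valid entries plus two error messages, one for the out-of-range port and one for the IPv6 address.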