Table Of Contents
Monitoring Guard and Zone Operations
Viewing the Guard Summary Screen
Using the Guard Global Diagnostic Tools
Viewing the Global Counters
Viewing the Guard Counters in Real Time
Viewing the Guard Event Log
Viewing the Zone Status Screen
Zone Status Bar
Zone Traffic Rate Graph
Zone Status Table
Zone Recent Events Table
Using the Zone Diagnostic Tools
Viewing the Zone Counters
Using Zone Counters to Analyze Traffic Flow
Analyzing Zone Traffic Problems
Viewing the Zone Counters in Real Time
Viewing the Zone Event Log
Viewing the Attacks Summary Report
Viewing Details of an Attack Report
Viewing Report Details of a Past Attack
Viewing Details of a Current Attack
Understanding Attack Report Details
General Attack Information
Attack Statistics
Dropped/Bounced Packets
Detected Anomalies
Viewing Details of Detected Anomalies
Mitigated Attacks
Viewing Mitigated Attack Details
HTTP Detected Zombies
Exporting an Attack Report
Deleting an Attack Report
Viewing the HTTP Zombies List
Viewing the Policy Statistics Table
Viewing the Drop Statistics Table
Monitoring Guard and Zone Operations
This chapter describes how to perform tasks used for monitoring the status of the Cisco Guard and its zones. Also described in this chapter are the WBM statistical tools that enable you to diagnose problems related to zone traffic flow.
This chapter includes the following sections:
• Viewing the Guard Summary Screen
• Using the Guard Global Diagnostic Tools
• Viewing the Zone Status Screen
• Using the Zone Diagnostic Tools
Viewing the Guard Summary Screen
The Guard Summary screen (see Figure 10-1) provides a summary of the current Guard activity. It is the first screen to appear when connecting to the Guard WBM. You can access the Guard Summary screen from the following locations within the interface:
• Click Guard Summary from the navigation pane.
• Click Home from the information area.
Figure 10-1 Guard Summary Screen
The Guard Summary screen includes the following two areas:
• Guard Summary—Graphical summary of the traffic that the Guard handled over the last two hours in bits per second (bps). Legitimate traffic the Guard forwarded to the protected zones appears in green. Malicious traffic the Guard detected appears in red.
Table 10-1 describes the information that appears below the graph.
Table 10-1 Field Descriptions for Guard Summary Graph
Field | Description
Min. | Minimum traffic rate measured during the last two hours in bits per second (bps).
Max. | Maximum traffic rate measured during the last two hours in bits per second (bps).
Avg. | Average traffic rate measured during the last two hours in bits per second (bps).
Cur. | Current traffic rate in bits per second (bps).
The information appears separately for legitimate traffic and for malicious traffic.
• Currently Protected Zones—Status information of the zones the Guard is currently protecting. The zone information the Guard displays here varies depending on which of the following zone protection modes you activate:
– Protect—The Guard displays the zone information whether or not the zone is under attack.
– Protect and Learn—The Guard displays zone information only when the zone is under attack.
The Guard lists the zones in the order in which they encountered attacks, with the most recently attacked zone appearing at the top of the list. You can click the information the Guard displays in each row to view the associated zone summary screen.
Table 10-2 describes the fields for currently protected zones.
Table 10-2 Field Descriptions for Zones Currently Protected
Fields | Description
Zone | Zone name. The zone name also provides a link to the zone status screen of the specific zone.
Activation Time | Date and time that zone protection was activated.
Attack Start Time | Date and time the most recent attack on the zone was detected.
#DF | Number of Dynamic filters. Because the Guard only creates a Dynamic filter when it detects an anomaly, a #DF value greater than zero indicates an attack on the zone.
#PF | Number of Pending Dynamic filters. The display is N/A if the zone is operating in automatic operation mode (not interactive operation mode).
Legitimate Rate | Current rate of legitimate traffic forwarded by the Guard to the zone, measured in bits per second (bps).
Malicious Rate | Current rate of malicious traffic targeting the zone, measured in bits per second (bps).
Thumbnail of the zone traffic summary | Graph displaying a summary of the traffic to the zone in the last half hour. The traffic rate appears in bits per second (bps). Legitimate traffic rate appears in green. Malicious traffic rate appears in red.
Using the Guard Global Diagnostic Tools
The Guard provides diagnostic information to assist you in monitoring and troubleshooting global events. The following diagnostics tools are available from the Guard Summary menu:
• Viewing the Global Counters
• Viewing the Guard Counters in Real Time
• Viewing the Guard Event Log
Viewing the Global Counters
The Counters screen provides a more in-depth analysis of the counter information the Guard displays in the Guard summary screen. From the Counters screen, you can manipulate the information the Guard displays in the traffic rates graph.
To view the Guard counters:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Diagnostics > Counters from the Guard summary menu. The Guard Counters screen appears (see Figure 10-2). By default, the graph displays the legitimate and malicious traffic over the last two hours, measured in bits per second (bps).
Step 3
(Optional) To add or remove counter information the Guard displays in the traffic rate graph, click the check box next to the desired traffic counter type to select or deselect a counter type, then click Update Graph. The Guard updates the graph.
Traffic counter types:
• Legitimate—Legitimate traffic forwarded by the Guard to the zone.
• Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.
• Dropped—Packets that were identified by the Guard as part of an attack and dropped.
• Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guard as Spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) To modify the time period of the displayed information, select a graph time period from the Graph Period drop-down list, then click Update Graph. The Guard updates the graph.
By default, the traffic rate graph displays counter information recorded in the last two hours.
Step 5
(Optional) To change the unit of measurement the Guard uses in the traffic rate graph, select a unit of measurement from the Graph Type drop-down list, then click Update Graph. The Guard updates the graph.
Units of measurement:
• pps—Packets per second
• bps—Bits per second
Figure 10-2 Guard Global Counters/Rates
Table 10-3 describes the fields for each of the counters.
Table 10-3 Field Descriptions for Counters in Counter Report
Field | Description
Shown in Graph | Type of counter information displayed in the traffic rates graph.
Packets | Total number of packets since the Guard was reactivated.
Bits | Total number of bits since the Guard was reactivated.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
A legend identifying the different counters appears below the graph. The minimum, maximum, and average rates for each counter are displayed for the time period selected.
Viewing the Guard Counters in Real Time
The Guard allows you to view the global counters information in real time.
Note
You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section in "Introduction").
To view the counters in real time:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Diagnostics > Real time counters from the Guard summary menu. The Real time counters screen appears.
Step 3
(Optional) To modify the view of the traffic rate graph, check the check box next to the desired traffic counter type (under Show in Graph) to include it in the graph. The Guard updates the traffic rate graph.
Traffic counter types:
• Legitimate—Legitimate traffic forwarded by the Guard to the zone.
• Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.
• Dropped—Packets that were identified by the Guard as part of an attack and dropped.
• Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guard as Spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) To change the unit of measurement the Guard uses in the traffic rate graph, click one of the following Graph Type options. The Guard updates the traffic rate graph.
• bps—bits per second
• pps—packets per second
See Table 10-3 for a description of the information in the Real Time Global Counter/Rates table.
Viewing the Guard Event Log
The Event log displays monitoring and troubleshooting information for events that relate to the protected zones and to Guard operation.
To view the contents of the event log:
Step 1
Click Guard Summary from the navigation pane. The Guard summary menu appears.
Step 2
Choose Diagnostics > Event log from the Guard summary menu. The Events screen appears (see Figure 10-3). Use the navigation tool provided above the events table to scroll through the events listed.
Step 3
(Optional) To control which events display in the events table, select one of the following options, then click Filter Events. The Guard updates the events table.
• Show all Events—Displays the events of every severity level.
• Show events with severity level—Displays only the events of the severity levels you select. Select the desired severity levels:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notify
Figure 10-3 Event Log
Table 10-4 shows the possible event severity levels.
Table 10-4 Event Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
Note
The event logs only display zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, and Notification. See the "Viewing the Zone Event Log" section for further details on zone event logs.
Viewing the Zone Status Screen
The zone status screen (see Figure 10-4) provides a summary of the zone operating status. You can navigate to this screen in the following ways:
• Select the zone from the All Zones list in the navigation pane.
• If the zone is currently in protect mode, select the zone from the Protected Zones list in the navigation pane.
• From the navigation path of any zone-specific screen, click Zone.
• Select the zone from the zone list (Guard Summary > Zones > Zone list).
The zone status screen is divided into four areas:
• Zone status bar (see the "Zone Status Bar" section)
• Zone traffic rate graph (see the "Zone Traffic Rate Graph" section)
• Zone status table (see the "Zone Status Table" section)
• Zone recent events table (see the "Zone Recent Events Table" section)
The zone status screen contains function buttons that display just above the traffic rates graph. The WBM displays different function buttons depending on the current operating mode of the zone.
If the zone is in standby mode, the following function buttons appear:
• Protect & Learn—Switches the zone to protect and learn operating mode. This allows you to protect a zone while performing the threshold tuning phase of the learning process.
• Protect—Switches the zone to protect operating mode. This is equivalent to selecting Protection > Protect from the zone main menu.
If the zone is currently in Protect, or Protect and Learn mode, the following function buttons appear:
• Deactivate—Deactivates the zone protect operating mode. This is equivalent to selecting Protection > Deactivate from the zone main menu. If the zone is operating in Protect and Learn mode and you click Deactivate, you have the option of deactivating zone protection, learning, or both operations.
• Report—Provides a link to the current attack report. This is equivalent to selecting Diagnostics > Attack reports from the zone main menu and clicking the current attack (the attack whose end time reads attack in progress). The Report button is only available if there is an attack in progress. See the "Viewing Details of a Current Attack" section for further details.
Figure 10-4 Zone Status Screen
Zone Status Bar
The zone status bar runs across the top of the zone status screen and provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:
• The name of the zone.
• The zone operation mode—Zone operation mode setting that dictates whether the Guard operates in automatic or interactive operation mode for the zone. See the "Automatic and Interactive Zone Operation Modes" and "Changing Zone Operation Modes" sections for details on zone operation mode settings.
• The zone operating status—Zone operating state. The operating status can be Protected, Protected/Tuning Thresholds, Inactive, Constructing Policy, or Tuning Thresholds.
• Indication of new recommendations—Indicates that new Dynamic filter recommendations are available. This indication is available only if the zone operation mode is set to interactive.
Zone Traffic Rate Graph
The zone traffic rate graph displays the zone-related traffic rate over the last two hours in bits per second (bps). Legitimate traffic the Guard forwarded to the zone appears in green. Malicious traffic that was targeting the zone and the Guard dropped appears in red.
Table 10-5 describes the fields that appear below the zone traffic rate graph.
Table 10-5 Field Descriptions for Fields below Zone Traffic Rate Graph
Field | Description
Min | Minimum traffic rate measured over the last two hours in bits per second (bps).
Max | Maximum traffic rate measured over the last two hours in bits per second (bps).
Avg | Average traffic rate measured over the last two hours in bits per second (bps).
Cur | Current traffic rate in bits per second (bps).
Zone Status Table
The zone status table provides the following information:
• Active Dynamic filters—Number of active Dynamic filters.
Click Active Dynamic filters to view the Dynamic filters screen. See the "Managing Dynamic Filters" section for detailed information on Dynamic filters.
• Pending Dynamic filters—Number of pending Dynamic filters. The number of pending Dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations.
Click Pending Dynamic filters to view the Recommendations screen. See the "Managing Dynamic Filters" section for details on Dynamic filters. See the "Changing Zone Operation Modes" section for details on Guard recommendations.
• Last attack time—Date and time of the last attack on the zone.
• Activation time—Date and time that zone protection was activated.
Zone Recent Events Table
The recent events table displays the reported zone events with a minimum severity level of notify. The Guard also records the events in the zone event log and the Guard event log.
Using the Zone Diagnostic Tools
The Guard provides diagnostic information to assist you in monitoring and troubleshooting zone events. The following diagnostics tools are described in this section:
• Viewing the Zone Counters
• Viewing the Zone Counters in Real Time
• Viewing the Zone Event Log
• Viewing the Attacks Summary Report
• Viewing Details of an Attack Report
• Understanding Attack Report Details
• Exporting an Attack Report
• Deleting an Attack Report
• Viewing the HTTP Zombies List
• Viewing the Policy Statistics Table
• Viewing the Drop Statistics Table
Viewing the Zone Counters
The zone counters (see Figure 10-5) enable you to analyze zone-specific traffic information in order to verify the zone status and determine whether or not zone protection is functioning properly. You can adjust the time period of the zone counters graph view to see how zone protection is evolving.
To view the zone counter information:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Counters from the zone main menu. The zone Counters screen appears.
By default, the graph displays the legitimate and malicious traffic over the last two hours, measured in bits per second (bps).
Step 3
(Optional) To modify the view of the traffic rates graph, click the check box next to the desired counter information to include in the graph, then click Update Graph. The Guard updates the traffic rate graph.
Traffic counter types:
• Legitimate—Legitimate traffic forwarded by the Guard to the zone.
• Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.
• Dropped—Packets that were identified by the Guard as part of an attack and dropped.
• Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guard as Spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) To modify the time period of the information the Guard displays, select the desired time period from the Graph Period drop-down list, then click Update Graph. The Guard updates the screen.
By default, the traffic rates graph displays counter information recorded for the past two hours.
Step 5
(Optional) To change the unit of measurement the Guard uses, select the desired unit of measurement from the Graph Type drop-down list, then click Update Graph. The Guard updates the screen.
Units of measurement:
• pps—Packets per second
• bps—Bits per second
Figure 10-5 Zone Counters
The Zone Current Counters/Rates table displays the following information:
• Shown in Graph—Specifies whether the counter is displayed in the graph.
• Counter—Type of available counters.
• Packets—Total number of packets destined to the zone since last activation.
• Bits—Total number of bits destined to the zone since last reload.
• pps—Current traffic rate destined to the zone, measured in packets per second.
• bps—Current traffic rate destined to the zone, measured in bits per second.
A legend identifying the counters appears below the traffic rates graph. The minimum, maximum, and average rates for each counter display for the time period you select.
Using Zone Counters to Analyze Traffic Flow
It is important that you analyze the traffic flow in order to determine whether or not traffic is flowing properly to an active zone. The following information describes how to analyze traffic flow, recognize possible problems, and provide solutions:
• If the number of received and legitimate packets is greater than zero, this indicates that the Guard traffic diversion mechanism is functioning properly.
• If the number of received packets is greater than the number of legitimate packets and the number of malicious packets is greater than zero, this indicates that the zone is under attack and zone protection is functioning properly. To verify the zone is under attack, look at the zone summary screen to see if the Guard is producing Dynamic filters to handle an attack (see the "Viewing the Zone Status Screen" section).
Based on your experience and knowledge of the network traffic, pay close attention to the following operating tips:
• If there are dropped packets, you should verify whether or not a trusted source IP address is blocked by a Dynamic filter. You may want to consider having the traffic from that source IP address bypass the Guard filters (see the "Managing Bypass Filters" section).
• If a policy has produced Dynamic filters that drop too many IP flows, verify whether or not filters are blocking flows from source IP addresses that seem legitimate but are sending traffic at rates above the thresholds. In such a situation, you may want to consider increasing the policy threshold or preventing the policy from producing additional Dynamic filters by deactivating it. Refer to "Managing Zone Policies" for details on modifying a zone policy.
• If the current rate (pps or bps) of received packets equals zero or the number of legitimate packets remains constant over a long period of time, this can indicate a problem. Refer to the "Analyzing Zone Traffic Problems" section for troubleshooting information relating to this type of situation.
Analyzing Zone Traffic Problems
If the received counters (packets or bits) or legitimate counters (packets or bits) equal zero, this could indicate a problem relating to either one, or both, of the following situations:
• The Guard does not receive the packets destined to the zone (received counters = 0)—This indicates a diversion problem with zone traffic or a network configuration problem.
• The Guard receives the zone diverted traffic packets, but blocks them from being forwarded to the zone (received counters > 0 and legitimate current rate (pps or bps) = 0 over a period of time)—This may indicate legitimate traffic was falsely identified as malicious traffic and is being dropped.
The example graph shown in Figure 10-6 illustrates a situation in which almost all the traffic destined to the zone is dropped. You should scan the Dynamic filters the Guard produced for a drop-action filter and consider the following suggestions:
– Delete the drop-action Dynamic filter.
– Deactivate the policy that produced the drop-action Dynamic filter so the policy can no longer produce drop-action Dynamic filters. If you do not take this action, the drop-action filter will reappear after you delete the filter.
Figure 10-6 Problem analysis: Rcv >0, Legitimate = 0
Caution
When you deactivate a policy, you may compromise zone protection as the Guard will no longer apply the policy to the traffic flow.
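As an added example that is not part of the Cisco Guard documentation or product, the following Python code encodes the counter relationships given under Traffic counter types (Received = Legitimate + Malicious, Malicious = Dropped + Spoofed) and the traffic-flow rules of the two preceding sections as a checker that runs over a window of counter readings. The ZoneSample class, the function names, the result codes and the pps values are assumptions constructed for this example, not Guard APIs or Guard output.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ZoneSample:
    """One reading of a zone's current rates (pps), mirroring the rows of the
    Zone Current Counters/Rates table. Constructed for this example."""
    received: int
    legitimate: int
    malicious: int
    dropped: int
    spoofed: int
    active_dynamic_filters: int = 0  # the #DF value shown on the Guard Summary screen


def check_counter_consistency(s: ZoneSample) -> List[str]:
    """Return the counter relationships stated in the chapter that this reading
    violates. An empty list means the reading is internally consistent."""
    problems = []
    if s.received != s.legitimate + s.malicious:
        problems.append("received != legitimate + malicious")
    if s.malicious != s.dropped + s.spoofed:
        problems.append("malicious != dropped + spoofed")
    if min(s.received, s.legitimate, s.malicious, s.dropped, s.spoofed) < 0:
        problems.append("negative counter value")
    return problems


def diagnose_zone(samples: List[ZoneSample]) -> Tuple[str, str]:
    """Apply the chapter's traffic-flow rules to consecutive readings of one zone.

    Rules phrased 'over a period of time' are evaluated over the whole window,
    so a single odd reading does not raise an alarm by itself.
    Returns (code, operator guidance)."""
    if not samples:
        raise ValueError("need at least one counter sample")
    for i, s in enumerate(samples):
        bad = check_counter_consistency(s)
        if bad:
            return ("INCONSISTENT", f"sample {i}: " + "; ".join(bad))

    # Rule: received counters = 0 -> zone traffic is not reaching the Guard.
    if all(s.received == 0 for s in samples):
        return ("DIVERSION_PROBLEM",
                "Guard receives no zone traffic: check traffic diversion "
                "and network configuration")

    # Rule: received > 0 but legitimate rate = 0 over the period -> legitimate
    # traffic may be falsely identified as malicious and dropped. A cumulative
    # Legitimate packet counter that stays constant is the same condition.
    if all(s.received > 0 and s.legitimate == 0 for s in samples):
        return ("LEGITIMATE_BLOCKED",
                "received > 0 and legitimate = 0: inspect the Dynamic filters "
                "for a drop-action filter and the policy that produced it")

    latest = samples[-1]
    # Rule: received > legitimate and malicious > 0 -> zone under attack;
    # confirm by checking that the Guard is producing Dynamic filters (#DF > 0).
    if latest.received > latest.legitimate and latest.malicious > 0:
        if latest.active_dynamic_filters > 0:
            return ("UNDER_ATTACK",
                    "malicious traffic present and Dynamic filters active: "
                    "zone protection is functioning")
        return ("MALICIOUS_UNCONFIRMED",
                "malicious counters > 0 but #DF = 0: verify the attack on "
                "the zone status screen")

    # Rule: received and legitimate both > 0 -> diversion mechanism functioning.
    return ("NORMAL", "diversion functioning; no malicious traffic measured")


# Constructed sample windows, one reading per entry (all values in pps).
HEALTHY = [ZoneSample(1500, 1500, 0, 0, 0), ZoneSample(1620, 1620, 0, 0, 0)]
ATTACK = [ZoneSample(52000, 1400, 50600, 20600, 30000, active_dynamic_filters=3)]
NOT_DIVERTED = [ZoneSample(0, 0, 0, 0, 0)] * 3
ALL_DROPPED = [ZoneSample(1500, 0, 1500, 1500, 0, active_dynamic_filters=1),
               ZoneSample(1480, 0, 1480, 1480, 0, active_dynamic_filters=1)]

if __name__ == "__main__":
    for name, window in [("healthy", HEALTHY), ("attack", ATTACK),
                         ("not diverted", NOT_DIVERTED), ("all dropped", ALL_DROPPED)]:
        code, guidance = diagnose_zone(window)
        print(f"{name:13s} -> {code}: {guidance}")
```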
Viewing the Zone Counters in Real Time
The Guard allows you to view the zone counter information in real time.
Note
You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section in "Introduction").
To view the counters in real time:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Real time counters from the zone main menu. The zone Real time counters screen appears.
Step 3
(Optional) To modify the view of the traffic rate graph, check the check box next to the desired traffic counter type (under Show in Graph) to include it in the graph. The Guard updates the traffic rate graph.
Traffic counter types:
• Legitimate—Legitimate traffic forwarded by the Guard to the zone.
• Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.
• Dropped—Packets that were identified by the Guard as part of an attack and dropped.
• Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guard as Spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) To change the unit of measurement the Guard uses in the traffic rate graph, click one of the following Graph Type options. The Guard updates the traffic rate graph.
• bps—bits per second
• pps—packets per second
For information on using the counter information to analyze zone traffic and problems, refer to the "Using Zone Counters to Analyze Traffic Flow" and "Analyzing Zone Traffic Problems" sections.
Viewing the Zone Event Log
The zone event log provides useful monitoring and troubleshooting information.
To view the contents of the zone event log:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Event log from the zone main menu. The zone Events screen appears (see Figure 10-7).
Step 3
(Optional) To manage which events display, select one of the following options then click Filter Events to update the display:
• Show all Events—Displays the events of every severity level.
• Show events with severity level—Displays only the events of the severity levels you select. Select the desired severity levels:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notify
Figure 10-7 Zone Event Log
Table 10-6 describes the different event severity levels.
Table 10-6 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
Viewing the Attacks Summary Report
The Guard provides a high-level attacks summary report for each zone to help you form a clearer picture of the attacks on the zone that the Guard detects. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. The Guard records the relevant details during an attack and organizes the data into different categories. The report provides details of the total number and intensity of the attacks along with a short summary of each attack. The Guard also presents the attack data in a graph format.
To view the zone attacks summary report:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears. By default, the report displays attack information for the last month.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and select a date from the calendar pop-up.
The Attack Summary Report screen consists of the following areas:
• Protection Graph—Provides a graphical summary of the attacks during the user-defined period of time.
Figure 10-8 Zone Protection Summary Report—Protection Graph
The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate is displayed.
To view attack details, click on the attack bar in the graph to open the attack report (see the "Viewing Details of an Attack Report" section).
• Total Attack Statistics Table—Provides information on the number of attacks on the zone and the aggregated attack details during the period of time you defined (see Figure 10-9).
Figure 10-9 Zone Protection Summary Report—Total Attack Statistics
Table 10-7 describes the fields in the Total Attack Statistics Table.
Table 10-7 Field Descriptions for Total Attack Statistics Table
Field | Description
Attacks Mitigated | Number of attacks mitigated.
Attacks Duration | Aggregated duration of the mitigated attacks.
Max. Traffic Rate | Maximum rate of malicious traffic destined to the zone.
Total Rx | Total amount of traffic the Guard received that was destined to the zone.
Total Blocked | Total amount of traffic destined to the zone that the Guard dropped.
Legitimate vs. Malicious Traffic | Pie chart display of the percentage of the malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total zone traffic.
• Per Attack Summary Table—Provides a table with a list of the DDoS attacks on the zone during the time period you defined (see Figure 10-10). You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting an Attack Report" section) or export the contents of an attack report (see the "Exporting an Attack Report" section).
Figure 10-10 Zone Protection Summary Report—Per Attack Summary
Table 10-8 describes the fields in the columns of the Per Attack Summary table.
Table 10-8 Field Descriptions for Summary Report
Field | Description
# | Identification number (ID) of the mitigated attack.
Start time | Date and time of the mitigated attack.
Duration | Duration of the mitigated attack in hours, minutes, and seconds.
Type | Type of mitigated attack. Possible values are:
  • Client Attack—All non-spoofed traffic anomalies.
  • Malformed Packets—All traffic anomalies identified as consisting of maliciously malformed packets.
  • Spoofed—Traffic anomalies identified as a DDoS attack coming from a spoofed source.
  • User Defined—All anomalies handled by the user filters. These can either function by default or be user configured.
  • Zombie—Traffic anomalies identified as having been originated by zombies.
  • Hybrid—An attack made up of several attacks with different characteristics.
  • Traffic Anomaly—An anomaly that was only detected for a short period of time and therefore did not require mitigation.
Peak (pps) | Maximum attack rate measured in packets per second.
Received Pkts | Total number of packets destined to the zone that were handled by the Guard during the attack.
Legitimate vs. Malicious Traffic | Pie chart that displays the percentage of malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total traffic during the attack.
Note
To view attack details, click in any of the rows of the Per Attack Summary table (see the "Viewing Details of an Attack Report" section).
• Sub-Zone Reports—Provides a list of sub-zones. Sub-zones are zones that the Guard created to protect a partial zone (a zone that does not include the complete IP address range of the source zone). The Guard erases the sub-zone when protection for the sub-zone ends. To view the attack reports of the sub-zone, click the sub-zone name. Refer to the "Understanding Sub-zones" section in "Creating and Configuring Zones" for additional information on sub-zones.
Viewing Details of an Attack Report
The Guard allows you to display details of an attack report listed in the Attacks Summary screen. The attack report gives details of the attack, starting with the production of the first Dynamic filter, and ending with protection termination (either by a user decision or by the action of a timeout parameter).
The Guard records the relevant details during an attack and organizes the data into categories. You can view the details of past and current attacks.
Viewing Report Details of a Past Attack
To view the report details of a past zone attack:
Step 1
Select a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears, displaying attack information for the past month.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and select a date from the calendar pop-up.
Step 4
Select one of the following methods to view details of the attack report:
• Click on the attack bar in the Protection Graph.
• Click on any of the fields for the attack listed in the Per Attack Summary table.
The Attack report screen appears.
Viewing Details of a Current Attack
When an attack on a zone is in progress, the Guard displays a Report button on the status screen of the zone under attack.
To view the current attack report of a zone:
Step 1
Select the zone under attack from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Use one of the following methods to display the zone current attack report:
• Click Report on the zone status screen.
• Choose Diagnostics > Attack Reports from the zone main menu and click any of the fields for the attack in progress in the Per Attack Summary table.
Understanding Attack Report Details
This section describes the information the Guard displays in the following areas of the detailed attack report:
• General Attack Information
• Attack Statistics
• Dropped/Bounced Packets
• Detected Anomalies
• Mitigated Attacks
• HTTP Detected Zombies
General Attack Information
The first section of the attack report provides information related to the timing of the attack, including when the attack started, when it ended, and how long it lasted.
To view additional report details, click i or Show details for all events.
Figure 10-11 Attack Report—General Attack Information
All counters are integers except for rate. You can select the statistics unit of measurement from the general attack information area of the screen.
To change the statistic unit of measurement:
Step 1
Select the desired units to use from the Statistics units drop-down list.
Step 2
Click Set units. The Guard updates the display.
Attack Statistics
The attack statistics table (see Figure 10-12) provides information on the following packet types:
• Received—Traffic received by the Guard destined to the zone.
• Forwarded—Legitimate traffic the Guard forwarded to the zone.
• Replied—Traffic sent to the client as part of the Guard anti-spoofing and anti-zombie features.
• Dropped—Total number of packets destined to the zone and dropped by the Guard.
Figure 10-12 Attack Report—Attack Statistics
Table 10-9 describes the information for each packet type:
Table 10-9 Attack Statistics
Field | Description
Total | Total number of packets in the category.
Max Rate | Maximum packet rate that was measured.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the received packets.
The traffic rate is displayed in the units that were selected from the drop-down list in the General Attack Information section.
Dropped/Bounced Packets
The Dropped/Bounced table (see Figure 10-13) provides statistics for packets that the Guard identified as malicious traffic and were dropped or replied (bounced). The packets are classified according to the Guard mechanism that identified them.
Figure 10-13 Attack Report—Dropped/Bounced Packets
The following filters are displayed in the rows of the table:
• Rate Limiter—Packets dropped by the rate limiter of the zone or by filters for which a rate limit was configured. The rate limiter limits the traffic rate of the legitimate traffic injected back to the zone by the Guard. See the "Creating a Zone from a Zone Template" section in "Creating and Configuring Zones" for details on configuring the rate limiter.
• Flex-Content filter—Packets dropped by the Flex-Content filter. The Flex-Content filter is used to count or drop a specific packet flow. See the "Managing Flex-Content Filters" section in "Configuring Zone Filters" for details on using the Flex-Content filter.
• User filter—Packets dropped by the User filters. The User filter is used to direct a specific traffic flow to the desired Guard protection modules. See the "Managing User Filters" section in "Configuring Zone Filters" for details on using User filters.
• Dynamic filter—Packets dropped by the Dynamic filters. Dynamic filters are created by the Guard as the result of the analysis of traffic flow. See the "Managing Dynamic Filters" section in "Activating Zone Protection" for details on using Dynamic filters.
• Spoofed—Packets that were identified by the Guard as spoofed packets or packets originated by zombies and therefore not forwarded to the zone. Spoofed packets are packets to which no replies were received.
• Malformed—Packets destined to the zone and dropped because the Guard determined them to be malformed.
Table 10-10 describes the information that is available for each packet.
Table 10-10 Field Descriptions for Dropped/Bounced Packets
Field | Description
Total | Total number of dropped/bounced packets.
Max Rate | Maximum packet rate measured.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the total dropped/bounced packets.
The traffic rate is displayed in the units that were selected from the drop-down list in the General Attack Information section.
Detected Anomalies
The Detected Anomalies table (see Figure 10-14) provides details of the anomalies the Guard detected in the zone traffic. The Guard classifies the traffic as being an anomaly when it requires the production of a Dynamic filter. Traffic anomalies can occur infrequently or can turn into systematic DDoS attacks. The Guard clusters anomalies with the same type and flow parameters (such as source IP address or destination port) under one anomaly type.
Figure 10-14 Attack Report—Detected Anomalies
The following information is provided for each anomaly:
Table 10-11 Field Descriptions for Detected Anomalies
Field | Description
# | Identification number (ID) of the detected anomaly.
Start time | Date and time the anomaly was detected.
Duration | Duration of the anomaly in hours, minutes, and seconds.
Type | Type of the detected anomaly. Possible values are:
• Tcp_connections—Detected flow with an unusual number of concurrent TCP connections, with or without data.
• HTTP—Unusual HTTP traffic flow.
• Tcp incoming—Detected flow attacking a TCP service when the zone is a server.
• Tcp outgoing—Detected attack flow in which the client appears to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.
• Unauthenticated tcp—Detected flow that the Guard anti-spoofing mechanisms have not succeeded in authenticating, for example, an ACK flood, a FIN flood, or any other flood of unauthenticated packets.
• DNS (Udp)—Attacking DNS-UDP protocol flow.
• DNS (Tcp)—Attacking DNS-TCP protocol flow.
• Udp—Attacking UDP protocol flow.
• Non tcp/udp protocols—Attacking flow of a protocol other than TCP or UDP.
• Fragments—Detected flow with an unusual amount of fragmented traffic.
• TCP ratio—Detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets versus FIN/RST packets).
• IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
• port scan—Detected flow initiated from a source IP address that tried to access many zone ports.
• user detected—Anomaly flow detected by user definitions.
Triggering rate | Anomaly traffic rate that violated a policy threshold.
% Threshold | Percentage by which the triggering rate is above the policy threshold.
Anomaly Flow | Anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet type. If the anomaly flow is on a specific port, it is displayed as dst=ip address:port.
Details | Indicates whether additional information can be viewed for this filter. Click i for additional information (see the "Viewing Details of Detected Anomalies" section).
A value of * for any of the parameters indicates one of the following conditions:
• The value is undetermined.
• More than one value was measured for the anomaly parameter.
A value of # for any of the parameters indicates the number of values measured for that anomaly parameter.
Viewing Details of Detected Anomalies
The detected anomalies details table provides additional information on the Dynamic filters that constitute the detected anomaly.
To display the detected anomalies details table, click i in the details column for the filter in the detected anomalies table.
Table 10-12 describes the detailed anomaly information the Guard provides.
Table 10-12 Field Descriptions for Detected Anomalies Details
Field | Description
Start time | Date and time the anomaly was detected.
End time | Expiration date and time of the Dynamic filter.
Rate (pps) | Rate measured in packets per second:
• Thresh—Policy threshold that was violated by the detected anomaly.
• Triggered—Anomaly traffic rate that violated the policy threshold.
Count | Number of packets that were handled by the Dynamic filter.
Detected flow | Provides the following information on the detected attack flow that caused the production of the Dynamic filter:
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Fragmentation characteristics of the detected flow.
• Type—Detected anomaly type.
Action flow | Provides information on the action flow that was addressed by the Dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP address, whereas the action flow could indicate all source ports for that source IP address. The columns represent the Dynamic filter traffic data.
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Fragmentation characteristics of the action flow.
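The two tables above describe how the Guard groups Dynamic filters under one detected anomaly, shows a common flow that can be wider than any single detected flow (with * where more than one value was measured and # for the number of values), and reports the triggering rate as a percentage above the policy threshold. The following script is an added example, not code from the Cisco Guard documentation or product; it reproduces that report logic on constructed records so the columns can be checked by hand. The record layout, the grouping key (type plus destination) and the sample filters are assumptions for illustration; the Guard's internal grouping key is not documented on this page.

```python
"""Cluster Dynamic filters into detected anomalies, Guard-report style.

Added example; not Cisco Guard code. Filters sharing an anomaly type and
destination are grouped; the common flow keeps a parameter only if every
filter agrees on it, otherwise shows '*' and records how many distinct
values were measured (the report's '#'); '% Threshold' is how far the
triggering rate lies above the policy threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicFilter:
    """One Dynamic filter as it appears in the anomaly details table (constructed layout)."""
    anomaly_type: str   # Type column, e.g. "Tcp incoming"
    prot: int           # Prot.: IP protocol number
    src_ip: str         # "*" when not specific
    src_port: str       # "*" when not specific
    dst_ip: str
    dst_port: str
    frag: str           # fragmentation characteristic, e.g. "no"
    thresh_pps: int     # Rate (pps): Thresh
    triggered_pps: int  # Rate (pps): Triggered
    count: int          # Count: packets handled by this filter


FLOW_FIELDS = ("prot", "src_ip", "src_port", "dst_ip", "dst_port", "frag")


def pct_above_threshold(triggered: float, thresh: float) -> float:
    """'% Threshold' column: percentage by which the triggering rate exceeds the policy threshold."""
    if thresh <= 0:
        raise ValueError("policy threshold must be positive")
    return (triggered - thresh) * 100.0 / thresh


def common_flow(filters):
    """Common flow of a group: a parameter with one value keeps it; a parameter
    with several values becomes '*' and its distinct-value count is returned."""
    flow, distinct = {}, {}
    for field in FLOW_FIELDS:
        values = {str(getattr(f, field)) for f in filters}
        if len(values) == 1:
            flow[field] = values.pop()
        else:
            flow[field] = "*"
            distinct[field] = len(values)
    return flow, distinct


def cluster_anomalies(filters, key_fields=("anomaly_type", "dst_ip", "dst_port")):
    """Group filters into anomalies and build one report row per group.
    key_fields is a constructed grouping key; the anomaly's triggering rate
    is the highest rate among its filters."""
    groups = defaultdict(list)
    for f in filters:
        groups[tuple(getattr(f, k) for k in key_fields)].append(f)
    rows = []
    for anomaly_id, (key, members) in enumerate(sorted(groups.items()), start=1):
        flow, distinct = common_flow(members)
        thresh = members[0].thresh_pps
        triggered = max(m.triggered_pps for m in members)
        rows.append({
            "id": anomaly_id,
            "type": key[0],
            "triggering_rate": triggered,
            "pct_threshold": round(pct_above_threshold(triggered, thresh), 1),
            "flow": flow,
            "distinct_values": distinct,   # the '#' information per parameter
            "packets": sum(m.count for m in members),
            "filters": len(members),
        })
    return rows


def format_flow(flow, distinct):
    """Render a flow the way the report does, as dst=ip address:port."""
    text = (f"prot={flow['prot']} src={flow['src_ip']}:{flow['src_port']} "
            f"dst={flow['dst_ip']}:{flow['dst_port']} frag={flow['frag']}")
    if distinct:
        text += " (" + ", ".join(f"{k}: #{n}" for k, n in distinct.items()) + ")"
    return text


# Constructed sample: three filters for one TCP flood against a web server
# from three source addresses, and one filter for a UDP flow to a DNS server.
SAMPLE_FILTERS = [
    DynamicFilter("Tcp incoming", 6, "192.0.2.10", "*", "10.0.0.5", "80", "no", 1000, 4000, 120000),
    DynamicFilter("Tcp incoming", 6, "192.0.2.11", "*", "10.0.0.5", "80", "no", 1000, 3500, 90000),
    DynamicFilter("Tcp incoming", 6, "192.0.2.12", "*", "10.0.0.5", "80", "no", 1000, 2500, 60000),
    DynamicFilter("Udp", 17, "*", "*", "10.0.0.53", "53", "no", 500, 600, 30000),
]

if __name__ == "__main__":
    for row in cluster_anomalies(SAMPLE_FILTERS):
        print(f"#{row['id']} {row['type']}: {row['triggering_rate']} pps "
              f"({row['pct_threshold']}% above threshold), {row['filters']} filters, "
              f"{row['packets']} packets, flow {format_flow(row['flow'], row['distinct_values'])}")
```

The three TCP filters collapse into one anomaly whose common flow shows src=*:* with three distinct source addresses, which is the widening the Action flow row describes; the single UDP filter keeps its values unchanged.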
Mitigated Attacks
The Mitigated Attacks table (see Figure 10-15) provides details of the actions the Guard took against the traffic anomalies, described in the Detected Anomalies table, that proved to be a hazard for the zone. These actions can be anti-spoofing or anti-zombie mechanisms, user filters with a drop action, rate limit, and so forth. The Guard groups mitigation actions with same types and flow parameters, and displays them together.
Figure 10-15 Attack Report—Mitigated Attacks
Table 10-13 describes the fields of the Mitigated Attacks table.
Table 10-13 Field Descriptions for Mitigated Attacks Table
Field | Description
# | Identification number assigned to the mitigated attack by the Guard.
Start time | Date and time of the mitigated attack.
Duration | Duration of the mitigated attack in hours, minutes, and seconds.
Attack Type | Type of the mitigated attack. Possible values are:
• Spoofed—Includes all traffic anomalies identified as a DDoS attack from a spoofed IP source.
• Client Attack—Includes all traffic anomalies identified as a DDoS attack from an unauthenticated source IP address.
• User Defined—Includes DDoS attacks identified by user-defined filters and includes all packets dropped due to user definitions, such as anomalies handled by the User filters. See the "Managing User Filters" section in "Configuring Zone Filters" for details on using User filters.
• Zombie—Includes all traffic anomalies identified as a DDoS attack originated by zombies.
• Malformed Packets—Includes all traffic anomalies identified as a DDoS attack consisting of maliciously malformed packets.
The protection level (basic or strong) is shown in brackets.
Triggering rate | Traffic rate of the mitigated attack. The triggering rate applies only to client attacks or user-defined attacks; it does not apply to spoofed or malformed attacks.
% Threshold | Mitigated attack rate as a percentage of the policy threshold.
Anomaly Flow | Traffic flow of the anomaly that was mitigated. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet types.
Action flow | Traffic characteristics of the flow after the attack mitigation. The parameters of the common flow characteristics are displayed.
Dropped | Counter for traffic that was dropped during the attack mitigation.
Details | Indicates whether additional information can be viewed for this filter. Click i for additional information (see the "Viewing Mitigated Attack Details" section).
A value of * for any of the action flow or anomaly flow parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the anomaly's parameter.
A value of # for any of the action flow or anomaly flow parameters indicates the number of values measured for that mitigated attack parameter.
Viewing Mitigated Attack Details
The mitigated attack details table provides additional information on the mechanisms that were used to mitigate the attack.
To display the mitigated attack details table, click i in the details column for the filter in the mitigated attack table.
Table 10-14 describes the information the Guard displays in the Detailed Mitigated Attack table.
Table 10-14 Field Descriptions for Detailed Mitigated Attack Table
Field | Description
Start time | Date and time of the mitigated attack.
End time | Expiration date and time of the Dynamic filter that was activated.
Rate (pps) | Rate measured in packets per second:
• Thresh—Policy threshold that was exceeded by the mitigated attack.
• Triggered—Anomaly traffic rate that exceeded the policy threshold.
Count | Number of packets that were handled by the Dynamic filter.
Detected flow | Provides the following information on the detected flow that was mitigated:
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Fragmentation characteristics of the detected traffic flow.
• Type—Detected anomaly type.
Action flow | Provides information on the action flow that was addressed by the mitigation mechanism. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific destination port for a specific destination IP address, whereas the action flow could indicate all destination ports for that destination IP address. The columns represent the Dynamic filter traffic data.
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Fragmentation characteristics of the action flow.
HTTP Detected Zombies
An indication that an HTTP zombie attack has been detected appears in the General Attack Information section (see Figure 10-16).
Figure 10-16 HTTP Detected Zombies
To view the list of detected HTTP zombies, click i or Show HTTP detected zombies. See the "Viewing the HTTP Zombies List" section for details on this type of traffic anomaly.
Exporting an Attack Report
To export an attack report to an FTP server:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon (at the right of each field) and select a date.
Step 4
From the Per Attack Summary table, click the check box next to the attack report to export. To select all of the reports listed in the table, click the check box in the table header next to the number symbol (#).
Step 5
Click Export. The Export FTP Server Parameters window opens.
Step 6
From the Select FTP Server Parameters form, select the FTP method to use:
– FTP—File Transfer Program
– SFTP—Secure File Transfer Program
Step 7
From the Select FTP Server Parameters form, select and define the FTP server to use:
• Use default FTP definitions—Exports the attack report to the FTP server you defined in the Guard configuration using the CLI.
• Use temporary FTP server—Exports the attack report to an FTP server not defined in the Guard configuration. Enter the following FTP server information:
– Address—IP address of the FTP server.
– Path—Full path name. If you do not specify a path, the server saves the file or files in your home directory.
– Username—(Optional) FTP server login name. If you do not enter a user name, the FTP server assumes an anonymous login and does not require a password.
– Password—(Optional) Password for the remote FTP server. If you enter a user name but do not enter a password, the Guard prompts you for the password.
Step 8
Choose one of the following options:
• OK—Saves the attack report to the FTP server.
• Clear—Clears the Select FTP Server Parameters form of any information you added.
• Cancel—Closes the Export FTP Server Parameters window without saving the attack report.
Deleting an Attack Report
To delete an attack report:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon (at the right of each field) and select a date.
Step 4
From the Per Attack Summary table, click the check box next to the attack report to delete. To select all of the reports listed in the table, click the check box in the table header next to the number symbol (#).
Step 5
Click Delete. The Guard deletes the attack summary report.
Viewing the HTTP Zombies List
The HTTP Zombies list enables you to analyze the zone traffic and view the list of zombies that initiated the attack. You can then take action against the zombies.
To view the list of HTTP Zombies:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > HTTP Zombies from the zone main menu. The HTTP Zombies screen appears (see Figure 10-17).
Figure 10-17 HTTP Zombies list
Table 10-15 describes the information the Guard displays in the HTTP Zombies table.
Table 10-15 Field Descriptions for HTTP Zombies
Field | Description
IP | Zombie IP address.
Start Time | Date and time the zombie connection was first identified.
Duration | Duration of the zombie attack.
"get" Requests | Number of HTTP "get" requests sent by the zombie.
Viewing the Policy Statistics Table
The policy statistics table enables you to view the rate of the traffic flowing through each policy for a specific zone. This helps you to determine whether only legitimate traffic is passed to the zone and to manually tune thresholds.
To view the policy statistics table:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Policy Statistics from the zone main menu. The Policies statistics screen appears.
Step 3
(Optional) To set a filter on the screen:
a.
Click Set Screen Filter. The Policy Filter window opens.
b.
Select the values of the parameters from the drop-down lists in the Policy Filter window.
c.
Click OK. The Policy statistics screen is updated and displays only the selected parameters. Details of the selected path and the maximum keys per policy appear in the Screen Filter frame.
The policy statistics table displays the information in three sections. The information in each section is sorted by value, with the highest values appearing at the top:
• Rate—Rate of traffic flowing through the policy.
• Ratio—Ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.
• Connections—Number of concurrent connections or source IP addresses. This information is available for tcp_connections policies and the following packet types:
– in_nodata_conns for the Analysis protection module
– in_conns for the Strong protection module
For easier management of the information displayed, you can set screen filters to display only a partial list of the statistics available.
Note
When you change one of the display parameters, the Guard automatically clears all the parameters listed below the one you changed. You must enter new values for the cleared parameters.
Table 10-16 describes the policy statistics fields.
Table 10-16 Policy Statistics
Field | Description
Policy template | Policy template that was used to construct the policy.
Service | Services the policy relates to.
Level | Protection level the Guard applied to the traffic flow. Possible values are:
• Analysis
• Basic
• Strong
Type | Packet type. Possible values are:
• auth_pkts—Packets that underwent either TCP handshake or UDP authentication.
• auth_tcp_pkts—Packets that underwent TCP handshake.
• auth_udp_pkts—Packets that underwent UDP authentication.
• in_conns—Zone incoming connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• num_sources—Number of TCP source IP addresses, destined to the zone, that have been authenticated by the Guard anti-spoofing mechanisms.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with data payload.
• syns—Synchronization packets—TCP SYN flagged packets.
• syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
• unauth_pkts—Packets that did not undergo TCP handshake.
• pkts—All packet types that do not fall under any other category in the same protection level.
Policy | Policy name.
Key | The key (traffic characteristics) that was used to aggregate the policies. Possible values are:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.
• global—Summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone aggregated according to source IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone aggregated according to protocol.
• src_ip_many_dst_ips—Key used for IP scanning. Traffic from a single IP address destined to many zone IP addresses.
• src_ip_many_port—Key used for port scanning. Traffic from one IP address destined to many zone ports.
Value | Rate, ratio, or number of connections depending on the section of the table. The information in each section is sorted by value, with the highest value appearing first.
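The Rate, Ratio and Connections sections and the aggregation keys described above can be reproduced from a traffic sample, which is useful when deciding whether a policy threshold needs manual tuning. The script below is an added example, not code from the Cisco Guard documentation or product: it computes packets per second per key value, the syn_by_fin ratio of SYN to FIN/RST packets, the number of distinct source addresses per destination for tcp_connections, and the per-source fan-out behind the src_ip_many_dst_ips and src_ip_many_port keys, sorting each section highest value first and cutting it to a maximum number of keys as the screen filter does. The packet record layout, the 10-second window and the sample traffic are constructed for illustration.

```python
"""Derive Guard-style policy statistics sections from a traffic sample.

Added example; not Cisco Guard code. Packet layout, window length and
sample traffic are constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: str      # TCP flag letters (S, A, F, R); "" for non-TCP


WINDOW_SECONDS = 10  # constructed length of the sampled interval


def key_of(pkt, key):
    """Value of the aggregation key named in the table's Key column."""
    if key == "global":
        return "global"
    if key == "dst_ip":
        return pkt.dst_ip
    if key == "dst_port":
        return pkt.dst_port
    if key == "src_ip":
        return pkt.src_ip
    if key == "protocol":
        return pkt.proto
    raise ValueError(f"unsupported key: {key}")


def top(rows, max_keys):
    """Sort highest value first and keep at most max_keys rows (screen filter limit)."""
    return sorted(rows, key=lambda r: r[1:], reverse=True)[:max_keys]


def rate_section(packets, key, window=WINDOW_SECONDS, max_keys=5):
    """'Rate' section: packets per second for each value of the key."""
    counts = Counter(key_of(p, key) for p in packets)
    return top([(k, n / window) for k, n in counts.items()], max_keys)


def syn_by_fin_section(packets, key, max_keys=5):
    """'Ratio' section for syn_by_fin policies: SYNs divided by FIN/RST packets
    per key. A key with SYNs but no FIN/RST reports inf so that a one-sided
    SYN stream sorts to the top."""
    syns, fins = Counter(), Counter()
    for p in packets:
        if p.proto != 6:
            continue
        k = key_of(p, key)
        if "S" in p.flags and "A" not in p.flags:   # SYN, not SYN-ACK
            syns[k] += 1
        if "F" in p.flags or "R" in p.flags:
            fins[k] += 1
    rows = [(k, syns[k] / fins[k] if fins[k] else float("inf"))
            for k in set(syns) | set(fins)]
    return top(rows, max_keys)


def connections_section(packets, max_keys=5):
    """'Connections' section for tcp_connections policies: distinct source IP
    addresses seen per zone destination (a num_sources-style count)."""
    sources = defaultdict(set)
    for p in packets:
        if p.proto == 6:
            sources[(p.dst_ip, p.dst_port)].add(p.src_ip)
    return top([(k, len(v)) for k, v in sources.items()], max_keys)


def scan_section(packets, max_keys=5):
    """Fan-out behind the src_ip_many_dst_ips and src_ip_many_port keys:
    distinct zone IP addresses and distinct zone ports reached per source."""
    ips, ports = defaultdict(set), defaultdict(set)
    for p in packets:
        ips[p.src_ip].add(p.dst_ip)
        ports[p.src_ip].add((p.dst_ip, p.dst_port))
    return top([(s, len(ips[s]), len(ports[s])) for s in ips], max_keys)


# Constructed 10 s sample: one host sends 40 SYNs to the web server and never
# completes or closes; three clients open and close connections normally; one
# host touches port 22 on five zone addresses (SYN then RST each); one DNS query.
SAMPLE = (
    [Packet(6, "198.51.100.7", "10.0.0.5", 80, "S")] * 40
    + [Packet(6, "203.0.113.1", "10.0.0.5", 80, f) for f in ("S", "A", "F")]
    + [Packet(6, "203.0.113.2", "10.0.0.5", 80, f) for f in ("S", "A", "F")]
    + [Packet(6, "203.0.113.3", "10.0.0.5", 443, f) for f in ("S", "A", "R")]
    + [Packet(6, "198.51.100.9", f"10.0.0.{i}", 22, f) for i in range(1, 6) for f in ("S", "R")]
    + [Packet(17, "203.0.113.4", "10.0.0.53", 53, "")]
)

if __name__ == "__main__":
    print("Rate (dst_port):", rate_section(SAMPLE, "dst_port"))
    print("Ratio (dst_port):", syn_by_fin_section(SAMPLE, "dst_port"))
    print("Connections:", connections_section(SAMPLE))
    print("Scan fan-out:", scan_section(SAMPLE))
```

In this sample the dst_port Ratio row for port 80 stands out (42 SYNs against 2 FIN/RST, a ratio of 21) while the well-behaved clients and the port-22 probe each sit near 1, and the scan section attributes the five-address fan-out to a single source; the Rate section alone would not separate these behaviours.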
Viewing the Drop Statistics Table
The drop statistics table enables you to view the distribution of dropped packets for an ongoing attack by rate and counter.
To view the drop statistics table:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Drop Statistics from the zone main menu. The Drop statistics screen appears (see Figure 10-18).
Step 3
(Optional) To change the unit of measurement for the statistics displayed, select the desired unit of measurement from the drop-down list, then click Set units.
Figure 10-18 Drop Statistics Table
The dropped packets appear in two tables according to type.
Table 10-17 and Table 10-18 describe the contents of the drop statistics tables:
Table 10-17 Drop Statistics
Type | Description
Total dropped | Total amount of dropped traffic.
Dynamic filters | Amount of traffic dropped by the dynamic filters.
User filters | Amount of traffic dropped by the user filters.
Flex filter | Amount of traffic dropped by the flex filter.
Rate limit | Amount of traffic dropped by the rate limiter.
Incoming TCP unauthenticated basic | Traffic that the TCP basic anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Incoming TCP unauthenticated-strong | Traffic that the TCP Strong anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Outgoing TCP unauthenticated | Zone-initiated-connections traffic that the TCP anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP unauthenticated-basic | UDP traffic that the Basic anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP unauthenticated-strong | UDP traffic that the Strong anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Other protocols unauthenticated | Traffic, other than TCP and UDP traffic, that the Guard anti-spoofing mechanisms dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
TCP fragments unauthenticated | TCP fragmented packets that the Guard anti-spoofing mechanisms dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP fragments unauthenticated | UDP fragmented packets that the Guard anti-spoofing mechanisms dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Other protocols fragments unauthenticated | Fragmented packets, other than TCP and UDP fragmented packets, that the Guard anti-spoofing mechanisms dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
DNS malformed replies | Malformed DNS replies that the Guard protection mechanisms dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
DNS spoofed replies | DNS packets coming in response to zone-initiated connections that the Guard anti-spoofing mechanisms dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
DNS short queries | Short (malformed) DNS queries that the Guard protection mechanisms dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
NON DNS packets to DNS port | Non-DNS traffic destined to a DNS port that the Guard protection mechanisms dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Bad packets to proxy addresses | Malformed traffic destined to the Guard proxy IP address that the Guard protection mechanisms dropped.
TCP anti-spoofing mechanisms related pkts | Number of packets dropped due to side operations of the Guard TCP anti-spoofing mechanisms. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
DNS anti-spoofing mechanisms related pkts | Number of packets dropped due to side operations of the Guard DNS anti-spoofing mechanisms. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Anti-spoofing internal errors | Number of packets dropped due to errors in the Guard anti-spoofing mechanisms. In the attack reports, these packets are counted in the Dropped/Replied Packets table.
Land attack | Number of packets dropped because they had identical source and destination IP addresses. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Malformed packets | Number of packets dropped due to a malformed header. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Table 10-18 Spoofed Statistics
Type | Description
Total spoofed | Total amount of spoofed traffic.
Spoofed incoming TCP basic | Traffic that the TCP basic anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed incoming TCP strong | Traffic that the TCP strong anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed outgoing TCP basic | Zone-initiated-connections traffic that the TCP basic anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed outgoing TCP strong | Zone-initiated-connections traffic that the TCP strong anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed incoming DNS | Traffic that the incoming DNS (queries) anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed outgoing DNS basic | Traffic that the outgoing DNS (replies) basic anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed outgoing DNS strong | Traffic that the outgoing DNS (replies) strong anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Spoofed zombie | Traffic that the zombie anti-spoofing mechanisms tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.