Table Of Contents
Monitoring Guard and Zone Operations
Viewing the Guard Summary Screen
Using the Guard Global Diagnostic Tools
Displaying the Global Counters
Clearing the Guard Counters
Viewing the Guard Counters in Real Time
Viewing the Guard Event Log
Viewing the Zone Status Screen
Zone Status Bar
Zone Traffic Rate Graph
Zone Status Table
Zone Recent Events Table
Using the Zone Diagnostic Tools
Viewing the Zone Counters
Using Zone Counters to Analyze Traffic Flow
Analyzing Zone Traffic Problems
Clearing the Zone Counters
Viewing the Zone Counters in Real Time
Viewing the Zone Event Log
Displaying the Attacks Summary Report
Displaying Details of an Attack Report
Displaying Report Details of a Past Attack
Displaying Details of a Current Attack
Understanding Attack Report Details
General Attack Information
Attack Statistics
Dropped/Bounced Packets
Detected Anomalies
Viewing Details of Detected Anomalies
Mitigated Attacks
Viewing Details of Mitigated Attacks
HTTP Detected Zombies
Exporting Attack Reports
Deleting Attack Reports
Viewing the HTTP Zombies List
Viewing the Policy Statistics Table
Viewing the Drop Statistics Table
Monitoring Guard and Zone Operations
This chapter describes how to perform tasks that you can use to monitor the status of the Cisco Guard (Guard) and its zones and the statistical tools that enable you to diagnose problems that are related to the zone traffic flow.
This chapter contains the following sections:
•
Viewing the Guard Summary Screen
•
Using the Guard Global Diagnostic Tools
•
Viewing the Zone Status Screen
•
Using the Zone Diagnostic Tools
Viewing the Guard Summary Screen
The Guard Summary screen (see Figure 10-1) provides a summary of the current Guard activity and is the first screen to appear when connecting to the Guard WBM. You can access the Guard Summary screen from the following locations within the interface:
•
From the navigation pane, click Guard Summary.
•
From the information area, click Home.
Figure 10-1 Guard Summary Screen
The Guard Summary screen contains the following two areas:
•
Guard Summary—Graphical summary of the traffic that the Guard handled over the last 2 hours in bits per second (bps). The legitimate traffic that the Guard forwarded to the protected zones appears in green. The malicious traffic that the Guard detected appears in red.
Table 10-1 describes the information that appears below the graph.
Table 10-1 Field Descriptions for Guard Summary Graph
Field | Description
Min. | Minimum traffic rate measured during the last 2 hours in bits per second.
Max. | Maximum traffic rate measured during the last 2 hours in bits per second.
Avg. | Average traffic rate measured during the last 2 hours in bits per second.
Cur. | Current traffic rate in bits per second.
The information appears separately for legitimate traffic and for malicious traffic.
•
Currently Protected Zones—Status information of the zones that the Guard is currently protecting. The zone information that appears depends on which of the following zone protection modes you activate:
–
Protect—Displays the zone information when the zone is under attack and in normal traffic conditions.
–
Protect and Learn—Displays zone information only when the zone is under attack.
The Guard lists the zones in the order in which they encountered attacks with the most recently attacked zone appearing at the top of the list. Click on the information that the Guard displays in each row to view the associated zone summary screen.
Table 10-2 describes the fields for currently protected zones.
Table 10-2 Field Descriptions for Zones Currently Protected
Field | Description
Zone | Zone name. The zone name also provides a link to the zone status screen of the specific zone.
Activation Time | Date and time that zone protection was activated.
Attack Start Time | Date and time that the most recent attack on the zone was detected.
#DF | Number of dynamic filters. Because the Guard only creates a dynamic filter when it detects an anomaly, a #DF value greater than zero indicates an attack on the zone.
#PF | Number of pending dynamic filters. The display is N/A if the zone is operating in automatic protect mode (not interactive protect mode).
Legitimate Rate | Current rate of legitimate traffic (in bits per second) forwarded by the Guard to the zone.
Malicious Rate | Current rate of malicious traffic (in bits per second) targeting the zone.
Thumbnail of the zone traffic summary | Graph that displays a summary of the traffic (in bits per second) to the zone in the last half hour. The legitimate traffic rate appears in green. The malicious traffic rate appears in red.
Using the Guard Global Diagnostic Tools
The Guard provides diagnostic information to assist you in monitoring and troubleshooting global events. This section contains the following topics:
•
Displaying the Global Counters
•
Clearing the Guard Counters
•
Viewing the Guard Counters in Real Time
•
Viewing the Guard Event Log
Displaying the Global Counters
The Counters screen provides a more in-depth analysis of the counter information that the Guard displays in the Guard Summary screen. From the Counters screen, you can filter the information that the Guard displays in the traffic rates graph.
To display the Guard counters, perform the following steps:
Step 1
From the navigation pane, click Guard Summary. The Guard Summary menu appears.
Step 2
From the Guard Summary menu, choose Diagnostics > Counters > Guard Counters. The Counters screen appears. By default, the graph displays the legitimate and malicious traffic over the last 2 hours, measured in bits per second.
Step 3
(Optional) Check the check box next to each counter that you want to add to the traffic rate graph, or uncheck the check box next to each counter that you want to remove from the graph.
Step 4
Click Update Graph. The Guard updates the graph.
The Guard can display the following traffic counters:
•
Legitimate—Legitimate traffic forwarded by the Guard to the zone.
•
Malicious—Malicious traffic destined to the zone. The malicious traffic is the sum of dropped and spoofed packets (which also include the zombie packets).
•
Received—Packets received and handled by the Guard. Received packets are the sum of the legitimate traffic and malicious traffic.
•
Dropped—Packets that were identified by the Guard as part of an attack and dropped.
•
Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie functions in order to verify whether they are part of the authentic traffic or part of an attack.
•
Spoofed—Packets that were identified by the Guard as spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 5
(Optional) Choose the period of time from the Graph Period drop-down list to modify the period of time that is displayed in the graph and click Update Graph. The Guard updates the graph.
By default, the traffic rate graph displays the counter information recorded in the last 2 hours.
Step 6
(Optional) Change the unit of measurement that the Guard uses in the traffic rate graph by choosing a unit of measurement from the Graph Type drop-down list and then clicking Update Graph. The Guard updates the graph.
The units of measurement can be one of the following:
•
pps—Packets per second
•
bps—Bits per second
Step 7
(Optional) Click Clear Counters to clear the Guard counters.
The Guard clears the current counters and the traffic rates.
You can clear the Guard counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
Table 10-3 describes the fields for each of the counters.
Table 10-3 Field Descriptions for Counters in Counter Report
Field | Description
Shown in Graph | Type of counter information displayed in the traffic rates graph.
Packets | Total number of packets since the Guard was reloaded.
Bits | Total number of bits since the Guard was reloaded.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
A legend identifying the different counters appears below the graph. The minimum, maximum, and average rates for each counter are displayed for the time period that you selected.
Clearing the Guard Counters
You can clear the Guard counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
To clear the Guard counters, perform the following steps:
Step 1
From the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2
From the Guard summary menu, choose Diagnostics > Counters > Guard Counters. The Guard Counters screen appears.
Step 3
Click Clear Counters.
The Guard clears the current counters and the traffic rates.
Viewing the Guard Counters in Real Time
The Guard allows you to view the global counter information in real time.
Note
You must have Java 2 Runtime Environment (JRE) installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section).
To view the counters in real time, perform the following steps:
Step 1
From the navigation pane, click Guard Summary. The Guard summary menu appears.
Step 2
From the Guard summary menu, choose Diagnostics > Counters > Real time counters. The Real time counters screen appears.
Step 3
(Optional) Check the check box next to the traffic counter type that you want to display (under Show in Graph) to modify the view of the traffic rate graph. The Guard updates the traffic rate graph.
The Guard can display the following traffic counters:
•
Legitimate—Legitimate traffic forwarded by the Guard to the zone.
•
Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of the dropped and spoofed packets (which also include the zombie packets).
•
Received—Packets received and handled by the Guard. Received packets are the sum of the legitimate and malicious traffic.
•
Dropped—Packets that were identified by the Guard as part of an attack and dropped.
•
Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of the authentic traffic or part of an attack.
•
Spoofed—Packets that were identified by the Guard as spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) Choose one of the following Graph Type options to change the unit of measurement that the Guard uses in the traffic rate graph:
•
pps—Packets per second
•
bps—Bits per second
The Guard updates the traffic rate graph.
Table 10-4 describes the fields of the Real time counters.
Table 10-4 Field Descriptions of Real Time Counters
Field | Description
Shown in Graph | Type of counter information displayed in the traffic rates graph.
Packets | Total number of packets since the Guard was reactivated.
Bits | Total number of bits since the Guard was reactivated.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
Viewing the Guard Event Log
The Guard automatically logs system activity and events that relate to the protected zones and to Guard operation. You can display the Guard logs to review and track the Guard activity.
Table 10-5 describes the event severity levels.
Table 10-5 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
Note
The event logs only display zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, and Notification. See the "Viewing the Zone Event Log" section for more information about zone event logs.
To view the contents of the event log, perform the following steps:
Step 1
From the navigation pane, click Guard Summary. The Guard Summary menu appears.
Step 2
From the Guard Summary menu, choose Diagnostics > Event log. The Events screen appears. Use the navigation tool provided above the events table to scroll through the events.
Step 3
(Optional) Choose one of the following options to control which events display in the Events table:
•
Show all Events—Displays the events of every severity level.
•
Show events with severity level—Displays only the events of the severity levels that you choose (see Table 10-5).
Step 4
Click Filter Events.
The Guard updates the Events table.
Viewing the Zone Status Screen
The zone status screen (see Figure 10-2) provides a summary of the zone operating status. You can navigate to this screen as follows:
•
From the All Zones list in the navigation pane, click the zone name.
•
If zone protection is currently enabled, from the Protected Zones list in the navigation pane, click the zone name.
•
From the navigation path of any zone-specific screen, click Zone.
•
From the zone list (Guard Summary > Zones > Zone list), click the zone name.
Figure 10-2 Zone Status Screen
The zone status screen is divided into four areas (zone status bar, zone traffic rate graph, zone status table, and zone recent events table) and is described in the following topics:
•
Zone Status Bar
•
Zone Traffic Rate Graph
•
Zone Status Table
•
Zone Recent Events Table
The zone status screen contains function buttons. The WBM displays different function buttons depending on the current operating mode of the zone.
If the zone is in standby, the following function buttons appear:
•
Protect & Learn—Activates the zone Protect and Learn function. The Protect and Learn function allows you to protect a zone while performing the threshold tuning phase of the learning process. This function is equivalent to choosing Protection > Protect and then Learning > Tune Thresholds (the order is not important) from the zone main menu.
•
Protect—Activates zone protection. This function is equivalent to choosing Protection > Protect from the zone main menu.
If zone protection or the Protect and Learn function are currently enabled, the following function buttons appear:
•
Deactivate—Deactivates zone protection. This is equivalent to choosing Protection > Deactivate from the zone main menu.
If the Protect and Learn function is enabled and you click Deactivate, you have the option of deactivating zone protection, the learning process, or both operations.
•
Report—Provides a link to the current attack report. This function is equivalent to choosing Diagnostics > Attack reports > Attack Summary from the zone main menu and clicking on the current attack (the attack with an identification number (#) of Curr). The Report button is available only if there is an attack in progress. See the "Displaying Details of a Current Attack" section for more information.
Zone Status Bar
The zone status bar runs across the top of the zone status screen and provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:
•
The name of the zone.
•
The way that the Guard performs zone protection—Indicates whether the Guard is operating in automatic or interactive protect mode for the zone. See the "Automatic and Interactive Zone Operation Modes" and "Activating Automatic or Interactive Protect Mode" sections for details about zone operation mode settings.
•
The zone operating state—The current operating state of the zone. The operating state can be one of the following: Protected, Protected/Tuning Thresholds, Inactive, Constructing Policy, or Tuning Thresholds.
•
Indication of new recommendations—Indicates that new dynamic filter recommendations are available for you to review, so that you can decide whether to accept them, ignore them, or direct them to automatic activation. This indication is available only when you set the zone operation mode to interactive.
Zone Traffic Rate Graph
The zone traffic rate graph displays the zone-related traffic rate over the last two hours, measured in bps. Legitimate traffic that the Guard forwarded to the zone appears in green. Malicious traffic that was targeting the zone and that the Guard dropped appears in red.
Table 10-6 describes the fields that appear below the zone traffic rate graph.
Table 10-6 Field Descriptions for Fields below Zone Traffic Rate Graph
Field | Description
Min | Minimum traffic rate measured over the last two hours in bits per second.
Max | Maximum traffic rate measured over the last two hours in bits per second.
Avg | Average traffic rate measured over the last two hours in bits per second.
Cur | Current traffic rate in bits per second.
Zone Status Table
The zone status table provides information on the current operation of the zone and contains the following information:
•
Active Dynamic filters—Number of active dynamic filters. The number of active dynamic filters is greater than zero when the Guard identifies anomalies in the zone traffic.
Click Active Dynamic filters to view the Dynamic filters screen. See the "Managing Dynamic Filters" section for detailed information about dynamic filters.
•
Pending Dynamic filters—Number of pending dynamic filters. The number of pending dynamic filters is greater than zero when the zone is in interactive protect mode and there are new recommendations.
Click Pending Dynamic filters to view the Recommendations screen. See the "Managing Dynamic Filters" section for details on dynamic filters. See the "Managing Guard Recommendations for Dynamic Filters" section for details about Guard recommendations.
•
Last attack time—Date and time of the last attack on the zone.
•
Activation time—Date and time that zone protection was activated.
Zone Recent Events Table
The Recent Events table displays the reported zone events with a severity level of Notification or more severe (see Table 10-5). The Guard also records the events in the zone event log and the Guard event log.
Using the Zone Diagnostic Tools
The Guard provides diagnostic information to assist you in monitoring and troubleshooting zone events. This section contains the following topics:
•
Viewing the Zone Counters
•
Clearing the Zone Counters
•
Viewing the Zone Counters in Real Time
•
Viewing the Zone Event Log
•
Displaying the Attacks Summary Report
•
Displaying Details of an Attack Report
•
Understanding Attack Report Details
•
Exporting Attack Reports
•
Deleting Attack Reports
•
Viewing the HTTP Zombies List
•
Viewing the Policy Statistics Table
•
Viewing the Drop Statistics Table
Viewing the Zone Counters
The zone counters enable you to analyze zone-specific traffic information in order to verify the zone status and determine if zone protection is functioning properly. You can adjust the period of time that is displayed in the zone counters graph view to see how zone protection is evolving.
To view the zone counter information, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.
By default, the graph displays the legitimate and malicious traffic over the last 2 hours measured in bits per second.
Step 3
(Optional) Check the check box next to the counters that you want to include in the graph to modify the view of the traffic rates graph.
Step 4
Click Update Graph. The Guard updates the traffic rate graph.
The Guard can display the following traffic counters:
•
Legitimate—Legitimate traffic forwarded by the Guard to the zone.
•
Malicious—Malicious traffic destined to the zone. The malicious traffic is the sum of dropped and spoofed packets (which also include the zombie packets).
•
Received—Packets received and handled by the Guard. Received packets are the sum of legitimate and malicious traffic.
•
Dropped—Packets that were identified by the Guard as part of an attack and dropped.
•
Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of the authentic traffic or part of an attack.
•
Spoofed—Packets that were identified by the Guard as spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 5
(Optional) Modify the period of time that is displayed in the graph by choosing a period of time from the Graph Period drop-down list.
Step 6
Click Update Graph. The Guard updates the graph.
By default, the traffic rate graph displays counter information recorded in the last 2 hours.
Step 7
(Optional) Change the unit of measurement that the Guard uses in the traffic rate graph by choosing a unit of measurement from the Graph Type drop-down list. The units of measurement can be one of the following:
•
pps—Packets per second
•
bps—Bits per second
Step 8
Click Update Graph. The Guard updates the graph.
Step 9
(Optional) Click Clear Counters to clear the zone counters. The Guard clears the current zone counters and the traffic rates. You can clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
The Zone Current Counters/Rates table displays the following information:
•
Shown in Graph—Specifies whether the counter is displayed in the graph.
•
Counter—Type of available counters.
•
Packets—Total number of packets destined to the zone since the Guard was last reloaded.
•
Bits—Total number of bits destined to the zone since the Guard was last reloaded.
•
pps—Current traffic rate destined to the zone, measured in packets per second.
•
bps—Current traffic rate destined to the zone, measured in bits per second.
A legend that identifies the counters appears below the traffic rates graph. The minimum, maximum, and average rates for each counter are displayed for the time period that you chose.
This section contains the following topics:
•
Using Zone Counters to Analyze Traffic Flow
•
Analyzing Zone Traffic Problems
Using Zone Counters to Analyze Traffic Flow
You must analyze the traffic flow in order to determine if the traffic is flowing properly to an active zone. The following information describes how to analyze traffic flow, recognize possible problems, and provide solutions:
•
A number of received and legitimate packets greater than zero indicates that a diversion of the zone traffic to the Guard is functioning properly.
•
A number of received packets greater than the number of legitimate packets together with a number of malicious packets greater than zero indicates that the zone is under attack and that zone protection is functioning. To verify that the zone is under attack, view the zone status screen to see if the Guard is producing dynamic filters to handle an attack (see the "Viewing the Zone Status Screen" section).
Based on your experience and knowledge of the network traffic, follow these guidelines:
•
If there are dropped packets, check whether a trusted source IP address is being blocked by a dynamic filter. To allow the trusted traffic to pass through the Guard, you can configure a bypass filter for the traffic from the trusted source IP address (see the "Managing Bypass Filters" section).
•
If a policy has produced dynamic filters that drop too many IP flows, check to see if the filters are blocking flows from source IP addresses that seem legitimate but are sending traffic at rates above the thresholds. You can increase the policy threshold or prevent the policy from producing additional dynamic filters by deactivating the policy. See "Managing Zone Policies," for information about configuring the zone policies.
•
If the current rate (packets per second or bits per second) of received packets equals zero or the number of legitimate packets remains constant over a long period of time, this may indicate a problem. See the "Analyzing Zone Traffic Problems" section for troubleshooting information.
Analyzing Zone Traffic Problems
If the received counters (packets or bits) or legitimate counters (packets or bits) equal zero, this could indicate one or both of the following situations:
•
The Guard does not receive the packets destined to the zone (received counters = 0)—Indicates a diversion problem with the zone traffic or a network configuration problem.
•
The Guard receives the zone-diverted traffic but blocks the packets from being forwarded to the zone (received counters > 0 and legitimate current rate [packets per second and bits per second] = 0 over a period of time)—Indicates that the Guard is dropping traffic because it falsely identified the traffic as malicious.
Figure 10-3 shows a situation in which almost all the traffic destined to the zone is dropped. You should scan the dynamic filters that the Guard produced for a drop-action filter and follow these guidelines:
–
Delete the drop-action dynamic filter.
–
Deactivate the policy that produced the drop-action dynamic filter so that the policy can no longer produce drop-action dynamic filters. If you only delete the dynamic filter without deactivating the policy, the Guard continues to classify the same type of traffic as malicious and recreates the drop-action filter.
Figure 10-3 Problem Analysis: Rcv >0, Legitimate = 0
Caution
When you deactivate a policy, you may compromise zone protection because the Guard no longer applies the policy to the traffic flow.
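The counter relationships defined for the zone counters (Received is the sum of Legitimate and Malicious; Malicious is the sum of Dropped and Spoofed; Spoofed packets are replied packets that were never answered) and the diagnostic rules of the "Using Zone Counters to Analyze Traffic Flow" and "Analyzing Zone Traffic Problems" sections, worked through as an added example. This code is not part of the Cisco Guard documentation or software. The snapshot record, its field names, the time stamps, the sample counter values, the state labels and the three-interval window used to detect the Figure 10-3 condition are all assumptions made for illustration; it also treats a backwards step in a cumulative counter as a Clear Counters reset, which the page implies but does not state.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    """One reading of a zone's cumulative packet counters (the Packets column of the
    zone Counters screen). Field names and the time stamp are assumptions for this example."""
    t: float          # seconds since an arbitrary epoch
    received: int     # packets received and handled by the Guard for the zone
    legitimate: int   # packets forwarded to the zone
    dropped: int      # packets identified as part of an attack and dropped
    replied: int      # packets bounced back to the client by anti-spoofing / anti-zombie checks
    spoofed: int      # replied packets that were never answered (zombie packets included)

    @property
    def malicious(self) -> int:
        # Malicious traffic is the sum of dropped and spoofed packets.
        return self.dropped + self.spoofed

    def consistent(self) -> bool:
        # Received is the sum of legitimate and malicious traffic, and spoofed packets are a
        # subset of replied packets, so a snapshot that violates either relation is suspect.
        return (self.received == self.legitimate + self.malicious
                and self.spoofed <= self.replied)


def rates(prev: Snapshot, cur: Snapshot) -> Optional[Dict[str, float]]:
    """Packets-per-second rates between two snapshots, or None if the counters were cleared
    in between (Clear Counters resets the totals, so a backwards step is taken as a reset)."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("snapshots must be in increasing time order")
    if cur.received < prev.received or cur.legitimate < prev.legitimate:
        return None
    return {
        "received_pps": (cur.received - prev.received) / dt,
        "legitimate_pps": (cur.legitimate - prev.legitimate) / dt,
        "malicious_pps": (cur.malicious - prev.malicious) / dt,
    }


def assess(history: List[Snapshot], active_dynamic_filters: int, window: int = 3) -> str:
    """Classify the zone from its counter history using the guidelines of this chapter.
    `window` is the number of consecutive sampling intervals that must show received traffic
    with no legitimate traffic before the Figure 10-3 condition is reported (an assumption)."""
    last = history[-1]
    if not last.consistent():
        return "inconsistent-counters"
    if last.received == 0:
        # The Guard sees no zone traffic at all: diversion or network configuration problem.
        return "no-diversion"
    # Figure 10-3: the Guard receives traffic but forwards none of it over a period of time.
    pairs = list(zip(history, history[1:]))[-window:]
    intervals = [r for r in (rates(a, b) for a, b in pairs) if r is not None]
    if len(intervals) == window and all(
            r["received_pps"] > 0 and r["legitimate_pps"] == 0 for r in intervals):
        # Look for a drop-action dynamic filter and the policy that produced it.
        return "all-traffic-dropped"
    if last.received > last.legitimate and last.malicious > 0:
        # Under attack; confirm on the zone status screen that dynamic filters were created.
        if active_dynamic_filters > 0:
            return "under-attack"
        return "malicious-without-filters"
    return "healthy"


# Constructed sample histories (not captured from a real Guard).
HEALTHY = [Snapshot(0, 0, 0, 0, 0, 0), Snapshot(10, 1000, 1000, 0, 0, 0)]
ATTACK = HEALTHY + [Snapshot(20, 5000, 1500, 3000, 600, 500)]
ALL_DROPPED = [
    Snapshot(0, 1000, 500, 500, 0, 0),
    Snapshot(10, 3000, 500, 2500, 0, 0),
    Snapshot(20, 5000, 500, 4500, 0, 0),
    Snapshot(30, 7000, 500, 6500, 0, 0),
]

if __name__ == "__main__":
    for name, hist in (("healthy", HEALTHY), ("attack", ATTACK), ("all_dropped", ALL_DROPPED)):
        print(name, assess(hist, active_dynamic_filters=2))
```

The checks are ordered the way the chapter orders its diagnosis: counters that do not add up are reported first, then the received-equals-zero diversion problem, then the sustained received-but-nothing-forwarded case of Figure 10-3, and only then the ordinary under-attack condition, which is confirmed against the dynamic filter count from the zone status screen.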
Clearing the Zone Counters
You can clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
To clear the zone counters, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.
Step 3
Click Clear Counters. The Guard clears the current zone counters and the traffic rates.
Viewing the Zone Counters in Real Time
The Guard allows you to view the zone counter information in real time.
Note
You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section).
To view the counters in real time, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Real Time Counters. The zone Real Time Counters/Rates screen appears.
Step 3
(Optional) Check the check box next to the traffic counter type that you want to display (under Show in Graph) to modify the view of the traffic rate graph. The Guard updates the traffic rate graph.
The Guard can display the following traffic counters:
•
Legitimate—Legitimate traffic forwarded by the Guard to the zone.
•
Malicious—Malicious traffic destined to the zone. The malicious traffic is the sum of dropped and spoofed packets (which also include the zombie packets).
•
Received—Packets received and handled by the Guard. Received packets are the sum of legitimate and malicious traffic.
•
Dropped—Packets that were identified by the Guard as part of an attack and dropped.
•
Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of the authentic traffic or part of an attack.
•
Spoofed—Packets that were identified by the Guard as spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
Step 4
(Optional) Change the unit of measurement that the Guard uses in the traffic rate graph by choosing one of the following Graph Type options:
•
bps—Bits per second
•
pps—Packets per second
The Guard updates the traffic rate graph.
For information about using the counter information to analyze the zone traffic and problems, see the "Using Zone Counters to Analyze Traffic Flow" and "Analyzing Zone Traffic Problems" sections.
Viewing the Zone Event Log
The Guard automatically logs the events that relate to each zone. You can display the zone event log to review and track the activity of a specific zone.
Table 10-7 describes the event severity levels.
Table 10-7 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To view the contents of the zone event log, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Event log. The zone Events screen appears.
Step 3
(Optional) To control which events display in the Events table, choose one of the following options:
•
Show all Events—Displays the events of every severity level.
•
Show events with severity level—Displays only the events of the severity levels that you chose (see Table 10-7).
Step 4
Click Filter Events. The Guard updates the Events table.
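The severity filtering described for the Guard event log ("Viewing the Guard Event Log" section) and the zone event log above, worked through as an added example that is not part of the Cisco Guard documentation or software. The severity order is the one of Table 10-5 and Table 10-7, and the restriction of zone-related events to Notification and more severe levels comes from the Note in the Guard event log section; the line format, the regular expression, the Event record and the sample log lines are assumptions constructed for this example and are not the Guard's real log format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Severity levels in the order of Table 10-5 / Table 10-7, most severe first (rank 0).
SEVERITIES = ("Emergencies", "Alerts", "Critical", "Errors",
              "Warnings", "Notifications", "Informational", "Debugging")
LEVEL = {name: rank for rank, name in enumerate(SEVERITIES)}
# Zone-related events are shown only down to Notification; Informational and Debugging are not.
ZONE_LEAST_SEVERE = LEVEL["Notifications"]

# Hypothetical line format "<date> <time> <severity> <zone or -> <message>"; an assumption
# for this example, not the Guard's real log format.
EVENT_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<severity>\S+) (?P<zone>\S+) (?P<msg>.*)$")

# Constructed sample events (not captured from a real Guard).
SAMPLE_LOG = """\
2006-03-01 10:00:01 Notifications zone-web Zone protection activated
2006-03-01 10:05:12 Warnings zone-web Dynamic filter created for anomaly
2006-03-01 10:05:13 Informational zone-web Counters cleared by operator
2006-03-01 10:06:00 Errors - Management interface link down
2006-03-01 10:07:45 Debugging zone-dns Policy threshold recalculated
2006-03-01 10:09:02 Critical zone-dns Attack rate exceeds policy threshold
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    severity: int          # rank in SEVERITIES, 0 = Emergencies
    zone: Optional[str]    # None for events about the Guard itself rather than a zone
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_events(text: str) -> List[Event]:
    """Parse log lines. A malformed line or an unknown severity name raises ValueError
    instead of being dropped silently, so a gap in the log cannot go unnoticed."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = EVENT_RE.match(line)
        if not m or m["severity"] not in LEVEL:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        zone = None if m["zone"] == "-" else m["zone"]
        events.append(Event(f'{m["date"]} {m["time"]}', LEVEL[m["severity"]], zone, m["msg"]))
    return events


def filter_events(events: Iterable[Event], severities: Optional[Set[str]] = None) -> List[Event]:
    """Guard event log view: 'Show all Events' when severities is None, otherwise
    'Show events with severity level' for exactly the chosen levels (a set, not a threshold)."""
    if severities is None:
        return list(events)
    wanted = {LEVEL[name] for name in severities}   # KeyError on a misspelled level name
    return [e for e in events if e.severity in wanted]


def zone_events(events: Iterable[Event], zone: str) -> List[Event]:
    """Zone event log / Recent Events view: this zone only, Notification or more severe."""
    return [e for e in events if e.zone == zone and e.severity <= ZONE_LEAST_SEVERE]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in filter_events(events, {"Critical", "Errors", "Warnings"}):
        print(e.timestamp, e.severity_name, e.zone or "-", e.message)
    print(len(zone_events(events, "zone-web")), "zone-web events at Notification or above")
```

Note the difference between the two views: the Guard event log filter selects exactly the levels you check, so choosing Warnings alone does not show Errors, whereas the zone views apply a fixed cut-off and never show Informational or Debugging events for the zone.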
Displaying the Attacks Summary Report
The Guard provides a high-level summary report (see Figure 10-4) of attacks for each zone to help you analyze the attacks on the zone that the Guard detects. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. The Guard records information during an attack and organizes the data into different categories. The report provides details of the total number and intensity of the attacks with a short summary for each attack. The Guard also presents the attack data in a graph format.
To display the attacks summary report, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears. By default, the report displays attack information for the last month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates and then clicking Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.
The Attack Summary Report screen contains the following areas:
•
Protection Graph—Provides a graphical summary of the attacks during the period of time that you defined.
Figure 10-4 Zone Protection Summary Report—Protection Graph
The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate displays.
To view the attack details, click on the attack bar in the graph to open the attack report (see the "Displaying Details of an Attack Report" section).
•
Total Attack Statistics table—Provides information about the number of attacks on the zone and the aggregated attack details during the period of time that you defined.
Table 10-8 describes the fields in the Total Attack Statistics table.
Table 10-8 Field Descriptions for Total Attack Statistics Table
Field | Description
Attacks Mitigated | Number of attacks mitigated.
Attacks Duration | Aggregated duration of the mitigated attacks.
Max. Traffic Rate | Maximum rate of malicious traffic destined to the zone.
Total Rx | Total amount of traffic that the Guard received that was destined to the zone.
Total Blocked | Total amount of traffic destined to the zone that the Guard dropped.
Legitimate vs. Malicious Traffic | Pie chart display of the percentage of the malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total zone traffic.
•
Per Attack Summary table—Provides a table with a list of the DDoS attacks on the zone during the period of time that you defined. You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting Attack Reports" section) or export the contents of an attack report (see the "Exporting Attack Reports" section).
To view the attack details, click in any of the rows of the Per Attack Summary table (see the "Displaying Details of an Attack Report" section).
Table 10-9 describes the fields in the columns of the Per Attack Summary table.
Table 10-9 Field Descriptions for Summary Report
Field | Description
# | Identification number (ID) of the mitigated attack. The Guard displays a value of Curr for an ongoing attack.
Start time | Date and time at which the mitigated attack started.
Duration | Duration of the mitigated attack in hours, minutes, and seconds.
Type | Type of mitigated attack. Possible values are as follows:
• Client Attack—All nonspoofed traffic anomalies.
• Malformed Packets—All traffic anomalies identified as consisting of maliciously malformed packets.
• Spoofed—Traffic anomalies identified as a DDoS attack coming from a spoofed source.
• User Defined—All anomalies handled by the user filters, whether the filters are the default ones or user configured.
• Zombie—Traffic anomalies identified as having been originated by zombies.
• Hybrid—An attack made up of several attacks with different characteristics.
• Traffic Anomaly—An anomaly that was detected only for a short period of time and did not require mitigation.
Peak (pps) | Maximum attack rate measured in packets per second.
Received Pkts | Total number of packets destined to the zone that the Guard handled during the attack.
Legitimate vs. Malicious Traffic | Pie chart that displays the percentage of malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total traffic during the attack.
•
Subzone Reports—Provides a list of subzones. Subzones are zones that the Guard created to protect a partial zone (a zone that does not include the complete IP address range of the source zone). The Guard erases the subzone when protection for the subzone ends. To view the attack reports of the subzone, click the subzone name. See the "Understanding Subzones" section for additional information on subzones.
Displaying Details of an Attack Report
The Guard allows you to display details of an attack report. The attack report provides details of the attack, starting with the production of the first dynamic filter and ending with protection termination (either by a user decision or by the action of a timeout parameter).
The Guard records the information during an attack and organizes the data into categories. You can view the details of past and current attacks.
This section contains the following topics:
•
Displaying Report Details of a Past Attack
•
Displaying Details of a Current Attack
Displaying Report Details of a Past Attack
To view the report details of a past zone attack, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone status screen and the zone main menu appear.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears, displaying attack information for the past month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates, and then clicking Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.
Step 4
Choose one of the following methods to view details of the attack report:
•
Click on the attack bar in the Protection Graph.
•
Click on any of the fields for the attack listed in the Per Attack Summary table.
The Attack report screen appears.
Displaying Details of a Current Attack
When an attack on a zone is in progress, the Guard displays a Report button on the status screen of the zone under attack.
To view the current attack report of a zone, perform the following steps:
Step 1
From the navigation pane, choose the zone under attack. The zone status screen and the zone main menu appear.
Step 2
Use one of the following methods to display the report of the current attack on the zone:
•
On the zone status screen, click Report.
•
Choose Diagnostics > Attack Reports > Attack Summary from the zone main menu and then click any of the fields of the attack in progress in the Per Attack Summary table. The Guard displays a value of Curr for the identification number (#) of an ongoing attack.
Understanding Attack Report Details
This section describes the information that the Guard displays in the following areas of the detailed attack report:
•
General Attack Information
•
Attack Statistics
•
Dropped/Bounced Packets
•
Detected Anomalies
•
Viewing Details of Detected Anomalies
•
Mitigated Attacks
•
Viewing Details of Mitigated Attacks
•
HTTP Detected Zombies
General Attack Information
The first section of the attack report provides information about the timing of the attack, which includes when the attack started, when it ended, and how long it lasted.
To view additional report details, click i or click Show details for all events.
All counters are integers except for the rate. You can choose the statistics unit of measurement from the general attack information area of the screen.
To change the statistic unit of measurement, perform the following steps:
Step 1
Choose the desired units to use from the Statistics units drop-down list.
Step 2
Click Set units. The Guard updates the display.
Attack Statistics
The attack statistics table provides information on the following packet types:
•
Received—Traffic received by the Guard destined to the zone.
•
Forwarded—Legitimate traffic that the Guard forwarded to the zone.
•
Replied—Traffic sent to the client as part of the Guard anti-spoofing and anti-zombie features.
•
Dropped—Total number of packets destined to the zone and dropped by the Guard.
Table 10-10 describes the information for each packet type.
Table 10-10 Attack Statistics
Field | Description
Total | Total number of packets in the category.
Max Rate | Maximum packet rate that was measured.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the received packets.
The traffic rate is displayed in the units that you chose from the drop-down list in the "General Attack Information" section.
Dropped/Bounced Packets
The Dropped/Bounced table provides statistics for packets that the Guard identified as malicious traffic and dropped or replied (bounced). The packets are classified based on the Guard function that identified them.
The Guard functions, which display in the rows of the table, are as follows:
•
Rate Limiter—Packets dropped by the rate limiter of the zone or by user filters for which a rate limit was configured. See the "Creating a Zone from a Zone Template" section for information about configuring the rate limiter.
•
Flex-content filter—Packets dropped by the flex-content filter. See the "Managing Flex-Content Filters" section for information about using the flex-content filter.
•
User filter—Packets dropped by the user filters. See the "Managing User Filters" section for information about using user filters.
•
Dynamic filter—Packets dropped by the dynamic filters. See the "Managing Dynamic Filters" section for information about using dynamic filters.
•
Spoofed—Packets that the Guard identified as spoofed or as originated by zombies and did not forward to the zone. Spoofed packets are packets for which the Guard's anti-spoofing reply received no answer from the source.
•
Malformed—Packets destined to the zone and dropped because the Guard determined them to be malformed.
Table 10-11 describes the information that is available for each type of packets.
Table 10-11 Field Descriptions for Dropped/Bounced Packets
Field | Description
Total | Total number of dropped/bounced packets.
Max Rate | Maximum packet rate measured.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the total dropped/bounced packets.
The traffic rate is displayed in the units that were selected from the drop-down list in the "General Attack Information" section.
Detected Anomalies
The Detected Anomalies table provides details of the anomalies that the Guard detected in the zone traffic. The Guard classifies the traffic as being an anomaly when it requires the production of a dynamic filter. Traffic anomalies can occur infrequently or can turn into systematic DDoS attacks. The Guard clusters anomalies with the same type and flow parameters (such as a source IP address or a destination port) under one anomaly type.
Table 10-12 describes the information that is provided for each anomaly.
Table 10-12 Field Descriptions for Detected Anomalies
Field | Description
# | Identification number (ID) of the detected anomaly.
Start time | Date and time at which the anomaly was detected.
Duration | Duration of the anomaly in hours, minutes, and seconds.
Type | Type of the detected anomaly. Possible values are as follows:
• Tcp_connections—Detected flow with an unusual number of concurrent TCP connections, with or without data.
• HTTP—Unusual HTTP traffic flow.
• Tcp incoming—Detected flow that attacks a TCP service when the zone is the server.
• Tcp outgoing—Detected attack flow in which the zone is the client, such as SYN-ACK attacks on connections initiated by the zone.
• Unauthenticated tcp—Detected flow that the Guard anti-spoofing functions have not succeeded in authenticating, for example an ACK flood, a FIN flood, or any other flood of unauthenticated packets.
• DNS (UDP)—Attacking DNS-over-UDP flow.
• DNS (TCP)—Attacking DNS-over-TCP flow.
• UDP—Attacking UDP flow.
• Non tcp/udp protocols—Attacking flow of a protocol other than TCP or UDP.
• Fragments—Detected flow with an unusual amount of fragmented traffic.
• TCP ratio—Detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets compared with FIN/RST packets).
• IP scan—Detected flow from a source IP address that tried to access many zone destination IP addresses.
• port scan—Detected flow from a source IP address that tried to access many zone ports.
• user detected—Anomaly flow detected by user definitions.
• SIP (UDP)—Detected Voice-over-IP (VoIP) anomaly flow that uses the Session Initiation Protocol (SIP) over UDP to establish the VoIP sessions.
Triggering rate | Anomaly traffic rate that exceeded a policy threshold.
% Threshold | Percentage by which the triggering rate is above the policy threshold.
Anomaly Flow | Anomaly traffic flow. The parameters of the common flow characteristics are displayed, such as the protocol number, the destination IP address of the traffic flow, and the flow packet type. If the anomaly flow is on a specific port, it is displayed as dst=ip address:port.
Details | Whether additional information can be viewed for this anomaly. Click i for additional information (see the "Viewing Details of Detected Anomalies" section).
An asterisk (*), which is used as a wildcard, for one of the parameters indicates one of the following:
•
The value is undetermined.
•
More than one value was measured for the anomaly parameter.
A number sign (#), followed by a number, for any of the parameters indicates the number of values measured for that parameter.
Viewing Details of Detected Anomalies
The Detected Anomalies Details table provides additional information about the dynamic filters that are related to the detected anomaly.
To display the Detected Anomalies Details table, click i in the details column for the filter in the Detected Anomalies table.
Table 10-13 describes the detailed anomaly information that the Guard provides.
Table 10-13 Field Descriptions for Detected Anomalies Details
Field | Description
Start time | Date and time at which the anomaly was detected.
End time | Expiration date and time of the dynamic filter.
Rate (pps) | Rate measured in packets per second:
• Thresh—Policy threshold that the detected anomaly exceeded.
• Triggered—Anomaly traffic rate that exceeded the policy threshold.
Count | Number of packets that the dynamic filter handled.
Detected flow | Information about the detected attack flow that caused the production of the dynamic filter:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
• Type—Detected anomaly type
Action flow | Information about the action flow that the dynamic filter addressed. The action flow can have a wider range than the detected flow; for example, it may cover all source ports for the specified source IP address. The columns represent the dynamic filter traffic data:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
Mitigated Attacks
The Mitigated Attacks table lists the actions that the Guard took to protect the zone against anomalies that proved to be a hazard to the zone. The anomalies themselves are described in the Detected Anomalies table. The Guard groups mitigation actions that have the same type and flow parameters and displays them together.
Table 10-14 describes the fields of the Mitigated Attacks table.
Table 10-14 Field Descriptions for Mitigated Attacks Table
Field | Description
# | Identification number that the Guard assigned to the mitigated attack.
Start time | Date and time at which the mitigated attack started.
Duration | Duration of the mitigated attack in hours, minutes, and seconds.
Attack Type | Type of the mitigated attack. Possible values are as follows:
• Spoofed—Traffic anomalies identified as a DDoS attack from a spoofed IP source.
• Client Attack—Traffic anomalies identified as a DDoS attack from an unauthenticated source IP address.
• User Defined—DDoS attacks identified by user-defined filters, such as anomalies handled by the user filters. See the "Managing User Filters" section for details on using user filters.
• Zombie—Traffic anomalies identified as a DDoS attack originated by zombies.
• Malformed Packets—Traffic anomalies identified as a DDoS attack consisting of maliciously malformed packets.
The protection level (Basic or Strong) is shown in brackets.
Triggering rate | Traffic rate of the mitigated attack. The triggering rate applies to client attacks and user-defined attacks only; it does not apply to spoofed or malformed attacks.
% Threshold | Mitigated attack rate as a percentage of the policy threshold.
Anomaly Flow | Traffic flow of the anomaly that was mitigated. The parameters of the common flow characteristics are displayed, such as the protocol number, the destination IP address of the traffic flow, and the flow packet types.
Action flow | Traffic characteristics of the flow after the Guard mitigated the attack. The parameters of the common flow characteristics are displayed.
Dropped | Traffic that was dropped during the attack mitigation.
Details | Whether additional information can be viewed for this attack. Click i for additional information (see the "Viewing Details of Mitigated Attacks" section).
An asterisk (*), which is used as a wildcard, for one of the parameters indicates one of the following:
•
The value is undetermined.
•
More than one value was measured for the anomaly parameter.
A number sign (#), followed by a number, for any of the parameters indicates the number of values measured for that parameter.
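The following Python script is an added example, not Cisco Guard code, that shows how the Anomaly Flow notation used in both the Detected Anomalies table and the Mitigated Attacks table can be produced from individual dynamic-filter records: records that share a type and the clustering parameters are grouped, a parameter with one measured value is shown as that value, and a parameter with several values is shown as the wildcard together with the number of values (rendered here as *#N, which is an assumption about the exact display). It also widens a detected flow into an action flow by turning the source port into a wildcard. The filter records, the clustering key, and all addresses are constructed sample data.

```python
"""Added example (not Cisco Guard code): rendering clustered dynamic-filter
records in the Anomaly Flow notation of the attack report tables.
All records, addresses and the clustering key are constructed assumptions."""
from collections import defaultdict

FLOW_FIELDS = ("prot", "src_ip", "src_port", "dst_ip", "dst_port", "frag")

# Constructed sample: one record per dynamic filter (not real Guard output).
SAMPLE_FILTERS = [
    {"type": "Tcp incoming", "prot": 6, "src_ip": "198.51.100.7", "src_port": 40001,
     "dst_ip": "203.0.113.10", "dst_port": 80, "frag": "no", "count": 1200},
    {"type": "Tcp incoming", "prot": 6, "src_ip": "198.51.100.7", "src_port": 40002,
     "dst_ip": "203.0.113.10", "dst_port": 80, "frag": "no", "count": 800},
    {"type": "Tcp incoming", "prot": 6, "src_ip": "198.51.100.7", "src_port": 40003,
     "dst_ip": "203.0.113.10", "dst_port": 80, "frag": "no", "count": 500},
    {"type": "UDP", "prot": 17, "src_ip": "198.51.100.20", "src_port": 53,
     "dst_ip": "203.0.113.11", "dst_port": 5060, "frag": "no", "count": 300},
    {"type": "UDP", "prot": 17, "src_ip": "198.51.100.21", "src_port": 53,
     "dst_ip": "203.0.113.11", "dst_port": 5060, "frag": "no", "count": 250},
]


def summarize_param(values):
    """Render one flow parameter the way the tables describe it: a single
    measured value is shown as-is; several values become the wildcard '*'
    followed by '#N', the number of distinct values measured."""
    distinct = set(values)
    if len(distinct) == 1:
        return str(distinct.pop())
    return "*#%d" % len(distinct)


def format_flow(row):
    """Flow string in the dst=ip:port style used by the Anomaly Flow column."""
    return "prot=%s src=%s:%s dst=%s:%s frag=%s" % (
        row["prot"], row["src_ip"], row["src_port"],
        row["dst_ip"], row["dst_port"], row["frag"])


def cluster_flows(records, cluster_key=("type", "prot", "dst_ip", "dst_port")):
    """Group records that share the clustering parameters (an assumed key;
    the Guard's own key is not documented on this page) and emit one summary
    row per cluster with the packet counts added up."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in cluster_key)].append(rec)
    rows = []
    for members in groups.values():
        row = {"type": members[0]["type"],
               "count": sum(m["count"] for m in members)}
        for field in FLOW_FIELDS:
            row[field] = summarize_param(m[field] for m in members)
        row["flow"] = format_flow(row)
        rows.append(row)
    return rows


def widen_action_flow(row, wildcard_fields=("src_port",)):
    """Derive an action flow that is wider than the detected flow: the chosen
    parameters become a plain '*' (all values), as in the Action flow column."""
    action = dict(row)
    for field in wildcard_fields:
        action[field] = "*"
    action["flow"] = format_flow(action)
    return action


if __name__ == "__main__":
    for row in cluster_flows(SAMPLE_FILTERS):
        print(row["type"], row["count"], row["flow"])
        print("  action:", widen_action_flow(row)["flow"])
```

Running the script prints one summary row per cluster: the three TCP filters collapse into a single flow whose source port reads *#3, and the two UDP filters into one whose source IP reads *#2.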
Viewing Details of Mitigated Attacks
The Mitigated Attack Details table provides additional information about the functions that the Guard used to mitigate the attack.
To display the Mitigated Attack Details table, click i in the details column for the filter in the Mitigated Attacks table.
Table 10-15 describes the information that the Guard displays in the Detailed Mitigated Attack table.
Table 10-15 Field Descriptions for Detailed Mitigated Attack Table
Field | Description
Start time | Date and time at which the mitigated attack started.
End time | Expiration date and time of the dynamic filter that was activated.
Rate (pps) | Rate measured in packets per second:
• Thresh—Policy threshold that the mitigated attack exceeded.
• Triggered—Anomaly traffic rate that exceeded the policy threshold.
Count | Number of packets that the dynamic filter handled.
Detected flow | Information about the detected flow that was mitigated:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
• Type—Detected anomaly type
Action flow | Information about the action flow that the mitigation function addressed. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific destination port for a specific destination IP address, and the action flow could indicate all destination ports for that destination IP address. The columns represent the dynamic filter traffic data:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
HTTP Detected Zombies
An indication that an HTTP zombie attack has been detected appears in the "General Attack Information" section (see Figure 10-5).
Figure 10-5 HTTP Detected Zombies
To view the list of detected HTTP zombies, click i or click Show HTTP detected zombies. See the "Viewing the HTTP Zombies List" section for details about this type of traffic anomaly.
Exporting Attack Reports
To export attack reports to a network server, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates, and then clicking Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.
Step 4
From the Per Attack Summary table, check the check box next to the attack reports that you want to export. To choose all of the reports listed in the table, check the check box in the table header next to the number symbol (#).
Step 5
Click Export. The Export File Server Parameters window opens.
Step 6
From the Select File Server Parameters form, choose and define the network server to use:
•
Use automatic export file server definitions—Exports the attack reports to the network servers that you defined in the Guard configuration by using the CLI export reports command.
•
Use the following server definition—Exports the attack reports to the network server that you define. Enter the following network server information:
–
Transfer method—Choose one of the following transfer protocols to use:
FTP—Specifies the File Transfer Protocol.
SFTP—Specifies the SSH File Transfer Protocol.
SCP—Specifies the Secure Copy Protocol.
FTP sends the login credentials and the exported reports in cleartext, so use SFTP or SCP unless the transfer stays inside a network that you trust. Because SFTP and SCP rely on Secure Shell (SSH) for their secure transport, if you do not configure the key that the Guard uses for the secure communication before you export attack reports to an SFTP or SCP server, the Guard prompts you for the password. You can configure the key for SFTP and SCP only by using the Guard CLI.
–
Address—IP address of the network server.
–
Path—Full pathname. If you do not specify a path, the server saves the files in your home directory.
–
Username—Network server login name. The username is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
–
Password—(Optional) Password for the remote FTP server. If you enter a username but do not enter a password, the Guard prompts you for the password.
Step 7
Click OK to export the attack reports to the network server.
Deleting Attack Reports
To delete attack reports, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates and then clicking Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and then choose a date from the calendar popup window.
Step 4
From the Per Attack Summary table, check the check box next to the attack reports that you want to delete. To choose all of the reports listed in the table, check the check box in the table header next to the number symbol (#).
Step 5
Click Delete. The Guard deletes the attack report.
Viewing the HTTP Zombies List
The HTTP Zombies list enables you to analyze the zone traffic and view the list of zombies that initiated the attack. You can then take action against the zombies.
To view the list of HTTP Zombies, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > HTTP Zombies. The HTTP Zombies screen appears.
Table 10-16 describes the information that the Guard displays in the HTTP Zombies table.
Table 10-16 Field Descriptions for HTTP Zombies
Field | Description
IP | Zombie IP address.
Start Time | Date and time at which the zombie connection was first identified.
Duration | Duration of the zombie attack.
"get" Requests | Number of HTTP GET requests sent by the zombie.
Viewing the Policy Statistics Table
You can view the rate of the traffic that flows through a zone policy or a group of zone policies, and use it to check whether the services and traffic volumes that the policies measure match what you expect for the zone. The Guard displays the traffic flows forwarded to the zone with the highest rates as measured by the policies. The rate is calculated from traffic samples.
To view the Policy Statistics table, perform the following steps.
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Statistics > Policy Statistics. The Policies Statistics screen appears.
Step 3
(Optional) Set a filter on the screen and view selected policies as follows:
a.
Click Set Screen Filter. The Policy Filter window opens.
b.
Configure the screen filters to use and then click OK. Table 10-17 describes the screen filter parameters listed in the Policy Filter window. Choose the desired display parameters from the corresponding drop-down lists.
To change multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter window.
Note
When you change one of the filtering parameters, all the parameters listed below it are automatically reset to their default setting.
Table 10-17 Policy Filter Parameters
Parameter | Restricts the display to . . .
Policy template | Policies that were created from the selected policy template.
Service | Policies that were created for the selected service.
Protection level | Policies of the selected protection level.
Type | Policies of the selected packet type.
Policy | Policies of the selected key.
State | Policies of the selected operating state.
Action | Policies configured with the selected action.
Policies | Policies of the current configuration or of a snapshot (if available).
A partial list of the policies, meeting the criteria that you specified, is displayed. The details of the selected path, state, and action are displayed in the Screen Filter frame.
The Policy Statistics table displays the information in three sections. The information in each section is sorted by value with the highest values appearing at the top:
•
Rate—Rate of traffic that flows through the policy.
•
Ratio—Ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.
•
Connections—Number of concurrent connections or source IP addresses. This information is available for tcp_connections policies and the following packet types:
–
in_nodata_conns for the Analysis protection module
–
in_conns for the Strong protection module
For easier management of the information displayed, you can set screen filters to display only a partial list of the statistics available.
Table 10-18 describes the policy statistics fields.
Table 10-18 Policy Statistics
Field | Description
Policy template | Policy template that was used to construct the policy.
Service | Services that the policy monitors.
Level | Protection level that the Guard applied to the traffic flow. Possible values are Analysis, Basic, and Strong.
Type | Packet type. Possible values are as follows:
• auth_pkts—Packets that underwent either a TCP handshake or UDP authentication.
• auth_tcp_pkts—Packets that underwent a TCP handshake.
• auth_udp_pkts—Packets that underwent UDP authentication.
• in_conns—Zone incoming connections.
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• num_sources—Number of TCP source IP addresses, destined to the zone, that have been authenticated by the Guard anti-spoofing functions.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with data payload.
• syns—Synchronization packets (TCP SYN flagged packets).
• syn_by_fin—SYN and FIN flagged packets (verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets).
• unauth_pkts—Packets that did not undergo a TCP handshake.
• pkts—All packet types that do not fall under any other category in the same protection level.
Policy | Policy name.
Key | Key (traffic characteristics) that was used to aggregate the policies. Possible values are as follows:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.
• global—Summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone, aggregated by source IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone, aggregated by protocol number.
• src_ip_many_dst_ips—Key used for IP scanning (traffic from a single IP address destined to many zone IP addresses).
• src_ip_many_port—Key used for port scanning (traffic from one IP address destined to many zone ports).
Value | Rate, ratio, or number of connections, depending on the section of the table. The information in each section is sorted by value with the highest value appearing at the top.
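The following Python script is an added example, not Cisco Guard code, that computes the kind of per-key values the Policy Statistics table ranks from a sample of packets: the packet rate per dst_port and per dst_ip, the global rate, the SYN to FIN/RST ratio per destination IP (the dst_ip_ratio key behind syn_by_fin policies), and the fan-out counts behind the src_ip_many_dst_ips (IP scan) and src_ip_many_port (port scan) keys. The packet sample, the 10-second measurement window, and the rule that a ratio is reported only after at least 10 SYN packets are assumptions; the Guard's own sampling method and thresholds are not on this page.

```python
"""Added example (not Cisco Guard code): per-key statistics of the kind the
Policy Statistics table ranks, computed over a constructed packet sample.
The sample, window length and minimum SYN count are assumptions."""
from collections import Counter, defaultdict

WINDOW_SECONDS = 10.0  # assumed length of the sampling window

# Constructed sample: (src_ip, dst_ip, dst_port, tcp_flag) for one window.
# A SYN-heavy flow to port 80, a balanced flow to port 443, one source
# touching 40 zone addresses (IP scan) and one source touching 100 ports
# on a single address (port scan).
SAMPLE_PACKETS = (
    [("198.51.100.5", "203.0.113.10", 80, "S")] * 400
    + [("198.51.100.5", "203.0.113.10", 80, "F")] * 20
    + [("198.51.100.9", "203.0.113.10", 443, "S")] * 50
    + [("198.51.100.9", "203.0.113.10", 443, "F")] * 45
    + [("198.51.100.77", "203.0.113.%d" % i, 22, "S") for i in range(100, 140)]
    + [("198.51.100.88", "203.0.113.12", p, "S") for p in range(1000, 1100)]
)


def rate_by_key(packets, key_fn, window=WINDOW_SECONDS):
    """Packets per second for each key value, highest first (the Rate section)."""
    counts = Counter(key_fn(p) for p in packets)
    return sorted(((k, n / window) for k, n in counts.items()),
                  key=lambda kv: kv[1], reverse=True)


def syn_by_fin_ratio(packets, key_fn, min_syns=10):
    """SYN count divided by FIN/RST count per key (the Ratio section).
    A key with SYNs but no FIN/RST at all gets an infinite ratio, which is
    exactly the shape of a SYN flood or scan. Keys with fewer than min_syns
    SYN packets are skipped (assumed noise floor)."""
    syns, fins = Counter(), Counter()
    for pkt in packets:
        key = key_fn(pkt)
        if pkt[3] == "S":
            syns[key] += 1
        elif pkt[3] in ("F", "R"):
            fins[key] += 1
    ratios = {}
    for key, s in syns.items():
        if s < min_syns:
            continue
        ratios[key] = s / fins[key] if fins[key] else float("inf")
    return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)


def fan_out(packets, group_fn, value_fn):
    """Number of distinct values seen per group, highest first. Used for
    src_ip_many_dst_ips (distinct destination IPs per source) and
    src_ip_many_port (distinct destination ports per source)."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[group_fn(pkt)].add(value_fn(pkt))
    return sorted(((k, len(v)) for k, v in seen.items()),
                  key=lambda kv: kv[1], reverse=True)


def policy_statistics(packets):
    """Collect the per-key views into one dictionary keyed by policy key name."""
    return {
        "dst_port": rate_by_key(packets, lambda p: p[2]),
        "dst_ip": rate_by_key(packets, lambda p: p[1]),
        "global": len(packets) / WINDOW_SECONDS,
        "dst_ip_ratio": syn_by_fin_ratio(packets, lambda p: p[1]),
        "src_ip_many_dst_ips": fan_out(packets, lambda p: p[0], lambda p: p[1]),
        "src_ip_many_port": fan_out(packets, lambda p: p[0], lambda p: p[2]),
    }


if __name__ == "__main__":
    for key, value in policy_statistics(SAMPLE_PACKETS).items():
        top = value[:3] if isinstance(value, list) else value
        print("%-20s %s" % (key, top))
```

In the sample, the port 80 flow tops the dst_port rates, the port-scan target shows an infinite SYN to FIN ratio, and the two scanning sources lead the IP-scan and port-scan fan-out lists, which is the ordering the table presents when the same behaviour hits a zone.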
Viewing the Drop Statistics Table
The Drop Statistics table enables you to view the distribution of dropped packets for an ongoing attack by the rate and the counter.
To view the Drop Statistics table, perform the following steps:
Step 1
From the navigation pane, choose a zone. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Statistics > Drop Statistics. The Drop Statistics screen appears.
Step 3
(Optional) Change the unit of measurement for the statistics displayed by choosing the desired unit of measurement from the drop-down list and then clicking Set units.
The dropped packets appear in two tables based on the type of packets.
Table 10-19 describes the contents of the Drop Statistics table and Table 10-20 describes the contents of the Spoofed Statistics table.
Table 10-19 Drop Statistics
Type
|
Description
|
Total dropped
|
Total amount of dropped traffic.
|
Dynamic filters
|
Amount of traffic dropped by the dynamic filters.
|
User filters
|
Amount of traffic dropped by the user filters.
|
Flex filter
|
Amount of traffic dropped by the flex-content filters.
|
Rate limit
|
Packets that are defined by the rate limit parameter of the user filters and the zone rate limit that were dropped.
|
Incoming TCP unauthenticated basic
|
Traffic that the TCP basic anti-spoofing functions could not authenticate and dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/ Replied Packets table.
|
Incoming TCP unauthenticated-strong
|
Traffic that the TCP Strong anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/ Replied Packets table.
|
Outgoing TCP unauthenticated
|
Zone-initiated connections that the TCP anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
UDP unauthenticated-basic
|
UDP traffic that the Basic anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
UDP unauthenticated-strong
|
UDP traffic that the Strong anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Other protocols unauthenticated
|
Non-TCP and non-UDP traffic that the Guard anti-spoofing functions could not authenticate and dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
TCP fragments unauthenticated
|
TCP fragmented packets that the Guard anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
UDP fragments unauthenticated
|
UDP fragmented packets that the Guard anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Other protocols fragments unauthenticated
|
Fragmented packets, other than TCP and UDP fragmented packets, that the Guard anti-spoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
DNS malformed replies
|
Malformed DNS replies that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
DNS spoofed replies
|
DNS packets coming in response to zone-initiated connections that the Guard anti-spoofing functions dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
DNS short queries
|
Short (malformed) DNS queries that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Non DNS packets to/from DNS port
|
Non-DNS traffic destined to a DNS port or from a DNS port that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Malicious Packets Statistics table.
|
Bad packets to proxy addresses
|
Malformed traffic destined to the Guard proxy IP address that the Guard protection mechanisms dropped.
|
TCP anti-spoofing mechanisms related pkts
|
Number of dropped packets due to side operations that the Guard TCP anti-spoofing functions performed. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
DNS anti-spoofing mechanisms related pkts
|
Number of packets dropped due to side operations that the Guard DNS anti-spoofing functions performed. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Anti-spoofing internal errors
|
Number of packets dropped due to errors of the Guard anti-spoofing functions. In the attack reports, these packets are counted under the Packets table.
|
Land attack
|
Number of packets dropped because they had identical source and destination IP addresses. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Malformed packets
|
Number of packets dropped due to a malformed header. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Malformed SIP packets
|
Session Initiation Protocol (SIP) over UDP packets that the Guard protection functions dropped because they were malformed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
SIP anti-spoofing features related pkts
|
Number of SIP over UDP packets that the Guard anti-spoofing functions identified as spoofed due to side operations and dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Table 10-20 Spoofed Statistics
Type
|
Description
|
Total spoofed
|
Total amount of spoofed traffic.
|
Spoofed incoming TCP basic
|
Traffic that the TCP basic anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed incoming TCP strong
|
Traffic that the TCP strong anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed outgoing TCP basic
|
Traffic of zone-initiated connections that the TCP basic anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed outgoing TCP strong
|
Traffic of zone-initiated connections that the TCP strong anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed incoming DNS
|
Traffic that the incoming Domain Name System (DNS) query anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed outgoing DNS basic
|
Traffic that the outgoing DNS (replies) basic anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed outgoing DNS strong
|
Traffic that the outgoing DNS (replies) strong anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed zombie
|
Traffic that the zombie anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
Spoofed incoming SIP
|
Traffic that the incoming SIP over UDP anti-spoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|