Table Of Contents
Monitoring Zone and Device Operations
Using the MDM Global Diagnostic Tools
Viewing the Network Summary Screen
Displaying the Global Guard Counters
Clearing the Guard Global Counters
Displaying the Network Event Log
Displaying the Current Status of all Zones
Using the Zone Diagnostic Tools
Displaying the Zone Status Screen
Zone Status Bar
Zone Traffic Rate Statistics and Graph
Zone Status Table
Zone Recent Events Table
Displaying the Zone Counters
Using Zone Counters to Analyze Traffic Flow
Clearing the Zone Counters
Displaying the Device Status and Device-Specific Counter Information
Displaying the Zone Event Log
Displaying the Zone Attacks Summary Report
Displaying Details of an Attack Report
Displaying Report Details of a Past Attack
Displaying Details of a Current Attack
Understanding Attack Report Details
General Attack Information
Attack Statistics
Dropped/Bounced Packets
Detected Anomalies
Displaying Details of Detected Anomalies
Mitigated Attacks
Displaying Mitigated Attack Details
HTTP Detected Zombies
Exporting Zone Attack Reports
Using the Attack Summary Screen Method for Exporting Attack Reports
Using the Zone Menu Method for Exporting Attack Reports
Deleting Attack Reports
Displaying the HTTP Zombies List
Displaying the Drop Statistics Table
Monitoring Zone and Device Operations
This chapter describes how to monitor the status of the Cisco DDoS MultiDevice Manager (MDM) network. You can monitor the network on a global basis, looking at all zones and devices as a whole, or on a more detailed, per-zone basis. Using the MDM statistical tools, you can diagnose problems related to the zone traffic flow.
The MDM gathers statistical information from the devices that you define on the network device list. The MDM aggregates the information to provide you with several statistical and status reporting tools for analyzing your network's operation. The MDM's consolidated reporting system allows you to display the following information:
• Traffic counters and graphs—Aggregated counter information provides details on the rates associated with legitimate and malicious traffic.
• Zone operating status—Operation status of the zone devices, such as Under Detection, Protected, or Tuning Thresholds.
• Attack reports—The MDM highlights any current attacks and provides instant access to attack details.
• Events—Events reported by the zone Detectors and Guards.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Using the MDM Global Diagnostic Tools
• Using the Zone Diagnostic Tools
Using the MDM Global Diagnostic Tools
The MDM provides diagnostic information to assist you in monitoring and troubleshooting global events that occur within the MDM network. This section contains the following topics:
• Viewing the Network Summary Screen
• Displaying the Global Guard Counters
• Clearing the Guard Global Counters
• Displaying the Network Event Log
• Displaying the Current Status of all Zones
Viewing the Network Summary Screen
The MDM Network Summary screen (see Figure 11-1) provides a summary of the current network activity and is the first screen to appear when connecting to the MDM server. You can also access the Network Summary screen using the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right corner, click Home.
• From the Network Summary menu, choose Main > Network Summary.
Figure 11-1 Network Summary Screen
The Network Summary screen provides a list of the activated zones that are currently under attack, with the most recent attack appearing at the top. To view the details of a particular zone under attack, click in the table row to display the associated Zone Summary screen.
Table 11-1 describes the fields of the Network Summary table.
Table 11-1 Field Descriptions for Network Summary Table
Field | Description
Zone | Zone name. The zone name also provides a link to the zone status screen of the specified zone.
Attack Start Time | Date and time that the most recent attack on the zone was detected.
#DF | Number of dynamic filters that the zone Guards have created to mitigate the attack.
#PF | Number of pending dynamic filters. The display shows N/A (not applicable) if the zone is operating in automatic mode (not interactive mode), because the devices automatically activate any dynamic filter that they produce as a result of the attack.
Legitimate Rate | Current rate of legitimate traffic (in bits per second) received by the devices. The zone Guards inject legitimate traffic back into the network.
Malicious Rate | Current rate of malicious traffic (in bits per second) received by the Guards and dropped.
Received Rate | Current rate of all traffic (in bits per second) received by the Guards. The received rate is equal to the legitimate rate plus the malicious rate.
Thumbnail of the zone traffic summary | Graph that displays a summary of the traffic (in bits per second) to the zone in the last half hour. The traffic rates are color-coded as follows: Green—Legitimate traffic rate; Red—Malicious traffic rate; Azure—Master receive rate (this rate displays only when the master device is a Detector).
Displaying the Global Guard Counters
The Counters screen provides an in-depth analysis of the counter information that the MDM receives from all of the Guards that you have defined in the MDM device list. The Global Current Counter/Rates table within the Counters screen displays aggregated statistical information, such as the number of legitimate or malicious traffic packets, that the Guards have received. The Counters screen also provides a graphical representation of the counter statistical information.
To display the global Guard counters, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Diagnostics > Counters > Guards Counters. The Counters screen appears, which includes the Global Current Counters/Rates table (see Table 11-2).
Step 3
(Optional) Add or remove counters from the Guard Traffic Rate graph by checking the check box next to each counter that you want to display, or unchecking the check box next to each counter that you want to remove from the graph. Click Update Graph. The MDM updates the graph.
Step 4
(Optional) Modify the period of time that displays in the graph by choosing the period of time from the Graph Period drop-down list. Click Update Graph. The MDM updates the graph.
By default, the traffic rate graph displays counter information recorded in the last 2 hours.
Step 5
(Optional) Change the unit of measurement that the MDM uses in the traffic rate graph by choosing a unit of measurement from the Graph Type drop-down list. Click Update Graph. The MDM updates the graph.
The units of measurement options are as follows:
• pps—Packets per second
• bps—Bits per second (default setting)
Step 6
(Optional) Click Clear Counters to clear the Guard counters. The MDM clears the current counters and the traffic rates. Clear the Guard counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
Table 11-2 describes the fields in the Global Current Counters/Rates table.
Table 11-2 Field Descriptions for the Global Current Counters/Rates Table
Field | Description
Shown in Graph | Selected counter information that the Guard Traffic Rates graph displays.
Counter | Type of traffic packets that the counter tracks.
Legitimate | Legitimate traffic forwarded by the Guards to the zones.
Malicious | Malicious traffic that targets the zones. Malicious traffic is the sum of Dropped packets and Spoofed packets (including the Zombie packets).
Received | Packets received and handled by the Guards. Received packets are the sum of legitimate traffic and malicious traffic.
Dropped | Packets that were identified by the Guards as malicious and dropped.
Replied | Packets to which replies were sent to the initiating client as part of the antispoofing or antizombie functions in order to verify whether they are part of authentic traffic or part of an attack.
Spoofed | Packets that were identified by the Guards as Spoofed packets and not forwarded to the zones. Spoofed packets are Replied (bounced) packets to which no replies were received. Spoofed packets include Zombie packets.
Packets | Total number of packets since the last reload or clear counter of each Guard.
Bits | Total number of bits since the last reload or clear counter of each Guard.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
A legend that identifies the different counters appears below the graph. The minimum, maximum, and average rates for each counter display for the time period that you selected.
Clearing the Guard Global Counters
You can clear the counters information that the MDM displays if you are going to perform testing and want to be sure that the counters include information from the testing session only.
To clear the counters, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network summary menu, choose Diagnostics > Counters > Guards Counters. The Counters screen appears.
Step 3
Click Clear Counters. The MDM clears the current counters and the traffic rates.
Displaying the Network Event Log
The MDM automatically creates a log in which it aggregates the various events reported by all of the network devices, which includes the system activity related to the protected zones and to the operations of all the zone devices. The MDM sorts all log entries according to the time stamp that each device assigns to an event. You can display the MDM logs to review and track the activity that the MDM monitors and records.
Each event that the MDM records is assigned with one of the severity levels described in Table 11-3.
Table 11-3 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To display the contents of the network event log, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Diagnostics > Event log. The Events screen appears. Use the navigation tool provided above the Events table to scroll through the events.
Step 3
(Optional) Control which events display in the Events table by choosing one of the following options and then clicking Filter Events. The MDM updates the Events table.
• Show all Events—Displays the events of each severity level.
• Show events with severity level—Displays only the events of the severity levels that you select. See Table 11-3 for a description of the various event severity levels.
Displaying the Current Status of all Zones
From the Network Summary screen, you can display a list of the zones currently configured on the device. The zone list includes the current operating status of each zone and whether it is operating in automatic or interactive mode.
To display the list all the zones configured on the device, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Zones > Zone List. The Zones List screen appears.
Step 3
(Optional) Click Show Active Zones (located above the Zones List table) to display only the active zones. By default, the MDM displays a complete list of the zones configured on the device, whether they are active or inactive. To return to the complete list, click Show All Zones.
Step 4
(Optional) Click a zone name to display the detailed status screen for the selected zone.
From the Zones List screen, you can also add or delete zones. For more information on these functions, see the "Creating a Zone" section on page 5-3 and the "Deleting a Zone" section on page 5-18.
Using the Zone Diagnostic Tools
The MDM provides diagnostic information to assist you in monitoring and troubleshooting zone events.
Note
The rate values that the MDM displays in the maximum (max) and peak columns of the various zone attack reports represent the sum of the maximum rate values that the zone Guard devices experience during the report time period. Because the Guards may have experienced the maximum rates at different times, the displayed values do not necessarily represent the maximum rates experienced by the zone at any given point in time. If the Guards experience the maximum rates at different times, the actual maximum rate experienced by the zone at any point in time would be less than the value that the MDM displays.
This section contains the following topics:
• Displaying the Zone Status Screen
• Displaying the Zone Counters
• Clearing the Zone Counters
• Displaying the Device Status and Device-Specific Counter Information
• Displaying the Zone Event Log
• Displaying the Zone Attacks Summary Report
• Displaying Details of an Attack Report
• Understanding Attack Report Details
• Exporting Zone Attack Reports
• Deleting Attack Reports
• Displaying the HTTP Zombies List
• Displaying the Drop Statistics Table
Displaying the Zone Status Screen
The Zone Status screen (see Figure 11-2) provides a summary of the zone operating status that you select. You can navigate to this screen using one of the following methods:
• From the Zones list in the navigation pane located on the left side of the window, click the zone name.
• From the Network Summary menu, choose Zones > Zone List and then click a zone name.
Figure 11-2 Zone Status Screen
The Zone Status screen is divided into four areas:
• Zone Status bar (see the "Zone Status Bar" section)
• Traffic Rate table (see the "Zone Traffic Rate Statistics and Graph" section)
• Zone Status table (see the "Zone Status Table" section)
• Recent Events table (see the "Zone Recent Events Table" section)
Above the Traffic Rate graph, the MDM displays one or more toggling function buttons. The buttons that display depend on the device types that you assign to the zone and the current activation state of each device type.
• Detect—Displays only when you associate Detectors with the zone and toggles between Detect and Deactivate. Click Detect to activate anomaly detection on all zone Detectors. Click Deactivate to stop anomaly detection.
• Protect—Displays only when you associate Guards with the zone and toggles between Protect and Deactivate. Click Protect to activate zone protection on all zone Guards. Click Deactivate to stop zone protection.
• Deactivate—Displays only when you activate Detect and Protect simultaneously. Click Deactivate to choose the activation state to stop: Detect, Protect, or both.
• Report—Displays only when the zone is active and under attack. Click Report to display the zone attack report.
Zone Status Bar
The zone status bar, which is across the top of the Zone Status screen, provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:
• Name of the zone.
• Manner in which the zone devices perform anomaly detection or zone protection—Indicates whether the devices are operating in automatic or interactive protect mode for the zone. See the "Automatic and Interactive Zone Operation Modes" section on page 10-3 and the "Changing Zone Operation Modes" section on page 10-17 for information on zone operation mode settings.
• Zone operating state—Indicates the current operating state of the zone. The operating state is divided into two sections: the aggregated state of all Guards and the aggregated state of all Detectors. If only some of the devices of the same device type are in a certain state (for example, Protect), the MDM displays an (S) near the state to indicate a subset of the device type.
The status bar displays the following zone operating states:
– Inactive—The zone devices are not performing anomaly detection (Detect) or zone protection (Protect).
– Construct Policies—The zone device that you have selected to learn zone traffic is performing the policy construction phase of the learning process. For information on selecting the zone device to learn traffic, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section on page 9-5.
– Tuning Thresholds—The zone device that you have selected to learn zone traffic is performing the threshold tuning phase of the learning process. You can enable this operation with the Detect and Protect operations. For information on selecting the zone device to learn traffic, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section on page 9-5.
– Under Detection—The zone Detectors are activated and performing anomaly detection.
– Protected—The zone Guards are activated and performing zone protection.
– Under Attack—The activated zone devices have detected a traffic anomaly.
• Zone Status icons—Depending on the operating state, one of the following status icons displays for each device type: Inactive, Protect, Detect, or Learning.
• Recommendation icon—Indicates that new dynamic filter recommendations are available. This indication displays only when the zone operation mode is set to interactive. You must respond to the dynamic filter recommendations that the device creates during an attack.
Zone Traffic Rate Statistics and Graph
The Traffic Rate table contains a graph that displays the aggregated traffic rate of all zone Guards over the last 2 hours, measured in bits per second (bps). Also included in the table is statistical information related to the following traffic counters:
• Legitimate rate—Valid, or clean, traffic that the Guards forwarded to the zone. This traffic displays in green in the graph.
• Malicious rate—Attack traffic that was targeting the zone and dropped by the Guards. This traffic displays in red in the graph.
• Master Receive rate—Traffic received by the master device. This field displays only when you have a Detector defined as the master device. This traffic displays in azure in the graph.
Table 11-4 describes the fields that appear below the zone traffic rate graph.
Table 11-4 Field Descriptions for Fields below Zone Traffic Rate Graph
Field | Description
Min | Minimum aggregated traffic rate measured over the last 2 hours in bps.
Max | Maximum aggregated traffic rate measured over the last 2 hours in bps.
Avg | Average aggregated traffic rate measured over the last 2 hours in bps.
Cur | Current aggregated traffic rate in bps.
Zone Status Table
The Zone Status table provides information about the current operation of the zone and contains the following information:
• Active Dynamic filters—Sum of the active dynamic filters created by all of the zone devices. The number of active dynamic filters is greater than 1 when the Guard identifies anomalies in the zone traffic.
Click Active Dynamic filters to view the dynamic filters screen. See the "Managing a Dynamic Filter" section on page 10-8 for more information on dynamic filters.
• Pending Dynamic filters—Sum of the pending dynamic filters on all of the zone devices. The number of pending dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations.
Click Pending Dynamic filters to display the Recommendations screen. See the "Managing a Dynamic Filter" section on page 10-8 for more information on dynamic filters. See the "Managing Device Recommendations for Dynamic Filters" section on page 10-13 for more information on MDM recommendations.
• Last attack time—Date and time that the last (and current) attack on the zone was first detected by a device.
• Activation time—Date and time that zone protection was activated.
Zone Recent Events Table
The recent events table displays the reported zone events with a minimum severity level of notify. The MDM also records the events in the zone event log and the Guard event log.
Displaying the Zone Counters
The zone counters enable you to analyze zone-specific traffic information in order to verify the zone status and determine whether or not zone protection is functioning properly. With the exception of the Master Received rate, all displayed counter rates are Guard counter rates (the MDM provides an aggregated display of the counter information that it receives from the various zone Guards). The Master Received rate displays only when you select a Detector as the master device.
You can adjust the period of time that is displayed in the zone counters graph view to see how zone protection is evolving.
To display the zone counter information, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The Zone Counters screen appears.
Step 3
(Optional) Modify the view of the traffic rates graph by checking the check box next to the counters that you want to include in the graph. Click Update Graph. The MDM updates the traffic rate graph.
The MDM can display the following types of traffic counters:
• Legitimate—Legitimate traffic forwarded by the Guards to the zones.
• Malicious—Malicious traffic identified by the Guards. The malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Total amount of traffic received and handled by the Guards. Received packets are the sum of the legitimate traffic and the malicious traffic.
• Dropped—Packets that were identified by the Guards as part of an attack and dropped.
• Replied—Packets to which replies were sent by the Guards to the initiating client as part of the antispoofing or antizombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guards as Spoofed packets and were not forwarded to the zone. Spoofed packets are Replied (bounced) packets to which no replies were received. Spoofed packets include Zombie packets.
• Master Received—Traffic received by the Detector master device. The MDM displays this field only when the master device is a Detector.
Step 4
(Optional) Modify the period of time that displays in the graph by choosing a period of time from the Graph Period drop-down list. Click Update Graph. The MDM updates the graph.
By default, the Traffic Rates graph displays the legitimate and malicious traffic over the last 2 hours, measured in bits per second (bps). If the zone master device is a Detector, then the graph also displays the Master Receive traffic rate.
Step 5
(Optional) Change the unit of measurement that the MDM uses in the Traffic Rate graph by choosing a unit of measurement from the Graph Type drop-down list. Click Update Graph. The MDM updates the graph.
The units of measurement can be one of the following:
• pps—Packets per second
• bps—Bits per second (the default)
Step 6
(Optional) Click Clear Counters to clear the zone counters. The MDM clears the current counters and the traffic rates. Clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
Table 11-5 describes the fields of the Zone Current Counters/Rates graph.
Table 11-5 Field Descriptions for the Zone Current Counters/Rates Graph
Field | Description
Shown in Graph | Status of whether the counter is displayed in the graph.
Counter | Type of available counters.
pps | Current traffic rate destined to the zone, measured in packets per second.
bps | Current traffic rate destined to the zone, measured in bits per second.
A legend that identifies the counters appears below the Traffic Rates graph. The minimum, maximum, and average rates for each counter display for the time period that you select.
Using Zone Counters to Analyze Traffic Flow
You should analyze the traffic flow to determine if traffic is flowing to an active zone and is being analyzed by the zone Detectors and Guards. Follow these guidelines to analyze traffic flow and recognize possible problems:
• The zone devices are active and processing traffic when the Received and Master Received counter rates are greater than zero. A Received rate greater than zero indicates that the zone Guards are processing traffic and performing zone protection. A Master Receive rate greater than zero indicates that the Detector master device is processing traffic and performing anomaly detection. The Master Receive rate displays only when the master device is a Detector.
• When the zone contains Guards, the zone is under attack when the Malicious counter rate is greater than zero. This counter rate is the aggregated count of the zone Guards that are mitigating the attack. To verify that the zone is under attack, display the zone summary screen to see if the Guards are producing dynamic filters to handle the attack (see the "Displaying the Zone Status Screen" section).
When the zone contains Detectors only and you want to verify that the Detectors are responding to an attack, you must display the zone summary screen to see if the Detectors are producing dynamic filters to handle the attack (see the "Displaying the Zone Status Screen" section).
The MDM also allows you to display individual device status and counter rate information to help isolate problems (see the "Displaying the Device Status and Device-Specific Counter Information" section).
Based on your experience and knowledge of the network traffic, you should follow these guidelines:
• If there are dropped packets, you should verify if a trusted source IP address is blocked by a dynamic filter created by the Guards. You can configure the traffic from that particular source IP address to bypass the Guard functions (see the "Managing a Bypass Filter" section on page 6-11). You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
• If a policy has produced dynamic filters that drop too many IP flows, you should verify if filters are blocking flows from source IP addresses that seem legitimate but are sending traffic at rates above the thresholds. You can increase the policy threshold or prevent the policy from producing additional dynamic filters by deactivating the policy. See Chapter 8, "Managing Zone Policies," for information about configuring the zone policies. You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
• If you activate Protect and the Guards do not receive the packets destined to the zone (Received counter = 0), look for a traffic diversion problem that is preventing the Guards from receiving network traffic.
• If the Guards receive and block all of the zone traffic, the Guards may be dropping traffic because they falsely identified the traffic as malicious. Check if the Received rate is greater than zero and Legitimate is equal to zero over a period of time (see Figure 11-3).
Scan the dynamic filters that the Guards produced for a drop-action filter and do the following:
– Delete the drop-action dynamic filter.
– Deactivate the policy that produced the drop-action dynamic filter. If you do not take this action, the drop-action filter reappears when you delete the dynamic filter because the Guard continues to identify the traffic as malicious. See Chapter 8, "Managing Zone Policies," for information about configuring the zone policies. You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
Figure 11-3 Problem Analysis for Received Traffic: Rcv > 0, Legitimate = 0
Caution
When you deactivate a policy, you may compromise zone protection because the Guards cannot apply the policy to the traffic flow.
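The following Python is an added example, not part of this guide and not MDM code. It applies the counter identities from Table 11-2 (Received = Legitimate + Malicious, Malicious = Dropped + Spoofed), the per-Guard aggregation the MDM performs, the behaviour described in the Note at the start of this section (a reported maximum that is the sum of each Guard's own maximum, so it can exceed the rate the zone ever saw at one time), and the traffic-flow guidelines above, to constructed Guard samples. Guard hostnames, rates and polling intervals are constructed sample values.

```python
"""Added example: applying this chapter's counter rules to constructed Guard samples.

Not MDM code. Guard hostnames, rates and polling intervals below are constructed
sample values; counter names follow Table 11-2 and the zone counter list above.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    """One polling interval of counter rates (pps) reported by one zone Guard."""
    guard: str                # Guard hostname (constructed)
    t: int                    # polling interval index
    legitimate: int           # packets forwarded to the zone
    dropped: int              # packets identified as malicious and dropped
    spoofed: int              # bounced packets that were never answered (includes zombies)
    master_received: int = 0  # only meaningful when the master device is a Detector

    @property
    def malicious(self) -> int:
        # Malicious = Dropped + Spoofed (Table 11-2)
        return self.dropped + self.spoofed

    @property
    def received(self) -> int:
        # Received = Legitimate + Malicious (Table 11-2)
        return self.legitimate + self.malicious


def aggregate(samples: List[Sample], counter: str) -> List[int]:
    """Sum one counter over all Guards per interval, as the MDM's aggregated zone view does."""
    totals: Dict[int, int] = {}
    for s in samples:
        totals[s.t] = totals.get(s.t, 0) + getattr(s, counter)
    return [totals[t] for t in sorted(totals)]


def reported_max(samples: List[Sample], counter: str) -> int:
    """Max as the zone attack reports show it: the sum of each Guard's own maximum."""
    per_guard: Dict[str, int] = {}
    for s in samples:
        per_guard[s.guard] = max(per_guard.get(s.guard, 0), getattr(s, counter))
    return sum(per_guard.values())


def true_max(samples: List[Sample], counter: str) -> int:
    """Highest aggregated rate the zone actually saw in any single interval (<= reported_max)."""
    return max(aggregate(samples, counter))


# Findings returned by diagnose(); the text mirrors the guidelines in this section.
NO_TRAFFIC = "Received = 0 with Protect active: look for a traffic diversion problem"
ALL_DROPPED = "Rcv > 0, Legitimate = 0 over the period: check for a drop-action dynamic filter"
UNDER_ATTACK = "Malicious > 0: zone under attack; confirm on the Zone Status screen that dynamic filters exist"
MASTER_IDLE = "Master Received = 0: the Detector master device is not processing traffic"
HEALTHY = "Guards receive and forward traffic; no anomaly indicated by the counters"


def diagnose(samples: List[Sample], protect_active: bool = True,
             detector_master: bool = False) -> List[str]:
    """Apply the traffic-flow guidelines to the aggregated counter rates."""
    received = aggregate(samples, "received")
    legitimate = aggregate(samples, "legitimate")
    malicious = aggregate(samples, "malicious")
    findings = []
    if protect_active and all(r == 0 for r in received):
        findings.append(NO_TRAFFIC)
    # Figure 11-3 case: Guards see traffic but forward none of it over the whole period
    if all(r > 0 for r in received) and all(x == 0 for x in legitimate):
        findings.append(ALL_DROPPED)
    if any(m > 0 for m in malicious):
        findings.append(UNDER_ATTACK)
    if detector_master and all(s.master_received == 0 for s in samples):
        findings.append(MASTER_IDLE)
    return findings or [HEALTHY]


# Constructed samples: two Guards whose malicious peaks fall in different intervals.
ATTACK_SAMPLES = [
    Sample("guard-1", 0, 100, 0, 0),
    Sample("guard-1", 1, 100, 500, 50),
    Sample("guard-1", 2, 100, 50, 0),
    Sample("guard-2", 0, 80, 300, 20),
    Sample("guard-2", 1, 80, 0, 0),
    Sample("guard-2", 2, 80, 10, 0),
]
# Constructed: a single Guard that drops everything it receives (false-positive pattern).
FALSE_POSITIVE_SAMPLES = [Sample("guard-1", t, 0, 200, 0) for t in range(3)]
# Constructed: Protect is active but nothing is diverted to the Guard.
DIVERSION_SAMPLES = [Sample("guard-1", t, 0, 0, 0) for t in range(3)]

if __name__ == "__main__":
    print("reported max malicious:", reported_max(ATTACK_SAMPLES, "malicious"))  # 870
    print("true max malicious:    ", true_max(ATTACK_SAMPLES, "malicious"))      # 550
    for name, data in [("attack", ATTACK_SAMPLES), ("false positive", FALSE_POSITIVE_SAMPLES),
                       ("diversion", DIVERSION_SAMPLES)]:
        print(name, "->", diagnose(data))
```

With the constructed samples, the report-style maximum (870 pps) exceeds the largest rate the zone saw in any one interval (550 pps) because the two Guards peaked in different intervals, which is exactly the over-statement the Note warns about.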
Clearing the Zone Counters
You can clear the zone counters if you are going to perform testing and want to be sure that the counter rates include information from the testing session only.
To clear the zone counters, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.
Step 3
Click Clear Counters. The MDM clears the current zone counters display.
Displaying the Device Status and Device-Specific Counter Information
While the zone status page provides an aggregated view of the zone device counters, you can view a detailed look at the status and counter information associated with each zone device.
To display device-specific counter information, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Configuration > General. The General Configuration screen appears.
Step 3
Scroll down to the Device List table to display the status and counter information for each zone device (see Table 11-6).
Table 11-6 describes the fields of the Device List table.
Table 11-6 Field Descriptions for the Device List Table
Field | Description
Hostname | Hostname of the zone device.
Type | Device type (Detector or Guard).
State | Connection status between the MDM and the device. The connection status is one of the following states: Connected—The MDM can communicate with the device. Disconnected—The MDM cannot communicate with the device, because you suspended communication with the device, the MDM is currently initializing the device, or a communication failure exists in the network. To troubleshoot this problem, open the MDM device list (Main > Devices List) from the Network Summary menu to display more detailed connection status information (see the "Adding a Device to the MDM Device List" section in Chapter 3, "Managing Devices on the MDM Network").
#DF | Number of dynamic filters that the device created and are currently active. Because the device creates a dynamic filter only when it detects an anomaly, a #DF value greater than zero indicates that the device is currently handling an attack on the zone.
#PF | Number of pending dynamic filters that the device has queued and is waiting for your input. The number of pending dynamic filters is greater than 1 when the zone is operating in interactive protect mode and there are new recommendations.
Legitimate Rate | Current rate of legitimate traffic (in bps) forwarded by the device to the zones.
Malicious Rate | Current rate of malicious traffic (in bps) that the device is handling.
Displaying the Zone Event Log
The MDM automatically logs system activity and events that occur across all of the zone devices. You can display the MDM logs to review and track the zone activity.
Table 11-7 describes the zone event severity levels.
Table 11-7 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To display the contents of the zone event log, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Event log. The zone Events screen appears.
Step 3
(Optional) Control which events display in the events table by using one of the following methods, and then click Filter Events:
•
Show all Events—Displays the events of each severity level.
•
Show events with severity level—Displays only the events of the severity levels that you choose (see Table 11-7).
The MDM updates the events table.
Displaying the Zone Attacks Summary Report
The MDM provides a high-level summary report of the attacks for each zone. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. When you request the attack summary report, the MDM creates the report from attack information that it gathers from the zone devices. The report provides information about the total number and intensity of the attacks with a short summary for each attack. The MDM also presents the attack data in a graph format.
To display the zone attacks summary report, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks summary screen appears. By default, the report displays attack information for the last month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then choose a date from the calendar popup.
The Attack Summary Report screen contains the following areas:
•
Protection Graph—Provides a graphical summary of the attacks during the period of time that you defined (see Figure 11-4).
Figure 11-4 Zone Protection Summary Report—Protection Graph
The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate displays.
To display the attack details, click the attack bar in the graph to open the attack report (see the "Displaying Details of an Attack Report" section).
•
Total Attacks Statistics table—Provides information about the number of attacks on the zone and the aggregated attack details during the period of time that you defined.
Table 11-8 describes the fields in the Total Attack Statistics table.
Table 11-8 Field Descriptions for Total Attack Statistics Table
Field | Description
Attacks Mitigated | Number of attacks mitigated.
Attacks Duration | Aggregated duration of the mitigated attacks.
Max. Traffic Rate | Estimated maximum rate of malicious traffic destined to the zone.
Total Rx | Total amount of traffic that the Guards received that was destined to the zone.
Total Blocked | Total amount of traffic destined to the zone that the Guards dropped.
Legitimate vs. Malicious Traffic | Pie chart display of the percentage of the malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total zone traffic.
•
Per Attack Summary Table—Provides a table with a list of the DDoS attacks on the zone during the period of time that you defined. You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting Attack Reports" section) or export the contents of an attack report (see the "Exporting Zone Attack Reports" section).
To display attack details, click in any of the rows of the Per Attack Summary table (see the "Displaying Details of an Attack Report" section).
Table 11-9 describes the fields in the columns of the Per Attack Summary table.
Table 11-9 Field Descriptions for the Per Attack Summary Report
Field
|
Description
|
#
|
Identification number (ID) that the device assigns to the mitigated attack. The MDM displays a value of Curr for an ongoing attack.
|
Device Name
|
Name that you assigned to the device using the CLI.
|
Start time
|
Date and time of the mitigated attack.
|
Duration
|
Duration of the mitigated attack in hours, minutes, and seconds.
|
Type
|
Type of mitigated attack. Possible values are as follows:
• Client Attack—All nonspoofed traffic anomalies.
• Malformed Packets—All traffic anomalies identified as consisting of maliciously malformed packets.
• Spoofed—Traffic anomalies identified as a DDoS attack from a spoofed source.
• User Defined—All anomalies handled by the user filters. These values can either function by default or be user configured.
• Zombie—Traffic anomalies identified as having originated by zombies.
• Hybrid—An attack made up of several attacks with different characteristics.
• Traffic Anomaly—An anomaly that was only detected for a short period of time and did not require mitigation.
|
Peak (pps)
|
Estimated maximum attack rate measured in packets per second.
|
Received Pkts
|
Total number of packets destined to the zone that were handled by the Guards during the attack.
|
Legitimate vs. Malicious Traffic
|
Pie chart that displays the percentage of malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total traffic during the attack.
|
•
Subzone Reports—Provides a list of subzones. Subzones are zones that a Guard creates to protect a partial zone (a zone that does not include the complete IP address range of the source zone). The Guard deletes the subzone when protection for the subzone ends. To display the attack reports of the subzone, click the subzone name. For more information about subzones, see the "Understanding Subzones Created by the Guard" section on page 10-3.
Displaying Details of an Attack Report
The MDM allows you to display details of an attack report. The MDM begins generating the attack report when there are indications of an attack, such as the existence of malicious traffic counter rates or the production of the first dynamic filters. The report ends when zone protection is terminated by a user decision or by the action of a timeout parameter.
The MDM gathers the attack information from the zone devices and organizes the data into categories. You can display the details of past and current attacks.
This section contains the following topics:
•
Displaying Report Details of a Past Attack
•
Displaying Details of a Current Attack
Displaying Report Details of a Past Attack
To display the report details of a past zone attack, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears, displaying attack information for the past month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then choose a date from the calendar popup.
Step 4
Display details of the attack report by using one of the following methods:
•
Click the attack bar in the Protection Graph.
•
Click any of the fields for the attack listed in the Per Attack Summary table.
Displaying Details of a Current Attack
When an attack on a zone is in progress, the MDM displays a Report function button on the zone's status screen.
To view the current attack report of a zone, follow these steps:
Step 1
Choose a zone under attack from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Use one of the following methods to display the report of the current attack on the zone:
•
On the zone status screen, click Report.
•
Choose Diagnostics > Attack Reports > Attack Summary from the zone menu, and then click any of the fields of the attack in progress in the Per Attack Summary table. The MDM displays a value of Curr for the identification number (#) of an ongoing attack.
Understanding Attack Report Details
This section contains the following topics:
•
General Attack Information
•
Attack Statistics
•
Dropped/Bounced Packets
•
Detected Anomalies
•
Displaying Details of Detected Anomalies
•
Mitigated Attacks
•
Displaying Mitigated Attack Details
•
HTTP Detected Zombies
General Attack Information
The first section of the attack report provides information about the timing of the attack, which includes when the attack started, when it ended, and how long it lasted.
To display additional report details, click i or Show details for all events.
All counters are integers except for the rate. You can select the statistics unit of measurement from the general attack information area of the screen.
To change the statistic unit of measurement, choose the desired units to use from the Statistics units drop-down list and then click Set units. The MDM updates the display.
Attack Statistics
The attack statistics table provides information about the following packet types:
•
Received—Traffic received by the Guards destined to the zone.
•
Forwarded—Legitimate traffic that the Guards forwarded to the zone.
•
Replied—Traffic sent to the client as part of the Guards antispoofing and antizombie features.
•
Dropped—Total number of packets destined to the zone and dropped by the Guards.
Table 11-10 describes the information for each packet type.
Table 11-10 Attack Statistics
Field | Description
Total | Total number of packets in the category.
Estimated Max Rate | Estimated maximum packet rate that was measured by the devices.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the received packets.
The traffic rate is displayed in the units that you selected from the drop-down list in the "General Attack Information" section.
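The fields in Table 11-10 are aggregates over every Guard protecting the zone. The following added example (not code from the MDM or the user guide) computes Total, Estimated Max Rate, Average Rate and % from constructed per-device polling samples; the record layout, the polling-interval model and the way the maximum is estimated (sum all devices per interval, then take the largest interval) are assumptions about how such aggregation is done, not a description of the MDM's own method.

```python
"""Added example (not from the MDM user guide): aggregate per-device packet
samples into the Total / Estimated Max Rate / Average Rate / % fields of the
Attack Statistics table.  Sample layout and all numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List

CATEGORIES = ("received", "forwarded", "replied", "dropped")


@dataclass(frozen=True)
class Sample:
    """Packets counted by one Guard over one polling interval (constructed)."""
    device: str
    interval: int           # polling interval index, same clock on every Guard
    seconds: int            # length of the interval in seconds
    counts: Dict[str, int]  # packets per category during that interval


def per_interval_totals(samples: List[Sample]) -> Dict[int, Dict[str, int]]:
    """Sum all devices' counts for each interval.  Peaks seen by different
    Guards at different times must not be added together, so aggregation
    happens per interval first."""
    totals: Dict[int, Dict[str, int]] = {}
    for s in samples:
        bucket = totals.setdefault(
            s.interval, {"seconds": s.seconds, **{c: 0 for c in CATEGORIES}})
        for c in CATEGORIES:
            bucket[c] += s.counts.get(c, 0)
    return totals


def attack_statistics(samples: List[Sample]) -> Dict[str, Dict[str, float]]:
    """Build the four Table 11-10 fields for each packet category."""
    totals = per_interval_totals(samples)
    duration = sum(b["seconds"] for b in totals.values())
    stats: Dict[str, Dict[str, float]] = {}
    for c in CATEGORIES:
        total = sum(b[c] for b in totals.values())
        est_max = max(b[c] / b["seconds"] for b in totals.values())
        stats[c] = {"total": total,
                    "est_max_rate_pps": est_max,
                    "avg_rate_pps": total / duration}
    received = stats["received"]["total"]
    for c in CATEGORIES:  # % column: share of the received packets
        stats[c]["pct"] = round(stats[c]["total"] * 100.0 / received, 1) if received else 0.0
    return stats


def naive_sum_of_device_peaks(samples: List[Sample], category: str = "dropped") -> float:
    """Adding each Guard's own peak rate (tempting when reading per-device
    reports) overstates the zone-wide Estimated Max Rate whenever the peaks
    did not coincide in time."""
    peaks: Dict[str, float] = {}
    for s in samples:
        rate = s.counts.get(category, 0) / s.seconds
        peaks[s.device] = max(peaks.get(s.device, 0.0), rate)
    return sum(peaks.values())


# Constructed samples: two Guards, three 10-second intervals; forwarded + dropped = received.
SAMPLES = [
    Sample("guard-a", 0, 10, {"received": 20000, "forwarded": 15000, "replied": 2000, "dropped": 5000}),
    Sample("guard-a", 1, 10, {"received": 50000, "forwarded": 10000, "replied": 5000, "dropped": 40000}),
    Sample("guard-a", 2, 10, {"received": 10000, "forwarded": 9000, "replied": 500, "dropped": 1000}),
    Sample("guard-b", 0, 10, {"received": 10000, "forwarded": 9000, "replied": 500, "dropped": 1000}),
    Sample("guard-b", 1, 10, {"received": 15000, "forwarded": 12000, "replied": 1000, "dropped": 3000}),
    Sample("guard-b", 2, 10, {"received": 60000, "forwarded": 10000, "replied": 6000, "dropped": 50000}),
]

if __name__ == "__main__":
    for category, fields in attack_statistics(SAMPLES).items():
        print(f"{category:<10} total={fields['total']:>7} max={fields['est_max_rate_pps']:>7.0f} pps "
              f"avg={fields['avg_rate_pps']:>7.0f} pps {fields['pct']:>5}%")
    print("sum of per-device dropped peaks:", naive_sum_of_device_peaks(SAMPLES), "pps")
```

With these samples the zone-wide dropped peak is 5100 pps, while adding the two Guards' individual peaks gives 9000 pps.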
Dropped/Bounced Packets
The Dropped/Bounced table provides statistics for packets that the Guards identified as malicious traffic and dropped or replied (bounced). The packets are classified based on the Guard function that identified them.
The Guard function, which displays in the rows of the table, can be one of the following:
•
Rate Limiter—Packets dropped by the rate limiter of the zone or by user filters for which a rate limit was configured. See the "Creating a Zone Using a Zone Template" section on page 5-3 for information on configuring the rate limiter.
•
Flex-content filter—Packets dropped by the flex-content filter. See the "Managing a Flex-Content Filter" section on page 6-2 for information on using the Flex-content filter.
•
User filter—Packets dropped by the user filters. See the "Managing a User Filter" section on page 6-14 for information on using user filters.
•
Dynamic filter—Packets dropped by the dynamic filters. See the "Managing a Dynamic Filter" section on page 10-8 for information on using dynamic filters.
•
Spoofed—Packets that were identified by the Guards as spoofed packets or packets originated by zombies and not forwarded to the zone. Spoofed packets are packets to which no replies were received.
•
Malformed—Packets destined to the zone and dropped because the Guards determined them to be malformed.
Table 11-11 describes the information that is available for each type of packet.
Table 11-11 Field Descriptions for Dropped/Bounced Packets
Field | Description
Total | Total number of dropped/bounced packets.
Estimated Max Rate | Estimated maximum packet rate measured by the devices.
Average Rate | Average packet rate.
% | Number of packets as a percentage of the total dropped/bounced packets.
The traffic rate displays in the units that were selected from the drop-down list in the "General Attack Information" section.
Detected Anomalies
The Detected Anomalies table provides details of the anomalies that the Guards detected in the zone traffic. The Guards classify the traffic as being an anomaly when the traffic requires the production of a dynamic filter. Traffic anomalies can occur infrequently or can turn into systematic DDoS attacks. A Guard clusters anomalies with the same type and flow parameters (such as a source IP address or destination port) under one anomaly type.
Table 11-12 describes the information that displays for each anomaly.
Table 11-12 Field Descriptions for Detected Anomalies Table
Field
|
Description
|
#
|
Identification number (ID) that a Guard assigned to the detected anomaly.
|
Start time
|
Date and time that the anomaly was detected.
|
Duration
|
Duration of the anomaly in hours, minutes, and seconds.
|
Type
|
Type of the detected anomaly. Possible values are as follows:
• Tcp_connections—Detected flow with an unusual number of TCP concurrent connections, with or without data.
• HTTP—Unusual HTTP traffic flow.
• Tcp incoming—Detected flow that attacks a TCP service when the zone is a server.
• Tcp outgoing—Detected attack flow in which the client appears to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.
• Unauthenticated tcp—Detected flow that the Guard antispoofing functions have not succeeded in authenticating. For example, ACK flood, FIN flood, or any other flood of unauthenticated packets.
• DNS (UDP)—Attacking DNS-UDP protocol flow.
• DNS (TCP)—Attacking DNS-TCP protocol flow.
• UDP—Attacking UDP protocol flow.
• Non tcp/udp protocols—Non-TCP/UDP attacking protocol flow.
• Fragments—Detected flow with an unusual amount of fragmented traffic.
• TCP ratio—Detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets versus FIN/RST packets).
• IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
• port scan—Detected flow initiated from a source IP address that tried to access many zone ports.
• user detected—Anomaly flow detected by user definitions.
• SIP (UDP)—Detected VoIP anomaly flow using SIP over UDP to establish the VoIP sessions.
|
Devices
|
Name that you assigned to the device using the CLI.
|
Max. Triggering rate
|
Estimated maximum anomaly traffic rate that exceeded a policy threshold.
|
% Threshold
|
Percentage by which the triggering rate is above the policy threshold.
|
Anomaly Flow
|
Anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet type.
If the anomaly flow is on a specific port, it is displayed as dst=ip address:port
|
Details
|
Status of whether additional information can be viewed for this filter. Click i for additional information (see the "Displaying Details of Detected Anomalies" section).
|
An asterisk (*), which is used as a wildcard, for one of the parameters indicates one of the following:
•
The value is undetermined.
•
More than one value was measured for the anomaly parameter.
A number sign (#), followed by a number, for any of the parameters indicates the number of values measured for that parameter.
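The clustering of dynamic filters into one anomaly row, with the asterisk, number-sign and dst=ip address:port notation described above, can be reproduced from per-device filter records. The following added example is not code from the MDM or the user guide; the record layout, the choice of anomaly type plus destination IP as the clustering key, the reading of "*" as undetermined and "#N" as N distinct values, and all sample values are assumptions made for the example.

```python
"""Added example (not from the MDM user guide): build Detected Anomalies
rows from per-device dynamic filter records, rendering the '*' and '#N'
notation and the dst=ip:port form described above.  The record layout,
the clustering key and all sample values are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class DynamicFilter:
    """One dynamic filter as a Guard might report it (constructed layout)."""
    device: str
    anomaly_type: str          # e.g. "HTTP", "UDP", "Tcp incoming"
    proto: int
    src_ip: Optional[str]
    src_port: Optional[int]    # None = undetermined
    dst_ip: str
    dst_port: Optional[int]
    thresh_pps: int            # policy threshold that was exceeded
    triggered_pps: int         # anomaly rate that crossed the threshold


def summarise(values: Iterable) -> str:
    """Render one flow parameter: the value itself when every filter in the
    cluster agrees, '*' when any value is undetermined, otherwise '#N' with
    N the number of distinct values measured (this reading of the two
    notations is an assumption)."""
    distinct = set(values)
    if None in distinct:
        return "*"
    if len(distinct) == 1:
        return str(next(iter(distinct)))
    return f"#{len(distinct)}"


def pct_over_threshold(triggered: int, thresh: int) -> float:
    """% Threshold: percentage by which the triggering rate is above the policy threshold."""
    return round((triggered - thresh) * 100.0 / thresh, 1)


def cluster_anomalies(filters: List[DynamicFilter]) -> List[dict]:
    """Group filters that share anomaly type and destination IP (assumed
    clustering key) and produce one table row per cluster."""
    groups = defaultdict(list)
    for f in filters:
        groups[(f.anomaly_type, f.dst_ip)].append(f)
    rows = []
    for (atype, dst_ip), members in sorted(groups.items()):
        peak = max(members, key=lambda m: m.triggered_pps)
        src = f"{summarise(m.src_ip for m in members)}:{summarise(m.src_port for m in members)}"
        dst_port = summarise(m.dst_port for m in members)
        flow = f"prot={summarise(m.proto for m in members)} src={src} dst={dst_ip}"
        if dst_port[0] not in "*#":        # a specific port is shown as dst=ip:port
            flow += f":{dst_port}"
        rows.append({
            "type": atype,
            "devices": sorted({m.device for m in members}),
            "filters": len(members),
            "max_triggering_rate": peak.triggered_pps,
            "pct_threshold": pct_over_threshold(peak.triggered_pps, peak.thresh_pps),
            "anomaly_flow": flow,
        })
    return rows


# Constructed sample: three HTTP filters against one web address on two Guards,
# plus one UDP filter whose ports were not determined.
SAMPLE_FILTERS = [
    DynamicFilter("guard-a", "HTTP", 6, "198.51.100.7", 40001, "203.0.113.10", 80, 1000, 4500),
    DynamicFilter("guard-b", "HTTP", 6, "198.51.100.7", 40002, "203.0.113.10", 80, 1000, 3000),
    DynamicFilter("guard-a", "HTTP", 6, "198.51.100.9", 40003, "203.0.113.10", 80, 1000, 1500),
    DynamicFilter("guard-a", "UDP", 17, "192.0.2.33", None, "203.0.113.53", None, 500, 800),
]

if __name__ == "__main__":
    for row in cluster_anomalies(SAMPLE_FILTERS):
        print(row)
```

The HTTP cluster renders as prot=6 src=#2:#3 dst=203.0.113.10:80 with 350.0 in the % Threshold column; the UDP cluster shows "*" for its ports and omits the dst port.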
Displaying Details of Detected Anomalies
The Detected Anomalies Details table provides additional information about the dynamic filters that are associated with the detected anomaly.
To display the Detected Anomalies Details table, click i in the details column for the filter in the Detected Anomalies table.
Table 11-13 describes the detailed anomaly information that the MDM provides.
Table 11-13 Field Descriptions for Detected Anomalies Details Table
Field
|
Description
|
Start time
|
Date and time that the anomaly was detected.
|
End time
|
Expiration date and time of the dynamic filter.
|
Rate (pps)
|
Rate measured in packets per second:
• Thresh—Policy threshold that was exceeded by the detected anomaly.
• Triggered—Anomaly traffic rate that exceeded a policy threshold.
|
Device
|
Name that you assigned to the device using the CLI.
|
Detected flow
|
Information on the detected attack flow that caused the production of the dynamic filter:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
• Type—Detected anomaly type
|
Action flow
|
Information on the action flow that was addressed by the dynamic filter. The action flow can have a wider range than the detected flow. The action flow may indicate all source ports for the specified source IP address. The columns represent the dynamic filter traffic data:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
|
Mitigated Attacks
The Mitigated Attacks table provides the actions that the Guards took to protect the zone and the mitigated attacks that proved to be a hazard for the zone. The attacks are described in the Detected Anomalies table. The MDM groups mitigation actions with the same types and flow parameters and displays them in the table.
Table 11-14 describes the fields of the Mitigated Attacks table.
Table 11-14 Field Descriptions for Mitigated Attacks Table
Field
|
Description
|
#
|
Identification number that a Guard assigned to the mitigated attack.
|
Start time
|
Date and time of the mitigated attack.
|
Duration
|
Duration of the mitigated attack in hours, minutes, and seconds.
|
Attack Type
|
Type of the mitigated attack. Possible values are as follows:
• Spoofed—Traffic anomalies identified as a DDoS attack from a spoofed IP source.
• Client Attack—Traffic anomalies identified as a DDoS attack from an unauthenticated source IP address.
• User Defined—DDoS attacks identified by user-defined filters, such as anomalies handled by the user filters. See the "Managing a User Filter" section on page 6-14 for information on using user filters.
• Zombie—Traffic anomalies identified as a DDoS attack originated by zombies.
• Malformed Packets—Traffic anomalies identified as a DDoS attack that consists of maliciously malformed packets.
The protection level (Basic or Strong) is shown in brackets.
|
Device
|
Name that you assigned to the device using the CLI.
|
Max. Triggering rate
|
Estimated maximum traffic rate of the mitigated attack. The triggering rate applies only for client attacks or user-defined attacks. It does not apply for spoofed or malformed attacks.
|
% Threshold
|
Mitigated attack rate as a percentage of the policy threshold.
|
Anomaly Flow
|
Traffic flow of the anomaly that was mitigated. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet types.
|
Action flow
|
Traffic characteristics of the flow after the Guard mitigated the attack. The parameters of the common flow characteristics are displayed.
|
Dropped
|
Traffic that was dropped during the attack mitigation.
|
Details
|
Status of whether additional information can be displayed for this filter. Click i for additional information (see the "Displaying Mitigated Attack Details" section).
|
An asterisk (*), which is used as a wildcard, for one of the parameters indicates one of the following:
•
The value is undetermined.
•
More than one value was measured for the anomaly parameter.
A number sign (#), followed by a number, for any of the parameters indicates the number of values measured for that parameter.
Displaying Mitigated Attack Details
The Mitigated Attack Details table provides additional information on the functions that the Guards used to mitigate the attack. To display the Mitigated Attack Details table, click i in the details column for the filter in the Mitigated Attacks table.
Table 11-15 describes the information that the MDM displays in the Detailed Mitigated Attack table.
Table 11-15 Field Descriptions for Detailed Mitigated Attack Table
Field
|
Description
|
Start time
|
Date and time of the mitigated attack.
|
End time
|
Expiration date and time of the dynamic filter that was activated.
|
Rate (pps)
|
Rate measured in packets per second:
• Thresh—Indicates the policy threshold that was exceeded by the mitigated attack.
• Triggered—Indicates the anomaly traffic rate that exceeded a policy threshold.
|
Device
|
Name that you assigned to the device using the CLI.
|
Count
|
Number of packets that were handled by the dynamic filter.
|
Detected flow
|
Information on the detected flow that was mitigated:
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
• Type—Detected anomaly type
|
Action flow
|
Information on the action flow that was addressed by the mitigation function. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific destination port for a specific destination IP address, and the action flow could indicate all destination ports for the specific destination IP address. The columns represent the dynamic filter traffic data.
• Prot.—Protocol number
• Src IP—Source IP address
• Src Port—Source port number
• Dst IP—Destination IP address
• Dst Port—Destination port number
• frag.—Fragmentation characteristics
|
HTTP Detected Zombies
An indication that an HTTP zombie attack has been detected appears in the General Attack Information area. To display the list of detected HTTP zombies, click i or Show HTTP detected zombies. See the "Displaying the HTTP Zombies List" section for information on this type of traffic anomaly.
Exporting Zone Attack Reports
The MDM supports FTP (File Transfer Protocol), SFTP (Secure FTP), and SCP (Secure Copy) for transferring files between the MDM server and your remote server. If you plan to export the attack report to a remote server using SFTP or SCP, you must have the required Secure Shell (SSH) keys loaded on both servers before you perform the following procedure. These keys enable the two servers to establish a secure channel between them. For information on setting up both servers with the required SSH keys, see the "Preparing to Use SFTP or SCP for Exporting MDM Files" section on page 2-8.
You can export attack reports from the MDM server with these two methods:
•
Zone menu method—Use this method to export all of the available zone attack reports.
•
Attack Summary screen method—Use this method to select specific reports to export.
This section contains the following topics:
•
Using the Attack Summary Screen Method for Exporting Attack Reports
•
Using the Zone Menu Method for Exporting Attack Reports
Using the Attack Summary Screen Method for Exporting Attack Reports
You can use the Attack Summary screen method to export specified reports.
To export the attack reports of a zone to a remote server from the Attack Summary screen, follow these steps:
Step 1
Select a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks summary screen appears.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then select a date from the calendar pop-up.
Step 4
From the Per Attack Summary table at the bottom of the screen, check the check box next to the attack reports that you want to export. To choose all of the reports listed in the table, check the check box in the table header next to the number symbol (#).
Step 5
Click Export. The Select File Server Parameters screen opens.
Step 6
Select and define the remote server to use:
•
Use automatic export file server definitions—Exports the attack reports to the remote servers that you defined in the device configuration using the CLI export reports command.
•
Use the following server definition—Exports the attack reports to the remote server that you define. Enter the following network server information:
–
Transfer method—Select one of the following transfer protocols to use: FTP, SFTP, or SCP.
–
Address—IP address of the remote server.
–
Path—Full pathname. If you do not specify a path, the server saves the files in your home directory.
–
Username—Network server login name. The username argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
–
Password—(Optional) Password for the remote FTP server. If you enter a username but do not enter a password, the MDM prompts you for the password.
Step 7
Click OK. The MDM exports the selected attack reports to the remote server.
Using the Zone Menu Method for Exporting Attack Reports
You can use the Zone Menu method to export all available zone attack reports.
To export the attack reports of a zone to a remote server using the zone menu option, follow these steps:
Step 1
Select a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Export Definitions. The Select File Server Parameters screen opens.
Step 3
Choose and define the remote server to use:
•
Use automatic export file server definitions—Exports the attack reports to the remote servers that you defined in the device configuration using the CLI export reports command.
•
Use the following server definition—Exports the attack reports to the remote server that you define. Enter the following network server information:
–
Transfer method—Select one of the following transfer protocols to use: FTP, SFTP, or SCP.
–
Address—IP address of the remote server.
–
Path—Full pathname. If you do not specify a path, the server saves the files in your home directory.
–
Username—Network server login name. The username argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
–
Password—(Optional) Password for the remote FTP server. If you enter a user name but do not enter a password, the MDM prompts you for the password.
Step 4
Click OK. When the MDM creates a zone attack report, it exports the report to the remote server.
Deleting Attack Reports
When you use the MDM to delete an attack report, you delete the attack report that the MDM created from the information that it collected from the various attack reports on each of the devices. The attack reports on the devices remain with the devices after you delete the MDM report.
To delete attack reports, follow these steps:
Step 1
Select a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks summary screen appears.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then select a date from the calendar pop-up.
Step 4
From the Per Attack Summary table, check the check box next to the attack reports that you want to delete. To choose all of the reports listed in the table, check the check box in the table header next to the number symbol (#).
Step 5
Click Delete. The MDM deletes the selected attack reports.
Displaying the HTTP Zombies List
The HTTP Zombies list enables you to analyze the zone traffic and display the list of current zombies that initiated the attack. You can then take action against the zombies. (To display the list of zombies associated with a historical attack report, open the report and click ! Show HTTP detected zombies.)
To display the list of HTTP Zombies, follow these steps:
Step 1
Select a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > HTTP Zombies. The Zombie List screen appears.
Table 11-16 describes the information that the MDM displays in the HTTP Zombies table of the Zombie List screen.
Table 11-16 Field Descriptions for HTTP Zombies
Field | Description
Device Name | Name that you assigned to the device using the CLI.
IP | Zombie IP address.
Start Time | Date and time that the zombie connection was first identified.
Duration | Duration of the zombie attack.
get Requests | Number of HTTP GET requests sent by the zombie.
Displaying the Drop Statistics Table
The drop statistics table enables you to display the distribution of dropped packets for an ongoing attack by rate and counter. The rate and counter values are aggregated values based on the information that the MDM collected from all of the zone Guards.
To display the drop statistics table, follow these steps:
Step 1
Select a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Drop Statistics. The Drop Statistics screen appears.
Step 3
(Optional) Change the unit of measurement for the statistics displayed by selecting the desired unit of measurement from the drop-down list and click Set units.
The dropped packets appear in two tables based on the type of packets. Table 11-17 describes the contents of the Drop Statistics table and Table 11-18 describes the contents of the Spoofed Statistics table.
Table 11-17 Drop Statistics
Type | Description
Total dropped | Total amount of dropped traffic.
Dynamic filters | Amount of traffic dropped by the dynamic filters.
User filters | Amount of traffic dropped by the user filters.
Flex filter | Amount of traffic dropped by the flex-content filters.
Rate limit | Packets dropped by the rate limit parameter of the user filters and by the zone rate limit.
Incoming TCP unauthenticated basic | Traffic that the TCP basic antispoofing functions could not authenticate and dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Incoming TCP unauthenticated-strong | Traffic that the TCP strong antispoofing functions dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Outgoing TCP unauthenticated | Zone-initiated connections that the TCP antispoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP unauthenticated-basic | UDP traffic that the basic antispoofing functions dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP unauthenticated-strong | UDP traffic that the strong antispoofing functions dropped because it could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Other protocols unauthenticated | Non-TCP and non-UDP traffic that the Guard antispoofing functions could not authenticate and dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
TCP fragments unauthenticated | TCP-fragmented packets that the Guard antispoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
UDP fragments unauthenticated | UDP-fragmented packets that the Guard antispoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
Other protocols fragments unauthenticated | Fragmented packets, other than TCP and UDP fragmented packets, that the Guard antispoofing functions dropped because they could not be authenticated. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
DNS malformed replies | Malformed DNS replies that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
DNS spoofed replies | DNS packets in response to zone-initiated connections that the Guard antispoofing functions dropped. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
DNS short queries | Short (malformed) DNS queries that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Non DNS packets to/from DNS port | Non-DNS traffic destined to a DNS port or sent from a DNS port that the Guard protection functions dropped. In the attack reports, these packets are counted under the malformed packets in the Malicious Packets Statistics table.
Bad packets to proxy addresses | Malformed traffic destined to the Guard proxy IP address that the Guard protection mechanisms dropped.
TCP anti-spoofing mechanisms related pkts | Number of packets dropped as a result of additional operations that the MDM TCP antispoofing functions performed. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
DNS anti-spoofing mechanisms related pkts | Number of packets dropped as a result of additional operations that the MDM DNS antispoofing functions performed. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
Anti-spoofing internal errors | Number of packets dropped because of errors in the MDM antispoofing functions. In the attack reports, these packets are counted under the Packets table.
|
Land attack
|
Number of packets dropped because they had identical source and destination IP addresses. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Malformed packets
|
Number of packets dropped due to a malformed header. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Malformed SIP packets
|
SIP-over-UDP packets that the Guard protection functions dropped because they were malformed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table.
|
SIP anti-spoofing features related pkts
|
Number of SIP-over-UDP packets that the MDM antispoofing functions identified as spoofed and subsequently dropped. In the attack reports, these packets are counted under the malformed packets in the Dropped/Replied Packets table.
|
Table 11-18 Spoofed Statistics

| Type | Description |
|---|---|
| Total spoofed | Total amount of spoofed traffic. |
| Spoofed incoming TCP basic | Traffic that the TCP basic antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed incoming TCP strong | Traffic that the TCP strong antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed outgoing TCP basic | Zone-initiated connection traffic that the TCP basic antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed outgoing TCP strong | Zone-initiated connection traffic that the TCP strong antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed incoming DNS | Traffic that the incoming DNS (queries) antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed outgoing DNS basic | Traffic that the outgoing DNS (replies) basic antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed outgoing DNS strong | Traffic that the outgoing DNS (replies) strong antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed zombie | Traffic that the zombie antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |
| Spoofed incoming SIP | Traffic that the incoming SIP-over-UDP antispoofing functions tried to authenticate but failed. In the attack reports, these packets are counted under the spoofed packets in the Dropped/Replied Packets table. |