The Anomaly configuration lets the user manage anomaly signatures, which define the traffic behaviors of known anomalies.
Equipped with an Intelligent Anomaly Traffic Detection (ATD) engine, the Ukrtelecom DDoS detector detects malicious traffic with a network-wide view and lets system operators locate the victims promptly and precisely. Detection is host-based: the system targets suspicious host IP addresses and collects and analyzes the anomaly traffic directed at them. The system supports the following anomaly detections:
TCP SYN Flooding: a large number of TCP SYN packets are sent to a single host.
IP Protocol Null: anomaly traffic is detected when the Protocol field of the IP header is 0.
TCP Flag Null or Misuse: TCP packets with no flags set (TCP Flag = 0), with illegal combinations such as SYN+FIN or SYN+RST, or with misused FIN, ACK or RST flags.
TCP Fragmentation: only the first fragment of a fragmented datagram carries the TCP header; the system uses this trait to detect an excess of TCP fragments.
UDP Fragmentation: only the first fragment of a fragmented datagram carries the UDP header; the system uses this trait to detect an excess of UDP fragments.
ICMP Misuse: ICMP packets are sent to a single host in numbers that exceed the configured threshold.
Land Attack: packets whose source IP address is forged to equal the destination IP address.
TCP RST Flooding: TCP RST packets are sent to a single host in numbers that exceed the configured threshold.
UDP Flooding: UDP packets are sent to a single host in numbers that exceed the configured threshold.
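The stateless signatures in the list above (IP Protocol Null, TCP Flag Null or Misuse, TCP and UDP Fragmentation, Land Attack) can each be decided from a single packet. The classifier below is an added example written for this page, not code from the Ukrtelecom detector or its ATD engine; the Packet fields, the signature names and the sample traffic are constructed for the example. The flood signatures are threshold-based and are handled separately under the baselines.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """Decoded packet fields this example needs (constructed for the example;
    a real detector would fill them from flow export or a packet capture)."""
    src: str
    dst: str
    proto: int            # IP Protocol field: 1 = ICMP, 6 = TCP, 17 = UDP, 0 = null
    frag_offset: int = 0  # > 0 marks a non-initial fragment, which carries no transport header
    tcp_flags: int = 0    # only meaningful for proto 6 with frag_offset == 0


def classify(pkt: Packet) -> List[str]:
    """Names of the per-packet signatures this packet matches.

    Only the stateless signatures are decided here. The flood signatures
    (SYN, RST, UDP, ICMP flooding) need per-host counts over time against a
    threshold, and misuse of a lone FIN, ACK or RST needs connection state,
    so neither is decided from one packet.
    """
    hits: List[str] = []
    if pkt.src == pkt.dst:
        hits.append("Land Attack")            # forged source equal to destination
    if pkt.proto == 0:
        hits.append("IP Protocol Null")
    if pkt.frag_offset > 0:
        # Non-initial fragments have no TCP/UDP header, so the protocol
        # number is the only thing left to classify them by.
        if pkt.proto == 6:
            hits.append("TCP Fragmentation")
        elif pkt.proto == 17:
            hits.append("UDP Fragmentation")
    elif pkt.proto == 6:
        flags = pkt.tcp_flags
        if flags == 0:
            hits.append("TCP Flag Null")
        elif (flags & SYN) and (flags & (FIN | RST)):
            # SYN+FIN and SYN+RST never occur in a legitimate handshake.
            hits.append("TCP Flag Misuse")
    return hits


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count how often each signature fired over a batch of packets."""
    counts: Counter = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return dict(counts)


# Constructed sample traffic toward a protected host 10.0.0.5.
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.5", 6, tcp_flags=SYN),        # ordinary SYN, no stateless hit
    Packet("198.51.100.7", "10.0.0.5", 6, tcp_flags=SYN | ACK),  # ordinary SYN/ACK
    Packet("10.0.0.5", "10.0.0.5", 6, tcp_flags=SYN),            # Land Attack
    Packet("203.0.113.9", "10.0.0.5", 0),                        # IP Protocol Null
    Packet("203.0.113.9", "10.0.0.5", 6, tcp_flags=0),           # TCP Flag Null
    Packet("203.0.113.9", "10.0.0.5", 6, tcp_flags=SYN | FIN),   # TCP Flag Misuse
    Packet("203.0.113.9", "10.0.0.5", 6, tcp_flags=SYN | RST),   # TCP Flag Misuse
    Packet("192.0.2.3", "10.0.0.5", 6, frag_offset=185),         # TCP Fragmentation
    Packet("192.0.2.3", "10.0.0.5", 17, frag_offset=185),        # UDP Fragmentation
    Packet("192.0.2.3", "10.0.0.5", 17, frag_offset=370),        # UDP Fragmentation
]

if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE).items()):
        print(f"{name:20s} {n}")
```

Note that a fragment is classified only by its protocol number: once the offset is non-zero there are no flags or ports to inspect, which is exactly why excess fragments are a signature of their own.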
All baseline configurations for the anomalies are listed in the window. The user can configure two sets of baselines for detecting DDoS attacks toward different target victims, Home victims and Non-home victims, and set parameters such as severity latency, recovery latency, status and event threshold. An anomaly baseline is a set of thresholds and parameters that trigger a traffic anomaly event. The user can build various baseline templates with different thresholds and apply the required traffic baselines to different anomaly signatures to detect traffic anomalies effectively.
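To show how the two baseline sets and their parameters interact on a threshold-based signature such as SYN flooding, here is an added example written for this page; it is not the detector's own code. The page does not define the parameters precisely, so the example assumes: event threshold is a packets-per-second rate at or above which a victim's traffic is anomalous, severity latency is how long the rate must stay anomalous before an event is raised, recovery latency is how long it must stay normal before the event is cleared, and status is whether the baseline is enabled. The home prefixes and the per-second samples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Baseline:
    """One anomaly baseline. Field meanings are this example's assumptions:
    event_threshold   packets per second at or above which the rate is anomalous
    severity_latency  seconds the rate must stay anomalous before an event is raised
    recovery_latency  seconds the rate must stay normal before the event is cleared
    enabled           the baseline's status
    """
    event_threshold: int
    severity_latency: int
    recovery_latency: int
    enabled: bool = True


@dataclass
class VictimState:
    above_since: Optional[int] = None  # first second the rate was anomalous
    below_since: Optional[int] = None  # first second the rate was normal again
    active: bool = False               # an anomaly event is currently open


class BaselineDetector:
    """Applies one baseline to Home victims and another to Non-home victims."""

    def __init__(self, home: Baseline, non_home: Baseline, home_prefixes: Iterable[str]):
        self.home = home
        self.non_home = non_home
        self.home_nets = [ipaddress.ip_network(p) for p in home_prefixes]
        self.state: Dict[str, VictimState] = {}

    def baseline_for(self, victim: str) -> Baseline:
        addr = ipaddress.ip_address(victim)
        return self.home if any(addr in net for net in self.home_nets) else self.non_home

    def observe(self, t: int, victim: str, pps: int) -> Optional[Tuple[str, str, int]]:
        """Feed one per-second sample for a victim; return an event if one fires."""
        bl = self.baseline_for(victim)
        if not bl.enabled:
            return None
        st = self.state.setdefault(victim, VictimState())
        if pps >= bl.event_threshold:
            st.below_since = None
            if st.above_since is None:
                st.above_since = t
            if not st.active and t - st.above_since >= bl.severity_latency:
                st.active = True
                return ("anomaly", victim, t)
        else:
            st.above_since = None
            if st.active:
                if st.below_since is None:
                    st.below_since = t
                if t - st.below_since >= bl.recovery_latency:
                    st.active = False
                    st.below_since = None
                    return ("recovery", victim, t)
        return None


def run(detector: BaselineDetector,
        samples: Iterable[Tuple[int, str, int]]) -> List[Tuple[str, str, int]]:
    """Replay (second, victim, packets-per-second) samples and collect the events."""
    events = []
    for t, victim, pps in samples:
        ev = detector.observe(t, victim, pps)
        if ev:
            events.append(ev)
    return events


# Constructed per-second SYN rates per victim; 10.0.0.0/24 is the home network.
SAMPLES = [
    (0, "10.0.0.5", 1500), (1, "10.0.0.5", 1500), (2, "10.0.0.5", 1500),
    (3, "10.0.0.5", 200), (4, "10.0.0.5", 200), (5, "10.0.0.5", 200), (6, "10.0.0.5", 200),
    (0, "203.0.113.9", 1500), (1, "203.0.113.9", 1500), (2, "203.0.113.9", 1500),
]


def demo() -> List[Tuple[str, str, int]]:
    det = BaselineDetector(
        home=Baseline(event_threshold=1000, severity_latency=2, recovery_latency=3),
        non_home=Baseline(event_threshold=5000, severity_latency=1, recovery_latency=1),
        home_prefixes=["10.0.0.0/24"],
    )
    return run(det, SAMPLES)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

With these settings the home victim 10.0.0.5 raises an anomaly at second 2 (the rate has been above 1000 pps for the 2-second severity latency) and recovers at second 6 (3 seconds below threshold). The same 1500 pps toward the non-home host 203.0.113.9 raises nothing because its baseline threshold is 5000 pps, which is the point of keeping separate baselines for the two victim classes.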
The user can configure anomaly Top-N reports with one or more Top-N keys specified. The anomaly Top-N report gives the user much more flexibility in defining the specific reports they need. The system provides the following pre-defined anomaly Top-N reports:
Source IP: Top-N ranking of the anomaly traffic by source IP address
Destination IP: Top-N ranking of the anomaly traffic by destination IP address
Source Protocol Port: Top-N ranking of the anomaly traffic by source protocol port
Destination Protocol Port: Top-N ranking of the anomaly traffic by destination protocol port
Protocol: Top-N ranking of the protocols associated with the anomaly traffic
TCP Flag: Top-N ranking of the TCP Flags associated with the anomaly traffic
Anomaly Device/Interface: Top-N ranking of the anomaly devices/interfaces associated with the anomaly traffic
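A Top-N report with more than one key ranks the anomaly traffic by the combination of those keys, for example destination IP together with destination port. The function below is an added example for this page, not the detector's reporting code; the record fields, the device and interface names and the anomaly records themselves are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed anomaly flow records; a real report reads them from the detector's anomaly store.
ANOMALY_RECORDS: List[Dict[str, object]] = [
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "src_port": 40001, "dst_port": 80,
     "proto": "TCP", "tcp_flags": "SYN", "device": "edge1", "interface": "Gi0/1",
     "packets": 5000, "bytes": 300000},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "src_port": 40002, "dst_port": 443,
     "proto": "TCP", "tcp_flags": "SYN", "device": "edge1", "interface": "Gi0/1",
     "packets": 3000, "bytes": 180000},
    {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "src_port": 53, "dst_port": 80,
     "proto": "UDP", "tcp_flags": "", "device": "edge2", "interface": "Gi0/2",
     "packets": 4000, "bytes": 4000000},
    {"src_ip": "192.0.2.3", "dst_ip": "10.0.0.6", "src_port": 0, "dst_port": 0,
     "proto": "ICMP", "tcp_flags": "", "device": "edge1", "interface": "Gi0/1",
     "packets": 2000, "bytes": 128000},
]


def top_n(records: Sequence[Dict[str, object]], keys: Sequence[str],
          n: int = 3, metric: str = "packets") -> List[Tuple[Tuple, int]]:
    """Rank anomaly traffic by a composite key built from one or more Top-N keys.

    keys   one or more record fields, e.g. ["src_ip"] or ["dst_ip", "dst_port"]
    metric the counter to rank by, "packets" or "bytes"
    """
    totals: Dict[Tuple, int] = defaultdict(int)
    for rec in records:
        totals[tuple(rec[k] for k in keys)] += int(rec[metric])  # type: ignore[call-overload]
    # Highest metric first; ties broken by key so the output is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("Top sources by packets:", top_n(ANOMALY_RECORDS, ["src_ip"]))
    print("Top dst IP/port by packets:", top_n(ANOMALY_RECORDS, ["dst_ip", "dst_port"]))
    print("Top sources by bytes:", top_n(ANOMALY_RECORDS, ["src_ip"], metric="bytes"))
    print("Top device/interface:", top_n(ANOMALY_RECORDS, ["device", "interface"]))
```

Ranking by packets and by bytes can disagree: in the constructed data the SYN source 198.51.100.7 leads by packet count while the UDP source 203.0.113.9 leads by bytes, so the metric chosen for a report changes which offender appears at the top.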