TCP / UDP Flood

L3 Networker

TCP / UDP Flood

Hi all,

I have set up a DoS rule from outside to my server zone.

Why can I sometimes see the attacker and victim IP and sometimes not?

 

L3 Networker
L7 Applicator

Re: TCP / UDP Flood

@s_quasar,

Depends heavily on what type of profile you have configured and what profile they actually hit; Classified will be able to provide you a source-ip because there is a sole address to give you, while Aggregate won't give you a source-ip because it accounts for anything connecting to that protected resource. 

L3 Networker

Re: TCP / UDP Flood

I supposed this. Maybe I can see the specific attacker and victim IPs because I previously activated a classified rule (now it is aggregate).

Seeing the IPs is very useful because I can check on other websites whether it is a bad or good IP.

Maybe I can use an aggregate rule as a test and then activate a classified rule again.

L7 Applicator

Re: TCP / UDP Flood

@s_quasar,

Remember that you can assign both an aggregate profile and a classified profile in the same DoS entry. If you are just working on building these out now, it might be best to follow this method:

  • Set Alarm connection rates about where you expect it to be
  • Set Activate Rate to an extremely high value (100,000)
  • Set Max Rate to an extremely high value (100,000)

You can play around with the alarm rate and watch the logs to see when you actually start getting alerts and start to narrow down what your Activate and Max rates should be under normal traffic loads. The only thing that you won't be able to really analyze like this is the max concurrent session limit, but that should be easily generated from your logs and your session table over a period of time.
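The difference between the two profile types discussed in this thread, and the baseline step of the tuning method above, can be worked through offline. This is an added example, not code from the thread or from the vendor; the record layout, addresses and thresholds are constructed, and the classified counter is assumed to be keyed on source IP.

```python
from collections import Counter

# Constructed sample: (epoch_second, source_ip, destination_ip), one tuple per
# new connection to a protected server. Not real firewall log output.
SAMPLE = (
    # one noisy source: 40 connections/second for 5 seconds
    [(1000 + s, "198.51.100.7", "10.0.0.5") for s in range(5) for _ in range(40)]
    # ten ordinary clients: 1 connection/second each
    + [(1000 + s, f"203.0.113.{i}", "10.0.0.5") for s in range(5) for i in range(1, 11)]
    # distributed burst: 60 different sources, 1 connection each, same second
    + [(1002, f"192.0.2.{i}", "10.0.0.5") for i in range(1, 61)]
)

def peak_cps(records, key):
    """Peak new connections per second for each counter bucket `key` defines."""
    per_second = Counter((key(r), r[0]) for r in records)
    peaks = {}
    for (bucket, _second), count in per_second.items():
        peaks[bucket] = max(peaks.get(bucket, 0), count)
    return peaks

def aggregate_peaks(records):
    # Aggregate: one counter per protected destination, all sources combined,
    # so there is no single source address to report.
    return peak_cps(records, key=lambda r: r[2])

def classified_peaks(records):
    # Classified (assumed source-IP keyed): one counter per source address.
    return peak_cps(records, key=lambda r: r[1])

def over_threshold(peaks, alarm_rate):
    """Buckets whose observed peak meets or exceeds a candidate alarm rate."""
    return sorted(b for b, n in peaks.items() if n >= alarm_rate)

if __name__ == "__main__":
    agg, cls = aggregate_peaks(SAMPLE), classified_peaks(SAMPLE)
    print("aggregate peak per destination:", agg)
    print("highest per-source peaks:", Counter(cls).most_common(3))
    print("classified alarms at 30 cps:", over_threshold(cls, 30))
    print("aggregate alarms at 100 cps:", over_threshold(agg, 100))
```

The distributed burst pushes the aggregate counter past 100 connections per second while no single source exceeds 1, which is why assigning both profile types to the same entry covers cases that either one alone would miss.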

 
