TCP / UDP Flood



L3 Networker

Hi all,

I have set up a DoS rule from outside to my server zone.

Why can I sometimes see the attacker and victim IP and sometimes not?

 


L3 Networker

Cyber Elite

@s_quasar,

Depends heavily on what type of profile you have configured and what profile they actually hit; Classified will be able to provide you a source-ip because there is a sole address to give you, while Aggregate won't give you a source-ip because it accounts for anything connecting to that protected resource. 

I supposed this. Maybe I can see the specific attacker and victim IPs because I previously activated a classified rule (now it is aggregate).

Seeing the IPs is very useful because I can check on other websites whether it is a bad or good IP.

Maybe I can use an aggregate rule as a test and then activate a classified rule again.

@s_quasar,

Remember that you can assign both an aggregate profile and a classified profile in the same DoS entry. If you are just working on building these out now, it might be best to follow this method:

  • Set Alarm connection rates about where you expect it to be
  • Set Activate Rate to an extremely high value (100,000)
  • Set Max Rate to an extremely high value (100,000)

You can play around with the alarm rate and watch the logs to see when you actually start getting alerts and start to narrow down what your Activate and Max rates should be under normal traffic loads. The only thing that you won't be able to really analyze like this is the max concurrent session limit, but that should be easily generated from your logs and your session table over a period of time.
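An added example, not part of the replies above and not vendor code: a sketch of the baselining step, counting new connections per second from session-start records both ways (all sources combined per destination, as an aggregate profile counts, and per source, as a classified profile counts) so the observed peaks can guide the Alarm Rate. The record layout, the sample addresses and the `suggest_alarm` headroom heuristic are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample: (epoch second of session start, source IP, destination IP).
# This is not a firewall log export format; adapt the parsing to your own traffic logs.
A, B, C, DST = "198.51.100.7", "198.51.100.8", "203.0.113.50", "10.0.0.10"
SAMPLE = (
    [(0, A, DST)] * 2 + [(0, B, DST)]
    + [(1, A, DST)] + [(1, C, DST)] * 4
    + [(2, B, DST)]
)

def cps_peaks(records):
    """Return (aggregate_peaks, classified_peaks) in new connections per second.

    aggregate_peaks:  {dst: peak cps from all sources combined}
    classified_peaks: {(src, dst): peak cps from that single source}
    """
    agg = Counter()  # (dst, second) -> connections started in that second
    cls = Counter()  # (src, dst, second) -> connections started in that second
    for ts, src, dst in records:
        agg[(dst, ts)] += 1
        cls[(src, dst, ts)] += 1

    agg_peak, cls_peak = {}, {}
    for (dst, _), n in agg.items():
        agg_peak[dst] = max(agg_peak.get(dst, 0), n)
    for (src, dst, _), n in cls.items():
        cls_peak[(src, dst)] = max(cls_peak.get((src, dst), 0), n)
    return agg_peak, cls_peak

def suggest_alarm(peak, headroom=1.5):
    """Hypothetical heuristic: start the Alarm Rate at the observed peak plus headroom."""
    return math.ceil(peak * headroom)

if __name__ == "__main__":
    agg_peak, cls_peak = cps_peaks(SAMPLE)
    for dst, peak in agg_peak.items():
        print(f"aggregate  {dst}: peak {peak} cps, starting alarm {suggest_alarm(peak)}")
    for (src, dst), peak in sorted(cls_peak.items(), key=lambda kv: -kv[1]):
        print(f"classified {src} -> {dst}: peak {peak} cps, starting alarm {suggest_alarm(peak)}")
```

The per-source peaks are always at or below the aggregate peak for the same destination, which is why the two profile types need separate thresholds.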

 
