
DDoS Secure

Operation Guide

Version History
Each document has a version and a build number. You can tell the exact version and
build of this document by checking the top row of the table below.
Document updates are released in electronic form from time to time and the most up to
date version of this document will always be found on Allot’s online Knowledge Base.

Doc Revision  Internal Build  Product Version       Published    Changes
13            b3              DDoS Secure 16.1.50   17/11/2019   Log in information updated
13            b2              DDoS Secure 16.1.50   30/06/2019   Supports 16.1.50 GA. Port Mapping added to Section 3.2.4.
13            b1              DDoS Secure 16.1.10   28/05/2019   IPv6 Support added, Initial Dashboard Added, GEO, APN and Attack Indicators Added.
12            b4              DDoS Secure 15.1      30/08/2018   Product Renaming and GUI enhancements.
12            b3              SP15.1                18/03/2018   General Updates
12            b2              SP15.1                03/01/2018   Guide Rebranding
12            b1              SP15.1                07/11/2017   General Updates and GUI Enhancements


Contents
1 Introduction to DDoS Secure  1-1
  1.1 Overview  1-1
    WHAT IS IT?  1-1
    HOW DOES IT WORK?  1-1
    WHAT ARE THE COMPONENTS?  1-1
    PROCESS FLOW  1-2
    HOW IS IT MANAGED?  1-2
  1.2 Common terms and concepts  1-3
    Botnet  1-3
    CLI  1-3
    Data Filter  1-3
    DDoS attack  1-3
    Flood  1-4
    Groups  1-4
    GUI  1-4
    HBAD  1-4
    NBAD  1-5
    Report  1-5
    DDoS Secure Profile  1-5
    Spam  1-5
    Spambot  1-5
    View  1-5
    Worm  1-5
    Zero Day Attack  1-6
    Zombies  1-6
2 DDoS Secure GUI  2-1
  2.1 Introduction  2-1
  2.2 Web browser support  2-1
  2.3 System requirements  2-2
    Operator Access  2-2
    Administrator Access  2-2
    Alerts Reception  2-2
  2.4 Accessing the GUI  2-3
    Navigating the GUI  2-5
3 Generating Views  3-1
  3.1 Traffic Views  3-2
    Traffic Detail  3-2
    Traffic Trend  3-4
    Traffic Mitigation Detail  3-5
    Traffic Mitigation Trend  3-6
  3.2 NBAD  3-7
    NBAD Activity  3-8
    NBAD Trend  3-13
    NBAD Distribution  3-14
    NBAD Event View  3-16
    NBAD Top Sources  3-24
    NBAD Top Targets  3-25
    NBAD Mitigation  3-26
    NBAD Remote Trigger  3-28
  3.3 HBAD/Quarantine  3-30
    HBAD Workflow  3-31
    HBAD Activity  3-33
    HBAD Trend  3-35
    HBAD Distribution  3-36
    HBAD Event View  3-38
    HBAD Top Sources  3-40
    HBAD Top Targets  3-41
    HBAD Mitigation  3-43
    HBAD Subscriber Info  3-44
  3.4 Drill Down Views  3-45
    Pattern Page  3-46
    Capture Page  3-50
4 Reports  4-1


1 Introduction to DDoS Secure
1.1 Overview
WHAT IS IT?
Allot DDoS Secure is a network security system used for reducing problems caused
by outbound spam, abusive or infected behavior and botnet infections; and for
protection against distributed denial of service (DDoS) attacks. Allot DDoS Secure is
designed to monitor high volumes of aggregated traffic in wired/wireless/mobile
ISP environments and is deployed on access aggregation links (such as between
GGSN, PDSN, BRAS, CMTS and core network) and/or Internet transit and peering
links.

HOW DOES IT WORK?


Allot DDoS Secure uses a behavioral approach for identifying misbehaving hosts or
network attacks. The behavioral approach provides more effective and scalable
detection for large ISPs than traditional Intrusion Detection/Prevention Systems,
blacklists and content inspection techniques. Allot DDoS Secure uses two different
behavioral approaches for identifying these threats (called NBAD and HBAD). These
technologies are outlined below.

NBAD
Network Behavioral Anomaly Detection is used for identifying distributed denial of
service (DDoS) attacks.

HBAD
Host Behavioral Anomaly Detection identifies hosts (subscribers and/or IP)
exhibiting symptoms of malware infection or deliberately engaging in behavior
abusive of acceptable use policies.

WHAT ARE THE COMPONENTS?


Allot DDoS Secure comprises several components:
DDoS Secure Controller (SPC) – provides the management platform for
DDoS Secure: centralized configuration, data storage, process coordination
of one or more Sensors, and the sending of notifications and enforcement
actions.
DDoS Secure Sensor (SPS) – an intelligent network monitoring device
deployed inside Allot's Service Gateway platform or as an external appliance,
enabling Service Gateways to surgically filter packets and perform
mitigation based on packet patterns received from the SPC.

PROCESS FLOW
In the event of misbehaving hosts, the SPC communicates directly with one or more
Allot Subscriber Management Platforms (SMP) to trigger enforcement policies on
the subscriber. Enforcement policies are determined by preconfigured subscriber
service plans designed to notify the subscriber of their misbehavior via HTTP
redirection to a captive portal and/or to throttle or block all traffic or selected
traffic. For example, spamming behavior is controlled by blocking 25/TCP for the
subscriber to prevent spam from leaking out of the network. The SPC is also
integrated with Allot NetXplorer in order to provide IP based enforcement in a
similar fashion.
In HBAD Mitigation, the SPS detects an HBAD anomaly within the network and sends
that information to the SPC. The SPC resolves the name of the subscriber from the
SMP, then tells the SMP to change the service plan of the offending subscriber.
In NBAD Mitigation, the SPS detects incoming anomalies and sends a report to the
SPC. The SPC then extracts the attack pattern and sends the information to the
In-line Platform for mitigation.
In the event of DDoS or network flooding, the SPC communicates directly with the
In-line Platform to transfer the filtering pattern.

HOW IS IT MANAGED?
A typical DDoS Secure deployment will have a cluster of Sensors (Service Gateway
or standalone sensor) managed by a single SPC. The SPC has a web and CLI based
management interface where operators and administrators can connect for the day
to day operation, as well as administration of the system. This interface is also used
to communicate with the various Service Gateways or standalone sensor units on
the network. Users connect via secured protocols such as SSH and HTTPS.
Sensors have a management interface for communications with SPC. SPS will have
several Ethernet monitoring interfaces including 10/100/1000 copper, 1GE fiber
and 10GE fiber interfaces. Monitoring interfaces receive traffic non-intrusively via
network taps or span/mirror ports.


A Sensor embedded on a Service Gateway does not connect directly to any links as
it is integrated with the regular In-line Platform packet processing flow.
In this guide, all operational procedures for working with DDoS Secure and
generating views will be outlined.

1.2 Common terms and concepts


The following terms and concepts are defined as they pertain to the DDoS Secure
and the Allot solution.

Botnet
The Internet has become a dangerous place. At one time you had to download
infected software in order to get a virus infection. Today, simply visiting a website
or receiving a malicious email is enough to infect an unprotected computer.
Botnets are networks of infected hosts that collectively create huge reservoirs of
spare processing power. These machines are then used to launch DDoS attacks,
send spam, or search for other machines to infect.

CLI
The Command Line Interface, or CLI, is the administrative portal for the system.
This is where the system administrator performs initial setup, and where the
underlying configuration is performed. System operators do not require access to
the CLI, and depending upon your administrator, probably won't receive CLI
permissions. For more information see the DDoS Secure Installation and
Administration Guide.

Data Filter
Drop down menus at the top of each View, allowing you to control the data to be
displayed.

DDoS attack
A distributed denial-of-service (DDoS) attack is one in which a multitude of
compromised systems (aka zombies) attack a single target, thereby causing denial
of service for users of the targeted system. The flood of incoming messages to the
target system essentially forces it to shut down, thereby denying service to the
system's legitimate users.


Flood
Network floods are a way to clog the network infrastructure (Bandwidth
consumption) or to overwhelm a service.

Groups
Subnet groups, or simply groups, are the basis for all traffic classification within
DDoS Secure. The system is designed to present information to the user with human
readability in mind. Grouping is a method of creating logical collections of addresses
that perform a similar task from the point of view of the operator. Simply put, the
operator will find it easier to understand a group called "DSL Customers" than
a bunch of IP addresses or a few subnet prefixes. Grouping allows the administrator to
combine several prefixes into a single, easy to understand entity. So instead of
naming subnet prefixes and then managing several of these, grouping allows the
creation of a single group, then the addition of one or more prefixes to it. The
secret of using DDoS Secure effectively is to get the grouping correct from the very
beginning. Groups are set up by an administrator.
Groups should be configured in a manner that provides sufficient diversity in terms
of traffic types: TCP, DNS, other UDP, etc. For example, a group containing only
DNS servers might make sense from a customer's POV, but may not exhibit
sufficiently diversified traffic types from NBAD's perspective, as it may only carry
DNS traffic.
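The two points above, prefixes collected into named groups and the traffic-type diversity an administrator should check before committing to a grouping, worked through as an added example. This is illustrative code written for this guide, not Allot's implementation: the group names, the documentation-range prefixes and the flow records are constructed, and the traffic-type classes follow the text's own list (TCP, DNS, other UDP).

```python
"""Subnet groups as named collections of prefixes, plus a diversity check.

Added example, not Allot code. Group names, prefixes (RFC 5737/3849
documentation ranges) and the sample flow records are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed group definitions: each group name maps to one or more prefixes.
GROUPS = {
    "DSL Customers": ["192.0.2.0/25", "198.51.100.0/24"],
    "DNS Servers": ["203.0.113.0/28"],
    "Web Farm": ["203.0.113.64/26", "2001:db8:10::/48"],
}


def build_group_table(groups):
    """Parse every prefix once and return a list of (network, group_name),
    longest prefix first so the most specific group wins on overlap."""
    table = []
    for name, prefixes in groups.items():
        for prefix in prefixes:
            table.append((ipaddress.ip_network(prefix, strict=True), name))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify(address, table):
    """Return the group that owns 'address', or None if it is ungrouped."""
    addr = ipaddress.ip_address(address)
    for net, name in table:
        if addr.version == net.version and addr in net:
            return name
    return None


def traffic_type(proto, dport):
    """Coarse traffic class in the terms the guide uses: TCP, DNS, other UDP, ..."""
    if proto == "udp" and dport == 53:
        return "DNS"
    if proto == "udp":
        return "other UDP"
    return proto.upper()


def group_diversity(flows, table):
    """Count observed traffic types per group. Flows are (dst_ip, proto, dport)."""
    seen = defaultdict(Counter)
    for dst, proto, dport in flows:
        name = classify(dst, table)
        if name is not None:
            seen[name][traffic_type(proto, dport)] += 1
    return seen


def low_diversity_groups(flows, table, minimum_types=2):
    """Groups carrying fewer than 'minimum_types' traffic types: candidates
    for regrouping, as the guide's DNS-only example warns."""
    diversity = group_diversity(flows, table)
    return sorted(name for name, counts in diversity.items()
                  if len(counts) < minimum_types)


# Constructed flow sample: (destination address, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.11", "udp", 53),
    ("192.0.2.12", "udp", 5060),
    ("198.51.100.7", "icmp", 0),
    ("203.0.113.5", "udp", 53),
    ("203.0.113.6", "udp", 53),
    ("203.0.113.70", "tcp", 80),
    ("203.0.113.71", "tcp", 443),
    ("203.0.113.72", "udp", 443),
    ("2001:db8:10::1", "tcp", 443),
    ("203.0.113.200", "tcp", 22),   # belongs to no group
]

if __name__ == "__main__":
    table = build_group_table(GROUPS)
    for name, counts in group_diversity(SAMPLE_FLOWS, table).items():
        print(f"{name}: {dict(counts)}")
    print("low diversity:", low_diversity_groups(SAMPLE_FLOWS, table))
```

Run against the constructed flows, the "DNS Servers" group is the only one flagged, which is exactly the situation the text describes: sensible from the customer's point of view, but too uniform for behavioral baselining.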

GUI
The Graphical User Interface. This is where operators will view traffic charts, NBAD
and HBAD Views and receive information from the system. The GUI is secured and
is visible via https on a web browser.

HBAD
Host Behavioral Anomaly Detection. HBAD, or Quarantine, detects subscribers
infected with botnet software according to their behavioral patterns. Infected
machines frequently demonstrate huge numbers of connections to the network,
and these profiles are used for detection.


NBAD
Network Behavioral Anomaly Detection. NBAD, or Floods, is used to detect incoming
attacks. NBAD is the exact opposite of HBAD. While HBAD detects the infected
machines in your network launching attacks, NBAD detects incoming attacks,
usually originating from infected machines on the internet or on your own network.

Report
A collection of views, downloaded as a PDF.

DDoS Secure Profile


Administrators are usually interested in events that have an impact on their network.
Most networks will have a certain amount of "noise" - minor events that are either
benign or simply too small to have an impact. DDoS Secure Profiles are a method of
selecting only those events of interest while discarding all the rest. Only floods
meeting the criteria of the Profiles will be displayed.

Spam
Unsolicited e-mail. Usually either mass e-mailings by commercial sites to recipients
who have not requested any contact, or e-mails sent to intentionally annoy or
harass the recipient, including crashing his or her computer by overloading its e-
mail capacity. Sending lots and lots of spam might cause an ISP to be blacklisted as
a mail relay spammer.

Spambot
A (usually) compromised machine sending spam.

View
A single DDoS Secure graph or page.

Worm
A computer worm is a self-replicating computer program. It uses a network to send
copies of itself to other computers, and it does so without any user intervention. It
does so by exploiting unknown, undisclosed or un-patched computer application
vulnerabilities.


Zero Day Attack


A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit
unknown or undisclosed computer application vulnerabilities or vulnerabilities for
which no security fix is available. A vulnerability window exists between the time a
threat is revealed and the time security vendors release patches.

Zombies
A zombie computer (often shortened as zombie) is a computer attached to the
Internet that has been compromised by a hacker (which uses a worm, a virus, or a
Trojan horse). Most owners of zombie computers are unaware that their system is
being used in this way.

2 DDoS Secure GUI
2.1 Introduction
The DDoS Secure GUI offers fast access to network traffic views and data analysis,
categorized by subnet groups and collected from the DDoS Secure Sensors
throughout your network. After the initial configuration and once the system is
running, this is where most of the day-to-day system operation is conducted. The
GUI consists of three main types of Views – Traffic, NBAD/Floods and
HBAD/Quarantine. The Traffic section is dedicated to providing detailed insight into
traffic volumes and trends. The NBAD/Floods section is the access point into the
floods Views, pattern analysis, Profiles and samples, and the HBAD/Quarantine
section is the portal into infected hosts analysis. Traffic pages are interactive and
can display events at user-selected times or ranges.
The GUI opens with the Allot NBAD Summary Dashboard which provides a high-
level view of your network’s security status and inbound network DDoS attacks.

Figure 2-1: Dashboard


The Dashboard acts as your home page in DDoS Secure, delivering wide ranging
information at a glance.

2.2 Web browser support


The Allot DDoS Secure GUI is designed to be used with a browser that supports
WebKit, such as Chrome.


2.3 System requirements


Depending upon the specific task, various components of DDoS Secure have
different system requirements. For example, an operator who is only using the
GUI will require a workstation with a supported web browser, while an
administrator will require shell access too.
The three types of access are listed below:
Operator access
Administrator access
Alerts Reception

Operator Access
Operators typically manage the system using only the GUI for seeing Views. They
will require a workstation with a web browser. Cookies and Javascript must be
enabled. The GUI is served via https on TCP port 443.

Administrator Access
Administrators will use both the CLI and the GUI. The GUI will require a
workstation with a web browser. Cookies and Javascript must be enabled. The CLI
will require a secure shell client, using TCP port 22. On Windows several ssh software
packages exist. Putty and Poderosa are examples of free ssh software. On Linux or
Unix, it's usually known as SSH. Several commercial packages are available too.

Alerts Reception
A typical DDoS Secure system will be configured to send alerts when predefined
events occur. This is a proactive means by which operators can be notified of the
detection of floods and other important events. Alerts can be sent via any of the
following 3 transport mechanisms – Email, Syslog, SNMP – in any combination, and
to any number of recipients.

Email Alerts
The SPC can send emails to one or more designated recipients. A valid email address
must be supplied, in addition to a mail server reachable by the SPC. The recipient
obviously requires a means of reading mail.


Syslog alerts
The SPC can send syslog messages. A server capable of receiving syslog messages is
required. Syslog messages are sent on UDP port 514.

SNMP alerts
The SPC can send SNMP traps. An SNMP server is required. Traps are sent to UDP
port 162.

2.4 Accessing the GUI


The DDoS Secure GUI is accessible using a web browser. From the operator's point of
view, all of the tasks encountered during the day to day use of the system will be
conducted via this portal. This includes access to all of the traffic charts and access
to the NBAD and HBAD analysis pages. System configuration is not covered in this
guide. Please refer to the Administrators guide for system configuration.
HTTPS access is required to work with the DDoS Secure GUI.
Note: Administrative features of the DDoS Secure such as CLI access require an SSH
connection.
Open up your browser and browse to http://<SPC IP>/webui. You will be
presented with the main login screen.
In the User Name field, enter admin and in the Password field, enter allot or the
password that was established at set up. These are the default user name and
password. They may be different if you changed them during the initial
configuration. Click Login to enter the GUI.
If you are working on a shared computer, select the Shared Computer checkbox to
ensure your user name and password are cleared when you log out.
Depending upon the privileges your administrator granted, you may receive
different levels of access. Admin/Root Users see everything while GUI Users can
have full visibility or be limited to specific groups or sensors.


Figure 2-2: Log In Screen


Once you have successfully logged in you will see a screen similar to the one
below. The level of detail available may be limited by the rights your administrator
has granted.
Note: The GUI requires a resolution of 1024x768.

The administrator can control user access with fine granularity and may limit
access to specific SPS units and specific groups. For more information see the
DDoS Secure Installation and Administration Guide.


Navigating the GUI


The Dashboard

Figure 2-3: Dashboard


Upon login, you are presented with a preset NBAD Dashboard which provides an
initial high-level summary from which you can then drill-down further to more
details, time-bands etc. This is not a detailed analysis, and is more of a snapshot of
what’s going on at this moment. The screen auto refreshes every few seconds.
The Dashboard is made up of the following elements:

Network real-time attack status
- Provides a real-time indication of the network status.
- Status is indicated by two states, 'Under Attack' or 'Peace', and lists the
  date and time of the indication, refreshing every minute (60 seconds).

Key attack statistics
- All attacks – the total number of attacks over the last 24 hours
- High importance – the number of attacks classified as High Importance
- Short Lived – attacks which last up to 10 minutes
- Peak Bandwidth – maximum bandwidth of an attack seen over the last 24 hours
- Max Duration – the maximum duration of an attack

Note: Stats are calculated based on data from the last 24 hours, and the Dashboard
includes information about the change from the previous 24 hours.

Top Attackers/Targets
- Top Attacker is the source IP that generated the most DDoS attacks
- Top Target is the IP most attacked by DDoS events
- Top Attackers/Targets are ranked by number of events
- Top Attackers/Targets are displayed as a horizontal bar chart, so that
  the IP addresses can be read easily
- Top Attackers/Targets are based on last week's attack information,
  excluding attacks classified as Importance == Ignore
- Click on the Options button to switch between Attackers and Targets

DDoS Attacks
- Displays the top attacks distributed by attack type
- Click on the Options button to switch between:
  - Events – total number of events
  - Bandwidth – total bandwidth
  - Packets per second – total PPS
- DDoS Attacks are based on last week's data

Recent Attacks
- Displays the top recent attacks over the last week.
- Default display is the top 10 attacks, but from the drop down menu
  you can opt to display 10, 25, 50 or 100 attacks.
  - 100 attacks displays the most recent 100 attacks chronologically
  - 10, 25 and 50 attacks display the top attacks by priority, selected
    from the last 100 attacks chronologically
- Recent attacks are displayed in a table with the following columns:
  - Date – date and time
  - Attack – attack name
  - Group – protection group on which the attack was detected
  - Importance
  - Status – attack status: Active or Idle
- The columns may be sorted as follows:
  - Sort Date by chronological order
  - Sort Attack by alphabetical order, which allows, for example,
    seeing outbound attacks first, starting with 'Out-'
  - Sort Group by alphabetical order
  - Sort Importance with the high importance attacks first
  - Sort Status by alphabetical order
- A search field is also available

Traffic Daily Distribution
- Displays the distribution over the last week, at a daily resolution, of
  non-attack traffic (indicated by Total Traffic) and attack traffic
  (indicated by Mitigated Traffic).
- Mitigated traffic is colored differently than non-attack traffic.
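The Dashboard rules above (key attack statistics over the last 24 hours with the change from the previous 24 hours, Top Attackers/Targets over the last week excluding Importance == Ignore, and the 100-versus-10/25/50 selection in Recent Attacks) are easier to reason about when written out. The following is an added example for this guide, not Allot's implementation: the Attack record, the importance levels, the fixed "current time" and all six events are constructed assumptions, since the document states the rules but not the data model.

```python
"""Dashboard key attack statistics, Top Attackers/Targets and Recent Attacks
selection rules, worked through on constructed events.

Added example, not Allot's implementation. The Attack fields, importance
levels, the NOW timestamp and every event below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2019, 11, 17, 12, 0)                                 # constructed
IMPORTANCE_RANK = {"High": 3, "Medium": 2, "Low": 1, "Ignore": 0}  # assumed levels


@dataclass(frozen=True)
class Attack:
    start: datetime
    end: datetime
    name: str
    group: str
    importance: str
    status: str          # "Active" or "Idle"
    peak_mbps: float
    source: str
    target: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def in_window(attacks, now, hours_back, offset_hours=0):
    """Attacks that started within the 'hours_back' hours ending at
    now - offset_hours (offset 24 selects the previous 24-hour period)."""
    hi = now - timedelta(hours=offset_hours)
    lo = hi - timedelta(hours=hours_back)
    return [a for a in attacks if lo < a.start <= hi]


def key_stats(attacks, now=NOW):
    """'Key attack statistics': last 24 hours plus the change vs the previous 24."""
    def compute(window):
        return {
            "all": len(window),
            "high": sum(a.importance == "High" for a in window),
            "short_lived": sum(a.duration <= timedelta(minutes=10) for a in window),
            "peak_mbps": max((a.peak_mbps for a in window), default=0.0),
            "max_duration_min": max((a.duration for a in window),
                                    default=timedelta()).total_seconds() / 60,
        }
    current = compute(in_window(attacks, now, 24))
    previous = compute(in_window(attacks, now, 24, offset_hours=24))
    current["change"] = {k: current[k] - previous[k] for k in previous}
    return current


def top_by_events(attacks, now=NOW, field="source", limit=5):
    """Top Attackers (field='source') or Top Targets (field='target') over
    the last week, ranked by number of events, Importance == Ignore excluded."""
    week = in_window(attacks, now, 24 * 7)
    counts = Counter(getattr(a, field) for a in week if a.importance != "Ignore")
    return counts.most_common(limit)


def recent_attacks(attacks, now=NOW, show=10):
    """Recent Attacks table: 100 shows the latest 100 chronologically;
    10/25/50 show the top 'show' by importance chosen from the latest 100."""
    latest = sorted(in_window(attacks, now, 24 * 7),
                    key=lambda a: a.start, reverse=True)[:100]
    if show >= 100:
        return latest
    ranked = sorted(latest, key=lambda a: (IMPORTANCE_RANK[a.importance], a.start),
                    reverse=True)
    return ranked[:show]


def mk(hours_ago, minutes, name, group, importance, status, mbps, src, dst):
    """Build a constructed Attack that started 'hours_ago' before NOW."""
    start = NOW - timedelta(hours=hours_ago)
    return Attack(start, start + timedelta(minutes=minutes), name, group,
                  importance, status, mbps, src, dst)


# Constructed events using documentation address ranges only.
ATTACKS = [
    mk(0.5, 30, "HTTP Flood", "Web Farm", "High", "Active", 1500, "192.0.2.77", "203.0.113.71"),
    mk(2, 5, "SYN Flood", "Web Farm", "High", "Idle", 800, "198.51.100.9", "203.0.113.70"),
    mk(5, 30, "UDP Flood", "DNS Servers", "Medium", "Idle", 2400, "198.51.100.9", "203.0.113.5"),
    mk(20, 8, "ICMP Flood", "Web Farm", "Low", "Idle", 120, "192.0.2.77", "203.0.113.70"),
    mk(30, 60, "DNS Amplification", "DNS Servers", "High", "Idle", 5000, "198.51.100.20", "203.0.113.6"),
    mk(72, 15, "Out-SYN Flood", "DSL Customers", "Ignore", "Idle", 50, "192.0.2.10", "198.51.100.9"),
]

if __name__ == "__main__":
    print(key_stats(ATTACKS))
    print("top attackers:", top_by_events(ATTACKS))
    print("top targets:", top_by_events(ATTACKS, field="target"))
    for a in recent_attacks(ATTACKS):
        print(a.start, a.name, a.group, a.importance, a.status)
```

Note how the two window definitions interact: the 60-minute, 5000 Mbps event 30 hours ago is not in the 24-hour statistics, but it does drive the negative "change" in Peak Bandwidth and Max Duration, and it still counts for Top Attackers and Recent Attacks, which use a one-week window. The Ignore-classified outbound event is dropped from Top Attackers but remains visible in the Recent Attacks table, sorted last.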

The Main Menu


The Menu button in the top left hand corner is the main access to the various
Views supplied by the system. The menu items are:
- Dashboard – the page you receive upon login to the system, described above
- Traffic (Detail, Trend, Mitigation Detail & Mitigation Trend) – access to
  interactive traffic charts and trend data
- NBAD (Activity, Trend, Distribution, Event View, Top Sources, Top Targets,
  Mitigation and Remote Trigger) – access to the NBAD/flood detection
  system and Views
- HBAD (Activity, Trend, Distribution, Event View, Top Sources, Top Targets,
  Mitigation & Subscriber Info) – access to the HBAD/quarantine detection
  system and Views
- Reports (Selected Report and Report List) – access to preset combinations
  of Views
- Help – downloadable guides in PDF form
- Logout
To the right of the Menu button are several Quick Access buttons that open other
views in the same Menu item.


Data Filters
Several Data Filters are found in the upper portion of each page or View. These
may vary depending on the specific Data Filters the View requires. Some of the more
common are listed below:
- Sensors and Sensor Clusters – devices physically connected to the network
  and monitoring traffic.
  Note: Sensor clusters are groups of sensors that are treated by DDoS Secure as a
  single sensor for the purpose of NBAD detection and mitigation. Clusters are
  created and configured via the CLI only. For information see the DDoS Secure
  Installation and Administration Guide.
- Groups – logical collections of network prefixes
- Time range – preset or user selected times
- Timezone – displays the View in the selected timezone. By default the SPC
  time zone is used; it can be changed using this control
- Chart options – several different ways of displaying the requested View,
  usually appearing as a series of radio buttons
- View-specific controls – controls that are unique to the View being
  requested, such as Protocols or Direction

Figure 2-4: Main GUI (callouts: Main Menu, Time Range, Data Filters, Chart
Options, Graph, Graph Controls (Traffic Views))


Each Data Filter has the following two checkboxes:
- The Select All Items button, depicted as a star. This selects all the items in
  the list directly below.
- The Sum Selected Items button, depicted as a sigma sign. This collects the
  information from all the marked items and joins their values into a single
  trace.

Figure 2-5: All and Join Buttons (callouts: Select All Items Button, Sum
Selected Items Button)


For example, if all protocols in the ‘traffic detail’ View were selected and the Sum
Selected Items button was not selected, each protocol would be charted as a
separate line. If Sum Selected Items were selected, only one trace would be
displayed, the aggregate of all the selected protocols.
Clicking the Update button regenerates the View. After the Update button has
been pressed, the button changes to "No update in Xs". This is a counter that
counts down to zero, at which point the View is automatically refreshed. Click this
button to stop the automatic refresh. The button then changes back to
"Update", from which you can start the automatic update once again.
In some cases an option to restore previous values will appear on the chart. This
display alerts the user to a difference between the current chart information and
the selection made by the user. For example, the user requests a chart, and the
chart is displayed. Then the user changes their selection but hasn’t yet pressed the
update button. There is now a difference between the selection and the chart. At
this point the browser will display the undo button on the chart.
The user has two choices – click the ‘update’ button to update the chart with the
newer View request or click the undo button to change the selection back to what
was made originally.


Figure 2-6: Data Restoration Option - Detail


Navigation Example

Figure 2-7: Navigation Details


In this example, the Select All Items option for the sensors list has been selected.
All groups have been selected via the Select All Items button. Both directions of
traffic have been selected. We are also interested in a breakdown by protocol so
we selected all protocols but haven’t joined them.
In the time range selection, we’ve requested a full day beginning at a predefined
time. The chart will show the bit rate and will be displayed as a stacked area chart.
Note that TCP, UDP, ICMP, ESP and Fragmented protocols are displayed. Other
protocols are present too, but they are not displayed individually because they do
not appear in significant amounts. They have been aggregated automatically into
Other.

3 Generating Views
DDoS Secure Views enable you to monitor and record your network activity from a
security perspective. Each View displays a different interactive graph, allowing you
to get an in-depth picture of exactly what sort of traffic is coming in and out of your
network and to assess what threats, if any, exist.
Different types of Views provide different information, and may all be accessed via
the Main Menu:
- Traffic Views (Detail, Trend, Mitigation Detail & Mitigation Trend) –
  display network traffic charts and trend data
- NBAD Views (Activity, Trend, Distribution, Event View, Top Sources, Top
  Targets & Mitigation) – display NBAD/flood detection information. NBAD
  Views display incoming attacks, usually coming from infected machines on
  the internet or on your own network.
- HBAD Views (Activity, Trend, Distribution, Event View, Top Sources, Top
  Targets, Mitigation & Subscriber Info) – display HBAD/quarantine
  information. HBAD Views can be used to identify subscribers infected with
  botnet software according to their behavioral patterns. Infected machines
  frequently demonstrate huge numbers of connections to the network and
  other traits which appear in the Views.


3.1 Traffic Views


Traffic Detail

Figure 3-1: Traffic – Detail View


Traffic - Detail Views provide visibility into traffic rates over a selected period of time.
This data is collected at a 1-minute resolution and is stored in the database
indefinitely, or until the database fills up and cycles. DDoS Secure supports charting
of traffic data from any time period that is contained in the database.

Graph Controls

Figure 3-2: Display Controls


Each interactive traffic chart View contains four Graph Controls:

• Inspect Mode – Click to select points or mark areas. NBAD and HBAD
  events within the marked areas will be listed below the chart. More than
  one area can be selected.
• Pan Mode – Click and drag the chart to pan left and right.
• Zoom In – Mark the area requested and the chart updates to match.
  When this mode is activated, you may click on any area of a graph to zoom
  in to that spot. Double clicking this button zooms in 3x.
• Zoom Out – Click and hold, then move the mouse to one side to zoom
  out. Double clicking this button zooms out 3x.

View Generation
Select the SPS units and Groups to include in this View, the protocols you wish to plot
and the direction of the traffic.
You can display one of four traffic statistics:
• Bit rate
• Byte rate
• Packet rate (Pkt rate)
• Average packet size (Pkt size)
The data can be plotted in a variety of charts: Area chart, Line chart (linear or
Log) or Plain text. The plain text can be exported to software such as Excel. You
can select either a preset time range, or customize your own. Use the ‘before now’
preset to provide a constantly updating chart of the last X time, or the ‘starting at’
to display a fixed time.
The Select All Items checkbox (represented by an asterisk) on the select boxes
selects all items in the list and the Sum Selected Items checkbox (represented by a
sigma symbol) aggregates data from the selected items.
Once a selection has been made, click the Update button to update the View with
your selected data. Views that use the ‘before now’ option will auto update every
minute; a countdown timer is displayed in the button. Views that have a “starting
at” time do not update since the time range is fixed anyway.
Once the View appears, use ‘inspect mode’ to see NBAD events during a selected
time. The top 5 events will be displayed for each selection.
Clicking that event takes you to the NBAD Event Report page for that event.


Traffic Trend

Figure 3-3: Traffic – Trend View


Traffic - Trend provides visibility into traffic trends over a selected period of time.
This View uses the same traffic data as Traffic - Detail, therefore the data available
is the same as for the Traffic View.
The time selection area on the top allows different time ranges or preset values to
be selected.
The Traffic - Trend View is very similar to Traffic - Detail. The major select boxes
are identical (Sensors, Groups, Protocols, Directions, and the output charts). Once
you've selected the data to be charted, select duration and choose the output
format (Units and Display). You can receive Bytes, Packets or packet size charts,
and display them in one of four formats (Bar chart stacked, normal bar chart, Pie
chart or Text Table).


Traffic Mitigation Detail

Figure 3-4: Traffic – Mitigation Detail View


Traffic - Trend provides visibility into traffic trends over a selected period of time.
This View uses the same traffic data as Traffic - Detail, therefore the data available
is the same as for the Traffic View.
The time selection area on the top allows different time ranges or preset values to
be selected.
The Traffic - Trend View is very similar to Traffic - Detail. The major select boxes
are identical (Sensors, Groups, Protocols, Directions, and the output charts). Once
you've selected the data to be charted, select duration and choose the output
format (Units and Display). You can receive Bytes, Packets or packet size charts,
and display them in one of four formats (Bar chart stacked, normal bar chart, Pie
chart or Text Table).


Traffic Mitigation Trend

Figure 3-5: Traffic – Mitigation Trend View


Traffic - Trend provides visibility into traffic trends over a selected period of time.
This View uses the same traffic data as Traffic - Detail, therefore the data available
is the same as for the Traffic View.
The time selection area on the top allows different time ranges or preset values to
be selected.
The Traffic - Trend View is very similar to Traffic - Detail. The major select boxes
are identical (Sensors, Groups, Protocols, Directions, and the output charts). Once
you've selected the data to be charted, select duration and choose the output
format (Units and Display). You can receive Bytes, Packets or packet size charts,
and display them in one of four formats (Bar chart stacked, normal bar chart, Pie
chart or Text Table).


3.2 NBAD
The NBAD/floods detection feature is designed for the detection of DDoS attacks but
is applicable to network flooding events in general, such as worm propagation
activity and excessive connections from one IP address to another.
NBAD detection technology is explained as follows:
• Network behavior can be modeled in terms of various combinations of
  layer 3 and 4 network packet rate statistics of incoming and outgoing
  traffic (or ‘network ratios’)
• Under normal conditions, the network ratios are largely time invariant and
  remain invariant despite flash crowds, downloads and daily peaks and
  troughs in normal (non-attack condition) traffic
• However, DDoS attacks, connection/packet flooding events and
  dramatic levels of address scanning (usually associated with outbreaks of
  zero-day worms) will cause abnormal spikes in the network ratios
• These events are invariably found to cause anomalies in network ratios
  (but not all anomalies are attacks!)
• Network flooding attacks are differentiated simply by the fact that they
  produce dramatic anomalies in the network ratios
Compared with other anomaly detection approaches that analyze flow data, Allot
DDoS Secure has a superior approach because it will not suffer from secondary
flooding due to excessive flow records generated during flooding attacks, does not
impact the router in any way, and can extract more granular filtering patterns
directly from captured packets.


NBAD Activity

Figure 3-6: NBAD Activity View


The NBAD Activity page is the main portal to viewing and analyzing floods. The
page layout is consistent with the rest of the GUI. On the left are the familiar
Sensors and Groups selection boxes and the Select All Items checkboxes. The Types
select box lists the types of the floods that have been detected so far. On a newly
installed system this select box will be blank, and will get populated as new flood
types are detected. At the top of the View you may set the time period covered
by the graph.
Click Change Many in the NBAD Activity banner to add checkboxes which allow
you to set the importance of multiple Floods at once. Just click the checkboxes
of all those Floods you wish to change.

Attack Types
DDoS Secure has several built-in flood types that appear in the Types drop down
menu. By default, no actual flood names appear in the list - they are added upon
detection.
The built-in flood types are:

ID               DESCRIPTION
ack              Incoming TCP ACK without data flood
ack-data         Incoming TCP ACK with data flood
fin              Incoming TCP FIN flood
frag             Incoming Fragmented packet flood
icmp             Incoming ICMP flood
other            Incoming OTHER (not TCP, UDP or ICMP) flood
ping             Incoming PING (ICMP echo request) flood
pong             Incoming PONG (ICMP echo reply) flood
rst              Incoming TCP RST flood
syn              Incoming TCP SYN flood
TCP-inval        Incoming Invalid TCP flood
udp              Incoming UDP flood
unr              Incoming UNR (ICMP destination unreachable) flood
out-ack          Outgoing TCP ACK without data flood
out-ack-data     Outgoing TCP ACK with data flood
out-fin          Outgoing TCP FIN flood
out-frag         Outgoing Fragmented packet flood
out-icmp         Outgoing ICMP flood
out-other        Outgoing OTHER (not TCP, UDP or ICMP) flood
out-ping         Outgoing PING (ICMP echo request) flood
out-pong         Outgoing PONG (ICMP echo reply) flood
out-rst          Outgoing TCP RST flood
out-syn          Outgoing TCP SYN flood
out-TCP-inval    Outgoing Invalid TCP flood
out-udp          Outgoing UDP flood
out-unr          Outgoing UNR (ICMP destination unreachable) flood

Next is the Profiles select box. Here, existing DDoS Secure Profiles are listed,
allowing the display of only those floods that match filtering criteria. Detailed DDoS
Secure Profiles are defined in the CLI and provide superior filtering capabilities to
those of the GUI.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest.
• Minimum Bit rate and Minimum Pkt rate filter out floods whose traffic
  volumes fall below this value. The % textbox describes the flood's
  deviation percentage from the expected value.
• Min Duration textbox accepts values in seconds. This is the minimum
  flood duration that will be included in the View. The longest flood is 60
  minutes, after which tracking ceases.
• Min Shape Sev Data Filter defines floods with the minimum shape severity
  to be added to the View. Every flood is assigned a Shape severity. This is
  a value between 0-4 and describes how much the flood resembles a
  deliberate attack. The higher values of 3 and 4 are the most significant and
  deserve the most attention.
• Pattern ID textbox accepts pattern ids and is useful for searching the
  floods database for specific patterns. This is especially useful
  when analyzing attacks and you need to know if the attack has occurred in
  the past.
• IP Endpoint textbox narrows the search to floods where the stated
  endpoints appeared for a detected pattern.
• Payload limits the search to floods where the stated payload portion
  appeared in a detected pattern.
Running a simple View provides a number of events. Active events are always
displayed at the top, followed by the rest of the events sorted by the selected
order. Columns with the ‘*’ mark can be sorted in ascending or descending order.
The sorted column and sort order is displayed using a blue arrow on that column.


Figure 3-7: NBAD/Floods – Activity Detail


Next to the ‘pattern’ column, a letter may appear – D, S, M, B or any combination.
This letter gives an indication of the type of activity involved. The system runs
internal checks against the capture and, based upon the analysis, suggests these
types:
• D – DDoS. Defined as many source IPs connecting to few destination IPs.
  The actual calculation is a result of viewing the overall ratio of source
  hosts to destination hosts while taking into account the traffic volumes for
  these hosts.
• S – Scanning activity. The opposite of DDoS, this is a single host
  connecting to multiple destination hosts. This kind of activity resembles
  worm scanning, or IP scanning for vulnerable hosts.
• M – Malformed packets. The capture is run through tcpdump and three
  kinds of packet errors are searched for – truncated, bad checksum, and
  malformed. If these errors are found, an ‘M’ is assigned.
• B – Bogon. This indicates that a Bogon space has been detected. The
  source IP is one of the typically bogus “reserved IP addresses” (10.0.0.0/8,
  127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16).
Further information and advanced analysis is documented in the floods analysis
pages and will be covered in detail in the next section.
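As an added illustration (not Allot's code), the following Python derives the D, S and B letters from a constructed packet sample using the bogon ranges listed above; the ratio thresholds and the volume weighting are assumptions, and the tcpdump-based M check is not reproduced.

```python
"""Added example, not Allot's code: derive the D / S / B alert letters that
the NBAD Activity page shows next to a pattern, from a constructed packet
sample.  The thresholds and the volume weighting are assumptions; the
tcpdump-based 'M' (malformed) check is not reproduced here."""
from collections import Counter
from ipaddress import ip_address, ip_network

# The reserved ranges the guide lists under "B - Bogon".
BOGON_PREFIXES = [ip_network(p) for p in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16")]


def is_bogon(ip: str) -> bool:
    """True if the source address falls in one of the reserved ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)


def hosts_carrying(byte_counter: Counter, share: float) -> int:
    """Number of busiest hosts needed to account for `share` of all bytes.

    This is the (assumed) way traffic volume enters the host ratio: a few
    destinations carrying almost all of the bytes count as 'few', even if
    the sample also contains stray packets to other addresses."""
    total = sum(byte_counter.values())
    running, n = 0, 0
    for _, nbytes in byte_counter.most_common():
        running += nbytes
        n += 1
        if running >= share * total:
            break
    return n


def alert_letters(sample, ddos_ratio=10.0, scan_min_dst=10, volume_share=0.9):
    """Return the letters to show for a sample of (src_ip, dst_ip, bytes).

    D - many sources to few (volume-weighted) destinations
    S - a single source to many destinations (scanning)
    B - at least one source address is in bogon space
    Thresholds (ddos_ratio, scan_min_dst, volume_share) are assumptions."""
    src_bytes, dst_bytes = Counter(), Counter()
    for src, dst, nbytes in sample:
        src_bytes[src] += nbytes
        dst_bytes[dst] += nbytes
    if not src_bytes:
        return ""
    n_src = hosts_carrying(src_bytes, volume_share)
    n_dst = hosts_carrying(dst_bytes, volume_share)
    letters = []
    if n_src / n_dst >= ddos_ratio:
        letters.append("D")
    if len(src_bytes) == 1 and len(dst_bytes) >= scan_min_dst:
        letters.append("S")
    if any(is_bogon(src) for src in src_bytes):
        letters.append("B")
    return "".join(letters)


# Constructed samples (documentation address ranges, not real traffic).
# 50 sources hammering one destination.
DDOS_SAMPLE = [(f"203.0.113.{i}", "198.51.100.10", 60) for i in range(1, 51)]
# The same flood with one packet sourced from reserved space.
DDOS_BOGON_SAMPLE = DDOS_SAMPLE + [("10.1.2.3", "198.51.100.10", 60)]
# One host probing twenty destinations.
SCAN_SAMPLE = [("198.51.100.77", f"203.0.113.{i}", 40) for i in range(1, 21)]
```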


Using the Activity Page


• Flood column shows the serial number of the flood. Flood IDs begin at 1
  and are incremented by 1 for every new flood that is detected. This value is
  never reset.
• Flood Type column describes the type of flood that has been detected. This
  is a descriptive name that originates from a built-in list. This list may have
  user defined values too, a result of the Thresholds settings.
• Sensor column lists the SPS that detected this flood. In a typical distributed
  deployment, multiple SPS units will be monitoring several links, so it is
  highly likely that different SPS units will detect different flood events.
• Group describes the group that is affected by this flood. Every IP address
  falls into a prefix that belongs to a group. Non defined prefixes fall under
  the Catch-All group that typically describes the Internet.
• Detected At column lists the time the flood was detected.
• Duration column displays the duration of the flood. If the flood has
  ended, this will be the true length of the flood (see the Active column to
  check whether the flood is currently active or not), and if the flood is still
  alive, this will be its current length. Floods are tracked for one hour, after
  which tracking ceases. Therefore, floods shorter than one hour will have
  the correct duration displayed. Those longer than one hour will be
  truncated.
• Shape Sev column lists the shape severity of the flood.
• Bitrate and Packetrate columns display the bitrate and packetrate of the
  floods.
• Patterns column displays the pattern count for this flood. This is the
  number of patterns detected so far for the flood. For active floods this
  value is “as of time of display” and may grow as more samples are taken
  or if the flood evolves.
• Active column shows whether the flood is currently active or has ceased.
Clicking on the flood link opens the NBAD Event Report page for that flood.


NBAD Trend

Figure 3-8: NBAD Trend View


The NBAD Trend View displays flood trends as a function of time.
This way you can visually display the count of specific events in a predefined time
range. The Policy drop-down menu allows you to display events matching that
particular DDoS Secure Policy. This option is also useful for searching for trends in
recurring events. This is best achieved by using a DDoS Secure Policy that matches
events of interest (for example, events that have characteristics of large DDoS), and
may be given higher priority via the implementation of DDoS Secure Policies.
By selecting a radio button under Graph, you may choose to display the
distribution by Event Count, time Coverage, Bytes or Packets. The Display value
may be set to present the information as a Stacked Bar chart, normal bar chart, Pie
chart or Text Table.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.


NBAD Distribution

Figure 3-9: NBAD Distribution View


The NBAD Distribution View displays NBAD events sorted based on certain
parameters such as packet rate or duration. The page layout is consistent with the
rest of the GUI. At the top of the View you may set the time period covered by
the graph. On the left are the familiar Data Filters, Sensors and Groups selection
boxes and the All/Sum checkboxes. The Types select box lists the types of the floods
that have been detected so far.
Next you may set the minimum importance of the floods that will be displayed
followed by the Policy drop down menu. Here, existing DDoS Secure Policies are
listed, allowing the display of only those floods that match filtering criteria.
By selecting a radio button under Graph, you may choose to display the
distribution by number of events, Bytes or Packets. Under By, you may choose to
distribute the events based on Duration, Bit Rate, Packet rate, the Hours the events
occur at, the Days they occur on or their Importance.
The Display value may be set to present the information as a Stacked Bar chart,
normal bar chart, Pie chart or Text Table.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.


NBAD Event View

Figure 3-10: NBAD/Flood Events Report


• The top right corner displays the Flood ID. It’s possible to browse forward
  and back using the arrow buttons.
• The Flood Summary window on the left repeats important information
  about the flood. The majority of this information was present in the
  previous ‘flood activity’ page. Alerts shows any of the alert features from
  the previous screen (M – malformed packets, D – DDoS, S – Scanning, B –
  Bogon). Matched Profiles shows if the flood matched any DDoS Secure
  Profiles that were set up in the CLI. If any Profiles did match, their names
  are displayed here.
• DNS amplification floods are marked in the GUI for NBAD events. The GUI
  also shows the specific pattern amplification & percentage. The mark
  appears in the Patterns value in the Event Summary.
  Both of the following conditions should exist to identify amplification
  floods:
  • Flood type is fragmented, UDP or DNS
  • 2 - 10% or more of initial-fragment (/ non-fragmented) pattern-matching
    packets in the sample are UDP, longer than 300B and with one of the
    following Tx ports (i.e. source port respective to flood direction):
    17 (QOTD)
    19 (CHARGEN)
    53 (DNS)
    111 (Portmap)
    123 (NTP)
    137 (NetBIOS)
    161 (SNMP)
    520 (RIP)
    1900 (SSDP)
    5353 (mDNS)
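The two conditions above applied to a constructed packet sample, written here as an added example rather than code from the product; the share threshold (the guide says 2 - 10% or more) is a parameter defaulting to 10%, and the flood-type ids frag/udp/dns are assumed names for "fragmented, UDP or DNS".

```python
"""Added example, not Allot's code: apply the two amplification-flood
conditions from the guide to a constructed packet sample.  The share
threshold is a parameter (assumed default 10%), the flood-type ids are
assumed, and Packet is a simplified model of a captured packet."""
from collections import Counter
from dataclasses import dataclass

# Tx ports the guide lists (source port relative to the flood direction).
AMPLIFIER_TX_PORTS = {
    17: "QOTD", 19: "CHARGEN", 53: "DNS", 111: "Portmap", 123: "NTP",
    137: "NetBIOS", 161: "SNMP", 520: "RIP", 1900: "SSDP", 5353: "mDNS"}
# Flood types for which the check applies (first condition; ids assumed).
AMPLIFICATION_FLOOD_TYPES = {"frag", "udp", "dns"}
MIN_PACKET_LENGTH = 300   # packets must be longer than 300 bytes


@dataclass
class Packet:
    proto: str                     # "udp", "tcp", "icmp", ...
    length: int                    # packet length in bytes
    tx_port: int                   # source port relative to flood direction
    initial_fragment: bool = True  # False for non-first fragments


def amplification_check(flood_type, sample, min_share=0.10):
    """Return (flagged, share, hits_by_service).

    share is the fraction of initial-fragment / non-fragmented packets that
    are UDP, longer than MIN_PACKET_LENGTH and sent from an amplifier port;
    hits_by_service breaks those hits down by service name (the per-pattern
    amplification and percentage the GUI shows)."""
    considered = [p for p in sample if p.initial_fragment]
    if flood_type.lower() not in AMPLIFICATION_FLOOD_TYPES or not considered:
        return False, 0.0, Counter()
    hits = [p for p in considered
            if p.proto == "udp" and p.length > MIN_PACKET_LENGTH
            and p.tx_port in AMPLIFIER_TX_PORTS]
    share = len(hits) / len(considered)
    by_service = Counter(AMPLIFIER_TX_PORTS[p.tx_port] for p in hits)
    return share >= min_share, share, by_service


# Constructed samples.
# 15 large DNS replies from port 53 plus 5 small packets from a high port.
DNS_AMP_SAMPLE = ([Packet("udp", 512, 53)] * 15
                  + [Packet("udp", 80, 40000)] * 5)
# Same UDP flood type, but only one amplifier-port packet in twenty
# (share 5%): below the assumed 10% threshold, so not flagged.
PLAIN_UDP_SAMPLE = [Packet("udp", 512, 53)] + [Packet("udp", 80, 40000)] * 19
# Non-first fragments are not counted at all; the four initial fragments
# (large NTP replies) decide the share.
FRAG_SAMPLE = ([Packet("udp", 1400, 123, initial_fragment=True)] * 4
               + [Packet("udp", 1400, 0, initial_fragment=False)] * 6)
```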


• Below is the Statistics window. Here, important model detection
  information is displayed. Expected is the volume of traffic for this
  particular statistic as expected by the model. Observed is the true traffic
  on the wire. Deviation is the difference between observed and expected
  (the delta) and is the anomalous part of the traffic. In this example we see
  that the deviation is significantly more than the traffic expected by the
  model, which is typical for this kind of flood.
• The Charts windows to the right display the tracked statistic within the
  model. The upper chart displays the packet rate for that statistic while the
  lower chart displays the tracked ratio which was breached. In our
  example, the tracked ratio is “incoming TCP syn” to “outgoing TCP fin”. We
  observed an increase in “incoming TCP syn” packets, so the upper chart
  displays this statistic.
• On both charts the observed values are drawn in red. This is the reality on
  the wire. The expected value is displayed in blue. This is what the model is
  expecting. Note that for some floods such as the one in this example, the
  expected value is very low and is very close to the zero line.
• Vertical yellow bars demonstrate the position in time and duration of
  packet samples that were taken. When a flood is detected, a sample is
  taken at the beginning, then subsequently every 3 minutes.
• These two charts, when clicked, open a new window with a zoomed version
  of the chart.
• Above the Charts window, on the far right, is a link to the Traffic Detail
  page. Clicking this link will open the traffic detail page with the correct
  time range, group and protocols automatically selected, and the current
  flood will be superimposed over the traffic.
• Below the Statistics window is the Mitigation History, in which you can
  see the NBAD Mitigation events connected with the flood. Using the
  toggle in the title bar, you may opt to see the Mitigation requests only,
  displaying who requested the Mitigation and its parameters, or a list of all
  events connected to the pattern for this flood.


• Below the Charts window is the Mitigation State window, displaying the
  current Mitigation actions of each Service Gateway and allowing the user
  to select the Pattern, Mitigation Action and the time period (while flood
  lasts, for 30 minutes, for 60 minutes, for 2 hours, indefinitely) for the
  Mitigation.
  Possible Mitigation Actions are:
  • NONE (default)
  • BLOCK
  • BLOCK TARGET HOST – pattern for mitigation using the top Rx host of the
    extracted pattern as destination IP, with all other octets as wildcards.
  • BLOCK TARGET HOST+PROTOCOL – same as above, with the exception that
    the IP protocol field is taken from the extracted pattern.
• Below the Mitigation State window is the Rx Host Remote Trigger
  window, in which existing hosts may be selected as Remote Triggers for this
  event, meaning that the Remote Trigger Agent notifies all the BGP
  neighbors of the triggered host of the situation, and traffic with the
  triggered host as destination will be routed to a “black hole” to be dealt
  with. This ensures that the links upstream of the attack do not become
  congested and visibility for adjacent hosts is preserved.

Table 1. Rx Host Remote Trigger Parameters

PARAMETER: Remote trigger state
  The state is in the context of this NBAD event ONLY; it doesn't trigger these
  hosts/subnets in the context of other NBAD events.
  VALUES:
    None: No action was taken on this remote trigger
    Triggered: At least one host was triggered
    Withdrawn: All hosts that were advertised are withdrawn

PARAMETER: Pattern
  Select the pattern to use for the manual activation out of the available
  patterns. The default pattern is the pattern that the system has selected as
  the most relevant one.

PARAMETER: Host/Subnet
  Shows the list of hosts and the status of each host. For each host the
  following attributes are shown:
  VALUES:
    Check box: Used to select the host in order to either trigger or withdraw
    this host (there is a global checkbox to select/unselect all hosts at once)
    IP address – IP address for the rx host. IP subnets are created out of the
    rx hosts.
    Group/Prefix – Group name and prefix name related to this rx host.
    Name – Domain name of the host.
    BW % – Percentage of pattern traffic going to this host. A high percentage
    would indicate this host should be triggered.
    State: Shows the state in the event (local) and the global state (in all
    other events). Global state shows only if this host is triggered in any
    other event in the system or if no trigger (None) is activated on that
    host in other events.
      • None – No action taken on this host
      • Triggered <policy_name> – Advertised to BGP neighbors. If the trigger
        was done automatically through a policy, the Policy name appears in
        the state.
      • Withdrawn – Triggered host was withdrawn
    Last change: Shows the time (YYYY-MM-DD HH:MM) when the host last changed
    state. If there was no state change for this host, the time is shown as N/A.
    Withdraw ET: Shows the expected time (YYYY-MM-DD HH:MM) at which the
    triggered host is going to be withdrawn (if the host state is
    None/Withdrawn, the time is shown as N/A).

PARAMETER: Withdraw timeout
  Selects the timeout that is set for host withdrawal. There are several preset
  timeout values: 10/20/60 minutes or 2/6/24/48 hours.

There are 2 actions that can be performed on the selected hosts:
• Route: Advertise selected hosts
• Withdraw: Withdraw selected hosts

Below the Rx Host Remote Trigger window is the Rx Subnet Remote
Trigger window, in which existing subnets may be selected as Remote Triggers
for this event, meaning that the Remote Trigger Agent notifies all the BGP
neighbors of the triggered subnet of the situation, and traffic with the
triggered subnet as destination will be routed to another location for
filtering.
Table 2. Rx Subnet Remote Trigger Parameters

PARAMETER: State
  Shows the state in the event (local) and the global state (in all other
  events). Global state shows only if this subnet is triggered in any other
  event in the system or if no trigger (None) is activated on that subnet in
  other events.
  VALUES:
    None: No action was taken on this remote trigger
    Triggered: At least one host was triggered
    Withdrawn: All hosts that were advertised are withdrawn

PARAMETER: Pattern
  Select the pattern to use for the manual activation out of the available
  patterns. The default pattern is the pattern that the system has selected as
  the most relevant one.

PARAMETER: Subnet
  Shows the list of subnets and the status of each subnet. For each subnet the
  following attributes are shown:
  VALUES:
    Check box: Used to select the subnet in order to either trigger or
    withdraw this subnet (there is a global checkbox to select/unselect all
    subnets at once)
    IP address – IP address for the subnet.
    Group/Prefix – Group name and prefix name related to this rx subnet.
    BW % – Percentage of pattern traffic going to this subnet. A high
    percentage would indicate this subnet should be triggered.
    State: Shows the state in the event (local) and the global state (in all
    other events). Global state shows only if this subnet is triggered in any
    other event in the system or if no trigger (None) is activated on that
    subnet in other events.
      • None – No action taken on this subnet
      • Triggered <policy_name> – Advertised to BGP neighbors. If the trigger
        was done automatically through a policy, the Policy name appears in
        the state.
      • Withdrawn – Triggered host was withdrawn
    Last change: Shows the time (YYYY-MM-DD HH:MM) when the subnet last
    changed state. If there was no state change for this subnet, the time is
    shown as N/A.
    Withdraw ET: Shows the expected time (YYYY-MM-DD HH:MM) at which the
    triggered subnet is going to be withdrawn (if the subnet state is
    None/Withdrawn, the time is shown as N/A).

PARAMETER: Withdraw timeout
  Selects the timeout that is set for host withdrawal. There are several preset
  timeout values: 10/20/60 minutes or 2/6/24/48 hours.

There are 2 actions that can be performed on the selected subnets:
• Route: Advertise selected hosts
• Withdraw: Withdraw selected hosts

Below the Mitigation History window is the Remote Trigger History, in
which you can see the Remote Trigger events connected with the flood.


The Patterns section displays the various patterns that were detected
during the flood. The system automatically orders patterns by relevance
and places the most relevant patterns on the top.
Some of the ports listed will also be indicated by the name of the service
generally associated with that port appearing in parentheses. These
include such ports as port 80 = HTTP, port 53 = DNS, port 22 = SSH, port 21
= FTP and so on.

Format: Source IP: source port -> destination IP: destination port
protocol signature length
To the right, the header and payload signature lengths are displayed
(these are the number of consistent bytes in the header and payload – the
“blue” bytes), then the pattern relevance and finally a host count. The
pattern relevance displays how relevant the pattern is to the overall flood.
When calculating the relevance, the algorithm checks if the pattern
accounts for the “deviation” but not the “expected” part of the flood.
After all, the deviation is the anomalous portion of the flood and should
be depicted by the pattern. In addition, we calculate this for the entire
length of the flood, and a more relevant pattern should cover a larger
portion, if not all of the flood.
The host count displays the number of source hosts talking to the count
of destination hosts. A large number of sources to a low number of
destinations resembles a DDoS attack, whereas a single host talking to
multiple destinations looks like scanning activity.
The last portion of the screen shows the Packet Captures that occurred
during the flood.
Packet captures are taken once every three minutes, to the maximum life
of a flood of one hour. Shorter floods will have fewer samples. Packet
samples may not be taken at all if the deviation is smaller than 10%.
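An added example (not Allot's code) that puts the pieces of this chapter together in Python: the Expected/Observed/Deviation numbers of the Statistics window for the guide's own "incoming TCP syn" to "outgoing TCP fin" ratio, the one-hour tracking limit, and the packet-sample schedule of every 3 minutes with no sample below 10% deviation. The baseline (a median over non-attack minutes) and the minute counters are constructed assumptions; how the real model learns its baseline is not documented here.

```python
"""Added example, not Allot's code: a minimal version of the NBAD ratio
model described in this chapter, using the guide's example ratio of
'incoming TCP syn' to 'outgoing TCP fin'.  The baseline (median over
non-attack minutes) and the sample counters are assumptions.  Sampling
rules follow the text: a packet sample at detection, then every 3 minutes,
floods tracked for at most 60 minutes, no sample while deviation < 10%."""
from statistics import median

SAMPLE_INTERVAL_MIN = 3           # minutes between packet samples
MAX_FLOOD_LIFE_MIN = 60           # tracking ceases after one hour
MIN_SAMPLE_DEVIATION_PCT = 10.0   # no packet sample below this deviation


def baseline_ratio(history):
    """Expected in_syn / out_fin ratio from (in_syn, out_fin) per-minute
    counters taken under normal conditions.  Assumed: the median, which
    ignores the short flash crowds the guide says the ratio is robust to."""
    return median(i / o for i, o in history if o > 0)


def evaluate_minute(in_syn, out_fin, ratio):
    """The three numbers the Statistics window shows for one statistic.

    Expected  - incoming SYN volume the model predicts from outgoing FIN
    Observed  - incoming SYN actually seen on the wire
    Deviation - observed minus expected, the anomalous part of the traffic
    """
    expected = ratio * out_fin
    observed = float(in_syn)
    deviation = observed - expected
    pct = (deviation / expected * 100.0) if expected > 0 else float("inf")
    return {"expected": expected, "observed": observed,
            "deviation": deviation, "deviation_pct": pct}


def tracked_duration(start_min, end_min):
    """Duration as the Activity page shows it: the true length for floods
    shorter than one hour, truncated at 60 minutes otherwise."""
    return min(end_min - start_min, MAX_FLOOD_LIFE_MIN)


def sample_schedule(detected_at, ended_at, deviation_pct_at):
    """Minutes at which a packet capture is taken for a flood.

    deviation_pct_at(minute) returns the deviation in percent at that
    minute; a capture is skipped when it is below 10%.  Captures stop at
    the end of the flood or after one hour, whichever comes first."""
    samples = []
    t = detected_at
    while t <= ended_at and t - detected_at < MAX_FLOOD_LIFE_MIN:
        if deviation_pct_at(t) >= MIN_SAMPLE_DEVIATION_PCT:
            samples.append(t)
        t += SAMPLE_INTERVAL_MIN
    return samples


# Constructed per-minute counters: a quiet period, then a SYN flood.
NORMAL_MINUTES = [(1000, 800), (1200, 960), (900, 720), (1100, 880)]
FLOOD_MINUTE = (26_250, 1000)   # (in_syn, out_fin) during the flood


def flood_deviation_pct(minute):
    """Constructed deviation curve: a flood from minute 0 whose deviation
    briefly drops below 10% at minute 6, so that one sample is skipped."""
    if minute == 6:
        return 5.0
    ratio = baseline_ratio(NORMAL_MINUTES)
    return evaluate_minute(*FLOOD_MINUTE, ratio)["deviation_pct"]


if __name__ == "__main__":
    ratio = baseline_ratio(NORMAL_MINUTES)
    print("expected ratio in_syn/out_fin:", ratio)
    print(evaluate_minute(*FLOOD_MINUTE, ratio))
    print("tracked duration of a 75-minute flood:", tracked_duration(0, 75))
    print("samples at minutes:", sample_schedule(0, 75, flood_deviation_pct))
```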


Each packet capture displays a Capture ID, the capture timestamp, the
deviation from the model in percent, the number of packets, their size,
and finally a link to download the capture.
The All Packets link at the very bottom includes all packets from the entire
life of the flood.

NBAD Top Sources

Figure 3-11: NBAD/Flood Top Sources


The NBAD Top Sources View displays a list of the top sources generating NBAD
events. The page layout is consistent with the rest of the GUI. On the left are the
familiar Sensors and Groups selection boxes and the Select All Items checkboxes.
The Types select box lists the types of the floods that have been detected so far.
Next you may set the minimum importance of the floods that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
• Source indicates the IP address that is generating the NBAD event.
• Times Detected indicates the number of times an NBAD event originating
  from that Source has been detected.
• Average Bit Rate lists the average bit rate of all the NBAD events
  originating from that Source.
• Average Packet Rate lists the average packet rate of all the NBAD events
  originating from that Source.
Clicking on any of the listed Sources will open a Flood Activity View listing all floods
originating from that Source.

Figure 3-12: NBAD Activity View

NBAD Top Targets

Figure 3-13: NBAD Top Targets


The NBAD Top Targets View displays a list of the top targets of NBAD events. The
page layout is consistent with the rest of the GUI. On the left are the familiar
Sensors and Groups selection boxes and the Select All Items checkboxes. The Types
select box lists the types of the floods that have been detected so far.
Next you may set the minimum importance of the floods that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.


The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
• Target indicates the IP address that is being hit with the NBAD event.
• Times Detected indicates the number of times an NBAD event targeting
  that IP has been detected.
• Average Bit Rate lists the average bit rate of all the NBAD events targeting
  that IP.
• Average Packet Rate lists the average packet rate of all the NBAD events
  targeting that IP.
Clicking on any of the listed Targets will open a Flood Activity View listing all floods
targeting that IP.

NBAD Mitigation
NBAD mitigation provides surgical filtering of network floods on Allot Service
Gateway platforms which are running Allot Operating System (AOS).
Note: NBAD Mitigation requires a separate software license per platform.

Figure 3-14: NBAD Mitigation


In the NBAD Mitigation view, there are several main screen elements. The top
panel displays the status of NBAD mitigation devices. The columns are described
below:


AOS Host column lists NBAD mitigation devices which may be Service
Gateway platforms or NetEnforcer devices
Patterns indicates applied patterns as an absolute value and as a
percentage of maximum number of patterns
Memory indicates the memory used for filtering in both absolute value
(Bytes) and percentage of available memory
Blocked bytes indicates the number of bytes that have been blocked by
this mitigation device.
Blocked pkts indicates the number of packets that have been blocked by
this mitigation device.
State provides information on the state of the NBAD mitigation device
Since indicates the date and time of the last change to the State
In addition, recent mitigation activity is displayed in a graph for each NBAD
mitigation device. Filtered traffic is counted and the packet rate and bit rate of
filtered traffic are displayed over time. Empty charts are not displayed.
Below the list of NBAD mitigation devices, NBAD Mitigation Requests are listed.
This view is pattern centric:
Applied at indicates the date and time at which the pattern was applied
Pattern indicates the pattern id which can be viewed by clicking on the
pattern number
State is a summary of the number of NBAD mitigation locations where
patterns are active
AOS Host is the name or IP of the NBAD mitigation device
Details indicate the status of the pattern such as whether it is active,
removed and any additional information relating to the NBAD mitigation
device
Floods will list the id of flood events which were/are affected by the
pattern; each flood can be viewed by clicking on the flood id number and
blocking can be individually managed on the relevant flood page
Action will provide the operator, if applicable, with an option to manually
remove the block on all applicable devices


NBAD Remote Trigger


NBAD Remote Trigger view provides a summary of all Remote Trigger devices and
requests.

Figure 3-15: NBAD Remote Trigger


The Remote Trigger Device List includes the following information:
BGP neighbor IP address
Community name
Patterns
BGP neighbor state: No connection/Up/Down
Time when recent state was changed
Rx hosts/rx subnets which are currently being triggered
Timeline graph showing the trigger activity for that BGP neighbor
 X-axis: date & time
 Y-axis: showing the number of triggered rx hosts and the number of
triggered rx subnets
 Updates (trigger/withdraw) made to that BGP neighbor over the time
(each update is shown as dotted vertical line on the graph)
Click Withdraw for an individual device to withdraw it from the remote trigger or
click Withdraw All, Withdraw all hosts or Withdraw all subnets at the bottom of the
list to withdraw all devices, hosts or subnets from the Remote Trigger.


The Remote Trigger Request List includes the following information:


Since: date & time of the last remote trigger request made for that rx
host/subnet
IP Address: of the rx host/subnet
Request Type: Trigger or withdrawal
RX Host/RX Subnet: if it is a host or a subnet.
Source Pattern: the pattern the Remote Trigger is based on.
Flood: the number of the Flood event where this rx host/subnet was
triggered
Expiry: when the requested state expired
Action: click the button to withdraw the request.


3.3 HBAD/Quarantine
HBAD or host behavioral anomaly detection is a technology developed for
detecting infected hosts or subscribers.
HBAD technology is explained as follows:
Hosts are identified by tracking all outbound connections from the
network and misbehaving hosts will exhibit abnormally elevated and
sustained outbound connections
Moreover, the connection patterns can be matched to common profiles of
infected or abusive behavior
Such misbehavior is categorized as address scanning, port scanning,
connection flooding, excessive connections to 25/TCP (SMTP) and 53/UDP
(DNS)
SMTP and DNS categories are associated with spamming
By monitoring all outbound connections, Allot DDoS Secure provides superior
visibility of misbehaving hosts over approaches that use sampled flow data since
the host connections can easily fall between samples. The problem with using
sampled flow data worsens in high throughput networks where the practical use of
flow data requires increasingly larger sampling intervals. Correspondingly, visibility
of individual host activity worsens with increasing sampling interval. Allot DDoS
Secure does not suffer from such flow sampling constraints.
Once groups have been set up, the ‘quarantine’ option is turned on for each group,
which enables HBAD detection for it. From this point on, flow records are collected
for IPs falling under these groups.
Flows for every host are analyzed and the behavioral profile of the host is
inspected. If suspicious behavior is detected, a capture of 1000 flows is initiated for
that host.
Once the capture is complete the flows are analyzed and if suspicious behavior is
found, the following five activity types are classified:
Flow-Bomb – Multiple connections from the suspect host at different
ports to another single host at a single port.
Addr-Scan – Connections from one host to multiple hosts on a single port.

Mass-SMTP – Multiple connections to other host(s) on TCP port 25. This is
actually a specific case of address scan. Spam activity is usually found
going alongside DNS lookups which may be detected as flow bombs to a
server on UDP/53 if a single DNS server is used, or address scan on
UDP/53 if multiple DNS servers are queried.
Port-Scan – Multiple connections from a single host to a single destination
host on multiple target ports.
Mass-DNS – Multiple connections to TCP or UDP port 53 on multiple
destination hosts.
A host may display more than one of the above behavior profiles. For example,
spam (mass SMTP) may go along with flow bomb or address scan. In addition, the
host may be used as a DDoS bot as well. Activities of bots are varied and can be
used for launching DDoS attacks, spam campaigns or even scanning in order to
“recruit” other bots.
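As an added illustration (not Allot's HBAD engine and not code from this guide), the following Python script classifies a constructed flow sample from one host into the five activity types defined above. The Flow record layout, the MIN_FANOUT threshold and the rule that fan-out on TCP/25 and port 53 is reported as Mass-SMTP/Mass-DNS rather than Addr-Scan are assumptions of the example; the product's own thresholds are not documented here.

```python
"""Illustrative HBAD-style classification of a captured flow sample.

Added example, not Allot's HBAD engine: the Flow record layout, the
MIN_FANOUT threshold and the precedence rule for port 25/53 are all
assumptions made here. The five categories follow the guide's definitions.
"""
from collections import defaultdict
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    sport: int   # source port used by the monitored (suspect) host
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# Assumed threshold (constructed): how many distinct ports/hosts a pattern must
# span within one capture before it is reported as an activity type.
MIN_FANOUT = 20


def classify(flows: Iterable[Flow]) -> set:
    """Return the activity types found in one capture from a single host.

    Flow-Bomb : many source ports to one destination host:port
    Addr-Scan : one destination port on many destination hosts
    Port-Scan : many destination ports on one destination host
    Mass-SMTP : the Addr-Scan case on TCP/25 (reported instead of Addr-Scan)
    Mass-DNS  : the Addr-Scan case on port 53 (reported instead of Addr-Scan)
    """
    sports_per_service = defaultdict(set)  # (dst, dport, proto) -> {sport}
    dsts_per_port = defaultdict(set)       # (dport, proto) -> {dst}
    dports_per_host = defaultdict(set)     # (dst, proto) -> {dport}
    for f in flows:
        sports_per_service[(f.dst, f.dport, f.proto)].add(f.sport)
        dsts_per_port[(f.dport, f.proto)].add(f.dst)
        dports_per_host[(f.dst, f.proto)].add(f.dport)

    found = set()
    if any(len(s) >= MIN_FANOUT for s in sports_per_service.values()):
        found.add("Flow-Bomb")
    for (dport, proto), dsts in dsts_per_port.items():
        if len(dsts) < MIN_FANOUT:
            continue
        if proto == "tcp" and dport == 25:
            found.add("Mass-SMTP")
        elif dport == 53:
            found.add("Mass-DNS")
        else:
            found.add("Addr-Scan")
    if any(len(p) >= MIN_FANOUT for p in dports_per_host.values()):
        found.add("Port-Scan")
    return found


# Constructed samples (not captured traffic); addresses are documentation ranges.
def spam_bot_sample() -> list:
    """A spamming host: TCP/25 to 40 mail servers plus lookups to one resolver."""
    flows = [Flow(50000 + i, f"203.0.113.{i}", 25, "tcp") for i in range(1, 41)]
    flows += [Flow(40000 + i, "192.0.2.53", 53, "udp") for i in range(40)]
    flows += [Flow(60000 + i, f"198.51.100.{i % 10 + 1}", 443, "tcp") for i in range(30)]
    return flows


def port_scanner_sample() -> list:
    """One host probed on 50 different TCP ports."""
    return [Flow(45000 + p, "198.51.100.200", p, "tcp") for p in range(1, 51)]


def benign_sample() -> list:
    """A handful of HTTPS sessions to a few hosts: no category should fire."""
    return [Flow(52000 + i, f"198.51.100.{i % 5 + 1}", 443, "tcp") for i in range(15)]


if __name__ == "__main__":
    for name, sample in (("spam bot", spam_bot_sample()),
                         ("port scanner", port_scanner_sample()),
                         ("benign", benign_sample())):
        print(f"{name:13s} -> {sorted(classify(sample)) or 'no activity'}")
```

Run it directly to print the verdict for each constructed sample. The spam sample also trips Flow-Bomb through its lookups to a single resolver, which is exactly the combination the guide describes for spamming hosts.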

HBAD Workflow
SPS units are connected passively to monitor traffic. 100% of the traffic is
monitored by both the NBAD and HBAD systems. While the NBAD system receives
100% of the packets, the HBAD system uses 100% of the flows. Therefore it is
necessary to create these flows from the traffic. SP does not rely on external
hardware (such as routers) to create flows; this task is performed internally by a
flow creation engine that exports flows to the HBAD detection engine.
The HBAD system receives 100% of the flows and monitors them on a per host
basis. Flows are associated with hosts for groups that have the ‘quarantine’
function enabled in the CLI. At this stage we do not know if the host is suspicious or
not. After monitoring the host for a few minutes, a behavioral profile is created.
This profile is compared against the five categories of malicious behavior noted
above and if the host demonstrates suspicious behavior, it is tagged for further
investigation.
If the host doesn’t display suspicious behavior it is ignored and monitoring
continues as normal.
Further investigation begins by taking a 1000-flow sample. Once collected, these
flows are analyzed and the five categories of behavior are searched for. If none of
the activities is found, the host's behavior was transient. In this case
the system continues monitoring that host. Once the hour is over, detection
resumes and the cycle repeats. If one or more activities are found, the HBAD
system checks whether SMP integration is configured. If it is, the SMP server
is queried for the subscriber name and this information is added along with the
HBAD event to the SP database; if there is no SMP integration, the subscriber IP
address is used. Once complete, a backoff period of 1 hour is implemented after
which the cycle resumes.
Note: HBAD is a host based behavioral system and should be turned on only for
hosts under your control. It is designed for subscribers or end users, and these
behavioral profiles are expected by the system. HBAD should not be used on
servers, since these machines display completely different behavioral profiles
and may be flagged as infected hosts. P2P activity on a host does not usually
demonstrate the same profile as botnet software and generally doesn’t trigger
alerts.
Similar to floods, HBAD also uses CLI configured Profiles to proactively alert
operators of events that match predefined criteria. Operators receive alerts and
can open the GUI to view further information before making a decision to mitigate
or not. In addition, the GUI has an HBAD activity page, similar to the flood activity
page, where the operator can interactively query the database for events of
interest, or view events matching DDoS Secure Profiles.


HBAD Activity Event

Figure 3-16: HBAD – Activity View (callouts: Sensors, Groups, Types, Subscriber, Minimum Rates, Target, Policy, HBAD Events)


The HBAD activity page is similar to the NBAD/activity page. Both share the
common sensors, groups, time ranges and time zone settings. In addition, both
have View-specific event types and additional DDoS Secure Policies to further limit
the query. In both Views, the operator may click on an event to drill down further
into the event analysis.
Event Types: There are five predefined event types – Addr-Scan, Flow-
Bomb, Mass-SMTP, Mass-DNS and Port-Scan. These event types relate to
the five types of malicious activity demonstrated by an infected host.
Suspicious hosts may demonstrate one or more of these behaviors.
Policy: The Policy select box lists the DDoS Secure Profiles defined in the
quarantine Policies section of the CLI. The <any/none> Policy matches
those events that didn’t match any Profile.
Further limiting the View may be achieved using the Data Filters on the far right.
These fields can be used to search for events demonstrated by a particular
subscriber or targeting a particular resource. These are especially useful for
searching for recurring events or analyzing the volume or impact infected hosts are
making on their targets. The ‘subscriber’ and ‘target’ columns in the View are
clickable and automatically enter this item into the correct Policy placement.
Subscriber: Can be IP or subscriber information queried from the SMP
(provided the SMP integration is configured). Clicking on a particular
subscriber in the View will fill the subscriber query window on the right.
Note that if detection is used without mitigation, the system will redetect
offending hosts after the one hour backoff period has expired. This is
normal and should be expected. Of course, if the host goes offline, ceases
its activity, or releases its DHCP lease, it will not reappear. If SMP is active,
the subscriber name remains consistent, so it is not relevant if the host
changes IP address.
Min Rates: These are the traffic statistics for a particular infected host –
minimum bit rate, packet rate or connection rate. Connection rate is
counted as unique flows per second.
Target: The target being attacked by the suspected host. The full target
information is in the form of IP:PORT/PROTOCOL. However, in the case of
scanning, the section that varies will appear as * because there is more than
one port being scanned, i.e. IP:*/PROTOCOL. If the protocol is not TCP or UDP it will
not appear.
Note that if * appears in the search field it does not act as a wildcard. It is
used as an argument to search for events of identical appearance.
Therefore only events that have the same “target” will be found.
HBAD Events: The table HBAD Events lists events that match the search
criteria.
Clicking on the capture ID on the left opens that event’s detailed analysis
Clicking subscriber IP or name, or target, enters that field in the Profiles.
The Subscriber name will appear alongside the IP if DDoS Secure is
integrated with an SMP. See the DDoS Secure Installation and
Administration Guide for details.
Other fields in the View include the SPS that detected this event, the
group the infected host belongs to, the time of detection, the type of
activity, the connection rate for the host, and finally the number of flows
per second for the host.


Events with more than one kind of activity are shown in the screenshot
above. Statistics for each kind of activity are shown on a line of their own,
and a summary field is shown below.
Clicking on the Capture ID opens the HBAD Event Report page. Here the
individual flows are displayed and further analysis can be conducted.

HBAD Trend

Figure 3-17: HBAD – Trend View


The HBAD Trend View is similar to the NBAD Trend View and displays a count of
selected events over a defined period of time.
The View selection includes the familiar sensors, groups, time range and time zone,
as well as HBAD-specific Data Filters such as event types. The View can chart items
such as count, bitrate/packetrate/connectionrate, and display them in a variety of
charts. Further filtering can be achieved via the minimum
bitrate/packetrate/connectionrate text boxes.
By selecting a radio button under Graph, you may choose to display one of the
following graphs in the Trend View:
Infected Sources
Event Count
Bit Rate Impact
Pkt Rate Impact
Conn Rate Impact
Infection Level
Bit Rate Impact Level
Pkt Rate Impact Level
Under By, you may choose to distribute the events based on Duration, Bit Rate,
Packet rate, the Hours the events occur at, the Days they occur on or their
Importance.
The Display value may be set to present the information as a Stacked Bar chart,
normal bar chart, Pie chart or Text Table.

HBAD Distribution

Figure 3-18: HBAD Distribution View


The HBAD Distribution View displays HBAD events sorted based on certain
parameters such as packet rate or duration. The page layout is consistent with the
rest of the GUI. At the top of the View you may set the time period covered by
the graph. On the left are the familiar Data Filters, Sensors and Groups selection
boxes and the All/Sum checkboxes. The Types select box lists the types of events
that have been detected so far.
Next you may set the minimum importance of the floods that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.
By selecting a radio button under Graph, you may choose to display one of the
following graphs in the Distribution View:
Infected Sources
Event Count
Bit Rate Impact
Pkt Rate Impact
Conn Rate Impact
Infection Level
Bit Rate Impact Level
Pkt Rate Impact Level
Under By, you may choose to distribute the events based on Duration, Bit Rate,
Packet rate, the Hours the events occur at, the Days they occur on or their
Importance.
The Display value may be set to present the information as a Stacked Bar chart,
normal bar chart, Pie chart or Text Table.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.


HBAD Event View

Figure 3-19: HBAD Event view


When selected from the menu, the HBAD Events view displays the latest event. You
may use the browse forward and backward buttons at the top of the list. The
browse next button is initially grayed out and automatically becomes available
when a new event is detected.
The top of the screen displays the familiar menu, and a DNS resolution progress
meter. The report is presented and hosts that resolve are automatically added as
they become available. The DNS resolution progress meter shows the percentage
of reverse resolved hosts already completed.
Further to the right, the event ID browser allows you to browse forwards and
backwards in the HBAD events. Finally, the timezone changer is at the far right.
Below the menu is the HBAD summary window displaying the capture ID (a unique
number incrementing by 1 for every subsequent event), SPS and group, the time of
detection and the subscriber information. Next to the subscriber’s IP number you
may click Check Blacklist to open a new browser window/tab to the site
multirbl.valli.org which aggregates blacklist checks at multiple blacklisting sites.
Also, if any DDoS Secure Profiles matched this event, their names are displayed.
If SMP integration is configured, the system automatically queries the SMP server
at event detection time for the subscriber name, which is stored in the database
along with event information. This is displayed in the subscriber field. A status field
also becomes available showing mitigation actions configured for this subscriber.
Mitigation may be changed using the ‘actions’ pulldown menu. Mitigation options
may be configured in the CLI.


The window to the right, ‘HBAD events’ shows the various activities found by
analyzing the 1000 flow captures. Some stats and summaries follow.
Finally the bottom section of the page displays all the flows, 100 per page. Each
flow has a timestamp along with the following information:
Age – the duration of the flow in seconds. This is the time difference
between the first packet of the flow and the last packet of the flow (time
[seconds] = LastFlow-FirstFlow). If the flow consists of only one packet, it
has an age of zero.
Protocol is displayed next, followed by the source port. The destination
IP:destination port is in the next column followed by the count of packets
per flow.
Byte count for the flow is displayed last. In our example each packet is 60
bytes. This is definitely a DDoS on the target web server.
Clicking on any Capture in the HBAD Event Report will drill down to the Capture
Page, giving more information concerning that Event. Packets are filtered to match
the last detected activity (e.g. spamming). Up to 300 packets and durations of up to
100 seconds are supported per capture.

Figure 3-20: Capture View


HBAD Top Sources

Figure 3-21: HBAD Top Sources


The HBAD Top Sources View displays a list of the top sources generating HBAD
events. The page layout is consistent with the rest of the GUI. On the left are the
familiar Sensors and Groups selection boxes and the Select All Items checkboxes.
The Types select box lists the types of the Events that have been detected so far.
Next you may set the minimum importance of the Events that will be displayed
followed by the Profiles select box. Here, existing DDoS Secure Profiles are listed,
allowing the display of only those Events that match filtering criteria.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
Source indicates the IP address that is generating the HBAD event.
Times Detected indicates the number of times an HBAD event originating
from that Source has been detected.
Average Bit Rate lists the average bit rate of all the HBAD events
originating from that Source.
Average Packet Rate lists the average packet rate of all the HBAD events
originating from that Source.


Average Connection Rate lists the average connection rate of all the
HBAD events originating from that Source.
Click on any of the listed Sources to open a page listing all HBAD Events originating
from that Source.

Figure 3-22: HBAD Source Events List

HBAD Top Targets

Figure 3-23: HBAD Top Targets


The HBAD/ Quarantine – Top Targets View displays a list of the top targets of
HBAD events. The page layout is consistent with the rest of the GUI. On the left
are the familiar Sensors and Groups selection boxes and the Select All Items
checkboxes. The Types select box lists the types of the Events that have been
detected so far.
Next you may set the minimum importance of the Events that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.
You may select if the Targets will be displayed as IP addresses, or as Port
numbers/Services.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
Target indicates the IP address or Port/Service that is being hit with the
HBAD event.
Times Detected indicates the number of times an HBAD event targeting
that IP/Port has been detected.
Average Bit Rate lists the average bit rate of all the HBAD events targeting
that IP/Port.
Average Packet Rate lists the average packet rate of all the HBAD events
targeting that IP/Port.
Average Connection Rate lists the average connection rate of all the
HBAD events targeting that IP/Port.
Click on any of the listed targets to open a page listing all HBAD Events targeting
that IP.

Figure 3-24: HBAD Target Events List


HBAD Mitigation

Figure 3-25: HBAD – Mitigation View


The HBAD Mitigation feature is available when DDoS Secure has been
configured to work with one or more SMPs (see the DDoS Secure Installation and
Administration Guide). Using this feature you can move an infected subscriber to a
different Service Plan in the SMP which you have previously configured for
quarantine purposes.
This report displays subscribers with mitigation applied and is only available if SMP
integration is configured.
In the ‘HBAD mitigation’ View, subscribers are displayed along with their current
plan. The action button enables change of plans for that particular user.
A select box with the available actions is displayed on the left, and a subscriber
name prefix textbox is available to the right to search a specific subscriber. When
operators change plans for a particular user, a message is sent to the SMP to
confirm the change. If the SMP responds that the user doesn’t exist, that user is
marked as deleted in the SP database and no action is taken. The ‘hide deleted’
button suppresses display of deleted subscribers.


HBAD Subscriber Info

Figure 3-26: HBAD – Subscriber Info View


The HBAD Subscriber Info screen gives detailed information on an individual
subscriber’s activities and is only available if SMP integration is configured.
In the ‘HBAD Subscriber Info’ View, a subscriber’s current status is displayed along
with a summary of their activities and a Mitigation Log indicating mitigation actions
taken and the SMP which initiated the action.
In addition, this view lists the subscriber’s Activity Types and Trends, the
Aggressiveness of their attacks and a listing of their HBAD Events which each may
be drilled down for further information.


3.4 Drill Down Views


It is possible to drill down to either an individual pattern or an individual Capture in
order to see more details by clicking on the Pattern ID or Capture ID in the HBAD or
NBAD Events Report page. Pattern IDs are only available from the NBAD Events
Report.


Pattern Page

Figure 3-27: Pattern View (callouts: Pattern Summary, Flood Summary, Timezones, Full Pattern, Pattern Chart, Packet Captures, Top TX/RX Hosts)


The Pattern page displays the result of the internal analysis. This is actionable
information that can be passed on directly to your Service Gateway to mitigate this
attack. The information is generated live from the wire; no preconfigured
signatures are required. At flood detection time a sample is taken. Subsequent
samples are captured every three minutes provided the deviation exceeds 10%.
These samples are analyzed by DDoS Secure and the ultimate result is a signature.
This page displays not only the signature in several popular formats, but also the
DPS, the result of the analysis in a very high level of detail, down to the individual
flags, headers, and payload. Signatures for the various filtering devices are
translated from this source at the highest resolution supported by the target
filtering device. The granularity of the result may vary since some vendors support
finer grain signatures than others. Allot can also export this signature in your
custom format. Please contact Allot for more information.
Note: The Cisco filter recommendations are valid for Cisco IOS version 12.4 stable,
12.3 testing and 12.2. These versions support the extended format with the
flags. Older IOS versions are incapable of filtering TCP flags.
Clicking on a relevant pattern opens the Pattern page. This is where you can view
the Deep Packet Signature (DPS), as well as its conversion into a variety of third-party
device formats.
The View Flood link opens the previous flood View page. Next is a pull-
down select box with the various patterns. Usually the most accurate
patterns are placed at the top of the patterns list on the flood View page,
and using this box you can quickly navigate to other patterns.
The timezone display config is in the top right corner.
The Flood box repeats information from the previous screen in the same
format.
The Pattern Summary box displays a summary of the current pattern:
 Pattern Identifier – a number is assigned to every unique pattern.
Pattern ids are reused, so if the pattern has been seen previously, that
id will be used in the flood. This is also a way of tracking recurring
attacks, where you can search by a particular pattern and see where it
appeared in the past.
 Search Floods - links to the flood activity page, with the pattern id
field already filled in for you. This is a very powerful feature allowing
you to search if this pattern has appeared before.
 Summary - repeats the main pattern information line from the
previous screen.
 Header octets – the number of consistent bytes in the header (blue
color)
 Payload octets – the number of consistent bytes in the payload (blue
color)
 Hosts – the ratio of source hosts to destination hosts
 Captures – the number of packet captures done in the life of the
flood. If the flood is currently active, this number may still be growing
 Alerts – if any alerts were triggered by this pattern
Full pattern or DPS - This is the pattern information displayed in the Allot
DPS format.
Consistent bytes are colored blue; these are bytes that are present
throughout the packets for this particular signature. Inconsistent or
randomized bytes are colored pink. These bytes are, for example, the
checksum, sequence number, or any other fields that might be random or
spoofed. The payload is displayed in hex (default) or ASCII.
In the IPv4 header, if a consistent IP address is detected it becomes a link
and can be clicked to open the flood activity page. The IP address is
entered as a search parameter. This is a useful feature to search for
recurring attacks to a particular host, or if a source host is a repeat
offender.
Pattern Chart - This displays the pattern (“Matched”) in pink overlaid over
the entire traffic (“Unmatched”) in green.
This chart is a measure of how accurate the pattern is.
Accurate patterns have a consistent pink section throughout the traffic,
whereas less accurate patterns (like the one in the example above), have
inconsistent or broken “pink bits”.
The captured packet samples are overlaid as yellow vertical bars and the
expected traffic as per the model is the dotted blue line.
The quality of the pattern is not a function of the analysis, but rather of
the flood itself. Floods that have relevant patterns tend to have them
throughout the flood and well pronounced. These are the easiest patterns
to mitigate.


Packet Captures - This is the same as the flood View page, with the
addition of “match”. This is the packet count that matches this particular
pattern from that packet capture.

Top TX Hosts and Top RX Hosts - Each of the IP addresses is clickable to
the flood activity page, where it fills the “address” field. The Group and
Prefix, the Autonomous System (ASN) and code of the country of origin
are displayed. If DNS is configured, the hostname section is filled with the
reverse DNS lookups of this host if the queries succeed.
Next to every IP address is a “?”. This opens up a ‘whois’ query on that IP
address.


Top TX Countries and Top RX Countries – Indicates the most prevalent
countries of origin, listing the number of packets from each and the
percentage.

Top ASN Countries and Top ASN Countries – Indicates the most prevalent
countries of origin, listing the number of packets from each and the
percentage.
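As an added illustration of the consistent/inconsistent byte split that the Full pattern (DPS) box, the Pattern Summary counts and the Packet Captures "match" column describe above (example code, not the product's DPS analysis), the following Python script builds a handful of UDP/53 packets with struct, computes which byte offsets are identical across every sample (the "blue" bytes) and which vary (the "pink" bytes), reports Header octets, Payload octets and the source:destination host ratio, and counts how many packets of a later capture fit the pattern. The 28-byte IPv4+UDP header split, the placeholder checksum values and all addresses are constructed assumptions of this example.

```python
"""Consistent-byte signature over a set of packet samples.

Added example, not Allot's DPS analysis: it demonstrates the idea the
Pattern page describes (bytes identical in every sampled packet versus
bytes that vary) on packets constructed here with struct. The 28-byte
header split (IPv4 + UDP, no options) and all sample values are assumptions.
"""
import struct

HDR_LEN = 28                                          # IPv4 (20) + UDP (8), no options
PAYLOAD = bytes.fromhex("abcd01000001000000000000")   # constructed 12-byte payload


def build_udp_packet(i: int) -> bytes:
    """Constructed UDP/53 packet number i (0..5 for the sample set): IP ID, TTL,
    source IP, source port and both checksum fields change per packet, all
    other fields stay fixed. Checksums are placeholder values, not computed."""
    total = HDR_LEN + len(PAYLOAD)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total, 1000 + 37 * i, 0, 64 - i, 17,
                     (0x1111 * (i + 1)) & 0xFFFF,
                     bytes([198, 18, 0, 10 + i]), bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", 40000 + i, 53, 8 + len(PAYLOAD),
                      (0x0101 * (i + 1)) & 0xFFFF)
    return ip + udp + PAYLOAD


def build_tcp_packet(i: int) -> bytes:
    """Constructed TCP SYN to another host, used as non-matching traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 500 + i, 0x4000, 128, 6,
                     (0x2222 * (i + 1)) & 0xFFFF,
                     bytes([198, 18, 1, i]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 30000 + i, 80, 1 + i, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def consistent_mask(packets):
    """True at every offset whose byte is identical in all packets (the
    guide's blue bytes); False where it varies (pink bytes)."""
    n = min(len(p) for p in packets)
    ref = packets[0]
    return [all(p[i] == ref[i] for p in packets) for i in range(n)]


def signature_summary(packets, hdr_len=HDR_LEN):
    """The Pattern Summary counts: consistent header and payload octets plus
    the ratio of distinct source hosts to distinct destination hosts."""
    mask = consistent_mask(packets)
    srcs = {p[12:16] for p in packets}   # IPv4 source address field
    dsts = {p[16:20] for p in packets}   # IPv4 destination address field
    return {
        "header_octets": sum(mask[:hdr_len]),
        "payload_octets": sum(mask[hdr_len:]),
        "hosts": (len(srcs), len(dsts)),
    }


def render(packet, mask):
    """Hex dump with varying bytes blanked as '..': a terminal stand-in for
    the blue/pink colouring."""
    return " ".join(f"{b:02x}" if keep else ".." for b, keep in zip(packet, mask))


def matches(packet, reference, mask):
    """A packet fits the pattern when every consistent byte agrees."""
    if len(packet) < len(mask):
        return False
    return all(packet[i] == reference[i] for i, keep in enumerate(mask) if keep)


def count_matches(capture, reference, mask):
    """The 'match' figure of the Packet Captures box for a later capture."""
    return sum(matches(p, reference, mask) for p in capture)


if __name__ == "__main__":
    samples = [build_udp_packet(i) for i in range(6)]
    mask = consistent_mask(samples)
    print(render(samples[0], mask))
    print(signature_summary(samples))
    later = [build_udp_packet(10 + i) for i in range(4)] + [build_tcp_packet(i) for i in range(3)]
    print("match:", count_matches(later, samples[0], mask), "of", len(later))
```

The IP ID, TTL, last source octet, source port and checksum fields show up as pink because they are the fields that legitimately change (or are spoofed) from packet to packet; the fixed destination, protocol, destination port and payload are what a filtering device can key on, which is why the guide treats a well pronounced consistent section as the easiest pattern to mitigate.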

Capture Page


Figure 3-28: Capture View (HBAD)


Packet captures have a life of two weeks. During this time they may be analyzed
using the built in tools or downloaded for archive or analysis with third party tools.
Once the two weeks expire, samples are automatically deleted to save database
space.
Clicking on a Capture ID in the HBAD or NBAD Events page will open the Capture
Page with additional information regarding that Capture.
DDoS Secure has a number of built in tools for sample analysis and graph
generation which may be selected from a drop-down menu at the top of the
Capture Page:
tcpdump & tcpdump hex – open the sample using this viewer
Ethereal & ethereal detail – open the sample using ‘wireshark’
Snort – run the packet sample via snort and query the snort database if
the packet sample is known. If no signatures are present, you will only see
“run time for packet processing was xxx seconds”.

Figure 3-29: Analyse: Flow view


Analyze host – view the samples based on host. Use the ‘join directions’
button to join the tx and rx directions. In this view, flows counts per flow
are displayed, along with the packet count per flow
Analyze port – display the sample according to port. Both source and
destination port are analyzed and flow data displayed. ‘join direction’ is
also available
Analyze endpoint – display the data according to endpoint.


Analyze flow – display the data as flows. This is in the form of source
address:source port -> destination address:destination port PROTOCOL
Analyze protocol – display the sample aggregated by protocol. The protocol
number is displayed too.
Analyze length – display the count of packets of preset lengths. The
granularity (scale) can be adjusted. This View is useful to understand the
spread of packet sizes within the capture. Of course, the packet sample can
be downloaded for analysis using external tools via the save capture link in
the flood View or pattern pages.

Figure 3-30: Graph: host view


Graph host – generate a graph of the sample by host. Use the ‘join
directions’ button to join the tx and rx directions. In this view, the flow
count is displayed along with the packet count per flow.
Graph port – generate a graph of the sample by port. Both source and
destination ports are analyzed and the flow data displayed. ‘join directions’
is also available.
Graph endpoint – generate a graph of the data by endpoint.
Graph flow – generate a graph of the full 5-tuple display of the flows, in
the form source address:source port -> destination address:destination port
PROTOCOL.

Graph protocol – generate a graph of the sample aggregated by protocol. The
protocol number is displayed too.
Graph length – generate a graph of the count of packets of preset lengths.
The granularity (scale) can be adjusted. This View is useful for understanding
the spread of packet sizes within the capture. Of course, the packet sample
can also be downloaded for analysis using external tools via the Save Capture
link in the Flood View or Pattern pages.
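The Analyze and Graph views listed above are all aggregations of the same packet sample keyed on the 5-tuple. The following Python is an added example, not DDoS Secure's own code: it computes the host, port, flow, protocol and length views over a small constructed packet sample, including the 'join directions' behaviour and the adjustable length granularity. The Packet record and the SAMPLE list are constructed assumptions standing in for a saved capture; the protocol numbers are the standard IANA values.

```python
"""Aggregate a packet sample into the host / port / flow / protocol / length
views described above.  Added example, not DDoS Secure code: the packet records
are constructed in memory instead of being read from a saved capture."""
from collections import Counter
from dataclasses import dataclass

# IANA IP protocol numbers for the three protocols used in the sample.
PROTO_NUMBER = {"ICMP": 1, "TCP": 6, "UDP": 17}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int  # bytes on the wire


# Constructed sample (hypothetical addresses from the documentation ranges):
# a few TCP packets from two clients towards one web server, one reply from
# the server, a DNS request/response pair and a single ICMP packet.
SAMPLE = [
    Packet("198.51.100.10", 40001, "203.0.113.5", 80, "TCP", 60),
    Packet("198.51.100.10", 40002, "203.0.113.5", 80, "TCP", 60),
    Packet("198.51.100.10", 40003, "203.0.113.5", 80, "TCP", 60),
    Packet("203.0.113.5", 80, "198.51.100.10", 40001, "TCP", 60),
    Packet("198.51.100.11", 50001, "203.0.113.5", 80, "TCP", 60),
    Packet("198.51.100.11", 50001, "203.0.113.5", 80, "TCP", 1500),
    Packet("198.51.100.11", 53000, "203.0.113.53", 53, "UDP", 78),
    Packet("203.0.113.53", 53, "198.51.100.11", 53000, "UDP", 300),
    Packet("198.51.100.12", 0, "203.0.113.5", 0, "ICMP", 98),
]


def flow_key(p):
    """The 5-tuple behind the flow view: src:sport -> dst:dport PROTOCOL."""
    return (p.src, p.sport, p.dst, p.dport, p.proto)


def analyze_flow(packets):
    """Packet count per 5-tuple flow, keyed by the view's textual form."""
    counts = Counter(flow_key(p) for p in packets)
    return {f"{s}:{sp} -> {d}:{dp} {pr}": n
            for (s, sp, d, dp, pr), n in counts.items()}


def _aggregate(packets, selector, join_directions):
    """Shared host/port aggregation: number of distinct flows and number of
    packets per (key, direction).  With join_directions the tx and rx rows
    of the same key are merged into a single 'both' row."""
    flows = {}          # (key, direction) -> set of flow keys
    pkts = Counter()    # (key, direction) -> packet count
    for p in packets:
        for key, direction in selector(p):
            row = (key, "both" if join_directions else direction)
            flows.setdefault(row, set()).add(flow_key(p))
            pkts[row] += 1
    return {row: {"flows": len(flows[row]), "packets": pkts[row]} for row in pkts}


def analyze_host(packets, join_directions=False):
    """Flows and packets per host; the source is the tx side, the destination rx."""
    return _aggregate(packets, lambda p: ((p.src, "tx"), (p.dst, "rx")),
                      join_directions)


def analyze_port(packets, join_directions=False):
    """Flows and packets per port, for both the source and destination port."""
    return _aggregate(packets, lambda p: ((p.sport, "src"), (p.dport, "dst")),
                      join_directions)


def analyze_protocol(packets):
    """Packets per protocol, with the IP protocol number shown beside the name."""
    counts = Counter(p.proto for p in packets)
    return {f"{name} ({PROTO_NUMBER[name]})": n for name, n in counts.items()}


def analyze_length(packets, granularity=64):
    """Histogram of packet sizes; each bucket spans `granularity` bytes."""
    buckets = Counter((p.length // granularity) * granularity for p in packets)
    return {f"{lo}-{lo + granularity - 1}": buckets[lo] for lo in sorted(buckets)}


if __name__ == "__main__":
    for name, view in (("flow", analyze_flow(SAMPLE)),
                       ("host (joined)", analyze_host(SAMPLE, join_directions=True)),
                       ("port", analyze_port(SAMPLE)),
                       ("protocol", analyze_protocol(SAMPLE)),
                       ("length", analyze_length(SAMPLE))):
        print(f"== {name} ==")
        for row, value in view.items():
            print(f"{row}: {value}")
```

The host and port views share one aggregation routine because the GUI offers the same 'join directions' toggle for both: without it a server appears twice (once for the packets it receives, once for what it sends), with it the two rows collapse into one. The length histogram's bucket size is the 'granularity (scale)' knob; a coarser value groups the small and the full-size packets into fewer, wider rows.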

4 Reports
Reports are collections of several different Views that can be downloaded as a
single PDF. New Reports can be assembled and generated at any time, or saved so
that they can be generated again in the future.

To create a new Report:


1. Open a View that you wish to add to a new Report.

Figure 4-1: Add Current View to Report Button


2. Click the Add Current View to Report button on the right-hand side of the
View.

Figure 4-2: Add Current View to Report Button


3. The currently selected report will appear on the upper part of the DDoS
Secure GUI, listing the name of the report (if any) and the number of
Views included in the Report. Click the red X to close the Selected Report.
4. Open any additional Views you wish to add to the selected Report and
click Add Current View to Report.
5. Click the name of the Selected Report at the top of the GUI to download
the Report as a PDF.
6. Click Edit/Save on the Selected Report listing or Selected Report from the
Reports menu to open the Report, where you may rearrange, name and
save the new report.

Figure 4-3: New Report

To download or edit an existing Report:


1. Select Report List from the Reports menu.

Figure 4-4: Report List


2. Click the name of the Report Template you wish to open as the Selected
Report.

Figure 4-5: Selected Report


3. The currently selected report will appear on the upper part of the DDoS
Secure GUI, listing the name of the report (if any) and the number of
Views included in the Report. Click the red X to close the Selected Report.
4. Once open, you may rearrange, rename and save the new report.
5. In the Auto field, you may schedule the report for automatic generation as
well as set the email address to which the automatically generated report
will be sent.
6. Click the name of the Selected Report at the top of the GUI to download
the Report as a PDF.