DDoS Secure Operation Guide R13 (16.1.50) PDF
Operation Guide
DDoS Secure Operation Guide
Version History
Each document has a version and a build number. You can tell the exact version and
build of this document by checking the top row of the table below.
Document updates are released in electronic form from time to time and the most up to
date version of this document will always be found on Allot’s online Knowledge Base.
Contents
1 Introduction to DDoS Secure  1-1
  1.1 Overview  1-1
    WHAT IS IT?  1-1
    HOW DOES IT WORK?  1-1
    WHAT ARE THE COMPONENTS?  1-1
    PROCESS FLOW  1-2
    HOW IS IT MANAGED?  1-2
  1.2 Common terms and concepts  1-3
    Botnet  1-3
    CLI  1-3
    Data Filter  1-3
    DDoS attack  1-3
    Flood  1-4
    Groups  1-4
    GUI  1-4
    HBAD  1-4
    NBAD  1-5
    Report  1-5
    DDoS Secure Profile  1-5
    Spam  1-5
    Spambot  1-5
    View  1-5
    Worm  1-5
    Zero Day Attack  1-6
    Zombies  1-6
2 DDoS Secure GUI  2-1
  2.1 Introduction  2-1
  2.2 Web browser support  2-1
  2.3 System requirements  2-2
    Operator Access  2-2
    Administrator Access  2-2
NBAD
Network Behavioral Anomaly Detection is used for identifying distributed denial of
service (DDoS) attacks.
HBAD
Host Behavioral Anomaly Detection identifies hosts (subscribers and/or IP)
exhibiting symptoms of malware infection or deliberately engaging in behavior
abusive of acceptable use policies.
PROCESS FLOW
In the event of misbehaving hosts, SPC communicates directly with one or more
Allot Subscriber Management Platforms (SMP) to trigger enforcement policies on
the subscriber. Enforcement policies are determined by preconfigured subscriber
service plans designed to notify the subscriber of their misbehavior via HTTP
redirection to a captive portal and/or throttling or blocking all traffic or selected
traffic. For example, spamming behavior is controlled by blocking 25/TCP for the
subscriber to prevent spam leaking out of the network. The SPC is also
integrated with Allot NetXplorer in order to provide IP based enforcement in a
similar fashion.
In HBAD Mitigation, SPS detects an HBAD anomaly within the network and sends
that information to the SPC. The SPC resolves the name of the subscriber from the
SMP then tells the SMP to change the service plan of the offending subscriber.
In NBAD Mitigation, the SPS detects incoming anomalies and sends a report to the
SPC. The SPC then extracts the attack pattern and sends the information to the
In-line Platform for mitigation.
In the event of DDoS or network flooding, the SPC communicates directly with the
In-line Platform to transfer the filtering pattern.
HOW IS IT MANAGED?
A typical DDoS Secure deployment will have a cluster of Sensors (Service Gateway
or standalone sensor) managed by a single SPC. The SPC has a web and CLI based
management interface where operators and administrators can connect for the day
to day operation, as well as administration of the system. This interface is also used
to communicate with the various Service Gateways or standalone sensor units on
the network. Users connect via secured protocols such as SSH and HTTPS.
Sensors have a management interface for communications with SPC. SPS will have
several Ethernet monitoring interfaces including 10/100/1000 copper, 1GE fiber
and 10GE fiber interfaces. Monitoring interfaces receive traffic non-intrusively via
network taps or span/mirror ports.
A Sensor embedded on a Service Gateway does not connect directly to any links as
it is integrated with the regular In-line Platform packet processing flow.
In this guide, all operational procedures for working with DDoS Secure and
generating views will be outlined.
Botnet
The Internet has become a dangerous place. At one time you had to download
infected software in order to get a virus infection. Today, simply visiting a website
or receiving a malicious email is enough to infect an unprotected computer.
Botnets are networks of infected hosts that collectively create huge reservoirs of
spare processing power. These machines are then used to launch DDoS attacks,
send spam, or search for other machines to infect.
CLI
The Command Line Interface, or CLI, is the administrative portal for the system.
This is where the system administrator performs initial setup, and where the
underlying configuration is performed. System operators do not require access to
the CLI, and depending upon your administrator, probably won't receive CLI
permissions. For more information see the DDoS Secure Installation and
Administration Guide.
Data Filter
Drop down menus at the top of each View, allowing you to control the data to be
displayed.
DDoS attack
A distributed denial-of-service (DDoS) attack is one in which a multitude of
compromised systems (aka zombies) attack a single target, thereby causing denial
of service for users of the targeted system. The flood of incoming messages to the
target system essentially forces it to shut down, thereby denying legitimate users
access to the system.
Flood
Network floods are a way to clog the network infrastructure (Bandwidth
consumption) or to overwhelm a service.
Groups
Subnet groups, or simply groups, are the basis for all traffic classification within
DDoS Secure. The system is designed to present information to the user with human
readability in mind. Grouping is a method of creating logical collections of addresses
that perform a similar task from the point of view of the operator. Simply put, the
operator will find it easier to understand a group called "DSL Customers", rather than
a bunch of IP addresses or a few subnet prefixes. Grouping allows the administrator to
group several prefixes into a single, easy to understand entity. So instead of simply
naming subnet prefixes then managing several of these, grouping allows the
creation of a single group, then the addition of one or more prefixes to it. The
secret of effectively using DDoS Secure is to get the grouping correct from the very
beginning. Groups are set up by an administrator.
Groups should be configured in a manner that provides sufficient diversity in terms
of traffic types: TCP, DNS, other UDP, etc. For example, a group containing only
DNS servers might make sense from a customer’s POV, but may not exhibit
sufficiently diversified traffic types from NBAD’s perspective, as it may only contain
DNS traffic.
GUI
The Graphical User Interface. This is where operators will view traffic charts, NBAD
and HBAD Views and receive information from the system. The GUI is secured and
is visible via https on a web browser.
HBAD
Host Behavioral Anomaly Detection. HBAD, or Quarantine, detects subscribers
infected with botnet software according to their behavioral patterns. Infected
machines frequently demonstrate huge numbers of connections to the network,
and these profiles are used for detection.
NBAD
Network Behavioral Anomaly Detection. NBAD, or floods, is used to detect incoming
attacks. NBAD is the exact opposite of HBAD. While HBAD detects the infected
machines in your network launching attacks, NBAD detects incoming attacks,
usually resulting from infected machines on the Internet or on your own network.
Report
A collection of views, downloaded as a PDF.
Spam
Unsolicited e-mail. Usually either mass e-mailings by commercial sites to recipients
who have not requested any contact, or e-mails sent to intentionally annoy or
harass the recipient, including crashing his or her computer by overloading its
e-mail capacity. Sending large volumes of spam might cause an ISP to be blacklisted as
a mail relay spammer.
Spambot
A (usually) compromised machine sending spam.
View
A single DDoS Secure graph or page.
Worm
A computer worm is a self-replicating computer program. It uses a network to send
copies of itself to other computers and it does so without any user intervention. It
does so by exploiting unknown, undisclosed or unpatched computer application
vulnerabilities.
Zombies
A zombie computer (often shortened as zombie) is a computer attached to the
Internet that has been compromised by a hacker (who uses a worm, a virus, or a
Trojan horse). Most owners of zombie computers are unaware that their system is
being used in this way.
Operator Access
Operators typically manage the system using only the GUI for seeing Views. They
will require a workstation with a web browser. Cookies and JavaScript must be
enabled. The GUI is served via HTTPS on TCP port 443.
Administrator Access
Administrators will use both the CLI and the GUI. The GUI will require a
workstation with a web browser. Cookies and JavaScript must be enabled. The CLI
will require a secure shell client, using TCP port 22. On Windows several SSH client
packages exist; PuTTY and Poderosa are examples of free SSH software. On Linux or
Unix, the client is usually simply known as ssh. Several commercial packages are available too.
Alerts Reception
A typical DDoS Secure system will be configured to send alerts when predefined
events occur. This is a proactive means by which operators can be notified on the
detection of floods and other important events. Alerts can be sent via any of the
following three transport mechanisms, Email, Syslog and SNMP, in any combination, and
to any number of recipients.
Email Alerts
The SPC can send emails to one or more designated recipients. A valid email address
must be supplied, in addition to a mail server reachable by the SPC. The recipient
obviously requires a means of reading mail.
Syslog alerts
The SPC can send syslog messages. A server capable of receiving syslog messages is
required. Syslog messages are sent on UDP port 514.
SNMP alerts
The SPC can send SNMP traps. An SNMP server is required. Traps are sent to UDP
port 162.
The administrator can control user access with fine granularity and may limit
access to specific SPS units and specific groups. For more information see the
DDoS Secure Installation and Administration Guide.
Note: Stats are calculated based on data from the last 24 hours, and the Dashboard
includes information about the change from the previous 24 hours.
Top Attackers/Targets
Top Attacker is the top source IP that generated the DDoS attack.
Top Target is the IP most attacked by DDoS events.
Top Attackers/Targets are presented by number of events.
The Top Attackers/Targets visual display is a horizontal bar chart, so that
the IP addresses can be read easily.
Top Attackers/Targets are based on last week's attack information,
excluding attacks classified as Importance == Ignore.
Click on the Options button to switch between Attackers and Targets.
DDoS Attacks
Displays the top attacks distributed by attack type.
Click on the Options button to switch between:
Events – total number of events
Bandwidth – total bandwidth
Packets per second – total PPS
DDoS Attacks are based on last week's data.
Recent Attacks
Displays the top recent attacks over the last week.
The default display is the top 10 attacks, but from the drop down menu
you can opt to display 10, 25, 50 or 100 attacks.
100 attacks displays the most recent 100 attacks chronologically.
10, 25 and 50 attacks display the top attacks according to the selected
priority from the last 100 attacks chronologically.
Recent attacks are displayed in a table format including the following
columns:
Date – date and time
Attack – attack name
Group – protection group on which the attack was detected
Importance
Status – attack status: Active or Idle
Data Filters
Several Data Filters are found in the upper portion of each page or View. These
may vary depending on the specific Data Filters required. Some of the more
common are listed below:
Sensors and Sensor Clusters – Devices physically connected to the network
and monitoring traffic.
Note: Sensor clusters are groups of sensors that are treated by DDoS Secure as a
single sensor for the purpose of NBAD detection and mitigation. Clusters are
created and configured via the CLI only. For information see the DDoS Secure
Installation and Administration Guide.
Groups – Logical collections of network prefixes
Time range – Preset or user selected times
Timezone – Displays the View in the selected timezone. By default the SPC
time zone is used; it can be changed using this control.
Chart options – Several different ways of displaying the requested View,
usually appearing as a series of radio buttons.
View-specific controls – Other controls that are unique to the View being
requested, such as Protocols or Direction.
[Figure: screen layout showing the Main Menu, Time Range, Data Filters, Chart Options and Graph Controls (Traffic Views)]
The Sum Selected Items button is depicted as a sigma sign. It collects the
information from all the marked items and joins their values into a single
trace.
Navigation Example
Graph Controls
Inspect Mode – click to select points or mark areas. NBAD and HBAD
events within the marked areas will be listed below the chart. More than
one area can be selected.
Pan Mode – Click and drag the chart to pan left and right.
Zoom In – Mark the area requested and the chart updates to match.
When this mode is activated, you may click on any area of a graph to zoom
in to that spot. Double clicking this button zooms in 3x.
Zoom Out – Click and hold, then move the mouse to one side to zoom
out. Double clicking this button zooms out 3x.
View Generation
Select the SPS units and Groups to include in this View, the protocols you wish to plot
and the direction of the traffic.
You can display one of four traffic statistics:
Bit rate
Byte rate
Packet rate (Pkt rate)
Average packet size (Pkt size)
The data can be plotted in a variety of charts: Area chart, Line chart (linear or
Log) or Plain text. The plain text can be exported to software such as Excel. You
can select either a preset time range, or customize your own. Use the ‘before now’
preset to provide a constantly updating chart of the last X time, or the ‘starting at’
to display a fixed time.
The Select All Items checkbox (represented by an asterisk) on the select boxes
selects all items in the list and the Sum Selected Items checkbox (represented by a
sigma symbol) aggregates data from the selected items.
Once a selection has been made, click the Update button to update the View with
your selected data. Views that use the ‘before now’ option will auto update every
minute; a countdown timer is displayed in the button. Views that have a “starting
at” time do not update since the time range is fixed anyway.
Once the View appears, use ‘inspect mode’ to see NBAD events during a selected
time. The top 5 events will be displayed for each selection.
Clicking that event takes you to the NBAD Event Report page for that event.
Traffic Trend
3.2 NBAD
The NBAD/floods detection feature is designed for the detection of DDoS attacks but
is applicable to network flooding events in general, such as worm propagation
activity and excessive connections from one IP address to another.
NBAD detection technology is explained as follows:
Network behavior can be modeled in terms of various combinations of
layer 3 and 4 network packet rate statistics of incoming and outgoing
traffic (or ‘network ratios’).
Under normal conditions, the network ratios are largely time invariant and
remain invariant despite flash crowds, downloads and daily peaks and
troughs in normal (non-attack) traffic.
However, DDoS attacks, connection/packet flooding events and
dramatic levels of address scanning (usually associated with outbreaks of
zero-day worms) will cause abnormal spikes in the network ratios.
These events are invariably found to cause anomalies in network ratios
(but not all anomalies are attacks!).
Network flooding attacks are differentiated simply by the fact that they
produce dramatic anomalies in the network ratios.
Compared with other anomaly detection approaches that analyze flow data, Allot
DDoS Secure has a superior approach because it will not suffer from secondary
flooding due to excessive flow records generated during flooding attacks, does not
impact the router in any way, and can extract more granular filtering patterns
directly from captured packets.
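To make the network-ratio idea concrete, here is an added example (not Allot's detection code) that learns an expected value for two assumed ratios from a window of constructed packet counters and reports the intervals whose deviation from the expected value exceeds an assumed threshold; the ratio definitions, the learning window and the 200% threshold are all assumptions made for the example.

```python
# Added illustration of the "network ratio" idea; not Allot's code. The ratio
# definitions, the learning window and the threshold are assumptions.
from statistics import median

# Constructed per-interval layer-3/4 packet-rate counters (packets per second).
# Intervals 0-5 are normal traffic; interval 3 is a flash crowd in which inbound
# and outbound rates grow together. Intervals 6-7 are a SYN flood: inbound SYNs
# explode while outgoing SYN/ACKs and total outbound traffic do not keep pace.
SAMPLE_COUNTERS = [
    {"in_syn": 100, "out_synack": 98, "in_pkts": 5000, "out_pkts": 4800},
    {"in_syn": 110, "out_synack": 108, "in_pkts": 5200, "out_pkts": 5000},
    {"in_syn": 95, "out_synack": 94, "in_pkts": 4900, "out_pkts": 4700},
    {"in_syn": 400, "out_synack": 395, "in_pkts": 20000, "out_pkts": 19500},  # flash crowd
    {"in_syn": 105, "out_synack": 104, "in_pkts": 5100, "out_pkts": 4950},
    {"in_syn": 98, "out_synack": 97, "in_pkts": 4950, "out_pkts": 4800},
    {"in_syn": 50000, "out_synack": 400, "in_pkts": 60000, "out_pkts": 5000},  # SYN flood
    {"in_syn": 65000, "out_synack": 410, "in_pkts": 75000, "out_pkts": 5100},  # SYN flood
]


def network_ratios(counters):
    """Two example ratios of incoming to outgoing packet-rate statistics."""
    return {
        "syn_to_synack": counters["in_syn"] / max(counters["out_synack"], 1),
        "in_to_out": counters["in_pkts"] / max(counters["out_pkts"], 1),
    }


def learn_expected(window):
    """Expected value of each ratio: the median over a learning window.

    The median keeps a single flash-crowd interval from dragging the baseline,
    although, as the sample shows, a flash crowd barely moves the ratios anyway.
    """
    rows = [network_ratios(c) for c in window]
    return {name: median(r[name] for r in rows) for name in rows[0]}


def deviation_pct(observed, expected):
    """Deviation of an observed ratio from its expected value, in percent."""
    return (observed - expected) / expected * 100.0


def detect_anomalies(counters, expected, threshold_pct=200.0):
    """Return (interval, ratio name, deviation %) for every ratio spike.

    A flash crowd scales inbound and outbound traffic together, so its ratios
    stay flat and it is not reported; a flood breaks the ratio and is reported.
    """
    hits = []
    for i, c in enumerate(counters):
        for name, value in network_ratios(c).items():
            dev = deviation_pct(value, expected[name])
            if dev > threshold_pct:
                hits.append((i, name, round(dev, 1)))
    return hits


if __name__ == "__main__":
    expected = learn_expected(SAMPLE_COUNTERS[:6])
    for hit in detect_anomalies(SAMPLE_COUNTERS, expected):
        print("interval %d: %s deviates by %.1f%%" % hit)
```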
NBAD Activity
Attack Types
DDoS Secure has several built-in flood types that appear in the Types drop down
menu. By default, no actual flood names appear in the list - they are added upon
detection.
The built-in flood types are:
ID         DESCRIPTION
ack        Incoming TCP ACK without data flood
ack-data   Incoming TCP ACK with data flood
fin        Incoming TCP FIN flood
frag       Incoming fragmented packet flood
icmp       Incoming ICMP flood
other      Incoming OTHER (not TCP, UDP or ICMP) flood
ping       Incoming PING (ICMP echo request) flood
pong       Incoming PONG (ICMP echo reply) flood
rst        Incoming TCP RST flood
syn        Incoming TCP SYN flood
TCP-inval  Incoming invalid TCP flood
udp        Incoming UDP flood
unr        Incoming UNR (ICMP destination unreachable) flood
out-ack    Outgoing TCP ACK without data flood
out-unr    Outgoing UNR (ICMP destination unreachable) flood
Next is the Profiles select box. Here, existing DDoS Secure Profiles are listed,
allowing the display of only those floods that match filtering criteria. Detailed DDoS
Secure Profiles are defined in the CLI and provide superior filtering capabilities to
those of the GUI.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest.
Minimum Bit rate and Minimum Pkt rate filter out floods whose traffic
volumes fall below this value. The % textbox describes the flood's
deviation percentage from the expected value.
Min Duration textbox accepts values in seconds. This is the minimum
flood duration that will be included in the View. The longest flood is 60
minutes, after which tracking ceases.
Min Shape Sev Data Filter defines the minimum shape severity a flood must
have to be added to the View. Every flood is assigned a Shape severity. This is
a value from 0 to 4 and describes how much the flood resembles a
deliberate attack. The higher values of 3 and 4 are the most significant and
deserve the most attention.
Pattern ID textbox accepts pattern ids and is useful for searching the
floods database for specific patterns. This is especially useful
when analyzing attacks and you need to know if the attack has occurred in
the past.
IP Endpoint textbox narrows the search to floods where the stated
endpoints appeared in a detected pattern.
Payload limits the search to floods where the stated payload portion
appeared in a detected pattern.
Running a simple View provides a number of events. Active events are always
displayed at the top, followed by the rest of the events sorted by the selected
order. Columns with the ‘*’ mark can be sorted in ascending or descending order.
The sorted column and sort order is displayed using a blue arrow on that column.
NBAD Trend
NBAD Distribution
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
Below the Charts window is the Mitigation State window, displaying the
current Mitigation actions of each Service Gateway and allowing the user
to select the Pattern, Mitigation Action and the time period (while flood
lasts, for 30 minutes, for 60 minutes, for 2 hours, indefinitely) for the
Mitigation.
PARAMETER: Host/Subnet
VALUES: Shows the list of hosts and the status of each host. For each host the
following attributes are shown:
Check box – Used to select the host in order to either trigger or withdraw
this host (there is a global checkbox to select/unselect all hosts at once).
IP address – IP address of the rx host. IP subnets are created out of the rx
hosts.
Group/Prefix – Group name and prefix name related to this rx host.
Name – Domain name of the host.
BW % – Percentage of pattern traffic going to this host. A high percentage
would indicate this host should be triggered.
State – Shows the state in the event (local) and the global state (in all
other events). Global state shows only if this host is triggered in any other
event in the system or if no trigger (None) is activated on that host in other
events.
None – No action taken on this host.
Triggered <policy_name> – Advertised to BGP neighbors. If the trigger was
done automatically through a policy, the policy name appears in the state.
Withdrawn – Triggered host was withdrawn.
Last change – Shows the time (YYYY-MM-DD HH:MM) when the host last
changed its state. If there was no state change for this host, the time is
shown as N/A.
Withdraw ET – Shows the expected time (YYYY-MM-DD HH:MM) at which the
triggered host is going to be withdrawn (if the host state is None/Withdrawn,
the time is shown as N/A).
PARAMETER: Withdraw timeout
VALUES: Selects the timeout that is set for host withdrawal. There are several
preset timeout values: 10/20/60 minutes or 2/6/24/48 hours.
PARAMETER: Subnet
VALUES: Shows the list of subnets and the status of each subnet. For each
subnet the following attributes are shown:
Check box – Used to select the subnet in order to either trigger or withdraw
this subnet (there is a global checkbox to select/unselect all subnets at once).
IP address – IP address of the subnet.
Group/Prefix – Group name and prefix name related to this rx subnet.
BW % – Percentage of pattern traffic going to this subnet. A high percentage
would indicate this subnet should be triggered.
State – Shows the state in the event (local) and the global state (in all
other events). Global state shows only if this subnet is triggered in any
other event in the system or if no trigger (None) is activated on that subnet
in other events.
None – No action taken on this subnet.
Triggered <policy_name> – Advertised to BGP neighbors. If the trigger was
done automatically through a policy, the policy name appears in the state.
Withdrawn – Triggered subnet was withdrawn.
Last change – Shows the time (YYYY-MM-DD HH:MM) when the subnet last
changed its state. If there was no state change for this subnet, the time is
shown as N/A.
Withdraw ET – Shows the expected time (YYYY-MM-DD HH:MM) at which the
triggered subnet is going to be withdrawn (if the subnet state is
None/Withdrawn, the time is shown as N/A).
PARAMETER: Withdraw timeout
VALUES: Selects the timeout that is set for subnet withdrawal. There are
several preset timeout values: 10/20/60 minutes or 2/6/24/48 hours.
The Patterns section displays the various patterns that were detected
during the flood. The system automatically orders patterns by relevance
and places the most relevant patterns on the top.
Some of the ports listed will also be indicated by the name of the service
generally associated with that port appearing in parentheses. These
include such ports as port 80 = HTTP, port 53 = DNS, port 22 = SSH, port 21
= FTP and so on.
Format: Source IP: source port -> destination IP: destination port
protocol signature length
To the right, the header and payload signature lengths are displayed
(these are the number of consistent bytes in the header and payload – the
“blue” bytes), then the pattern relevance and finally a host count. The
pattern relevance displays how relevant the pattern is to the overall flood.
When calculating the relevance, the algorithm checks if the pattern
accounts for the “deviation” but not the “expected” part of the flood.
After all, the deviation is the anomalous portion of the flood and should
be depicted by the pattern. In addition, we calculate this for the entire
length of the flood, and a more relevant pattern should cover a larger
portion, if not all of the flood.
The hosts count displays the number of source hosts talking to the count
of destination hosts. A large number of sources to a low number of
destinations resembles a DDoS attack, whereas a single host talking to
multiple destinations seems like scanning activity.
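As an added illustration (not Allot's scoring algorithm) of the relevance and host-count ideas above, the following code scores constructed patterns by the share of a flood's deviation, over its whole length, that each pattern explains, and reads the sources-to-destinations count the way the text describes; the scoring rule, the pattern ids and the host-count thresholds are assumptions made for the example.

```python
# Added illustration of pattern relevance and host counts; not Allot's code.
# Scoring rule: credit a pattern only for the part of its traffic that rises
# above its own pre-flood level, and never for more than the flood's deviation
# in that interval. Pattern ids and thresholds are placeholders.

def interval_deviation(expected, observed):
    """Anomalous part of one interval: the observed rate above the expected rate."""
    return max(observed - expected, 0)


def pattern_relevance(expected, observed, pattern_baseline, pattern_matched):
    """Share of the flood's deviation, over its whole length, that a pattern explains.

    expected/observed -- modelled and measured rate (pps) per interval of the flood
    pattern_baseline  -- rate of traffic matching the pattern before the flood
    pattern_matched   -- rate of traffic matching the pattern per interval
    Traffic the pattern matched at its pre-flood level is 'expected' traffic
    and earns no credit; only the excess counts, capped at the flood's deviation.
    """
    total_dev = 0.0
    covered = 0.0
    for exp, obs, matched in zip(expected, observed, pattern_matched):
        dev = interval_deviation(exp, obs)
        pattern_excess = max(matched - pattern_baseline, 0)
        total_dev += dev
        covered += min(pattern_excess, dev)
    return covered / total_dev if total_dev else 0.0


def rank_patterns(expected, observed, patterns):
    """Order patterns by relevance, most relevant first.

    patterns: {pattern_id: (pre-flood pps, [matched pps per interval])}
    """
    scored = {pid: pattern_relevance(expected, observed, base, matched)
              for pid, (base, matched) in patterns.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def host_shape(src_hosts, dst_hosts, many=50):
    """Rough reading of the 'sources -> destinations' host count (threshold assumed)."""
    if src_hosts >= many and dst_hosts < many:
        return "ddos-like"          # many sources hammering few targets
    if src_hosts == 1 and dst_hosts >= many:
        return "scan-like"          # one host touching many targets
    return "indeterminate"


# Constructed flood: five intervals, rates in packets per second.
EXPECTED = [1000, 1000, 1000, 1000, 1000]
OBSERVED = [1000, 6000, 9000, 9000, 4000]

# Constructed patterns (placeholder ids): (pre-flood rate, matched rate per interval).
PATTERNS = {
    "P-syn-dport80": (50, [50, 5050, 8050, 8050, 3050]),    # tracks the deviation exactly
    "P-dns-dport53": (300, [300, 310, 300, 2300, 300]),     # one burst, mostly baseline traffic
    "P-http-dport80": (400, [400, 400, 400, 400, 400]),     # steady pre-existing traffic
}

if __name__ == "__main__":
    for pid, score in rank_patterns(EXPECTED, OBSERVED, PATTERNS):
        print("%-15s relevance %.2f" % (pid, score))
    print(host_shape(3500, 1), host_shape(1, 900))
```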
The last portion of the screen shows the Packet Captures that occurred
during the flood.
Packet captures are taken once every three minutes, to the maximum life
of a flood of one hour. Shorter floods will have fewer samples. Packet
samples may not be taken at all if the deviation is smaller than 10%.
Each packet capture displays a Capture ID, the capture timestamp, the
deviation from the model in percent, the number of packets, their size,
and finally a link to download the capture.
The All Packets link at the very bottom includes all packets from the entire
life of the flood.
Average Bit Rate lists the average bit rate of all the NBAD events
originating from that Source.
Average Packet Rate lists the average packet rate of all the NBAD events
originating from that Source.
Clicking on any of the listed Sources will open a Flood Activity View listing all floods
originating from that Source.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
Target indicates the IP address that is being hit with the NBAD event.
Times Detected indicates the number of times an NBAD event targeting
that IP has been detected.
Average Bit Rate lists the average bit rate of all the NBAD events targeting
that IP.
Average Packet Rate lists the average packet rate of all the NBAD events
targeting that IP.
Clicking on any of the listed Targets will open a Flood Activity View listing all floods
targeting that IP.
NBAD Mitigation
NBAD mitigation provides surgical filtering of network floods on Allot Service
Gateway platforms which are running Allot Operating System (AOS).
Note: NBAD Mitigation requires a separate software license per platform.
AOS Host column lists NBAD mitigation devices, which may be Service
Gateway platforms or NetEnforcer devices.
Patterns indicates applied patterns as an absolute value and as a
percentage of the maximum number of patterns.
Memory indicates the memory used for filtering in both absolute value
(Bytes) and percentage of available memory.
Blocked bytes indicates the number of bytes that have been blocked by
this mitigation device.
Blocked pkts indicates the number of packets that have been blocked by
this mitigation device.
State provides information on the state of the NBAD mitigation device.
Since indicates the date and time of the last change to the State.
In addition, recent mitigation activity is displayed in a graph for each NBAD
mitigation device. Filtered traffic is counted and the packet rate and bit rate of
filtered traffic are displayed over time. Empty charts are not displayed.
Below the list of NBAD mitigation devices, NBAD Mitigation Requests are listed.
This view is pattern centric:
Applied at indicates the date and time at which the pattern was applied.
Pattern indicates the pattern id, which can be viewed by clicking on the
pattern number.
State is a summary of the number of NBAD mitigation locations where
patterns are active.
AOS Host is the name or IP of the NBAD mitigation device.
Details indicate the status of the pattern, such as whether it is active or
removed, and any additional information relating to the NBAD mitigation
device.
Floods lists the ids of flood events which were/are affected by the
pattern; each flood can be viewed by clicking on the flood id number, and
blocking can be individually managed on the relevant flood page.
Action provides the operator, if applicable, with an option to manually
remove the block on all applicable devices.
3.3 HBAD/Quarantine
HBAD or host behavioral anomaly detection is a technology developed for
detecting infected hosts or subscribers.
HBAD technology is explained as follows:
Hosts are identified by tracking all outbound connections from the
network; misbehaving hosts will exhibit abnormally elevated and
sustained outbound connections.
Moreover, the connection patterns can be matched to common profiles of
infected or abusive behavior.
Such misbehavior is categorized as address scanning, port scanning,
connection flooding, and excessive connections to 25/TCP (SMTP) and 53/UDP
(DNS).
The SMTP and DNS categories are associated with spamming.
By monitoring all outbound connections, Allot DDoS Secure provides superior
visibility of misbehaving hosts over approaches that use sampled flow data since
the host connections can easily fall between samples. The problem with using
sampled flow data worsens in high throughput networks where the practical use of
flow data requires increasingly larger sampling intervals. Correspondingly, visibility
of individual host activity worsens with increasing sampling interval. Allot DDoS
Secure does not suffer from such flow sampling constraints.
Once groups have been set up, the ‘quarantine’ option is turned on for that group,
effectively enabling HBAD detection. From this point on, flow records are collected
for IPs falling under these groups.
Flows for every host are analyzed and the behavioral profile of the host is
inspected. If suspicious behavior is detected, a capture of 1000 flows is initiated for
that host.
Once the capture is complete the flows are analyzed and if suspicious behavior is
found, the following five activity types are classified:
Flow-Bomb – Multiple connections from the suspect host at different
ports to another single host at a single port.
Addr-Scan – Connections from one host to multiple hosts on a single port.
HBAD Workflow
SPS units are connected passively to monitor traffic. 100% of the traffic is
monitored by both the NBAD and HBAD systems. While the NBAD system receives
100% of the packets, the HBAD system uses 100% of the flows; therefore it is
necessary to create these flows from the traffic. SP does not rely on external
hardware (such as routers) to create flows; this task is performed internally by a
flow creation engine that exports flows to the HBAD detection engine.
The HBAD system receives 100% of the flows and monitors them on a per host
basis. Flows are associated with hosts for groups that have the ‘quarantine’
function enabled in the CLI. At this stage we do not know if the host is suspicious or
not. After monitoring the host for a few minutes, a behavioral profile is created.
This profile is compared against the five categories of malicious behavior noted
above and if the host demonstrates suspicious behavior, it is tagged for further
investigation.
If the host doesn’t display suspicious behavior it is ignored and monitoring
continues as normal.
Further investigation begins by capturing a sample of 1000 flows. Once collected,
these flows are analyzed and the five categories of behavior are searched for. If
none of the activities is found, the host only exhibited transient behavior; in this
case the system continues monitoring that host, and once the hour is over,
detection resumes and the cycle repeats. If one or more activities are found, the
HBAD system checks whether SMP integration is configured. If it is, the SMP server
is queried for the subscriber name and this information is added, along with the
HBAD event, to the SP database; if there is no SMP integration, the subscriber IP
address is used. Once complete, a backoff period of 1 hour is applied, after
which the cycle resumes.
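As an added illustration of the capture-and-classify step described above (this is not Allot's code and does not reflect the product's real thresholds or internals), the following Python sketch builds per-host tables from a 1000-flow capture, labels Flow-Bomb, Addr-Scan, Port-Scan and excess SMTP/DNS activity with targets rendered as IP:PORT/PROTOCOL, and applies the one-hour backoff. The thresholds MIN_DISTINCT and MIN_MAIL_DNS, the Port-Scan/SMTP/DNS labels and the flow-tuple layout are assumptions; the guide itself names only Flow-Bomb and Addr-Scan and publishes no thresholds.

```python
from collections import Counter, defaultdict
CAPTURE_SIZE = 1000       # flows captured per suspect host (per the guide)
BACKOFF_SECONDS = 3600    # one-hour backoff after an event (per the guide)
MIN_DISTINCT = 50         # assumed: distinct hosts/ports that make a scan or bomb
MIN_MAIL_DNS = 100        # assumed: 25/TCP or 53/UDP flows that count as excessive
EXCESS = {(25, "TCP"): "SMTP", (53, "UDP"): "DNS"}   # spam-associated categories

def classify(flows):
    """flows: (src, sport, dst, dport, proto) tuples from ONE host's capture.
    Returns [(activity, target)], target as IP:PORT/PROTOCOL, '*' = scanned."""
    by_dst_port = defaultdict(set)   # (dst, dport, proto) -> source ports seen
    by_port = defaultdict(set)       # (dport, proto)      -> destination hosts
    by_dst = defaultdict(set)        # (dst, proto)        -> destination ports
    excess = Counter()               # (dport, proto)      -> flow count
    for _src, sport, dst, dport, proto in flows:
        by_dst_port[(dst, dport, proto)].add(sport)
        by_port[(dport, proto)].add(dst)
        by_dst[(dst, proto)].add(dport)
        excess[(dport, proto)] += 1
    events = []
    # activity name, table to inspect, and how its target is rendered
    checks = [("Flow-Bomb", by_dst_port, lambda k: f"{k[0]}:{k[1]}/{k[2]}"),
              ("Addr-Scan", by_port, lambda k: f"*:{k[0]}/{k[1]}"),
              ("Port-Scan", by_dst, lambda k: f"{k[0]}:*/{k[1]}")]
    for activity, table, target in checks:
        for key, seen in table.items():
            if len(seen) >= MIN_DISTINCT:
                events.append((activity, target(key)))
    for key, activity in EXCESS.items():
        if excess[key] >= MIN_MAIL_DNS:
            events.append((activity, f"*:{key[0]}/{key[1]}"))
    return events

class HbadMonitor:  # per-host: capture -> classify -> one-hour backoff
    def __init__(self):
        self.captures = defaultdict(list)
        self.backoff_until = {}
    def observe(self, now, flow):
        src = flow[0]
        if self.backoff_until.get(src, 0) > now:
            return None                        # host is still in its backoff hour
        buf = self.captures[src]
        buf.append(flow)
        if len(buf) < CAPTURE_SIZE:
            return None                        # capture not complete yet
        events = classify(buf)
        buf.clear()
        if events:                             # [] means only transient behavior
            self.backoff_until[src] = now + BACKOFF_SECONDS
        return events
```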
Note: HBAD is a host-based behavioral system and should be turned on only for
hosts under your control. It is designed for subscribers or end users, and these
behavioral profiles are expected by the system. HBAD should not be used on
servers, since these machines display completely different behavioral profiles
and may be flagged as infected hosts. P2P activity on a host does not usually
demonstrate the same profile as botnet software and generally doesn’t trigger
alerts.
Similar to floods, HBAD also uses CLI-configured Profiles to proactively alert
operators of events that match predefined criteria. Operators receive alerts and
can open the GUI to view further information before deciding whether to mitigate
or not. In addition, the GUI has an HBAD activity page, similar to the flood activity
page, where the operator can interactively query the database for events of
interest, or view events matching DDoS Secure Profiles.
[Screenshot: HBAD View with the panels Minimum Rates, Sensors, Target, Policy and HBAD Events]
making on their targets. The ‘subscriber’ and ‘target’ columns in the View are
clickable and automatically enter this item into the correct Policy placement.
Subscriber: Can be IP or subscriber information queried from the SMP
(provided the SMP integration is configured). Clicking on a particular
subscriber in the View will fill the subscriber query window on the right.
Note that if detection is used without mitigation, the system will redetect
offending hosts after the one hour backoff period has expired. This is
normal and should be expected. Of course, if the host goes offline, ceases
its activity, or releases its DHCP lease, it will not reappear. If SMP is active,
the subscriber name remains consistent, so it is not relevant if the host
changes IP address.
Min Rates: These are the traffic statistics for a particular infected host –
minimum bit rate, packet rate or connection rate. Connection rate is
counted as unique flows per second.
Target: The target being attacked by the suspected host. The full target
information is in the form of IP:PORT/PROTOCOL. However, in the case of
scanning, the scanned part of the target appears as * because more than one
port is being scanned, i.e. IP:*/PROTOCOL. If the protocol is not TCP or UDP it
will not appear.
Note that if * appears in the search field it does not act as a wildcard. It is
used as an argument to search for events of identical appearance.
Therefore only events that have the same “target” will be found.
HBAD Events: The HBAD Events table lists events that match the search
criteria.
Clicking on the capture ID on the left opens that event’s detailed analysis.
Clicking a subscriber IP or name, or a target, enters that field in the Profiles.
The Subscriber name will appear alongside the IP if DDoS Secure is
integrated with an SMP. See the DDoS Secure Installation and
Administration Guide for details.
Other fields in the View include the SPS that detected this event, the
group the infected host belongs to, the time of detection, the type of
activity, the connection rate for the host, and finally the number of flows
per second for the host.
Events with more than one kind of activity are shown in the screenshot
above. Statistics for each kind of activity are shown on a line of their own,
and a summary field is shown below.
Clicking on the Capture ID opens the HBAD Event Report page. Here the
individual flows are displayed and further analysis can be conducted.
[Screenshot: HBAD Trend and HBAD Distribution tabs]
boxes and the All/Sum checkboxes. The Types select box lists the types of events
that have been detected so far.
Next you may set the minimum importance of the floods that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.
By selecting a radio button under Graph, you may choose to display one of the
following graphs in the Distribution View:
Infected Sources
Event Count
Bit Rate Impact
Pkt Rate Impact
Conn Rate Impact
Infection Level
Bit Rate Impact Level
Pkt Rate Impact Level
Under By, you may choose to distribute the events based on Duration, Bit Rate,
Packet rate, the Hours the events occur at, the Days they occur on or their
Importance.
The Display value may be set to present the information as a Stacked Bar chart,
normal bar chart, Pie chart or Text Table.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
The window to the right, ‘HBAD events’, shows the various activities found by
analyzing the 1000-flow captures. Some statistics and summaries follow.
Finally the bottom section of the page displays all the flows, 100 per page. Each
flow has a timestamp along with the following information:
Age – the duration of the flow in seconds. This is the time difference
between the first packet of the flow and the last packet of the flow (time
[seconds] = LastFlow-FirstFlow). If the flow consists of only one packet, it
has an age of zero.
Protocol is displayed next, followed by the source port. The destination
IP:destination port is in the next column followed by the count of packets
per flow.
Byte count for the flow is displayed last. In our example each packet is 60
bytes. This is definitely a DDoS on the target web server.
Clicking on any Capture in the HBAD Event Report will drill down to the Capture
Page, giving more information concerning that Event. Packets are filtered to match
the last detected activity (e.g. spamming). Up to 300 packets and durations of up to
100 seconds are supported per capture.
Average Connection Rate lists the average connection rate of all the
HBAD events originating from that Source.
Click on any of the listed Sources to open a page listing all HBAD Events originating
from that Source.
checkboxes. The Types select box lists the types of the Events that have been
detected so far.
Next you may set the minimum importance of the Events that will be displayed
followed by the Policy select box. Here, existing DDoS Secure Policies are listed,
allowing the display of only those floods that match filtering criteria.
You may select if the Targets will be displayed as IP addresses, or as Port
numbers/Services.
The far right of the window contains Data Filter settings allowing you to fine tune the
View to display items of interest. Below those are three buttons which allow you to
add the current View to a Report, to download the View as a PDF or to download it
as a CSV file.
Target indicates the IP address or Port/Service that is being hit with the
HBAD event.
Times Detected indicates the number of times an HBAD event targeting
that IP/Port has been detected.
Average Bit Rate lists the average bit rate of all the HBAD events targeting
that IP/Port.
Average Packet Rate lists the average packet rate of all the HBAD events
targeting that IP/Port.
Average Connection Rate lists the average connection rate of all the
HBAD events targeting that IP/Port.
Click on any of the listed targets to open a page listing all HBAD Events targeting
that IP.
HBAD Mitigation
Pattern Page
[Screenshot: Pattern page tabs: Pattern Flood, Summary Timezones, Summary, Full Pattern, Pattern Chart, Packet Captures, Top TX/RX Hosts]
Packet Captures – This is the same as the flood View page, with the
addition of “match”: the count of packets from that packet capture that
match this particular pattern.
Top ASN Countries and Top ASN Countries – Indicate the most prevalent
countries of origin, listing the number of packets from each and the
percentage.
Capture Page
Analyze flow – displays the data as flows, in the form of source
address:source port -> destination address:destination port PROTOCOL.
Analyze protocol – displays the sample aggregated by protocol. The protocol
number is displayed too.
Analyze length – displays the count of packets of preset lengths; the
granularity (scale) can be adjusted. This View is useful for understanding the
spread of packet sizes within the capture. Of course, the packet sample can
be downloaded for analysis using external tools via the save capture link in
the flood View or pattern pages.
5. In the Auto field, you may schedule the report for automatic generation as
well as set the email address to which the automatically generated report
will be sent.
6. Click the name of the Selected Report at the top of the GUI to download
the Report as a PDF.