Solution
The Cisco Stealthwatch® Security Insight Dashboard has two alarm categories dedicated to detecting DDoS attacks:
High DDoS Source Index: Indicates a DDoS source has been identified.
High DDoS Target Index: Indicates a DDoS target has been identified.
As Stealthwatch collects network telemetry, it gains visibility into all host-to-host communications across the network. It can
then compare collected data to determine if certain security criteria are met to trigger security events associated with these
two DDoS alarms.
Minimum requirements
The Cisco Stealthwatch system configuration minimum requirements are:
Alarm Category: DDoS
The tables list the security events associated with the DDoS alarms and the number of default points assigned to the
alarm category when each security event occurs.
Here is a closer look at some of the key events for the DDoS alarm categories:
Slow Connection Flood: A host initiates multiple connections to a target at a very low packet rate. The goal is to
keep the connections open while using minimal bandwidth. Because this application-layer denial-of-service (DoS)
attack needs so little bandwidth to render a service unavailable, it is easy to mount against a vulnerable host and
often harder to detect than a volumetric flood.
Packet Flood: The source host sends an excessive number of short packets to the target host. This security event
is typically the result of brute force attacks, DoS attacks, or malfunctioning network applications.
Half Open Attack: A half open attack is an attempt to exhaust either bandwidth or connection handlers by opening
connections that are never completed. This type of DoS attack forces the victim host to hold each half-open
connection until it times out.
More information on alarm categories and the associated security events is in the Stealthwatch Help documentation from
the Stealthwatch Management Console (SMC) Desktop Client and the SMC Web User Interface (UI).
On the Security Insight Dashboard, you will see the alarm categories listed across the top. This view shows the number of
hosts that have generated events in each category. This figure shows that one host has generated a DDoS event.
Click the DDoS Target category to generate a report that shows the host that triggered the event and information such as
the host IP address and host group.
Note that this host has a DDoS target index value of 131%. Click the percentage to get more information.
Application Traffic: Shows the applications that were in use during this DDoS attack.
Alarm: Shows alarm information, including why the alarm was triggered, in the details pane.
The Security Event Details widget shows that host 10.10.30.15 triggered the security event called SYNs Received. Click
View Flows to get information on the associated flows for this event.
A Flow Search window opens with the search criteria already populated. Because SYN floods from internal hosts are
usually the result of misconfiguration, edit the search so that the peer is the outside host group; the results will
then contain only flows coming from external sources.
The results show the default columns for the flows in the attack. We can see multiple outside hosts attempting to
communicate with the internal DNS server. To see more information, add columns to the results: click Manage Columns
and select the additional fields as desired.
For this example, we selected the Connection TCP Connections column to show how many TCP connections were
completed. A zero indicates that no connection was established, meaning that these were probably SYN packets that
received no response.
The Connection TCP Connections column shows all zeros, indicating that these were all SYN packets, and suggesting that
a SYN flood attack was attempted on the DNS server.
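The triage described on this page, from the three key events (Slow Connection Flood, Packet Flood, Half Open Attack) through the Flow Search step of restricting the peer to the outside host group and reading the Connection TCP Connections column, as an added example in Python. This is not Stealthwatch code and not a Stealthwatch API; the Flow record fields, the threshold values, the host group names and the sample flow records are all assumptions constructed for the example and only mimic the columns named above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record. Field names are assumptions modelled on the
    Flow Search columns discussed above, not Stealthwatch's schema."""
    peer: str             # host that initiated the flow
    peer_group: str       # host group of the peer, e.g. "Outside Hosts"
    target: str           # internal host receiving the traffic
    port: int             # destination port on the target
    packets: int          # peer-to-target packets in the flow
    bytes: int            # peer-to-target bytes in the flow
    duration_s: float     # seconds the flow was observed
    tcp_connections: int  # completed TCP connections; 0 means the
                          # handshake never finished (SYN with no reply)


def _per_second(count, duration_s):
    """Rate helper that treats sub-second flows as one second long."""
    return count / max(duration_s, 1.0)


def outside_only(flows, outside_group="Outside Hosts"):
    """Equivalent of editing the Flow Search so the peer is the outside
    host group: internal peers are dropped, since their SYN bursts are
    usually misconfiguration rather than an attack."""
    return [f for f in flows if f.peer_group == outside_group]


def syn_flood_targets(flows, min_peers=20, max_packets=3):
    """SYNs Received / Half Open: many distinct peers whose flows to one
    target:port carry only a packet or two and never complete a TCP
    connection (the all-zero Connection TCP Connections column)."""
    peers = defaultdict(set)
    for f in flows:
        if f.tcp_connections == 0 and f.packets <= max_packets:
            peers[(f.target, f.port)].add(f.peer)
    return {key: len(p) for key, p in peers.items() if len(p) >= min_peers}


def slow_connection_floods(flows, min_flows=10, max_pps=0.5):
    """Slow Connection Flood: one peer holding many open, long-lived
    connections to a target at a very low packet rate."""
    held = defaultdict(int)
    for f in flows:
        if f.tcp_connections > 0 and _per_second(f.packets, f.duration_s) <= max_pps:
            held[(f.peer, f.target, f.port)] += 1
    return {key: n for key, n in held.items() if n >= min_flows}


def packet_floods(flows, min_pps=1000, max_avg_bytes=100):
    """Packet Flood: a peer sending an excessive rate of short packets."""
    hits = {}
    for f in flows:
        pps = _per_second(f.packets, f.duration_s)
        if pps >= min_pps and f.bytes / f.packets <= max_avg_bytes:
            hits[(f.peer, f.target, f.port)] = round(pps)
    return hits


def triage(flows):
    """Run the three checks on outside-peer flows only and report hits."""
    ext = outside_only(flows)
    return {
        "syn_flood": syn_flood_targets(ext),
        "slow_connection_flood": slow_connection_floods(ext),
        "packet_flood": packet_floods(ext),
    }


# Constructed sample flows (not real telemetry). 40 outside peers send a
# single unanswered SYN each to DNS server 10.10.30.15 on TCP/53; one
# outside peer holds 12 idle connections to 10.10.30.20:80; another sends
# a burst of 60-byte packets at 10.10.30.30:443; the last two are a benign
# outside query and a stray unanswered SYN from an internal host.
SAMPLE_FLOWS = (
    [Flow(f"203.0.113.{i}", "Outside Hosts", "10.10.30.15", 53, 1, 60, 0.0, 0)
     for i in range(1, 41)]
    + [Flow("198.51.100.7", "Outside Hosts", "10.10.30.20", 80, 6, 480, 300.0, 1)
       for _ in range(12)]
    + [Flow("198.51.100.9", "Outside Hosts", "10.10.30.30", 443, 150000, 9000000, 30.0, 1),
       Flow("192.0.2.5", "Outside Hosts", "10.10.30.15", 53, 4, 320, 0.2, 1),
       Flow("10.10.30.99", "Inside Hosts", "10.10.30.15", 53, 1, 60, 0.0, 0)]
)


if __name__ == "__main__":
    for event, hits in triage(SAMPLE_FLOWS).items():
        print(event, hits)
```

The outside-peer filter is applied before counting for the same reason the page gives for editing the Flow Search: without it the internal host 10.10.30.99 would be counted as a forty-first SYN source against the DNS server. The thresholds are illustrative and should be tuned to the baseline of the network being monitored.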
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING
ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESSED, IMPLIED,
STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL
IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING
FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.