Description

Dynamic baseline learning provides reference values for configuring the defense threshold.

A defense policy sets a threshold for the traffic volume of a protocol. When the traffic on the live network exceeds the threshold, the system identifies an anomaly and triggers the corresponding attack defense.

Before configuring the defense policy, two questions usually arise:

  1. What types of attack defense need to be enabled?
  2. How to set a proper threshold?

The ATIC system supports many types of attack defense. Enable only the types that your services require, not all defense functions. When the services on the network are unknown, use service learning to find out which services are present, and then decide whether to enable attack defense.

During defense policy configuration, the system prompts you to set defense thresholds for the policies. When the number of packets of a given type destined for the Zone reaches the threshold, the system enables defense against such packets. Because an improper threshold may affect normal services, you are advised to learn the dynamic baseline first and set the defense threshold according to the learning result.

Dynamic Baseline Learning

In attack detection, the detection device collects traffic statistics and compares the traffic with the pre-defined threshold. If the traffic reaches the threshold, the device considers that an anomaly has occurred and reports it to the ATIC. Attack judgment therefore depends on the specified threshold; however, different networks carry different applications, each with its own actual bandwidth.

Therefore, before you configure the threshold, learn about the basic traffic model first.

In dynamic baseline learning, the system learns the peak traffic per interval in a normal network environment and presents the data to the administrator as a curve in the ATIC.

After dynamic baseline learning is complete, you are advised to deliver the learning result as the defense threshold. The threshold must be set higher than the normal peak traffic.

The dynamic baseline can be learned repeatedly to keep up with changes in the network traffic model.
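The following Python script is an added illustration of the learn-then-threshold workflow described above; it is not part of the ATIC documentation or product code. It takes per-interval peak rates for each defense policy from a clean learning period, derives each policy's threshold above the learned peak by an assumed margin, and flags live intervals that reach the threshold. The policy names, the 1.5 margin and all sample rates are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Learned normal peak rate (packets/s) for one policy and the threshold derived from it."""
    policy: str
    peak_pps: int
    threshold_pps: int


def learn_baseline(samples, policy, margin=1.5):
    """Learn the normal peak for one policy from per-interval samples.

    samples: list of (interval_index, policy, pps) collected while the network
    is known to be clean (constructed data in this example). The threshold is
    placed above the learned peak by `margin` (an assumed factor), following
    the guidance that the threshold must exceed normal peak traffic.
    Re-running this on a newer learning window is the "repeated learning" step.
    """
    rates = [pps for _, p, pps in samples if p == policy]
    if not rates:
        raise ValueError(f"no learning samples for {policy}")
    peak = max(rates)
    return Baseline(policy, peak, int(peak * margin))


def detect_anomalies(samples, baselines):
    """Compare live per-interval rates with each policy's threshold; return the hits."""
    hits = []
    for interval, policy, pps in samples:
        baseline = baselines.get(policy)
        if baseline is not None and pps >= baseline.threshold_pps:
            hits.append((interval, policy, pps, baseline.threshold_pps))
    return hits


# Constructed learning-phase samples: (interval, policy, packets per second).
LEARNING_SAMPLES = [
    (0, "SYN Flood", 1200), (1, "SYN Flood", 1800), (2, "SYN Flood", 1500),
    (0, "UDP Flood", 5000), (1, "UDP Flood", 6200), (2, "UDP Flood", 5800),
]
# Constructed live samples: one SYN burst far above the learned peak, UDP within normal range.
LIVE_SAMPLES = [
    (10, "SYN Flood", 1700), (11, "SYN Flood", 9000), (11, "UDP Flood", 6100),
]


def run_example():
    """Learn baselines for both policies, then check the live samples against them."""
    baselines = {p: learn_baseline(LEARNING_SAMPLES, p) for p in ("SYN Flood", "UDP Flood")}
    return baselines, detect_anomalies(LIVE_SAMPLES, baselines)
```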

Baseline Learning Types

Table 1 lists common defense policies supported by the ATIC for baseline learning. You can learn the baselines to understand the routine baseline values of various protocol traffic on the live network, so that you can configure appropriate defense policies.

Table 1 Protocol types supported for baseline learning

  Protocol Type   Defense Policy
  TCP             SYN Flood
                  ACK Flood
                  FIN/RST Flood
                  TCP Fragment Flood
                  Number of concurrent connections by destination IP address
                  New connection rate by destination IP address
  UDP             UDP Flood
                  UDP Fragment Flood
  ICMP            ICMP Rate Limit
  DNS             DNS Request Flood
                  DNS Reply Flood
  HTTP            HTTP Request Flood
                  HTTP Packet Flood
  HTTPS           HTTPS Packet Flood
  SIP             SIP Flood
  Other           Other Flood

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.