Top N Study

After the top N study function is configured, you can view learning results, which act as policy parameters for tracing attack sources and confirming cleaning effects.

Top N study adversely affects device performance. Therefore, enable only the top N study items that you need from those listed in Table 1.

Top N study results are displayed in reports. For details, see Report.

Table 1 Top N study
Top N study Description Usage
HTTP learning

HTTP Host

Indicates top N host fields in the HTTP traffic destined for the Zone.

Top N host fields are learned from incoming HTTP traffic.

  • When the Zone is under attack, the learning result can be used for configuring HTTP host filtering. For details, see Configuring a Filter.
  • The administrator can learn about the network status based on the learning result.

HTTP URI

Indicates top N URI fields in the HTTP traffic destined for the Zone.

Top N URI fields are learned from incoming HTTP traffic.

  • When the Zone is under attack, the learning result can be used for configuring URI monitoring. For details, see HTTP Defense Policy.
  • The administrator can learn about the network status based on the learning result.

HTTP Source IP Addresses (pps/qps)

Indicates top N source IP addresses in the HTTP traffic destined for the Zone.

Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.

  • When the Zone is under attack, you can confirm the cleaning effect by comparing the top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
  • In most cases, the learning result is compared with the top N source IP addresses in legitimate HTTP traffic after cleaning.

HTTPS learning

HTTPS Source IP (pps)

Indicates top N source IP addresses in the HTTPS traffic destined for the Zone.

Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.

  • When the Zone is under attack, you can confirm the cleaning effect by comparing the top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
  • In most cases, the learning result is compared with the top N source IP addresses in legitimate HTTPS traffic after cleaning.

DNS learning

DNS Request Domain Name

Indicates top N requested domain names in the traffic destined for the Zone.

Top N requested domain names are learned from incoming traffic and legitimate traffic after cleaning.

After Dynamic cache is configured, the cleaning device adds top N domain names and IP addresses to the dynamic cache. After that, the cleaning device replies to requests for these DNS domain names to reduce the load on the DNS server.

  • When the Zone is under attack, you can configure rate limiting for the packets of the specified domain name and static cache based on the learning result, reducing the load on the DNS server. For details, see DNS Defense Policy.
  • When the Zone is under attack, you can confirm the cleaning effect by comparing the requested domain names in incoming traffic with those in legitimate traffic after cleaning.
  • The administrator can learn about the network status based on the learning result.

DNS Request Source IP (pps)

Indicates top N source IP addresses in the DNS request traffic destined for the Zone.

Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.

  • When the Zone is under attack, you can configure rate limiting for the request packets of the specified source IP address. For details, see DNS Defense Policy.
  • When the Zone is under attack, you can confirm the cleaning effect by comparing the top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
  • The administrator can learn about the network status based on the learning result.

DNS Response Source IP (pps)

Indicates top N source IP addresses in the DNS reply traffic destined for the Zone.

Top N source IP addresses are learned from incoming traffic and legitimate traffic after cleaning.

  • When the Zone is under attack, you can configure rate limiting for the reply packets of the specified source IP address. For details, see DNS Defense Policy.
  • When the Zone is under attack, you can confirm the cleaning effect by comparing the top N source IP addresses in incoming traffic with those in legitimate traffic after cleaning.
  • The administrator can learn about the network status based on the learning result.

TCP learning

TCP Source IP (Number of New Connections)

Indicates top N source IP addresses with the most new connections in the TCP traffic destined for the Zone.

Top N source IP addresses are learned from incoming TCP traffic.

The administrator can configure the threshold for Connection Number Check for Source IP Address based on the learning result. For details, see TCP Defense Policy.
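
The comparison named in the Usage entries for the source IP items (top N source IP addresses in incoming traffic versus those in legitimate traffic after cleaning) can be scripted once both lists are taken from the reports. The following is an added example, not Huawei code; the (source IP, pps) row format, the sample values, and the review_ratio and pass_ratio thresholds are assumptions.

```python
# Added example, not vendor code. Rows are (source IP, pps) pairs; this row
# format and every sample value below are constructed for illustration.
INCOMING_TOP = [   # constructed: top N sources in incoming traffic
    ("203.0.113.10", 48000),
    ("203.0.113.11", 45500),
    ("198.51.100.7", 30000),
    ("192.0.2.25", 900),
    ("192.0.2.40", 650),
]
CLEANED_TOP = [    # constructed: top N sources in legitimate traffic after cleaning
    ("198.51.100.7", 12000),
    ("192.0.2.25", 880),
    ("192.0.2.40", 650),
    ("192.0.2.77", 300),
    ("192.0.2.90", 120),
]

def compare_top_n(incoming, cleaned, review_ratio=0.2, pass_ratio=0.9):
    """Classify each incoming top N source by the share of its rate that
    survives cleaning. Both ratios are assumed review thresholds."""
    after = dict(cleaned)
    rows = []
    for src, pps_in in incoming:
        # A source missing from the post-cleaning list fell below that list's
        # top N cut-off; it is counted as 0 pps here.
        pps_out = after.get(src, 0)
        ratio = pps_out / pps_in if pps_in else 0.0
        if pps_out == 0:
            status = "filtered"
        elif ratio >= pass_ratio:
            status = "passed"
        elif ratio >= review_ratio:
            status = "review"      # partly cleaned: check this source by hand
        else:
            status = "mostly filtered"
        rows.append((src, pps_in, pps_out, round(ratio, 2), status))
    return rows

def top_n_reduction(rows):
    """Share of the incoming top N rate that no longer appears after cleaning."""
    total_in = sum(r[1] for r in rows)
    total_out = sum(r[2] for r in rows)
    return round(1 - total_out / total_in, 3) if total_in else 0.0

if __name__ == "__main__":
    rows = compare_top_n(INCOMING_TOP, CLEANED_TOP)
    for row in rows:
        print("%-15s in=%-6d out=%-6d ratio=%.2f %s" % row)
    print("top N reduction:", top_n_reduction(rows))
```

A source marked "review" is one whose rate was reduced but not removed, so it is the first place to look when deciding whether the current policy thresholds need tightening.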


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.