Description

Dynamic baseline learning provides references for configuring the defense threshold.

A defense policy sets a proper threshold for the traffic volume of a protocol. When traffic on the live network exceeds the threshold, the system determines that an anomaly has occurred and triggers the corresponding attack defense.

Before configuring the defense policy, you may have two questions:

  1. What types of attack defense need to be enabled?
  2. How do you set a proper threshold?

The ATIC system supports many types of attack defense. Enable the attack defense types that you need; you do not have to enable all defense functions.

During defense policy configuration, the system prompts you to set a defense threshold for each policy. When the number of packets of a given type destined for the Zone hits the threshold, the system enables defense against such packets. Because improper configurations may affect normal services, you are advised to learn the dynamic baseline and set a proper defense threshold according to the learning result.

Dynamic Baseline Learning

In attack detection, the detection device collects statistics on traffic and compares the traffic with the pre-defined threshold. If the traffic hits the threshold, the device considers that an anomaly has occurred and reports the anomaly to the ATIC. Attack judgment therefore depends on the specified threshold. However, different networks carry different applications, each with its own actual bandwidth.

Therefore, before you configure the threshold, learn about the basic traffic model first.

In dynamic baseline learning, the system learns peak traffic at an interval in the normal network environment and presents the data as a curve to the administrator through the ATIC.

After dynamic baseline learning is complete, you are advised to deliver the learning result as the defense threshold. The threshold must be set to a value higher than normal peak traffic.

The dynamic baseline can be learned repeatedly to keep up with changes in the network traffic model.
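The following added example (not Huawei or ATIC code) illustrates the idea described above: it learns per-interval peaks from traffic samples, derives a threshold above the normal peak, and flags configured thresholds that normal traffic would already hit. The sample data, the 300-second interval, the 20% headroom and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed samples: (seconds since learning start, policy, observed rate).
# Units are assumed: pps for SYN Flood, Mbit/s for UDP Flood Bandwidth.
SAMPLES = [
    (0, "SYN Flood", 800), (120, "SYN Flood", 1200), (310, "SYN Flood", 950),
    (420, "SYN Flood", 1500), (650, "SYN Flood", 1100),
    (30, "UDP Flood Bandwidth", 40), (330, "UDP Flood Bandwidth", 65),
    (610, "UDP Flood Bandwidth", 55),
]

def interval_peaks(samples, interval_s=300):
    """Peak rate per policy for each learning interval (the baseline curve)."""
    peaks = defaultdict(dict)
    for ts, policy, rate in samples:
        bucket = ts // interval_s
        peaks[policy][bucket] = max(rate, peaks[policy].get(bucket, 0))
    return {p: [b[k] for k in sorted(b)] for p, b in peaks.items()}

def suggest_thresholds(samples, interval_s=300, headroom_pct=20):
    """Highest learned peak plus headroom; always strictly above the peak."""
    out = {}
    for policy, curve in interval_peaks(samples, interval_s).items():
        peak = max(curve)
        with_margin = (peak * (100 + headroom_pct) + 99) // 100  # integer ceiling
        out[policy] = max(with_margin, peak + 1)
    return out

def audit(configured, samples, interval_s=300):
    """Policies whose configured threshold is not above the normal peak,
    i.e. settings that would trigger defense on legitimate traffic."""
    risky = []
    for policy, curve in interval_peaks(samples, interval_s).items():
        limit = configured.get(policy)
        if limit is not None and limit <= max(curve):
            risky.append((policy, limit, max(curve)))
    return sorted(risky)

if __name__ == "__main__":
    print(interval_peaks(SAMPLES))
    print(suggest_thresholds(SAMPLES))
    print(audit({"SYN Flood": 1000, "UDP Flood Bandwidth": 100}, SAMPLES))
```

Rerunning the same calculation on fresh samples corresponds to learning the baseline again after the traffic model changes.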

Baseline Learning Types

The anti-DDoS devices provide baseline learning of common defense policies. You can learn the baselines to understand the routine baseline values of various protocol traffic on the live network, so that you can configure appropriate defense policies. Table 1 lists the baseline learning types supported by the anti-DDoS devices.

Table 1 Baseline learning types supported by the anti-DDoS devices
Protocol    Defense Policy
TCP         TCP Fragment Attack
            SYN Flood
UDP         UDP Flood Bandwidth
            UDP Fragment Attack Bandwidth
ICMP        ICMP Rate Limiting

Copyright © Huawei Technologies Co., Ltd.