Dynamic baseline learning provides a reference for configuring defense thresholds.
A defense policy sets a threshold on the traffic volume of a protocol. When traffic on the live network exceeds the threshold, the system identifies an anomaly and triggers the corresponding attack defense.
Before configuring a defense policy, two questions typically arise: which defense functions to enable, and what threshold to set for each.
The ATIC system supports many types of attack defense. Enable the types that the protected services actually need, not every defense function.
During defense policy configuration, the system prompts you to set a defense threshold for each policy. When the number of packets of that type destined for the Zone reaches the threshold, the system enables defense against such packets. A threshold is hard to set from experience alone, and an incorrectly set threshold may affect normal services. You are advised to perform dynamic baseline learning and set the defense threshold based on its result.
In attack detection, the detection device collects traffic statistics and compares them with the pre-defined threshold. If the traffic reaches the threshold, the device considers that an anomaly has occurred and reports it to the ATIC. Attack judgment therefore depends entirely on the configured threshold, yet different networks run different applications, each with its own actual bandwidth.
Therefore, before you configure the threshold, learn the basic traffic model of the network first.
The abnormal traffic cleaning solution supports dynamic baseline learning of traffic. In dynamic baseline learning, the anti-DDoS device collects network traffic statistics over a specified period, learns the peak traffic volume, and presents the result as a curve chart in the management center.
Do not set the defense threshold before the dynamic baseline learning period ends; a result taken from a partial period can miss normal peaks that occur later in the period. After learning is complete, you can manually deliver the learning result as the defense threshold. The threshold must be set higher than the normal peak traffic.
Baseline learning can be repeated to keep up with changes in the network traffic model.
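The procedure above (learn the peak per protocol over a complete period, deliver a threshold above that peak, then compare live traffic against it) as an added worked example. This is illustrative code, not ATIC or AntiDDoS code: the per-interval counters are constructed, and the six-interval learning window, the 20% margin above the learned peak and the protocol set are assumptions. Both the packet count and the byte count are learned, mirroring the PacketRate and Bandwidth items of Table 2, because a flood of small packets and an amplification flood trip different items.

```python
"""Dynamic baseline learning and threshold-based anomaly detection.

Added example, not code from the ATIC or AntiDDoS products. Traffic samples
are constructed per-interval counters of the kind a detection device collects;
the learning window length, the margin above the learned peak and the
protocol set are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One statistics interval for one protocol (constructed input)."""
    interval: int
    protocol: str
    packets: int    # packets seen in the interval -> PacketRate item
    octets: int     # bytes seen in the interval   -> Bandwidth item


@dataclass(frozen=True)
class Baseline:
    """Peak values learned for one protocol over the whole learning period."""
    peak_packets: int
    peak_octets: int


def learning_complete(samples, learning_intervals):
    """True once every interval of the learning period has been observed."""
    return len({s.interval for s in samples}) >= learning_intervals


def learn_baseline(samples, learning_intervals):
    """Dynamic baseline learning: record the peak packet count and byte count
    per protocol across every interval of the learning period.

    Refuses to return a result before the period is complete, because a
    threshold delivered from a partial window can sit below a normal peak the
    window has not yet seen and would then act on legitimate traffic."""
    if not learning_complete(samples, learning_intervals):
        raise ValueError("learning period incomplete; do not deliver a threshold yet")
    peaks = defaultdict(lambda: [0, 0])
    for s in samples:
        peaks[s.protocol][0] = max(peaks[s.protocol][0], s.packets)
        peaks[s.protocol][1] = max(peaks[s.protocol][1], s.octets)
    return {proto: Baseline(p, o) for proto, (p, o) in peaks.items()}


def derive_thresholds(baseline, margin_pct=20):
    """Deliver the learning result as defense thresholds, above the normal peak.
    The 20 % margin is an assumed value; integer arithmetic rounds it up."""
    def with_margin(value):
        return value + (value * margin_pct + 99) // 100
    return {proto: (with_margin(b.peak_packets), with_margin(b.peak_octets))
            for proto, b in baseline.items()}


def detect(sample, thresholds):
    """Attack detection: compare one interval's counters with the thresholds.

    Returns None when no policy exists for the protocol (nothing to defend),
    otherwise the list of items whose threshold was exceeded."""
    limits = thresholds.get(sample.protocol)
    if limits is None:
        return None
    tripped = []
    if sample.packets > limits[0]:
        tripped.append("PacketRate")
    if sample.octets > limits[1]:
        tripped.append("Bandwidth")
    return tripped


# Constructed learning-period traffic: six intervals of normal traffic per protocol.
LEARNING_INTERVALS = 6
_NORMAL = {  # protocol: (packets per interval, average bytes per packet)
    "TCP": ([800, 950, 1200, 1100, 900, 1000], 800),
    "UDP": ([300, 420, 380, 500, 450, 410], 500),
    "DNS": ([100, 150, 120, 140, 110, 130], 80),
}
LEARNING_SAMPLES = [
    Sample(i, proto, pkts, pkts * size)
    for proto, (counts, size) in _NORMAL.items()
    for i, pkts in enumerate(counts)
]


def run_demo():
    """Learn, derive thresholds, then classify a few constructed live intervals."""
    thresholds = derive_thresholds(learn_baseline(LEARNING_SAMPLES, LEARNING_INTERVALS))
    live = [
        Sample(6, "TCP", 1400, 1_120_000),   # busy but normal: under both thresholds
        Sample(7, "TCP", 9000, 540_000),     # SYN flood of 60-byte packets
        Sample(8, "UDP", 550, 1_100_000),    # amplification: few, very large packets
        Sample(9, "ICMP", 5, 400),           # no policy learned for ICMP
    ]
    return thresholds, [detect(s, thresholds) for s in live]


if __name__ == "__main__":
    thresholds, verdicts = run_demo()
    for proto, (pps, bps) in thresholds.items():
        print(f"{proto}: packet threshold {pps}, byte threshold {bps}")
    print(verdicts)
```

Re-learning, as the page recommends when the traffic model changes, is simply a second call to `learn_baseline` over a fresh window followed by `derive_thresholds`; the `learning_complete` guard is what enforces the advice not to deliver a threshold before the period ends.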
The AntiDDoS and AntiDDoS1820-N provide baseline learning for common defense policies. Learning the baselines shows the routine values of each protocol's traffic on the live network, so that you can configure appropriate defense policies. Table 1 lists the baseline learning types supported by the AntiDDoS. Table 2 lists the baseline learning types supported by the AntiDDoS1820-N.
Table 1 Baseline learning types supported by the AntiDDoS

| Protocol | Policy Item |
|---|---|
| TCP | ACK Flood |
| TCP | SYN Flood |
| TCP | TCP Big Packet Ratio(%) |
| TCP | SYN-Ratio Packets Number |
| TCP | SYN-Ratio Threshold(%) |
| TCP | FIN/RST Flood |
| TCP | TCP Fragment Attack |
| TCP | Source IP-based New Connection Rate Check |
| TCP | Connection Number Check for Source IP Address |
| TCP | Concurrent Connection Check by Destination IP Address |
| TCP | Destination IP-based New Connection Rate Check |
| UDP | UDP Traffic Limiting |
| UDP | UDP Fragment Attack |
| ICMP | ICMP Rate Limiting |
| DNS | DNS Query Flood Attack |
| DNS | DNS Reply Flood |
| HTTP | HTTP Request Flood |
| HTTPS | HTTPS Packet Flood |
| SIP | SIP Flood |
| Other | Other Fingerprint Attack |
Table 2 Baseline learning types supported by the AntiDDoS1820-N

| Protocol | Policy Item |
|---|---|
| TCP | Tcp Malformed Flood Bandwidth |
| TCP | Tcp Malformed Flood PacketRate |
| TCP | TCP SYN Flood Bandwidth |
| TCP | TCP SYN Flood PacketRate |
| TCP | TCP Fragment Flood Bandwidth |
| TCP | TCP Fragment Flood PacketRate |
| TCP | TCP ACK Flood Bandwidth |
| TCP | TCP ACK Flood PacketRate |
| TCP | TCP RST/FIN Flood Bandwidth |
| TCP | TCP RST/FIN Flood PacketRate |
| UDP | UDP Flood Bandwidth |
| UDP | UDP Flood PacketRate |
| UDP | UDP Fragment Flood Bandwidth |
| UDP | UDP Fragment Flood PacketRate |
| ICMP | ICMP Flood Bandwidth |
| ICMP | ICMP Flood PacketRate |
| DNS | DNS Query Flood Bandwidth |
| DNS | DNS Query Flood PacketRate |
| DNS | DNS Reply Flood Bandwidth |
| DNS | DNS Reply Flood PacketRate |
| HTTP | HTTP Flood Bandwidth |
| HTTP | HTTP Flood PacketRate |
| HTTPS | HTTPS Flood Bandwidth |
| HTTPS | HTTPS Flood PacketRate |
| SIP | SIP Flood Bandwidth |
| SIP | SIP Flood PacketRate |
| Other | Other Flood Bandwidth |
| Other | Other Flood PacketRate |