
Monitor & Analyze: Mitigation Metrics

Overview

The Silverline Portal can provide counts for the DDoS mitigation techniques employed as part of the Silverline DDoS service. The stats on the Mitigation Metrics page are derived from log counts from the Silverline DDoS mitigation devices. They are packet counts, NOT bandwidth stats (bandwidth stats can be found under the DDoS Dashboard "Mitigations" tab).


Portal Navigation

From the main menu, select Mitigation Metrics from the Monitor and Analyze menu:

Monitor-Mitigation-Metrics.png


You will now be presented with a page which shows counts for:

- Mitigation Counts: the number of times a packet was blocked, attributed to each of the mitigation policies.
- Protocol Counts: a packet count attributed to a specific IP protocol, such as TCP, UDP, ICMP, IPv6, etc.
- Countermeasure Counts: which DDoS countermeasures have been enacted, along with the number of incoming packets each one affected.
- Reasons: the number of packets blocked, broken down by the reason they were blocked.
- Denylisted: during a mitigation, certain IP addresses may be explicitly blocked outright rather than for an observed behavior. This chart shows the number of packets dropped because their source was on that list.


Mitigation Metrics: Charts

Mitigation Counts

Please note that you can filter for specific mitigation(s) by clicking on each mitigation name in the legend.

The chart will then redraw for just the mitigation(s) which are still enabled.


Protocol Counts

The protocol mapping is performed by inspecting the destination port of the packet and mapping it back to the well-known protocol for that port number. This mapping also determines which protocol compliance checks the packet will receive during further inspection.


Countermeasure Counts

This chart shows the number of packets for which a countermeasure category was applied over time.

Silverline DDoS has a wide variety of countermeasures that can be deployed when an attack is detected.  Critical to an accurate scrubbing service is the ability to determine which packets from the incoming traffic are from bad actors versus those which are legitimate and should be passed through to the protected server(s).  Silverline employs techniques such as:

- Protocol compliance checks
- Denylists
- IP Location Filters
- Compromised Hosts Filters
- Per Connection Flood Protection
- TCP SYN Challenges
- HTTP Challenges
- DNS Challenges
- Connection Rate Limiting
- Regular Expression Matching
- DNS Exploit Mitigation


Reason

When a packet is dropped at ingress because a countermeasure was enacted and the packet was deemed invalid, a reason is recorded. This chart plots the recorded reasons over time.

Examples of reasons include:

- The client IP was invalid (for example, an RFC 1918 private address was observed as the source).
- A SOC-applied regex designed to spot specific bad patterns was triggered.
- The packet checksum was invalid.
- An HTTP or HTTPS request was malformed.
- The TCP flag combination was invalid.
- The client's connection packet rate was too high.
- The DNS request was malformed.
- The client failed a challenge.
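As an added illustration (example code, not part of the Silverline portal or its mitigation devices), the toy ingress filter below applies several of the checks listed above to a constructed batch of packets and aggregates the verdicts the way this page's charts present them: packets per protocol bucket, drops per reason, denylist hits, and drops per source IP (the basis of the Mitigated IP counts panel described next). The denylist, the SOC regex, the port-to-protocol table, the per-client rate limit and the packet records are all assumptions chosen for the example; the checksum is the standard RFC 1071 Internet checksum.

```python
"""Toy ingress filter mirroring the per-packet verdicts behind the Mitigation
Metrics charts. Constructed example only; not Silverline code."""
import ipaddress
import re
from collections import Counter

# Assumed port-to-protocol table (IANA well-known ports) for the Protocol Counts bucket.
PORT_PROTOCOL = {53: "DNS", 80: "HTTP", 443: "HTTPS", 123: "NTP"}
# Assumed operator denylist and SOC-applied regex (path traversal / passwd grab).
DENYLIST = {ipaddress.ip_address("198.51.100.7")}
SOC_REGEX = re.compile(rb"(?i)(\.\./){2,}|/etc/passwd")
RATE_LIMIT = 5  # assumed: packets per client allowed in this batch before rate-dropping
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_packet(src, proto, dport=None, payload=b"", flags=(), bad_checksum=False):
    """Build a constructed packet record; bad_checksum=True corrupts the stored checksum."""
    csum = internet_checksum(payload) ^ (1 if bad_checksum else 0)
    return {"src": src, "proto": proto, "dport": dport, "payload": payload,
            "flags": tuple(flags), "checksum": csum}


def protocol_bucket(pkt):
    """Map TCP/UDP packets by destination port to a well-known protocol; others by IP protocol."""
    if pkt["proto"] in ("TCP", "UDP"):
        return PORT_PROTOCOL.get(pkt["dport"], pkt["proto"])
    return pkt["proto"]


def inspect(pkt, seen_per_client):
    """Return None to pass the packet, or the recorded drop reason."""
    src = ipaddress.ip_address(pkt["src"])
    if src in DENYLIST:
        return "denylisted"
    if any(src in net for net in PRIVATE_NETS):
        return "invalid client IP (RFC1918)"
    if internet_checksum(pkt["payload"]) != pkt["checksum"]:
        return "invalid checksum"
    if pkt["proto"] == "TCP":
        flags = set(pkt["flags"])
        if not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
            return "invalid TCP flags"
    seen_per_client[src] += 1
    if seen_per_client[src] > RATE_LIMIT:
        return "client packet rate too high"
    if SOC_REGEX.search(pkt["payload"]):
        return "SOC regex match"
    return None


def run_mitigation(packets):
    """Aggregate verdicts into the same breakdowns the portal charts: reasons, protocols, offenders."""
    seen, reasons, protocols, offenders = Counter(), Counter(), Counter(), Counter()
    passed = 0
    for pkt in packets:
        protocols[protocol_bucket(pkt)] += 1
        reason = inspect(pkt, seen)
        if reason is None:
            passed += 1
        else:
            reasons[reason] += 1
            offenders[pkt["src"]] += 1
    return {"passed": passed, "reasons": reasons, "protocols": protocols,
            "denylisted": reasons["denylisted"], "mitigated_ips": offenders}


# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    make_packet("203.0.113.10", "TCP", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", ("ACK", "PSH")),
    make_packet("198.51.100.7", "UDP", 53, b"dns"),                       # on the denylist
    make_packet("10.1.2.3", "TCP", 443, b"", ("SYN",)),                   # RFC 1918 source
    make_packet("203.0.113.11", "UDP", 123, b"ntp", bad_checksum=True),   # corrupted checksum
    make_packet("203.0.113.12", "TCP", 80, b"", ("SYN", "FIN")),          # illegal flag combination
    make_packet("203.0.113.13", "TCP", 80, b"GET /../../../etc/passwd HTTP/1.1", ("ACK", "PSH")),
    make_packet("203.0.113.15", "ICMP", payload=b"ping"),
] + [make_packet("203.0.113.14", "TCP", 80, b"", ("SYN",)) for _ in range(7)]  # SYN flood

if __name__ == "__main__":
    result = run_mitigation(SAMPLE_PACKETS)
    print("passed:", result["passed"])
    print("reasons:", dict(result["reasons"]))
    print("protocols:", dict(result["protocols"]))
    print("top offenders:", result["mitigated_ips"].most_common(3))
```

The check order matters: a denylisted or bogon source is dropped before any payload work is spent on it, and only packets that survive the cheap checks are counted toward the per-client rate, so a flood from one address shows up both as "client packet rate too high" in the reasons chart and at the top of the offender list.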

Mitigated IP counts

This panel shows the packet count for the worst-offending source IPs during the time period selected in the time selector.

Screen_Shot_2017-06-28_at_1.50.01_PM.png


View History

You can select a new custom time period by clicking into the From and To date/time fields. When you do, the previous time period is saved and a new drop-down list of saved periods appears.

Screen_Shot_2017-06-28_at_1.41.16_PM.png
