Q&A: What do the values in Monitoring Settings indicate?

Description

  • Description of the values under Portal's Config > Monitoring Settings
  • Covers the "Host Detection" Tab

Environment

  • Silverline Portal

  • Silverline DDoS

    • Proxy

Answer

Host detection tab

Severity Duration:

The number of seconds that our device waits before it escalates the severity level of an alert

 

Host Fast: 

Host Fast flood detection is either enabled or disabled. When fast flood detection is enabled, a host alert is triggered much faster when large amounts of traffic toward a host are detected (doesn't wait for a Severity Duration time)

 

Fast Flood Detection:

Fast flood detection is either enabled or disabled. When fast flood detection is enabled, a host alert is triggered much faster when large amounts of traffic toward a host are detected

 

Alert thresholds:
Trigger (bps or pps) - threshold for a low severity alert.

Severity (bps or pps) - if the traffic exceeds this severity rate for the Severity Duration, the alert is classified as High severity (the F5 Silverline SOC is notified about it). If the traffic exceeds 75% of the severity rate for the Severity Duration, the alert is classified as Medium severity.

 

Host detection misuse types

Host ICMP:

ICMP traffic (in pps). For IPv4, traffic matching ICMP (protocol 1) and for IPv6, traffic matching IPv6-ICMP (protocol 58).

Can help detect: Internet Control Message Protocol ICMP and IPv6-ICMP packet-flooding attacks

 

Host DNS:

DNS traffic (in pps) over TCP and/or UDP with destination port 53

Can help detect: Floods of DNS traffic

 

Host TCP NULL:

TCP traffic (in pps) that contains a sequence number but has all flags unset

Can help detect: TCP Null-Flags attacks

 

Host IP NULL:

tbd.

 

Host MSSQL Amplification:

UDP traffic (in bps or pps) with source port 1434

Can help detect: Microsoft SQL Resolution Service reflection/amplification attacks

 

SNMP Amplification:

SNMP traffic (in bps or pps) with the UDP protocol and source port 161 and/or 162.

Can help detect: SNMP reflection/amplification attacks

 

Host TCP SYN:

TCP traffic (in pps) with the synchronize flag set and the acknowledge flag not set. Other flags may be set.

Can help detect: Common TCP SYN flood attacks

 

Host UDP:

UDP traffic (in pps)

Can help detect: UDP attacks

 

Host charGEN Amplification:

chargen traffic (in bps or pps) with the UDP protocol and source port 19

Can help detect: chargen (Character Generator Protocol) reflection/amplification attacks

 

Host DNS Amplification:

DNS traffic (in bps or pps) with the UDP protocol and source port 53

Can help detect: DNS reflection/amplification attacks

 

Host IP Fragmentation:

Non-initial packet fragments (in pps). Source and destination port are zero and no TCP flags are set.

Can help detect: TCP and UDP fragmentation attacks where non-initial packet fragments are sent to a host

Note: TCP and UDP fragmentation attacks are often associated with chargen, DNS, SNMP, SSDP, and MS SQL RS amplification attacks.

 

Host Private IP:

Traffic (in pps) for private IP address space. SP uses the following IP spaces to detect this misuse type:

IPv4:

  • 10.0.0.0/8

  • 172.16.0.0/12

  • 192.168.0.0/16

IPv6:

  • All spaces except 2000::/3

Can help detect: Spoofed IP addresses (which are not expected to be routed over the Internet) that are used in attacks

 

Host NTP Amplification:

NTP traffic (in bps or pps) with the UDP protocol and source port 123. Packet sizes of 36, 46, 76, and 220 for IPv4 and 56, 66, 96, and 240 for IPv6 are whitelisted.

Can help detect: NTP reflection/amplification attacks

 

Host SSDP Amplification:

UDP traffic (in bps or pps) with source port 1900

Can help detect: SSDP (Simple Service Discovery Protocol) reflection/amplification attacks

 

Host TCP Reset:

TCP traffic (in pps) with the reset flag set. Other flags may be set but not the synchronize flag

Can help detect: TCP reset attacks
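As an added illustration (not code from the Silverline article or product), the Python below maps a simplified packet record onto the host misuse types listed above and applies the Low/Medium/High rule from the Alert thresholds section. The Packet field names, treating Host Private IP as a check on the source address, and excluding non-initial fragments from Host TCP NULL are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
PRIVATE_V4 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_V6 = ip_network("2000::/3")  # article: all IPv6 space outside this is "private"
AMP_BY_SPORT = {1434: "mssql_amp", 161: "snmp_amp", 162: "snmp_amp", 19: "chargen_amp",
                53: "dns_amp", 123: "ntp_amp", 1900: "ssdp_amp"}  # UDP source ports
NTP_WHITELIST = {4: {36, 46, 76, 220}, 6: {56, 66, 96, 240}}  # sizes exempt from ntp_amp

@dataclass
class Packet:  # constructed, simplified view of one sampled packet (assumed field names)
    src: str
    proto: int                       # 1 ICMP, 6 TCP, 17 UDP, 58 IPv6-ICMP
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"RST", "ACK"}
    size: int = 0
    non_initial_frag: bool = False

def misuse_types(p: Packet) -> set:
    """Return every host misuse type from the article that this packet counts toward."""
    t, src = set(), ip_address(p.src)
    if p.proto in (1, 58):
        t.add("icmp")
    if p.non_initial_frag and p.sport == 0 and p.dport == 0 and not p.flags:
        t.add("ip_frag")  # non-initial fragments carry neither ports nor TCP flags
    if p.proto == 6 and not p.non_initial_frag:
        if "SYN" in p.flags and "ACK" not in p.flags:
            t.add("tcp_syn")  # SYN without ACK; other flags may be set
        if "RST" in p.flags and "SYN" not in p.flags:
            t.add("tcp_rst")  # RST without SYN; other flags may be set
        if not p.flags:
            t.add("tcp_null")
    if p.proto == 17:
        t.add("udp")
        amp = AMP_BY_SPORT.get(p.sport)
        if amp and not (amp == "ntp_amp" and p.size in NTP_WHITELIST[src.version]):
            t.add(amp)
    if p.proto in (6, 17) and p.dport == 53:
        t.add("dns")
    if (any(src in n for n in PRIVATE_V4) if src.version == 4 else src not in GLOBAL_V6):
        t.add("private_ip")  # source address assumed; the article does not say src or dst
    return t

def alert_severity(rate, trigger, severity_rate, seconds_above, severity_duration):
    """Low/Medium/High per the Alert thresholds section; None while below the trigger."""
    if rate <= trigger:
        return None
    if seconds_above < severity_duration or rate <= 0.75 * severity_rate:
        return "Low"
    return "High" if rate > severity_rate else "Medium"
```

A single packet can count toward several misuse types at once (for example a UDP/53 reply from a private source counts toward Host UDP, Host DNS, Host DNS Amplification and Host Private IP), which is why each type has its own thresholds.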

 
