
DDoS Secure

GUI User Guide

Release

5.14.1-0

Published: 2014-05-14

Copyright © 2014, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2014, Juniper Networks, Inc.

Copyright © Webscreen Technology 2001-2013

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

DDoS Secure GUI User Guide
Copyright © 2014, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 DDoS Secure GUI Overview

Chapter 1 DDoS Secure Appliance Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

DDoS Secure Appliance Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 DDoS Secure Appliance Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Connecting a DDoS Secure Appliance to the Network . . . . . . . . . . . . . . . . . . . . . . . 7

Understanding the DDoS Secure Appliance Interface Conventions . . . . . . . . . . . . 9

Understanding Defending Versus Logging Operational Modes of the DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . 10

Accessing a Secure DDoS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Imaging a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Reimaging a DDoS Secure Appliance After Hardware Replacement . . . . . . . . . . . 12

Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement . . . . . . . . . . . . . . . . . . . . . 12

Configuring the Management Interface for a DDoS Secure Appliance . . . . . . . . . . 13

Configuring the Management Interface Using a Keyboard and Monitor or a Serial Interface . . . . . . . . . . . . . . . . 13

Configuring the Management Interface Using an Ethernet Interface . . . . . . . 14

Configuring a DDoS Secure Appliance Using Integrated Lights Out Functionality . . . . . . . . . . . . . . . . . . . . . . . . 15

Connecting to a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

End User License Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface . . . . . . . . . . . . . . . . . . . . . . 21

DDoS Secure Appliance Web Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Understanding DDoS Secure Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Using the DDoS Secure Appliance Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . 25

Expanding the Central Pane Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Arranging Table Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Arranging Column Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Sorting Data and Add-Remove Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Understanding Action Cells . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28


Understanding IP/AS Number/Location Details . . . . . . . . . . . . . . . . . . . . . . . 29

Understanding Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 3 DDoS Secure Appliance Configuration and Logs . . . . . . . . . . . . . . . . . . . . . . 33

DDoS Secure Appliance Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Setting Access Control in a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . 35

User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring the DDoS Secure Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Understanding Common Interface Information in a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring DDoS Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

DDoS Secure Appliance Internet Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Adding an Internet MAC Address to a DDoS Secure Appliance . . . . . . . . . . . 49

Configuring a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring Sharing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuring a Protected Gateway Based on MAC Address . . . . . . . . . . . . . . . 58

Configuring Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Configuring DDoS Secure Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring DDoS Secure Appliance Individual Portals . . . . . . . . . . . . . . . . . 63

Configuring DDoS Secure Appliance Bandwidth and Port Filters . . . . . . . . . . 63

Configuring DDoS Secure Appliance Configure Filter Aggregations . . . . . . . . 67

Configuring DDoS Secure Appliance Configure Protected IP addresses . . . . 68

Configuring DDoS Secure Appliance Defined Protected IP Addresses . . . . . . 72

Configuring SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Global Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

FIPS 140-2 Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Management GUI SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Uploading SSL Decrypt Private Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Adding Default Domain SSL Decrypt Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Adding a Specific Domain SSL Decrypt Key . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configured SSL Decrypt Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring Date and Time on DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . 77

Configuring Logging on a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . 78

Setting Up Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Setting Up SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Setting Up a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Setting Up a Structured Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Setting Up a Netflow Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Setting Up a Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Setting Up a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Setting Up GeoIP Database(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Setting Up an Incident Create Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Setting Up an Incident Alert Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Setting Up an Incident View Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Setting Up Incident Peak Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Setting Up the Worst Offenders Logging Threshold . . . . . . . . . . . . . . . . . . . . 88

Setting Up Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89


Managing DDoS Secure Appliance General Logs . . . . . . . . . . . . . . . . . . . . . . 89

DDoS Secure Appliance Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

DDoS Secure Appliance Statistics Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Managing DDoS Secure Appliance Incident Logs . . . . . . . . . . . . . . . . . . . . . . . . . 94

Managing DDoS Secure Appliance Worst Offenders Log File . . . . . . . . . . . . . . . . 96

Reporting on a Specific Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Reporting on a Specific IP or Network Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Upgrading a DDoS Secure Appliance with Patches Using File Upload . . . . . . . . . 98

Understanding DDoS Secure Appliance Packet Capture Options . . . . . . . . . . . . 100

Terminating a DDoS Secure Appliance Packet Capture Recording . . . . . . . . . . . 102

Displaying a DDoS Secure Appliance Packet Capture . . . . . . . . . . . . . . . . . . . . . 103

Downloading and Saving DDoS Secure Appliance Packet Capture Details . . . . 105

Shutting Down a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter 4 DDoS Secure Statistical Displays Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 109

DDoS Secure Appliance Statistical Summary Overview . . . . . . . . . . . . . . . . . . . 109

DDoS Secure Appliance Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

DDoS Secure Appliance Protected IP Information . . . . . . . . . . . . . . . . . . . . . . . . . 114

DDoS Secure Appliance Live Incidents Information . . . . . . . . . . . . . . . . . . . . . . . . 117

DDoS Secure Appliance Worst Offenders Information . . . . . . . . . . . . . . . . . . . . . 118

DDoS Secure Appliance Temporarily Black-Listed Information . . . . . . . . . . . . . . 121

DDoS Secure Appliance Tracked IP Information . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Tracking Country-Wide Usage Information in a DDoS Secure Appliance . . . . . . . 124

DDoS Secure Appliance TCP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

DDoS Secure Appliance UDP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

DDoS Secure Appliance ICMP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

DDoS Secure Appliance Other IP Protocol Information . . . . . . . . . . . . . . . . . . . . 130

DDoS Secure Appliance Fragment Information . . . . . . . . . . . . . . . . . . . . . . . . . . 132

DDoS Secure Appliance URL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

DDoS Secure Appliance DNS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

DDoS Secure Appliance SIP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

DDoS Secure Appliance Bandwidth Information . . . . . . . . . . . . . . . . . . . . . . . . . 138

DDoS Secure Appliance Rerouting Information . . . . . . . . . . . . . . . . . . . . . . . . . . 139

DDoS Secure BGP FlowSpec Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

DDoS Secure Appliance MAC Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Miscellaneous Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

DDoS Secure Appliance Miscellaneous Information . . . . . . . . . . . . . . . . . . . 145

Network Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Disk Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

System Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

DDoS Secure Appliance Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Interface Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Chapter 5 DDoS Secure Defense Information Overview . . . . . . . . . . . . . . . . . . . . . . . . . 151

Understanding DDoS Secure Appliance Operational Mode . . . . . . . . . . . . . . . . . 151

Understanding DDoS Secure Appliance Failover States . . . . . . . . . . . . . . . . . . . . 153

Understanding DDoS Secure Appliance Failover Information . . . . . . . . . . . . . . . 153

Understanding DDoS Secure Appliance State Synchronization Information . . . . 153


Understanding DDoS Secure Appliance Record/Replay State . . . . . . . . . . . . . . . 154

Understanding DDoS Secure Appliance Transition States . . . . . . . . . . . . . . . . . . 154

Understanding DDoS Secure Appliance Protected IP Information . . . . . . . . . . . . 155

Understanding DDoS Secure Appliance Defense Status Information . . . . . . . . . 156

Understanding DDoS Secure Appliance Additional Status Information . . . . . . . 158

Part 2 Appendixes

Appendix A TCP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Understanding DDoS Secure Appliance TCP States . . . . . . . . . . . . . . . . . . . . . . 165

Appendix B ICMP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Understanding DDoS Secure Appliance ICMP Types . . . . . . . . . . . . . . . . . . . . . . 167

Appendix C Index Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Understanding Index Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Appendix D Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

DDoS Secure Appliance Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Appendix E Panel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

DDoS Secure Appliance Panel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

DDoS Secure-1200-Fail-Safe Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Appendix F Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Troubleshooting a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Appendix G Customizing the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Customizing the DDoS Secure Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Images/CSS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Updating Customized Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Removing Customized Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Appendix H TAP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Configuring DDoS Secure for Running in TAP Mode . . . . . . . . . . . . . . . . . . . . . . . 205

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206


List of Figures

Part 1 DDoS Secure GUI Overview

Chapter 1 DDoS Secure Appliance Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Traffic Flow Through a DDoS Secure Appliance . . . . . . . . . . . . . . . . . . . . . 3

Figure 2: Attack Traffic Flow Through a DDoS Secure Appliance . . . . . . . . . . . . . . . 4

Figure 3: Traffic Analysis Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 2 DDoS Secure Appliance Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 4: DDoS Secure Standalone Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Figure 5: DDoS Secure Appliance Network Connection in a High-Availability Cluster . . . . . . . . . . . . . . . . . . . . . . . 9

Figure 6: Navigation Block Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Figure 7: DDoS Secure Appliance Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 8: Security Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Figure 9: End User License Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Figure 10: DDoS Secure Appliance Summary Dashboard . . . . . . . . . . . . . . . . . . . . 21

Figure 11: DDoS Secure Appliance Web Interface Layout . . . . . . . . . . . . . . . . . . . . 22

Figure 12: View Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 13: View Filter Option Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 14: Select View Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 15: Viewing Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 16: Expanding Center Pane Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 17: Displaying Left and Right Pane Option . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 18: Table Arranging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 19: Table Arranging–Finding Position . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 20: Table Arranging–Position Found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 21: Table Sorting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Figure 22: Action Location on Cell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Figure 23: Action on Cell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Figure 24: IP/AS/Location Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Figure 25: Graph Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 26: Previous Graph Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 27: Custom Period Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 3 DDoS Secure Appliance Configuration and Logs . . . . . . . . . . . . . . . . . . . . . . 33

Figure 28: Configuration Overview Page Snippet 1 . . . . . . . . . . . . . . . . . . . . . . . . . 34

Figure 29: Configuration Overview Page Snippet 2 . . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 30: Access Control Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 31: Configure Interface Page Snippet 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 32: Configure Interface Page Snippet 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 33: DDoS Secure Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Figure 34: Configure Portal Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48


Figure 35: DDoS Secure Portal Configuration Overview Page. . . . . . . . . . . . . . . . . 60

Figure 36: DDoS Secure Portal Configure Bandwidth and Port State Filters . . . . 64

Figure 37: DDoS Secure Portal Configure State Filter Aggregations . . . . . . . . . . . 68

Figure 38: Management Only SSL Certificate Option . . . . . . . . . . . . . . . . . . . . . . . 75

Figure 39: Individual Portal Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Figure 40: Specific Domain Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Figure 41: Data and Time Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Figure 42: DDoS Secure Portal Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Figure 43: DDoS Secure SNMP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Figure 44: DDoS Secure Syslog Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Figure 45: DDoS Secure Structured Syslog Server Options . . . . . . . . . . . . . . . . . . 82

Figure 46: DDoS Secure Logging Netflow Server . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Figure 47: DDoS Secure Logging Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Figure 48: DDoS Secure Logging Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Figure 49: DDoS Secure GeoIP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Figure 50: DDoS Secure Incident Create Threshold . . . . . . . . . . . . . . . . . . . . . . . . 87

Figure 51: DDoS Secure Incident Alert Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Figure 52: DDoS Secure Incident View Threshold . . . . . . . . . . . . . . . . . . . . . . . . . 88

Figure 53: DDoS Secure Incident Peak Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Figure 54: Worst Offenders Logging Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Figure 55: Debug Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Figure 56: DDoS Secure General Logs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Figure 57: Configuration File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Figure 58: Configuration File Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Figure 59: Statistics Report Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Figure 60: Incident Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Figure 61: Specific Display Incident Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Figure 62: Worst Offenders Log Page Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Figure 63: Specific Time Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Figure 64: Specific IP Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Figure 65: Upgrade Software Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Figure 66: Upgrade Software Using File Upload . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Figure 67: Confirmation Dialog Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Figure 68: Upgrade Confirmation Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Figure 69: Upgrade Reboot Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Figure 70: New Packet Capture Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Figure 71: Existing Packet Capture Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Figure 72: Packet Capture Display Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Figure 73: Packet Capture Display Column Page . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Figure 74: Packet Capture Download Recording Page . . . . . . . . . . . . . . . . . . . . . 106

Figure 75: Packet Capture Recording Download Page . . . . . . . . . . . . . . . . . . . . . 107

Figure 76: Packet Capture Recording Download Confirmation Page . . . . . . . . . . 107

Figure 77: Shut Down Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter 4 DDoS Secure Statistical Displays Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Figure 78: Summary Dashboard Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Figure 79: Status Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Figure 80: Protected IP Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Figure 81: Live Incidents List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117


Figure 82: Live Incidents Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Figure 83: Worst Offenders Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Figure 84: Last Reason Expand Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Figure 85: Temporarily Black List Confirmation . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Figure 86: IP Temporarily Black Listed Information Page . . . . . . . . . . . . . . . . . . . . 121

Figure 87: Black List Removal Confirmation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Figure 88: IP Tracked Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Figure 89: Country-Wide Usage Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Figure 90: Black List Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Figure 91: TCP Information Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Figure 92: UDP Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Figure 93: ICMP Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Figure 94: Other IP Protocol Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Figure 95: Fragmentation Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Figure 96: URL Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Figure 97: URL Information Option Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Figure 98: DNS Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Figure 99: SIP Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Figure 100: Bandwidth Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Figure 101: Re-Route Info Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Figure 102: BGP FlowSpec Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Figure 103: MAC Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Figure 104: Miscellaneous Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Chapter 5 DDoS Secure Defense Information Overview . . . . . . . . . . . . . . . . . . . . . . . . . 151

Figure 105: Operational Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Figure 106: Appliance or Protected IP Information Page . . . . . . . . . . . . . . . . . . . . 155

Figure 107: Defense Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Figure 108: Additional Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Part 2 Appendixes

Appendix E Panel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Figure 109: DDoS Secure-1200-Fail-Safe Front Panel . . . . . . . . . . . . . . . . . . . . . 199

Figure 110: DDoS Secure-1200-Fail-Safe Back Panel . . . . . . . . . . . . . . . . . . . . . . 199

Appendix H TAP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Figure 111: Logging Tap Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Figure 112: MAC Information for an Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Figure 113: IP Address Out of Local Protected Network Range . . . . . . . . . . . . . . . 207

Figure 114: Protected Side Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Part 1 DDoS Secure GUI Overview

Chapter 3 DDoS Secure Appliance Configuration and Logs . . . . . . . . . . . . . . . . . . . . . . 33

Table 3: Access Control Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Table 4: DDoS Secure Interface Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Table 5: Configure Internet MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Table 6: Appliance Configuration Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Table 7: Configure Sharing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Table 8: Configure Protected Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 9: Configure Portal Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Table 10: Configure Bandwidth and Port Filters Details . . . . . . . . . . . . . . . . . . . . . 64

Table 11: Configure Filter Aggregations Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Table 12: Configure Protected IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Table 13: Defined Protected IP Address Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Table 14: SSL Decryption Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Table 15: Default Domain SSL Decrypt Key Details . . . . . . . . . . . . . . . . . . . . . . . . . 76

Table 16: Specific Domain SSL Decrypt Key Details . . . . . . . . . . . . . . . . . . . . . . . . 76

Table 17: DDoS Secure SNMP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Table 18: DDoS Secure Syslog Server Option Details . . . . . . . . . . . . . . . . . . . . . . . 81

Table 19: DDoS Secure Structured Syslog Logging Details . . . . . . . . . . . . . . . . . . . 82

Table 20: DDoS Secure Netflow Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Table 21: DDoS Secure Mail Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Table 22: DDoS Secure Proxy Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 23: GeoIP Database Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Table 24: DDoS Secure Statistics Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Chapter 4 DDoS Secure Statistical Displays Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Table 25: Summary Dashboard Information Page . . . . . . . . . . . . . . . . . . . . . . . . . 110

Table 26: Status Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Table 27: Protected IP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Table 28: Worst Offender Information Page Details . . . . . . . . . . . . . . . . . . . . . . . 119

Table 29: Temporarily Black Listed Information Page Details . . . . . . . . . . . . . . . . 121

Table 30: Tracked IP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Table 31: Country Usage Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . 124

Table 32: TCP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Table 33: UDP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Table 34: ICMP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129


Table 35: Other IP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Table 36: Fragment Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Table 37: URL Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Table 38: DNS Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Table 39: SIP Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Table 40: Bandwidth Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Table 41: Re-Route Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Table 42: BGP FlowSpec Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . 141

Table 43: MAC Information Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Table 44: Network Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Table 45: Resource Usage Page Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Table 46: Appliance Internal Usage Page Details . . . . . . . . . . . . . . . . . . . . . . . . . 146

Table 47: Disc Activity Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Table 48: System Load Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Table 49: Appliance Queue Usage Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Table 50: Interface Error Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Chapter 5 DDoS Secure Defense Information Overview . . . . . . . . . . . . . . . . . . . . . . . . . 151

Table 51: Operational Modes Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Table 52: Failover State Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Table 53: Record/Replay State Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Table 54: Transition States Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Table 55: Transition States Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Table 56: Defense Status Details page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Table 57: Additional Status Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Part 2 Appendixes

Appendix A TCP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Table 58: TCP Status Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Appendix B ICMP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Table 59: ICMPv4 Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Table 60: ICMPv6 Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Appendix C Index Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Table 61: Type Code Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Table 62: Attack Type Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Appendix D Country Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Table 63: Code Type Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Table 64: Sort by Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Table 65: Sort by Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Table 66: Sort by Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Appendix E Panel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Table 67: DDoS Secure 1200-Fail-Safe Callout Details . . . . . . . . . . . . . . . . . . . . 199


About the Documentation

• Documentation and Release Notes on page xiii

• Documentation Conventions on page xiii

• Documentation Feedback on page xv

• Requesting Technical Support on page xvi

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the

documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject

matter experts. These books go beyond the technical documentation to explore the

nuances of network architecture, deployment, and administration. The current list can

be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page xiv defines notice icons used in this guide.


Table 1: Notice Icons

Meaning                 Description

Informational note      Indicates important features or instructions.

Caution                 Indicates a situation that might result in loss of data or hardware damage.

Warning                 Alerts you to the risk of personal injury or death.

Laser warning           Alerts you to the risk of personal injury from a laser.

Tip                     Indicates helpful information.

Best practice           Alerts you to a recommended use or implementation.

Table 2 on page xiv defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
    Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

Fixed-width text like this
    Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

Italic text like this
    Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
    Examples:
        A policy term is a named structure that defines match conditions and actions.
        Junos OS CLI User Guide
        RFC 1997, BGP Communities Attribute

Italic text like this
    Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name


Text like this
    Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples:
        To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

< > (angle brackets)
    Encloses optional keywords or variables.
    Example: stub <default-metric metric>;

| (pipe symbol)
    Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

# (pound sign)
    Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
    Encloses a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

Indention and braces ( { } )
    Identifies a level in the configuration hierarchy.
    Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

; (semicolon)
    Identifies a leaf statement at a configuration hierarchy level.
    Example: the nexthop address; and retain; statements in the preceding example.

GUI Conventions

Bold text like this
    Represents graphical user interface (GUI) items you click or select.
    Examples:
        In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

> (bold right angle bracket)
    Separates levels in a hierarchy of menu selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can provide feedback by using either of the following

methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.


• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).


For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

DDoS Secure GUI Overview

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Getting Started on page 7

• DDoS Secure Appliance Configuration and Logs on page 33

• DDoS Secure Statistical Displays Overview on page 109

• DDoS Secure Defense Information Overview on page 151


CHAPTER 1

DDoS Secure Appliance Feature Overview

This chapter includes the following topics:

• DDoS Secure Appliance Feature Overview on page 3

DDoS Secure Appliance Feature Overview

The DDoS Secure appliance is a fully automatic DDoS protection system used for websites and Web-connected e-commerce sites. DDoS Secure protects all TCP/IP protocols. An appliance can be real hardware, or it can be a virtual instance (such as VMware).

Figure 1 on page 3 illustrates how normal Internet traffic flows through the DDoS Secure appliance, while the software analyzes the utilization of type, origin, flow, data rate, sequencing, style, and protocol from all inbound and outbound traffic. The analysis is heuristic in nature and adjusts over time but is applied in real time with virtually no latency.

Figure 1: Traffic Flow Through a DDoS Secure Appliance

Figure 2 on page 4 illustrates how the DDoS Secure appliance uses complex data analysis techniques to detect attacks and take the defensive measures.


Figure 2: Attack Traffic Flow Through a DDoS Secure Appliance

Figure 3 on page 4 illustrates how all inbound traffic that is identified as normal (good CHARM score) passes through the appliance without any change. All inbound traffic that is identified as malicious (bad CHARM score) is discarded if the protected resource cannot handle the load. There are no IP addresses to configure on the appliance's Internet traffic interfaces, and the appliance may be installed without changing the network configuration of any existing equipment. However, an IP address is required for the secure control connection to the management PC. The management PC (not provided) requires a browser that supports HTML frames, JavaScript, and the HTTPS protocol, or, alternatively, an SSH client. The management PC is used to initially configure the appliance and then to report on the traffic statistics. During an attack, the appliance uses its built-in heuristic analysis to identify the most likely attackers within a few microseconds of the beginning of an attack. The longer the appliance analyzes the traffic, the better the heuristic analysis. Attacks are tracked on a per-incident basis for easy reporting and analysis.

Figure 3: Traffic Analysis Block Diagram

You can specify blocks of IP addresses (networks and/or single IP addresses, also known as portals), which can be managed separately by designated users. This gives the ability for clients or business groups to manage the DDoS Secure appliance functionality. You can change the portal configuration if you have management permissions. The primary portal is known as -General-.

Related Documentation

• Connecting a DDoS Secure Appliance to the Network on page 7

• Accessing a Secure DDoS Appliance on page 11

• Connecting to a DDoS Secure Appliance on page 16


CHAPTER 2

DDoS Secure Appliance Getting Started

This chapter helps you to connect your DDoS Secure appliance to the network.

• Connecting a DDoS Secure Appliance to the Network on page 7

• Understanding the DDoS Secure Appliance Interface Conventions on page 9

• Understanding Defending Versus Logging Operational Modes of the DDoS Secure Appliance on page 10

• Accessing a Secure DDoS Appliance on page 11

• Imaging a DDoS Secure Appliance on page 11

• Reimaging a DDoS Secure Appliance After Hardware Replacement on page 12

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

• Configuring the Management Interface for a DDoS Secure Appliance on page 13

• Configuring a DDoS Secure Appliance Using Integrated Lights Out Functionality on page 15

• Connecting to a DDoS Secure Appliance on page 16

• End User License Agreement on page 18

• Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface on page 21

• DDoS Secure Appliance Web Interface Overview on page 22

• Understanding DDoS Secure Filter Options on page 23

• Using the DDoS Secure Appliance Web Interface on page 25

Connecting a DDoS Secure Appliance to the Network

Figure 4 on page 8 illustrates the setup for a single standalone DDoS Secure appliance.


Figure 4: DDoS Secure Standalone Appliance

Figure 5 on page 9 illustrates how DDoS Secure appliances are set up in an

active/standby high-availability cluster.

Determine the appropriate I/O connectors for your DDoS Secure appliance, and cable accordingly. It is not necessary to run the appliance with a monitor and keyboard, but it is useful for hardware fault diagnosis and it can be used for access through the command-line interface (CLI).


Figure 5: DDoS Secure Appliance Network Connection in a High-Availability Cluster

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding the DDoS Secure Appliance Interface Conventions on page 9

• Accessing a Secure DDoS Appliance on page 11

• Imaging a DDoS Secure Appliance on page 11

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

• DDoS Secure Appliance Panel Information on page 199

Understanding the DDoS Secure Appliance Interface Conventions

The DDoS Secure appliance interface uses the following conventions:

• I-I/F—Internet Interface

• P-I/F—Protected Interface


• M-I/F—Management PC Interface

• D-I/F—Data Share Interface (Optional)

Crossover cables might be required when plugging directly into a server, router, or similar gateway device. A standard cable should be used for connecting to a switch or hub. The same switch or hub must not be used for connecting to both I-I/F and P-I/F, unless there is VLAN separation.

The management device can be directly connected to the appliance with a crossover cable or through a network with a hub/switch and, optionally, through a router (after the correct default gateway is set on the appliance). Depending on your security policy, you might want to connect the M-I/F to the Internet or protected networks.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Connecting a DDoS Secure Appliance to the Network on page 7

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

Understanding Defending Versus Logging Operational Modes of the DDoS Secure Appliance

The DDoS Secure appliance supports different components in one of two operational

modes:

• Defending—If the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is dropped.

• Logging—If the DDoS Secure appliance detects an undesirable packet, it logs the issue, and the packet is passed.

Examples of different components are:

• Overall operation—logging or defending

• Portal operation—logging or defending

• Protected IP address operation—logging or defending

• White-listed client IP address—logging

• Black-listed client IP address—defending

If an activity uses components that contain a combination of defending and logging, the resultant operational mode will be logging. Thus, for a black-listed client IP address and an overall operation of defending, a portal operation of logging, and a protected IP address operation of defending, the client IP address is not dropped.
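The combination rule above is easy to misread in operation, because a single component left in logging mode (for example a portal still being baselined) means even black-listed clients are passed. The following added example, written for this guide and not taken from the appliance itself, models that rule; the component names come from the guide, while the class, function and log-line formats are assumptions chosen for illustration.

```python
"""Effective defending/logging mode for a DDoS Secure style policy chain.

Added example; it models the composition rule described in the guide, not
the appliance's own code. The component names (overall, portal, protected IP,
client white/black list) come from the guide; all identifiers are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Mode(Enum):
    DEFENDING = "defending"   # undesirable packet is logged and dropped
    LOGGING = "logging"       # undesirable packet is logged and passed


class ClientList(Enum):
    NONE = "none"             # client IP on neither list
    WHITE = "white-listed"    # guide: white-listed client IP -> logging
    BLACK = "black-listed"    # guide: black-listed client IP -> defending


@dataclass(frozen=True)
class PolicyChain:
    overall: Mode
    portal: Mode
    protected_ip: Mode
    client: ClientList = ClientList.NONE


def client_mode(client: ClientList) -> Optional[Mode]:
    """A white-listed client contributes 'logging', a black-listed one
    'defending'; an unlisted client adds no component of its own."""
    if client is ClientList.WHITE:
        return Mode.LOGGING
    if client is ClientList.BLACK:
        return Mode.DEFENDING
    return None


def effective_mode(chain: PolicyChain) -> Mode:
    """Combination rule from the guide: if any component in the chain is in
    logging mode, the resultant mode is logging. Only an all-defending chain
    actually drops packets."""
    components = [chain.overall, chain.portal, chain.protected_ip]
    extra = client_mode(chain.client)
    if extra is not None:
        components.append(extra)
    return Mode.LOGGING if Mode.LOGGING in components else Mode.DEFENDING


def handle_undesirable_packet(chain: PolicyChain, src_ip: str) -> Tuple[str, str]:
    """Return (action, log line) for a packet the heuristics flagged as
    undesirable. Both modes log the issue; only defending drops."""
    mode = effective_mode(chain)
    action = "drop" if mode is Mode.DEFENDING else "pass"
    # Constructed log format for illustration, not the appliance's syslog schema.
    log = f"undesirable packet src={src_ip} mode={mode.value} action={action}"
    return action, log


def logging_components(chain: PolicyChain) -> List[str]:
    """Name every component that forces logging, so an operator can see why
    a black-listed client is still being passed."""
    names = []
    for name, mode in (("overall", chain.overall), ("portal", chain.portal),
                       ("protected-ip", chain.protected_ip)):
        if mode is Mode.LOGGING:
            names.append(name)
    if chain.client is ClientList.WHITE:
        names.append("client-white-list")
    return names


if __name__ == "__main__":
    # The guide's worked case: black-listed client, overall defending,
    # portal logging, protected IP defending -> packet is passed, not dropped.
    chain = PolicyChain(Mode.DEFENDING, Mode.LOGGING, Mode.DEFENDING, ClientList.BLACK)
    print(handle_undesirable_packet(chain, "203.0.113.7"))   # constructed source IP
    print("logging forced by:", logging_components(chain))
```

Running `logging_components` against each portal and protected IP before switching the overall mode to defending shows which entries will still pass attack traffic.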

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding the DDoS Secure Appliance Interface Conventions on page 9

• Imaging a DDoS Secure Appliance on page 11


• Configuring Logging on a DDoS Secure Appliance on page 78

Accessing a Secure DDoS Appliance

You access the DDoS Secure appliance through one of the following methods:

• Keyboard or monitor—Used for CLI access or to configure the management interface IP address.

• Serial interface—Used for CLI access or to configure the management interface IP address.

• SSH connection—Used for secure remote CLI access only.

• Secure Web interface—Used for secure Web interface access.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Connecting a DDoS Secure Appliance to the Network on page 7

• Connecting to a DDoS Secure Appliance on page 16

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement

on page 12

Imaging a DDoS Secure Appliance

To image your DDoS Secure appliance:

1. Insert the DDoS Secure appliance CD into the CD drive.

2. Power cycle the appliance.

NOTE: If your system is connected to a keyboard, you will be prompted to confirm whether or not you want to overwrite the disk.

If there is an existing DDoS Secure appliance configuration on the system disk, you will be prompted to indicate whether or not you want to retain the configuration. By default, any existing configuration is retained on the disk if the system is not connected to a keyboard.

Allow 20 minutes for the system reimage process. After the re-imaging process is complete, the CD will be ejected from the CD drive.

Entering NO at the prompt that asks if you want to keep the existing configuration results in removal of all the existing data. This includes heuristically obtained information as well as the system configuration. If you choose this option, you will need to reconfigure the DDoS Secure appliance.


Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Connecting a DDoS Secure Appliance to the Network on page 7

• Accessing a Secure DDoS Appliance on page 11

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

Reimaging a DDoS Secure Appliance After Hardware Replacement

To reimage an appliance, use one of the options through the BIOS boot options menu:

1. Boot off the internal SD drive—Type reinstall and press Enter, or, using the serial interface, type serial and press Enter.

2. Boot off a CD—Press Enter, or, using the serial interface, type serial and press Enter.

NOTE: Whenever any hardware is replaced, we recommend that you reimage the DDoS Secure appliance so that the image process can correctly detect the new hardware and build it correctly.

DDoS Secure appliances are shipped with an internal SD recovery drive that keeps a copy of the DDoS Secure appliance ISO image on it for recovery.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Imaging a DDoS Secure Appliance on page 11

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement

Before you begin the initial configuration, the following information is required:

• The IP address and netmask for the appliance management interface (M-I/F).

• The default gateway IP address for M-I/F.

• The outgoing bandwidth of the pipe (your Internet connection).

• The hard-coded interface speed for P-I/F, I-I/F, M-I/F, and D-I/F (if not auto selection).

• (Optional) The inbound bandwidth of the protected IP addresses that the appliance will be defending (usually set to link speed). If a load balancing device is being defended, the bandwidth used should be for the load balancer.

• (Optional) Depending on the cluster configuration, the IP address and netmask for the appliance Data Share Interface (D-I/F) for synchronizing states between DDoS Secure appliances.

• (Optional) A list of ports and protocols that you wish to allow through the appliance. For maximum protection, these ports and protocols should be the minimum necessary for business purposes.

NOTE: In the factory default settings, choose values to fit in with your network-addressing schema.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring the Management Interface for a DDoS Secure Appliance on page 13

• Configuring a DDoS Secure Appliance Using Integrated Lights Out Functionality on page 15

• DDoS Secure Appliance Configuration Overview on page 33

Configuring the Management Interface for a DDoS Secure Appliance

You can configure the IP address of the management interface using either of the following methods:

• Console—Keyboard and monitor, or serial interface.

• Network Connection—Default settings for the management Ethernet interface.

1. Configuring the Management Interface Using a Keyboard and Monitor or a Serial Interface on page 13

2. Configuring the Management Interface Using an Ethernet Interface on page 14

Configuring the Management Interface Using a Keyboard and Monitor or a Serial Interface

If you have a keyboard and monitor attached to the DDoS Secure appliance, or a device connected to the serial interface at 9600 baud, 8 bits, with no parity, the appliance can be configured once the appliance has booted.

To configure the management interface using a keyboard and monitor or a serial interface:

1. Log in to the appliance using the username configure and the password configure.

A list of interface mappings is displayed.

2. Enter n to the interface association question.

A series of parameters to define the management interface IP address, network mask, gateway IP address and interface speed as shown below is displayed.

If you do not enter new values, values entered previously appear in the parentheses and are used as the default data.


IP Address (192.168.0.196) :
Netmask (255.255.255.0) :
Gateway (192.168.0.1) :
Speed (auto) [auto/10half/10full/100half/100full/1000full] :

Input Values :-
IP Address : 192.168.0.196
Netmask : 255.255.255.0
Gateway : 192.168.0.1
Speed : auto
OK [y/n]?

When the values are accepted, the management interface is updated with the new

values. You can abort this process by pressing CTRL-C.

NOTE: Configuring the management IP address for virtual instances of DDoS Secure is slightly different for some of the fields. For more information, see the DDoS Secure VMware Virtual Edition Installation Guide.

With the serial interface, you might need to hit the Break key several times (wait 5 seconds between each break) to get a login prompt, as the rates 9600, 57600, and 115200 baud are supported. Any appliance booting messages are always displayed at 9600 baud.

Configuring the Management Interface Using an Ethernet Interface

To configure the management interface using an Ethernet interface:

1. Set up a browser PC with IP address 192.168.0.1.

2. Use a crossover cable between the PC and the DDoS Secure appliance management interface.

3. Power on the DDoS Secure appliance.

4. Connect the PC browser to URL https://192.168.0.196.


NOTE: After you accept the EULAs, reconfigure the IP address of the management interface using the DDoS Secure appliance Web interface as explained in Configuring the Management Interface Using a Keyboard and Monitor or a Serial Interface. The Protected and Internet speed definitions should be identical, and you should take the DDoS Secure engine offline to validate that traffic can still flow and bypass the appliance. If there is a change in switchport speeds (for example: Internet 1G, protected 100M), then auto only should be configured for both interfaces, and on the router/switch ports to which the appliance is connected.

5. Once you have reconfigured the management interface, you can connect it to your network. You can also revert the browser PC to its original settings at this time.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

Configuring a DDoS Secure Appliance Using Integrated Lights Out Functionality

DDoS Secure appliances support the ILO functionality. The ILO shares the same Ethernet port as the management interface, but has a different Ethernet MAC address and requires a unique IP address. The ILO can only be configured by breaking into the BIOS boot process and configuring the ILO there. The ILO IP address has to be unique, which means it cannot be the same as the management IP address. However, it should be in the same network as the management IP address, with the same default gateway. After the ILO is set up, it can be accessed using your Web browser.

NOTE: The default user is root and the password is calvin.

Change this password after logging in for the first time. The ILO has its own credentials and is reachable by anything that can reach the management network, so restrict access to its address as strictly as you restrict access to the management interface itself.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

• Configuring the Management Interface for a DDoS Secure Appliance on page 13


Connecting to a DDoS Secure Appliance

To connect to the DDoS Secure appliance:

1. Open a browser window on the management PC.

2. Type https://aaa.bbb.ccc.ddd in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is 192.168.0.196).

Figure 6 on page 16 displays the navigation block error.

Figure 6: Navigation Block Error

NOTE: The URL is prefixed with https://. All traffic between the management PC and the DDoS Secure appliance is encrypted.

The DDoS Secure appliance produces a self-signed certificate for use in secured communications. This certificate is recreated every time the appliance management interface IP address is configured, or if there is less than a year to run when a software patch is applied. The certificate dates can appear invalid if the clocks on the DDoS Secure appliance and on the browser are significantly out of sync.

3. View and install the certificate to prevent seeing the security alert every time you connect to the DDoS Secure appliance. Because the certificate is self-signed, the browser cannot verify it for you: confirm its fingerprint out of band before installing it. Because the certificate is regenerated when the management IP address changes or a patch is applied, you will need to repeat this step afterwards.

Click Continue to this website (not recommended) if you are sure that you are trying to connect to the DDoS Secure appliance. Figure 7 on page 17 displays the DDoS Secure appliance login page.
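Rather than clicking through the browser warning each time, an administrator can pin the appliance's self-signed certificate by its SHA-256 fingerprint. The following Python script is an added example and is not part of this guide or of the DDoS Secure product. It assumes the fingerprint was recorded out of band and stored in the hypothetical PINNED value; the connection function disables chain validation (the certificate is self-signed), so the pin comparison is the only protection against a man-in-the-middle on the management network. The pin has to be refreshed whenever the appliance regenerates its certificate, which the guide says happens when the management IP address is reconfigured or a patch is applied with under a year of validity left.

```python
import hashlib
import socket
import ssl

# Added example: pin the appliance's self-signed management certificate.


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate as colon-separated hex,
    the format most browsers and openssl x509 -fingerprint display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Compare a DER certificate against a pinned fingerprint.

    Colons and letter case are ignored so a value copied from any tool works.
    """
    normalised = expected.replace(":", "").upper()
    return hashlib.sha256(der_cert).hexdigest().upper() == normalised


def connect_with_pin(host: str, port: int, expected: str, timeout: float = 5.0) -> bool:
    """Open a TLS session and report whether the peer certificate matches the pin.

    Chain validation is deliberately disabled because the appliance certificate
    is self-signed; the pin check below is what stands in for it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(der, expected)


if __name__ == "__main__":
    # Hypothetical placeholder: replace with the fingerprint you recorded out of band.
    PINNED = ":".join(["00"] * 32)
    if connect_with_pin("192.168.0.196", 443, PINNED):
        print("certificate matches the pin; safe to log in")
    else:
        print("PIN MISMATCH: do not enter credentials")
```

Run the script before logging in from a new management PC; a mismatch after a planned IP change or patch means the pin simply needs to be re-recorded, a mismatch at any other time needs investigating.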


Figure 7: DDoS Secure Appliance Landing Page

4. Click Login to access the DDoS Secure appliance.

Alternatively, check Use Original GUI to access the older DDoS Secure interface.

5. Enter the username and password, when prompted.


Figure 8: Security Login Page

The default user name is user and the password is password. Change this default as soon as initial setup is complete (see Setting Access Control in a DDoS Secure Appliance on page 35).

NOTE: The first time you use the appliance, you will be asked to accept the DDoS Secure EULAs after you have logged in.

6. Click Reset to reset the default login values and control access to the DDoS Secure appliance.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Connecting a DDoS Secure Appliance to the Network on page 7

• Accessing a Secure DDoS Appliance on page 11

• Setting Access Control in a DDoS Secure Appliance on page 35

End User License Agreement

Figure 9 on page 19 displays the End User License Agreement (EULA) webpage on first login.


Figure 9: End User License Agreement


1. Read the EULA carefully to make sure that you fully understand the terms and conditions. To accept the EULA:

a. Click I Accept to accept the terms and conditions.

b. Click Cancel to proceed no further.

If you click Cancel, the system powers off.

2. Read the software-specific entitlement addendum carefully to make sure that you fully understand the terms and conditions. To accept the software-specific entitlement addendum:

a. Click I Accept to accept the terms and conditions.

b. Click Cancel to proceed no further.

If you click Cancel, the system powers off.


Once you have accepted the terms and conditions of the license, the DDoS Secure appliance redirects to the DDoS Secure Appliance Summary Dashboard page.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface on page 21

• DDoS Secure Appliance Web Interface Overview on page 22

Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface

After successful authentication, the DDoS Secure appliance summary dashboard is displayed. Figure 10 on page 21 displays the DDoS Secure appliance Summary Dashboard page.

Figure 10: DDoS Secure Appliance Summary Dashboard

The available options are:

• Traffic Monitor—Displays the average speed of data processed, both inbound and outbound, for the appliance, as well as the most active portals.

• Load Status—Displays how busy the DDoS Secure appliance engine is.

• Attack Status—Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources.

• Good Traffic—Displays the distribution of where good traffic is coming from.

• Bad Traffic—Displays the distribution of where bad traffic is coming from.

• Protected Performance—Displays how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP address is.

Related Documentation

• DDoS Secure Appliance Web Interface Overview on page 22

• End User License Agreement on page 18


• Understanding DDoS Secure Filter Options on page 23

DDoS Secure Appliance Web Interface Overview

This section describes and explains the GUI functions.

Figure 11 on page 22 displays the layout for the statistical display part of the appliance user interface. Each individual segment of the page is divided into categories.

Figure 11: DDoS Secure Appliance Web Interface Layout

Options on the left pane are:

• Configuration/Logs—Used to access the configuration and logs window.

• Summary Dashboard—Used to display the summary dashboard.

• Menu Buttons—The menu buttons are in the left pane on the page.

Options on the center pane are:

• Display Output—Used to display output.

• Configuration Input—Used for configuration input.

NOTE: If the operational mode is Standby, then the configuration screen in the center pane is in read-only mode.


The option on the top menu bar is Logout.

Options on the right pane are:

• Operational Mode

• Protected Info

• Defense Status—When an item in defense status turns from black to red, the DDoS Secure appliance is actively defending against this situation.

• Additional Status

Options on the top center pane are:

• Page Specific Action—Actions specific to the page.

• View Filters—The view filter button is available from any page within the statistical display section of the DDoS Secure appliance. Any value entered into the filter stays set until the filter is cleared, even when accessing another page within the DDoS Secure appliance statistical display section.

Related Documentation

• End User License Agreement on page 18

• Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface on page 21

• Understanding DDoS Secure Appliance Operational Mode on page 151

• DDoS Secure Appliance Country Codes on page 175

Understanding DDoS Secure Filter Options

Click the View Filter option at the top of the center pane to open a text box.

Figure 12 on page 23 displays the view filter options.

Figure 12: View Filter Options

Some pages in the statistical display menu have a specific function button or menu. This is for customizing the displayed output.

Filters can be specified in one of the following formats:

• aaa.bbb.ccc.ddd/mask—To specify a group of IP addresses using a netmask

• aaa.bbb.ccc.ddd/count—To specify a group of IP addresses using a netmask length

• aaa.bbb.ccc.ddd—To specify a specific IP address

• xxxx::xxxx:xxxx/count—To specify a group of IPv6 addresses using a netmask length

• xxxx::xxxx:xxxx—To specify a specific IPv6 address


• ABC—To specify a three-letter country code

• AS#nnnnn—To specify a specific AS number
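As an added example, not taken from this guide or from the product, the following Python function classifies a view-filter string into the forms listed above and returns a canonical representation, which is useful when building filter strings from scripts or validating them before they are pasted into the GUI. Two details are assumptions of the example rather than documented behaviour: a /count entry with host bits set is normalised to its network address, and AS numbers are bounded at the 32-bit maximum.

```python
import ipaddress
import re
from typing import Tuple

# Added example: classify a DDoS Secure view-filter string.

_COUNTRY_RE = re.compile(r"^[A-Z]{3}$")              # three-letter country code
_AS_RE = re.compile(r"^AS#(\d{1,10})$", re.IGNORECASE)  # AS#nnnnn
_AS_MAX = 4294967295                                 # assumption: 32-bit ASNs (RFC 6793)


def parse_view_filter(text: str) -> Tuple[str, str]:
    """Return (kind, canonical_text) for one of the documented filter forms.

    kind is one of: as, country, v4net, v6net, v4addr, v6addr.
    Raises ValueError for anything that is not a documented form.
    """
    token = text.strip()
    if not token:
        raise ValueError("empty filter")

    m = _AS_RE.match(token)
    if m:
        asn = int(m.group(1))
        if asn > _AS_MAX:
            raise ValueError(f"AS number out of range: {asn}")
        return ("as", f"AS#{asn}")

    if _COUNTRY_RE.match(token):
        return ("country", token)

    if "/" in token:
        # Covers a.b.c.d/mask, a.b.c.d/count and xxxx::xxxx/count. ipaddress
        # accepts a dotted mask and emits a prefix length; strict=False is the
        # example's choice for host bits set (10.1.2.3/24 -> 10.1.2.0/24).
        net = ipaddress.ip_network(token, strict=False)
        return ("v6net" if net.version == 6 else "v4net", str(net))

    addr = ipaddress.ip_address(token)
    return ("v6addr" if addr.version == 6 else "v4addr", str(addr))


def is_valid_view_filter(text: str) -> bool:
    """True if the string is one of the documented filter forms."""
    try:
        parse_view_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("10.1.2.0/255.255.255.0", "2001:db8::1", "GBR", "as#64496", "gbr"):
        print(sample, "->", parse_view_filter(sample) if is_valid_view_filter(sample) else "invalid")
```

Note that the country form is matched only in upper case, as the guide writes it; a lower-case "gbr" falls through to the address parser and is rejected rather than silently treated as a country.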

Once a filter is active, the View Filter button changes to display the actual filter text, as shown in Figure 13 on page 24.

Figure 13: View Filter Option Example

Other View Filters

When viewing URL, DNS, or SIP information, you see an additional filter. This filter can be used for doing an appropriate string match.

Select Viewing Option

The Web interface can be used to monitor different protected IP address activity. Select the protected IP address, portal, or appliance that you want to monitor from the hierarchy tree as shown in Figure 14 on page 24.

Figure 14: Select View Option

The appliance refers to activity on the local DDoS Secure appliance.

The IP address entry indeterminate (or I-portal-name) refers to activity against IP addresses in that portal that have not yet been confirmed as genuine, live IP addresses.

The displays affected by this entry have the Viewing icon, as shown in Figure 15 on page 25.


Figure 15: Viewing Icon

The list is initially set to global; click on the arrow in front of the folder icon to expand.

The three options that you can select are:

• Appliance—The local DDoS Secure appliance

• Portal—Lists defined portals that can be selected or drilled down to list IP addresses in the portal

• IP—Lists all protected servers by IP address

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface on page 21

• Using the DDoS Secure Appliance Web Interface on page 25

• Understanding DDoS Secure Appliance Operational Mode on page 151

• DDoS Secure Appliance Protected IP Information on page 114

Using the DDoS Secure Appliance Web Interface

• Expanding the Central Pane Area on page 25

• Arranging Table Ordering on page 26

• Arranging Column Ordering on page 27

• Sorting Data and Add-Remove Columns on page 27

• Understanding Action Cells on page 28

• Understanding IP/AS Number/Location Details on page 29

• Understanding Graphs on page 29

Expanding the Central Pane Area

You can expand the center pane on the user interface. The arrow icons highlighted below extend the center pane over the left or right pane, as shown in Figure 16 on page 26.


Figure 16: Expanding Center Pane Option

To display the left or right pane after expanding the center pane, click the appropriate arrow, as shown in Figure 17 on page 26.

Figure 17: Displaying Left and Right Pane Option

Arranging Table Ordering

While viewing the miscellaneous information and status information pages, you can interact with the tables to rearrange, reorder, and hide tables from view. The table arranging options are displayed in Figure 18 on page 26.

Figure 18: Table Arranging Options


Arranging Column Ordering

Each column in a display can be rearranged by selecting the column and dragging it to the desired position. While finding a position, the icon shown in Figure 19 on page 27 is displayed, and when an acceptable position is located, the new location is highlighted as displayed in Figure 20 on page 27.

Figure 19: Table Arranging–Finding Position

Figure 20: Table Arranging–Position Found

Sorting Data and Add-Remove Columns

When the mouse pointer hovers over a column header, the header displays a down arrow. This lets you sort by the selected column, or add or remove columns entirely from the table. Figure 21 on page 28 displays table sorting.


Figure 21: Table Sorting

NOTE: Sorting by columns is not completely supported on some screens.

Understanding Action Cells

Cells that have a gray mark at the bottom right corner have an action associated with the displayed data, as shown in Figure 22 on page 28.

Figure 22: Action Location on Cell

Click on the blue location, as shown in Figure 23 on page 28, to display the popup action box. The red section describes the action, and clicking the button (in purple) executes the action.

Figure 23: Action on Cell


Action cells can be used to:

• View graphs

• Block/unblock IP addresses

• Block/unblock countries

• Track URLs

• Track DNS name query type

• Track SIP URIs

Understanding IP/AS Number/Location Details

The DDoS Secure appliance uses a GeoIP database, which can be used to find more information on Internet IP addresses.

Figure 24 on page 29 displays the pop-up information box that appears when the mouse pointer is hovered over the location cells.

Figure 24: IP/AS/Location Details

Understanding Graphs

All the graphs have a common interface. The options available are described below.

The graph legend is highlighted in purple, as shown in Figure 25 on page 30. Hovering the mouse over a legend label highlights the corresponding graph data in bold.


Figure 25: Graph Details

Click a specific label to drill down the hierarchy tree, showing data from the child node. To revert to the original view, click Previous Graph (highlighted in white), as shown in Figure 26 on page 30.

Figure 26: Previous Graph Option

Time ranges for all graphs are:

• Last 1, 3, 6, 12, or 24 hours.

• Today, yesterday, last week, previous week, last month, or custom.

• Select Custom to display additional options, as shown in Figure 27 on page 31.

Figure 27: Custom Period Configuration

Type in the start date and time in the appropriate text boxes.

Alternatively, select the date by clicking the calendar and the time using the list.

Select the time period for the graph: 1, 3, 6, or 12 hours, 1 week, or 1 month.

Click GO to generate the appropriate graph.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding the Summary Dashboard of a DDoS Secure Appliance Web Interface on page 21

• Understanding DDoS Secure Filter Options on page 23


CHAPTER 3

DDoS Secure Appliance Configuration and Logs

This chapter describes the administration and configuration options available in the DDoS Secure appliance Web interface portal.

• DDoS Secure Appliance Configuration Overview on page 33

• Setting Access Control in a DDoS Secure Appliance on page 35

• Configuring the DDoS Secure Interfaces on page 39

• Configuring DDoS Secure on page 46

• Configuring Portals on page 59

• Configuring SSL on page 74

• Configuring Date and Time on DDoS Secure Appliance on page 77

• Configuring Logging on a DDoS Secure Appliance on page 78

• DDoS Secure Appliance Configuration Files on page 92

• DDoS Secure Appliance Statistics Reports on page 93

• Managing DDoS Secure Appliance Incident Logs on page 94

• Managing DDoS Secure Appliance Worst Offenders Log File on page 96

• Reporting on a Specific Time on page 97

• Reporting on a Specific IP or Network Activity on page 97

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

• Understanding DDoS Secure Appliance Packet Capture Options on page 100

• Terminating a DDoS Secure Appliance Packet Capture Recording on page 102

• Displaying a DDoS Secure Appliance Packet Capture on page 103

• Downloading and Saving DDoS Secure Appliance Packet Capture Details on page 105

• Shutting Down a DDoS Secure Appliance on page 107

DDoS Secure Appliance Configuration Overview

The configuration overview provides details about the DDoS Secure appliance configuration, including general information, user-definable details, and the table sizes used.


Click Configuration Overview to update configuration information, as shown in Figure 28 on page 34 and Figure 29 on page 35.

Figure 28: Configuration Overview Page Snippet 1


Figure 29: Configuration Overview Page Snippet 2

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

• Configuring the Management Interface for a DDoS Secure Appliance on page 13

Setting Access Control in a DDoS Secure Appliance

Click Configure Access Control to configure DDoS Secure appliance access control. Figure 30 on page 36 displays the access control page.

Access control is used to configure users and define access lists for HTTPS, SSH, SNMP, and external authentication servers. When multiple portals are configured, user accounts can be created to access specific portals. To do this, select the portal from the list. For any portal other than -General-, the Network Access configuration is not displayed.


Any user defined in a portal other than -General- is only allowed to access their defined portal. A user defined on the DDoS Secure appliance itself can access all portals.

Information is transferred between the appliance and the management PC over an encrypted SSL link, and users are authenticated with a username and password pair.

Figure 30: Access Control Page

User Access

User access is available for:

• Administrator—Can access and configure the DDoS Secure appliance portal.

• Operator—Can access but not configure the DDoS Secure appliance. An operator can change their own password.

• Guest—Can view the DDoS Secure appliance portal configuration information, excluding user information. A guest is not allowed to change their own password.

• sso—Can change user information.

Table 3 on page 36 provides a summary of the information displayed on the DDoS Secure access control page.

Table 3: Access Control Page Details

Username: This field needs to be configured when adding a new user. A username must start with a lowercase letter, with additional characters made from a mix of lowercase letters, digits, underscores, and hyphens. Usernames are unique across all portals.

Password: Enter a value if you want to change the password. A password must contain (ASCII) printable characters, with a minimum of 6 characters and a maximum of 35 characters.

Confirm Password: Enter the new password again to confirm.

Permissions: Select administrator, operator, guest, or sso from the pull-down list.

SSH Authorized Keys file: Allows public/private keys to be used for user access to DDoS Secure instead of passwords. The public key part of an SSH public/private key pair can be uploaded for use.

We recommend that you choose a password that has 10 or more characters, with a combination of uppercase and lowercase letters, numbers, and special characters. Do not disclose your password to anybody. An administrator password should be available to authorized people for use in an emergency. In such cases, the administrator should change the password afterwards.

NOTE: If you lose your password, it is most likely that you will have to reimage your DDoS Secure appliance. By reimaging your appliance, you will lose all configuration information.
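The following Python validator is an added example, not part of this guide or of the appliance. It enforces the hard username and password rules from Table 3 and, optionally, the stronger password policy recommended above, so that credentials can be checked before they are entered into the access control page (for instance by a provisioning script).

```python
import re

# Added example: check candidate credentials against the rules in this section.

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]*$")   # Table 3 username rule
PASSWORD_MIN, PASSWORD_MAX = 6, 35               # Table 3 hard limits
RECOMMENDED_MIN = 10                             # recommended minimum length


def validate_username(name: str) -> list:
    """Return a list of problems; an empty list means the name is acceptable."""
    if USERNAME_RE.match(name):
        return []
    return ["must start with a lowercase letter and use only lowercase "
            "letters, digits, '_' or '-'"]


def validate_password(pw: str, enforce_recommended: bool = True) -> list:
    """Return a list of problems with a candidate password.

    The hard limits (length and printable ASCII) are always checked; the
    recommended policy (10+ characters, all four character classes) is
    checked when enforce_recommended is True.
    """
    problems = []
    if not PASSWORD_MIN <= len(pw) <= PASSWORD_MAX:
        problems.append(f"length must be between {PASSWORD_MIN} and {PASSWORD_MAX} characters")
    # Printable ASCII is 0x20 (space) through 0x7E (~).
    if not all(0x20 <= ord(c) <= 0x7E for c in pw):
        problems.append("only printable ASCII characters are accepted")
    if enforce_recommended:
        if len(pw) < RECOMMENDED_MIN:
            problems.append(f"use at least {RECOMMENDED_MIN} characters")
        classes = {
            "uppercase letters": any(c.isupper() for c in pw),
            "lowercase letters": any(c.islower() for c in pw),
            "digits": any(c.isdigit() for c in pw),
            "special characters": any(not c.isalnum() for c in pw),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for user, pw in (("ops-admin_2", "Tr0ub4dor&3xyz"), ("Admin", "abcdef")):
        print(user, validate_username(user), validate_password(pw))
```

The default user/password pair from the login page fails the recommended policy on every count, which is one more reason to replace it during initial setup.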

External Authenticators

RADIUS external authentication is supported. The appropriate fields need to be updated as specified by the owner of the RADIUS server. The user still needs to be defined on the DDoS Secure appliance for both GUI and SSH access. The authentication sequence is: check the remote password; if that fails, check the local password. Because of this fallback, disabling or deleting an account on the RADIUS server does not by itself stop that user from logging in with the local password, so remove or change the local account as well.

Network Access Definitions

IP addresses can be specified with one of the following formats:

• all—All IP addresses are valid.

• aaa.bbb.ccc.ddd/mask—To specify a group of IP addresses using a subnet mask.

• aaa.bbb.ccc.ddd/count—Tospecify agroupof IPaddressesusingasubnetmask length.

• aaa.bbb.ccc.ddd—To specify a specific IP address.

• none—No valid IP addresses.

Values can also be separated using commas. Thus, 11.22.33.44,44.33.22.11 allows access from host addresses 11.22.33.44 or 44.33.22.11.


NOTE: The value all has the highest precedence in a list and replaces all other values, and the value none has the lowest precedence in a list and is ignored unless it is used on its own.

The preferred range notation is the aaa.bbb.ccc.ddd/count format. When a new configuration is accepted, the current configuration is displayed in this preferred format: any entries in /mask format are replaced with /count, and any redundant values are removed, leaving just the larger address ranges that encompass them.

Network Services

https: Access to the DDoS Secure appliance is strictly controlled. By default, any IP address can access the appliance through a secured HTTPS Web connection. If users try to connect to the regular HTTP port using the homepage (http://w.x.y.z/), they are immediately redirected to the secured HTTPS Web connection (https://w.x.y.z/). Only valid users can access the appliance. We strongly recommend that access be limited to a specific set of source IP addresses if the management interface is directly connected to the Internet.

The list of Juniper Networks public IP addresses can easily be enabled or disabled for Juniper Networks personnel access by selecting or clearing the appliance check box. We recommend that you leave this check box enabled (as well as providing access to the appliance management interface through firewalls and so on) so that Juniper Networks personnel can quickly help you in DDoS attack scenarios.

SSH: By default, only private (RFC 1918) and Juniper Networks public IP addresses can access the appliance through an SSH connection. A CLI is provided. Only valid users can access the CLI. We strongly recommend that access be limited to a specific set of source IP addresses if the management interface is directly connected to the Internet. New connections are rate limited, so if there is a connection timeout failure, wait a few minutes before trying again.

The list of Juniper Networks public IP addresses can easily be enabled or disabled for Juniper Networks personnel access by selecting or clearing the appliance check box. We recommend that you leave this check box enabled (as well as providing access to the appliance management interface through firewalls and so on) so that Juniper Networks personnel can rapidly help you in DDoS attack scenarios.

SNMP: By default, SNMP access is not enabled. SNMP access can be enabled for third-party packages such as HP OpenView. If SNMP traps are enabled, the trap receiver address is automatically included in this field.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Connecting a DDoS Secure Appliance to the Network on page 7

• Connecting to a DDoS Secure Appliance on page 16


Configuring the DDoS Secure Interfaces

The interface link modes need to be correctly set for your network infrastructure to provide optimal network speeds. Link speed auto-detection will fail (usually falling back to half-duplex) if the other end of the link is set to a fixed speed.

Click Configure Interfaces to configure the DDoS Secure interfaces. Figure 31 on page 39 and Figure 32 on page 40 display the Configure Interface page.

Figure 31: Configure Interface Page Snippet 1


Figure 32: Configure Interface Page Snippet 2

NOTE: These values cannot be configured when DDoS Secure is running as an application instead of as an appliance. However, you can configure them for the DDoS Secure application through the appropriate interface of the third-party hardware platform.

For fail-safe cards, the protected and Internet speed definitions should be identical, and you should take the DDoS Secure engine offline to validate that traffic can still flow and bypass the appliance. If the switch port speeds differ (for example, Internet 1G, protected 100M), then only auto should be configured for both interfaces, and on the router/switch ports to which the appliance is connected.


Understanding Common Interface Information in a DDoS Secure Appliance

For an appliance that uses more than one interface for the Internet/protected data path, additional columns are added for each extra interface.

If CDP or LLDP packets are detected on an interface, the information contained within those packets is displayed where appropriate.

For fail-safe cards, the current state of the transmitter (Tx) and receiver (Rx) is prefixed with - (off) or + (on). The underlying Linux Ethernet name (ethX) is also displayed.

Table 4 on page 41 provides a summary of the information displayed on the DDoS Secure interface page.

Table 4: DDoS Secure Interface Page Details

DescriptionField

Internet Interface Definition

The name of the interface.Interface Name

If the switch/hub that this interface is connected to ishard-coded to a specific speed/duplex, then the interface linkmodemust be set to the same value. The default value of autoindicates to the interface to negotiate interface speed/duplex.The currently detected speed/duplex is shown in the third or asubsequent column.

Interface Link Mode

The flow control mode controls the automatic generation of(Tx) and response (Rx) to Ethernet pause frames on thisinterface. The default value of auto (only valid if link mode isset to auto) indicates to the interface to negotiate flow control.The currently detected flow control is shown in the third orsubsequent column.

I/F Flow Control Mode

The options available are:

• Chassis

• Port ID

LLDP

Internet Layer 3 IP Addresses (only when running in the L3 network mode)

Assign IP address and prefix for the Internet interface.IP/Prefix

Remote Network Information Global Definition

41Copyright © 2014, Juniper Networks, Inc.

Chapter 3: DDoS Secure Appliance Configuration and Logs

Table 4: DDoS Secure Interface Page Details (continued)

DescriptionField

The options available are:

• L2 (bridge)—DDoS Secure acts as a Layer 2 bridging devicewith Internetandprotected interfaces running inpromiscuousmode.

• L2/L3 (split network)—DDoS Secure is running at Layer 2.However, interfaces are not running in promiscuous mode.Selecting this network mode, the user must specify LocalNetwork InformationandRemoteNetwork Information. Theseoptions appears once the network mode is selected andallows DDoS Secure to separate the network into two partswithMan-in-the-Middle ARP requests.

• L3 (Router)—In some virtual environments it might benecessary for DDoSSecure to be a Layer 3 device. If selected,the Internet and protected interfaces must be configuredwith IP addresses that are on separate subnets, and remotenetwork routing information must be defined. Internet IPAddress(es), Protected IP Address(es), and Remote NetworkInformation configuration options appear.

NOTE: L2, L2/L3, or L3 buttons might be disabled, if thatfunctionality is notavailable. For example, an Internet IPaddressis defined, so L2 or L2/L3modes are not available.

Network Mode

This is used to define the MTU packet size for the data pathbetween the Internetand theprotected IPaddresses. For jumboframe support, MTU packet size is set to 9216.

MTU (without MAC Header)Size

This is used to enable/disable the generation of CDP packetsby the DDoS Secure appliance on all the interfaces, except inthe case of KVM/Xen hypervisor versions, when CDP packetsare only sent out of the Internet Interface.

CDP Packet Info Generation

If there is a link failure on the Internet interface, then the DDoSSecure appliance turns off the transmitter on the protectedinterface so that the protected switch detects the link failureon the other side of the appliance.

Link Fault Pass Through

Set this if the same IPaddress is being used for different serversin different VLANs so that DDoS Secure can differentiatebetween them.

Same IP, different server, indifferent VLAN/MPLS

For an appliancewheremore thanone interface is used insteadof the Internet or protected data path. The port pair 1 can beenabled or disabled.

NOTE: Disabling port pairs will prohibit the traffic flow.

Port Pair 1

For an appliancewheremore thanone interface is used insteadof the Internet or protected data path. The port pair 2 can beenabled or disabled.

NOTE: Disabling port pairs will prohibit the traffic flow.

Port Pair 2

Copyright © 2014, Juniper Networks, Inc.42

DDoS Secure GUI User Guide

Table 4: DDoS Secure Interface Page Details (continued)

DescriptionField

The Internet and protected interfaces can easily be swappedover (if, for example, there is a cable misconfiguration) byclickingonSwapInternetandProtected Interfaces (notavailableif the appliance is running in an active/standby pair).

Swap Internet and ProtectedInterfaces

Remote Network Information (only available when either L2/L3 Split and L3 router networkmodeis selected)

A remote network accessible from one of the local networks.The keyword default is also valid.

Remote CIDR

The IP address on the local network that is used to get to theremote CIDR.

Gateway

Protected Interface Definition

Name of the protected interface.Interface Name

If the switch/hub that this interface is connected to ishard-coded to a specific speed/duplex, then the interface linkmodemust be set to the same value. The default value of autoindicates that the interface tonegotiate interface speed/duplex.The currently detected speed/duplex is shown in the third or asubsequent column.

Interface Link Mode

The flow control mode controls the automatic generation of(Tx) and response (Rx) to Ethernet pause frames on thisinterface. The default value of auto (only valid if link mode isset to auto) indicates to interface to negotiate flow control. Thecurrently detected flow control is shown in the third orsubsequent column.

I/F Flow Control Mode

The options available are:

• Device

• Platform

• Port

• Capability

• IP—IP address of the data share interface.

NOTE: To prevent routing errors, the data share interfacemust not have an IP address that is in the same network asthe management interface.

• Duplex

• MTU

CDP

Protected Layer 3 IP Addresses (only when running in L3 Network Mode)

Assign IP address and prefix for the interface.IP/Prefix


Chapter 3: DDoS Secure Appliance Configuration and Logs


Data Share Interface Definition

Interface Name: This interface is used to share (configuration, state and Incident) information between DDoS Secure appliances (configured as fail-over or state sharing). If this interface is not configured with an IP address, then the information is shared over the management interface, which can potentially make the management network busy.

If any of the logging servers have an IP address that is in the data share network IP address space, then traffic to the logging server will be routed over the data share interface.

IP Address: IP address of the data share interface.

NOTE: To prevent routing errors, the data share interface must not have an IP address that is in the same network as the management interface.

Network Mask: The network mask of the data share interface.

Interface Link Mode: If the switch/hub that this interface is connected to is hard-coded to a specific speed/duplex, then the interface link mode must be set to the same value. The default value of auto indicates that the interface is to negotiate interface speed/duplex. The currently detected speed/duplex is shown in the third or a subsequent column.

I/F Flow Control Mode: The flow control mode controls the automatic generation of (Tx) and response (Rx) to Ethernet pause frames on this interface. The default value of auto (only valid if link mode is set to auto) indicates that the interface is to negotiate flow control. The currently detected flow control is shown in the third or a subsequent column.

MTU (without MAC Header) Size: You can share state information between DDoS Secure devices using a larger MTU, providing the underlying infrastructure supports it. However, this MTU cannot be larger than the MTU specified for traffic flowing between the protected and Internet interfaces.

Management Interface Definition

IP Address: IP address of the management interface.

NOTE: To prevent routing errors, the management interface must not have an IP address that is in the same network as the data share interface.

Network Mask: The network mask of the management interface.

Default Gateway IP Address: The IP address of the router that the DDoS Secure appliance needs to use to get to an IP address that is not on the local LAN.


DNS Server Address(es): The DNS servers to use if any URLs (for example, GeoIP data updates) need to be looked up.

Interface Link Mode: If the switch/hub that this interface is connected to is hard-coded to a specific speed/duplex, then the interface link mode must be set to the same value. The default value of auto indicates that the interface is to negotiate interface speed/duplex. The currently detected speed/duplex is shown in the third or a subsequent column.

I/F Flow Control Mode: The flow control mode controls the automatic generation of (Tx) and response (Rx) to Ethernet pause frames on this interface. The default value of auto (only valid if link mode is set to auto) indicates that the interface is to negotiate flow control. The currently detected flow control is shown in the third or a subsequent column.

CDP: The options available are:

• Device

• Platform

• Port

• Capability

• IP

• Duplex

• MTU—You can share state information between DDoS Secure devices using a larger MTU, providing the underlying infrastructure supports it. However, this MTU cannot be larger than the MTU specified for traffic flowing between the protected and Internet interfaces.

Management Specific Routing Information

Action: Click Add to update the following details:

• Remote CIDR—The IP address or network to reach in aaa.bbb.ccc.ddd/count format.

• Gateway—The gateway to route traffic to the CIDR.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Configuration Overview on page 33

• Using the DDoS Secure Appliance Web Interface on page 25

• Connecting to a DDoS Secure Appliance on page 16


Configuring DDoS Secure

The parameters displayed in Figure 33 on page 47 should be set on the DDoS Secure appliance immediately after the first power-up. These parameters are used by the appliance algorithm to tune responses to attacks. The default values are used if no user-defined values are entered. Click Configure DDoS Secure to configure the DDoS Secure appliance. This view is available only to appliance-level users.


Figure 33: DDoS Secure Configuration

This page is divided into four parts and describes the following:

• Topology of the network on the Internet side of the DDoS Secure appliance.

• The DDoS Secure appliance operation.


• Who the DDoS Secure appliance is going to be sharing information with.

• Topology of the network on the protected side of the DDoS Secure appliance.

An appliance-level user or a portal user can also access a narrowed view of portal-specific black-list, white-list, preferred list, or default list configurations as described in Table 6 on page 50. An appliance-level user can select a specific portal from the top portal selector list. A portal user sees this restricted view only when selecting the Configure DDoS Secure page. See Figure 34 on page 48.

Figure 34: Configure Portal Definitions

DDoS Secure Appliance Internet Gateways

This section describes the topology of the network on the Internet side of the DDoS Secure appliance. If the appliance has been running for a short time, some of the systems connected will be detected by MAC address. Within this section, the speed and packet rate that a particular device can support can only be configured with respect to its MAC address. The IP address of a device (known as a gateway) is self-learned and cannot be modified, as it is only provided to act as a visual aid. An address of 0.0.0.0 means that no IP address has yet been seen for the MAC address. It is possible that the Internet gateway might initially have a non-local Internet address, but eventually the appliance will recognize the actual IP address of the gateway.

Table 5 on page 48 provides a summary of the information displayed on the DDoS Secure configuration page.

Table 5: Configure Internet MAC Addresses

Configure Internet MAC Address

Gateway IP: The gateway IP address.

MAC Address: The MAC address is the 6-byte MAC (or NIC) address of the interface card on the gateway. If the DDoS Secure appliance is sitting on a VLAN/MPLS trunked or tunneled connection, then the appropriate information will be shown as well.


To Speed (bps): The maximum data rate that the gateway device can accept for passing on to whatever is behind the gateway. For example, if the gateway were connected to a 1544 Kbps (T1) line, then the speed should be defined as 1544K or 1.544M. Speed can be specified in units of K (1,000), M (1,000,000) or G (1,000,000,000). 0 or U means unrestricted. This speed is used in the appliance's algorithms for determining when bandwidth should be controlled.

To Rate (pps): The maximum packet rate (packets per second) that the gateway device can accept for passing on to whatever is behind the gateway. The rate can be specified in units of K (1,000), M (1,000,000) or G (1,000,000,000). If the value is set to 0 or U, it means it is unrestricted. We recommend that you use the suggested rate if the maximum packet handling rate is not known.

Suggested Rate (pps): The recommended default is normally 25% of the theoretical maximum number of small packets that can fit down the To Speed of the gateway. On lower bandwidth links (links with a bandwidth of less than 8 Mbps) the recommended value will be higher than 25% of the theoretical maximum, and on higher speed links this might be less than 25%.
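To show how the To Speed notation and the Suggested Rate relate, here is an added Python example (not code from the guide or from Juniper) that parses K/M/G/0/U speed strings and derives the 25% small-packet rate. It assumes an 84-byte wire footprint for the smallest Ethernet frame (64-byte frame plus preamble and inter-frame gap), which the guide does not state.

```python
"""Added example (not part of the DDoS Secure guide): To Speed parsing and the
25% small-packet Suggested Rate described for Table 5."""

from typing import Optional

# Unit multipliers exactly as the guide lists them for To Speed / To Rate.
_UNITS = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# ASSUMPTION (not stated on the page): a "small packet" is a minimum-size
# Ethernet frame, 64 bytes on the wire plus 8 bytes preamble/SFD and a
# 12-byte inter-frame gap = 84 bytes = 672 bits.
SMALL_PACKET_BITS = 84 * 8


def parse_speed(text: str) -> Optional[int]:
    """Parse a GUI value such as '1544K', '1.544M', '10G', '0' or 'U'.

    Returns an integer (bps or pps), or None for the unrestricted markers
    0 and U. Raises ValueError on anything else so a mistyped entry is
    reported rather than silently treated as zero.
    """
    s = text.strip().upper().replace(",", "")
    if s in ("0", "U"):
        return None
    unit = 1
    if s and s[-1] in _UNITS:
        unit = _UNITS[s[-1]]
        s = s[:-1]
    if not s:
        raise ValueError(f"missing number in speed {text!r}")
    try:
        value = float(s)
    except ValueError:
        raise ValueError(f"unparseable speed {text!r}") from None
    if value < 0:
        raise ValueError(f"negative speed {text!r}")
    return int(round(value * unit))


def theoretical_max_pps(speed_bps: int) -> int:
    """Largest number of minimum-size frames per second the link can carry."""
    return speed_bps // SMALL_PACKET_BITS


def suggested_rate_pps(speed_bps: Optional[int], fraction: float = 0.25) -> Optional[int]:
    """The guide's normal default: 25% of the theoretical small-packet maximum.

    The guide says the fraction is higher than 25% below 8 Mbps and may be
    lower on fast links but gives no figures, so it is left as a parameter.
    """
    if speed_bps is None:
        return None  # unrestricted speed: no rate can be derived from it
    return int(theoretical_max_pps(speed_bps) * fraction)


def format_rate(value: Optional[int]) -> str:
    """Render a value in the K/M/G notation the GUI accepts ('U' if unrestricted)."""
    if value is None:
        return "U"
    for suffix, mult in (("G", 1_000_000_000), ("M", 1_000_000), ("K", 1_000)):
        if value >= mult and value % mult == 0:
            return f"{value // mult}{suffix}"
    return str(value)


if __name__ == "__main__":
    for entry in ("1544K", "1.544M", "100M", "1G", "U"):
        bps = parse_speed(entry)
        print(f"To Speed {entry:>7} -> max {theoretical_max_pps(bps) if bps else 'n/a':>10} pps,"
              f" suggested {format_rate(suggested_rate_pps(bps))}")
```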

Adding an Internet MAC Address to a DDoS Secure Appliance

You can define an Internet gateway MAC address that has not been auto-detected. You will need to ensure that the Add check box is selected, and then click Update at the end of the configuration page, or at the top right, for a new item to be included. VLAN and/or MPLS information can be included by using the following prefixes:

• v—VLAN

• q—QINQ

• u—Unicast MPLS label

• m—Multicast MPLS label

• IPv4—IPv6 traffic tunneled in IPv4

• GRE—IPv4 traffic in a GRE tunnel

Defined Internet MAC Addresses

This section contains all the defined Internet MAC addresses. Select the Remove check box to remove inactive Internet MAC addresses from the display. Click Update to confirm this change.

Auto-Detected Internet MAC Addresses

This section contains all Internet MAC addresses detected by the appliance, apart from those reported above. Select the Include check box to move this MAC address into the defined Internet MAC addresses section, where interface speeds can be modified. To purge all the auto-detected Internet MAC addresses, click Delete All. Inactive auto-detected MAC addresses are deleted automatically after five days.

Configuring a DDoS Secure Appliance

Table 6 on page 50 provides a summary of the information displayed on the appliance configuration page.

Table 6: Appliance Configuration Page Details

Configure Appliance

Host Name: The default for the hostname is the IP address of the DDoS Secure appliance. Changing the entry also updates the name in the browser tab and the system name in any generated CDP packets.

Operational Mode: The DDoS Secure appliance can operate in different modes, some of which are primarily used for diagnostic purposes. These modes are:

Defending—In this mode, the DDoS Secure appliance is behaving normally, passing packets and defending as required.

Defending-NoStateLearn—For the first five minutes following a reboot, or a network cable being plugged in, the appliance bypasses its normal rigorous state table checking and re-syncs state with any active existing connections. These five minutes of grace prevent the blocking of packets from existing connections active at the time of the appliance restarting. This can be overridden by setting the DDoS Secure appliance into Defending-NoStateLearn mode. Doing this will cause a substantial number of connections to be dropped, and so is not normally recommended.

Logging—Where the appliance monitors the traffic and flags any attacks detected but does not drop any packets prior to transmission out of the opposite interface. Consequently, some of the entries in the TCP/UDP/ICMP/Other Info pages might be highlighted in yellow to flag these discrepancies. Some of the other reported statistics might be skewed by the fact that packets should have been dropped, but were not seen. In this mode, the appliance is allowed to proactively generate packets (such as TCP keepalives to test for genuine idle connections, or fail-over heartbeats).

Logging-NoKeepAlives—This is the same as Logging, except that TCP keepalives will not be generated proactively. The appliance will, however, generate fail-over heartbeats if configured for fail-over. Running in this mode will cause a higher incidence of Blocked State–No State Incidents, as the DDoS Secure appliance is unable to determine if a session has expired.

Logging-Tap—Where the appliance monitors traffic that is picked up by its Internet Interface and flags any attacks detected but does not pass any packets to or from the protected interface. If this mode is enabled, one or more protected IP addresses, or one or more protected gateways that are actually connected to the Internet Interface, have to be defined as sitting behind the DDoS Secure appliance, so that the appliance knows which protected IP addresses are being protected for defense purposes. In this mode, it is also advisable to configure the Internet gateways. Note that the sequencing of packets received on the tap port might be in the wrong order if the switch is mirroring multiple ports; the wrong ordering can confuse the DDoS Secure appliance state logic and give rise to a lot of false positives.

NOTE: Use of this option is not recommended.

Bypass-Software—The appliance passes all the traffic directly to its other interface through the kernel address space. The appliance does not monitor the traffic for attacks and therefore does not have the capability to drop any attack packets.

Bypass-FS-Hardware—The appliance passes all the traffic directly through to its other interface by forcing the fail-safe card into bypass mode. The appliance does not monitor the traffic for attacks and therefore does not drop any packets.

NOTE: Logging-Tap and Bypass-Software modes are only available when the DDoS Secure appliance is not running in a high-availability configuration.

NOTE: Bypass-FS-Hardware mode is only available when the DDoS Secure appliance is not in a high-availability configuration, and a fail-safe card is being used.

Override Portal/Protected Logging modes: Select this option if you want this appliance to override any portal or protected IP address settings and force them to be defending no matter how they are configured.

NOTE: If the appliance is overall in logging mode, then this option will have no effect.

NOTE: If a client IP address is in the white-list, then the white-listed IP address will still be allowed through, as it is not affected by this option.


High Availability Mode: The DDoS Secure appliance is capable of operating in different high availability modes.

Standalone—Operates in standalone mode. Traffic is passed through, based on the operational mode. Spanning tree (BPDU) packets are passed through. If there is a fail-safe card, then this DDoS Secure appliance will go into bypass if there is a software shutdown, or a power failure.

NOTE: This mode cannot be selected if the DDoS Secure appliance is currently running in a high-availability cluster.

Standalone-NoFS—Operates in standalone mode, even if it is licensed for fail-over. Traffic is passed through, based on the operational mode. Spanning tree (BPDU) packets are passed through. If there is a fail-safe card, then this DDoS Secure appliance will go into no-link status if there is a software shutdown, or a power failure.

NOTE: This mode cannot be selected if the DDoS Secure appliance is currently running in a high-availability cluster.

Active-Standby—The DDoS Secure appliance negotiates with any other DDoS Secure appliances as to whether an active-standby relationship can be set up. If a partner is found, then this DDoS Secure appliance will be either the active or standby partner. BPDU packets are dropped. If a fail-safe card is being used, the card will be set to dual-port mode to disable the fail-safe functionality.

Active-Standby-FS—The DDoS Secure appliance negotiates with any other DDoS Secure appliances as to whether an active-standby relationship can be set up. If a partner is found, then this DDoS Secure appliance will be either the active or standby partner. BPDU packets are dropped only if a DDoS Secure appliance engine is running. If a fail-safe card is being used, and both DDoS Secure appliances are alive, both cards will be set to dual-port mode so that a single DDoS Secure appliance failure will not cause a network short-circuit. If only one DDoS Secure appliance is available in the high-availability cluster, then its card will be set to bypass-capable, so that if there is a failure of the single DDoS Secure appliance, traffic will pass through the fail-safe card. If one DDoS Secure appliance is trying to boot, and the partner is down with its fail-safe card in bypass mode, then the booting DDoS Secure appliance will not come out of the probe state until the bypass link is removed.

• Priority—This can only be defined if high availability mode is set to active-standby. The priority can be configured to have a value between -127 and 127 inclusive. If a fail-over cluster has different priorities for the individual DDoS Secure appliances, the DDoS Secure appliance with the highest numerical priority will be the default active of the cluster and will take over one minute after successfully booting, or after the priority is changed.

• Grouping ID—A DDoS Secure appliance can only establish an active-standby relationship with another DDoS Secure appliance with the same grouping ID. Having different grouping IDs allows multiple high-availability pairs to co-exist in the same network environment.


Asymmetric Routing: With connection state being shared between DDoS Secure appliances, you can set up a network where there is asymmetric routing, where data flows in one direction through a DDoS Secure appliance and back out through another DDoS Secure appliance. There is a potential timing window where state has not yet been updated (usually with idle servers) before the return response packet is seen. Checking the asymmetric routing check box removes some of the state checking but marginally increases the risk of not properly defending the protected IP addresses. If operating in an asymmetric environment, we recommend that you check this box.

Auto Black-Listing

Auto Temporary Black-List IP Address: You can get the DDoS Secure appliance to auto black-list IP addresses if their error rate is running over a specified threshold. Select this option to enable this functionality. IP addresses that are black-listed will be removed from the black-list automatically by the DDoS Secure appliance when the core engine decides that it is safe to do so, usually after 5 minutes of no traffic from this IP address.

NOTE: The auto black-list system will never block a protected IP address, preferred client, white-list client, or one of the addresses defined as being un-black-listable in this sub-section.

-Bad Average Irritant (Type 1) Rate (/s): If the Bad Irritant Rate (known as Type 1) rolling average rate (as displayed in worst offenders) for an IP address exceeds this value, and auto black-list IP addresses is enabled, then the IP address in question will be added to the auto black-listed IP address list. No more traffic is allowed to or from this IP address until it is removed from the auto black-listed IP address list (either manually or automatically).

The Type 1 rolling average rate is based on all packets dropped regardless of attack type and is normally set with a high threshold (the default is 200).

-Bad Average Resource Usage (Type 2) Rate (/s): If the Bad Resource Usage (known as Type 2) rolling average rate (as displayed in worst offenders) for an IP address exceeds this value, and auto black-list IP addresses is enabled, then the IP address in question will be added to the auto black-listed IP address list. No more traffic is allowed to or from this IP address until it is removed from the auto black-listed IP address list (either manually or automatically).

The Type 2 rolling average rate is based on packets dropped against attack types known to cause aggressive resource consumption on most targets. Such attacks are usually, but not exclusively, managed by the DDoS Secure appliance CHARM algorithms and include attacks such as SYN floods and connection floods. For this reason, the defense starts with quite a low threshold (the default is 100). During prolonged attacks it might prove useful to lower this threshold to match the attack rates of the worst entries in the worst offenders list. If URL Inspection is being used, then this value should not be dropped to less than two times the inspection bias value (typically 5), that is, 10.

-Bad SYN + RST + F2D state count: If an IP address is doing a port scan, then it is likely to create either a high SYN count (ports filtered), a high RST count (ports closed) or a high F2D count (protected IP address has closed the connection, but the client has not acknowledged it). This count setting can be used to terminate IP addresses exhibiting this behavior. The default value is 300 and does not normally have to be changed.

-Bad Tracked URLs GET Rate (/s): You can track specific URLs, which can be set up through the CLI (set inspect) or through the GUI URL Information page. These URLs have an access rate scaling factor as defined by a positive bias value (typically 5). If an IP address keeps accessing these tracked URLs, and the scaled GET rate exceeds the specified value, then the IP address will be added to the auto black-listed IP address list. No more traffic is allowed to or from this IP address until it is removed from the auto black-listed IP address list (either manually or automatically). The default is 300 and can be adjusted up or down as required. Tracked info will display the current (scaled) GET rate.

-Bad Fragment Timeout Rate (/s): If IP addresses are sending fragmented packets (an IP packet is split over several fragments) and not all the fragments are processed, this will cause a fragmentation timeout, usually the result of an attack intended to consume packet re-assembly resources. If a protected IP address detects fragmentation timeouts at or above this rate, it will temporarily stop allowing any fragmented packets through at all, to protect the protected IP address.

Protected IP Detection

Protected IP address detection, and hence protection, is different depending on whether the IP address is a part of the network addresses of a defined non-General- (non-master) portal (type IP-Portal), or a part of the network addresses of the -General- (master) portal but not of type IP-Portal (type IP-General-Portal).

Track Indeterminate DDoS Secure Portal Connections Enable: If this check box is set, then any IP addresses of type IP-General-Portal (and not defined as a protected IP address) will be initially treated as the Indeterminate protected IP address, as if it were a single protected IP address using the configured Indeterminate protected IP address settings.

If this check box is not set, then protected IP address protection (connection limits and filters) will not be applied to any IP addresses of type IP-General-Portal that are not defined as a protected IP address. There is therefore no DDoS protection for these non-configured protected IP addresses when the check box is not set.

NOTE: Any IP addresses of type IP-Portal are always treated as Indeterminate if not specifically defined as a protected IP address.

Auto Detect Protected IP addresses: If this check box is set, then any IP address of type IP-General-Portal or IP-Portal, not configured, will be detected and protected as an individual protected IP address using the Default protected IP address parameters (overriding the Indeterminate above). If not set, then this protected IP address traffic will be aggregated with, and protected by, Indeterminate, as if Indeterminate was a single protected IP address.

NOTE: To make this option visible requires Track Indeterminate DDoS Secure Portal Connections to be set.

Black/White/Preferred/Default Lists

Black List IP(s): You can block traffic to and from a set of IP addresses or networks on a permanent basis. Specify IP addresses (in CIDR format) separated by commas (no spaces) if multiple address blocks are required. IP addresses allocated to the -bl country code (set geoip) are also treated as black-list IP addresses.

Black List AS#(s): You can block traffic to and from a set of IP addresses or networks on a permanent basis, based on the Autonomous System (AS) number as used by BGP routing for the Internet. The AS number information is provided by MaxMind and is not 100% accurate. Specify AS numbers or AS ranges, separated by commas (no spaces) if multiple AS blocks are required.

NOTE: The maximum AS number currently supported is 65535.

Black List Country(s): You can block traffic to and from a set of countries. The countries are determined from the IP to country tables provided by MaxMind (and possibly updated with the CLI set geoip command), and so are not guaranteed to be 100% accurate. The 3 letter country ids are required, separated by commas (no spaces), if multiple countries are to be specified. A list of these country codes can be found in the output information of various statistical outputs. If many countries are to be blocked, the pseudo value all can be used, followed by ! and the 3 letter country code. Thus all, !GBR means only GBR is allowed (all but GBR is blocked).

Click Black List Country(s) to display all the country codes. The red codes are always blocked; the orange codes are (partially) blocked by a filter definition.

-Do not block these addresses if Country blocked: It is possible that a country needs to be black-listed, but that some IP addresses from within the country need access through the DDoS Secure appliance. Specify IP addresses (in CIDR format) separated by commas (no spaces) if multiple address blocks are required to override the black-list country definitions. IP addresses allocated to the -ca country code (set geoip) are also treated as Do not block these addresses if country is blocked.

White List IP(s): You can specify an IP address network where you have authorized pen testers to work from, giving them the ability to do pen testing on protected IP addresses. Any connections from this network are treated as if the DDoS Secure appliance engine is running in logging mode, no matter what the actual operational mode is set to. Thus, attacks will be reported, but no packets will get dropped. If a white-listed IP is specified, and this address is spoofed on the Internet, then the spoofer has the potential to DDoS a protected IP. Use this option with caution, as it is not normally needed. IP addresses allocated to the -wl country code (set geoip) are also treated as white-listed IP addresses.

White (No logging) List IP(s): You can specify client IP addresses that get preferential treatment when connecting to a busy protected IP address, but nothing is recorded in the logs for this IP address. Furthermore, this IP address will never get blocked/dropped. If a white (No logging) list IP address is specified, and this address is spoofed on the Internet, then the spoofer has the potential to seriously DDoS a protected IP and there will be nothing in the log files to report what happened. Use this option with caution, as it is not normally needed. IP addresses allocated to the -wn country code (set geoip) are also treated as white (no logging) list IP addresses.

NOTE: We strongly recommend that white-listed IP addresses are used instead, as logs of any bad activity will be generated.

Preferred (Charm Boost) IP(s): You can specify IP addresses that get preferential treatment (with a CHARM boost) when connecting to a busy protected IP address. If a preferred (CHARM Boost) IP address is specified, and this address is spoofed on the Internet, then the spoofer has the potential to DDoS a protected IP. Use this option with caution, as it is not normally needed. IP addresses allocated to the -pl country code (set geoip) are also treated as preferred (CHARM Boost) IP addresses.

Preferred (Charm Boost) Country(s): You can specify countries that get preferential treatment (with a CHARM boost) when connecting to a busy protected IP address. If a preferred (CHARM boost) country is specified, and this address is spoofed on the Internet, then the spoofer has the potential to DDoS a protected IP address. Use this option with caution, as it is not normally needed.

Default Charm IP(s): You can specify IP addresses that always get first time treatment when connecting to a busy protected IP address. This allows monitoring systems to always get a first time experience when monitoring response times etc. IP addresses allocated to the -dc country code (set geoip) are also treated as default CHARM IP(s).
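The list fields above share one syntax (comma separated, no spaces, all,!XXX for countries and N-M for AS ranges). The following added Python example, which is not Juniper's code, parses those fields and classifies a client against them; the evaluation order (white list first, then IP, AS and country black lists, with the country override applied last) is an assumption, since the guide does not state one, and all addresses are constructed documentation ranges.

```python
"""Added example (not Juniper's code): parse the Black List IP(s), Black List AS#(s),
Black List Country(s), country-override and White List IP(s) fields from Table 6
and classify a client against them. Precedence between lists is ASSUMED."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MAX_AS_NUMBER = 65535  # the guide: maximum AS number currently supported


def parse_cidr_list(text: str) -> list:
    """Comma separated CIDRs with no spaces, the format the GUI requires."""
    if text.strip() == "":
        return []
    if " " in text.strip():
        raise ValueError("CIDR list must be comma separated with no spaces")
    return [ipaddress.ip_network(item, strict=False) for item in text.split(",")]


def parse_as_list(text: str) -> Set[int]:
    """AS numbers or ranges ('64496,64500-64510'), each bounded by MAX_AS_NUMBER."""
    result: Set[int] = set()
    if text.strip() == "":
        return result
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        start, end = int(lo), int(hi or lo)
        if start > end or start < 0 or end > MAX_AS_NUMBER:
            raise ValueError(f"AS entry {item!r} outside 0-{MAX_AS_NUMBER}")
        result.update(range(start, end + 1))
    return result


def parse_country_list(text: str) -> Tuple[bool, Set[str], Set[str]]:
    """3-letter codes; 'all' blocks everything and '!XXX' exempts XXX.

    Returns (block_all, blocked, exempt), e.g. 'all,!GBR' -> (True, set(), {'GBR'}).
    """
    block_all, blocked, exempt = False, set(), set()
    if text.strip() == "":
        return block_all, blocked, exempt
    for item in text.split(","):
        code = item.strip().upper()
        if code == "ALL":
            block_all = True
        elif code.startswith("!"):
            exempt.add(code[1:])
        else:
            blocked.add(code)
    for code in blocked | exempt:
        if len(code) != 3 or not code.isalpha():
            raise ValueError(f"country code {code!r} must be 3 letters")
    return block_all, blocked, exempt


@dataclass
class ListConfig:
    black_ips: list = field(default_factory=list)
    black_as: Set[int] = field(default_factory=set)
    country: Tuple[bool, Set[str], Set[str]] = field(default_factory=lambda: (False, set(), set()))
    country_override_ips: list = field(default_factory=list)  # "Do not block these addresses"
    white_ips: list = field(default_factory=list)

    @classmethod
    def from_gui(cls, black_ips="", black_as="", countries="", override="", white_ips=""):
        return cls(parse_cidr_list(black_ips), parse_as_list(black_as),
                   parse_country_list(countries), parse_cidr_list(override),
                   parse_cidr_list(white_ips))


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def classify(cfg: ListConfig, ip_text: str, country: str, asn: int) -> str:
    """Return 'whitelist', 'blacklist-ip', 'blacklist-as', 'blacklist-country' or 'allow'.

    ASSUMED order: a white-listed client is never dropped (the guide says so), then
    the explicit IP, AS and country black lists, with the country block lifted for
    addresses in the override list.
    """
    ip = ipaddress.ip_address(ip_text)
    if _in_any(ip, cfg.white_ips):
        return "whitelist"
    if _in_any(ip, cfg.black_ips):
        return "blacklist-ip"
    if asn in cfg.black_as:
        return "blacklist-as"
    block_all, blocked, exempt = cfg.country
    code = country.upper()
    country_blocked = code not in exempt and (block_all or code in blocked)
    if country_blocked and not _in_any(ip, cfg.country_override_ips):
        return "blacklist-country"
    return "allow"
```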

Test Environment

This check box should not typically be set during normal operation. It is provided to handle a special case that can arise in test lab situations where powerful traffic generators are in use. Sometimes, these test systems break RFC rules about TCP port reuse.

This special case is described as follows:

The TCP rules for connection termination specify that after the final ACK is sent in an active close, that connection must stay in the TIME_WAIT state for twice the MSL time period. As the MSL time period is 30 seconds, this TIME_WAIT delay on most systems is usually just greater than 1 minute, but can be as long as 4 minutes.

Some network stress testing tools generate high rates of connections (and the consequential teardowns of the same) at rates in excess of 100K connections per second. If these connections come from a single client IP address to a single protected IP address and port, then any rate higher than 65K connections per minute requires source port reuse at a rate higher than 1 per minute. This is in violation of RFCs, and the DDoS Secure appliance blocks the port reuse until at least a minute has passed. Consequently, the perceived performance of the DDoS Secure appliance is much lower than expected.

To handle these tools, setting the Test Environment check box reduces this TIME_WAIT state down to 7 seconds.

Additionally, these tools can take a long time to set up a large number of connections. The DDoS Secure appliance will start timing out these connections under normal conditions. Setting the Test Environment check box increases the allowed connection setup time to 10 minutes.
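To see why the 65K-per-minute figure follows from a 60-second TIME_WAIT, and what the 7-second Test Environment setting changes, here is an added Python model (not Juniper's code) that refuses reuse of a (client IP, client port, protected IP, port) tuple inside TIME_WAIT and replays a constructed stress-tool pattern against it. The 65535-port pool and the addresses used are assumptions.

```python
"""Added example (not Juniper's code): a TIME_WAIT port-reuse model for the
Test Environment option, which lowers 2*MSL (60 s) to 7 s."""

from typing import Dict, Tuple

DEFAULT_TIME_WAIT_S = 60.0   # 2 x MSL with MSL = 30 s, as the guide states
TEST_ENV_TIME_WAIT_S = 7.0   # with the Test Environment check box set
PORT_POOL = 65535            # ASSUMPTION: one client can draw on 65535 source ports

FourTuple = Tuple[str, int, str, int]   # (client IP, client port, protected IP, port)


class TimeWaitTracker:
    """Remember when each 4-tuple was last closed and refuse a new connection on the
    same tuple until time_wait seconds have passed, as the guide describes."""

    def __init__(self, time_wait: float) -> None:
        self.time_wait = time_wait
        self._closed_at: Dict[FourTuple, float] = {}
        self.accepted = 0
        self.blocked = 0

    def open(self, key: FourTuple, now: float) -> bool:
        last = self._closed_at.get(key)
        if last is not None and now - last < self.time_wait:
            self.blocked += 1          # port reuse inside TIME_WAIT: dropped
            return False
        self.accepted += 1
        return True

    def close(self, key: FourTuple, now: float) -> None:
        self._closed_at[key] = now


def max_reuse_free_rate(time_wait: float, ports: int = PORT_POOL) -> float:
    """Highest sustained connections/second from one client IP to one protected
    IP:port that never needs a source port reused inside TIME_WAIT."""
    return ports / time_wait


def simulate_tool(rate_per_s: int, seconds: int, time_wait: float,
                  ports: int = PORT_POOL) -> Tuple[int, int]:
    """Replay a stress tool that opens and immediately closes `rate_per_s`
    connections each second from one client to one protected IP:port, cycling
    through `ports` source ports in order. Returns (accepted, blocked)."""
    tracker = TimeWaitTracker(time_wait)
    port = 0
    for sec in range(seconds):
        for i in range(rate_per_s):
            now = sec + i / rate_per_s
            # constructed documentation addresses, not anything from the guide
            key = ("192.0.2.10", 1 + port, "198.51.100.5", 80)
            if tracker.open(key, now):
                tracker.close(key, now)   # teardown straight after setup
            port = (port + 1) % ports
    return tracker.accepted, tracker.blocked


if __name__ == "__main__":
    for tw in (DEFAULT_TIME_WAIT_S, TEST_ENV_TIME_WAIT_S):
        print(f"TIME_WAIT {tw:>4.0f}s: reuse-free ceiling {max_reuse_free_rate(tw):8.1f} conn/s,"
              f" 2000 conn/s for 60 s -> (accepted, blocked) = {simulate_tool(2000, 60, tw)}")
```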

Configuring Sharing Information

This section describes the sharing details of the DDoS Secure appliance: its configurations, incidents, and connection state. When multiple DDoS Secure appliances are running in an active/standby or load sharing configuration, this information will always be sent to the IP address of the partner. If the information needs to be sent to remote IP addresses, then specifying the appropriate unicast or broadcast addresses will cause packets to be sent to that remote set of addresses.

Table 7 on page 58 provides a summary of the sharing information configuration.


Table 7: Configure Sharing Information

Remote IP: The IP address of the remote DDoS Secure appliance, or a broadcast address for appliances in a remote network (to cut down on traffic going between the appliances).

NOTE: Configurations can only be transferred to an actual IP address, not a broadcast address, so three entries (two for configurations, one for incidents/state) might have to be set up to reduce traffic being sent to a remote pair of appliances.

Required: Check this box if the remote appliance is required to detect traffic flowing both ways through an appliance cluster, typically in an asymmetric routing environment using fail-safe interface cards. If this partner becomes unavailable, the local appliance will take itself into a degraded (pseudo logging) state to make sure that it does not simply block any traffic until the situation is fixed.

Via Gateway: To send data to an IP address that is not on the local LAN, either the default gateway can be used, or a specific next hop router address can be specified if data is to be sent over the data share interface.

NOTE: If the data share interface is defined, then all shared information must be routed through this interface across the appliances.

Config: Configuration changes will be sent to this IP address. This address must be a unicast address, as the configuration is transferred using the https protocol.

Incident: Appliance Defense information will be sent to this IP address using port 5556/udp.

State: Appliance connection state information will be sent to this IP address using port 5555/udp.

Configuring a Protected Gateway Based on MAC Address

This section describes the topology of the network on the protected side of the DDoS Secure appliance. If the appliance has been running for even a short time, it is quite likely that some, if not all, of the connected systems will have been detected by MAC address. Within this section, only the MAC address, the speed, and the packet rate that the particular device can support can be configured. The IP address of a device (known as a gateway) is self-learned and cannot be modified, because this information is provided as an aid only. An address of 0.0.0.0 means that no IP address has (yet) been seen for the device. The protected gateway might initially show a non-local protected IP address, but eventually the appliance learns the actual IP address of the gateway.

Table 8 on page 59 provides a summary of the protected gateway configuration.


Table 8: Configure Protected Gateway

MAC Address
The 6-byte MAC (or NIC) address of the interface on the gateway. If the DDoS Secure appliance is sitting on a VLAN or MPLS trunked connection, the appropriate encapsulation information is shown as well, encoded with the following prefixes:

• v—VLAN
• q—QINQ
• u—Unicast MPLS label
• m—Multicast MPLS label
• IP6in4—IPv6 traffic tunneled in IPv4
• GRE—IP traffic in a GRE tunnel

To Speed (bps)
Maximum data rate that the gateway device can accept for passing on to whatever is behind it. For example, if the gateway is connected to a 10 Mbps connection, the speed is defined as 10M. Speed can be specified in units of K (1,000), M (1,000,000) or G (1,000,000,000); 0 means unrestricted. This speed is used in the appliance algorithms for determining when bandwidth should be controlled.

To Rate (pps)
Maximum packet rate that the gateway device can accept for passing on to whatever is behind it. We recommend that you use the suggested rate if the maximum packet handling rate is not known.

Suggested Rate (pps)
The recommended default is 25% of the theoretical maximum number of small packets that can fit into the To Speed of the gateway. On lower bandwidth links (less than 8 Mbps) the recommended value will be higher than 25% of the theoretical maximum, and on higher speed links it might be less than 25%.
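The speed syntax and the 25% rule of thumb above can be made concrete. The following Python is an added example written for this page, not code from Juniper or the appliance: parse_speed accepts the K/M/G suffixes the guide lists (plus U or 0 for unrestricted), and suggested_rate applies the flat 25% rule to the theoretical maximum of minimum-size Ethernet frames. The 84-byte on-the-wire frame size (64-byte frame plus preamble and inter-frame gap) is this example's assumption; the guide does not publish how the appliance raises the fraction on links below 8 Mbps, so that adjustment is left as a parameter. to_rate_plausible is a sanity check of this example's own devising: a To Rate above the wire's theoretical packet rate can never be reached and is almost certainly a typo.

```python
"""Speed parsing and the 'suggested rate' rule of thumb for a protected gateway.

Added example; not part of the Juniper guide or the appliance software.
"""
import re

# Unit multipliers from the guide: K (1,000), M (1,000,000), G (1,000,000,000).
_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Smallest Ethernet frame on the wire: 64-byte frame + 8-byte preamble/SFD +
# 12-byte inter-frame gap = 84 bytes. This "small packet" size is an assumption
# of the example, not a figure given in the guide.
MIN_FRAME_BITS = 84 * 8  # 672 bits


def parse_speed(text):
    """Parse a To Speed string ('10M', '1G', '100k', '0', 'U') into bits per
    second. 0 and U both mean unrestricted and return 0."""
    if text.strip().upper() == "U":
        return 0
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kKmMgG]?)\s*", text)
    if not m:
        raise ValueError(f"bad speed: {text!r}")
    value, unit = float(m.group(1)), m.group(2).upper()
    return int(value * _UNITS[unit])


def max_small_packet_rate(speed_bps):
    """Theoretical maximum packets per second of minimum-size frames on a link."""
    return speed_bps // MIN_FRAME_BITS


def suggested_rate(speed_bps, fraction=0.25):
    """The guide's rule of thumb: 25% of the theoretical small-packet maximum.
    fraction can be raised for links below 8 Mbps, as the guide advises, but the
    appliance's exact curve is not published, so no curve is assumed here."""
    if speed_bps == 0:  # unrestricted speed -> unrestricted rate
        return 0
    return int(max_small_packet_rate(speed_bps) * fraction)


def to_rate_plausible(speed_text, to_rate_pps):
    """False when a configured To Rate (pps) exceeds what the link can physically
    carry; such a value would never trigger rate control."""
    speed = parse_speed(speed_text)
    return speed == 0 or to_rate_pps <= max_small_packet_rate(speed)


if __name__ == "__main__":
    for spec in ("10M", "100M", "1G", "0"):
        bps = parse_speed(spec)
        print(spec, bps, max_small_packet_rate(bps), suggested_rate(bps))
```

For a 10M gateway the example gives a theoretical ceiling of 14,880 small packets per second and a suggested To Rate of 3,720 pps; compare the figure the appliance displays under Suggested Rate before accepting either.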

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3
• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12
• Configuring the Management Interface for a DDoS Secure Appliance on page 13

Configuring Portals

• Configuring DDoS Secure Portals on page 60
• Configuring DDoS Secure Appliance Individual Portals on page 63
• Configuring DDoS Secure Appliance Bandwidth and Port Filters on page 63
• Configuring DDoS Secure Appliance Configure Filter Aggregations on page 67
• Configuring DDoS Secure Appliance Configure Protected IP addresses on page 68
• Configuring DDoS Secure Appliance Defined Protected IP Addresses on page 72


Configuring DDoS Secure Portals

The following parameters should be set on the DDoS Secure appliance soon after the first power-up. These parameters are used by the appliance algorithm to tune responses to attacks. The defaults shown are used if no user-defined values are supplied.

Click Configure Portals to configure the DDoS Secure appliance parameters.

Figure 35 on page 60 displays the DDoS Secure Portal Configuration page.

Figure 35: DDoS Secure Portal Configuration Overview Page

Initially only the configure portals table is displayed. A user associated with the -General- portal can create, view and edit portal definitions. To view and edit specific portal settings, select the portal from the drop-down list.

You can allocate (not necessarily contiguous) blocks of addresses (networks and/or single IP addresses) known as portals, which can, if required, be managed separately by designated users. This gives customers, clients, or business units the ability to manage what the DDoS Secure appliance does for their portal. Any user that has administrator/operator access can override these portal configurations. The master portal is known as -General-.

The master portal defines the address space that the DDoS Secure appliance protects; every other portal covers a subset of the master portal's address space and cannot overlap with another portal.

Table 9 on page 60 provides a summary of the configure portal details displayed on the DDoS Secure portal configuration page.

Table 9: Configure Portal Details

Name
Name of the portal.

Type
This portal can be a list of IP addresses, or be associated with a particular VLAN/MPLS definition.


Address(es)
You can specify all the valid protected IP addresses that your DDoS Secure appliance is protecting for a portal. For the master portal (-General-), this defines all the valid addresses that the DDoS Secure appliance is protecting; any other portal will be a subset of the -General- portal. Any inbound traffic will have to match a portal IP address (or be going to a multicast or broadcast address) to be allowed through. Any outbound traffic will have to come from a valid portal IP address. It is therefore possible to do simple ingress and egress filtering by specifying a restricted network; conversely, specifying All or all-ipv4 for -General- gives up that filtering, so restrict the master portal to the address space you actually own. It is valid to specify an address group that encompasses, for example, the default gateway IP that is on the Internet side of the DDoS Secure appliance.

IP addresses can be specified as follows:

• All—All IP addresses are valid (includes IPv6).
• all-ipv4—All IPv4 addresses.
• aaa.bbb.ccc.ddd/mask—A group of IPv4 addresses using a subnet mask.
• aaa.bbb.ccc.ddd/count—A group of IPv4 addresses using a subnet mask length.
• aaa.bbb.ccc.ddd—A specific IPv4 address.
• aaa.bbb.ccc.ddd-eee.fff.ggg.hhh—A range of IPv4 addresses.
• xxxx::xxxx:xxxx/count—A group of IPv6 addresses using a subnet mask length.
• xxxx::xxxx:xxxx—An IPv6 address.
• xxxx::xxxx:xxxx-yyyy:yyyy::yyyy—A range of IPv6 addresses.

All addresses can be comma (,) separated. Thus, 11.22.33.44,44.33.22.11 specifies the two protected IP addresses 11.22.33.44 and 44.33.22.11. There can be a maximum of 30 different entries.

NOTE: You might need to define an IP address of 0.0.0.0/32 to allow DHCP requests to pass through the DDoS Secure appliance.

If the portal is of type VLAN, then a (potentially comma-separated) set of VLAN/MPLS definitions needs to be defined. These are prefixed as appropriate with the letters:

• v—VLAN
• m—MPLS label

Only the outermost VLAN/MPLS label is selected.

Operation
It is possible for portals to be operating in a different operational mode than defined for the appliance. You can select either defending or logging. If the appliance operational mode is set to anything other than defending, then the portal mode will be the same as the appliance operational mode.


Countries
You can specify which countries match, and hence are allowed to use this portal. The countries are determined from the IP address to country tables provided by MaxMind (and potentially modified by the geoip command), and so are not guaranteed to be 100% accurate. Three-letter country codes (ISO 3166-1 alpha-3, for example GBR) are required, separated by commas (no spaces) if multiple countries are to be specified. These country codes can also be observed in the output of the various statistical displays.

If many countries are to be allowed, the pseudo-country all can be used, followed by ! and the three-letter country code. Thus all,!GBR means that all traffic, apart from that coming from GBR, is matched. The country match always applies to the client Internet address, not a protected IP address.

AS#s
You can allow traffic to and from a set of IP addresses or networks on a permanent basis, based on the Autonomous System (AS) number as used by BGP routing for the Internet. The AS number information is provided by MaxMind and is not 100% accurate. Specify AS numbers or AS ranges, separated by commas (no spaces) if multiple AS blocks are required. By default, all AS numbers are allowed. The maximum AS# that can be specified is 65535, so 4-byte AS numbers (RFC 6793) cannot be expressed in this field.

Speed (bps)
Minimum guaranteed speed (bandwidth) that the portal has available for use. If the value is set to U or 0, then there is no guaranteed minimum speed. The sum of all the individual portals cannot exceed that of the master portal.

Burst Speed
Speed that the portal can use if the bandwidth is not being used elsewhere. Bandwidth will be rate-limited for any speed over the guaranteed speed, based on CHARM.

ReRoute Under
The packet rate under which the DDoS Secure appliance will drop the inserted route after a defined period (default is five minutes). This is only applicable if BGP re-routing is enabled using the CLI.

ReRoute Over
The packet rate over which the DDoS Secure appliance will insert a route into BGP. This is only applicable if BGP re-routing is enabled using the CLI.

Filters
The number of available filters is a limited resource. Using this field, you can define the number of filters a particular portal is allowed to use. The default value is the number of filters divided by the number of portals. For the master portal, the number displayed is the remaining number of filters available for allocation.

(Used)
The number of filters used.


Protected IPs
The number of available protected IP addresses is a limited resource. You can define how many protected IP addresses a particular portal is allowed to use. The default value is the number of protected IP addresses divided by the number of portals. For the master portal, the number displayed is the remaining number of protected IP addresses available for allocation.

(Addresses)
The number of defined IP addresses in the portal.

(Used)
The number of IP addresses in use in the portal.
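Portal definitions are easy to get subtly wrong (an entry that is not inside -General-, a country list with a space in it, a 4-byte AS number). The following Python is an added example written for this page, not code from Juniper or the appliance: it parses the Address(es), Countries and AS#s fields using only the syntax rules Table 9 states (the nine address forms, a 30-entry limit, three-letter country codes with the all,!XXX exclusion form, AS numbers no greater than 65535) so a definition can be checked offline before it is committed. Treating an empty Countries or AS#s field as "allow all" and rejecting a "!XXX" exclusion only when the client's country is in it are this example's reading of the table; the -General- containment check uses a caller-supplied parent list.

```python
"""Offline validator for a portal's Address(es), Countries and AS#s fields.

Added example; not part of the Juniper guide or the appliance software.
"""
import ipaddress
import re

MAX_ADDRESS_ENTRIES = 30   # limit stated in the guide
MAX_ASN = 65535            # stated in the guide; 4-byte ASNs cannot be expressed
_COUNTRY = re.compile(r"[A-Z]{3}")


def parse_address_entry(entry):
    """Expand one Address(es) entry into a list of ip_network objects.

    Forms from the guide: All, all-ipv4, a.b.c.d/mask, a.b.c.d/count, a.b.c.d,
    a.b.c.d-e.f.g.h, and the IPv6 /count, single-address and range forms.
    """
    e = entry.strip()
    if e.lower() == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if e.lower() == "all-ipv4":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in e:  # explicit range, IPv4 or IPv6
        lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # ip_network handles /count, the dotted /mask form and bare host addresses
    return [ipaddress.ip_network(e, strict=False)]


def parse_addresses(field):
    """Comma-separated Address(es) field -> list of networks (max 30 entries)."""
    entries = [p for p in field.split(",") if p.strip()]
    if len(entries) > MAX_ADDRESS_ENTRIES:
        raise ValueError(f"{len(entries)} entries; at most {MAX_ADDRESS_ENTRIES} allowed")
    return [net for entry in entries for net in parse_address_entry(entry)]


def within_parent(nets, parent_nets):
    """True if every network lies inside some network of the parent (-General-) portal."""
    return all(any(n.version == p.version and n.subnet_of(p) for p in parent_nets)
               for n in nets)


def parse_countries(field):
    """'all,!GBR' -> (allow_all=True, included=set(), excluded={'GBR'}).
    Codes are three letters, comma-separated with no spaces; empty allows all
    (this example's assumption)."""
    if not field:
        return True, set(), set()
    if " " in field:
        raise ValueError("country list must not contain spaces")
    allow_all, included, excluded = False, set(), set()
    for part in field.split(","):
        if part == "all":
            allow_all = True
        elif part.startswith("!") and _COUNTRY.fullmatch(part[1:]):
            excluded.add(part[1:])
        elif _COUNTRY.fullmatch(part):
            included.add(part)
        else:
            raise ValueError(f"bad country entry {part!r}")
    return allow_all, included, excluded


def country_matches(spec, client_country):
    """Apply a parsed Countries spec to the client's (Internet-side) country."""
    allow_all, included, excluded = spec
    if client_country in excluded:
        return False
    return allow_all or client_country in included


def parse_asns(field):
    """'64496,64500-64510' -> set of ints; empty field (all ASNs allowed) -> None."""
    if not field:
        return None
    if " " in field:
        raise ValueError("AS list must not contain spaces")
    asns = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= MAX_ASN:
            raise ValueError(f"AS entry {part!r} outside 0-{MAX_ASN}")
        asns.update(range(lo_i, hi_i + 1))
    return asns


def asn_matches(asns, client_asn):
    return asns is None or client_asn in asns
```

Running parse_addresses over a customer portal and within_parent against the -General- list before saving catches the overlap and containment mistakes the GUI will otherwise reject one field at a time; the AS range check makes the 65535 ceiling explicit instead of silently truncating.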

Configuring DDoS Secure Appliance Individual Portals

From the Portal pull-down list, select the appropriate portal to configure.

Configuring DDoS Secure Appliance Bandwidth and Port Filters

Bandwidth and port filters are defined for inbound and outbound traffic. Any new traffic that matches a specific filter has session state tracking enabled for that traffic. Any subsequent traffic matching a tracked session (taking direction into account) is also allowed based on the filter. Thus, for an inbound connection, an inbound filter that allows HTTP traffic only (port 80/tcp) and an outbound filter that lets through no traffic is sufficient to allow an HTTP connection to take place.

Any traffic associated with a filter is rate-limited (based on CHARM) if it exceeds the defined bandwidth thresholds, which are applied separately to each direction. Depending on the Rate-Limit By type, traffic is aggregated per filter, per Internet IP, per protected IP, per Internet and protected IP pair, or per session.

Each protected IP address must have one inbound filter and one outbound filter configured to control access to and from the protected IP address.

The nonconfigurable filter, default, allows most traffic through, with a restriction on valid ICMP types and UDP port 80. This is the initial default protected IP address filter for both inbound and outbound.

In addition to the default filter that cannot be configured, there are three predefined filters that can be configured. The multicast filter is preset to allow traffic through (no TCP, and a restriction on ICMP types) and is the default filter for the global protected IP address multicast. The broadcast filter is preset to block all TCP ports, UDP port 7 and all ICMP types, and is the default filter for the global protected IP address broadcast. The intercept filter is initially set to only allow TCP, and is used in conjunction with the set wrapper blocked command.

Because default allows most traffic, replacing it with filters that enable only the ports each protected IP address actually serves is the first hardening step once the appliance is in place.

Figure 36 on page 64 displays the DDoS Secure portal configure bandwidth and port state filters.


Figure 36: DDoS Secure Portal Configure Bandwidth and Port State Filters

Table 10 on page 64 provides a summary of the bandwidth and port filters displayed on the DDoS Secure portal configuration page.

Table 10: Configure Bandwidth and Port Filters Details

Name
The name of the filter.

Source TCP Ports
It is possible to restrict the source TCP ports of a TCP connection for a filter match. The default is all if any TCP ports are defined.

TCP Ports
The default value of all allows through all TCP ports. If only a subset of ports such as 80 and 443 is required, we recommend that you enable only that subset. The DDoS Secure appliance always drops packets with port numbers not matching the values entered. Ports are specified individually (80), as a range (80-81), as a comma-separated list (80,443), or as a combination (80-81,443). The keyword none is also supported. Any connection that matches the filter is always allowed, as are any response packets (including an ICMP diagnostic response), while state is maintained on the connection session.

NOTE: FTP (port 21) is a special case: data connections are handled automatically, so data ports do not need to be defined and only the control port (21) must be defined. The exception is FTPS, where the data ports must be configured as well, because the control port traffic is encrypted and the DDoS Secure appliance logic cannot interpret it.

HTTP Ports
These are the TCP ports that the DDoS Secure appliance inspects for HTTP traffic. Ports defined here are automatically added to the TCP port definitions.

Source UDP Ports
It is possible to restrict the source UDP ports of a UDP session for a filter match. The default is all if any UDP ports are defined.


UDP Ports
The default value of all allows through all UDP ports. If only a subset of ports such as 53 (DNS) is necessary for the correct operation of the protected IP addresses, we suggest that only these are enabled. The DDoS Secure appliance always drops packets with port numbers not matching the values entered. Ports are specified as an individual port (53), as a range of ports (53-54), as a comma-separated list of ports (53,100), or as a combination (53-54,100). The keyword none is also supported. Any UDP request that matches the filter is always allowed its response packets (including an ICMP diagnostic response), as state is maintained on the session. However, this state expires after 30 seconds of inactivity, so if you have a UDP protocol that can be started from either end (such as port 500 for IPsec IKE traffic), you will need to specify the UDP port as valid in both the inbound and the outbound filter of the protected IP address definition.

ICMP Types
ICMPv4 types necessary (in addition to valid state-matching diagnostic responses) for the correct operation of all protected IP addresses being defended should be listed. The appliance denies all other ICMP types, whether or not the protected IP addresses are under attack. Types are specified as an individual type (8), as a range of types (3-4), as a comma-separated list of types (3,8), or as a combination (3-4,8). The keyword none is also supported. ICMP diagnostic responses that match a valid state for an existing session are always let through; this includes, for example, ping responses to ping requests. The appliance treats 18 as the highest defined ICMPv4 type, so the keyword all refers to types 0 through 18. If other ICMP types are required, they need to be added separately (for example: 0-18,21).

ICMPv6 Types
ICMPv6 types necessary (in addition to valid state-matching diagnostic responses) for the correct operation of all protected IP addresses being defended should be listed. The appliance denies all other ICMPv6 types, whether or not the protected IP addresses are under attack. Types are specified as an individual type (8), as a range of types (3-4), as a comma-separated list of types (3,8), or as a combination (3-4,8). The keyword none is also supported. ICMPv6 diagnostic responses that match a valid state for an existing session are always let through; this includes, for example, ping responses to ping requests. Currently, ICMPv6 uses types 0 through 4 and 128 through 154, so the keyword all refers to types 0 through 4 and 128 through 154 inclusive. If other ICMPv6 types are required, they need to be added separately (for example: 0-4,128-154,156). Unlike ICMPv4, ICMPv6 is not optional for IPv6 to work: the error types 1 through 4 (in particular type 2, Packet Too Big, which path MTU discovery depends on) and the Neighbor Discovery types 133 through 137 should not be filtered out.


IP Protocols
IP protocols (other than TCP, UDP, ICMPv4 and ICMPv6) necessary for the correct operation of all protected IP addresses being defended should be listed. Examples are IPsec (protocols 50 ESP and/or 51 AH) or GRE (protocol 47). The appliance denies all other IP protocols, whether or not the protected IP addresses are under attack. Protocols are specified as an individual protocol (47), as a range of protocols (50-51), as a comma-separated list (47,50), or as a combination (47,50-51). The keyword none is also supported. Any request that matches the filter is always allowed its response packets (including an ICMP diagnostic response), as state is maintained for the session. However, this state expires after 30 seconds of inactivity, so you will need to specify the IP protocol as valid in both the inbound and the outbound filter of the protected IP address definition.

Countries
You can specify which countries match, and hence are allowed to use this filter. The countries are determined from the IP address to country tables provided by MaxMind (and potentially modified by the geoip command), and so are not guaranteed to be 100% accurate. Three-letter country codes are required, separated by commas (no spaces) if multiple countries are specified. These codes can also be observed in the output of the various statistical displays. If many countries are to be allowed, the pseudo-country all can be used, followed by ! and the three-letter country code. Thus all,!GBR means that all traffic, apart from that coming from GBR, is matched. The country match always applies to the client's Internet address, not a protected IP address.

Networks
You can specify which networks match, and hence are allowed to use this filter. The network match always applies to the client's Internet address, not a protected IP address. Thus, you can specify that only certain IP addresses are able to access port 22 on a protected IP address. Note that if port 22 is also allowed by another filter that is searched earlier in a filter aggregation definition, that filter matches first and port 22 might not be blocked as expected.

AS#s
You can specify which networks match, based on the Autonomous System (AS) number as used by BGP routing for the Internet. The AS number information is provided by MaxMind and is not 100% accurate. Specify AS numbers or AS ranges, separated by commas (no spaces) if multiple AS blocks are required. By default, all AS numbers are allowed. The maximum AS# that can be specified is 65535.

Speed (bps)
Traffic (in bits per second) below this value will not get rate-limited. If the value is set to U or 0, then there is no rate-limiting.

Burst Speed
Bursty traffic is allowed over the Speed value (bps) for brief periods of time, up to the defined Burst Speed; otherwise, it is restricted to Speed (bps).


Rate (pps)
Traffic (in packets per second) below this value will not get rate-limited. If the value is set to U or 0, then there is no rate-limiting.

Burst Rate
Bursty traffic is allowed over the Rate value (pps) for brief periods of time, up to the defined Burst Rate; otherwise, it is restricted to Rate (pps).

Suggested Rate
The recommended default is normally one quarter of the theoretical maximum number of small packets that can fit into the Speed of the filter. With lower bandwidth (less than 8 Mbps) the recommended value will be higher than one quarter of the theoretical maximum, and on higher speed links it might be less than one quarter.

Rate-Limit By
If rate thresholds are defined, this field defines the type of rate-limiter instance that is created on a filter match. Traffic flows are measured against this rate-limiter. If traffic exceeds the valid rate, the traffic is dropped. However, traffic is allowed to be bursty for brief periods and may increase up to the Burst Rate.

Rate-Limit By types are defined as follows:

• filter—The default. One rate-limiter per filter is created, and all traffic matching the filter is aggregated into it.
• internet-ip—One rate-limiter per matching Internet IP per filter is created, and all traffic matching the rate-limiter is aggregated.
• protected-ip—One rate-limiter per matching protected IP per filter is created, and all traffic matching the rate-limiter is aggregated.
• match-ips—One rate-limiter per matching Internet IP and protected IP pair per filter is created, and all traffic matching the rate-limiter is aggregated.
• session—One rate-limiter per connection/session per filter is created, and all traffic matching the rate-limiter is aggregated.

With the default of filter, a single abusive client can consume the whole allowance for every client matching the filter; internet-ip isolates clients from one another at the cost of one rate-limiter per client address.
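The practical difference between the Rate-Limit By types is which packets share a limiter. The following Python is an added example written for this page, not Juniper code: limiter_key builds the key each type implies, and a plain token bucket stands in for the rate-limiter (tokens refill at Rate and the bucket holds Burst Rate tokens, so short bursts above Rate pass and sustained excess is dropped). The guide does not describe CHARM's internals, so the bucket is only a model of the behaviour Table 10 states, the 5-tuple used for the session type is this example's assumption, and the packets, addresses and filter name are constructed.

```python
"""Illustrative model of the Rate-Limit By types from Table 10.

Added example; not the appliance's CHARM implementation, which the guide does
not describe. Addresses and packets below are constructed for the example.
"""
from collections import namedtuple

# direction 'in' means Internet -> protected IP; 'out' is the reverse.
Packet = namedtuple("Packet", "src dst sport dport proto direction")


def limiter_key(rate_limit_by, filter_name, pkt):
    """Key under which packets matching one filter share a rate-limiter."""
    if pkt.direction == "in":
        internet_ip, protected_ip, iport, pport = pkt.src, pkt.dst, pkt.sport, pkt.dport
    else:
        internet_ip, protected_ip, iport, pport = pkt.dst, pkt.src, pkt.dport, pkt.sport
    if rate_limit_by == "filter":
        return (filter_name,)
    if rate_limit_by == "internet-ip":
        return (filter_name, internet_ip)
    if rate_limit_by == "protected-ip":
        return (filter_name, protected_ip)
    if rate_limit_by == "match-ips":
        return (filter_name, internet_ip, protected_ip)
    if rate_limit_by == "session":  # 5-tuple as the session identity (assumption)
        return (filter_name, pkt.proto, internet_ip, protected_ip, iport, pport)
    raise ValueError(f"unknown Rate-Limit By type {rate_limit_by!r}")


class TokenBucket:
    """Refills at rate_pps and holds burst_pps tokens: bursts above Rate are
    allowed up to Burst Rate, sustained excess is dropped. Stand-in for CHARM."""

    def __init__(self, rate_pps, burst_pps):
        self.rate = rate_pps
        self.capacity = max(rate_pps, burst_pps)
        self.tokens = float(self.capacity)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FilterRateLimiter:
    """Rate (pps) and Burst Rate for one filter; 0 or U means no rate-limiting."""

    def __init__(self, filter_name, rate_limit_by, rate_pps, burst_pps):
        self.filter_name = filter_name
        self.rate_limit_by = rate_limit_by
        self.rate = 0 if rate_pps in (0, "U") else int(rate_pps)
        self.burst = 0 if burst_pps in (0, "U") else int(burst_pps)
        self.buckets = {}  # one TokenBucket per limiter key

    def allow(self, pkt, now):
        if self.rate == 0:
            return True
        key = limiter_key(self.rate_limit_by, self.filter_name, pkt)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate, self.burst))
        return bucket.allow(now)


def simulate(rate_limit_by, rate_pps=100, burst_pps=150,
             clients=("198.51.100.1", "198.51.100.2"), per_client=100):
    """Every client fires per_client SYNs at one protected IP at t=0 through a
    filter with the given Rate/Burst Rate; returns packets allowed per client."""
    rl = FilterRateLimiter("web", rate_limit_by, rate_pps, burst_pps)
    allowed = {c: 0 for c in clients}
    for c in clients:
        for i in range(per_client):
            pkt = Packet(c, "192.0.2.10", 40000 + i, 80, "tcp", "in")
            if rl.allow(pkt, now=0.0):
                allowed[c] += 1
    return allowed


if __name__ == "__main__":
    for kind in ("filter", "internet-ip", "protected-ip", "match-ips", "session"):
        print(kind, simulate(kind))
```

With Rate 100 and Burst Rate 150, the filter and protected-ip types let the first client through and leave the second only 50 packets, because both clients share one bucket; internet-ip and match-ips give each client its own 150-token allowance; session hands every distinct connection its own limiter, so a per-session Rate protects against a single runaway flow but not against many flows from one address.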

Configuring DDoS Secure Appliance Configure Filter Aggregations

Multiple filters might be required for a protected IP address, each having its own bandwidth and port characteristics. With filter aggregations, you can define a list of up to seven filters to search through, looking for the first match on the port and/or protocol, which is then used. It is possible for a filter aggregation to refer to another, previously defined, filter aggregation. Thus, you can build a baseline filter aggregation and create other special configurations keyed off the baseline.

If a filter aggregation is used, and a particular port is not defined or matched in any of the seven sections, then any traffic to that port is dropped.

These filter aggregations do not appear on the statistical information pages; they are an aid to configuring the protected IP address filter definitions.

Figure 37 on page 68 displays the DDoS Secure portal configure state filter aggregations.


Figure 37: DDoS Secure Portal Configure State Filter Aggregations

Table 11 on page 68 provides a summary of the filter aggregation configuration.

Table 11: Configure Filter Aggregations Details

Name
Name of the filter aggregation. We recommend a filter aggregation name that can be easily differentiated from the filter names, for ease of configuration troubleshooting.

Filter [1 2 3 4 5 6 7]
Select a filter name or a filter aggregation name from the pull-down list. It is valid to have the -undefined- entry between genuine entries.
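The port and type syntax of Table 10 and the first-match search of a filter aggregation described above can be exercised together. The following Python is an added example written for this page, not Juniper code: parse_spec handles individual values, ranges, comma lists and the keywords all and none, expanding all per field as the guide defines it for ICMPv4 (0-18) and ICMPv6 (0-4 and 128-154); first_match walks an aggregation of up to seven entries, skips -undefined- slots, descends into a nested aggregation, and returns None when nothing matches (the packet is dropped). The 0-65535 port and 0-255 protocol expansions of all, the in-place search of a nested aggregation, and the networks attribute standing in for the Networks field are this example's assumptions; the filters and packets are constructed. The BAD aggregation reproduces the Networks caveat from Table 10: a broad filter listed before the restricted SSH filter matches port 22 first.

```python
"""Port/type spec parser (Table 10) and first-match filter aggregation (Table 11).

Added example; not the appliance's code. Filters and packets are constructed.
"""
import ipaddress
from collections import namedtuple

# What the keyword 'all' expands to per field. The ICMP ranges are the guide's;
# the port and protocol ranges are this example's assumptions.
ALL_RANGES = {
    "tcp": [(0, 65535)], "udp": [(0, 65535)],
    "icmp": [(0, 18)], "icmpv6": [(0, 4), (128, 154)], "ip": [(0, 255)],
}
MAX_AGGREGATION_ENTRIES = 7


def parse_spec(field, kind):
    """'80-81,443' -> ((80, 81), (443, 443)); 'all' and 'none' per ALL_RANGES."""
    ranges = []
    for part in field.lower().replace(" ", "").split(","):
        if part in ("", "none"):
            continue
        if part == "all":
            ranges.extend(ALL_RANGES[kind])
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i > hi_i:
            raise ValueError(f"descending range {part!r}")
        ranges.append((lo_i, hi_i))
    return tuple(ranges)


def in_spec(spec, value):
    return value is not None and any(lo <= value <= hi for lo, hi in spec)


def spec_size(spec):
    """Number of values a spec covers (ranges assumed not to overlap)."""
    return sum(hi - lo + 1 for lo, hi in spec)


class Filter:
    """One bandwidth/port filter. Defaults follow the guide: TCP/UDP ports 'all',
    everything else 'none'. networks restricts the client (Internet) address."""

    def __init__(self, name, tcp="all", udp="all", icmp="none", icmpv6="none",
                 ip_protocols="none", src_tcp="all", src_udp="all", networks=()):
        self.name = name
        self.tcp, self.src_tcp = parse_spec(tcp, "tcp"), parse_spec(src_tcp, "tcp")
        self.udp, self.src_udp = parse_spec(udp, "udp"), parse_spec(src_udp, "udp")
        self.icmp = parse_spec(icmp, "icmp")
        self.icmpv6 = parse_spec(icmpv6, "icmpv6")
        self.ip_protocols = parse_spec(ip_protocols, "ip")
        self.networks = [ipaddress.ip_network(n) for n in networks]


# proto: 'tcp', 'udp', 'icmp', 'icmpv6' or an IP protocol number; dst: destination
# port or ICMP type; src: source port; client: Internet-side address.
Pkt = namedtuple("Pkt", "proto dst src client")


def filter_matches(flt, pkt):
    if flt.networks and not any(ipaddress.ip_address(pkt.client) in n for n in flt.networks):
        return False
    if pkt.proto == "tcp":
        return in_spec(flt.tcp, pkt.dst) and in_spec(flt.src_tcp, pkt.src)
    if pkt.proto == "udp":
        return in_spec(flt.udp, pkt.dst) and in_spec(flt.src_udp, pkt.src)
    if pkt.proto == "icmp":
        return in_spec(flt.icmp, pkt.dst)
    if pkt.proto == "icmpv6":
        return in_spec(flt.icmpv6, pkt.dst)
    return in_spec(flt.ip_protocols, pkt.proto)  # other IP protocols, e.g. 47 GRE


def first_match(aggregation, pkt):
    """Name of the first matching filter, or None (the packet is dropped).
    Entries are a Filter, None (the -undefined- slot) or a previously defined
    aggregation (a list), which is searched in place."""
    if len(aggregation) > MAX_AGGREGATION_ENTRIES:
        raise ValueError("a filter aggregation holds at most seven entries")
    for entry in aggregation:
        if entry is None:
            continue
        if isinstance(entry, list):
            hit = first_match(entry, pkt)
            if hit is not None:
                return hit
        elif filter_matches(entry, pkt):
            return entry.name
    return None


# Constructed configuration: a baseline aggregation plus an admin-only SSH filter.
WEB = Filter("web", tcp="80,443", udp="none", icmp="8")
DNS = Filter("dns", tcp="53", udp="53")
SSH_ADMIN = Filter("ssh-admin", tcp="22", udp="none", networks=["192.0.2.0/24"])
ANY_TCP = Filter("any-tcp", udp="none")
BASELINE = [WEB, DNS]
GOOD = [SSH_ADMIN, None, BASELINE]  # restricted SSH filter is consulted first
BAD = [ANY_TCP, SSH_ADMIN]          # any-tcp matches port 22 before ssh-admin can
```

In GOOD, SSH from outside 192.0.2.0/24 falls through to the baseline, which has no port 22, and is dropped; in BAD the same packet is accepted by any-tcp and the Networks restriction on ssh-admin is never consulted, which is the ordering mistake the Networks row of Table 10 warns about.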

Configuring DDoS Secure Appliance Configure Protected IP addresses

The protected IP address definitions are automatically updated in the configuration file every midnight. They provide a starting-value hint to the DDoS Secure algorithms whenever the DDoS Secure engine is restarted. This is only true for protected IP addresses that are defined, not just detected.

Table 12 on page 68 provides a summary of the protected IP address configuration.

Table 12: Configure Protected IP Addresses

Protected IP
The IP address being protected.


TCP Backlog per port
The maximum number of connection attempts, per port, that a protected IP address can hold in a partially opened state. This is known as the hard limit; a value of 1000 per protected IP address is usually acceptable but might be lowered to around 50 for a sensitive protected IP address. If this value is prefixed by auto-, then the DDoS Secure appliance engine will try to automatically adjust this value based on how the protected IP address is responding. The default is auto-1000. A value of 0 or U means that there is no backlog checking. The DDoS Secure appliance CHARM algorithm reduces the likelihood of a user making a connection as the current count increases towards the (potentially automatically determined) hard limit.

The auto- logic only recalculates for ports or IP addresses that are known to be Active, that is, not filtered out by an internal firewall.

The auto- logic gets confused if SYN cookies are in use by the protected IP address, because the protected IP address will always respond quickly to the SYN request. If this is the case, then auto- might not be appropriate and, depending on the power of the protected IP address, a fixed value of 1000 up to 5000 is typical.

If the protected IP address hard limit is unknown, and auto- is not appropriate, set this hard limit value to the value reported under Suggested TCP Backlog for the appropriate protected IP address, and then review the situation to see if this value changes significantly. If SYN floods are being reported, there are very few connections in the SYN state, and the protected IP address is not overloaded, this value can be increased.

The default maximum TCP backlog queue per port of a protected IP address differs depending on its operating system. On Linux systems, for example, this hard limit can be determined by issuing the command sysctl net.ipv4.tcp_max_syn_backlog; note that this sysctl is a system-wide ceiling, and the backlog the application requests in its listen() call can cap an individual port lower. On Microsoft Windows servers, this value is stored in the TcpMaxHalfOpen value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

Suggested TCP Backlog
The value that the DDoS Secure appliance engine believes is a better value to use. This value can be incorrectly calculated if the protected IP address is using SYN cookies.


Max Open Connections
The maximum number of open connections (in an active data transfer state) that can be handled by the protected IP address. This is known as the hard limit; a value of 1000 per protected IP address (but considerably higher for a load balancer) is usually acceptable but might be lowered to around 50 for a sensitive protected IP address. If this value is prefixed by auto-, then the DDoS Secure appliance engine will try to automatically adjust this value based on how the protected IP address is responding. The default is auto-1000. A value of 0 or U means that there is no connection checking. The DDoS Secure appliance CHARM algorithm reduces the likelihood of a user making a connection as the current count increases towards the (automatically determined) hard limit.

If the protected IP address hard limit is unknown, and auto- is not appropriate, set this hard limit value to the value reported under Suggested Connections for the appropriate protected IP address, and then review the situation to see if this value changes significantly. If connection floods are being reported, and the protected IP address (checked on the host itself) is not overloaded, this value can be increased.

Suggested Connections
The value that the DDoS Secure appliance engine believes is a better value to use.

Max Conn Rate
The maximum number of new connections per second that can be handled by the protected IP address. This is known as the hard limit. This could be a limit imposed by the transaction rate of a back-end database server. If this value is prefixed by auto-, then the DDoS Secure appliance engine will try to automatically adjust this value based on how the protected IP address is responding. The default is auto-1000. A value of 0 or U means that there is no connection rate checking. The DDoS Secure appliance CHARM algorithm reduces the likelihood of a user making a connection as the current count increases towards the hard limit.

For HTTP connections using HTTP/1.1, the second and subsequent GET/HEAD/POST requests on a connection are also treated as new connection requests when calculating rates, as well as counting as additional GET requests.

If the protected IP address hard limit is unknown, and auto- is not appropriate, set this hard limit value to the value reported under Suggested Conn Rate for the appropriate protected IP address, and then review the situation to see if this value changes significantly. If Connection Rate Floods or GET Rate Floods are being reported, and the protected IP address is operating within limits, this value can be increased.

Suggested Conn Rate
The value that the DDoS Secure appliance engine believes is a better value to use. This value can be incorrectly affected by the protected IP address silently dropping TCP connections.


Max Active GETs
The maximum number of concurrent HTTP page requests that a protected IP address can process; an example is the maximum number of ASP threads that an IIS server can handle. The DDoS Secure appliance code tracks the GET/HEAD/POST requests, increments a counter for each, and decrements the counter when the HTTP response starts to come back. The default is auto-1000. A value of 0 or U means that there is no concurrent GET checking.

If the protected IP address hard limit is unknown, and auto- is not appropriate, set this hard limit value to the value reported under Suggested GETs for the appropriate protected IP address. If GET floods are being reported, and the protected IP address is operating within limits, this value can be increased.

NOTE: Do not set this to 0 or U if you want the DDoS Secure appliance to defend against URL attacks.

Suggested GETs
The value that the DDoS Secure appliance engine believes is a better value to use.

Inbound Filter
The filter applied to all sessions initiated to your protected IP address (and their response packets). If this is a filter aggregation definition, then the first filter match in the aggregate list is used. If there is no filter match, then the packet is dropped.

Outbound Filter
The filter applied to all sessions initiated from your protected IP address (and their response packets). If this is a filter aggregation definition, then the first filter match in the aggregate list is used. If there is no filter match, then the packet is dropped.

Send TCP Rejects
If this box is selected, then TCP RST packets are sent back to the originating client if the port requested has not been permitted (there is no filter match). Under peak loads, these are rate-limited.

Track SOAP
If this box is selected, then the HTTP header data is scanned for SOAPAction headers. If one is found, then this action is tagged onto the URL for URL tracking. There is a performance overhead with this enabled, so it should only be used on SOAP-enabled servers.

No Frags
If this box is selected, then no fragmented IP packets are accepted.

NOTE: The DDoS Secure appliance automatically and temporarily enables No Fragmentation on a per protected IP address basis if it determines that a fragmentation attack is under way.

PAT G/W
If the protected IP is a corporate firewall, or a NAT device where most (or all) of the initiated traffic is outbound, enabling PAT G/W to relax restrictions on outbound connections is preferable to attempting to restrict traffic as if it were attacking the Internet.


Operation: It is possible for a protected IP address to be operating in a different operational mode than defined for the portal or appliance. You can select defending, logging, or not reported. Not reported means that no packets are dropped and no incidents are created for this protected IP address. If the appliance or portal operational mode is set to anything other than defending, then the protected IP address mode will be no better than logging.

Hostname: Can be used to define a name for a protected IP address to aid identification when defining values.

Active Ports: The hint about the open ports on the protected IP address in question. If a filter or filter aggregation restricts ports, then these ports will not appear in this list. Also, if the protected IP address is filtering out some IP addresses but not others, then an open port might bounce in and out of active ports. These ports get reset on every configuration change, or at midnight.

Enabled Ports: The actual inbound allowed ports. Entries in red have additional Country/Network/AS# restrictions.

Configuring DDoS Secure Appliance Defined Protected IP Addresses

Table 13 on page 72 provides a summary of the defined protected IP addresses.

Table 13: Defined Protected IP Address Details

Field: Description

Add Protected IP: Allows you to specify a protected IP address that has not been previously configured or auto-detected. You will need to ensure that the Add check box is selected for a new item to be included.

NOTE: If the Add entry is not available, this is because you have used up the protected IP address allocation for this portal.

Protected IP Defaults: If a protected IP address is detected (assuming auto-detect protected IP addresses is enabled) but has not been defined, then the new protected IP address will be configured with the definition for protected IP address defaults acting as a template. Changes to the protected IP address defaults will also change the configuration of auto-detected protected IP addresses.

NOTE: If the auto-detected protected IP address is part of a defined portal, then the auto-detected protected IP address will take on the characteristics of the portal Indeterminate protected IP address.


Global Protected IP Addresses: You can define default settings for five virtual protected IP addresses, distinct from those defined under protected IP address defaults.

Portal defense defines what the portal is capable of handling; it is typically used if the portal is a load balancer with various virtual IP addresses but has its own set of limitations.

Intercept default settings are used for traffic that is intercepted to an internal DDoS Secure appliance server to generate suitable denial response pages. These interceptions are configured using the CLI set wrapper blocked command.

Multicast default settings are used for those backend devices responding to multicast addresses.

Broadcast default settings are used for those backend devices responding to broadcast addresses.

Indeterminate default settings are used for those protected IP addresses that are unknown, have not yet been validated, or were discovered after the internal protected IP address table was full.

Defined Protected IP Addresses: Contains all the defined protected IP addresses. Select the Remove check box and click Update to remove protected IP addresses from the defined list.

Auto-detected Protected IP: Contains all protected IP addresses detected by the appliance, apart from those reported above. Select the Include check box and click Update to move this protected IP address into the defined protected IP addresses section, where the specific protected IP address configuration can be changed from the protected IP address defaults.

To purge all the auto-detected protected IP addresses, click Delete All.

To include all the auto-detected protected IP addresses, click Include All.

Inactive auto-detected protected IP addresses will be automatically deleted after five days.

NOTE: Auto-detected protected IP addresses are allocated to the appropriate portals.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Using the DDoS Secure ApplianceWeb Interface on page 25

• Configuring the Management Interface for a DDoS Secure Appliance on page 13


Configuring SSL

The Configure SSL page is used for configuring SSL-specific features of the DDoS Secure appliance. This includes the global settings for FIPS mode and the SSL decryption mode along with the per-protected-IP address SSL decrypt configuration.

Global Configuration

This section includes:

• FIPS 140-2 Mode on page 74

• SSL Decryption on page 74

• Management GUI SSL Certificate on page 74

FIPS 140-2 Mode

FIPS 140-2 mode will switch all encrypted management services (currently SSH and the GUI) into FIPS mode. Changing this requires a complete appliance reboot.

SSL Decryption

SSL decryption allows the user to specify whether the decryption of SSL traffic occurs in real time (as the traffic flows through the appliance) or in low latency mode. Changing this value requires the DDoS Secure engine to be restarted.

You can configure which protected IP addresses and associated ports should have their SSL traffic decrypted and inspected. The private key file is selected from a list of private keys already uploaded to the appliance. Select Add and click Update at the end of the configuration page, or at the top right, for a new entry to be included. Table 14 on page 74 describes the SSL decryption modes.

Table 14: SSL Decryption Mode

SSL Decryption Mode: Description

Real Time: Each SSL packet is decrypted and inspected before being allowed to pass through the appliance. This introduces latency but ensures that every packet is inspected.

Low Latency: Under heavy load, SSL packets will be allowed to pass through unverified.

Management GUI SSL Certificate

The management-only SSL certificate option is used for updating the SSL certificate used for management access. By selecting the appropriate pull-down, you can either use a self-signed certificate, generate a CSR certificate request, or upload a previously signed certificate pair. Figure 38 on page 75 displays the SSL certificate option.


Figure 38: Management Only SSL Certificate Option

To generate a CSR request to be sent off to your CA, fill in the appropriate fields and click Generate CSR. Send the CSR off to the CA for signing, and then upload the response file and click Update. It is safe to browse away from this page and come back to it later when you have the CSR response. Figure 39 on page 75 displays the individual portal details.

Figure 39: Individual Portal Details

By selecting the appropriate portal, you can configure the settings for that portal.


Uploading SSL Decrypt Private Key File

You can upload RSA private key files to the DDoS Secure appliance. A private key file, for a protected server, must be uploaded to the appliance before SSL decryption can be configured. If the private key is protected by a password, this must be entered at the point of upload. Click Upload to upload and verify the private key. The private key is then separately encrypted (under another key) and stored on the appliance.

Adding Default Domain SSL Decrypt Key

If there are unused private keys on the system, the option to remove all (or individual) unused keys will become available.

You can configure which protected IP addresses and associated ports should have their SSL traffic decrypted and inspected. The private key file is selected from a list of private keys already uploaded to the appliance. Select Add and click Update at the end of the configuration page, or at the top right, for a new entry to be included. Table 15 on page 76 describes the default domain SSL decrypt key details.

Table 15: Default Domain SSL Decrypt Key Details

Field: Description

Protected IP: A protected IP address whose SSL traffic is to be decrypted and inspected.

Ports: A list of ports on which SSL traffic should be decrypted and inspected.

Private Key File: The private key file needed to decrypt the SSL traffic.

Adding a Specific Domain SSL Decrypt Key

You can configure which private key is used to decrypt SSL traffic for a particular domain name. This is used when a single protected IP address is serving multiple domains, each with their own certificate and private key. The protected IP address and SSL ports must be configured, as a default domain SSL decrypt key entry, before the specific domains are configured. Select Add and click Update for a new entry. Table 16 on page 76 describes the specific domain SSL decrypt details.

Table 16: Specific Domain SSL Decrypt Key Details

Field: Description

Protected IP: A preexisting (default domain defined) protected IP address whose SSL traffic is to be decrypted and inspected.

Domain IP: The specific domain name associated with this private key.

Private Key File: The private key file needed to decrypt the SSL traffic.

Figure 40 on page 77 displays the specific domain options.


Figure 40: Specific Domain Details

Configured SSL Decrypt Keys

The existing and newly added SSL Decrypt Key entries are displayed. They are grouped by protected IP address. Select the Remove check box and click Update to remove the entry.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Using the DDoS Secure ApplianceWeb Interface on page 25

• Configuring Portals on page 59

Configuring Date and Time on DDoS Secure Appliance

This topic helps you configure date and time on your DDoS Secure appliance. Click Configure Date and Time to configure date and time.

Figure 41 on page 77 displays the options to configure date and time.

Figure 41: Date and Time Page

Date and time must be set to the standard time for your environment as it is used in the creation of log entries. Time is stored internally as UTC and displayed offset from UTC by the time zone definition. It is advised that when installing or configuring a DDoS Secure appliance unit for the first time, the system time configuration is set immediately after the management interface is configured.

If your environment uses NTP to synchronize time, then a (comma-delimited) list of server IP addresses can be specified. If NTP servers are specified, it is assumed that the management interface IP address and default gateway definitions are sufficient to access the specified NTP server(s). These NTP servers will keep the internal clock synced with UTC time.

If NTP servers are defined, then the date and time fields are ignored when you click Update. Changing the time zone changes how the date and time is represented when displayed or when recorded in log files. It does not affect the duration of incidents or recordings.

If NTP servers are not defined, then the internal clock is set based on the time zone and the date and time fields, unless this is a VMware instance, where time is synced with the host server. Thus, changing the time zone might cause the (internal) UTC clock to move ahead or back by several hours to compensate for the time zone change. It is important to set the correct time zone and time information while adjusting the time configuration. This helps prevent large leaps in the system clock back or ahead. Large changes in the system clock can cause erroneous reports of DDoS Secure appliance subsystems stalling or failing and cause the duration of events to be incorrect. The configuration of a valid NTP server can prove very useful, because it prevents such confusing error reports and ensures that an accurate system clock is established and maintained from power on.

NOTE: NTP servers cannot be configured when the DDoS Secure appliance is running as an application on a third-party hardware platform.

The NTP state describes how NTP is working and is defined by the output of the ntpq -n -p Linux command:

• * in column 1 is the peer being used.

• ' ' (blank) in column 1 is a peer that is not being used at present.

• + in column 1 is a peer that is a potential candidate.

After defining or updating a set of NTP servers, NTP takes a few minutes to choose a suitable, stable NTP peer, and so initially all column 1s will be blank.

Clock 127.127.1.0 is the local system clock.
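The following is an added example, not part of this guide or of the appliance software, showing how the NTP state described above can be read programmatically: it parses the peer table printed by ntpq -n -p using the column-1 tally codes listed above and reports whether a real server has been selected or the appliance is still on the local clock 127.127.1.0. The sample output is constructed in the layout ntpq prints, not captured from an appliance; the function names are this example's own.

```python
"""Interpret the NTP state shown on the Configure Date and Time page.

Added example, not part of the DDoS Secure GUI User Guide or the appliance
software. It parses the peer table of ``ntpq -n -p`` using the column-1
tally codes the guide lists: ``*`` is the peer in use, ``+`` a candidate,
blank a peer not used at present, and 127.127.1.0 is the local system clock.
The sample output below is constructed, not captured from an appliance.
"""

SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.412   -0.123   0.045
+192.0.2.11      192.0.2.10       2 u   30   64  377    0.601    0.210   0.087
 192.0.2.12      192.0.2.10       2 u   29   64   17    0.988    1.402   0.311
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.000
"""

LOCAL_CLOCK = "127.127.1.0"
TALLY_MEANING = {"*": "in use", "+": "candidate", " ": "not used"}


def parse_ntpq_peers(text):
    """Return one dict per peer line, keyed by the ntpq column names."""
    peers = []
    for line in text.splitlines():
        # Skip the column header and the separator line of dashes/equals.
        if not line or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue  # not a peer line
        peers.append({
            "tally": tally,
            "state": TALLY_MEANING.get(tally, "other"),
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),   # reach register is printed in octal
            "offset_ms": float(fields[8]),
        })
    return peers


def ntp_state(text):
    """Summarise the peer table the way an operator checks it after a change."""
    peers = parse_ntpq_peers(text)
    selected = next((p["remote"] for p in peers if p["tally"] == "*"), None)
    return {
        "selected_peer": selected,
        "candidates": [p["remote"] for p in peers if p["tally"] == "+"],
        # Servers other than the local clock that answered at least one of
        # the last eight polls (reach != 0).
        "reachable_servers": [p["remote"] for p in peers
                              if p["remote"] != LOCAL_CLOCK and p["reach"] != 0],
        # True right after configuring servers (all column 1s blank) or when
        # ntpd has fallen back to the local clock: the appliance clock is
        # then not being kept in step with UTC by a server.
        "no_server_selected": selected in (None, LOCAL_CLOCK),
    }


if __name__ == "__main__":
    for key, value in ntp_state(SAMPLE_NTPQ_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the selected peer is 192.0.2.10 with 192.0.2.11 as a candidate; blanking the tally column (as it is for the first few minutes after an update) makes no_server_selected true, which is the condition an operator would want to see clear before trusting log timestamps.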

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Logging on a DDoS Secure Appliance on page 78

• Configuring Portals on page 59

Configuring Logging on a DDoS Secure Appliance

You can specify where you want the appliance logging redirected to for off-the-box analysis, as well as control the detail of the logging.

Click Configuring Logging to configure local and remote logging options.


IP addresses can be specified as aaa.bbb.ccc.ddd to identify a specific IP address, and can be separated by commas wherever multiple addresses are supported.

• Setting Up Portals on page 79

• Setting Up SNMP on page 79

• Setting Up a Syslog Server on page 80

• Setting Up a Structured Syslog Server on page 82

• Setting Up a Netflow Server on page 82

• Setting Up a Mail Server on page 83

• Setting Up a Proxy Server on page 85

• Setting Up GeoIP Database(s) on page 86

• Setting Up an Incident Create Threshold on page 86

• Setting Up an Incident Alert Threshold on page 87

• Setting Up an Incident View Threshold on page 87

• Setting Up Incident Peak Values on page 88

• Setting Up the Worst Offenders Logging Threshold on page 88

• Setting Up Debug Options on page 89

• Managing DDoS Secure Appliance General Logs on page 89

Setting Up Portals

By selecting the appropriate portal, you can configure the information for that portal by using the portal drop-down.

NOTE: For any portal other than DDoS Secure appliance, only the mail server can be configured.

Figure 42 on page 79 displays secure logging portal options.

Figure 42: DDoS Secure Portal Options

Setting Up SNMP

Appliances can be configured to send SNMP traps to an SNMP management tool such as HP OpenView. If this manager (or any other SNMP reader) wants to read MIB-defined data through SNMP, then the correct access control must be configured. The SNMP agent is set up for read-only access. Figure 43 on page 80 displays logging SNMP options.


Figure 43: DDoS Secure SNMP Options

Table 17 on page 80 provides a summary of the information displayed on the DDoS Secure SNMP options.

Table 17: DDoS Secure SNMP Details

Field: Description

Trap Receiver IP Address(es): The IP address for the SNMP trap destination has to be a specific IP address, and cannot contain a network mask. Multiple IP addresses are valid, separated by a comma. Traps are v2c.

Trap Community Name: Community name to be used whenever an SNMP trap is sent.

RO Community Name(s): Only applications using the defined community name can read the DDoS Secure appliance MIB data. Multiple community names are supported, comma separated.

System Location: Defines the location of your DDoS Secure appliance. This is kept unique across an active/standby DDoS Secure appliance pair.

System Contact: Defines the e-mail address of the person responsible for the operation of your DDoS Secure appliance.

Setting Up a Syslog Server

The appliance can be configured to send a copy of the messages that it records in the DDoS Secure appliance logs to a syslog server. The remote syslog server might need to be reconfigured before it will accept DDoS Secure appliance syslog messages. The syslog server will receive the messages at the specified facility and priority.

Figure 44 on page 81 displays syslog server options.


Figure 44: DDoS Secure Syslog Server Options

Table 18 on page 81 provides a summary of the information displayed on the DDoS Secure syslog server options.

Table 18: DDoS Secure Syslog Server Option Details

Field: Description

Server IP address(es): The IP address for the syslog server has to be a specific IP address and cannot contain a network mask. Multiple IP addresses are valid and are separated by a comma.

Facility: The syslog facility type to transmit in the messages to the syslog server.

Priority>=: The syslog priority level at or above which messages are transmitted to the syslog server.

NOTE: In version 4.0.3-0 and earlier, this was the priority encoded in messages sent to the syslog server.

NOTE: The following message prefixes have the associated syslog priority levels:

• Prefix—Logging Priority

• BGP—Informational

• BIOS—Error

• CLI—Informational

• Config—Notice

• Count—Informational

• Debug—Debug

• Disk—Error

• End—Informational

• Error—Error

• GeoIP—Informational

• GUI—Informational

• Inc't—Informational

• Info—Informational

• Raid—Error

• Start—Informational

• State—Informational

• Stats—Informational

• Warn—Warning


Setting Up a Structured Syslog Server

The DDoS Secure appliance can be configured to send messages to a SIEM server in the following formats: STRM (Log Event Extended Format, LEEF), Webtrends Enhanced Logging Format (WELF), or ArcSight (Common Event Format, CEF). The remote SIEM server might require reconfiguration before it will accept DDoS Secure structured syslog messages. The SIEM server will receive the messages at the specified facility and for priorities greater than or equal to that configured. Figure 45 on page 82 displays structured syslog server options.

Figure 45: DDoS Secure Structured Syslog Server Options

Table 19 on page 82 provides a summary of the DDoS Secure structured syslog logging details.

Table 19: DDoS Secure Structured Syslog Logging Details

Field: Description

Server IP address: The IP address for the SIEM server has to be a specific IP address and cannot contain a network mask. Multiple IP addresses are valid, and are separated by a comma.

Format: The structured syslog format of the messages.

Facility: The syslog facility type to transmit in the messages to the SIEM server.

Priority>=: The syslog priority level at or above which messages are transmitted to the SIEM server.

Setting Up a Netflow Server

The appliance can be configured to send messages to one or more Netflow collectors in version 9 (RFC 3954) format. The Netflow collector might need to be reconfigured before it accepts Netflow v9 messages from the DDoS Secure appliance. There is no aggregation of Netflow messages.

Figure 46 on page 83 displays logging Netflow server options.


Figure 46: DDoS Secure Logging Netflow Server

Table 20 on page 83 provides a summary of the information displayed on the DDoS Secure Netflow server options.

Table 20: DDoS Secure Netflow Server Details

Field: Description

Server IP address(es): The IP address for the Netflow collector has to be a specific IP address and cannot contain a network mask. Multiple IP addresses are valid and are separated by a comma; multicast IP addresses are also accepted.

Port: Port that the Netflow collector is connected on.

Refresh Templates (Pkts): When the specified number of Netflow packets has been transmitted, the templates defining the format of the Netflow packets are retransmitted.

Refresh Templates (Mins): When the specified number of minutes has passed since the templates were last transmitted, the templates defining the format of the Netflow packets are retransmitted.

Flush Long Flows (Mins): When the specified number of minutes has passed since Netflow information was last transmitted for a particular flow, a Netflow record is generated. This allows collectors to maintain flow information about flows that have been active for some time, instead of waiting for the flow to time out.

NOTE: When a long flow is flushed, this also resets the active/packet/byte counters displayed in the stateful session information pages, such as TCP information.

Session aggregation is not supported, so enabling this can generate a lot of traffic.

Setting Up a Mail Server

An e-mail can be sent every midnight with a copy of the daily statistics, or an e-mail alert can be sent on an activity. Click Send Test Mail to validate that e-mail can be sent to and received by the mail server.

Figure 47 on page 84 displays logging mail server options.


Figure 47: DDoS Secure Logging Mail Server

Table 21 on page 84 provides a summary of the information displayed on the DDoS Secure logging mail server options.

Table 21: DDoS Secure Mail Server Details

Field: Description

Server IP address: The IP address for the mail server has to be a specific IP address, and cannot be a DNS resolvable name. Multiple IP addresses are not valid.

From: The e-mail address of whoever is notionally sending the mail. This address is used in the header of the e-mail, but the SMTP envelope of the e-mail uses the null sender <> as failure or delivery delay notifications are not supported.

To: The e-mail address of the required recipient. The address must be acceptable to the specified mail server, and multiple recipients can be specified, comma separated.

DDoS Secure appliance Server: It is possible that you might be accessing the DDoS Secure appliance through an IP address that is different from the DDoS Secure appliance management IP address. You can define the different IP address, or the DNS resolvable name of the alternative IP address, for embedding into any URIs in the e-mails.


Send Daily Stats: If selected, e-mail will be sent every midnight with a summary of the daily activity of your DDoS Secure appliance. This report contains the same information as found on the display statistics page. On Sunday mornings, a weekly summary is also sent. On the first of a month, a monthly summary is also sent.

Send Cluster Daily Stats: If selected, e-mail will be sent every midnight with a summary of the daily activity of all the DDoS Secure appliances sharing state information. This report contains the same information as found on the display statistics page.

Send Cluster Weekly Stats: At midnight on Sunday mornings, a weekly summary is sent. This report contains the same information as found on the display statistics page.

Send Cluster Monthly Stats: E-mail sent at midnight on the first of a month with a monthly summary. This report contains the same information as found on the display statistics page.

Send Alert: E-mail sent summarizing the current incident activity (for those incidents over the alert threshold). An alert e-mail is sent from the DDoS Secure appliance when the minimum mail interval separation time has passed and there is at least one incident change yet to be reported.

Min Mail Interval (mins): E-mails generated by incident activity are rate limited to sending no more than one e-mail per min mail interval. Delayed alerts are collected and sent together in a single e-mail.

Setting Up a Proxy Server

You might need to allow the DDoS Secure appliance to access the Internet to download the GeoIP updates using the management interface.

Figure 48 on page 85 displays logging proxy server options.

Figure 48: DDoS Secure Logging Proxy Server

Table 22 on page 86 provides a summary of the information displayed on the DDoS Secure proxy server options.


Table 22: DDoS Secure Proxy Server Details

Field: Description

Server IP: The IP address for the proxy server has to be a specific IP address, and cannot be a DNS resolvable name. Multiple IP addresses are not valid. None indicates no proxy server.

Server Port: This defines the port to use on the proxy server.

Proxy User: This defines the user to authenticate to the proxy server (can be left blank).

Proxy Password: This defines the password to authenticate to the proxy server (can be left blank).
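The logging pages above state different address rules for each destination field: dotted-quad addresses only, no network mask, comma separation where a list is allowed, a single address and no DNS name for the mail and proxy servers, and multicast addresses accepted only for Netflow collectors. The following added example (not code from this guide or from the appliance) collects those rules into a pre-check an operator can run over a planned configuration before entering it; the field keys, the FIELD_RULES table and the function names are this example's own assumptions, and the sample configuration is constructed.

```python
"""Pre-check the address fields of the DDoS Secure logging pages.

Added example, not from the DDoS Secure GUI User Guide or the appliance
software. It encodes the address rules the guide states for each logging
destination; the field keys and rule table below are assumptions made for
this example.
"""
import ipaddress

# Per-field rules, constructed from the guide's field descriptions.
FIELD_RULES = {
    "snmp_trap_receivers":       {"multiple": True,  "multicast": False},
    "syslog_servers":            {"multiple": True,  "multicast": False},
    "structured_syslog_servers": {"multiple": True,  "multicast": False},
    "netflow_collectors":        {"multiple": True,  "multicast": True},
    "mail_server":               {"multiple": False, "multicast": False},
    "proxy_server":              {"multiple": False, "multicast": False},
}


def validate_address_field(field, value):
    """Return (ok, parsed_addresses, problems) for one raw field value."""
    rules = FIELD_RULES[field]
    if field == "proxy_server" and value.strip().lower() == "none":
        return (True, [], [])          # "None" means no proxy server
    problems, addresses = [], []
    items = [item.strip() for item in value.split(",") if item.strip()]
    if not items:
        problems.append("no address given")
    if len(items) > 1 and not rules["multiple"]:
        problems.append("only one address is allowed")
    for item in items:
        if "/" in item:
            problems.append(f"{item}: network masks are not allowed")
            continue
        try:
            addr = ipaddress.IPv4Address(item)
        except ipaddress.AddressValueError:
            # Hostnames are rejected: the guide requires aaa.bbb.ccc.ddd form
            # and says the mail/proxy fields do not take DNS names.
            problems.append(f"{item}: not a dotted-quad IP address")
            continue
        if addr.is_multicast and not rules["multicast"]:
            problems.append(f"{item}: multicast address not allowed for {field}")
            continue
        addresses.append(str(addr))
    return (not problems, addresses, problems)


def validate_logging_config(config):
    """Return {field: [problems]} for every field that fails its rules."""
    failures = {}
    for field, value in config.items():
        ok, _, problems = validate_address_field(field, value)
        if not ok:
            failures[field] = problems
    return failures


# Constructed sample of what an operator might plan to enter.
SAMPLE_CONFIG = {
    "snmp_trap_receivers": "192.0.2.10, 192.0.2.11",
    "syslog_servers": "192.0.2.0/24",
    "netflow_collectors": "192.0.2.50,239.1.1.1",
    "mail_server": "mail.example.com",
    "proxy_server": "None",
}

if __name__ == "__main__":
    for field, problems in validate_logging_config(SAMPLE_CONFIG).items():
        print(field, "->", "; ".join(problems))
```

On the constructed sample the syslog entry fails because it carries a mask and the mail server fails because it is a hostname, while the Netflow list passes with its multicast member and the proxy value None is accepted as "no proxy".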

Setting Up GeoIP Database(s)

Figure 49 on page 86 displays GeoIP database options.

Figure 49: DDoS Secure GeoIP Server

Table 23 on page 86 provides a summary of the information displayed on the DDoS Secure GeoIP database options.

Table 23: GeoIP Database Details

Field: Description

Update GeoIP Database(s): The database used to map IP addresses to country is the GeoLite free version provided by MaxMind (http://www.maxmind.com) under their license agreement. There is also a free version that maps IP addresses to cities, as well as IP addresses to AS number. If you want to use these free databases, subject to MaxMind license agreements, then your DDoS Secure appliance will need access to the Internet, either directly using DNS resolution or through a proxy server. When you click Update GeoLite Databases, the country, city and AS databases are installed and selected for updates on a daily basis.

Setting Up an Incident Create Threshold

Use the Incident Create Threshold option to control whether incidents are created and specify the packet rate at or above which they are created. If an incident has not been created, you cannot alert on, report on, or view information about the incident.

Incidents are divided into 16 main categories, with each category containing a set of specific incidents. You can enable or disable each main category for incident tracking. If a category is enabled for tracking, when the errant packet rate for the category is equaled or exceeded, an incident is created if one is not already active. When an incident has not equaled or exceeded the errant packet rate for a configured period (the default is 5 minutes), the incident is closed.

Whenever an incident goes over the incident alert threshold for a configured period (the default is 60 seconds), an entry is written to the log file. If the entry is logged, then when the incident is closed, this will also be logged. Any logging will also be duplicated out to the syslog server (if configured above) about the specific incident.

If there is a defined structured syslog server as configured above, then information is sent about an incident when the incident closes. If there is a high incident rate, check Auto Adjust to have the appliance try, once a day, to keep the incident rate per category to between 10 and 100 per day.

Figure 50 on page 87 displays incident create threshold options.

Figure 50: DDoS Secure Incident Create Threshold

Setting Up an Incident Alert Threshold

You can enable or disable each main category for alert tracking. If a category is enabled for tracking, when the errant packet rate for the category is equaled or exceeded for longer than the configured period (the default is 60 seconds), an alert is generated and a log entry is created. When the incident is closed, an end-of-incident alert is generated. If incidents are disabled for a main category type, incident alerts are also disabled for that category.

If e-mail is configured for sending alerts, then e-mails will be sent at the appropriate time. If an SNMP trap server is configured, then SNMP traps will be sent for an incident as appropriate alerts are triggered.
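To make the interplay of the create, alert and view thresholds concrete, here is an added example (not code from this guide or from the appliance) that simulates one category's incident lifecycle over a constructed series of errant packet rate samples: creation at the create threshold, closure after the rate has stayed below it for the close period (default 5 minutes), an alert once the rate has held at or above the alert threshold for the alert period (default 60 seconds), an end-of-incident alert when an alerted incident closes, and the Defense indicator colour driven by the view threshold. The 30-second sampling, the class and function names, and the rate values are assumptions of this example; the guide does not give the appliance's sampling interval.

```python
"""Simulate incident create / alert / view thresholds for one category.

Added example, not from the DDoS Secure GUI User Guide or the appliance
software. It models the threshold behaviour the guide describes in prose;
the sampling interval and all sample values below are constructed.
"""


class IncidentTracker:
    def __init__(self, category, create_threshold, alert_threshold, view_threshold,
                 close_after_s=300, alert_after_s=60,
                 incidents_enabled=True, alerts_enabled=True):
        self.category = category
        self.create_threshold = create_threshold   # errant packets/s
        self.alert_threshold = alert_threshold
        self.view_threshold = view_threshold
        self.close_after_s = close_after_s         # guide default: 5 minutes
        self.alert_after_s = alert_after_s         # guide default: 60 seconds
        self.incidents_enabled = incidents_enabled
        # Disabling incidents for a category also disables its alerts.
        self.alerts_enabled = alerts_enabled and incidents_enabled
        self.incident = None          # state of the currently open incident
        self.indicator_red = False    # right-pane Defense indicator

    def observe(self, t, rate):
        """Feed one (time in seconds, errant packets/s) sample; return events."""
        events = []
        # View threshold only drives the indicator colour.
        self.indicator_red = rate >= self.view_threshold
        if not self.incidents_enabled:
            return events

        if self.incident is None:
            if rate < self.create_threshold:
                return events
            self.incident = {"start": t, "last_over": t,
                             "alert_since": None, "alerted": False}
            events.append((t, "incident-created"))
        inc = self.incident

        if rate >= self.create_threshold:
            inc["last_over"] = t
        elif t - inc["last_over"] >= self.close_after_s:
            # Rate has stayed below the create threshold for the close period.
            events.append((t, "incident-closed"))
            if inc["alerted"]:
                events.append((t, "end-of-incident-alert"))
            self.incident = None
            return events

        if self.alerts_enabled:
            if rate >= self.alert_threshold:
                if inc["alert_since"] is None:
                    inc["alert_since"] = t
                if not inc["alerted"] and t - inc["alert_since"] >= self.alert_after_s:
                    inc["alerted"] = True
                    events.append((t, "alert"))
            else:
                inc["alert_since"] = None   # must be continuous to alert
        return events


def replay(tracker, samples):
    """Run (t, rate) samples through the tracker; return all events in order."""
    events = []
    for t, rate in samples:
        events.extend(tracker.observe(t, rate))
    return events


# Constructed 30-second samples of one category's errant packet rate.
SAMPLES = [(0, 10), (30, 120), (60, 600), (90, 650), (120, 700), (150, 20),
           (180, 20), (210, 20), (240, 20), (270, 20), (300, 20), (330, 20),
           (360, 20), (390, 20), (420, 20)]

if __name__ == "__main__":
    tracker = IncidentTracker("TCP SYN", create_threshold=100,
                              alert_threshold=500, view_threshold=50)
    for event in replay(tracker, SAMPLES):
        print(event)
```

With a create threshold of 100, an alert threshold of 500 and a view threshold of 50, the sample produces an incident at t=30, an alert at t=120 (60 seconds above 500), and closure plus the end-of-incident alert at t=420, five minutes after the rate last reached the create threshold.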

Figure 51 on page 87 displays incident alert threshold options.

Figure 51: DDoS Secure Incident Alert Threshold

Setting Up an Incident View Threshold

The incident view threshold dictates when the right pane Defense indicators turn from gray to red and from red to gray. If incidents are disabled for this main category type, then the incident view must also be disabled. If an option is disabled, then the Defense status for this option in the right pane has the link reference removed. The right pane Defense indicators will be red whenever the current packet rate is at or above the specified view threshold rate.

Figure 52 on page 88 displays incident view threshold options.

Figure 52: DDoS Secure Incident View Threshold

Setting Up Incident Peak Values

The incident peak values indicate the peak values tracked since the values were last reset. From this, you can determine the appropriate values to be set in the incident alert or incident view fields.

Figure 53 on page 88 displays incident peak value options.

Figure 53: DDoS Secure Incident Peak Values

Setting Up the Worst Offenders Logging Threshold

An IP address will be a valid candidate for the Worst Offenders table if tracking is enabled and errant packets are being generated by that IP address. Once an IP address has entered the Worst Offenders table, and the errant packet rate of the address is at or above the threshold for the appropriate category, an entry will be written to the log file. When the IP address is removed from the Worst Offenders table, this event will also be written to the log file. If an IP address's errant packet rate is at or above the auto black-list threshold (type 1 or type 2), and auto black-listing is enabled, then the IP address will be moved out of the Worst Offenders table and into the auto black-listed IP address table.

Figure 54 on page 89 displays worst offender logging threshold options.


Figure 54: Worst Offenders Logging Threshold

Setting Up Debug Options

Enabling any of the Debug options can cause very large amounts of data to be written to log files. These options should only be used when troubleshooting at the request of an appliance engineer.

Figure 55 on page 89 displays debug options.

Figure 55: Debug Options

Managing DDoS Secure Appliance General Logs

This allows you to review the log files of the appliance to view what has happened in the past.

Click General Logs to display log files. This displays the DDoS Secure general logging page. Figure 56 on page 90 displays the General Logs page.


Figure 56: DDoS Secure General Logs Page

The log file starts with a date and time entry, followed by a log entry type prefix. The next entry is appliance, indeterminate, multicast, broadcast, an IP address, a MAC address, or an incident report identification. The final part of the entry describes why this entry was logged.

If a protected IP is unknown, or has not yet been validated, then the entry is logged against indeterminate. The log entry type prefixes are as follows:

• BGP—Indicates an entry from the BGP FlowSpec subsystem.

• BIOS—Indicates an entry from the BIOS System Event Log (SEL).

• CLI—User connected or disconnected from the CLI.

• Config—Indicates configuration changes. + is added, - is deleted.

• Count—Additional information about a condition that has a start reference.

• Debug—Debug information.

• Disk—Disk sub-system messages.

• End—End of a condition that has a start reference.

• Error—Indicates some error condition.

• GeoIP—Status change in GeoIP updates from www.maxmind.com.

• GUI—User connected or disconnected from the GUI.


• Inc't—Indicates information about a specific incident. Click on this to view the incident information.

• Info—Informational message.

• Raid—Raid sub-system messages.

• Start—Start of a particular condition.

• State—DDoS Secure appliance state change (For example: reboot initiated).

• Stats—Daily statistics are generated.

• Warn—Indicates some warning condition.

For a worst offender, the start entry is only recorded when the IP address has exceeded the average error rate. The end entry is recorded when the IP address is replaced by a new worst offender. In addition, the count entry records the different Defense types and counts for that specific IP address.
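The following Python script is an added example (not Juniper code) that parses general log entries with the field order described above and pairs the Start, Count and End entries of a worst offender, splitting Config entries into additions and deletions. The exact delimiters, the timestamp format, the wording of the Count text and the sample lines are assumptions, since the guide gives only the order of the fields.

```python
"""Parser for DDoS Secure general log entries (added example, not Juniper code).

Assumed line layout: "<YYYY-MM-DD> <HH:MM:SS> <Type> <Subject> <description>", where
Subject is appliance, indeterminate, multicast, broadcast, an IP address, a MAC address,
or an incident id in the yyyymmdd/nnnnnn form the guide gives."""
import ipaddress
import re
from dataclasses import dataclass

# Entry type prefixes listed in the guide.
ENTRY_TYPES = {"BGP", "BIOS", "CLI", "Config", "Count", "Debug", "Disk", "End",
               "Error", "GeoIP", "GUI", "Inc't", "Info", "Raid", "Start", "State",
               "Stats", "Warn"}
FIXED_SUBJECTS = {"appliance", "indeterminate", "multicast", "broadcast"}

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<type>\S+) (?P<subject>\S+) ?(?P<text>.*)$")
INCIDENT_RE = re.compile(r"^\d{8}/\d{6}$")               # yyyymmdd/nnnnnn
MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


@dataclass
class Entry:
    timestamp: str
    kind: str           # entry type prefix, e.g. Start, Count, End, Config
    subject: str        # what the entry was logged against
    subject_class: str  # appliance/indeterminate/multicast/broadcast/ip/mac/incident
    text: str           # why the entry was logged


def classify_subject(subject):
    if subject in FIXED_SUBJECTS:
        return subject
    if INCIDENT_RE.match(subject):
        return "incident"
    if MAC_RE.match(subject):
        return "mac"
    try:
        ipaddress.ip_address(subject)
        return "ip"
    except ValueError:
        return "unknown"


def parse_line(line):
    """Return an Entry, or None for a line that is not a well-formed log entry."""
    m = LINE_RE.match(line.strip())
    if not m or m["type"] not in ENTRY_TYPES:
        return None
    return Entry(f'{m["date"]} {m["time"]}', m["type"], m["subject"],
                 classify_subject(m["subject"]), m["text"])


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def worst_offender_episodes(entries):
    """Pair Start/Count/End entries per IP address: Start is written when the IP
    exceeds the average error rate, Count lines add per-Defense-type counts, and End
    is written when a new worst offender replaces it. Returns (closed, still_open)."""
    open_eps, closed = {}, []
    for e in entries:
        if e.subject_class != "ip":
            continue
        if e.kind == "Start":
            open_eps[e.subject] = {"ip": e.subject, "start": e.timestamp,
                                   "end": None, "counts": {}}
        elif e.kind == "Count" and e.subject in open_eps:
            # Constructed Count text is "<Defense type> <count>".
            defense, _, count = e.text.rpartition(" ")
            open_eps[e.subject]["counts"][defense] = int(count)
        elif e.kind == "End" and e.subject in open_eps:
            ep = open_eps.pop(e.subject)
            ep["end"] = e.timestamp
            closed.append(ep)
    return closed, list(open_eps.values())


def config_changes(entries):
    """Split Config entries into additions (+) and deletions (-)."""
    cfg = [e.text for e in entries if e.kind == "Config"]
    added = [t[1:].strip() for t in cfg if t.startswith("+")]
    removed = [t[1:].strip() for t in cfg if t.startswith("-")]
    return added, removed


# Constructed sample log; values are illustrative, not real appliance output.
SAMPLE_LOG = """\
2014-05-14 09:00:01 State appliance reboot initiated
2014-05-14 09:05:12 GUI appliance user admin connected
2014-05-14 09:06:00 Config appliance + portal web1 bandwidth 100000000
2014-05-14 09:07:30 Start 198.51.100.23 worst offender above average error rate
2014-05-14 09:08:30 Count 198.51.100.23 TCP Attack 420
2014-05-14 09:08:30 Count 198.51.100.23 Bad TCP packet 17
2014-05-14 09:09:00 Inc't 20140514/000003 incident created for 203.0.113.5
2014-05-14 09:15:00 End 198.51.100.23 replaced by new worst offender
2014-05-14 09:16:00 Start 198.51.100.77 worst offender above average error rate
2014-05-14 09:20:00 Config appliance - portal web1 bandwidth 100000000
this line is not a log entry
"""
```

Running `worst_offender_episodes(parse_log(SAMPLE_LOG))` returns one closed episode for 198.51.100.23 with its two Defense counts and leaves 198.51.100.77 still open, since no End entry has been written for it yet.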

By default, only the first 1 MB of information is displayed with the latest entry at the top.

If there is more information, you can display all information by clicking Full List at the end of the output. This might take some time to download, especially over slower connections.

The display log page has the following options:

• Download Logfile—To download the complete file in compressed format to your local PC, click Download Logfile.

• Download HelpDesk Information—Click Download HelpDesk Information to copy information suitable for DDoS Secure appliance support. It is downloaded to your local PC for onward forwarding to DDoS Secure appliance support. This includes the set of DDoS Secure appliance log files.

• Create Dell DSET Information (not seen in virtual instances)—Click Create Dell DSET Information (if available) to build information suitable for DDoS Secure appliance support, ready for downloading to your local PC for onward forwarding to DDoS Secure appliance support.

NOTE: This should not be run on a busy DDoS Secure appliance and might take some time. Do not leave the page while this is being processed.

• Download Dell DSET Information—Click Download Dell DSET Information (if available) to copy information suitable for DDoS Secure appliance support. It is downloaded to your local PC for onward forwarding to DDoS Secure appliance support.

• Download Core File—Click Download Core File (if available) to copy core files and download them to your local PC for onward forwarding to DDoS Secure appliance support.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Date and Time on DDoS Secure Appliance on page 77

• DDoS Secure Appliance Configuration Files on page 92


DDoS Secure Appliance Configuration Files

Through the configuration file window, you can view, save, and restore configurations.

Click Configuration File to view the Configuration File Management page in the center pane; for guest accounts, a partial copy of the configuration file will be displayed.

Click one of the following:

• Download—Prompts you for a location to save the encrypted configuration file on your PC.

• Browse—Enables you to locate a previously saved encrypted configuration file. This file can then be uploaded and installed as the running configuration by clicking Upload. When a configuration is uploaded, the interface definitions are ignored, as the configuration might be from a different DDoS Secure appliance. You can override this by selecting use interface definitions.

• View—Displays a copy of the current configuration in the center pane. However, only administrator accounts can view the whole configuration file. Operator accounts only view a partial copy of the configuration file with user account information removed. Guest accounts will find that they only have the partial copy of the configuration file displayed, as they do not have access to all configuration file management options.

Figure 57 on page 92 and Figure 58 on page 92 display the Configuration File option and the snippet of the configuration file as seen by an administrator account.

Figure 57: Configuration File Options

Figure 58: Configuration File Page

The configuration section contains a list of CLI commands that would completely recreate the device's current settings, when displayed for an administrator. The CLI section does not display the user information when viewed by a guest or an operator account.


NOTE: A portal user will only see their portal configuration.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Managing DDoS Secure Appliance General Logs on page 89

• Managing DDoS Secure Appliance Worst Offenders Log File on page 96

DDoS Secure Appliance Statistics Reports

Display of statistics reports allows you to review the current defensive statistics of the appliance.

Click Statistics Reports to display current defensive statistics.

Figure 59 on page 93 displays the Statistics Report page.

Figure 59: Statistics Report Page

These statistics report the activity of the DDoS Secure appliance over the last 24 hours. Any defense line that consists only of zero entries is not reported. Portal users will only see data relevant to their portal. Where available, you can click the hyperlinks to drill down into the detailed information.


The statistics are divided into six sections, and output can cover a day, week, or month, depending on the options selected. Some sections might not be presented, as these are not appropriate to the selected options.

On the DDoS Secure Statistic Report page, click the appropriate button to view statistics for the previous week and month. Click Date for a specific date. Up to 60 days of information is held, but the amount depends on available disk space. A copy of this statistical report can be e-mailed every midnight, if required.

Table 24 on page 94 provides a summary of the information displayed on the DDoS Secure Statistic Report page.

Table 24: DDoS Secure Statistics Report Details

• Graphical Summary—This section summarizes the traffic throughput, the traffic after cleansing, the traffic dropped (Internet noise, black-listed and attack) and the traffic dropped (attack only).

• Packet Drop/Notification Activity—This section summarizes the packet drop activity and reasons the packets were dropped, as well as situations that occurred where there was no packet drop activity.

• Top Worst Offenders—This section reports top worst offenders tracked over the month, week, and day.

• Top Incidents—This section reports the top incidents tracked over the month, week, and day.

• Table Usage—These statistics reflect the usage of different tables within the DDoS Secure appliance software. Over time, the Tracked IPs, URLs, DNS, SIP, and Worst Offenders tables reach 100%, which is normal. When a table is full, the least recently used entry is discarded.

• Resource Usage—These statistics reflect how the appliance is being utilized. Memory usage is always likely to be high, as the underlying operating system uses spare memory for disk caching. The DDoS Secure appliance automatically manages the disk space.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Managing DDoS Secure Appliance General Logs on page 89

• DDoS Secure Appliance Configuration Files on page 92

Managing DDoS Secure Appliance Incident Logs

The Display Incident page allows you to review the active incidents tracked by the appliance.


Click Incident Logs to display active incident information. For an incident defense type to be displayed (the default), it has to be enabled in Incident Create Threshold.

Figure 60 on page 95 displays the incident logs.

Figure 60: Incident Logs

NOTE: Entries that are in the red font are for incidents that have been over the alert threshold for at least one minute.

• Incidents can be filtered by protected IP address or portal by selecting from the pull-down list. The options are:

• Today to bring up a log of incidents that has taken place today.

• Date to bring up a log of incidents that have taken place within the specified date range. Only the last 60 days of incidents are kept on disk.

• CSV Display to bring up a comma-separated detail of incidents that have taken place within the specified date range. You can look up a specific incident by entering the incident number, which is in the format yyyymmdd/nnnnnn.

• Date and Time hyperlink to get to the specific detail of an incident.

Displaying Incident Details

By hovering the mouse over an IP address, you can roughly determine where the IP address is.

There are three types of incident activity, recorded on the seventh line of output:

• Packets Dropped—Packets are actually being dropped (unless in logging mode).

• Packets Noted—Packets are actually being noted (as in logging mode).

• Occurred—The number of times the situation has been observed.

Figure 61 on page 96 displays the Specific Incident page.


Figure 61: Specific Display Incident Page

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Managing DDoS Secure Appliance General Logs on page 89

• Managing DDoS Secure Appliance Worst Offenders Log File on page 96

Managing DDoS Secure Appliance Worst Offenders Log File

Click Worst Offender Log to display worst offenders. Figure 62 on page 96 displays the Worst Offenders page.

Figure 62: Worst Offenders Log Page Snippet

Click Download Logfile for a copy of the log file that can be used for post-processing of the worst offender information. Other download options are:

• Download CSV logfile.

• Download black-listed IP addresses CSV logfile.

• Download previous month CSV logfile.

• Download previous month black-listed IP addresses CSV logfile.


Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Configuration Files on page 92

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

Reporting on a Specific Time

To get a specific time report:

1. Click Specific Time Report to bring up the page for querying activity at a specific time.

Figure 63 on page 97 displays the Specific Time Report page.

Figure 63: Specific Time Report

2. Define a time with a tolerance on either side and click Find Time.

All information referring to the time window is displayed.

3. Click Printable Version to print a copy of the report output.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Configuration Files on page 92

• Reporting on a Specific IP or Network Activity on page 97

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

Reporting on a Specific IP or Network Activity

To get a specific IP or a network activity report:

1. Click Specific IP Report to bring up the page for querying IP addresses.

Figure 64 on page 97 displays the Specific IP Report page.

Figure 64: Specific IP Report

2. Enter the IP address (or address/netmask).

3. Click Find IP.

All entries that the GUI can find in the logs or incident information are displayed.


Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Configuration Files on page 92

• Reporting on a Specific Time on page 97

• Upgrading a DDoS Secure Appliance with Patches Using File Upload on page 98

Upgrading a DDoS Secure Appliance with Patches Using File Upload

Click Upgrade to display the upgrade options.

At any point, the tracked information (used to calculate CHARM) can be backed up or restored. The size of the file is large (it can easily exceed 2G), so this process might take some time and is not normally needed. Figure 65 on page 98 displays the Upgrade Software through file upload page.

Figure 65: Upgrade Software Page


To upload the file:

1. Select File Upload and click OK.

Figure 66 on page 99 displays the Upgrade Software Using File Upload page.

Figure 66: Upgrade Software Using File Upload

2. Browse to the previously downloaded file.

3. Click Upgrade.

Figure 68 on page 99 displays the Confirmation Dialog message.

Figure 67: Confirmation Dialog Message

4. Click OK to continue.

NOTE: It might take some time for your upgrade file to be uploaded. During this period, do not browse away from this screen.

Figure 68 on page 99 displays the Upgrade Confirmation details.

Figure 68: Upgrade Confirmation Details

Figure 69 on page 100 displays the Upgrade Reboot page.


Figure 69: Upgrade Reboot Screen

The DDoS Secure reboot takes 5 to 10 minutes.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Configuration Files on page 92

• Understanding DDoS Secure Appliance Packet Capture Options on page 100

Understanding DDoS Secure Appliance Packet Capture Options

Click Packet Capture to display the packet capture options.

You can record up to nine distinct packet capture files. If there has not been any recording, all recording file slots (accessible through the pull-down menu) are labeled New and the Start Recording button is displayed.

Figure 70 on page 101 displays the New Packet Capture page.


Figure 70: New Packet Capture Page

If a recording does exist, it will be identified by its timestamp in one of the recording file slots. Select a recording by choosing its entry in the pull-down menu. A table displays statistics associated with that file. Figure 71 on page 102 displays the Existing Packet Capture page.

Click Start Recording to start a new recording; this overwrites any existing recording in this file slot. You can restrict the IP addresses that are recorded by specifying an IP address, or a network with a network mask. Setting such a restriction does not strip out all non-masked traffic, as IP addresses might not be easily determined (to minimize performance overhead) at the time of recording. It is also possible to enable a continuous recording loop by selecting Continuous. In continuous mode, a new recording is started in the next recording slot when the current recording slot becomes full or the system is restarted. Once the last recording slot (slot nine) is used, the system restarts the continuous recording loop with slot one.

CAUTION: When recording, there is a performance overhead (about 10% CPU usage and disk write activity) that might cause your DDoS Secure appliance to drop a few packets at the point of starting a new recording.

Figure 71 on page 102 displays the Existing Packet Capture page.

Figure 71: Existing Packet Capture Page

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Terminating a DDoS Secure Appliance Packet Capture Recording on page 102

• Displaying a DDoS Secure Appliance Packet Capture on page 103

• Downloading and Saving DDoS Secure Appliance Packet Capture Details on page 105

Terminating a DDoS Secure Appliance Packet Capture Recording

Click Stop Recording to stop recording. The recording automatically stops when the recording size reaches 500 MB, unless running in continuous recording mode, when the next recording slot is used.


Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Packet Capture Options on page 100

• Displaying a DDoS Secure Appliance Packet Capture on page 103

• Downloading and Saving DDoS Secure Appliance Packet Capture Details on page 105

Displaying a DDoS Secure Appliance Packet Capture

Before displaying any recorded data, you can select a specific network address, protocol, port or defense type, or any combination of these types in order to reduce the displayed data. Furthermore, filter syntax based on BPF, as used by tcpdump, can be specified for further data reduction.

NOTE: If the BPF filter is being used, and the DDoS Secure appliance is on a VLAN/MPLS trunk, then the appropriate VLAN/MPLS keywords must be used.

You can enable the output of MAC address information for the packets displayed, select whether to show only inbound or outbound packets, and decode the packets that contain state information that is being shared between DDoS Secure appliances.

Having entered any of the optional data reduction options, click Display Data to review the recording. This step can be performed even on a recording that is still in progress.

Figure 72 on page 104 displays the packet capture display page.


Figure 72: Packet Capture Display Page

The records are color-coded as follows:

• Black—Packet is good and passed through.

• Amber—Indicates that packets were dropped.

• Blue—Indicates generated packets.

• Gray—Traffic detected by DDoS Secure appliance that is not appropriate to pass through. The reasons are provided.

• Pink—Received state synchronization packet details.

• Yellow—Packet that would have been dropped if DDoS Secure was not in Logging mode for this session.

• Green—Sent state synchronization packet details.

• Purple—Redirected packet to the Intercept server.

The columns are generally divided as:

| Time | Protocol | Src IP | Src Port | Direction | Dest IP | Dst Port | Length | Fragment ID |

For TCP, this continues as: | TCP Flags | TCP State | Sequence numbers | Window Size |

For ICMP, this can continue as: | Sequence numbers |

For fragmented packets, H: is start fragment, M: is middle fragment, T: is tail fragment and O: is starting offset.

HB is the heartbeat protocol that DDoS Secure appliance uses for fail-over synchronization.
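As an added example (not Juniper code), this Python script parses capture display rows laid out in the column order given above, picks up the TCP and ICMP continuation cells, and groups fragmented packets by their H:/M:/T: markers and O: offset to flag incomplete fragment chains. The pipe-delimited cell layout, the placement of the fragment markers in the Fragment ID cell and the sample rows are assumptions, since the guide only gives the column order.

```python
"""Parser for DDoS Secure packet-capture display rows (added example, not Juniper code).

Assumed row layout: pipe-separated cells in the column order the guide gives, a TCP
continuation for TCP rows, an ICMP sequence cell for ICMP rows, and, for fragments,
"<H|M|T>:<fragment id> O:<offset>" in the Fragment ID cell."""
import re
from collections import defaultdict

BASE_COLS = ["time", "protocol", "src_ip", "src_port", "direction",
             "dst_ip", "dst_port", "length", "fragment_id"]
TCP_COLS = ["tcp_flags", "tcp_state", "sequence", "window"]
# H: start fragment, M: middle fragment, T: tail fragment, O: starting offset
FRAG_RE = re.compile(r"^(?P<kind>[HMT]):(?P<id>\S+)\s+O:(?P<offset>\d+)$")


def parse_row(line):
    """Return a dict for one display row, or None if the row is too short."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < len(BASE_COLS):
        return None
    row = dict(zip(BASE_COLS, cells[:len(BASE_COLS)]))
    extra = cells[len(BASE_COLS):]
    if row["protocol"] == "TCP" and len(extra) >= len(TCP_COLS):
        row.update(zip(TCP_COLS, extra))
    elif row["protocol"] == "ICMP" and extra:
        row["sequence"] = extra[0]
    m = FRAG_RE.match(row["fragment_id"])
    row["fragment"] = ({"kind": m["kind"], "id": m["id"], "offset": int(m["offset"])}
                       if m else None)
    return row


def parse_rows(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def fragment_chains(rows):
    """Group fragments by (src, dst, fragment id). A chain is reported complete when
    it starts with H at offset 0, ends with T, has only M fragments in between and
    strictly increasing offsets; this is a marker-level check, not byte accounting."""
    chains = defaultdict(list)
    for r in rows:
        if r["fragment"]:
            chains[(r["src_ip"], r["dst_ip"], r["fragment"]["id"])].append(r["fragment"])
    result = {}
    for key, frags in chains.items():
        frags.sort(key=lambda f: f["offset"])
        kinds = [f["kind"] for f in frags]
        offsets = [f["offset"] for f in frags]
        complete = (len(frags) >= 2 and kinds[0] == "H" and offsets[0] == 0
                    and kinds[-1] == "T" and all(k == "M" for k in kinds[1:-1])
                    and all(a < b for a, b in zip(offsets, offsets[1:])))
        result[key] = {"fragments": len(frags), "complete": complete}
    return result


# Constructed sample rows; addresses are from documentation ranges, not real traffic.
SAMPLE_ROWS = """\
| 09:07:30.001 | TCP | 198.51.100.23 | 51234 | > | 203.0.113.5 | 80 | 60 | - | S | SYN_SENT | 1000:1000 | 65535 |
| 09:07:30.002 | ICMP | 198.51.100.23 | 0 | > | 203.0.113.5 | 0 | 84 | - | 7 |
| 09:07:31.000 | UDP | 198.51.100.77 | 4000 | > | 203.0.113.5 | 53 | 1500 | H:0x1a2b O:0 |
| 09:07:31.001 | UDP | 198.51.100.77 | 4000 | > | 203.0.113.5 | 53 | 1500 | M:0x1a2b O:1480 |
| 09:07:31.002 | UDP | 198.51.100.77 | 4000 | > | 203.0.113.5 | 53 | 200 | T:0x1a2b O:2960 |
| 09:07:32.000 | UDP | 198.51.100.77 | 4000 | > | 203.0.113.5 | 53 | 1500 | M:0x1a2c O:1480 |
| 09:07:32.001 | UDP | 198.51.100.77 | 4000 | > | 203.0.113.5 | 53 | 200 | T:0x1a2c O:2960 |
"""
```

`fragment_chains(parse_rows(SAMPLE_ROWS))` reports fragment id 0x1a2b as complete and 0x1a2c as incomplete, because its head fragment never appeared in the recording.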

Figure 73 on page 105 displays the Packet Capture Display Column page.


Figure 73: Packet Capture Display Column Page

Slide to right to get Drop Reason.

Some fields within a line might be color-coded to indicate duplicate or out-of-order packets (blue), missing packets (red), updating SACKs (green) and MAC address on the wrong side (red).

If recordings are continuous, then the decode logic continues into the next recording if appropriate.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Packet Capture Options on page 100

• Terminating a DDoS Secure Appliance Packet Capture Recording on page 102

Downloading and Saving DDoS Secure Appliance Packet Capture Details

To download the DDoS Secure appliance capture details when a USB drive is plugged into the DDoS Secure appliance:

1. Click Download Recording to download a copy of the recording to your PC for onward transmission to Juniper Networks personnel for analysis.

You can download this recording in regular format, or in pcap format (as used by tcpdump, ethereal, and so on). If you download the recording in the pcap format, most of the recording information (such as why a packet was dropped) is lost.

2. Select Copy Recording #xx to USB Drive if a USB drive is plugged into the DDoS Secure appliance.

The recordings are copied in DDoS Secure appliance regular format. If there is an error while performing the recording copy, an error message is displayed. The most likely cause is insufficient disk space on the external USB drive.

NOTE: The USB drive has to have a formatted file system to get detected in the record replay GUI page.

Figure 74 on page 106 displays the Packet Capture Download Recording page.

Figure 74: Packet Capture Download Recording Page

3. Click Download Recording #1.

Figure 75 on page 107 displays the Packet Capture Download Recording page.


Figure 75: Packet Capture Recording Download Page

4. Click the format output version that you require.

Figure 76 on page 107 displays the Packet Capture Download Recording Confirmation

page.

Figure 76: Packet Capture Recording Download Confirmation Page

5. Click OK.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Packet Capture Options on page 100

• Displaying a DDoS Secure Appliance Packet Capture on page 103

• Terminating a DDoS Secure Appliance Packet Capture Recording on page 102

Shutting Down a DDoS Secure Appliance

Click Shutdown to shut down your DDoS Secure appliance. Figure 77 on page 107 displays the Shutdown page.

Figure 77: Shut Down Page


There are five options, with an optional sixth option if the DDoS Secure appliance is running as active in a fail-over relationship.

• Shutdown DDoS Secure Appliance and Poweroff—The appliance can be powered off using this control. All file systems are updated safely using this method. To restart, the appliance requires a power cycle.

NOTE: This option is not available when DDoS Secure appliance is running as an application on a third-party hardware platform.

• Shutdown DDoS Secure appliance and Reboot—During normal operation, it should not be necessary to reboot the DDoS Secure appliance. However, all file systems are updated safely using this method and the appliance reboots automatically, taking around five minutes.

NOTE: This option is not available when DDoS Secure appliance is running as an application on a third-party hardware platform.

• Shutdown DDoS Secure appliance engine—This stops the DDoS Secure appliance engine, leaving the GUI running. To restart the DDoS Secure appliance engine, click Restart DDoS Secure appliance Engine.

NOTE: If management access to the DDoS Secure appliance is through the DDoS Secure appliance and you do not have a high-availability system or a fail-safe card, you will lose access to the DDoS Secure appliance.

• Shutdown DDoS Secure appliance engine and restart—This stops and then automatically restarts the DDoS Secure appliance engine. This is not the same as shutting down DDoS Secure appliance and rebooting, which completely shuts down the operating system and then completely reboots the appliance from scratch.

• Shutdown DDoS Secure appliance engine, clear state and restart—This stops and then automatically restarts the DDoS Secure appliance engine. All state information is cleared, providing a clean start for the DDoS Secure appliance. This is not the same as shutting down DDoS Secure appliance and rebooting, which completely shuts down the operating system and then completely reboots the appliance from scratch.

• Go standby—This option is only displayed when the DDoS Secure appliance is the active DDoS Secure appliance in a fail-over cluster. This option causes the DDoS Secure appliance to drop out of active state so that a partner in the cluster takes over the active role.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Configuring Basic Settings for a DDoS Secure Appliance After Hardware Replacement on page 12

• Understanding DDoS Secure Appliance Packet Capture Options on page 100


CHAPTER 4

DDoS Secure Statistical Displays Overview

This chapter describes the statistical displays of the appliance protected traffic that can be viewed using the Summary Dashboard display button.

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Status Information on page 111

• DDoS Secure Appliance Protected IP Information on page 114

• DDoS Secure Appliance Live Incidents Information on page 117

• DDoS Secure Appliance Worst Offenders Information on page 118

• DDoS Secure Appliance Temporarily Black-Listed Information on page 121

• DDoS Secure Appliance Tracked IP Information on page 122

• Tracking Country-Wide Usage Information in a DDoS Secure Appliance on page 124

• DDoS Secure Appliance TCP Information on page 126

• DDoS Secure Appliance UDP Information on page 127

• DDoS Secure Appliance ICMP Information on page 129

• DDoS Secure Appliance Other IP Protocol Information on page 130

• DDoS Secure Appliance Fragment Information on page 132

• DDoS Secure Appliance URL Information on page 133

• DDoS Secure Appliance DNS Information on page 135

• DDoS Secure Appliance SIP Information on page 136

• DDoS Secure Appliance Bandwidth Information on page 138

• DDoS Secure Appliance Rerouting Information on page 139

• DDoS Secure BGP FlowSpec Information on page 140

• DDoS Secure Appliance MAC Information on page 143

• Miscellaneous Information on page 145

DDoS Secure Appliance Statistical Summary Overview

Click Summary Dashboard to display summary dashboard details.


The Summary Dashboard contains six tables of information and graphs summarizing the traffic passing through the DDoS Secure appliance. Figure 78 on page 110 displays the Summary Dashboard page.

Figure 78: Summary Dashboard Page

Table 25 on page 110 provides the parameters of the Summary Dashboard information page.

Table 25: Summary Dashboard Information Page

• Traffic Monitor—This shows the peak traffic usage (inbound and outbound) over the selected period (default is 24 hrs).

• Load Status—This reports on how busy the DDoS Secure engine is.

• Attack Status—This reports on how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources.

• Good Traffic—This reports on the distribution of where good traffic is coming from.

• Bad Traffic—This reports on the distribution of where the bad traffic is routed from.

• Protected Performance—This reports on how busy a protected IP address is from an aggregated CHARM perspective, and what the average traffic to and from the IP is.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• DDoS Secure Appliance Status Information on page 111


• DDoS Secure Appliance Protected IP Information on page 114

DDoS Secure Appliance Status Information

Click Status Information to display status information. Figure 79 on page 111 displays the Status Information page.

Figure 79: Status Information Page

The status information display is the primary information source for the DDoS Secure appliance and is useful both during attacks and in normal operation. All information consists of current and peak values. Peak values represent data since the last reboot, or the time of the last Reset. Click an individual cell to display the pop-up graph menu.

If an entry turns orange, or red, then packets are being dropped based on CHARM values.

Different protected IP addresses or portals can be monitored by choosing the viewing option at the top of the screen.

Click Reset Status Info Peak Values to reset all the peak values to zero.

Table 26 on page 111 provides the parameters of the status information page.

Table 26: Status Information Page Details

StatusField

Summary Information

Average speed of data processed for the specified protected IPor appliance.

Data Rate (bps)

111Copyright © 2014, Juniper Networks, Inc.

Chapter 4: DDoS Secure Statistical Displays Overview

Table 26: Status Information Page Details (continued)

StatusField

Average packets per second processed for the specifiedprotected IP or appliance.

Packet Rate(/s)

Protected Information

Number of partially open TCP connections for the specifiedprotected IP address or appliance.

Backlog Queue

Rolling average protected IP address response times to a newconnection request.

IP Latency (usecs)

Number of TCP connections for the specified protected IPaddress or appliance.

Open Connections

Number of TCP connection requests for the specified protectedIP address or appliance.

Connection Request(/s)

Number of HTTP page requests being processed by theprotected IP address , and indicates the page request (GET,HEAD or POST) has been sent, but not yet responded to.

Active HTTP GETs

Rate at which the DDoS Secure appliance has determined thatan IP address is overloaded.

Overloaded IP(/s)

Protocol Bit Rate

Averaged speed of TCP data processed for the specifiedprotected IP address or appliance.

TCP Rate (bps)

Averaged speed of UDP data processed for the specifiedprotected IP address or appliance.

UDP Rate (bps)

Averaged speed of ICMP data processed for the specifiedprotected IP address or appliance.

ICMP Rate (bps)

Other Rate (bps): Averaged speed of Other-IP data processed for the specified protected IP address or appliance.

Protocol Packet Rate

TCP Rate (pps): Averaged packets per second for TCP processed for the specified protected IP address or appliance.

UDP Rate (pps): Averaged packets per second for UDP processed for the specified protected IP address or appliance.

ICMP Rate (pps): Averaged packets per second for ICMP processed for the specified protected IP address or appliance.

Other-IP Rate (pps): Averaged packets per second for other-IP processed for the specified protected IP address or appliance.

Packet Size Information

Packet (Small) Rate (/s): Averaged packets (256 bytes or less) per second processed for the specified protected IP address or appliance. This includes packets that might have been dropped.

Packet (Medium) Rate (/s): Averaged packets (greater than 256 bytes, but 1024 bytes or less) per second processed for the specified protected IP address or appliance. This includes packets that might have been dropped.

Packet (Large) Rate (/s): Averaged packets (greater than 1024 bytes) per second processed for the specified protected IP address or appliance. This includes packets that might have been dropped.

Drop Information

Drop Rate (bps): Averaged rate of data dropped by the appliance for the specified protected IP address or appliance.

Packets Dropped (/s): Averaged packets per second dropped for the specified protected IP address or appliance.

Charm Dropped (pps): Averaged packets per second that the DDoS Secure appliance has dropped by heuristic detection.

Charm Dropped (bps): Averaged rate of data that the DDoS Secure appliance has dropped by heuristic detection.

Filtered Bandwidth (%): The dropped bandwidth divided by the actual bandwidth, as a percentage. Note that on idle connections this percentage is likely to be large, as most of the traffic will just be noise.

Traffic Limiting

Bandwidth (/s): Packets per second that are dropped because the bandwidth exceeds the bandwidth value or filter defined for the portal, or because the maximum bandwidth for the appliance is breached.

Packet Rate (/s): Number of packets per second that have been dropped because the Packet Rate limiting settings configured for the portal or filter have been breached.

Blocked Protocol (/s): Number of packets per second that the DDoS Secure appliance has dropped because either a protocol is not enabled in a filter, or the IP address is black-listed.

Unknown Session (/s): Packets per second that either have no entry in the DDoS Secure appliance state table and are not starting a connection, or have an entry in the state table but whose sequence numbers do not match.

Protocol Attack Rate: Rate of packets per second that the DDoS Secure appliance has classified as attack traffic, for the following:

• IP Attack (/s)

• TCP Attack (/s)

• UDP Attack (/s)

• ICMP Attack (/s)

• Other-IP Attack (/s)

• Fragment Attack (/s)

Malformed Packet Rate: Rate of packets detected and classified as follows:

• Bad IP packet (/s)

• Bad TCP packet (/s)

• Bad UDP packet (/s)

• Bad ICMP packet (/s)

• Bad O-IP packet (/s)

Other line items: Counters for occurrences per second that potentially cause a red light to be turned on in the right-hand pane.
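The two Unknown Session conditions above (no state-table entry and not starting a connection; entry present but sequence numbers do not match), worked through in a toy TCP state table. This is an added example, not DDoS Secure's own code; the tolerance of 65535 sequence numbers either side of the expected value and the sample addresses are assumptions.

```python
"""Toy TCP state table showing how an 'Unknown Session' can be counted.

Added example, not DDoS Secure's own code. The two conditions come from the
Status page text: a packet with no state-table entry that does not start a
connection, or a packet whose entry exists but whose sequence number does not
match. The window used for the match (65535 either side) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SEQ_MASK = 0xFFFFFFFF
Endpoint = Tuple[str, int]


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload_len: int = 0


@dataclass
class Session:
    # next sequence number expected from each endpoint, filled in as each
    # side is first seen (client on SYN, server on SYN/ACK)
    next_seq: Dict[Endpoint, int] = field(default_factory=dict)
    window: int = 65535


class StateTable:
    def __init__(self) -> None:
        self.sessions: Dict[Tuple[Endpoint, Endpoint], Session] = {}
        self.unknown_session = 0  # what 'Unknown Session (/s)' would report per second
        self.accepted = 0

    @staticmethod
    def key(seg: Segment) -> Tuple[Endpoint, Endpoint]:
        # direction-independent key so both halves of a flow share one entry
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, seg: Segment) -> str:
        k = self.key(seg)
        sess = self.sessions.get(k)
        if sess is None:
            if seg.flags & SYN and not seg.flags & ACK:
                # a pure SYN is the only packet allowed to create an entry
                self.sessions[k] = Session({(seg.src, seg.sport): (seg.seq + 1) & SEQ_MASK})
                self.accepted += 1
                return "new"
            self.unknown_session += 1
            return "unknown: no state entry"
        if seg.flags & RST:
            del self.sessions[k]
            self.accepted += 1
            return "reset"
        sender = (seg.src, seg.sport)
        expected = sess.next_seq.get(sender)
        if expected is None:
            # first segment from the responder must be the SYN/ACK
            if seg.flags & SYN and seg.flags & ACK:
                sess.next_seq[sender] = (seg.seq + 1) & SEQ_MASK
                self.accepted += 1
                return "syn-ack"
            self.unknown_session += 1
            return "unknown: responder did not SYN/ACK"
        # modular distance of this segment from the expected sequence number;
        # small values are in-order or ahead, values near 2^32 are retransmissions
        delta = (seg.seq - expected) & SEQ_MASK
        if sess.window < delta < (1 << 32) - sess.window:
            self.unknown_session += 1
            return "unknown: sequence mismatch"
        if delta <= sess.window:
            advance = seg.payload_len + (1 if seg.flags & (SYN | FIN) else 0)
            sess.next_seq[sender] = (seg.seq + advance) & SEQ_MASK
        self.accepted += 1
        return "ok"


def demo() -> Tuple[List[str], int, int]:
    """Run a constructed packet sequence (sample addresses) through the table."""
    c, s, stray = ("198.51.100.7", 40000), ("192.0.2.10", 80), ("203.0.113.5", 1234)
    segments = [
        Segment(*c, *s, SYN, 1000),          # handshake starts
        Segment(*s, *c, SYN | ACK, 5000),
        Segment(*c, *s, ACK, 1001),
        Segment(*c, *s, ACK, 1001, 100),     # 100 bytes of request data
        Segment(*stray, *s, ACK, 77),        # ACK for which no SYN was ever seen
        Segment(*c, *s, ACK, 900000, 10),    # sequence number far outside the window
        Segment(*c, *s, ACK, 1001, 100),     # retransmission of the request
    ]
    table = StateTable()
    results = [table.process(seg) for seg in segments]
    return results, table.unknown_session, table.accepted
```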

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Protected IP Information on page 114

DDoS Secure Appliance Protected IP Information

Click Protected Information to display protected IP information.

Figure 80 on page 114 displays the protected IP information.

Figure 80: Protected IP Information Page

Click + in front of a portal name to expand the protected IP addresses associated with that portal.

NOTE: If a specific portal or IP address is selected in the Viewing: pull-down (top right), then only the associated portal is available for review.

The central pane describes the determined protected IP addresses, as well as the respective traffic rates. Each transaction has twenty-five parameters. The entries that have action cells bring up graphs of previous data. Click a column head to sort by that column.

For the columns that have four entries, these are the current value, the peak value, the suggested value to use for CHARM, and the currently configured value for that parameter. If the last entry is in blue font, the parameter is auto-configured and the displayed value is the currently determined value. If the third entry is in red font, it is a suggested configuration value that the DDoS Secure appliance has determined to be suitable. Reconfigure the protected IP address with this value and observe whether the DDoS Secure appliance suggests another iteration of configuration.

If any entry is highlighted in orange, packets are being dropped because their CHARM score is too low. If the entry is highlighted in red, then potentially high CHARM value packets are being dropped.

If you click Reset Protected Statistics, all the peak values are reset to zero.

NOTE: The value in the backlog queue can rise above the configured Defense threshold, and might even fail to turn orange in such situations. This can occur because the defense threshold is configured on a per-port basis, whereas the value displayed in the table is the total backlog for all TCP connection attempts to the protected IP address, across all TCP ports.

The value in the backlog queue does not include requests to ports that are not open or not responding, nor SYN requests that are let through in logging mode that should have been dropped.

Table 27 on page 115 provides the parameters of the protected information page.

Table 27: Protected IP Information Page Details

IP Address: The IP address or IP address tree for drilling down.

Slow Syn: Count of SYN requests that have taken more than five seconds to respond to.

Backlog: Current, peak and configured number of partially open TCP connections.

Open Connections: Current, peak and configured number of open TCP connections.

Connection Requests: Current, peak and configured number of TCP connection requests per second.

Slow Get: Count of GET requests that have taken more than 5 seconds to respond to.

Gets: Current and peak/configured number of HTTP page requests being processed.

In Drop (Pkts/s): Current and peak number of packets to the protected IP address dropped per second.

In (Pkts/s): Current and peak number of packets to the protected IP address in packets per second.

In (Bits/s): Current and peak speed of data to the protected IP address in bits per second.

Out Drop (Pkts/s): Current and peak number of packets from the protected IP address dropped per second.

Out (Pkts/s): Current and peak speed of data from the protected IP address in packets per second.

Out (Bits/s): Current and peak speed of data from the protected IP address in bits per second.

In TCP (Pkts/s): Current and peak number of TCP packets to the protected IP address in packets per second.

In TCP (Bits/s): Current and peak TCP speed of data to the protected IP address in bits per second.

In UDP (Pkts/s): Current and peak number of UDP packets to the protected IP address in packets per second.

In UDP (Bits/s): Current and peak UDP speed of data to the protected IP address in bits per second.

In ICMP (Pkts/s): Current and peak number of ICMP packets to the protected IP address in packets per second.

In (TCP): Number of inbound initiated TCP sessions.

Out (TCP): Number of outbound initiated TCP sessions.

Out (UDP): Number of outbound initiated UDP sessions.

Out (ICMP): Number of outbound initiated ICMP sessions.

Out (Other): Number of outbound initiated other IP address sessions.

Out (Fragment): Number of outbound initiated fragment tracking sessions.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Live Incidents Information on page 117

DDoS Secure Appliance Live Incidents Information

Click Live Incidents to display Live Incident information. This allows you to review the active incidents tracked by the appliance.

Enable the incident defense type in Incident Create Threshold.

Entries in red highlight incident activity that has been over the alert threshold for at least one minute.

Figure 81 on page 117 shows the list of live incidents. To view more information about a particular incident, click the associated row.

Figure 81: Live Incidents List

Figure 82 on page 118 displays the live incidents page with the screens highlighted.

Figure 82: Live Incidents Page

• Green Screen—Incidents screen (a minimized version of the screen shown on page load)

• Blue Screen—Summary of the specific incident

• Purple Screen—Graph of the specific attack vector

• Yellow Screen—List of source IP addresses involved in the incident (maximum of 20 individual IP addresses)

NOTE: The initial incident screen is shown in green. The other screens appear when a specific incident is selected.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Worst Offenders Information on page 118

DDoS Secure Appliance Worst Offenders Information

Click Worst Offenders to display the list of worst offenders.

The central pane shows the real-time status of the worst offending IP addresses, along with the reason. Click the head of a column to sort the output by that column; the triangle indicator shows the sort direction.

Figure 83 on page 119 displays the Worst Offenders information page.

Figure 83: Worst Offenders Information Page

If the DDoS Secure appliance is running under severe loading conditions, the worst offender tracking rate is limited to 1000 errant packets per second, and so the average or current rates might report a value lower than the rate at which the DDoS Secure appliance is actually discarding errant packets.

Table 28 on page 119 provides a summary explaining the meaning of the values held in each column.

Table 28: Worst Offender Information Page Details

Location: Location of the IP address. Hovering the mouse over the Loc field indicates roughly where the IP address is located.

AS#: The autonomous system routing prefix for this IP.

Address: IP source address of the worst offender as determined by the DDoS Secure appliance algorithm. The indicators are as follows: Blue indicates a protected IP; Green indicates a Do not auto-block IP; Red indicates a white-listed IP. If there is a trailing triangle (bottom right), this hyperlink can be used to temporarily block this IP address for at least five minutes.

Valid: Whether the IP address is valid or not. If it is not valid, it is spoofed.

Last Destination: The last IP address that this IP address tried to access, with error.

Last Proto: The last protocol this IP address tried to access, with error.

Last S Port: The last source port this IP address used, with error.

Last D Port: The last destination port this IP address tried to access, with error.

Last Portal: The last portal that this IP address tried to access, with error. If the portal is orange, then it is in logging mode.

Last Reason: The last reason why this IP address was determined to be a worst offender.

Count: The number of times this IP address has been identified as an attacker.

Rate (Pkts/s): The current and peak packet rates per second.

Irritant Rate: The current and peak packet rates per second of irritant attacks.

Resource Usage Rate: The current and peak packet rates per second of resource-consuming attacks.

Last Time: The last time this IP address was determined to be a worst offender.

If the Last Reason column shows a folder icon, it can be expanded to drill down to the breakout of the different types of Defense invoked against this IP address, as shown in Figure 84 on page 120.

Figure 84: Last Reason Expand Page

Click Reset Worst Offenders (top right side of the Worst Offenders table) to remove all the worst offender entries.

To temporarily black-list a worst offender, select the IP address and click the triangle at the bottom right of the cell. This displays the black-list dialog box. Click the dialog box to confirm the action.

Once completed, the confirmation shown in Figure 85 on page 120 appears.

Figure 85: Temporarily Black List Confirmation

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Temporarily Black-Listed Information on page 121

DDoS Secure Appliance Temporarily Black-Listed Information

Click Temporarily Black Listed to display the temporarily black-listed information.

Figure 86 on page 121 displays the temporarily black-listed information.

Figure 86: IP Temporarily Black Listed Information Page

Table 29 on page 121 provides the parameters of the Temporarily Black Listed information page.

Table 29: Temporarily Black Listed Information Page Details

Location: Location of the IP address. Hovering the mouse over the Loc field indicates roughly where the IP address is located.

AS#: The autonomous system routing prefix for this IP address.

Address: IP address of the worst offender seen by the DDoS Secure appliance algorithm.

Valid: Whether the IP address is valid or not. If it is not valid, it is spoofed.

Last Protected: The last IP address that this IP address tried to access.

Last Proto: The last protocol that this IP address tried to access.

Last S Port: The last source port that this IP address used.

Last D Port: The last destination port that this IP address tried to access.

Last Portal: The last portal that this IP address tried to access. If the portal is orange, then it is in logging mode.

Rate (Pkts/s): The current and peak packet rates per second.

Speed (Bits/s): The current and peak bit rates per second.

Count: The number of packets dropped from this IP address.

Last Time: The last time this IP address was blocked.

Reason: The reason why this IP address was temporarily black-listed.

To manually remove an IP from the temporary black-list, select the IP address and click the triangle at the bottom right of the cell. This displays the un-black-list dialog box, which must be clicked to confirm the action. The confirmation screen appears as shown in Figure 87 on page 122.

Figure 87: Black List Removal Confirmation

Click Purge Black-List on the top row towards the right to remove all IP addresses from the auto black-list.

NOTE: Purge Black-List will also purge any dynamic BGP FlowSpec rules.

IP addresses are automatically removed from the auto black-list IP list when the DDoS Secure appliance determines that it is safe to do so. This is usually after five minutes of inactivity for this IP address.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Tracked IP Information on page 122

DDoS Secure Appliance Tracked IP Information

Click IP Tracked Info to display tracked information.

Figure 88 on page 122 displays the IP Tracked information.

Figure 88: IP Tracked Information Page

The central pane outputs some of the IP information used for CHARM calculations. Each entry has 22 parameters.

Table 30 on page 123 provides the parameters of the tracked IP information page.

Table 30: Tracked IP Information Page Details

Location: The GeoIP location of the IP address. If this location is red, then this IP is repeatedly asking for the same URL.

AS#: The autonomous system routing prefix for this IP address.

IP Address: If the address is orange, then this IP address is troublesome. If this IP address is red, then this IP address is black-listed.

Last Protected: Last protected IP address that this IP tried to get to.

Backlog Queue: Number of partially open TCP connections.

Half Conn: Number of connections that have completed the three-way handshake, but have not yet transferred any data.

Connections: Number of open (active) TCP connections.

Port Scan: Number of hosts/ports currently being scanned by this IP address.

Errors: Error rate of the IP address.

Bit Rate: Rolling average speed of data to and from the IP address in bits per second.

GET Rate: The number of GETs requested by the IP address per second. This number is scaled up when tracking specific URLs that are matched.

BL: IP address is defined in the black-list.

WL: IP address is defined in the white-list.

WN: IP address is defined in the white-list (no logging).

PL: IP address is defined as a preferred client (CHARM boost).

DL: IP address is defined as always having default CHARM.

CA: IP address overrides any country blocking.

NB: IP address can never be auto-blocked.

MP: IP address is defined as a mega-proxy.

P: IP address is detected as a proxy server.

F: IP address is currently being filtered by a protected IP address.

Last Seen: Time when traffic was last seen to and from this IP address.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• Tracking Country-Wide Usage Information in a DDoS Secure Appliance on page 124

Tracking Country-Wide Usage Information in a DDoS Secure Appliance

Click Country Usage Info to display country-wide usage information. Figure 89 on page 124 provides the country-wide usage information.

Figure 89: Country-Wide Usage Information

The central pane shows the real-time status of traffic through the appliance, based on country of origin. Click on a column head to sort the rows.

Table 31 on page 124 provides a summary explaining the meaning of the values in each column.

Table 31: Country Usage Information Page Details

Country: Country of origin. Hovering the mouse over the country indicates the country code. If this entry is orange, then this country is black-listed. If this entry is orange, then this country is partially blocked by a filter.

Clients: The current and peak number of history table entries for this country.

TCP: The current and peak number of TCP table entries for this country.

UDP: The current and peak number of UDP table entries for this country.

ICMP: The current and peak number of ICMP table entries for this country.

Other: The current and peak number of other IP address table entries for this country.

Frag: The current and peak number of fragment table entries for this country.

Drop (Pkts/s): The current and peak number of packets per second dropped from this country.

Inbound (Pkts/s): The current and peak number of packets per second from this country.

Inbound (Bits/s): The current and peak data rate per second from this country.

Outbound (Pkts/s): The current and peak number of packets per second to this country.

Outbound (Bits/s): The current and peak data rate per second to this country.

Only countries that have any activity are reported.

Clicking Reset Country Usage Statistics resets all the peak values used to build the table.

An orange cell represents a black-listed country.

To black-list a country, click the Country cell to bring up the black-list menu, then select Black-List. To unblock a black-listed country (shown in orange), follow the same process. Figure 90 on page 125 displays the black-list menu options.

Figure 90: Black List Menu Options

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance TCP Information on page 126

DDoS Secure Appliance TCP Information

Click TCP Information to display TCP information.

Figure 91 on page 126 displays the real-time status of the TCP connections through the DDoS Secure appliance.

Figure 91: TCP Information Options

Select from the TCP states list to filter the TCP Information to the selected TCP state type.

If any entry is highlighted in orange, then packets are being dropped because their CHARM score is too low. If the entry is red, then high CHARM value packets are being dropped.

Table 32 on page 126 provides a summary explaining the meaning of the values held in each column.

Table 32: TCP Information Page Details

Vlan/MPLS: The outer level VLAN or MPLS tag for this session.

Internet Location: Where the IP address is located. Hovering the mouse over the location field indicates roughly where the IP address is located.

Internet AS#: The autonomous system routing prefix for this IP address.

Internet IP: IP address of the Internet side of the connection.

Internet Port: Port of the Internet side of the connection.

X-Forwarded-For Location: Location for Internet traffic coming through a proxy/CDN server.

X-Forwarded-For AS#: The autonomous system routing prefix for Internet traffic coming through a proxy/CDN server.

X-Forwarded-For IP: IP address of the Internet traffic coming through a proxy/CDN server.

Dir: Direction of the initiated session.

Protected IP: IP address of the protected side of the connection.

Protected Port: Port of the protected side of the connection.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Inbound Bytes: The number of data bytes received from the client.

Inbound Pkts: The number of packets received from the client.

Outbound Bytes: The number of data bytes received from the protected IP address.

Outbound Pkts: The number of packets received from the protected IP address.

Active: Time in seconds since the first SYN of the connection.

State: State of the connection. This entry is red if there is DDoS Secure appliance TCP keepalive probing.

The background for each line can be color coded as follows:

• Green—Entry has expired and is waiting for deletion.

• Orange—Entry created due to a routing redirect packet bounce.

• Yellow—Pseudo connection that is normally dropped, but the DDoS Secure appliance is in logging mode for this particular connection.

• Light blue font—State information obtained from another DDoS Secure appliance.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance UDP Information on page 127

DDoS Secure Appliance UDP Information

Click UDP Information to display UDP information.

Figure 92 on page 128 displays the real-time status of the UDP transactions through the DDoS Secure appliance.

Figure 92: UDP Information Page

Table 33 on page 128 provides the parameters of the UDP information page.

Table 33: UDP Information Page Details

Vlan/MPLS: The outer level VLAN or MPLS tag for this session.

Internet Location: Where the IP address is located. Hovering the mouse over the location field indicates roughly where the IP address is located.

Internet AS#: The autonomous system routing prefix for this IP address.

Internet IP: IP address of the Internet side of the connection.

Internet Port: Port of the Internet side of the connection.

Dir: Direction of the initiated session.

Protected IP: IP address of the protected side of the connection.

Protected Port: Port of the protected side of the connection.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Inbound Bytes: The number of data bytes received from the client.

Inbound Pkts: The number of packets received from the client.

Outbound Bytes: The number of data bytes received from the protected IP address.

Outbound Pkts: The number of packets received from the protected IP address.

Active: Time in seconds since the first SYN of the connection.

The background for each line can be color coded as follows:

• Green—Entry has expired and is waiting for deletion.

• Orange—Entry created due to a routing redirect packet bounce.

• Yellow—Pseudo connection that is normally dropped, but the DDoS Secure appliance is in logging mode for this particular connection.

• Light blue font—State information obtained from another DDoS Secure appliance.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance ICMP Information on page 129

DDoS Secure Appliance ICMP Information

Click ICMP Information to display ICMP information.

Figure 93 on page 129 displays the real-time status of the ICMP transactions through the DDoS Secure appliance.

Figure 93: ICMP Information Page

Table 34 on page 129 provides the parameters of the ICMP information page.

Table 34: ICMP Information Page Details

Vlan/MPLS: The outer level VLAN or MPLS tag for this session.

Internet Location: Where the IP address is located. Hovering the mouse over the location field indicates roughly where the IP address is located.

Internet AS#: The autonomous system routing prefix for this IP address.

Internet IP: IP address of the Internet side of the connection.

Dir: Direction of the initiated session.

Protected IP: IP address of the protected side of the connection.

Type: Code: ICMP type and code.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Inbound Bytes: The number of data bytes received from the client.

Inbound Pkts: The number of packets received from the client.

Outbound Bytes: The number of data bytes received from the protected IP address.

Outbound Pkts: The number of packets received from the protected IP address.

Active: Time in seconds since the first SYN of the connection.

The background for each line can be color coded as follows:

• Green—Entry has expired and is waiting for deletion.

• Orange—Entry created due to a routing redirect packet bounce.

• Yellow—Pseudo connection that is normally dropped, but the DDoS Secure appliance is in logging mode for this particular connection.

• Light blue font—State information obtained from another DDoS Secure appliance.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Other IP Protocol Information on page 130

DDoS Secure Appliance Other IP Protocol Information

Other IP protocol information contains information on protocols that are not listed in the protocol-specific displays. These should be monitored for unusual or unexpected traffic.

Click Other IP Information to display other IP protocol information.

Figure 94 on page 130 displays the real-time status of the other IP protocol transactions through the DDoS Secure appliance.

Figure 94: Other IP Protocol Information Page

Table 35 on page 131 provides the parameters of the other IP information page.

Table 35: Other IP Information Page Details

Vlan/MPLS: The VLAN or MPLS label associated with this connection.

Internet Location: Where the IP address is located. Hovering the mouse over the location field indicates roughly where the IP address is located.

Internet AS#: The autonomous system routing prefix for this IP.

Internet IP: IP address of the Internet side of the connection.

Dir: Direction of the initiated session.

Protected IP: IP address of the protected side of the connection.

Proto: IP protocol in use.

Protected Portal: The portal that the protected IP resides in. If the portal is orange, then it is in logging mode.

Inbound Bytes: The number of data bytes received from the client.

Inbound Pkts: The number of packets received from the client.

Outbound Bytes: The number of data bytes received from the protected IP.

Outbound Pkts: The number of packets received from the protected IP.

Active: Time in seconds since the first SYN of the connection.

The background for each line can be color coded as follows:

• Green—Entry has expired and is waiting for deletion.

• Orange—Entry created due to a routing redirect packet bounce.

• Yellow—Pseudo connection that is normally dropped, but the DDoS Secure appliance is in logging mode for this particular connection.

• Light blue font—State information obtained from another DDoS Secure appliance.

Details of protocol numbers can be found at:

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml#protocol-numbers-1.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Fragment Information on page 132

DDoS Secure Appliance Fragment Information

Click Fragment Information to display fragment information.

The central pane shows the real-time status of currently active, valid fragmented packets. Each transaction has fourteen parameters. The yellow entries record fragments that are dropped, but are tracked so that other fragments of the same sequence can be dropped.

Figure 95 on page 132 displays the Fragmentation Information.

Figure 95: Fragmentation Information Page

Table 36 on page 132 provides the parameters of the fragment information page.

Table 36: Fragment Information Page Details

Vlan/MPLS: The VLAN or MPLS label associated with this connection.

Internet Location: Where the IP address is located. Hovering the mouse over the location field indicates roughly where the IP address is located.

Internet AS#: The autonomous system routing prefix for this IP.

Internet IP: IP address of the Internet side of the connection.

Dir: Direction of the initiated session.

Protected IP: IP address of the protected side of the connection.

ID: The fragment identification, followed by which part(s) of the sequence have been seen: H for Head, M for Middle and T for Tail.

Proto: The IP protocol of the fragment.

Port: Port (if known) for TCP or UDP.

Protected Portal: The portal that the protected IP resides in. If the portal is orange, then it is in logging mode.

Inbound Bytes: The number of data bytes received from the client.

Inbound Pkts: The number of packets received from the client.

Outbound Bytes: The number of data bytes received from the protected IP address.

Outbound Pkts: The number of packets received from the protected IP address.

Active: Time in seconds since the first SYN of the connection.

The background for each line can be color coded as follows:

• Green—Entry has expired and is waiting for deletion.

• Orange—Entry created due to a routing redirect packet bounce.

• Yellow—Pseudo connection that is normally dropped, but the DDoS Secure appliance is in logging mode for this particular connection.

• Light blue font—State information obtained from another DDoS Secure appliance.
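The H/M/T parts shown in the ID column, and why the Port column is only filled "if known", worked through on constructed IPv4 fragments. This is an added example, not DDoS Secure's own code; the Head/Middle/Tail rule derived from the MF flag and fragment offset, and the sample addresses, are assumptions.

```python
"""Classify IPv4 fragments as Head / Middle / Tail and record which parts of
each sequence have been seen, rendered like the ID column of the Fragment
Information page ('<ident> <parts>').

Added example, not DDoS Secure's own code. Assumed rule: Head = offset 0 with
More Fragments (MF) set, Tail = non-zero offset with MF clear, Middle = non-zero
offset with MF set. Only the Head carries the TCP/UDP header, so the port is
known only once a Head has been seen.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header
MF_FLAG = 0x2000             # 'More Fragments' bit in the flags/offset field
OFFSET_MASK = 0x1FFF         # 13-bit fragment offset, in 8-byte units
TCP, UDP = 6, 17
FragKey = Tuple[str, str, int, int]   # (src, dst, ident, proto)


def build_fragment(src: str, dst: str, ident: int, proto: int, mf: bool,
                   offset_units: int, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv4 header (checksum left 0) + payload."""
    flags_frag = (MF_FLAG if mf else 0) | (offset_units & OFFSET_MASK)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def classify(packet: bytes) -> Tuple[FragKey, str]:
    """Return ((src, dst, ident, proto), part) with part one of H, M, T or '-'."""
    vihl, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    mf = bool(flags_frag & MF_FLAG)
    offset = flags_frag & OFFSET_MASK
    if offset == 0 and not mf:
        part = "-"          # a whole, unfragmented datagram
    elif offset == 0:
        part = "H"
    elif mf:
        part = "M"
    else:
        part = "T"
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto), part


def l4_ports(packet: bytes) -> Optional[Tuple[int, int]]:
    """(sport, dport) only when the transport header is actually present:
    offset 0, protocol TCP or UDP, and at least 4 bytes after the IP header."""
    key, part = classify(packet)
    if part not in ("H", "-") or key[3] not in (TCP, UDP) or len(packet) < 24:
        return None
    return struct.unpack("!HH", packet[20:24])


class FragmentTracker:
    """Accumulates the parts seen per fragment sequence, in H, M, T order."""

    def __init__(self) -> None:
        self.seen: Dict[FragKey, set] = {}
        self.ports: Dict[FragKey, Tuple[int, int]] = {}

    def observe(self, packet: bytes) -> str:
        key, part = classify(packet)
        if part == "-":
            return f"{key[2]} -"
        parts = self.seen.setdefault(key, set())
        parts.add(part)
        ports = l4_ports(packet)
        if ports:
            self.ports[key] = ports   # only a Head fragment can supply this
        return f"{key[2]} " + "".join(p for p in "HMT" if p in parts)

    def port(self, key: FragKey) -> Optional[int]:
        """Destination port for the sequence, or None if no Head was seen."""
        p = self.ports.get(key)
        return p[1] if p else None


def demo() -> Tuple[List[str], Optional[int], Optional[int]]:
    """Two constructed sequences: one complete but seen tail-first, and one
    whose Head never arrives (so its port stays unknown)."""
    src, dst = "203.0.113.9", "192.0.2.20"
    udp_hdr = struct.pack("!HHHH", 53000, 53, 8 + 1480 * 3, 0)   # 8-byte UDP header
    t = FragmentTracker()
    out = [
        t.observe(build_fragment(src, dst, 0x1234, UDP, False, 370, b"\x00" * 96)),          # Tail
        t.observe(build_fragment(src, dst, 0x1234, UDP, True, 0, udp_hdr + b"\x00" * 1472)), # Head
        t.observe(build_fragment(src, dst, 0x1234, UDP, True, 185, b"\x00" * 1480)),         # Middle
        t.observe(build_fragment(src, dst, 0x5678, UDP, True, 185, b"\x00" * 1480)),         # Middle, no Head
        t.observe(build_fragment(src, dst, 0x5678, UDP, False, 370, b"\x00" * 96)),          # Tail
        t.observe(build_fragment(src, dst, 0x0042, TCP, False, 0, b"\x00" * 20)),            # whole datagram
    ]
    return out, t.port((src, dst, 0x1234, UDP)), t.port((src, dst, 0x5678, UDP))
```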

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance URL Information on page 133

DDoS Secure Appliance URL Information

Click URL Information to display URL information.

The central pane shows the real-time status of the 32K most active inbound URLs tracked through the appliance; each row represents one of these URLs.

Click Reset URL Peak values to reset the current list.

Click URL Filter to filter on the URL [+ parameters] column. This is in addition to the View Filter, which filters IPs, AS# and Loc.

Figure 96 on page 133 displays the URL Information page.

Figure 96: URL Information Page

Table 37 on page 133 provides the parameters of the URL Information page.

Table 37: URL Information Page Details

Rate: The current and peak number of URL hits for this URL.

Pending: The number of outstanding requests to be responded to.

Response: The last HTTP response code for this URL.

Server IP: The server IP address the URL was requested on.

Mode: The type of request (GET/HEAD/POST).

URL: The actual URL including the domain. If this URL is red, then this URL is being specifically tracked.

Response Time: The minimum, last, and peak response times to the URL request.

Peak Time: Time of the peak response time.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Last IP: The last IP address to request this URL.

Reset: Resets the peak values of the current list of URLs.

Full List: Displays all the active URLs. The center pane will not refresh.

Refresh: Refreshes the page.

Only URLs that have any activity are reported.

Click a URL for the option of tracking or untracking the URL. You can tune this further using the CLI. If a URL is being tracked, all IP addresses requesting this URL get a lower CHARM value. If an IP address is aggressively accessing this tracked URL, then the IP address gets a very low CHARM value and is likely to be dropped if the protected IP address is limiting GET requests. Figure 97 on page 134 displays the URL Information options.

Figure 97: URL Information Option Page

Enter a value in URL Filter: (top line) and press Enter to match specific URLs for output.

More information on HTTP response codes can be found at:

http://www.iana.org/assignments/http-status-codes/http-status-codes.xml#http-status-codes-1.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance DNS Information on page 135

DDoS Secure Appliance DNS Information

Click DNS Information to display DNS information.

Figure 98 on page 135 displays the DNS information.

Figure 98: DNS Information Page

The central pane shows the real-time status of the most active inbound 32768 DNS requests tracked through the appliance. Each row represents one of these DNS requests.

Table 38 on page 135 provides the parameters of the DNS Information page.

Table 38: DNS Information Page Details

Rate: The current and peak number of DNS hits for this DNS query.

Inbound (bps): The current and peak inbound rate for this DNS query.

Outbound (bps): The current and peak outbound response rate for this DNS query.

Pending: Number of DNS queries not yet responded to.

Response Time: The minimum, last, and peak response times for the DNS query.

Peak Time: Time of the peak response time.

Last IP: The last IP address to request this DNS query.

Response: DNS query response. If blank, the DNS server has not responded.

Server IP: The server IP address that the DNS query was sent to. If you are looking at a particular protected IP address, then only DNS queries from this particular IP address are displayed.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Name Type: The DNS query (including the implicit trailing period, followed by the query type). If this DNS query is red, then this DNS query is being specifically tracked.

Only DNS queries that have any activity are reported.

Click a DNS query for the option of black-listing or unblack-listing this DNS query. You can tune this further through the CLI. If a DNS query is black-listed, the DNS query packet is dropped. If a DNS query is being tracked, all IP addresses requesting this DNS query get a lower CHARM value. If an IP address is aggressively accessing this tracked DNS query, then the IP address gets a very low CHARM value and is likely to be dropped if the protected IP address is limiting GET requests.

Enter a value in DNS mask followed by <enter> to output the DNS entries that match the supplied mask.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance SIP Information on page 136

DDoS Secure Appliance SIP Information

The central pane shows the real-time status of the most active inbound 32K SIP REGISTER and INVITE requests tracked through the appliance. Each row represents one of these requests. Click the head of a column to sort the rows by that column.

Figure 99 on page 136 displays the SIP Information.

Figure 99: SIP Information Page

Table 39 on page 137 provides a summary explaining the meaning of the values in each column.

Table 39: SIP Information Page Details

Rate: The current and peak number of requests for this SIP URI.

Pending: Number of SIP queries not yet responded to.

Response Time: The minimum, last, and peak response times for the SIP request.

Peak Time: Time of the peak response time.

Last IP: The last IP address to send this request.

Response: The last response code for this request. No code indicates that the server has yet to issue a response.

Server IP: The server IP address the request was sent to.

Protected Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

Mode: The type of request (REGISTER or INVITE).

SIP URI: The SIP URI concerning the request. In the case of REGISTER, this is the URI being registered. If the request is an INVITE, this is the URI to which the invitation is being sent.

Click a SIP URI to track or untrack the request. You can further tune this setting through the CLI. If a SIP request is being tracked, all IP addresses requesting this URI get a lower CHARM value. If an IP address is aggressively requesting this tracked SIP URI, then the IP address gets a very low CHARM value and is likely to be dropped if the protected IP address is limiting GET requests.

Enter a value in SIP Filter followed by <enter> to output the SIP requests with URIs that match the supplied mask.
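The URL, DNS, and SIP Information pages above all keep the same kind of per-request table (current and peak rate, pending count, last response, last client IP) and all single out client IPs that aggressively request a tracked entry. The following is an added example written for this guide; it is not Juniper code and does not implement the CHARM algorithm, whose internals the guide does not describe. The event tuples, the one-second rate window, and the AGGRESSIVE_REQUESTS threshold are assumptions made for this illustration, and the sample traffic is constructed, not captured.

```python
"""Request tracking of the kind shown on the URL, DNS, and SIP Information
pages: per-key current and peak request rate, pending count, last response,
last client IP, and a list of client IPs that request a tracked key
aggressively.

Added example for this guide; not Juniper code, not the CHARM algorithm.
Event format, one-second window, and AGGRESSIVE_REQUESTS are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed threshold: this many requests to a tracked key from one client IP
# within a single one-second window counts as "aggressively accessing".
AGGRESSIVE_REQUESTS = 5


@dataclass
class Row:
    """One row of the information page (URL, DNS name+type, or SIP URI)."""
    key: str
    tracked: bool = False                 # shown in red on the GUI when tracked
    current: int = 0                      # requests seen in the current window
    peak: int = 0                         # highest per-window count seen so far
    pending: int = 0                      # requests sent but not yet answered
    last_ip: Optional[str] = None         # "Last IP" column
    last_response: Optional[str] = None   # blank until the server answers
    window: Optional[int] = None          # timestamp of the window `current` counts


class RequestTable:
    def __init__(self, tracked: Iterable[str] = ()):
        self.tracked = set(tracked)
        self.rows: Dict[str, Row] = {}
        # window timestamp -> client IP -> requests to tracked keys in that window
        self._tracked_hits: Dict[int, Dict[str, int]] = defaultdict(
            lambda: defaultdict(int))

    def request(self, ts: int, client_ip: str, key: str) -> Row:
        """Record one inbound request for `key` at whole-second time `ts`."""
        row = self.rows.get(key)
        if row is None:
            row = self.rows[key] = Row(key=key, tracked=key in self.tracked)
        if row.window != ts:              # new one-second window: restart the counter
            row.window, row.current = ts, 0
        row.current += 1
        row.peak = max(row.peak, row.current)
        row.pending += 1
        row.last_ip = client_ip
        if row.tracked:
            self._tracked_hits[ts][client_ip] += 1
        return row

    def response(self, key: str, code: str) -> Row:
        """Record a server response for `key`; clears one pending request."""
        row = self.rows[key]
        row.pending = max(0, row.pending - 1)
        row.last_response = code
        return row

    def active_rows(self) -> List[Row]:
        """Only keys that have seen any activity are reported."""
        return [r for r in self.rows.values() if r.peak > 0]

    def aggressive_ips(self, ts: int) -> List[str]:
        """Client IPs that hit tracked keys AGGRESSIVE_REQUESTS or more times in window ts."""
        return sorted(ip for ip, n in self._tracked_hits[ts].items()
                      if n >= AGGRESSIVE_REQUESTS)


# Constructed sample traffic (not captured data): (timestamp, client IP, key).
SAMPLE_REQUESTS = (
    [(100, "198.51.100.7", "www.example.com/login")] * 6      # one client hammering a tracked URL
    + [(100, "198.51.100.8", "www.example.com/login"),
       (100, "198.51.100.8", "www.example.com/"),
       (101, "198.51.100.9", "example.com. A"),                # DNS-style key: name, type
       (101, "198.51.100.9", "sip:alice@example.com REGISTER"),  # SIP-style key: URI, mode
       (101, "198.51.100.7", "www.example.com/login"),
       (101, "198.51.100.7", "www.example.com/login")]
)


def build_sample_table() -> RequestTable:
    """Replay the constructed sample and one server response."""
    table = RequestTable(tracked={"www.example.com/login"})
    for ts, ip, key in SAMPLE_REQUESTS:
        table.request(ts, ip, key)
    table.response("www.example.com/", "200")
    return table
```

After replaying the sample, the tracked login URL shows a peak of 7 requests in one second with 9 still pending, and only 198.51.100.7 exceeds the assumed per-window threshold in window 100; in window 101 nobody does.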

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Bandwidth Information on page 138

DDoS Secure Appliance Bandwidth Information

Click Bandwidth Information to display bandwidth information.

Figure 100 on page 138 displays the Bandwidth Information.

Figure 100: Bandwidth Information Page

Click the folder icon in the hierarchy tree to expand the bandwidth details associated with the appliance, portal, IP, filter, or limiter.

Click Reset Bandwidth Info Peak Values to reset all peak values to zero.

If any entry is highlighted in orange, then the current rate is above the valid rate and packets can potentially be dropped if there is another resource constraint. If the entry is red, then the burst rate threshold is exceeded and the packets with the lowest CHARM are being dropped.

Table 40 on page 138 provides the parameters of the Bandwidth Information page.

Table 40: Bandwidth Information Page Details

Name: Hierarchical tree that can be used to drill down to a specific filter entry.

Valid Speed (Pkts/s)/(Bit/s): The configured packet rate and bandwidth of the entry. If the value is set to U, then it is unrestricted. These values are the guaranteed minimum values.

Burst Speed (Pkts/s)/(Bit/s): The maximum configured packet rate and bandwidth. If the value is set to U, then it is unrestricted.

Inbound Average: Average rate that the rate-limiter is currently processing. If the field is amber, then traffic is being rate-limited.

Outbound Average: Average rate that the rate-limiter is currently processing. If the field is amber, then traffic is being rate-limited.

Inbound Drop (Pkts/s): Current and peak speed of inbound data, in packets per second, being dropped.

Inbound (Pkts/s): Current and peak speed of inbound data in packets per second.

Inbound Drop (Bits/s): Current and peak speed of inbound data, in bits per second, being dropped.

Inbound (Bits/s): Current and peak speed of inbound data in bits per second.

Outbound Drop (Pkts/s): Current and peak speed of outbound data, in packets per second, being dropped.

Outbound (Pkts/s): Current and peak speed of outbound data in packets per second.

Outbound Drop (Bits/s): Current and peak speed of outbound data, in bits per second, being dropped.

Outbound (Bits/s): Current and peak speed of outbound data in bits per second.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance Rerouting Information on page 139

DDoS Secure Appliance Rerouting Information

Click ReRoute Information to display reroute information.

Figure 101 on page 139 displays the Re-Route Information page.

Figure 101: Re-Route Info Page

The central pane shows the real-time status of any traffic that is set up for re-routing as instructed by one or more DDoS Secure appliances. You can configure (through the CLI) a BGP peering relationship in which the DDoS Secure appliance acts (over the management interface) as a trigger router in a Remotely Triggered Black Hole (RTBH) environment, where, as the result of a trigger, traffic is either black-holed or routed through another DDoS Secure appliance.

IP addresses can be configured for permanent rerouting (through the CLI). Otherwise, if an IP address goes over the upper rerouting threshold defined for its portal, it is added to the rerouting tables and the IP address is added to the BGP routing tables as a trigger. If not permanently configured, the IP address drops out of the rerouting tables once it has been below the lower rerouting threshold for 5 minutes.
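The membership rule just described (enter on crossing the upper threshold, leave only after 5 minutes below the lower threshold, permanent entries never leave) is a hysteresis state machine. The following is an added example for this guide, not Juniper code, that models it so the behaviour can be checked against constructed rate samples. Assumptions not stated in the guide: samples arrive at whole-second timestamps, exceeding either the pps or the bps upper threshold triggers rerouting, and release requires being below both lower thresholds, matching the "Time Below Lower Threshold" column of the table.

```python
"""Model of the rerouting-table membership rule: an IP address enters the
rerouting table (and is announced as a BGP trigger) when it goes over the
upper threshold of its portal, and leaves again only after it has stayed
below the lower threshold for 5 minutes, unless it is permanently configured.

Added example for this guide; not Juniper code. Assumptions: whole-second
samples; either pps or bps over the upper threshold triggers; release needs
both pps and bps below the lower thresholds for HOLD_DOWN_SECONDS.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOLD_DOWN_SECONDS = 5 * 60   # "below the lower rerouting threshold for 5 minutes"


@dataclass(frozen=True)
class PortalThresholds:
    lower_pps: int
    upper_pps: int
    lower_bps: int
    upper_bps: int


@dataclass
class RerouteEntry:
    ip: str
    thresholds: PortalThresholds
    permanent: bool = False                    # configured through the CLI; GUI shows 0 thresholds
    rerouted: bool = False                     # present in the rerouting / BGP trigger tables
    below_lower_since: Optional[int] = None    # start of the current below-threshold run

    def time_below_lower_threshold(self, now: int) -> int:
        """Seconds the entry has been below both lower thresholds (the GUI column)."""
        return 0 if self.below_lower_since is None else now - self.below_lower_since

    def observe(self, now: int, pps: int, bps: int) -> bool:
        """Feed one rate sample; return whether the IP is rerouted afterwards."""
        if self.permanent:
            self.rerouted = True
            return True
        t = self.thresholds
        over_upper = pps > t.upper_pps or bps > t.upper_bps
        under_lower = pps < t.lower_pps and bps < t.lower_bps

        if not self.rerouted:
            if over_upper:                        # trigger: add to the rerouting tables
                self.rerouted = True
                self.below_lower_since = None
            return self.rerouted

        if not under_lower:                       # still busy: restart the hold-down
            self.below_lower_since = None
        elif self.below_lower_since is None:      # first quiet sample
            self.below_lower_since = now
        elif now - self.below_lower_since >= HOLD_DOWN_SECONDS:
            self.rerouted = False                 # quiet for 5 minutes: withdraw
            self.below_lower_since = None
        return self.rerouted


def replay(entry: RerouteEntry,
           samples: List[Tuple[int, int, int]]) -> List[Tuple[int, bool]]:
    """Apply (timestamp, pps, bps) samples in order; return (timestamp, rerouted) per sample."""
    return [(ts, entry.observe(ts, pps, bps)) for ts, pps, bps in samples]


# Constructed sample: a protected host in a portal with 1k/5k pps and 1M/10M bps thresholds.
SAMPLE_THRESHOLDS = PortalThresholds(lower_pps=1_000, upper_pps=5_000,
                                     lower_bps=1_000_000, upper_bps=10_000_000)
SAMPLE_RATES = [
    (0, 200, 100_000),        # idle
    (1, 8_000, 2_000_000),    # pps spike over the upper threshold: rerouted
    (2, 200, 100_000),        # quiet again; hold-down starts at t=2
    (150, 2_000, 100_000),    # pps above the lower threshold: hold-down restarts
    (151, 200, 100_000),      # quiet; hold-down restarts at t=151
    (450, 200, 100_000),      # 299 s quiet: still rerouted
    (451, 200, 100_000),      # 300 s quiet: withdrawn
]


def sample_timeline() -> List[Tuple[int, bool]]:
    """Rerouted state after each constructed sample."""
    return replay(RerouteEntry("203.0.113.10", SAMPLE_THRESHOLDS), SAMPLE_RATES)
```

The replay shows why a brief dip below the lower threshold is not enough to withdraw the trigger: the short burst at t=150 restarts the hold-down, so the entry is only withdrawn at t=451, 300 seconds after the last busy sample.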

Table 41 on page 140 provides the parameters of the Re-Route Information page.

Table 41: Re-Route Information Page Details

IP Address: The IP address that is being re-routed.

Portal: The portal that the protected IP address resides in. If the portal is orange, then it is in logging mode.

ReRouter: The IP address of the appliance that requested the re-routing.

Thresholds (Pkts/s): The lower and upper thresholds (packets per second) for this IP address as determined from its portal. If 0, then this IP address is permanently configured for re-routing.

Thresholds (Bits/s): The lower and upper thresholds (speed) for this IP address as determined from its portal. If 0, then this IP address is permanently configured for re-routing.

ReRouting DDoS Secure(s) (Pkts/s): Current and peak packets per second detected, as determined by the DDoS Secure appliance triggering the re-routing.

ReRouting DDoS Secure(s) appliance(s) (Bits/s): Current and peak speed, as determined by the DDoS Secure appliance triggering the re-routing.

ReRouted DDoS Secure(s) (Pkts/s): Current and peak packets per second, as determined by the DDoS Secure appliance handling the re-routing.

ReRouted DDoS Secure(s) (Bits/s): Current and peak speed, as determined by the DDoS Secure appliance handling the re-routing.

Time Below Lower Threshold: The time for which this re-routed IP address has been below both the lower pps and bps thresholds.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure BGP FlowSpec Information on page 140

• DDoS Secure Appliance MAC Information on page 143

DDoS Secure BGP FlowSpec Information

Click BGP FlowSpec Information to display BGP FlowSpec information.

Figure 102 on page 141 displays the BGP FlowSpec information.

Figure 102: BGP FlowSpec Information Page

The central pane shows the real-time status of any traffic that has been set up for BGP FlowSpec. A dynamic FlowSpec rule is created whenever a worst offender transitions into a Temporarily Black Listed IP address and a BGP server has been set up. The BGP server has to be configured through the CLI using the set bgp peer … command, which is different from the CLI set chassis bgp … command, which configures BGP RTBH traffic only.

BGP FlowSpec rules can be manually created using the CLI set bgp flowspec … command. These rules are always pushed out to the BGP peer and are very flexible in their configuration.

BGP dynamic FlowSpec rules are created as active or inactive. Only active rules are pushed out to the BGP peer. Inactive rules are created when the CLI set bgp peer … autoinject no command is defined, or when the DDoS Secure appliance is running in logging mode. Click the small triangle at the bottom right to toggle between the inactive and active rule states through the GUI.

BGP dynamic FlowSpec rules are always created with the action type rate-limit. With this configuration, the DDoS Secure appliance still detects some of the rate-limited traffic and can therefore keep the FlowSpec rule active for the duration of the attack.

Clicking Remove FlowSpec Rules removes all the dynamic FlowSpec rules as well as all the Temporary Black Listed entries.

Table 42 on page 141 provides the parameters of the BGP FlowSpec Information page.

Table 42: BGP FlowSpec Information Page Details

State: Shows whether the configured rule is inactive or active.

Source: The source IP address and source IP network of the rule match.

Destination: The destination IP address and destination IP network of the rule match. This can only be one or more of the protected IPs, to prevent a rogue FlowSpec rule dropping other network users' IP addresses.

Portal: The portal that this rule is associated with.

Action: This can be one of the following:

• accept—Accept and pass this packet.

• discard—Discard this packet.

• redirect—Redirect this packet to the VRF matching BGP Community:Number.

• rate-limit—Rate-limit to threshold (bps).

• sample—Sample this packet (for NetFlow and so on) and/or log it.

• terminal—Stop processing packet matches.

• sample-terminal—Sample this packet and stop processing packet matches.

Traffic Rate: Current and peak traffic rates seen by the DDoS Secure appliance that match this FlowSpec rule.

Protocol: Protocols to be matched for this FlowSpec rule.

Fragmentation: Fragmented packet types to be matched for this FlowSpec rule.

Src Port: Source ports of a TCP/UDP session to be matched for this FlowSpec rule.

Dst Port: Destination ports of a TCP/UDP session to be matched for this FlowSpec rule.

Tcp Flags: TCP flags (for example, SYN) of a TCP session to be matched for this FlowSpec rule.

Icmp Type: ICMP types of an ICMP session to be matched for this FlowSpec rule.

Icmp Code: ICMP codes of an ICMP session to be matched for this FlowSpec rule.

DSCP: DSCP values of an IP session to be matched for this FlowSpec rule.

Length: Packet length specification of an IP session to be matched for this FlowSpec rule.

Time Below Lower Threshold: An indication of when the FlowSpec rule is likely to expire.
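Two points in this section are worth checking mechanically before any rule reaches a peer: the Destination of a rule may only cover protected IP addresses (so a rogue or mistyped rule cannot discard other users' traffic), and only active rules are pushed. The following is an added example for this guide; it is not Juniper's code, CLI, or BGP implementation. The FlowSpecRule fields mirror the GUI columns, but the Python structure, the validation messages, and the sample addresses (documentation ranges, constructed here) are assumptions for illustration.

```python
"""Pre-push sanity check for BGP FlowSpec rules: the destination must lie
inside the protected IP ranges, action-specific parameters must be present,
and only active rules that pass are handed to the BGP peer.

Added example for this guide; not Juniper's code, CLI, or BGP stack. The rule
structure, messages, and sample data are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

ACTIONS = {"accept", "discard", "redirect", "rate-limit",
           "sample", "terminal", "sample-terminal"}
STATES = {"active", "inactive"}
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class FlowSpecRule:
    state: str
    source: str                               # address or network, e.g. "198.51.100.0/24"
    destination: str                          # must lie inside the protected IP ranges
    action: str
    portal: str = ""
    protocol: Optional[int] = None            # IP protocol number
    src_ports: List[int] = field(default_factory=list)
    dst_ports: List[int] = field(default_factory=list)
    rate_limit_bps: Optional[int] = None      # threshold for action rate-limit
    redirect_community: Optional[str] = None  # "Community:Number" for action redirect


def _network(text: str) -> Optional[Network]:
    """Parse an address or prefix; None if it is not a valid IPv4/IPv6 network."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def validate_rule(rule: FlowSpecRule, protected: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the rule is safe to push."""
    problems: List[str] = []
    if rule.state not in STATES:
        problems.append(f"unknown state {rule.state!r}")
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if _network(rule.source) is None:
        problems.append(f"bad source {rule.source!r}")
    dst = _network(rule.destination)
    if dst is None:
        problems.append(f"bad destination {rule.destination!r}")
    else:
        # The whole destination block must sit inside one protected range so a
        # rogue rule cannot discard or rate-limit other network users' traffic.
        inside = any(dst.version == p.version and dst.subnet_of(p)
                     for p in map(ipaddress.ip_network, protected))
        if not inside:
            problems.append(
                f"destination {rule.destination} is outside the protected IP ranges")
    if rule.action == "rate-limit" and (rule.rate_limit_bps is None
                                        or rule.rate_limit_bps < 0):
        problems.append("rate-limit requires a non-negative bps threshold")
    if rule.action == "redirect" and not rule.redirect_community:
        problems.append("redirect requires a BGP Community:Number")
    for port in rule.src_ports + rule.dst_ports:
        if not 0 <= port <= 65535:
            problems.append(f"port {port} out of range")
    if rule.protocol is not None and not 0 <= rule.protocol <= 255:
        problems.append(f"protocol {rule.protocol} out of range")
    return problems


def rules_to_push(rules: List[FlowSpecRule], protected: List[str]) -> List[FlowSpecRule]:
    """Only active rules that pass validation are handed to the BGP peer."""
    return [r for r in rules if r.state == "active" and not validate_rule(r, protected)]


# Constructed sample (documentation prefixes, not a real deployment).
PROTECTED = ["203.0.113.0/24", "2001:db8:10::/48"]
SAMPLE_RULES = [
    FlowSpecRule("active", "198.51.100.0/24", "203.0.113.5/32", "rate-limit",
                 portal="web", protocol=6, dst_ports=[80, 443], rate_limit_bps=1_000_000),
    FlowSpecRule("inactive", "0.0.0.0/0", "203.0.113.6/32", "discard",
                 protocol=17, dst_ports=[53]),
    # Rogue: the destination is not a protected address, so it must be rejected.
    FlowSpecRule("active", "0.0.0.0/0", "192.0.2.0/24", "discard"),
    # Missing the threshold that a rate-limit action needs.
    FlowSpecRule("active", "198.51.100.9/32", "203.0.113.7/32", "rate-limit"),
]
```

Of the four constructed rules only the first is pushed: the second is valid but inactive, the third points outside the protected ranges, and the fourth lacks the bps threshold that its rate-limit action needs.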

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• DDoS Secure Appliance MAC Information on page 143

DDoS Secure Appliance MAC Information

Click MAC Information to display MAC addresses.

Figure 103 on page 143 displays the MAC Information.

Figure 103: MAC Information Page

As the appliance operates in Bridge mode between the Internet and the protected IP addresses, MAC addresses have to be tracked as to which interface they are located on.

The entries that have action cells bring up the appropriate table, which displays the last 24 hours of data in five-minute samples.

If any entry is highlighted in red, then this entry is at the configured maximum value and packets are being dropped as determined by the CHARM algorithm.

Click Reset Bandwidth Info Peak Values for all the peak values to be reset to zero.

The central pane describes the determined locations, as well as the respective traffic rates. Table 43 on page 143 provides the parameters of the MAC Information page.

Table 43: MAC Information Page Details

Name/AC: MAC address listed in relation to the appliance it was detected on, its location, or a list of MAC addresses. VLAN and/or MPLS information is included after the MAC address using the following prefixes:

• v—VLAN

• q—QINQ

• u—Unicast MPLS label

• m—Multicast MPLS label

• IP6In4—IPv6 within an IPv4 tunnel

• GRE—IP traffic within a GRE tunnel

Interface: Ethernet interface the MAC address is associated with.

Located: Internet or protected side the MAC address was tracked on.

ARP IP Address: The IP address associated with the MAC address, if known. In addition, the interface types available on the DDoS Secure appliance are:

I – Internet Interface

P – Protected Interface

M – Management Interface

R – Redirect

D – Datashare

BPDU indicates that this MAC address was obtained from a spanning tree packet.

Traffic IP Address: Traffic destination IP address sent to this MAC address.

Configured (Bits/s): The bit rate to which the MAC address is speed limited, or unlimited.

Configured (Pkts/s): The packet rate to which the MAC address has been rate limited, or unlimited.

To (Bits/s): Current and peak speed of data to the MAC address in bits per second.

To (Pkts/s): Current and peak speed of data to the MAC address in packets per second.

From (Bits/s): Current and peak speed of data from the MAC address in bits per second.

From (Pkts/s): Current and peak speed of data from the MAC address in packets per second.

Related Documentation

• DDoS Secure BGP FlowSpec Information on page 140

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• Miscellaneous Information on page 145

Miscellaneous Information

This topic contains the following sections:

• DDoS Secure Appliance Miscellaneous Information on page 145

• Network Logging on page 145

• Resources on page 146

• Queues on page 146

• Disk Activity on page 147

• System Load on page 147

• DDoS Secure Appliance Tables on page 147

• Interface Errors on page 149

DDoS Secure Appliance Miscellaneous Information

Click Miscellaneous Info to display miscellaneous information.

Figure 104 on page 145 displays the Miscellaneous Information.

Figure 104: Miscellaneous Information Page

The miscellaneous information is divided into seven tables; each value in a table has an associated graph.

Each table can be dragged around to alter its position on the screen, or hidden.

If Reset Misc Info Peak Values is clicked, all peak values are reset to zero.

Network Logging

Table 44 on page 146 provides the parameters of the network logging details.

Table 44: Network Logging

NetFlow: The current and peak output of NetFlow traffic.

Syslog: The current and peak output of syslog traffic.

Webtrends: The current and peak output of Webtrends traffic.

SNMP: The current and peak output of SNMP traffic.

State Update: The current and peak output of state traffic.

Incidents Update: The current and peak output of incident traffic.

State Inbound: The current and peak levels of inbound state traffic.

Resources

Displays each core of the CPU. This varies with appliance type.

NOTE: Select cluster to display the aggregate information for all the DDoS Secure appliances sharing information.

Table 45 on page 146 provides the parameters of the resource details.

Table 45: Resource Usage Page Details

Disk Space: Current and peak disk space usage, in percent.

Memory: Current and peak memory usage, in percent.

CPU x: Current and peak usage of CPU x, in percent. Each CPU is listed separately.

Queues

Table 46 on page 146 provides information about the DDoS Secure appliance kernel ring queues.

Table 46: Appliance Internal Usage Page Details

Queues: The name of the queue.

Misc (/s): Shortage of resource in the kernel.

Dropped (/s): Current and peak packets dropped at kernel level per second.

Length: Current and peak queue length.

Disk Activity

Shows information about appliance page swapping (transfer of pages between RAM and disk) and disk I/O activity. Each entry has two parameters.

Table 47 on page 147 provides the disk activity details.

Table 47: Disk Activity Details

Page Swap (In): Paging from disk to RAM (current and peak) per second.

Page Swap (Out): Paging from RAM to disk (current and peak) per second.

Disk I/O (Read): Disk I/O read rate per second.

Disk I/O (Write): Disk I/O write rate per second.

System Load

The fifth section is information about appliance resource usage, and has a varying number of parameters depending on CPU count.

Table 48 on page 147 provides the parameters of the system load.

Table 48: System Load Details

Load Avg (1 Min): The current and peak load average over one minute.

Load Avg (5 Min): The current and peak load average over five minutes.

Load Avg (15 Min): The current and peak load average over 15 minutes.

DDoS Secure Appliance Tables

Each item listed in the DDoS Secure appliance table is a defined attribute that the DDoS Secure appliance engine is managing. The columns describe maximum, current, and peak values, and also show new entries on a per-second basis. Table 49 on page 148 provides the parameters of the DDoS Secure appliance table.

Table 49: Appliance Queue Usage Details

Protected IPs: Number of protected IP addresses defined.

Tracked IPs: Internet IP addresses tracked by the appliance.

Portals: Used portal entries defined in the DDoS Secure appliance table.

Filter: Filters defined.

TCP Sessions: TCP sessions that the appliance is tracking.

UDP Sessions: UDP sessions that the appliance is tracking.

ICMP Sessions: ICMP sessions that the appliance is tracking.

Other-IP Sessions: Other-IP sessions that the appliance is tracking.

Fragment Sessions: Fragment sessions that the appliance is tracking.

URLs Protected: Number of protected URLs that the appliance is tracking.

DNSs Protected: DNS entries that the appliance is tracking.

SIPs Protected: SIP entries that the appliance is tracking.

Live Incidents: Live incidents that the appliance is tracking.

Worst Offenders: Number of worst offenders tracked by the appliance.

Auto Black-Listed IPs: Temporarily black-listed IP addresses.

FTP Sessions: FTP sessions that the appliance is tracking.

Misbehaving IP addresses: Misbehaving IP addresses that the appliance is tracking.

MAC Addresses: MAC addresses that the appliance is tracking.

Re-Routes: BGP re-route entries that the appliance is tracking.

ARP Entries: ARP entries that the appliance is tracking.

HTTP Parsers: HTTP parser entries that the appliance is tracking.

SSL Sessions: SSL session entries that the appliance is tracking.

SSL Key Exchange: SSL key exchange entries that the appliance is tracking.

SSL Handshake Buffers: SSL handshake entries that the appliance is tracking.

SSL Block Buffers: SSL block buffers that the appliance is tracking.

SSL Decoders: SSL decoders that the appliance is tracking.

SSL States: SSL states that the appliance is tracking.

BGP FlowSpec: BGP FlowSpec entries that the appliance is tracking.

Rate Limiters: Rate-limiter entries that the appliance is tracking.

Interface Errors

Table 50 on page 149 provides the parameters described below. It displays all the connected interfaces: protected, Internet, management, and data share.

Table 50: Interface Error Details

Interface Name: The name of the interface that errors are potentially occurring on.

Drop-In (/s): Input packets dropped per second.

Drop-Out (/s): Output packets dropped per second.

Drop-Buf (/s): Packets dropped due to lack of buffers per second.

Framing (/s): The count and the current and peak framing errors per second.

Collisions (/s): The count and the current and peak packet collision errors per second.

Carrier (/s): The count and the current and peak carrier errors per second.

Related Documentation

• DDoS Secure Appliance Statistical Summary Overview on page 109

• DDoS Secure Appliance Statistics Reports on page 93

• Using the DDoS Secure Appliance Web Interface on page 25

CHAPTER 5

DDoS Secure Defense Information Overview

All anomalous behavior (attacks) is tracked on an incident-per-protected-IP-address basis. When an attack is active and running at a rate greater than or equal to the defined view threshold, the right side of the display (Defense status) changes from black to red. During an attack with multiple components, multiple attack indicators are shown. The attack indicator goes back from red to black when the event rate drops below the threshold. Click the hyperlink on an icon to display all active incidents of that type in the center pane. The last 31 days' worth of incidents are available for review and can be accessed by using the Incident Logs entry under DDoS Configuration/Logs. You can disable an attack indication icon by disabling the creation of incidents for the attack type on the configure logging page.

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Failover States on page 153

• Understanding DDoS Secure Appliance Failover Information on page 153

• Understanding DDoS Secure Appliance State Synchronization Information on page 153

• Understanding DDoS Secure Appliance Record/Replay State on page 154

• Understanding DDoS Secure Appliance Transition States on page 154

• Understanding DDoS Secure Appliance Protected IP Information on page 155

• Understanding DDoS Secure Appliance Defense Status Information on page 156

• Understanding DDoS Secure Appliance Additional Status Information on page 158

Understanding DDoS Secure Appliance Operational Mode

Figure 105 on page 152 displays the operational modes on the right side.

Figure 105: Operational Modes

Table 51 on page 152 lists the DDoS Secure appliance operational modes.

Table 51: Operational Modes Details

DEFENDING: The DDoS Secure appliance is configured to defend against any bad traffic.

LOGGING: The DDoS Secure appliance is configured in logging mode. In this configuration, the appliance monitors the traffic and flags any attacks detected. No packets are dropped; all packets are passed to the opposite interface. The dropped counters reflect the packets that would have been dropped if the appliance were running in defending mode. This can lead to some ambiguities in some of the statistics, as the packets counted as dropped are allowed to pass.

LOGGING TAP: The DDoS Secure appliance is configured in logging-tap mode. In this configuration, the appliance monitors Internet interface traffic and flags any attacks detected, but does not pass the packets to the protected interface. There should be no actual traffic on the protected interface. All protected IP addresses must be defined so that the appliance can differentiate between Internet and protected IP address traffic.

BYPASS-SW: The DDoS Secure appliance is configured in BYPASS-SW mode. In this configuration, the appliance passes all the traffic directly through to its other interface. The appliance does not monitor the traffic for attacks and therefore does not drop any packets.

BYPASS-HW: The DDoS Secure appliance is configured in BYPASS-HW mode. In this configuration, the fail-safe card is forced into bypass. The appliance does not monitor the traffic for attacks and therefore does not drop any packets.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Additional Status Information on page 158

• Understanding DDoS Secure Appliance Failover States on page 153

Understanding DDoS Secure Appliance Failover States

Table 52 on page 153 lists the DDoS Secure appliance failover states.

Table 52: Failover State Details

STANDALONE: The DDoS Secure appliance is running as a standalone entity.

ACTIVE: The DDoS Secure appliance is running as the active partner of an active/standby configuration and is passing traffic.

STANDBY: The DDoS Secure appliance is running as the hot standby partner of an active/standby configuration and is not passing traffic.

PROBE: The DDoS Secure appliance is determining whether it should be part of an active/standby configuration. This continues for 10 seconds, after which it transitions into standalone or standby.

OUT-OF-SERVICE: The DDoS Secure appliance is not capable of analyzing and passing traffic. The fail-safe card might still be operational.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Failover Information on page 153

Understanding DDoS Secure Appliance Failover Information

One of the above failover states may be combined with some IP addresses. For more information, see "Understanding DDoS Secure Appliance Failover States" on page 153. The IP addresses may be prefixed with one or more of the characters I, P, or M. If any of these characters is present, it indicates a failed or failing communications link on the Internet, protected, or management connection, respectively, between the two systems that are trying to establish a partner relationship. The IP addresses have a trailing field indicating the failover state of the remote system.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance State Synchronization Information on page 153

Understanding DDoS Secure Appliance State Synchronization Information

If the DDoS Secure appliances are configured for sharing information, this is indicated by the entry Info Share. Following this are entries for the IP addresses that are being actively shared. If the IP address is orange, then there has been a brief loss of connection with the remote DDoS Secure appliance.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Record/Replay State on page 154

Understanding DDoS Secure Appliance Record/Replay State

Table 53 on page 154 provides the record/replay state details.

Table 53: Record/Replay State Details

[Recording # #]: Traffic through the appliance is currently being recorded. The digit (1 - 9) indicates the recording slot in use.

[Replaying # #]: A previous recording of appliance traffic is being injected into the DDoS Secure appliance processing engine. This traffic does not leave the appliance but does alter the defensive responses of the engine. The digit (1 - 9) indicates the recording slot in use.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Transition States on page 154

Understanding DDoS Secure Appliance Transition States

Table 54 on page 154 provides transition state details.

Table 54: Transition States Details

DDoS Secure appliance Initializing: The appliance engine is starting up. In addition, the appropriate logic (xyz) that is being initialized is also reported.

DDoS Secure appliance Going Offline: The appliance engine is being shut down. The engine will then go offline. Whether power down, reboot, or restart is selected determines when the engine will next start to re-initialize, or whether the connection will be lost.

DDoS Secure appliance Offline: The appliance engine is not currently running.

DDoS Secure appliance Stall: This warning can sometimes be seen briefly when the system clock is adjusted, because the adjustment can confuse the Web interface briefly. If the warning remains on for more than a few screen updates, then the appliance engine has hung and is no longer passing traffic; take the appliance engine offline and then back online again by clicking SHUTDOWN DDoS SECURE followed by "shutdown DDoS Secure appliance engine and restart". This is an unexpected condition.

NOTE: If several browser windows (on the same PC) are open on the same appliance, this can also cause the appliance stall light to come on as a false positive, because the second browser window might refresh its right pane at the same time as the first browser, and the webserver engine then determines that there is no time difference since the last refresh.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Protected IP Information on page 155

Understanding DDoS Secure Appliance Protected IP Information

Figure 106 on page 155 displays the appliance or protected IP address information.

Figure 106: Appliance or Protected IP Information Page

The entry describes whether the Defense status indicators are for the appliance, a portal, or a specific protected IP address. This also applies to the data rate shown for the data on many statistics pages.

Table 55 on page 156 defines the transitional states.


Table 55: Transition States Details

Appliance statistics: Appliance statistics are being reported.

Portal name statistics: Specific portal statistics are being reported.

Protected IP address aaa.bbb.ccc.ddd Statistics: Specific protected IP address statistics are being reported.

Some protected IP address name statistics: Specific protected IP address statistics are being reported. The protected IP address was named in the configure portals screen.

In: 3.27M bit/s - Out: 6.17M bit/s (inbound/outbound bit rate): This reports the averaged inbound and outbound speed (data rate) for the appliance, portal, or protected IP address being monitored.

In: 341 pkt/s - Out: 541 pkt/s (inbound/outbound packet rate): This reports the averaged inbound and outbound packet rate for the appliance, portal, or protected IP address being monitored.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Defense Status Information on page 156

Understanding DDoS Secure Appliance Defense Status Information

Figure 107 on page 156 displays the defense status information.

Figure 107: Defense Status Information

If the lines change from black to red, then the appliance is defending against the type of attack indicated. Click the icon to display all active incidents pertaining to that attack. If this incident type is not being displayed, then the icon hyperlink is removed.


Table 56 on page 157 provides defense status details.

Table 56: Defense Status Details

Bandwidth: This indicates that the appliance has detected that the bandwidth available to one or more protected IP addresses or Internet gateways is becoming critical, and is in bandwidth Defense mode. Packets are being intelligently filtered to deny access from the most likely attackers. This Defense posture is applied on a per-protected-IP or per-Internet-gateway basis.

Packet Rate: This indicates that the appliance has detected high rates of small packets. The DDoS Secure appliance intelligently filters the stream of traffic, dropping packets from the most likely attackers.

Blocked Protocol: Blocked protocol includes TCP/UDP ports that are being dropped by the filter, as well as ICMP types or other specific IP protocols, plus any blocked IP addresses. These invalid ports/types/protocols are configured. The IP address blocking is automatic but needs to be enabled.

Blocked State: Blocked state covers any packet that does not match the appliance's internal state machine for the specific protocol and is therefore blocked. This includes protocols that are stateless, such as ICMP. With the random noise on the Internet, it is likely that this Defense light will be on for a large amount of the time. Broken TCP/IP stacks and broken NAT devices are a common cause of this random noise, as are the side effects of some DDoS attacks and port scanning tools.

IP Attack: A form of IP attack is being directed at a protected IP address. For example: land attack.

TCP Attack: A form of TCP attack is being directed at a protected IP address. For example: the SYN attack or the connection flood.

UDP Attack: A form of UDP attack is being directed at a protected IP address.

ICMP Attack: A form of ICMP attack is being directed at a protected IP address.

Other IP Attack: A form of attack based on another IP protocol is being directed at a protected IP address.

Fragment Attack: In normal traffic, packets can be split (fragmented) into different packets, which are then reassembled at the protected IP address back into the original packet. Planned attack packets can be used to create invalid packets when reassembled, which can have a detrimental effect on the protected IP address. The DDoS Secure appliance detects such attacks and drops the attack packets before they reach the protected IP address, while allowing genuine packet fragments through. Fragments dropped by a protected IP address definition also turn on this light.

Bad Packets (IP, ICMP, TCP, UDP and O-IP): The next five indicators on the right-hand side of the appliance display indicate that bad packets are detected. These are packets that do not conform to the relevant RFCs and are dropped at all times by the DDoS Secure appliance.

Overloaded Protected IP: The appliance has detected that a protected IP address is no longer responding to connection requests. This might be caused by a downed protected IP address, a slow response to SYN requests, or the protected IP address deliberately not responding to SYN requests on specific ports. To reduce false alarms and to improve the auto-black-listing response to port scanners, apply a suitable DDoS Secure appliance permit filter. False alarms can also be avoided by adjusting your host (or firewall) filtering policy to use deny or reject responses to connection requests for a closed port, as opposed to drop responses.

NOTE: A drop response provides very few if any security benefits when defending against a port scan.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Additional Status Information on page 158

Understanding DDoS Secure Appliance Additional Status Information

Figure 108 on page 158 displays the Additional Status page.

Figure 108: Additional Status Page

Additional information is displayed about the Defense status of the appliance. These entries are defined in alphabetical order below (apart from SomeProtectedName), even though they might be displayed in a different order.

Table 57 on page 159 provides additional status details.


Table 57: Additional Status Details

Protected IP SomeProtectedName: This protected IP address is being defended. Click the URL link to display the Defense state for that specific protected IP address. The protected IP address name was specified on the configuration screen.

BGP Misconfigured: The DDoS Secure appliance has detected a BGP session, but the server is excluded by the DDoS Secure appliance portal network list.

Black-Listed IP Table Full: The appliance has used up all the internal table space for tracking IP addresses that are being temporarily black-listed. Any inactive black-listed IP address will be removed from the list.

Config Transfer Failed: The DDoS Secure appliance was unable to transmit the configuration file changes to a partner.

DataShare-I/F N/C: The data share interface (D-I/F) is not physically connected, and has an IP address configured.

Disk Failure: One of the disks has failed a SMART test and should be replaced as soon as possible.

Fan Failure: The system BIOS is reporting that there is a fan failure, or that the appliance is running in a hot environment. This needs to be repaired as soon as possible to prevent hardware component failure.

Forced Inactive: The appliance has detected that there is a network short circuit situation prior to the system being licensed. Consequently, no more traffic will be passed through until the bypass situation is sorted out and the appliance restarted.

FRAGMENT Table Full: The appliance has run out of internal table space for handling fragments. This table size is deliberately restricted. The oldest (by use) entry is dropped.

FTP Table Full: The appliance has used up all the internal table space for tracking FTP connections. Any entry not required will be flushed out to create space for the next FTP connection. This should normally only happen when defending against a large-scale attack.

ICMP Table Full: The appliance has run out of internal table space for ICMP sessions. This table size is deliberately restricted. The oldest (by use) entry is dropped. This should normally only happen when defending against a large-scale attack.

Incident Table Full: The appliance has run out of internal table space for active incidents. The oldest (by use) entry is dropped.

Interface Speed Mismatch: On fail-safe systems, the interface speeds on the fail-safe card are defined, or detected, to be different, which will cause an issue if the card goes Fail-Safe.

Internet-I/F N/C: The Internet interface (I-I/F) is not physically connected. This occurs when the appliance is running as standby in a VMware environment.

MAC Misconfigured: A MAC address is defined as type Internet, or type protected, but the MAC address is detected on the opposite side of the DDoS Secure appliance. Correct this situation.

MAC Table Full: The appliance has run out of internal table space for MAC addresses. The oldest (by use) entry is dropped.

Management-I/F N/C: The management interface (I-I/F) is not physically connected.

Missing Partner: A state synchronization partner defined as required is not available. The DDoS Secure appliance is running in a degraded state, where not all DDoS activity will be detected and protected against.

Network Short Circuit: The DDoS Secure appliance has detected the same source MAC address in use on both the I-I/F and P-I/F interfaces. Bypass packets are not passed through the appliance when in defensive mode. This means that there is either an alternative data path around the appliance, or a topology change has placed a previously determined MAC address on the opposite side of the appliance. In the event of a topology change, the cached entry can be modified by configuring the MAC address as either an Internet or protected gateway; if it is not configured, the MAC address will be allowed to change sides automatically after five seconds.

New Configuration: The configuration has just been updated, potentially by a remote DDoS Secure.

Not Licensed: The DDoS Secure appliance has not been authorized for use.

OTHER IP Protocols Table Full: The appliance has used up all the internal table space for IP protocol sessions. Any entry not required will be flushed out to create space for the next IP protocol session. This should normally only happen when defending against a large-scale attack.

Output Error - Internet: The DDoS Secure appliance is having trouble transmitting packets on the Internet interface. This could be because a downstream link is saturated, or because of a duplex speed mismatch.

Output Error - Management: The DDoS Secure appliance is having trouble transmitting packets on the management interface. This could be because a downstream link is saturated, or because of a duplex speed mismatch.

Output Error - Protected: The DDoS Secure appliance is having trouble transmitting packets on the protected interface. This could be because a downstream link is saturated, or because of a duplex speed mismatch.

Protected aaa.bbb.ccc.ddd: This protected IP address is being defended. Click the URL link to display the Defense state for that specific protected IP address.

Protected-I/F N/C: The protected interface (P-I/F) is not physically connected.

Protected IP Table Full: The appliance has run out of internal table space for protected IP addresses. This usually indicates that your Internet and protected cable connections are swapped. If not, then your appliance is trying to protect too many protected IP addresses and the network topology needs to be reviewed, or a feature upgrade purchased (if available).

Protected Sub-Link Down: One of the links on the protected interface (P-I/F) is not physically connected. If both port pairs are not in use, then disable the appropriate port pair; see "Configuring the DDoS Secure Interfaces" on page 39.

PSU Failure: The system BIOS is reporting that one of the redundant power supplies is not working or not powered up. This situation needs to be rectified as soon as possible to prevent the appliance losing power should the working PSU fail.

Routing Loop: The DDoS Secure appliance has detected that a packet that has just been passed through the appliance is now returning back through the appliance. This usually indicates that the two routers on either side of the appliance each assume that, to get to a specific IP address, traffic needs to be redirected through the other router.

Severe Loading: The appliance has detected that some packets are dropped due to heavy loading. When this light is on, logging activity is substantially reduced to minimize the further dropping of any packets.

State Learning: For the first five minutes following a reboot, or a network cable being plugged in, the DDoS Secure appliance bypasses rigorous State Table checking, so that existing connections active at the time the appliance goes active are not blocked. This five-minute window can be overridden by setting the appliance into Defending-NoStateLearn mode.

TCP Table Full: The appliance has used up all the internal table space for TCP connections. Any entry not required will be flushed out to create space for the next TCP connection. This should normally only happen when defending against a large-scale attack.

UDP Table Full: The appliance has used up all the internal table space for UDP sessions. Any entry not required will be flushed out to create space for the next UDP session. This should normally only happen when defending against a large-scale attack.

Upgrading: The DDoS Secure appliance is being software upgraded.

Uploading: The DDoS Secure appliance is currently processing a file upload. Progress of the file upload is reported in percentage terms.

Related Documentation

• DDoS Secure Appliance Feature Overview on page 3

• Understanding DDoS Secure Appliance Operational Mode on page 151

• Understanding DDoS Secure Appliance Defense Status Information on page 156


PART 2

Appendixes

• TCP States on page 165

• ICMP Types on page 167

• Index Attack Types on page 169

• Country Codes on page 175

• Panel Information on page 199

• Troubleshooting on page 201

• Customizing the Web Interface on page 203

• TAP Mode on page 205


APPENDIX A

TCP States

• Understanding DDoS Secure Appliance TCP States on page 165

Understanding DDoS Secure Appliance TCP States

Table 58 on page 165 provides the details of the TCP states held by the DDoS Secure appliance during operation. The TCP states correspond to the standard states of a conventional TCP device, but are subdivided because of the unique method by which the DDoS Secure appliance handles connections.

Table 58: TCP Status Details

SYN: Client has sent a SYN.
SPF: Client has sent a SYN to a potentially internally filtered port.
SIF: Client has sent a SYN to a potentially internally filtered IP address.
S-A: Server has responded with SYN-ACK.
S-S: Client and server SYN at the same time.
ACK: Connection established, but no data from client or server.
P-A: Client sent data, server not yet acknowledged any data.
GET: Currently processing an HTTP GET/HEAD/POST request.
EST: Connection established, data is flowing.
F1S: Internet has sent a FIN.
F2S: Protected ACK'd FIN.
F3S: Internet sent FIN, protected ACK'd FIN and has sent its own FIN.
F-F: Internet and protected sent FIN, but neither ACK'd FIN.
F1D: Protected has sent a FIN.
F2D: Internet has ACK'd FIN.
F3D: Protected sent FIN, Internet ACK'd FIN and sent its own FIN.
CLS: Closed (all FINs ACK'd).
RST: RESET (either end) to SYN.
R-C: RESET (either end) to force session close.
UNK: Session in unknown state.
GETs: Count of connections processing a GET/HEAD request.
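The following Python sketch is an added example, not part of this guide and not the appliance's own engine. It shows how a stateful inspection engine can assign the Table 58 labels to a connection as segments are observed from the Internet and protected sides, separating an Internet-initiated close (F1S, F2S, F3S) from a protected-initiated one (F1D, F2D, F3D), and it raises the two "Unknown Session" conditions listed in Appendix C: a non-SYN segment with no state entry, and a segment that does not fit the entry's current state. The segment record format, the flags-only transition rules (the real engine also checks sequence numbers), and the sample addresses are assumptions for illustration; the filter-dependent SPF/SIF states and the GETs counter are omitted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Segment:
    """A TCP segment as the appliance would see it (constructed record, not a raw header).
    "side" names the sender: "internet" (client side) or "protected" (server side)."""
    src: str
    sport: int
    dst: str
    dport: int
    side: str
    flags: frozenset          # subset of {"S", "A", "F", "R"}
    payload: bytes = b""

FlowKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ")

def flow_key(seg: Segment) -> FlowKey:
    """Direction-independent key so both halves of a connection share one state entry."""
    if seg.side == "internet":
        return (seg.src, seg.sport, seg.dst, seg.dport)
    return (seg.dst, seg.dport, seg.src, seg.sport)

class TcpStateTracker:
    """Assigns the Table 58 labels to flows and records the two Unknown Session events."""

    def __init__(self) -> None:
        self.states: Dict[FlowKey, str] = {}
        self.events: List[Tuple[FlowKey, str]] = []

    def observe(self, seg: Segment) -> Optional[str]:
        key = flow_key(seg)
        state = self.states.get(key)
        if state is None:
            # Only a client SYN may create an entry; anything else is "No State".
            if seg.side == "internet" and seg.flags == frozenset("S"):
                self.states[key] = "SYN"
                return "SYN"
            self.events.append((key, "Unknown Session - No State"))
            return None
        nxt = self._transition(state, seg)
        if nxt is None:
            # An entry exists, but this segment does not fit its current state.
            self.events.append((key, "Unknown Session - Invalid State"))
            return state
        self.states[key] = nxt
        return nxt

    def _transition(self, state: str, seg: Segment) -> Optional[str]:
        f, side, data = seg.flags, seg.side, seg.payload
        if "R" in f:
            # RST against a half-open handshake vs. RST forcing an open session closed.
            return "RST" if state in ("SYN", "S-A", "S-S") else "R-C"
        if state == "SYN":
            if side == "internet" and "S" in f:
                return "SYN"                               # SYN retransmit
            if side == "protected" and "S" in f:
                return "S-A" if "A" in f else "S-S"        # reply, or simultaneous open
            return None
        if state == "S-S":
            return "ACK" if "A" in f else None
        if state == "S-A":
            if side == "internet" and "A" in f and "S" not in f:
                return "P-A" if data else "ACK"            # third handshake segment
            return None
        if state in ("ACK", "P-A", "EST", "GET"):
            if "F" in f:
                return "F1S" if side == "internet" else "F1D"
            if not data:
                return state                               # pure ACKs do not move the state
            if side == "protected":
                return "EST"                               # server data: both directions seen
            if data.startswith(HTTP_METHODS):
                return "GET"
            return "P-A" if state == "ACK" else state
        return self._teardown(state, seg)

    @staticmethod
    def _teardown(state: str, seg: Segment) -> Optional[str]:
        # Internet-initiated close: F1S -> F2S -> F3S -> CLS; protected-initiated: F1D -> F2D -> F3D -> CLS.
        # F-F is reached when the second FIN arrives without acknowledging the first.
        fin, ack, side = "F" in seg.flags, "A" in seg.flags, seg.side
        if state == "CLS":
            return None
        if state == "F1S" and side == "protected":
            if fin:
                return "F3S" if ack else "F-F"
            if ack:
                return "F2S"
        elif state == "F2S" and side == "protected" and fin:
            return "F3S"
        elif state == "F1D" and side == "internet":
            if fin:
                return "F3D" if ack else "F-F"
            if ack:
                return "F2D"
        elif state == "F2D" and side == "internet" and fin:
            return "F3D"
        elif state == "F-F" and ack:
            return "F3D" if side == "internet" else "F3S"
        elif state == "F3S" and side == "internet" and ack:
            return "CLS"
        elif state == "F3D" and side == "protected" and ack:
            return "CLS"
        return state if ack else None                      # duplicate ACKs are harmless

def run_sample() -> dict:
    """One HTTP connection through its whole life, a stray ACK with no state, and a bad handshake."""
    t = TcpStateTracker()
    client, server = ("203.0.113.5", 40001), ("198.51.100.10", 80)   # RFC 5737 sample addresses

    def cli(flags: str, payload: bytes = b"") -> Segment:
        return Segment(*client, *server, "internet", frozenset(flags), payload)

    def srv(flags: str, payload: bytes = b"") -> Segment:
        return Segment(*server, *client, "protected", frozenset(flags), payload)

    trace = [t.observe(s) for s in (
        cli("S"), srv("SA"), cli("A"),
        cli("A", b"GET / HTTP/1.1\r\n"), srv("A", b"HTTP/1.1 200 OK\r\n"),
        cli("FA"), srv("A"), srv("FA"), cli("A"))]
    stray = t.observe(Segment("192.0.2.77", 5555, *server, "internet", frozenset("A")))
    t.observe(Segment("203.0.113.5", 40002, *server, "internet", frozenset("S")))
    invalid = t.observe(Segment(*server, "203.0.113.5", 40002, "protected", frozenset("A")))
    reset = t.observe(Segment(*server, "203.0.113.5", 40002, "protected", frozenset("R")))
    return {"trace": trace, "stray": stray, "invalid": invalid, "reset": reset,
            "events": [name for _, name in t.events]}
```

Running run_sample() walks the first connection through SYN, S-A, ACK, GET, EST, F1S, F2S, F3S and CLS; the stray ACK is reported as "Unknown Session - No State", the server's bare ACK in the half-open handshake as "Unknown Session - Invalid State" (the entry stays in SYN), and the server's RST moves that entry to RST.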

Related Documentation

• Understanding DDoS Secure Appliance ICMP Types on page 167

• Understanding Index Attack Types on page 169


APPENDIX B

ICMP Types

• Understanding DDoS Secure Appliance ICMP Types on page 167

Understanding DDoS Secure Appliance ICMP Types

Table 59 on page 167 provides ICMPv4 details.

Table 59: ICMPv4 Details

Type 0: Echo Reply
Type 3: Destination Unreachable
Type 4: Source Quench
Type 5: Redirect (change route)
Type 8: Echo Request
Type 11: Time Exceeded
Type 12: Parameter Problem
Type 13: Timestamp Request
Type 14: Timestamp Reply
Type 15: Information Request
Type 16: Information Reply
Type 17: Address Mask Request
Type 18: Address Mask Reply

Table 60 on page 168 below provides ICMPv6 details.


Table 60: ICMPv6 Details

Type 1: Destination Unreachable
Type 2: Packet Too Big
Type 3: Time Exceeded
Type 4: Parameter Problem
Type 128: Echo Request
Type 129: Echo Reply
Type 130: Group Membership Query
Type 131: Group Membership Reply
Type 132: Group Membership Reduction
Type 133: Router Solicitation
Type 134: Router Advertisement
Type 135: Neighbor Solicitation
Type 136: Neighbor Advertisement
Type 137: Redirect

Related Documentation

• Understanding DDoS Secure Appliance TCP States on page 165

• Understanding Index Attack Types on page 169


APPENDIX C

Index Attack Types

• Understanding Index Attack Types on page 169

Understanding Index Attack Types

Table 61 on page 169 provides type code details.

Table 61: Type Code Details

-2: Recorded in auto black-list.
-1: Packets not dropped, not recorded in worst offenders.
0: Not recorded in worst offenders.
1: Irritant attacks; used by worst offenders and auto black-list.
2: Resource consuming attacks; used by worst offenders and auto black-list.
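As an added example, not part of this guide and not the appliance's own ranking code, the following Python function applies the Table 61 semantics to a constructed list of incident records: codes -1 and 0 are never ranked, codes 1 and 2 feed both the worst-offender ranking and the auto-black-list candidates, and a -2 incident marks a source as already listed. The incident record format, the sample addresses, the score weighting (1 per irritant, 2 per resource-consuming attack) and the listing threshold are assumptions for illustration; the guide states neither a weighting nor a threshold.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Type codes as defined in Table 61 of Appendix C.
AUTO_BLACKLISTED = -2      # source is already recorded in the auto black-list
NOT_DROPPED = -1           # packet was passed; not recorded in worst offenders
NOT_SCORED = 0             # packet dropped, but not recorded in worst offenders
IRRITANT = 1               # scored for worst offenders and auto black-list
RESOURCE_CONSUMING = 2     # scored for worst offenders and auto black-list

@dataclass(frozen=True)
class Incident:
    """One logged incident (constructed record format, not the appliance's export)."""
    source_ip: str
    attack: str        # attack type name as listed in Table 62
    type_code: int     # Table 61 code for that attack type

# Constructed sample incidents using RFC 5737 documentation addresses; not appliance output.
SAMPLE_INCIDENTS = [
    Incident("203.0.113.5", "TCP Attack - Syn Flood", RESOURCE_CONSUMING),
    Incident("203.0.113.5", "TCP Attack - Port Scan", RESOURCE_CONSUMING),
    Incident("203.0.113.5", "Bad TCP Packet - Flags", IRRITANT),
    Incident("198.51.100.20", "Blocked Protocol - Temp Black-Listed", AUTO_BLACKLISTED),
    Incident("198.51.100.20", "TCP Attack - Port Scan", RESOURCE_CONSUMING),
    Incident("192.0.2.9", "Bad IP Packet - Reflected Route", NOT_DROPPED),
    Incident("192.0.2.9", "Blocked Protocol - Port", IRRITANT),
    Incident("192.0.2.33", "Blocked Protocol - Country Black-Listed", NOT_SCORED),
]

@dataclass
class Summary:
    worst_offenders: List[Tuple[str, int]]   # (source, score), highest score first
    candidates: List[str]                    # scored sources not yet auto-black-listed
    already_listed: Set[str]                 # sources that produced a -2 incident
    passed_count: int                        # incidents logged but not dropped (-1)

def summarise(incidents: List[Incident], list_threshold: int = 3) -> Summary:
    """Rank sources as Table 61 describes: only codes 1 and 2 count towards the ranking.

    Weighting (an irritant scores 1, a resource-consuming attack scores 2) and
    list_threshold are assumptions for this example; the guide specifies neither.
    """
    scores: Dict[str, int] = defaultdict(int)
    already: Set[str] = set()
    passed = 0
    for inc in incidents:
        if inc.type_code == AUTO_BLACKLISTED:
            already.add(inc.source_ip)
        elif inc.type_code == NOT_DROPPED:
            passed += 1
        elif inc.type_code in (IRRITANT, RESOURCE_CONSUMING):
            scores[inc.source_ip] += inc.type_code
        # NOT_SCORED incidents are dropped by the engine but never ranked.
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    candidates = [ip for ip, score in ranked if score >= list_threshold and ip not in already]
    return Summary(ranked, candidates, already, passed)
```

With the sample data, 203.0.113.5 ranks first with a score of 5 and is the only listing candidate; 198.51.100.20 still appears in the ranking for its scored port scan but is excluded from the candidates because it already produced a -2 incident, and the reflected-route event for 192.0.2.9 is counted as passed traffic rather than scored.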

Table 62 on page 169 provides attack type code details.

Table 62: Attack Type Details

Each row gives the attack type name, its Table 61 type code in parentheses, and the details.

Bad ICMP Packet - Malformed (type 1): ICMP header malformed (length, options, and so on).
Bad IP Packet - Broken Header (type 1): IP header malformed; RFC non-compliant.
Bad IP Packet - Invalid Option (type 1): IP packet has invalid option field or field length.
Bad IP Packet - Invalid Source Address (type 0): IP packet has invalid source address.
Bad IP Packet - Reflected Route (type -1): IP packet is being reflected off a router; the same packet is passed both ways through the DDoS Secure appliance. Informational only.
Bad IP Packet - Size Mismatch (type 1): IP packet has invalid field length.
Bad O-IP Packet - Length (type 1): IP packet too short to contain the IP protocol header.
Bad O-IP Packet - Protocol (type 1): Invalid IP protocol number.
Bad TCP Packet - Fast Repeat Ack (type 0): Identical packets containing ACKs are being repeated at a rate of greater than 10 per second.
Bad TCP Packet - Flags (type 1): Invalid TCP flag combinations.
Bad TCP Packet - Malformed (type 1): Format of TCP header invalid.
Bad TCP Packet - Option (type 1): Invalid TCP option field.
Bad UDP Packet - Malformed (type 1): UDP header malformed.
Bad UDP Packet - No data (type 1): UDP packet contains no data.
Bandwidth - Rate Limited (type 2): Bandwidth rate exceeded for MAC address/portal/filter.
Blocked Protocol - Black-Listed (type 0): This IP address is black-listed as it is part of a black-listed network.
Blocked Protocol - Black-Listed AS (type 0): AS is blocked.
Blocked Protocol - Black-Listed DNS (type 1): DNS query is blocked.
Blocked Protocol - Black-Listed SIP (type 1): SIP request is blocked.
Blocked Protocol - Black-Listed URL (type 1): URL request is blocked.
Blocked Protocol - Country Black-Listed (type 0): Traffic to and from country is blocked.
Blocked Protocol - Icmp Type (type 1): No filters match for this ICMP packet.
Blocked Protocol - Other Proto (type 1): No filters match for this protocol type.
Blocked Protocol - Port (type 1): No filter match for this destination port.
Blocked Protocol - Temp Black-Listed (type -2): This IP address is temporarily black-listed.
Blocked Protocol - Undefined protected IP (type 0): Traffic to or from an address that is not defined as a protected IP address.
Fragment Attack - Bad Length (type 2): Invalid fragment length in IP header.
Fragment Attack - Header Overlay (type 2): Fragment start overlays protocol header.
Fragment Attack - No Fragments allowed (type 1): Fragmentation is disabled in the filter.
Fragment Attack - Ping of Death (type 2): Assembled packet is longer than 65,535 bytes.
Fragment Attack - Repeats (type 1): Same fragment is sent again.
Fragment Attack - Small Size (type 2): Initial TCP fragment is smaller than header.
Fragment Attack - Table Full (type 1): Internal state table for fragments is full.
Fragment Attack - Timeout (type 2): Not all fragments seen.
ICMP Attack - Repeats (type 1): ICMP packets being repeated at a rate of more than 40 per second.
ICMP Attack - Table Full (type 1): Internal state table for ICMP is full.
IP Attack - Land (type 2): Source and destination IP addresses are equal.
Not Passed Thru - BPDU Packet (type 0): Failover mode does not allow through spanning tree packets.
Not Passed Thru - Deactivated (type 0): DDoS Secure appliance has operationally closed down.
Not Passed Thru - Direction Unknown (type 0): Logging-tap only. MAC address not obtained yet.
Not Passed Thru - Generated Response (type 0): ARP packet generated by redirect server.
Not Passed Thru - HeartBeat (type 0): Failover heartbeat is never passed through a DDoS Secure appliance.
Not Passed Thru - Keep-Alive Response (type 0): TCP response packet to internally generated keepalive probe packet is dropped.
Not Passed Thru - MAC Misconfigured (type 0): A MAC address is configured for one side of the DDoS Secure appliance, but this packet with this source MAC address is seen on the wrong side of the DDoS Secure appliance.
Not Passed Thru - MAC Table Overflow (type 0): Internal table for MAC addresses is full. Oldest entry is expired.
Not Passed Thru - Out Of Service State (type 0): Failover device is out of service. No packets passing through.
Not Passed Thru - Packet From Us (type 0): Packet sent by someone pretending to be an Internet or a protected interface by using their MAC address.
Not Passed Thru - Packet To Us (type 0): Packet sent to Internet or protected interface MAC address.
Not Passed Thru - Pause Frame (type 0): Ethernet pause frame is dropped.
Not Passed Thru - Probe State (type 0): Failover is in the probe state, so no traffic passing through yet.
Not Passed Thru - Runt Packet (type 0): Undersized packet is dropped.
Not Passed Thru - Same Side (type 0): The source and destination MAC addresses both reside on the same side of the DDoS Secure appliance.
Not Passed Thru - Short Circuit Active (type 0): The same (source) MAC address is seen on both sides of the DDoS Secure appliance.
Not Passed Thru - Standby State (type 0): Failover is in the standby state; traffic flows through the other DDoS Secure appliance.
Not Passed Thru - State Sync (type 0): State synchronization packets are being processed but not passed through.
Not Passed Thru - State Sync Sent (type 0): State synchronization packets are being processed but not passed through.
Other-IP Attack - Table Full (type 1): Internal state table for other IP protocols is full. Oldest entry is expired.
Overloaded IP - Backlog (type 1): The protected IP address cannot keep up with new TCP connection requests.
Overloaded IP - Stall (type 1): The protected IP address has stopped responding to anything.
Overloaded IP - Threads (type 2): The protected IP address has stopped responding to new HTTP GET requests.
Packet Rate - Rate Limited (type 2): Packet rate exceeded as defined in a filter or portal.
TCP Attack - Client Abort (type 1): Client aborted connection after request.
TCP Attack - Connection Flood (type 2): The protected IP address has reached its configured concurrent connection limit.
TCP Attack - Connection Rate Flood (type 2): The protected IP address is receiving connection requests at a rate higher than it is configured for.
TCP Attack - HTTP Flood (type 2): The protected IP address has reached its configured concurrent GET/HEAD limit.
TCP Attack - HTTP Format (type 2): HTTP packet incorrectly formatted.
TCP Attack - HTTP Rate Flood (type 2): The protected IP address is receiving GET requests at a rate higher than it is configured for.
TCP Attack - HTTP Req Incomplete (type 2): The HTTP GET request was never completed.
TCP Attack - HTTP Timeout (type 1): The protected IP address did not respond to a GET/HEAD request in a timely manner.
TCP Attack - No Data Xfer (type 1): No data in either direction was transferred on the TCP connection. The connection was just opened and then closed.
TCP Attack - No Server Data Xfer (type 1): A webserver did not respond to a GET request. Usually seen when an IP address is requested in the host: header field, instead of a domain name.
TCP Attack - Port Scan (type 2): A potential port scan was detected.
TCP Attack - RST (type 1): RST packet has invalid sequence number.
TCP Attack - Small Window (type 2): Client has closed TCP window.
TCP Attack - Syn-Ack Timeout (type 2): The client IP address did not complete the TCP connection.
TCP Attack - Syn Flood (type 2): The protected IP address is receiving SYN packets at a rate higher than it is configured for or can handle.
TCP Attack - Table Full (type 1): Internal state table for TCP connections is full.
UDP Attack - DNS Rate Limited (type 2): DNS queries are not being responded to quickly enough.
UDP Attack - SIP Rate Limited (type 2): SIP queries are not being responded to quickly enough.
UDP Attack - Table Full (type 1): Internal state table for UDP information is full.
Unknown Session - Icmp Diag Response (type 1): ICMP diagnostic response packet does not match a state table entry for the respective IP protocol.
Unknown Session - Icmp Response (type 1): ICMP response packet has no matching ICMP request in state table.
Unknown Session - Invalid State (type 1): TCP packet has a state table entry, but packet is out of state (sequence numbers mismatch, or incorrect TCP flags).
Unknown Session - No State (type 1): TCP packet has no state table entry and is not a SYN (start of connection) packet.
Unknown Session - Reflective Attack (type 1): Unknown response packets to queries not initiated by a protected IP.
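As an added example, not part of this guide and not the appliance's own engine, the following Python checker applies the Table 62 "Fragment Attack" conditions (Bad Length, Header Overlay, Ping of Death, Repeats, Small Size and Timeout) to constructed IPv4 fragment records, tracking each datagram's fragment set until it either reassembles completely or passes a deadline. The record fields, the 30-second deadline, the use of the 20-byte minimum TCP header for the Small Size and Header Overlay checks, and the sample addresses are assumptions for illustration; the guide does not state the engine's actual thresholds.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IP_MAX_LEN = 65535         # largest IPv4 datagram; a larger reassembly is the "Ping of Death" row
TCP_HEADER_MIN = 20        # a first fragment carrying TCP must hold at least this many bytes
FRAG_TIMEOUT = 30.0        # assumed reassembly deadline in seconds; the guide gives no value

@dataclass(frozen=True)
class Frag:
    """One IPv4 fragment as the appliance would see it (a constructed record, not a packet)."""
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments of one datagram
    proto: int      # IP protocol number; 6 = TCP
    offset: int     # byte offset of this fragment's payload (fragment-offset field * 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag; False on the final fragment
    ts: float       # arrival time in seconds

@dataclass
class _FragSet:
    first_ts: float
    pieces: Set[Tuple[int, int]] = field(default_factory=set)   # (offset, length) seen so far
    end: int = -1                                               # total length once MF=0 arrives

class FragmentChecker:
    """Classifies fragments with the Table 62 'Fragment Attack' rows and tracks partial sets."""

    def __init__(self, timeout: float = FRAG_TIMEOUT) -> None:
        self.timeout = timeout
        self.sets: Dict[tuple, _FragSet] = {}
        self.completed: List[tuple] = []

    def observe(self, f: Frag) -> List[str]:
        key = (f.src, f.dst, f.ident, f.proto)
        findings: List[str] = []
        # Bad Length: offsets are 8-byte units, non-final fragments are multiples of 8, none is empty.
        if f.length == 0 or f.offset % 8 or (f.more and f.length % 8):
            findings.append("Fragment Attack - Bad Length")
        # Ping of Death: this fragment would push the reassembled datagram past 65,535 bytes.
        if f.offset + f.length > IP_MAX_LEN:
            findings.append("Fragment Attack - Ping of Death")
        if f.proto == 6:
            # Small Size: the first fragment does not hold a complete TCP header.
            if f.offset == 0 and f.length < TCP_HEADER_MIN:
                findings.append("Fragment Attack - Small Size")
            # Header Overlay: a later fragment starts inside the transport header and could rewrite it.
            if 0 < f.offset < TCP_HEADER_MIN:
                findings.append("Fragment Attack - Header Overlay")
        s = self.sets.setdefault(key, _FragSet(first_ts=f.ts))
        piece = (f.offset, f.length)
        if piece in s.pieces:
            findings.append("Fragment Attack - Repeats")      # identical fragment seen again
        s.pieces.add(piece)
        if not f.more:
            s.end = f.offset + f.length
        if not findings and self._complete(s):
            self.completed.append(key)                        # clean set reassembled; forget it
            del self.sets[key]
        return findings

    @staticmethod
    def _complete(s: _FragSet) -> bool:
        """True when the pieces cover [0, end) without a hole."""
        if s.end < 0:
            return False
        covered = 0
        for off, ln in sorted(s.pieces):
            if off > covered:
                return False
            covered = max(covered, off + ln)
        return covered >= s.end

    def expire(self, now: float) -> List[Tuple[tuple, str]]:
        """Timeout row: sets still incomplete after the deadline ('Not all fragments seen')."""
        expired = [k for k, s in self.sets.items() if now - s.first_ts > self.timeout]
        for k in expired:
            del self.sets[k]
        return [(k, "Fragment Attack - Timeout") for k in expired]

def run_sample() -> dict:
    """Constructed fragment sets: a benign two-piece datagram, then one example of each attack row."""
    c = FragmentChecker(timeout=30.0)
    a, b = "203.0.113.9", "198.51.100.4"          # RFC 5737 documentation addresses
    out = {}
    out["benign"] = (c.observe(Frag(a, b, 1, 6, 0, 1480, True, 0.0))
                     + c.observe(Frag(a, b, 1, 6, 1480, 20, False, 0.1)))
    out["completed"] = len(c.completed)
    out["small"] = c.observe(Frag(a, b, 2, 6, 0, 8, True, 1.0))        # TCP first fragment of 8 bytes
    out["overlay"] = c.observe(Frag(a, b, 2, 6, 8, 16, False, 1.1))    # next piece starts in the header
    out["pod"] = c.observe(Frag(a, b, 3, 1, 65528, 16, False, 2.0))    # 65,544-byte reassembly
    c.observe(Frag(a, b, 4, 17, 0, 1480, True, 3.0))
    out["repeat"] = c.observe(Frag(a, b, 4, 17, 0, 1480, True, 3.2))   # same piece again
    out["badlen"] = c.observe(Frag(a, b, 5, 17, 0, 1001, True, 4.0))   # non-final, not 8-aligned
    out["timed_out"] = len(c.expire(100.0))                            # the four unfinished sets
    return out
```

The benign set reassembles and is dropped from the tracker; the sets that produced findings are kept until expire() runs, which is why four of them surface as Timeout in the sample.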


APPENDIX D

Country Codes

• DDoS Secure Appliance Country Codes on page 175

DDoS Secure Appliance Country Codes

Table 63 on page 175 and Table 64 on page 176 list the address type codes and country codes used by the DDoS Secure appliance, sorted by code.

Table 63: Code Type Details

---: Unknown
bc: Broadcast (cannot be blocked)
bl: Black List (always blocked)
bo: Bogon address
ca: Country Allow
ce: Class E
dc: Default CHARM
lo: Loopback
mc: Multicast (cannot be blocked)
mp: Mega Proxy (cannot be blocked)
nb: No Auto Block
pl: Preferred List
pr: RFC1918 address
u1: User Defined #1
u2: User Defined #2
u3: User Defined #3
u4: User Defined #4
u5: User Defined #5
u6: User Defined #6
u7: User Defined #7
u8: User Defined #8
u9: User Defined #9
wl: White-list (cannot be blocked)
wn: White No Log (cannot be blocked)

Table 64: Sort by Country

Code  Details
A1    Anonymous Proxy
A2    Satellite Provider
ABW   Aruba
AFG   Afghanistan
AGO   Angola
AIA   Anguilla
ALA   Aland Islands
ALB   Albania
AND   Andorra
ANT   Netherlands Antilles
AP    Asia/Pacific Region
AQ    Antarctica
ARE   United Arab Emirates
ARG   Argentina
ARM   Armenia
ASM   American Samoa
ATG   Antigua and Barbuda
AUS   Australia
AUT   Austria
AZE   Azerbaijan
BDI   Burundi
BEL   Belgium
BEN   Benin
BFA   Burkina Faso
BGD   Bangladesh
BGR   Bulgaria
BHR   Bahrain
BHS   Bahamas
BIH   Bosnia and Herzegovina
BLR   Belarus
BLZ   Belize
BMU   Bermuda
BOL   Bolivia
BRA   Brazil
BRB   Barbados
BRN   Brunei Darussalam
BTN   Bhutan
BV    Bouvet Island
BWA   Botswana
CAF   Central African Republic
CAN   Canada
CC    Cocos (Keeling) Islands
CHE   Switzerland
CHL   Chile
CHN   China
CIV   Côte d’Ivoire
CMR   Cameroon
COD   Congo, The Democratic Republic of the
COG   Congo
COK   Cook Islands
COL   Colombia
COM   Comoros
CPV   Cape Verde
CRI   Costa Rica
CUB   Cuba
CX    Christmas Island
CYM   Cayman Islands
CYP   Cyprus
CZE   Czech Republic
DEU   Germany
DJI   Djibouti
DMA   Dominica
DNK   Denmark
DOM   Dominican Republic
DZA   Algeria
ECU   Ecuador
EGY   Egypt
ERI   Eritrea
ESH   Western Sahara
ESP   Spain
EST   Estonia
ETH   Ethiopia
EU    Europe
FIN   Finland
FJI   Fiji
FLK   Falkland Islands (Malvinas)
FRA   France
FRO   Faroe Islands
FSM   Micronesia, Federated States of
FX    France, Metropolitan
GAB   Gabon
GBR   United Kingdom
GEO   Georgia
GGY   Guernsey
GHA   Ghana
GIB   Gibraltar
GIN   Guinea
GLP   Guadeloupe
GMB   Gambia
GNB   Guinea-Bissau
GNQ   Equatorial Guinea
GRC   Greece
GRD   Grenada
GRL   Greenland
GS    South Georgia and the South Sandwich Islands
GTM   Guatemala
GUF   French Guiana
GUM   Guam
GUY   Guyana
HKG   Hong Kong
HM    Heard Island and McDonald Islands
HND   Honduras
HRV   Croatia
HTI   Haiti
HUN   Hungary
IDN   Indonesia
IMN   Isle of Man
IND   India
IO    British Indian Ocean Territory
IRL   Ireland
IRN   Iran, Islamic Republic of
IRQ   Iraq
ISL   Iceland
ISR   Israel
ITA   Italy
JAM   Jamaica
JEY   Jersey
JOR   Jordan
JPN   Japan
KAZ   Kazakhstan
KEN   Kenya
KGZ   Kyrgyzstan
KHM   Cambodia
KIR   Kiribati
KNA   Saint Kitts and Nevis
KOR   Korea, Republic of
KWT   Kuwait
LAO   Lao People’s Democratic Republic
LBN   Lebanon
LBR   Liberia
LBY   Libyan Arab Jamahiriya
LCA   Saint Lucia
LIE   Liechtenstein
LKA   Sri Lanka
LSO   Lesotho
LTU   Lithuania
LUX   Luxembourg
LVA   Latvia
MAC   Macau
MAR   Morocco
MCO   Monaco
MDA   Moldova, Republic of
MDG   Madagascar
MDV   Maldives
MEX   Mexico
MHL   Marshall Islands
MKD   Macedonia
MLI   Mali
MLT   Malta
MMR   Myanmar
MNE   Montenegro
MNG   Mongolia
MNP   Northern Mariana Islands
MOZ   Mozambique
MRT   Mauritania
MSR   Montserrat
MTQ   Martinique
MUS   Mauritius
MWI   Malawi
MYS   Malaysia
NAM   Namibia
NCL   New Caledonia
NER   Niger
NFK   Norfolk Island
NGA   Nigeria
NIC   Nicaragua
NIU   Niue
NLD   Netherlands
NOR   Norway
NPL   Nepal
NRU   Nauru
NZL   New Zealand
O1    Other
OMN   Oman
PAK   Pakistan
PAN   Panama
PCN   Pitcairn Islands
PER   Peru
PHL   Philippines
PLW   Palau
PNG   Papua New Guinea
POL   Poland
PRI   Puerto Rico
PRK   Korea, Democratic People’s Republic of
PRT   Portugal
PRY   Paraguay
PSE   Palestinian Territory
PYF   French Polynesia
QAT   Qatar
REU   Reunion
ROU   Romania
RUS   Russian Federation
RWA   Rwanda
SAU   Saudi Arabia
SDN   Sudan
SEN   Senegal
SGP   Singapore
SHN   Saint Helena
SJM   Svalbard and Jan Mayen
SLB   Solomon Islands
SLE   Sierra Leone
SLV   El Salvador
SMR   San Marino
SOM   Somalia
SPM   Saint Pierre and Miquelon
SRB   Serbia
STP   Sao Tome and Principe
SUR   Suriname
SVK   Slovakia
SVN   Slovenia
SWE   Sweden
SWZ   Swaziland
SYC   Seychelles
SYR   Syrian Arab Republic
TCA   Turks and Caicos Islands
TCD   Chad
TF    French Southern Territories
TGO   Togo
THA   Thailand
TJK   Tajikistan
TKL   Tokelau
TKM   Turkmenistan
TLS   Timor-Leste
TON   Tonga
TTO   Trinidad and Tobago
TUN   Tunisia
TUR   Turkey
TUV   Tuvalu
TWN   Taiwan
TZA   Tanzania, United Republic of
UGA   Uganda
UKR   Ukraine
UM    United States Minor Outlying Islands
URY   Uruguay
USA   United States
UZB   Uzbekistan
VAT   Holy See (Vatican City State)
VCT   Saint Vincent and the Grenadines
VEN   Venezuela
VGB   Virgin Islands, British
VIR   Virgin Islands, U.S.
VNM   Vietnam
VUT   Vanuatu
WLF   Wallis and Futuna
WSM   Samoa
YEM   Yemen
YT    Mayotte
ZAF   South Africa
ZMB   Zambia
ZWE   Zimbabwe

Table 65 on page 187 and Table 66 on page 188 list the same code types and country codes used by the DDoS Secure appliance, sorted by country.


Table 65: Sort by Code

Code  Type               Details
bl    Black List         Always is blocked
bo    Bogon address
bc    Broadcast          Cannot be blocked
ca    Country Allow
ce    Class E
dc    Default CHARM
lo    Loopback
mc    Multicast          Cannot be blocked
mp    Mega Proxy         Cannot be blocked
nb    No Auto Block
pt    Pen Test List
pl    Preferred List
pr    RFC1918 address
u1    User Defined #1
u2    User Defined #2
u3    User Defined #3
u4    User Defined #4
u5    User Defined #5
u6    User Defined #6
u7    User Defined #7
u8    User Defined #8
u9    User Defined #9
wl    White List         Cannot be blocked
wn    White No Log       Cannot be blocked
--    Unknown


Table 66: Sort by Country

Code  Details
AFG   Afghanistan
ALA   Aland Islands
ALB   Albania
DZA   Algeria
ASM   American Samoa
AND   Andorra
AGO   Angola
AIA   Anguilla
A1    Anonymous Proxy
AQ    Antarctica
ATG   Antigua and Barbuda
ARG   Argentina
ARM   Armenia
ABW   Aruba
AP    Asia/Pacific Region
AUS   Australia
AUT   Austria
AZE   Azerbaijan
BHS   Bahamas
BHR   Bahrain
BGD   Bangladesh
BRB   Barbados
BLR   Belarus
BEL   Belgium
BLZ   Belize
BEN   Benin
BMU   Bermuda
BTN   Bhutan
BOL   Bolivia
BIH   Bosnia and Herzegovina
BWA   Botswana
BV    Bouvet Island
BRA   Brazil
IO    British Indian Ocean Territory
BRN   Brunei Darussalam
BGR   Bulgaria
BFA   Burkina Faso
BDI   Burundi
KHM   Cambodia
CMR   Cameroon
CAN   Canada
CPV   Cape Verde
CYM   Cayman Islands
CAF   Central African Republic
TCD   Chad
CHL   Chile
CHN   China
CX    Christmas Island
CC    Cocos (Keeling) Islands
COL   Colombia
COM   Comoros
COG   Congo
COD   Congo, The Democratic Republic of the
COK   Cook Islands
CRI   Costa Rica
CIV   Côte d’Ivoire
HRV   Croatia
CUB   Cuba
CYP   Cyprus
CZE   Czech Republic
DNK   Denmark
DJI   Djibouti
DMA   Dominica
DOM   Dominican Republic
ECU   Ecuador
EGY   Egypt
SLV   El Salvador
GNQ   Equatorial Guinea
ERI   Eritrea
EST   Estonia
ETH   Ethiopia
EU    Europe
FLK   Falkland Islands (Malvinas)
FRO   Faroe Islands
FJI   Fiji
FIN   Finland
FRA   France
FX    France, Metropolitan
GUF   French Guiana
PYF   French Polynesia
TF    French Southern Territories
GAB   Gabon
GMB   Gambia
GEO   Georgia
DEU   Germany
GHA   Ghana
GIB   Gibraltar
GRC   Greece
GRL   Greenland
GRD   Grenada
GLP   Guadeloupe
GUM   Guam
GTM   Guatemala
GGY   Guernsey
GIN   Guinea
GNB   Guinea-Bissau
GUY   Guyana
HTI   Haiti
HM    Heard Island and McDonald Islands
VAT   Holy See (Vatican City State)
HND   Honduras
HKG   Hong Kong
HUN   Hungary
ISL   Iceland
IND   India
IDN   Indonesia
IRN   Iran, Islamic Republic of
IRQ   Iraq
IRL   Ireland
IMN   Isle of Man
ISR   Israel
ITA   Italy
JAM   Jamaica
JPN   Japan
JEY   Jersey
JOR   Jordan
KAZ   Kazakhstan
KEN   Kenya
KIR   Kiribati
PRK   Korea, Democratic People’s Republic of
KOR   Korea, Republic of
KWT   Kuwait
KGZ   Kyrgyzstan
LAO   Lao People’s Democratic Republic
LVA   Latvia
LBN   Lebanon
LSO   Lesotho
LBR   Liberia
LBY   Libyan Arab Jamahiriya
LIE   Liechtenstein
LTU   Lithuania
LUX   Luxembourg
MAC   Macau
MKD   Macedonia
MDG   Madagascar
MWI   Malawi
MYS   Malaysia
MDV   Maldives
MLI   Mali
MLT   Malta
MHL   Marshall Islands
MTQ   Martinique
MRT   Mauritania
MUS   Mauritius
YT    Mayotte
MEX   Mexico
FSM   Micronesia, Federated States of
MDA   Moldova, Republic of
MCO   Monaco
MNG   Mongolia
MNE   Montenegro
MSR   Montserrat
MAR   Morocco
MOZ   Mozambique
MMR   Myanmar
NAM   Namibia
NRU   Nauru
NPL   Nepal
NLD   Netherlands
ANT   Netherlands Antilles
NCL   New Caledonia
NZL   New Zealand
NIC   Nicaragua
NER   Niger
NGA   Nigeria
NIU   Niue
NFK   Norfolk Island
MNP   Northern Mariana Islands
NOR   Norway
OMN   Oman
O1    Other
PAK   Pakistan
PLW   Palau
PSE   Palestinian Territory
PAN   Panama
PNG   Papua New Guinea
PRY   Paraguay
PER   Peru
PHL   Philippines
PCN   Pitcairn Islands
POL   Poland
PRT   Portugal
PRI   Puerto Rico
QAT   Qatar
REU   Reunion
ROU   Romania
RUS   Russian Federation
RWA   Rwanda
SHN   Saint Helena
KNA   Saint Kitts and Nevis
LCA   Saint Lucia
SPM   Saint Pierre and Miquelon
VCT   Saint Vincent and the Grenadines
WSM   Samoa
SMR   San Marino
STP   Sao Tome and Principe
A2    Satellite Provider
SAU   Saudi Arabia
SEN   Senegal
SRB   Serbia
SYC   Seychelles
SLE   Sierra Leone
SGP   Singapore
SVK   Slovakia
SVN   Slovenia
SLB   Solomon Islands
SOM   Somalia
ZAF   South Africa
GS    South Georgia and the South Sandwich Islands
ESP   Spain
LKA   Sri Lanka
SDN   Sudan
SUR   Suriname
SJM   Svalbard and Jan Mayen
SWZ   Swaziland
SWE   Sweden
CHE   Switzerland
SYR   Syrian Arab Republic
TWN   Taiwan
TJK   Tajikistan
TZA   Tanzania, United Republic of
THA   Thailand
TLS   Timor-Leste
TGO   Togo
TKL   Tokelau
TON   Tonga
TTO   Trinidad and Tobago
TUN   Tunisia
TUR   Turkey
TKM   Turkmenistan
TCA   Turks and Caicos Islands
TUV   Tuvalu
UGA   Uganda
UKR   Ukraine
ARE   United Arab Emirates
GBR   United Kingdom
USA   United States
UM    United States Minor Outlying Islands
URY   Uruguay
UZB   Uzbekistan
VUT   Vanuatu
VEN   Venezuela
VNM   Vietnam
VGB   Virgin Islands, British
VIR   Virgin Islands, U.S.
WLF   Wallis and Futuna
ESH   Western Sahara
YEM   Yemen
ZMB   Zambia
ZWE   Zimbabwe


Related Documentation

• Understanding Index Attack Types on page 169


APPENDIX E

Panel Information

• DDoS Secure Appliance Panel Information on page 199

DDoS Secure Appliance Panel Information

DDoS Secure-1200-Fail-Safe Panels

Figure 109 on page 199 and Figure 110 on page 199 show the front and back panel of the DDoS Secure-1200-Fail-Safe.

Figure 109: DDoS Secure-1200-Fail-Safe Front Panel

Figure 110: DDoS Secure-1200-Fail-Safe Back Panel

Table 67 on page 199 lists the front and back panel components of the DDoS Secure-1200-Fail-Safe appliance.

Table 67: DDoS Secure 1200-Fail-Safe Callout Details

Callout  Component

Front Panel

1        Power ON/OFF button

Rear Panel

1        I-I/F (1Gb/10Gb Internet interface)
2        P-I/F (1Gb/10Gb protected interface)
3        Power supply
4        D-I/F (Optional 1Gb data share interface)
5        M-I/F+ILO (1Gb management interface and Integrated Lights Out)
6        USB port (Optional)
7        Video (Optional)
8        Serial interface

Related Documentation

• Understanding Index Attack Types on page 169


APPENDIX F

Troubleshooting

• Troubleshooting a DDoS Secure Appliance on page 201

Troubleshooting a DDoS Secure Appliance

1. My browser gives an SSL connection error.

If the DDoS Secure appliance SSL certificate changes for any reason, some PC browsers choke on the previously installed certificate. If so, the old certificate has to be removed by hand from the browser's root certificate cache. It is possible that exiting the browser and reconnecting fixes the situation.

2. How do I recover my lost username and password?

You cannot recover the username and password. If Juniper Networks personnel are able to access your appliance, they might be able to reset the password. It might be that you have to re-image the system.

3. What does Init Phase xxx mean?

When the appliance starts up, various large data sets have to be initialized. Each phase is the initialization of a different data set.

4. What does Exit Phase xxx mean?

When the appliance closes down, various large data sets have to be cleanly closed down. Each phase is the cleanup of a different data set.

5. Why does Protected IP Table Full turn red?

The appliance is set up to protect a maximum number of protected IP addresses. If this limit is exceeded, the Protected IP Table Full indicator turns red. If your I-I/F and P-I/F connectors are reversed, the appliance is effectively protecting the Internet from your internal users. Confirm this using the Protected Information option. Correct any cabling errors. If the appliance has to protect more than the specified number of protected IP addresses, review the location of the appliance in your network topology. If cabling arrangements are logically reversed without physical disconnection, the DDoS Secure appliance engine must be restarted to ensure the correct automatic detection of the network topology. It is also possible to swap the interfaces with the Configure Interfaces option.


Related Documentation

• Understanding Index Attack Types on page 169


APPENDIX G

Customizing the Web Interface

• Customizing the DDoS Secure Web Interface on page 203

Customizing the DDoS Secure Web Interface

You can customize both the GUI initial login landing page and the format/style of pages.

Login Page

To customize the login page:

1. Take a copy of the source of the initial login page, https://a.b.c.d, and save it locally.

2. Name the file customer.tmpl or host_uri-customer.tmpl, where host_uri is the name or IP address that a user uses to access the DDoS Secure appliance.

The customer.tmpl file:

• Is preserved across software upgrades.

• Can include references to external URLs.

• Can reference existing image files or portal-specific images.

• Must link to webviewcheck.wsp to enter the DDoS Secure appliance portal.

For example, if the site is accessed with the URL https://some.host.com, then the search sequence is some.host.com-customer.tmpl, then customer.tmpl, and finally the original login page.

Images/CSS Files

Once you have logged in, you are associated with a portal. Any .css file in the /css directory, or any image in the /images directory, can be customized to modify the output.

For example, you are logged in to portal CustomerX and request css/center_pane.css. The search order is css/portal-CustomerX-center_pane.css, then css/portal-center_pane.css, and finally css/center_pane.css. The same is true for any images.
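The two search orders just described, and the one hard requirement on customer.tmpl (it must link to webviewcheck.wsp), worked through in Python as an added example that is not part of the Juniper guide; the file inventory, the portal name CustomerX and the sample template are constructed for illustration.

```python
"""Resolve DDoS Secure GUI customization files in the documented search order.

Added example, not Juniper code.  Models the two lookup sequences in Appendix G
and checks a customer.tmpl for the requirement the appendix states: it must link
to webviewcheck.wsp.  It also lists external URLs the template would load, so an
administrator can review them before uploading the package.
"""
import re

# Constructed inventory of customized files present after an upload.
UPLOADED = {
    "some.host.com-customer.tmpl",
    "customer.tmpl",
    "css/portal-CustomerX-center_pane.css",
    "css/portal-center_pane.css",
    "css/center_pane.css",
    "css/top_pane.css",
}

# Constructed login page body for check_template().
SAMPLE_TEMPLATE = """<html><head>
<link rel="stylesheet" href="css/center_pane.css"></head><body>
<img src="https://cdn.example.com/logo.png">
<form action="webviewcheck.wsp" method="post"><input type="submit"></form>
</body></html>"""


def resolve_login_template(host_uri, present=UPLOADED):
    """Login page order: <host_uri>-customer.tmpl, customer.tmpl, then default."""
    for name in (f"{host_uri}-customer.tmpl", "customer.tmpl"):
        if name in present:
            return name
    return None  # None: the appliance serves its original login page


def resolve_portal_asset(portal, path, present=UPLOADED):
    """css/images order: portal-<portal>-<file>, portal-<file>, then <file>."""
    directory, _, filename = path.rpartition("/")
    prefix = f"{directory}/" if directory else ""
    for name in (f"{prefix}portal-{portal}-{filename}",
                 f"{prefix}portal-{filename}",
                 f"{prefix}{filename}"):
        if name in present:
            return name
    return None


_REF = re.compile(r'''(?:href|src|action)\s*=\s*["']([^"']+)["']''', re.I)


def check_template(html):
    """Return (links_to_portal, external_urls) for a customer.tmpl body.

    links_to_portal is True when some reference points at webviewcheck.wsp;
    external_urls holds every absolute http(s) reference found, sorted.
    """
    refs = _REF.findall(html)
    links_to_portal = any(r.split("?")[0].endswith("webviewcheck.wsp") for r in refs)
    external = sorted({r for r in refs if re.match(r"https?://", r, re.I)})
    return links_to_portal, external
```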


Updating Customized Files

To upload the files from a Linux server, collect all the customized files in a directory, and then run the following Linux command to create an update package:

echo w.x.y > webscreen- ; tar cvf files.upg webscreen-* customer.tmpl portal*.css portal*.gif

where w.x.y is the current version of the DDoS Secure appliance (for example: 5.13.1). Then upload files.upg as a DDoS Secure appliance patch.

Removing Customized Files

Run the following command from the CLI to remove any custom files:

JS>system clear_custom


APPENDIX H

TAP Mode

• Configuring DDoS Secure for Running in TAP Mode on page 205

Configuring DDoS Secure for Running in TAP Mode

DDoS Secure needs to detect the traffic flowing in both directions in order to detect Layer 7 attacks as well as detect when protected resources are beginning to get overloaded (for example, when a maximum TCP connection count is reached).

Doing this on a span port creates a challenge, as DDoS Secure has to identify which traffic is on the Internet side and which traffic is on the protected side. This is done by defining the location of different MAC addresses, which DDoS Secure then uses to determine what is protected traffic.

CAUTION: Running DDoS Secure in TAP mode will give rise to false positives, but for proof of concepts, the only acceptable way of demonstrating the capabilities of DDoS Secure is running DDoS Secure off a span port on a switch.


The reason for the false positives has to do with packet sequencing. For example, take the classic TCP 3-way handshake:

1. Client to server SYN

2. Server to client SYN-ACK

3. Client to server ACK

Packet 2 will be flowing through the switch containing the span port in the opposite direction. It is therefore possible (as a result of packet serializing within the switch) that these packets arrive at the DDoS Secure appliance in the following order:

1. Client to server SYN

2. Client to server ACK

3. Server to client SYN-ACK

Configuration

First, DDoS Secure needs to be configured as running in analyze-TAP mode. The switch span port should be connected to the Internet interface.

The same-side traffic needs to be evaluated with the intention of splitting it so that it flows to and from Internet and protected IP addresses. Figure 111 on page 206 displays the log tap details.

Figure 111: Logging Tap Details

The first part is traffic flowing to and from the Internet side (the MAC addresses reported are the source/destination MAC addresses) and the second part is traffic flowing to and from the protected side. It should be noted that, depending on how flat the network is, there might be legitimate traffic flowing to and from MAC addresses on the same side.

Expand located, and then located[Internet] and located[protected]. Figure 112 on page 207 displays the MAC Information of the appliance.


Figure 112: MAC Information for an Appliance

The located entries in red are MAC addresses that are being used for same-side traffic. For the snapshot scenario above, the main local network is 192.168.0.0/24. Line 13 shows a traffic IP address (in the red box) that is out of the local protected network range and so is likely to be a router for traffic going out to the Internet. A good candidate for moving to the protected side is line 14. This can be accomplished by simply clicking on the located field, and then clicking Move MAC. Figure 113 on page 207 displays the IP address that is out of the local protected network range.

Figure 113: IP Address Out of Local Protected Network Range

The MAC address is then configured as being on the protected side. Figure 114 on page 208 displays the protected side configuration.


Figure 114: Protected Side Configuration

Iterate through all the appropriate IP addresses. It is possible that you might inadvertently move across a MAC that should be on the Internet side (as it is an external router). Simply move that MAC address back again.

NOTE: Whenever a MAC address is moved, there is a general reset of the logic, so ARP/Traffic IP addresses might temporarily disappear.

Once the MAC addresses are sorted, DDoS Secure might still be subject to the false positives mentioned earlier. The MAC Information page might need to be revisited for more tuning.
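The side classification by MAC location and the span-port handshake reordering described in this appendix, modelled in Python as an added example that is not Juniper code; the MAC and IP addresses and the strict handshake tracker are constructed stand-ins, and the tracker shows how the span-port order produces the false positive the CAUTION warns about.

```python
"""Span-port (TAP) feed: MAC side classification and handshake reordering.

Added example, not Juniper code.  Models two things Appendix H describes:
assigning each frame to the Internet or protected side from a MAC "located"
table, and tracking the TCP three-way handshake.  MACs, IPs and the strict
tracker are constructed; it stands in for any state machine expecting wire order.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip flags")

# Constructed "located" table after the operator has used Move MAC: the web
# server's MAC sits on the protected side, the upstream router's on Internet.
LOCATED = {
    "00:00:5e:00:53:01": "Internet",   # upstream router
    "00:00:5e:00:53:10": "protected",  # web server 192.168.0.10
}

def side_of(mac, located=LOCATED):
    """Return 'Internet' or 'protected'; an unknown MAC defaults to Internet."""
    return located.get(mac.lower(), "Internet")

def direction(frame, located=LOCATED):
    """'to-protected', 'to-Internet', or 'same-side' (the red located entries)."""
    s, d = side_of(frame.src_mac, located), side_of(frame.dst_mac, located)
    if s == d:
        return "same-side"
    return "to-protected" if d == "protected" else "to-Internet"

def strict_handshake(frames, located=LOCATED):
    """Track SYN -> SYN-ACK -> ACK per (client, server) pair.

    Returns the anomalies seen.  In wire order the list is empty; in the order
    a span port can deliver (client ACK before the server's SYN-ACK) the ACK is
    reported as unexpected: the false positive the appendix warns about.
    """
    state, anomalies = {}, []
    for f in frames:
        d = direction(f, located)
        if f.flags == "SYN" and d == "to-protected":
            state[(f.src_ip, f.dst_ip)] = "SYN"
        elif f.flags == "SYN-ACK" and d == "to-Internet":
            key = (f.dst_ip, f.src_ip)
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
            else:
                anomalies.append(f"SYN-ACK without SYN for {key}")
        elif f.flags == "ACK" and d == "to-protected":
            key = (f.src_ip, f.dst_ip)
            if state.get(key) == "SYNACK":
                state[key] = "ESTABLISHED"
            else:
                anomalies.append(f"ACK before SYN-ACK for {key}")
    return anomalies

ROUTER, SERVER = "00:00:5e:00:53:01", "00:00:5e:00:53:10"
CLIENT_IP, SERVER_IP = "203.0.113.7", "192.168.0.10"
SYN = Frame(ROUTER, SERVER, CLIENT_IP, SERVER_IP, "SYN")
SYNACK = Frame(SERVER, ROUTER, SERVER_IP, CLIENT_IP, "SYN-ACK")
ACK = Frame(ROUTER, SERVER, CLIENT_IP, SERVER_IP, "ACK")
INLINE_ORDER = [SYN, SYNACK, ACK]  # what an inline deployment sees
SPAN_ORDER = [SYN, ACK, SYNACK]    # order a span port can serialize frames in
```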

Related Documentation

• Configuring DDoS Secure on page 46
