One of the most powerful and unique features implemented in WANGuard Platform is the extensible and automatic reaction to traffic anomalies. The WANGuard Platform treats a traffic anomaly as traffic reaching a predefined threshold, defined per IP or per subnet.
Build complex event processing rules through the WANGuard Console web interface
When a traffic threshold is reached, the WANGuard Sensor is able to take predefined actions at the beginning, during or at the end of a traffic anomaly, if the required preconditions are met. Some examples of actions already implemented:
- activate WANGuard Filter for DDoS mitigation
- alert the NOC Staff by email
- send Syslog messages to remote log servers
- send BGP announcements for blackholing
- execute custom scripts. Examples:
  - configure ACLs or execute PIX "shun" command to filter traffic towards destination IP
  - send SNMP TRAP messages to SNMP monitoring stations
  - display the routers that are being transited by the anomalous traffic
When WANGuard Filter is activated to mitigate a DDoS attack, predefined actions may be taken at the start, during or at the end of a detected attack pattern:
- alert attacker's ISP via email
- alert the NOC Staff by email
- send custom Syslog messages to remote log servers
- execute custom scripts. Examples:
  - configure ACLs or execute PIX "shun" command to filter attacking IPs
  - issue route blackhole commands on the attacked Linux servers to filter attacking IPs
  - send SNMP TRAP messages to SNMP monitoring stations