14. Network & Policy » Threshold Template

To add a new Threshold Template, go to Configuration » Network & Policy, click the [+] button from the title bar, and then select [Threshold Template]. Threshold Templates are mainly used to add identical thresholds to multiple prefixes.

THRESHOLD_TEMPLATE_8.10.png

Every threshold rule contains the following metrics:

Domain – Sensors can detect anomalies to/from an internal IP contained in the selected subnet or to/from the subnet taken as a whole. If the selected subnet is 0.0.0.0/0, then a third option is possible, which allows detection anomalies to/from external IPs (for this third option to work, the Stats Engine parameter from the Sensor configuration has to be set accordingly)
Direction – The direction of traffic can be “receives” for the inbound traffic received by the prefix or “sends” for the outbound traffic sent by the prefix
Comparison – Select “over” to detect volumetric anomalies (e.g., DrDoS, DDoS) or “under” to detect a gap in the expected traffic
Value – The threshold value can be entered as an absolute number or as a percentage of the total traffic matched by the selected decoder per Sensor interface. Absolute values can be multiples of 1000 with K (kilo) appended, multiples of 1 million with M (mega) appended, or multiples of 1 billion with G (giga) appended
Decoder – Select one of the decoders enabled in General Settings » Anomaly Detection
Unit – DDoS attacks usually reach a very high number of packets per second, so the “pkts/s” option is the best way to detect them. For bandwidth-related anomalies, select “bits/s”
Response – Select a previously defined Response, or select “None” to have no reaction to anomalies other than displaying them in Reports » Tools » Anomalies » Active Anomalies
Parent – Select “Yes” if more specific prefixes should inherit the threshold. You can cancel inherited thresholds by defining a similar threshold with “Unlimited” selected in the Value field
Inheritance – Displays the parent prefix when the rule is inherited from a less specific prefix
Adding a threshold rule on 0.0.0.0/0 that reads, “Internal IP receives over 5% TCP+SYN pkts/s” catches port scans and all significant SYN attacks towards any IP address belonging to your network. A threshold rule on 0.0.0.0/0 that reads, “Subnet sends under 1 IP bits/s” executes the Response when the link goes down.

Note

Adding similar threshold rules in the same prefix or Threshold Template is not allowed, even when the rules have different values or Responses. To execute different actions for different threshold values, define only the smallest threshold value, and then make use of preconditions inside the Response. For example, if you want to activate Wanguard Filter for UDP attacks stronger than 100 Mbps but you also want to null-route them when they reach 1 Gbps, add only the “Internal IP receives over 100M UDP bits/s” rule. Then, inside the Response add two actions: one that activates Filter without preconditions, and another that executes the null-routing BGP announcement with the precondition “Peak Value” “greater than” “1G”.

14.1. Best Practices for Traffic Thresholds

✔ TCP+SYN thresholds on IPs should be configured to low values, usually at around 500-1000 packets/s. TCP uses packets with the SYN flag set only when establishing new TCP connections; very few services (e.g., high volume websites) are able to handle more than 1000 new TCP connections every second. SYN packets are used for SYN flooding
✔ TCP bits/s thresholds should be configured to your maximum bandwidth level per IP. TCP packets carry on average around 500 bytes of data. Setting a threshold of 15k TCP packets/s should be enough for medium-sized networks
✔ ICMP thresholds should be configured to very low levels, 50-100 packets/s. ICMP is used for Ping flooding, while legitimate ICMP traffic is never above a few packets/s
✔ UDP traffic usually exhibits high packets/s and low bits/s values, so you can configure low values for bits/s. Setting UDP packets/s thresholds at around 15k/s per destination should not generate false positives while catching significant UDP flood attacks. A special attention has to be paid lately to the QUIC protocol, which encapsulates high-bandwidth HTTP traffic inside UDP packets
✔ OTHER decoder matches all non-TCP, non-UDP, and non-ICMP traffic. You can configure thresholds for OTHER if you have non-standard applications in your network. Over 90% of Internet traffic is either TCP or UDP
✔ Enable additional decoders, such as HTTP, MAIL, NTP, etc., to configure thresholds for specific services and servers. Most DDoS amplification attacks are captured by the following decoders: MEMCACHED, NTP, SSDP, CHARGEN, CLDAP
✔ If you open an IP Zone and select 0.0.0.0/0, you will be able to configure thresholds for external IPs (IPs not belonging to your network). This is useful to catch external IPs that scan or attack your network with very few packets sent to each of your IPs
✔ You could add “illegal” IP address ranges that should never be seen in regular traffic (unallocated IP addresses or parts of your internal IP address range that are unoccupied). If you add small thresholds to these, you will catch malicious activities such as scans and worms