| en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/02/19 13:37] – elena.krasnobryzh | en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/03 13:02] (current) – [7. Attack Analysis] elena.krasnobryzh |
|---|
| **On the QoE server.** | **On the QoE server.** |
| |
| Update QoE to the latest version, stopping the receivers beforehand. Before starting receivers, patch ClickHouse: | [[en:dpi:qoe_analytics:implementation_administration:installation_update:update|Update QoE]] to the latest version, stopping the receivers beforehand. Before starting receivers, patch ClickHouse: |
| <code>dnf --refresh install clickhouse-patched</code> | <code>dnf --refresh install clickhouse-patched</code> |
| Start the receivers. | Start the receivers. |
| **On the GUI server.** | **On the GUI server.** |
| |
| Update GUI to the latest version. Connect GUI to VAS Cloud if not already connected. Enable the aniddos license option. | [[en:dpi:dpi_components:dpiui:install_and_update:update|Update GUI]] to the latest version. Connect GUI to VAS Cloud if not already connected. Enable the aniddos license option. |
| |
| In the file ''/var/www/html/dpiui2/frontend/env.js'' set the option ''AppEnv.DDoSAttack_isVisible = 1;'' | In the file ''/var/www/html/dpiui2/frontend/env.js'' set the option ''AppEnv.DDoSAttack_isVisible = 1;'' |
| - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols. | - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols. |
| - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}} | - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}} |
| - Check the Attack Log\\ Filter by previously selected subscribers and protocol.\\ Here you can get attack details and make additional conclusions to take actions.\\ For example, the screenshot below clearly shows port scanning on the same address via UDP protocol. In this case, it is sufficient to place the attacker IP into a separate AS and set it to drop. | - Analyze the Attack Log with a filter by previously selected subscribers and protocol.\\ You can extract attack details and make additional conclusions to take appropriate actions.\\ For example, in the screenshot below it is clearly visible that there is port scanning on the same address using the UDP protocol. In this case, it is sufficient to assign a ''drop'' policy for the application protocol ''udp unknown'' to the attacking subscriber profile using session policing (service 18).\\ \\ This means that for the selected subscriber, all traffic matching this protocol will be completely blocked, i.e., both UDP flood and legitimate UDP traffic identified by DPI as udp unknown. |
| <note tip>AS blocking is detailed in the scenario [[en:dpi:qoe_analytics:cases:network_health:flood#blocking_ip_by_placing_into_autonomous_system|Blocking IP by placing it into an autonomous system]]</note> | |
| | <note tip>More details about session policing configuration: [[en:dpi:dpi_options:opt_shaping:shaping_session]]</note> |
| {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\ | {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\ |
| |
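Review bot: In the rewritten Attack Log step, the remedy now targets "the attacking subscriber profile", but the preceding step collects "TOP Attacking IP Addresses" and the removed wording acted on "the attacker IP". Say explicitly whether the session policing drop (service 18) is usable when the attacking address is not one of the operator's subscribers, or keep the removed AS-blocking note as the alternative for that case. The sentence on side effects (legitimate traffic classified as udp unknown is dropped as well) is what an operator most needs to read before acting, so it would sit better in a note block directly under the instruction than after the empty "\\ \\" break, ideally with a reminder to lift the drop policy once the attack has stopped.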