Configuring DDoS and BotNet Detector Based on QoE [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/01 11:05] – [1. Updating QoE] elena.krasnobryzh
en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/03 13:02] (current) – [7. Attack Analysis] elena.krasnobryzh
Line 17: Line 17:
 **On the GUI server.** **On the GUI server.**
  
-Update GUI to the latest version. Connect GUI to VAS Cloud if not already connected. Enable the aniddos license option.+[[en:dpi:dpi_components:dpiui:install_and_update:update|Update GUI]] to the latest version. Connect GUI to VAS Cloud if not already connected. Enable the aniddos license option.
  
 In the file ''/var/www/html/dpiui2/frontend/env.js'' set the option ''AppEnv.DDoSAttack_isVisible = 1;'' In the file ''/var/www/html/dpiui2/frontend/env.js'' set the option ''AppEnv.DDoSAttack_isVisible = 1;''
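Review bot: the license option name on the changed line reads "aniddos" on both the old and new side, which looks like a misspelling carried over; since this line is being edited anyway, confirm the name against what the license settings actually show and correct it here if needed. The new link covers only "Update GUI", so "Connect GUI to VAS Cloud" and the license step still have no pointer to where they are done; a link or a short path for each would make the three actions on this line equally followable.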
Line 91: Line 91:
   - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols.   - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols.
   - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}}   - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}}
-  - Check the Attack Log\\ Filter by previously selected subscribers and protocol.\\ Here you can get attack details and make additional conclusions to take actions.\\ For example, the screenshot below clearly shows port scanning on the same address via UDP protocol. In this case, it is sufficient to place the attacker IP into separate AS and set it to drop. +  - Analyze the Attack Log with a filter by previously selected subscribers and protocol.\\ You can extract attack details and make additional conclusions to take appropriate actions.\\ For example, in the screenshot below it is clearly visible that there is port scanning on the same address using the UDP protocol. In this case, it is sufficient to assign ''drop'' policy for the application protocol ''udp unknown'' to the attacking subscriber profile using session policing (service 18).\\ \\ This means that for the selected subscriber, all traffic matching this protocol will be completely blocked, i.e., both UDP flood and legitimate UDP traffic identified by DPI as udp unknown. 
-<note tip>AS blocking is detailed in the scenario [[en:dpi:qoe_analytics:cases:network_health:flood#blocking_ip_by_placing_into_autonomous_system|Blocking IP by placing it into an autonomous system]]</note>+ 
 +<note tip>More details about session policing configuration: [[en:dpi:dpi_options:opt_shaping:shaping_session]]</note> 
 {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\  {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\
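Review bot: the rewritten Attack Log step tells the operator to assign ''drop'' for ''udp unknown'' to the attacking subscriber profile but gives no scope or rollback, even though the added sentence itself states that legitimate UDP classified as udp unknown is blocked too. Suggest adding when the policy should be removed (for example after the Attack Log shows the scan has stopped) and a reminder to check what else the subscriber sends as udp unknown before applying it. The old text acted on "the attacker IP" while the new text acts on a subscriber profile, and the note linking the AS-based blocking scenario is removed outright; if AS blocking is still the right tool when the attacking address is not a subscriber, keep that link next to the new session policing one. The trailing "\\ \\" before "This means" renders as an empty line break inside the list item and can be reduced to a single "\\".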