| en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/03 13:02] – [7. Attack Analysis] elena.krasnobryzh | en:dpi:dpi_options:opt_ddos:qoe_ddos [2026/04/14 15:01] (current) – elena.krasnobryzh |
|---|
| * ''QOESTOR_FM_METRICS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''7'' | * ''QOESTOR_FM_METRICS_AGG_LOG_PARTITIONS_LIFE_TIME_DAYS'' = ''7'' |
| |
| {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_1.png?direct&1100|}} | {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_1.png?nolink&1100|}} |
| |
| =====7. Attack Analysis===== | =====7. Attack Analysis===== |
| Detected attacks can be examined in the DDoS attack sections in QoE Analytics. | Detected attacks can be examined in the DDoS attack sections in QoE Analytics. |
| |
| - Start with the "TOP Attacks" section for the last 24 hours.\\ Sort attacks by number of sessions and note a few IPs with the highest session count.\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_3.png?direct&700|}} | - Start with the "TOP Attacks" section for the last 24 hours.\\ Sort attacks by number of sessions and note a few IPs with the highest session count.\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_3.png?nolink&700|}} |
| - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols. | - Check the "TOP Attacks by Protocols" section\\ Also sort by session count. Note these protocols. |
| - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?direct&700|}} | - Check the "TOP Attacking IP Addresses" section, note a few IPs with the highest session count\\ {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_2.png?nolink&700|}} |
| - Analyze the Attack Log with a filter by previously selected subscribers and protocol.\\ You can extract attack details and make additional conclusions to take appropriate actions.\\ For example, in the screenshot below it is clearly visible that there is port scanning on the same address using the UDP protocol. In this case, it is sufficient to assign a ''drop'' policy for the application protocol ''udp unknown'' to the attacking subscriber profile using session policing (service 18).\\ \\ This means that for the selected subscriber, all traffic matching this protocol will be completely blocked, i.e., both UDP flood and legitimate UDP traffic identified by DPI as udp unknown. | - Analyze the Attack Log with a filter by previously selected subscribers and protocol.\\ You can extract attack details and make additional conclusions to take appropriate actions.\\ For example, in the screenshot below it is clearly visible that there is port scanning on the same address using the UDP protocol. In this case, it is sufficient to assign a ''drop'' policy for the application protocol ''udp unknown'' to the attacking subscriber profile using session policing (service 18).\\ \\ This means that for the selected subscriber, all traffic matching this protocol will be completely blocked, i.e., both UDP flood and legitimate UDP traffic identified by DPI as udp unknown. |
| |
| <note tip>More details about session policing configuration: [[en:dpi:dpi_options:opt_shaping:shaping_session]]</note> | <note tip>More details about session policing configuration: [[en:dpi:dpi_options:opt_shaping:shaping_session]]</note> |
| |
| {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?direct&1100|}}\\ | {{:en:dpi:dpi_options:opt_ddos:qoe_ddos_4.png?nolink&1100|}}\\ |
| |
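Review bot: switching ''?direct'' to ''?nolink'' on qoe_ddos_1.png through qoe_ddos_4.png removes the click-through to the full-size image, which matters most for qoe_ddos_4.png, because step 4 tells the reader that the UDP port scan "is clearly visible" in the screenshot below. If the source screenshots are larger than the rendered widths (700 and 1100), keep ''?direct'' at least on qoe_ddos_4.png, or confirm that the Attack Log rows stay legible at the scaled size before dropping the link.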