Detecting DDoS attacks, BotNet activity, and visits to specific resources using triggers in QoE [Документация VAS Experts]

en:dpi:qoe_analytics:cases:network_health:triggers_setup [2025/10/31 12:14] elena.krasnobryzh
en:dpi:qoe_analytics:cases:network_health:triggers_setup [2025/12/10 16:01] (current) elena.krasnobryzh
Line 18: Line 18:
 === General trigger information === === General trigger information ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_common.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_common.png?nolink&600 |}}
  
 Trigger name: “DDOS source detection”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set. Trigger name: “DDOS source detection”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.
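Review bot: the media path is changed in two ways at once in this hunk, gaining the `en:` prefix and dropping the `triggers_setup` namespace segment (`:dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_common.png` becomes `:en:dpi:qoe_analytics:cases:network_health:ddos_common.png`); confirm the file was actually uploaded under the new namespace, because DokuWiki renders a missing media file as a placeholder link rather than failing the edit. The same rewrite is applied to every image hunk below, so a single file left in the old namespace would silently break that section's screenshot.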
Line 26: Line 26:
 === Queries === === Queries ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_query.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_query.png?nolink&600 |}}
  
   * Add field   * Add field
Line 37: Line 37:
 === Conditions === === Conditions ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_conditions.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_conditions.png?nolink&600 |}}
  
   * Add two "+" fields   * Add two "+" fields
Line 49: Line 49:
 === Error handling === === Error handling ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_error.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_error.png?nolink&600 |}}
  
   * “If no errors” — no data   * “If no errors” — no data
Line 59: Line 59:
 == E-mail action == == E-mail action ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_email.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_email.png?nolink&600 |}}
  
   * Click the "</>" icon to auto-fill the form   * Click the "</>" icon to auto-fill the form
Line 67: Line 67:
 == Notification == == Notification ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_notification.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_notification.png?nolink&600 |}}
  
   * Click "</>" to auto-fill the form   * Click "</>" to auto-fill the form
   * Select notification type — “Warning”   * Select notification type — “Warning”
   * A notification will be created in the SSG system   * A notification will be created in the SSG system
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_alerts.png?nolink&600 |}} 
  
 The report link can be obtained from the notifications menu. The report link can be obtained from the notifications menu.
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_report.png?nolink&400 |}} 
  
 Select the notification   Select the notification  
 Click **Details** Click **Details**
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_details.png?nolink&400 |}} 
  
 Follow the report link — it will open in a new browser window. Follow the report link — it will open in a new browser window.
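Review bot: three screenshots (`ddos_alerts.png`, `ddos_report.png`, `ddos_details.png`) are deleted without replacements, so the steps "Select the notification", "Click Details" and "Follow the report link" under the Notification action are now the only part of the walkthrough with no illustration, while every other subsection keeps its image. If they were dropped only because they had not been migrated to the `en:` namespace, re-add them with the new path like the `ddos_notification.png` line above; if the removal is intentional, consider folding the two bare step lines into the bullet list that precedes them so they do not read as stray sentences.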
Line 88: Line 82:
 == HTTP action == == HTTP action ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_http.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_http.png?nolink&600 |}}
  
 Click "</>" to auto-fill the form, select the method suitable for your ticket system, and enter the URL address. Click "</>" to auto-fill the form, select the method suitable for your ticket system, and enter the URL address.
Line 99: Line 93:
 === Queries === === Queries ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_target_query.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_target_query.png?nolink&600 |}}
  
 In the report field, select Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi In the report field, select Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi
Line 105: Line 99:
 === Conditions === === Conditions ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:ddos_target_conditions.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_target_conditions.png?nolink&600 |}}
  
 Series — “Flow volume to subscribers, Pct/s” >= 10000 Series — “Flow volume to subscribers, Pct/s” >= 10000
Line 116: Line 110:
 === Queries === === Queries ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:botnet_query.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:botnet_query.png?nolink&600 |}}
  
   * Select Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for “A”   * Select Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi for “A”
Line 123: Line 117:
 === Conditions === === Conditions ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:botnet_conditions.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:botnet_conditions.png?nolink&600 |}}
  
 Since BotNet often uses ports 6667 and 1080 — add each destination/source port by selecting query “B” with “OR” condition, and Flow Pcts/s >= 2000. Since BotNet often uses ports 6667 and 1080 — add each destination/source port by selecting query “B” with “OR” condition, and Flow Pcts/s >= 2000.
Line 133: Line 127:
 === General trigger information === === General trigger information ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_common.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:competitors_common.png?nolink&600 |}}
  
 Trigger name: “Interest in competitors”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set. Trigger name: “Interest in competitors”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.
Line 141: Line 135:
 === Queries ===  === Queries === 
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_query.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:competitors_query.png?nolink&600 |}}
  
   * Add “+” field   * Add “+” field
Line 151: Line 145:
 === Conditions === === Conditions ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_conditions.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:competitors_conditions.png?nolink&600 |}}
  
   * Add 3 “+” fields   * Add 3 “+” fields
Line 161: Line 155:
 === Error handling === === Error handling ===
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_errors.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_error.png?nolink&600 |}}
  
   * “If no errors” — no data   * “If no errors” — no data
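Review bot: the Error handling screenshot for the "Interest in competitors" trigger now points at `ddos_error.png`, the same file the DDoS trigger's Error handling section uses earlier in this diff, rather than an `en:` counterpart of the removed `competitors_errors.png`. If the form is identical for both triggers that is acceptable, but a screenshot showing the DDoS trigger's name or query would mislead a reader configuring the competitors trigger; the E-mail, Notification and HTTP hunks below make the same substitution, so either upload competitor-specific images or say in the text that the screens are shared.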
Line 171: Line 165:
 == E-mail action == == E-mail action ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_email.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_email.png?nolink&600 |}}
  
   * Click to auto-fill the form   * Click to auto-fill the form
Line 180: Line 174:
 == Notification == == Notification ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_notifications.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_notification.png?nolink&600 |}}
  
   * Click "</>" to auto-fill the form   * Click "</>" to auto-fill the form
   * Select notification type — “Warning”   * Select notification type — “Warning”
   * A notification will be created in the SSG system   * A notification will be created in the SSG system
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_alerts.png?nolink&600 |}} 
  
 The report link can be obtained from the notifications menu. The report link can be obtained from the notifications menu.
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_report.png?nolink&400 |}} 
  
 Select the notification   Select the notification  
 Click **Details** Click **Details**
- 
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_details.png?nolink&400 |}} 
  
 Follow the report link — it will open in a new browser window. Follow the report link — it will open in a new browser window.
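Review bot: besides swapping `competitors_notifications.png` for the DDoS `ddos_notification.png`, this hunk deletes `competitors_alerts.png`, `competitors_report.png` and `competitors_details.png` with nothing in their place, mirroring the DDoS Notification hunk above. The sentence "The report link can be obtained from the notifications menu" and the "Select the notification / Click Details" steps were illustrated by exactly those images; if they exist under the new namespace, re-add them with the `:en:dpi:qoe_analytics:cases:network_health:` path instead of leaving this walkthrough unillustrated.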
Line 201: Line 189:
 == HTTP action == == HTTP action ==
  
-{{ :dpi:qoe_analytics:cases:network_health:triggers_setup:competitors_http.png?nolink&600 |}}+{{ :en:dpi:qoe_analytics:cases:network_health:ddos_http.png?nolink&600 |}}
  
   * Click "</>" to auto-fill the form   * Click "</>" to auto-fill the form