      I've been reading quite a lot about this subject recently. We have clients who often trigger these statistical anomaly alerts that fall under the volume-based DoS attacks. When the client is made aware of this, they say this is normal traffic and would like to see some tuning or possible filtering of this signature. Can this be done? Is it possible to filter IPs or IP ranges from this policy? My understanding is that there are no sources or destinations provided when these signatures trigger. If this is seen as normal traffic on a client's network, would a re-learn be more appropriate, or can this be tuned?

          The first question to ask is whether they brought up any new systems/services that could be causing this. If yes, the DoS profile for the interface should be set to learning mode (even in detection mode the sensor still learns, but if the change is so dramatic that it triggers the alerts, maybe set it to learning mode during the busier periods).


          Second, what type of traffic do they have? Does it vary with seasons? I.e. more traffic over weekends or Xmas or football games? If so, lower the DoS sensitivity on the policy to low? Again, maybe learning mode over busier periods in combination with a lower sensitivity may help.


          You could also disable the DoS anomaly alerts for their policy, but looking at traffic patterns (when does the alert trigger, and possible causes) should help you tune sensitivity or set the sensor into learning mode if required.


          The DoS alerts generated should show you the top 3 IP sources/destinations and packet rate anomaly, so that should help you understand what the src/dst IP is.


          On the sensor's CLI, 'show dospreventionprofile' will also provide valuable information - check the CLI guide for details on how to read the output.


          And finally... not sure about trusting the customer on the 'it is normal traffic'. If they can explain why they say it is normal... it's a good start and should help you tune the devices... but if they say 'it is just normal'... well...




