Reports » Tools » Anomalies

This report provides live and historical data related to DoS, DDoS, and other traffic anomalies. The number of active traffic anomalies is displayed inside the Reports » Tools panel. This number is refreshed every 10 seconds. The color of the number reflects the highest severity of the active anomalies

The Anomalies tab contains 3 sub-tabs located at the lower left side of the window:

Active Anomalies

It shows a listing with active anomalies where each row represents an active anomaly. The columns are:

Unique index of the anomaly. Click it to open a detailed anomaly report

Prefix

The IP address/class subject of the traffic anomaly, and its reverse DNS.
In front of the prefix, the arrow indicates the direction of traffic: inbound when the arrow
is pointing towards the prefix, or outbound when the arrow is pointing away from the prefix.
Click it to open a new tab or window with data specific to that prefix. A cloud icon located on
the right of the prefix indicates that the IP is external, thus not included in the IP Zone

IP Group

The IP group of the prefix. Click it to open a new tab with data specific to that IP group

Anomaly

A short description of the anomaly

Speed (Latest)

The peak value of the abnormal traffic. The latest value is displayed between parentheses

Sensor Interface

On which Packet Sensor or Flow Sensor Interface the anomaly was detected. Click it to open a new tab with data specific to that Sensor Interface

From

The time and date when the anomaly started

Latest Alarm

How much time has passed since the most recent detection of the anomaly

Pkts/s – Bits/s

The latest packets/second and bits/second throughput of the IP decoder

Severity

The exact rule severity and link severity are displayed as a tool-tip.
The rule severity field graphically represents the ratio between the abnormal traffic and the
threshold value. Every bar represents 100% of the threshold value
The color of the severity indicates the link’s severity: 0-25% blue, 25%-50% yellow, 50%-75%
orange, 75%-100% red. The link’s severity is the ratio between the abnormal traffic and the
overall traffic of the link (Sensor or interface) for pkt/s thresholds, or the ratio between the
abnormal traffic and the link capacity for bits/s thresholds

Actions

Actions available for administrators, operators, and guests with proper permissions:
Enable Manual Action(s) – execute all actions configured for manual execution
Classify/Set Comment – add or modify comments, or manually classify the impact of
anomalies. It is used only for reporting purposes and does not impact IP profiling
View Live Graph – available if IP Graphing is enabled for the prefix
Open Packet Dump – available for Packet Sensors when the Response contains a
traffic capturing action
Open Flow List – available for Flow Sensors with the Flow Collector feature enabled
Shows bi-directional flows that started or ended during the selected time interval.
Flow listings may have an up to 5-minute delay due to flow data file buffering. Time
zone differences are not adjusted
Delete BGP Prefix – available if a BGP announcement with the prefix exists
Generate Anomaly Report – generates a full anomaly report that can be viewed in a
separate tab
Expire Anomaly – instructs the Sensor to clear the anomaly immediately, even if it’s
still active. The detecting Sensor must be running for the action to take effect

ADDITIONAL PARAMETERS VISIBLE WHEN DISPLAY IS SET TO “FULL”:

Total Pkts

Absolute number of packets counted since the anomaly started

Total Bits

Absolute number of bits counted since the anomaly started

Overall Traffic

Percentage value between the decoder traffic and the IP traffic

Threshold

Threshold value and unit

IP Zone
(Inheritance)

IP Zone used by the detecting Sensor. Click it to open the most specific prefix settings

Template

Threshold Template containing the threshold rule, if any

Expiration

Seconds that must pass for the anomaly to be considered inactive

Response
Actions
Name of the Response and a list of actions (with the Record Action parameter set) that
were executed

Comments

This field is hidden if the Classify/Set Comment action was not used

When a Filter detects a filtering rule, a new table is displayed within the same row with the traffic anomaly. In most themes, the rows of the Filter table have a red background for active filtering rules and a yellow background for inactive filtering rules.

Filter

Name of the Filter that detected the filtering rule. Click it to open a new tab with Filter-specific data

Filtering Rule

A summary of the filtering rule detected to isolate the malicious traffic. The filtering rules that are enabled for the decoder are listed in Configuration » General Settings » Anomaly Mitigation
A white flag within the same row indicates that the filtering rule conflicts with a whitelist rule, which also means that it was not applied to any Firewall

Started

Date and time when the filtering rule was generated

Latest Alarm

Latest time when the filtering rule matched traffic above the threshold value

Pkts/s (Peak)

Packets/second value for the traffic matching the filtering rule. In parentheses, peak pkts/s value

Bits/s (Peak)

Bits/second value for the traffic matching the filtering rule. In parentheses, peak bits/s value

Firewall

Indicates the firewall backend(s) that applied the filtering rule: NetFilter Firewall Dataplane Firewall Hardware Offload BGP Flowspec or S/RTBH Third-party Firewall

Scrubbed

Percentage of abnormal traffic mitigated

Pkts

Absolute value with the packets matched by the filtering rule

Bits

Absolute value with the bits matched by the filtering rule

Actions

  • Open Packet Dump – available for Packet Filters when the Response contains a traffic capturing action

  • Open Flow List – available for Flow Sensors with the Flow Collector feature enabled. Shows bi-directional flows that started or ended during the selected time interval. Flow listings may have a 5-minute delay due to flow file buffering. Time zone differences are not adjusted

  • Expire Filtering Rule – instructs the Filter to clear the filtering rule and the corresponding firewall rules immediately

Anomaly Archive

It lists all traffic anomalies sorted by time, in descending order. By clicking the down arrow on any column header, you can apply row filters, change sorting direction, or toggle the visibility of columns.

The [+] sign from the first column expands the anomaly for additional information, mitigation data, etc. The columns are explained in the previous section.

Anomaly Overview

Provides trends and summarizations of traffic anomalies detected on the selected Sensor Interfaces, using the selected decoders, for the selected time-frame.

Anomaly Distribution

Provides pie charts with various anomaly statistics.