Supported DDoS attack types and signatures


Wanguard doesn't need a "signature database". Signatures are needed by IDSes and IPSes, not by DDoS mitigation systems which deal solely with volumetric attacks. The attack types are differentiated through decoders, and you can enable a lot of them in Configuration » General Settings » Anomaly Detection. Most decoders are hard-coded for performance reasons.

You can define packets/s and bits/s thresholds for the following built-in decoders: IP, TCP, TCP+SYN, UDP, ICMP, OTHER, BAD, TCP-NULL, TCP+RST, TCP+ACK, TCP+SYNACK, NETBIOS, HTTP, HTTPS, MAIL, DNS, SIP, IPSEC, WWW, SSH, NTP, SNMP, RDP, YOUTUBE, NETFLIX, HULU AND FACEBOOK. Each decoder is described in detail in the User Guide.
Note that we regularly add or modify existing decoders, based on user feedback. You can also create your own decoders using BPF expressions or Flow Filtering expressions.
In the default configuration, a few high-level thresholds are defined for the decoders IP, SYN, TCP, UDP, ICMP, and OTHER.

Wanguard Sensor is able to detect anomalies without the use of previously-set thresholds through "traffic profiling". Traffic profiling is a feature used to detect unusual traffic spikes.



Author
Andrisoft Team
Date Created
2014-01-22 13:42:13
Date Updated
2017-11-29 03:41:56
Views
11824