Understanding Application-level DDoS Statistic Reporting

To successfully mitigate application-level distributed denial-of-service (DDoS) attacks on your network environment, you need to set the appropriate rule thresholds. To identify the appropriate thresholds, you need to analyze network statistical data. With application-level DDoS statistic reporting, you can collect application information on connection, context and rates, and data records from application requests destined for your protected servers. With this information, you can determine trends to help you create more efficient rules for your environment.

The main features of statistic reporting are described below.

Note: Statistic reports are saved on the Routing Engine (RE) data storage device in the /var/log/addos directory. There must be at least 2 GB of free space to allow report logging.

The IDP module polls for application-level DDoS records and takes a snapshot of current activity at intervals that you define. Each collected statistical record represents one application request data entry (context value) of up to 4 KB. The information collected includes the server IP address, zone, connection and context rates, protocol, Layer 7 service, and context values. The max-context-values setting determines how many records are collected per application context.

The file-naming convention for reports stored in /var/log/addos is the prefix addos-stats followed by the record creation timestamp in the format YYYYMMDDHHMMSS (year, month, day, hour, minute, second). For example, addos-stats-20100501091500 was created on May 1, 2010 at 9:15 AM.

The report files are in comma-separated value (.csv) format and should be copied off the device to be analyzed in a program that can read .csv files, such as Excel. See Table 59 for descriptions of each field in the application-level DDoS statistic record.

Table 59: Application-Level DDoS Statistic Record Fields

Field                    Description
-----                    -----------
time                     Time the event occurred.
record-type              Type of record that is created. Type app-record is supported.
record-data              Identifies the type of data collected (addos-http-url or addos-dns).
destination-ip           Destination IP address of the application request.
ddos-app-name            Name of the configured application object defined in the application-level DDoS rule.
conn/sec                 Connection attempts per second by the application.
context-name             Context name in the application header.
context-hits/tick        Number of context hits per tick interval. The default tick interval is 60 seconds.
context-value-hits/tick  Number of context value hits per tick interval. The default tick interval is 60 seconds.
context-value            Application context name. The context value is reported in both hexadecimal and ASCII formats and is no larger than 4 KB.

The following output shows an application-level DDoS statistic record.

2010:01:16:04:23:53,app-record,my-http,5.0.0.1,trust,6,http-url-parsed,1234/60sec,1234/60sec,ascii:/abc.html hex:2f6162632e68746d6c
2010:01:16:04:23:53,app-record,my-http,5.0.0.1,trust,6,http-url-parsed,932791/60sec,932791/60sec,ascii:/index.html hex:2f696e6465782e68746d6c

The following screen shot shows a formatted application-level DDoS statistic report.

[Screen shot s030648.gif: formatted application-level DDoS statistic report (image not reproduced)]

Note: To clear out statistics files that are no longer needed, run the operational command request system storage cleanup.

You can use the statistical data you collect to analyze application-level DDoS activity and identify the types and rates of application activity hitting your server. Typically, you will initially set your rules to have low thresholds with no action; then, once you profile your environment by analyzing the collected statistics, you can protect your servers by setting appropriate limits and configuring effective actions for attacks.
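As an added example, and not part of this documentation page or any Juniper tooling, the following Python script performs the offline analysis described above: it parses statistic records in the format of the sample output, decodes the hexadecimal form of the context value and checks it against the ASCII form, finds the peak context-value rate per server and context value, and turns each peak into a candidate per-tick limit for the profiling-then-limiting workflow. The column order follows the sample record on this page; the `zone` and `protocol` column names are taken from the description of the information collected, since Table 59 does not list them. The 1.5x headroom factor, the `parse_report_filename` helper, and the third sample line (a constructed record whose context value contains a comma) are assumptions made for the example.

```python
"""Added example: offline analysis of application-level DDoS statistic
records (addos-stats CSV lines).  Not part of the Juniper documentation."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Column order as it appears in the sample record on the page.  "zone" and
# "protocol" are not in Table 59; their names come from the description of
# the information collected (assumption).
FIELDS = ("time", "record-type", "ddos-app-name", "destination-ip", "zone",
          "protocol", "context-name", "context-hits/tick",
          "context-value-hits/tick", "context-value")

FILENAME_RE = re.compile(r"^addos-stats-(\d{14})$")
RATE_RE = re.compile(r"^(\d+)/(\d+)sec$")
VALUE_RE = re.compile(r"^ascii:(.*) hex:([0-9a-fA-F]*)$")

# Constructed sample: the two records shown on the page plus one made-up
# record whose context value contains a comma.
SAMPLE_LINES = [
    "2010:01:16:04:23:53,app-record,my-http,5.0.0.1,trust,6,http-url-parsed,"
    "1234/60sec,1234/60sec,ascii:/abc.html hex:2f6162632e68746d6c",
    "2010:01:16:04:23:53,app-record,my-http,5.0.0.1,trust,6,http-url-parsed,"
    "932791/60sec,932791/60sec,ascii:/index.html hex:2f696e6465782e68746d6c",
    "2010:01:16:04:24:53,app-record,my-http,5.0.0.1,trust,6,http-url-parsed,"
    "7/60sec,7/60sec,ascii:/a,b.html hex:2f612c622e68746d6c",
]


def parse_report_filename(name):
    """Return the creation time encoded in an addos-stats report file name."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError("not an addos-stats report name: %r" % name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S")


def parse_rate(text):
    """'1234/60sec' -> (1234, 60): hits and the tick length in seconds."""
    m = RATE_RE.match(text)
    if not m:
        raise ValueError("bad rate field: %r" % text)
    return int(m.group(1)), int(m.group(2))


def parse_context_value(text):
    """Decode the 'ascii:... hex:...' field.

    The hexadecimal form is treated as authoritative (it can carry any byte);
    the ASCII form is checked against it so a truncated or corrupted record
    is rejected instead of silently yielding a wrong value.
    """
    m = VALUE_RE.match(text)
    if not m:
        raise ValueError("bad context-value field: %r" % text)
    ascii_form, hex_form = m.group(1), m.group(2)
    decoded = bytes.fromhex(hex_form).decode("ascii", errors="replace")
    if decoded != ascii_form:
        raise ValueError("ascii and hex forms disagree: %r" % text)
    return decoded


def parse_record(line):
    """Parse one CSV record into a dict keyed by the FIELDS names.

    The context value is the last column and may itself contain commas, so
    the line is split on at most len(FIELDS)-1 commas rather than with the
    csv module.
    """
    parts = line.rstrip("\r\n").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.strptime(rec["time"], "%Y:%m:%d:%H:%M:%S")
    rec["protocol"] = int(rec["protocol"])
    rec["context-hits/tick"] = parse_rate(rec["context-hits/tick"])
    rec["context-value-hits/tick"] = parse_rate(rec["context-value-hits/tick"])
    rec["context-value"] = parse_context_value(rec["context-value"])
    return rec


def peak_value_rates(lines):
    """Peak context-value hits per tick for each (app, server, context, value)."""
    peaks = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["ddos-app-name"], rec["destination-ip"],
               rec["context-name"], rec["context-value"])
        hits, _tick = rec["context-value-hits/tick"]
        peaks[key] = max(peaks[key], hits)
    return dict(peaks)


def suggest_threshold(peak_hits, headroom=1.5):
    """Candidate per-tick limit: the observed peak plus headroom, rounded up
    to a multiple of 100.  The 1.5x factor is an assumption for the example;
    derive your own from a representative baseline period."""
    return int(math.ceil(peak_hits * headroom / 100.0)) * 100


if __name__ == "__main__":
    for key, peak in sorted(peak_value_rates(SAMPLE_LINES).items()):
        print("%s %s %s %r: peak %d/tick, candidate limit %d"
              % (key + (peak, suggest_threshold(peak))))
```

Run the script against the concatenated contents of the addos-stats files copied off the device; a peak that dwarfs the rest (such as the 932791/tick value for /index.html in the sample) is the kind of outlier to inspect before treating it as part of the baseline, since an attack window captured during profiling would otherwise inflate the suggested limit.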
