FortiKoala
Staff
Article Id 194333
Description
This article explains the fields of the following IPS DDoS anomaly log sample:

date=2014-12-17 time=10:34:32 vd=Z2O-IPS pri=alert type=ips subtype=anomaly attack_name=ip_src_session count=744 dst=194.72.6.57 dst_port=53 dstname=ns3.bt.net msg="anomaly: ip_src_session, 11927 > threshold 10000, repeats 744 times" severity=critical src=172.23.104.183 src_int=Z2_EgAc_106 src_port=53379 status=detected

Solution
What does "11927 > threshold 10000" mean?
The threshold is the value configured in the DDoS policy for the ip_src_session rule. The rule samples the traffic sent by an individual source IP address and compares the sampled value against that threshold; here the sampled value (11927) exceeded the configured threshold (10000).

How does this threshold work?
The IP flows for a particular source IP address are sampled approximately every second. In this sample, the number of IP flows was below the threshold (10000) at the previous sampling and above it (11927) at the next sampling, which is what triggered the log.

What does "repeats 744 times" mean?
This is the number of times this DDoS rule has been triggered. In this sample the count=744 field of the log corresponds to the "repeats 744 times" part of the msg field.
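To make the log fields and the sampling explanation concrete, here is an added Python example that is not part of the article or of any Fortinet product: it splits the sample line above into key=value fields, extracts the observed value, threshold and repeat count from the msg string, checks that they agree with the count field, and models the per-second sampling described above. The sample_flows model and the flow counts fed to it are constructed assumptions, not FortiOS internals.

```python
"""Parse a FortiGate IPS anomaly log line and model the sampling threshold."""
import re
import shlex

# The log line quoted in the article above.
SAMPLE_LOG = (
    'date=2014-12-17 time=10:34:32 vd=Z2O-IPS pri=alert type=ips subtype=anomaly '
    'attack_name=ip_src_session count=744 dst=194.72.6.57 dst_port=53 dstname=ns3.bt.net '
    'msg="anomaly: ip_src_session, 11927 > threshold 10000, repeats 744 times" '
    'severity=critical src=172.23.104.183 src_int=Z2_EgAc_106 src_port=53379 status=detected'
)

# Shape of the msg field as shown in the article's sample.
MSG_RE = re.compile(
    r"anomaly: (?P<name>\S+), (?P<observed>\d+) > threshold (?P<threshold>\d+), "
    r"repeats (?P<repeats>\d+) times"
)


def parse_log(line):
    """Split a key=value log line into a dict; shlex keeps the quoted msg together."""
    fields = dict(token.split("=", 1) for token in shlex.split(line))
    match = MSG_RE.fullmatch(fields["msg"])
    if match is None:
        raise ValueError(f"unexpected msg format: {fields['msg']!r}")
    fields["observed"] = int(match.group("observed"))
    fields["threshold"] = int(match.group("threshold"))
    fields["repeats"] = int(match.group("repeats"))
    fields["count"] = int(fields["count"])
    return fields


def check_consistency(fields):
    """The two points the article makes: the sample exceeded the threshold,
    and the count field equals the repeat count embedded in msg."""
    return fields["observed"] > fields["threshold"] and fields["count"] == fields["repeats"]


def sample_flows(per_second_counts, threshold):
    """Constructed model of the per-second sampling: every sample whose flow count
    exceeds the threshold triggers the anomaly. Returns (first_trigger_index, repeats)."""
    first, repeats = None, 0
    for index, flows in enumerate(per_second_counts):
        if flows > threshold:
            repeats += 1
            if first is None:
                first = index
    return first, repeats
```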
