guidelines for the flood signatures

darin.marais · ‎01-22-2004

I'm looking for some guidelines for the flood signatures

ICMP Flood

UDP Flood

Net Flood ICMP Request

Net Flood ICMP Reply

Net Flood ICMP Any

Net Flood UDP

I have used the "diagnostic" mode to determine values for these signatures but I am really not sure if the values that I have chosen are not maybe to high. I wonder if anyone would be able to share some information/guidelines on values they consider to be normal in a network. > Say for instances min/max values for small, medium and large networks.

What maximum levels should be considered as totally abnormal for each of these events.

Do people choose to filter certain hosts for these alarms like for instance network management station; dns servers etc. after averages have been determined.

Should a rule of thumb be never filter source or destinations for these events?

Any ideas would be greatly appreciated

mcerha · ‎01-28-2004

The values computed by the diagnostic mode represent a snapshot in time of your network. Unfortunately, we don't compute any kind of intelligent threshold for you at this time. So, you'll need to take a sampling of the traffic rates reported back in the alarms while in diagnostic mode and average them to compute your specific thresholds. The time of day can affect this threshold. For instance, the profile of the network might change when people go home for the day, so this will need to be taken into account. Every network has it's own unique peculiarities, and generic recommendations are hard to make. In general though, take your computed thresholds and bump them up some (5-10%) to iron out the occasional small spike, and definitely filter out obvious problem hosts like network mgmt. stations. Real attacks will likely greatly exceed your normal thresholds and be very obvious.