Threshold Group | Notes |
Scalar thresholds | • Thresholds are set to either the observed maximum multiplied by the Layer 3 or Layer 4 percentage, or to the low traffic threshold, whichever is higher. • The system recommendation procedure does not set the threshold for the following scalar meters: New Connections, Most Active Destination, ACK Per Destination, RST Per Destination, FIN Per Destination, ESTAB Per Destination, Connection Per Destination. |
Protocol thresholds | • The system recommendation procedure does not set the threshold for TCP protocol (6) and UDP protocol (17). |
TCP/UDP Port, ICMP Type/Code | • Packet rates vary across ports, SPPs, and traffic direction. • All contiguous TCP/UDP ports or ICMP type/codes that have the same inbound and outbound traffic rates are grouped into ranges. • We limit the number of ranges to 512 to optimize the internal configuration database. • The system recommendation procedure uses an algorithm to generate a set of ranges and packet rate thresholds for them. The algorithm is based on the following factors: • The recorded baseline traffic for ports or type/code from 0 to 64K. • If the traffic is below the low traffic value, the low traffic value is considered the baseline. • Otherwise, the recorded baseline rates are multiplied by the Layer 4 adjustment percentage. • The resulting rates are divided by 512 to determine a round-up factor. • Rates are rounded up to the next multiple of the round-up factor. • If the number of ranges is below 512, the thresholds are set. • Otherwise, the rates are rounded to the next multiple of the round-up factor, and so on, until the number of ranges is below 512. Then, the thresholds are set. • The system recommendation procedure does not set the threshold for widely used TCP service ports 21-23, 25, 53, 80, 110, 139, 443 and 590; or TCP/UDP SIP ports 5060 and 5061. It does not set the threshold for user-configured HTTP service ports. The thresholds for these are set to high values. |
HTTP Method | • Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher. |
URL, Host, Cookie, Referer, User-Agent | • The rate meters for URLs and HTTP headers are based on indexes. • Packet rates vary across these indexes, SPPs, and traffic direction, depending on the time the baseline is taken. • The “observed maximum” used by the system recommendation procedure is the packet rate for the 95th percentile of observed rates for all indexes (excluding indexes with zero traffic), unless the number of indexes is unusually low. If low, the highest rate for all indexes is used. • Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher. |
Upon saving, if the UI responds with an error that says

    config ddos global spp process status
      unset process-in-progess
      unset process-status-message
    end

Then, do the procedure to generate thresholds again.
Settings | Guidelines |
Layer <N> adjustment | • Percentage—Multiply the generated rates by the specified percentage to compute the recommended thresholds. • Factory default—Use factory default values instead of the recommended values. The factory default values are high so that the appliance can be placed inline and not immediately drop traffic. |
Layer <N> percentage | Multiply the generated maximum rates by the specified percentage to compute the recommended thresholds. For example, if the value is 100%, the threshold is equal to the generated maximum rate. If it is 300%, the threshold is three times the generated maximum rate. The default adjustment for Layer 3 is 300. The default for Layer 4 is 200. The default for Layer 7 is 200. The valid range is 100 to 300. |
Layer <N> low traffic threshold | Specify a minimum threshold to use instead of the recommended rate when the recommended rate is lower than this value. This setting is helpful when you think that the generated maximum rates are too low to be useful. The default is 500. For example, assume the generated maximum packet rate for inbound Layer 4 TCP packets is 2,000 and the outgoing rate is 3,000. The value of Layer 4 percentage is 300 (percent) and the value of Layer 4 low traffic threshold is 8,000. In this example, the recommended threshold for inbound packets is 8,000 (2,000 * 300% = 6,000). However, because 6,000 is less than the low traffic threshold of 8,000, the system sets the threshold to 8,000. In this example, the recommended threshold for outbound packets is 9,000 (3,000 * 300% = 9,000). Because 9,000 is greater than the low traffic threshold of 8,000, the system sets the threshold to 9,000. |
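The scalar rule from the low traffic threshold example and the port-range procedure from the TCP/UDP Port notes can be worked through in a short Python sketch. This is an added example, not the appliance's own code: the function names and the constructed baseline are hypothetical, it models one SPP and one traffic direction, it treats 512 as an inclusive limit, and it assumes the round-up factor is the highest adjusted rate divided by 512 and that "and so on" means trying successive multiples of that factor.

```python
import math

MAX_RANGES = 512  # range limit stated on the page


def scalar_threshold(observed_max, percent, low_traffic):
    """Higher of (observed maximum x layer percentage) and the low traffic threshold."""
    return max(observed_max * percent // 100, low_traffic)


def group_ranges(rates):
    """Merge contiguous ports that share a rate into (first, last, rate) tuples."""
    ranges, start = [], 0
    for port in range(1, len(rates) + 1):
        if port == len(rates) or rates[port] != rates[start]:
            ranges.append((start, port - 1, rates[start]))
            start = port
    return ranges


def recommend_port_thresholds(baseline, percent, low_traffic, max_ranges=MAX_RANGES):
    """Return (ranges, step) for one SPP and one traffic direction (assumed scope)."""
    if not 100 <= percent <= 300 or low_traffic < 1:
        raise ValueError("percent must be 100-300 and low_traffic at least 1")
    # Below the low traffic value, that value is the baseline; otherwise scale.
    adjusted = [low_traffic if r < low_traffic else r * percent // 100 for r in baseline]
    # Assumption: the round-up factor is the highest adjusted rate divided by the limit.
    factor = max(1, math.ceil(max(adjusted) / max_ranges))
    multiple = 1
    while True:
        step = factor * multiple
        rounded = [math.ceil(r / step) * step for r in adjusted]
        ranges = group_ranges(rounded)
        if len(ranges) <= max_ranges:
            return ranges, step
        multiple += 1  # assumption: "and so on" means the next multiple of the factor


def constructed_baseline():
    """Constructed sample: 65,536 ports, idle except a jagged busy block 1024-5023."""
    rates = [0] * 65536
    for offset in range(4000):
        rates[1024 + offset] = 600 + (offset * 37 % 4000) * 10
    return rates


if __name__ == "__main__":
    ranges, step = recommend_port_thresholds(constructed_baseline(), 200, 500)
    print(len(ranges), "ranges, rounded to multiples of", step)
```

Coarser rounding only ever raises a port's threshold above its adjusted baseline, so a busy, jagged port space trades detection sensitivity for fitting within the range limit.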
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp threshold-adjust
          set threshold-adjustment-type system-recommendation
          set threshold-system-recommended-report-period {1-hour | 8-hours | 1-day | 1-week | 1-month | 1-year}
          set threshold-system-recommended-layer-3 {layer3-percentage | layer3-factory-defaults}
          set threshold-system-recommended-layer-3-percentage <percent>
          set threshold-system-recommended-layer-3-low-traffic <integer>
          set threshold-system-recommended-layer-4 {layer4-percentage | layer4-factory-defaults}
          set threshold-system-recommended-layer-4-percentage <percent>
          set threshold-system-recommended-layer-4-low-traffic <integer>
          set threshold-system-recommended-layer-7 {layer7-percentage | layer7-factory-defaults}
          set threshold-system-recommended-layer-7-percentage <percent>
          set threshold-system-recommended-layer-7-low-traffic <integer>
        end