This article explains the learning and detection modes for the Denial of Service (DoS) profile in Trellix IPS.
Learning mode
Learning mode starts when the Sensor is first added to a network. The learning period is 48 hours by default. After that time, the Sensor enters detection mode, but it continues to adjust the profile over time.
In learning mode, the Sensor catalogs traffic into BINs. The Sensor divides the traffic into BINs by subnet, up to a total of 128 BINs per Sensor. A BIN might reference a large network segment such as 10.0.0.0/8 or 112.0.0.0/5, or a more specific segment such as 8.8.8.0/29.
Each BIN contains values that describe the amount of traffic of the specified packet type (for example, tcp-syn) in the specified direction.
To view the BINs:
- Open a command-line session to the Sensor.
- Type the following command and press Enter:
show dospreventionprofile <packet-type> <direction>
For example:
show dospreventionprofile tcp-syn inbound
0: 0.0.0.0/2 AS=25.000% LT=1.568% ST=0.00% ltR=0.001 stR=0.000
1: 128.0.0.0/3 AS=12.500% LT=0.039% ST=0.00% ltR=0.000 stR=0.000
2: 64.0.0.0/7 AS=0.781% LT=0.110% ST=0.00% ltR=0.000 stR=0.000
3: 192.0.0.0/7 AS=0.781% LT=2.499% ST=0.00% ltR=0.001 stR=0.000
4: 96.0.0.0/5 AS=3.125% LT=1.831% ST=0.00% ltR=0.001 stR=0.000
5: 160.0.0.0/4 AS=6.250% LT=0.534% ST=0.00% ltR=0.000 stR=0.000
6: 80.0.0.0/5 AS=3.125% LT=0.609% ST=0.00% ltR=0.000 stR=0.000
- AS -- percentage of the IP address space this BIN occupies (for a /2 prefix, 25%; for a /7 prefix, 0.781%)
- LT -- percentage of long-term traffic that falls into this BIN
- ST -- percentage of short-term traffic that falls into this BIN
- ltR (ltRate) -- long-term average traffic rate (in packets per second) for this BIN
- stR (stRate) -- short-term traffic rate (in packets per second) for this BIN
Detection mode
After the 48-hour learning period, the Sensor automatically enters detection mode. DoS attacks aren't blocked by default; enable blocking only after the Sensor has established an acceptable profile of normal traffic.
To enable DoS blocking in the Manager:
- Log on to the Manager.
- Select IPS Settings from the left pane.
- Click the Advanced Policies tab.
- Select Default IPS Attack Settings.
- Locate the attack type you want, and set it to Block.
When the Sensor is in detection mode and detects a possible DoS attack, the BINs in which the suspicious traffic was detected are marked with a # (hash) in the show dospreventionprofile output. The Sensor acts on the traffic according to the settings for the specific attack (block and alert, or alert only).
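The BIN fields in the legend above, and the # marker that flags a BIN during detection, are easier to work with once the CLI output is parsed. The following Python script is an added example, not code from the Trellix article or product. It parses a constructed copy of the show dospreventionprofile output (the placement of the # in front of BIN 3 and that BIN's short-term counters are assumptions, because the article does not show a flagged line), checks each BIN's AS value against its prefix length, and lists BINs that the Sensor flagged or whose stR exceeds ltR by an analyst-chosen factor.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the `show dospreventionprofile tcp-syn inbound`
# output above. The leading "#" on BIN 3 is an ASSUMPTION about how the Sensor
# marks a BIN during a possible DoS detection; the article only says flagged BINs
# "display a # (hash)", so the parser accepts the hash anywhere before the index.
SAMPLE_OUTPUT = """\
0: 0.0.0.0/2 AS=25.000% LT=1.568% ST=0.00% ltR=0.001 stR=0.000
1: 128.0.0.0/3 AS=12.500% LT=0.039% ST=0.00% ltR=0.000 stR=0.000
2: 64.0.0.0/7 AS=0.781% LT=0.110% ST=0.00% ltR=0.000 stR=0.000
# 3: 192.0.0.0/7 AS=0.781% LT=2.499% ST=99.80% ltR=0.001 stR=812.500
4: 96.0.0.0/5 AS=3.125% LT=1.831% ST=0.00% ltR=0.001 stR=0.000
5: 160.0.0.0/4 AS=6.250% LT=0.534% ST=0.00% ltR=0.000 stR=0.000
6: 80.0.0.0/5 AS=3.125% LT=0.609% ST=0.00% ltR=0.000 stR=0.000
"""

# One profile line: optional "#" flag, BIN index, CIDR, then the five counters.
LINE_RE = re.compile(
    r"^\s*(?P<flag>#)?\s*(?P<idx>\d+):\s+(?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"AS=(?P<as_pct>[\d.]+)%\s+LT=(?P<lt_pct>[\d.]+)%\s+ST=(?P<st_pct>[\d.]+)%\s+"
    r"ltR=(?P<lt_rate>[\d.]+)\s+stR=(?P<st_rate>[\d.]+)\s*$"
)


@dataclass
class Bin:
    index: int
    cidr: str
    as_pct: float   # share of the IPv4 address space
    lt_pct: float   # share of long-term traffic
    st_pct: float   # share of short-term traffic
    lt_rate: float  # long-term average rate, packets/s
    st_rate: float  # short-term rate, packets/s
    flagged: bool   # Sensor marked this BIN with "#"

    def expected_as_pct(self) -> float:
        """Address-space share implied by the prefix length; used to sanity-check AS."""
        prefix = int(self.cidr.split("/")[1])
        return 100.0 / (2 ** prefix)

    def short_term_surge(self) -> Optional[float]:
        """stR / ltR, or None when there is no long-term baseline to compare against."""
        return self.st_rate / self.lt_rate if self.lt_rate > 0 else None


def parse_profile(text: str) -> List[Bin]:
    """Parse `show dospreventionprofile` output into Bin records; skip non-matching lines."""
    bins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bins.append(Bin(
            index=int(m["idx"]),
            cidr=m["cidr"],
            as_pct=float(m["as_pct"]),
            lt_pct=float(m["lt_pct"]),
            st_pct=float(m["st_pct"]),
            lt_rate=float(m["lt_rate"]),
            st_rate=float(m["st_rate"]),
            flagged=m["flag"] is not None,
        ))
    return bins


def suspicious_bins(bins: List[Bin], surge_ratio: float = 10.0) -> List[Bin]:
    """BINs the Sensor flagged, plus any whose short-term rate exceeds the
    long-term average by surge_ratio (an analyst-chosen value, not a Sensor setting)."""
    out = []
    for b in bins:
        surge = b.short_term_surge()
        if b.flagged or (surge is not None and surge >= surge_ratio):
            out.append(b)
    return out


if __name__ == "__main__":
    for b in suspicious_bins(parse_profile(SAMPLE_OUTPUT)):
        print(f"BIN {b.index} {b.cidr}: flagged={b.flagged} "
              f"LT={b.lt_pct}% ST={b.st_pct}% stR/ltR={b.short_term_surge()}")
```

Run it against saved CLI output (for example, pasted from a terminal session) instead of the constructed sample to spot BINs whose short-term rate departs sharply from the learned long-term rate before the Sensor raises an alert. The ltR/stR ratio is a convenience for reading the output; the Sensor's own decision is governed by the severity and threshold settings described in the next section.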
DoS Prevention Severity and Threshold
The Sensor adjusts the profile constantly so that small changes in network traffic and transient events aren't misinterpreted as a DoS attack. You can tune this behavior by changing the severity assigned to a detected attack and by adjusting the threshold as necessary.
To view the severity:
- Open a command-line session to the Sensor.
- Type the following command and press Enter:
show dospreventionseverity <packet-type> <direction>
NOTE: Technical Support recommends that you don't change the default severity levels unless you have in-depth knowledge of your network and can ensure that the change doesn't cause a false detection of a DoS attack.
To modify the Threshold of a specific attack:
- Log on to the Manager.
- Select IPS Settings.
- Select Advanced Policies.
- Select Default IPS Attack Settings.
- Select the Threshold tab and edit the specific attack that you want to change.