I'm looking for some guidelines for the flood signatures
Net Flood ICMP Request
Net Flood ICMP Reply
Net Flood ICMP Any
Net Flood UDP
I have used the "diagnostic" mode to determine values for these signatures but I am really not sure if the values that I have chosen are not maybe too high. I wonder if anyone would be able to share some information/guidelines on values they consider to be normal in a network. Say for instance min/max values for small, medium and large networks.
What maximum levels should be considered as totally abnormal for each of these events?
Do people choose to filter certain hosts for these alarms, like for instance network management stations, DNS servers, etc., after averages have been determined?
Should a rule of thumb be never filter source or destinations for these events?
The values computed by the diagnostic mode represent a snapshot in time of your network. Unfortunately, we don't compute any kind of intelligent threshold for you at this time. So, you'll need to take a sampling of the traffic rates reported back in the alarms while in diagnostic mode and average them to compute your specific thresholds. The time of day can affect this threshold. For instance, the profile of the network might change when people go home for the day, so this will need to be taken into account. Every network has its own unique peculiarities, and generic recommendations are hard to make. In general though, take your computed thresholds and bump them up some (5-10%) to iron out the occasional small spike, and definitely filter out obvious problem hosts like network mgmt. stations. Real attacks will likely greatly exceed your normal thresholds and be very obvious.
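As an added illustration of the tuning procedure described in the reply above (example code, not from the original thread or from the IPS product): it averages constructed sample alarm rates per signature and time-of-day bucket, skips the hosts you choose to filter, and adds 10% headroom. The alarm tuples, host addresses and the business-hours split are assumptions for the example.

```python
from statistics import mean
from collections import defaultdict

# Constructed sample of rates reported by diagnostic-mode alarms:
# (signature, source host, hour of day, packets per second)
SAMPLE_ALARMS = [
    ("Net Flood ICMP Request", "10.0.0.5", 10, 120),
    ("Net Flood ICMP Request", "10.0.0.5", 14, 130),
    ("Net Flood ICMP Request", "10.0.0.8", 10, 40),
    ("Net Flood ICMP Request", "10.0.0.8", 22, 10),
    ("Net Flood UDP", "10.0.0.9", 10, 800),
    ("Net Flood UDP", "10.0.0.9", 14, 900),
    ("Net Flood UDP", "10.0.0.9", 22, 300),
]

# Hosts known to generate legitimate bursts (assumed: 10.0.0.5 is the
# network management station); their samples are excluded from the baseline.
FILTERED_HOSTS = {"10.0.0.5"}


def period(hour):
    """Assumed business-hours split: 08:00-17:59 vs. everything else."""
    return "business" if 8 <= hour < 18 else "off_hours"


def compute_thresholds(alarms, filtered_hosts, headroom=0.10):
    """Average the sampled rates per (signature, period) and add headroom."""
    buckets = defaultdict(list)
    for sig, host, hour, rate in alarms:
        if host in filtered_hosts:
            continue
        buckets[(sig, period(hour))].append(rate)
    return {key: round(mean(rates) * (1 + headroom))
            for key, rates in buckets.items()}


def is_abnormal(thresholds, sig, host, hour, rate, filtered_hosts):
    """True when a later alarm exceeds the tuned threshold for its bucket."""
    if host in filtered_hosts:
        return False
    key = (sig, period(hour))
    return key in thresholds and rate > thresholds[key]


if __name__ == "__main__":
    t = compute_thresholds(SAMPLE_ALARMS, FILTERED_HOSTS)
    for key in sorted(t):
        print(key, t[key])
```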