Contents
This section shows reports information about the IPDS module, the information saved by the stats collector can be read and analyzed.
This view shows the total information about a certain day, a complete week, a month or a date range and comparing with the previous range, this comparison method gives you an idea with a simple view if the system has increased in attacks or not, taking into consideration this information the systems administrator can see if the rules need to be modified or some rules are not matching against any attack.
Let us describe the different tables shown in this Report view.
Reporting fields.
The reporting section is composed of a main form for searches, this form allows the system administrators to find information based on a date range or time inside the IPDS stats collector database. The fields for the search are:
Show data: By week, By Month, By date range. The IPDS report will be created for this period.
Choose a start date: Indicate here the start date for the reporting.
Compare to Previous week: The requested range of time is compared with the previous range of time, that method gives you an idea about attackers’ behaviour, showing if the attacks have increased or decreased over time.
Print action: The information is saved in PDF in a local document, this Report can be used internally by the cyber security team or CISOs. Do you want to know what SKUDONET IPDS Reports look like? Click here
Attacks by type of defense.
This table shows the stopped attacks in the indicated period for the different modules inside the IPDS system.
Policy: The kind of policy applied by the security rule. If the security Rule is Reject the source connection will be dropped, if the security Rule is Accept the source connection is allowed. The security Rule Accept is used in SKUDONET v10 only for the Blocklist security module. If the source IP is whitelisted the connection will bypass this blocklist security module, A whitelisted IP doesn’t mean that the other security modules will not apply, the connection will pass always through the DoS, RBL and WAF if those rule types are configured in the farm.
Blacklists: Number of hits or attacks stopped by this security module in the requested period for all the farms using IPDS.
DoS: Number of hits or attacks stopped by this security module in the requested period for all the farms using IPDS.
RBL: Number of hits or attacks stopped by this security module in the requested period for all the farms using IPDS.
WAF: Number of hits or attacks stopped by this security module in the requested period for all the farms using IPDS.
Whitelist: Number of hits or requests passed by this security module in the requested period for all the farms using IPDS.
Attacks detected by farms.
This table shows the attacks stopped by each security module grouped by farms, the list of farms will show the subtotal of hits done per farm and the total of hits with a summary of all the farms. In case some column doesn’t show information for a certain farm means that this kind of rule isn’t used by the farm or the rule hasn’t hit yet.
Farm name: The farm name protected by the IPDS.
Bkaclist: The total of attacks stopped by the blocklist rules configured in this farm in the indicated period.
DoS: The total of requests stopped by the DoS rules configured in this farm in the indicated period.
RBL: The total of requests stopped by the RBL rules configured in this farm in the indicated period.
WAF: The total of requests stopped by the WAF rules configured in this farm in the indicated period.
Whitelists: The total of requests stopped by the Whitelist rules configured in this farm in the indicated period.
Total: Subtotal of requests hit by the used security modules for the indicated farm.
Attacks detected by rules.
This table shows information about the IPDS module grouped by rule name and gives information about which kind of rule hits more.
The table shows the following fields:
Rule Name: The rule name that hit.
Kind of rule: A certain rule can be only of a certain type, the types in the IPDS module are: Blacklist, Dos, RBL, WAF and Whitelist.
Total: The total of hits done by this particular rule name.
Top 10 Attacks by source IP.
This table shows the top 10 source IPs identified by the IPDS. When a security rule matches, the source IP is saved internally, later this information is grouped and shown in this table. If the number of hits is high you could consider putting those IPs in your custom blocklist.
The fields shown in this table are as follows:
IP: Source IP detected by the protecting rule. Normally a source IP of an attacker.
Total: the number of times the source IP has been found for the indicated period.
Top 10 Attacks by URLs
This table shows the top 10 URLs attacked and stopped by the WAF rules.
The fields shown in the table are:
URL: The destination URL was attacked and stopped by the WAF
Total: The number of times the WAF rules stopped the attack in the indicated period.
Attacks by hours.
This table shows a summary of attacks by hour during the period requested in the report, this table shows the behaviour of the attackers, for example, the previous table shows that in the period requested the DoS attacks increased at 17.00 but at 10.00 the Blocklist attacks are the most stopped.
SKUDONET recommends doing a complete configuration of all the security modules inside the IPDS, doing a good configuration of Blocklist and DoS as a first security filter and finally filtering traffic in WAF for Layer 7 protection. That way will ensure that less malicious traffic will reach the WAF where more CPU and RAM are required. The Blocklist, RBL and DoS security rules are configured inside SKUDONET in the early stage of the operating system, which it means is closer to the ingress, which is the main reason for the great efficiency of SKUDONET IPDS. The WAF system protects with more than 400 security rules analyzing Headers and Body content inefficiently but any WAF action requires more CPU and RAM by nature.
