Understanding Application-Level DDoS Logging

Intrusion Detection and Prevention (IDP) generates three types of application-level distributed denial-of-service (application-level DDoS) event logs: attack, state transition, and ip-action. These event logs provide visibility into the application-level DDoS state and provide notifications on occurrences of application-level DDoS attacks for each protected application server.

IDP generates application-level DDoS attack event logs when logging is enabled and an event matches an application-level DDoS policy rule. When you configure a rule with logging enabled, the device creates a log entry for each attack event that matches the rule. For more information about the application-level DDoS rulebase, see Understanding IDP Application-Level DDoS Rulebases.

The attack event log contains the following information:

To reduce the volume of application-level DDoS attack event logs, configure the application-level DDoS application with time-binding-count in a rule that has logging enabled. IDP then generates an application-level DDoS attack event log only when an attack is detected time-binding-count times within each time-binding-period seconds. Without time-binding-count configured for an application-level DDoS application, IDP generates an application-level DDoS attack event log for each detected attack, and these logs are subject to log suppression. The repeat-count field in the log represents how many times this log event would have been sent if log suppression had not been applied.

IDP generates application-level DDoS state transition event logs when the number of application transactions exceeds or falls below the configured connection or context hit rate thresholds. State transition event logs are enabled by default, and IDP generates them based on user-configured connection, context, or context value thresholds. IDP applies hysteresis to state transitions: the state transition log event for the return to the normal state is generated only after the incoming connection or context rate has fallen to 20 percent (by default) below the configured threshold, which prevents a rate hovering around the threshold from producing a flood of transition logs.

Note: State transition logging is enabled by default and cannot be enabled or disabled; it is part of the standard system logging.
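The following added example, which is not Juniper's implementation, models the two logging rules described above: the time-binding-count / time-binding-period throttling of attack event logs and the 20 percent hysteresis on state transition logs, run over constructed per-second rate samples. The sliding-window semantics and the reset of the detection counter after each log are assumptions.

```python
from collections import deque

NORMAL, ATTACK = "normal", "attack"

def state_transitions(rates, threshold, hysteresis_pct=20):
    """Walk a series of per-second connection/context rates and return the
    (index, new_state) events a state transition logger would emit.

    Entering the attack state is logged as soon as the rate exceeds the
    threshold; the return to normal is logged only once the rate has fallen
    hysteresis_pct percent below the threshold (20 percent by default).
    """
    low_mark = threshold * (1 - hysteresis_pct / 100)
    state, events = NORMAL, []
    for i, rate in enumerate(rates):
        if state == NORMAL and rate > threshold:
            state = ATTACK
            events.append((i, ATTACK))
        elif state == ATTACK and rate < low_mark:
            state = NORMAL
            events.append((i, NORMAL))
    return events

def attack_log_times(attack_times, binding_count, binding_period):
    """Return the timestamps (seconds) at which an attack event log is
    emitted when time-binding-count / time-binding-period are configured.

    Assumption: a log is generated once binding_count detections fall within
    a sliding binding_period-second window, and the window is cleared after
    each log so the same detections are not counted twice.
    """
    window, logged = deque(), []
    for t in attack_times:
        window.append(t)
        while window and t - window[0] >= binding_period:
            window.popleft()  # drop detections older than the period
        if len(window) >= binding_count:
            logged.append(t)
            window.clear()
    return logged

# Constructed samples: rates per second against a 100 conn/s threshold, and
# the timestamps of individual attack detections.
SAMPLE_RATES = [50, 90, 120, 150, 95, 85, 79, 60, 110, 70]
SAMPLE_ATTACKS = [0, 1, 2, 3, 10, 11, 20, 21, 22]

if __name__ == "__main__":
    # Without hysteresis the dip to 95 at index 4 would already log "normal".
    print(state_transitions(SAMPLE_RATES, threshold=100))
    print(attack_log_times(SAMPLE_ATTACKS, binding_count=3, binding_period=5))
```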

The state event log contains the following information:
