Understanding Application-Level DDoS Logging

Intrusion Detection and Prevention (IDP) generates three types of application-level distributed denial-of-service (application-level DDoS) event logs: attack, state transition, and ip-action. These event logs provide visibility into the application-level DDoS state and provide notifications on occurrences of application-level DDoS attacks for each protected application server.

IDP generates application-level DDoS attack event logs when logging is enabled and an event matches an application-level DDoS policy rule. When you configure a rule with logging enabled, the device creates a log entry for each attack event that matches the rule. For more information about the application-level DDoS rulebase, see Understanding IDP Application-Level DDoS Rulebases.

The attack event log contains the following information:

• Time generated (the date/time in which the log is generated)
• Ingress and egress zone and interface information
• Sources and destination IP address and port numbers
• Connection, context, and context value rates
• Time-binding information
• Policy name
• Rulebase name and rule name
• application-level DDoS application name
• Layer 4 protocol
• Application service (such as DNS and HTTP)
• Context and value rates
• Context value (presented in ASCII and hexadecimal formats)
• Action taken on the event

To reduce the volume of application-level DDoS attack event logs, when you configure an application-level DDoS application with time-binding-count in a rule that has logging enabled, IDP generates an application-level DDoS attack event log only when an attack is detected for time-binding-count times for each time-binding-period seconds. Without time-binding-count configured for an application-level DDoS application, IDP generates an application-level DDoS attack event log for each detected attack, and these logs are subjected to log suppression. The repeat-count field in the log represents how many times this log event would have been sent if log suppression was applied.

IDP generates application-level DDoS state transition event logs when the number of application transactions exceeds or falls behind the configured connection or context hit rate thresholds. State transition event logs are enabled by default, and IDP generates state transition event logs based on user-configured connection, context, or context value thresholds. IDP exhibits hysteresis for state transitions, due to this fact, the state transition log event is generated after incoming traffic connection or context rates have fallen behind by 20 percent (by default) of the configured threshold.

Note: State transition logging is enabled by default and cannot be enabled or disabled, it is part of the standard system logging.

The state event log contains the following information:

• Time generated (the date/time in which the log is generated)
• IP address of the protected server
• Port
• Interface and zone
• Policy name
• Rulebase name and rule name
• application-level DDoS application name
• Layer 4 protocol
• Application service (such as DNS and HTTP)
• Description of the transition event
• Description of the context value (presented in ASCII and hexadecimal formats)

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Understanding IDP Log Suppression Attributes
• Understanding IDP Logging
• Understanding IDP Log Information Usage on the Infranet Controller
• IDP Application-Level DDoS Attack Overview