Skip to main content
Version: v7

Pattern Score

Overview

In today’s networks, cyber-attacks cause damage or theft and disrupt services with enormous economic and financial impacts. Software implementations cannot meet performance goals; a combination of software and hardware can be more effective for high-performance pattern matching. Packet content scanning at high speed has become extremely important due to its applications in network security, network monitoring, and traffic management in general.

Haltdos supports pattern scoring on the behalf of the behavior of the packet.

pattern_score

How to Use

  1. Go to Apps > DDoS > Advance Settings > Pattern Score

  2. Configure the settings as per requirement.

  3. Click on Save Changes.

pattern_score

ParameterAccepted ValuesDescription
TCP SYN PACKET WITH NO OPTIONSLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
OUT OF RANGE MSSLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
MSS IN NON-SYN PACKETLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
WINDOW SCALE IN NON-SYN PACKETLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TOP SOURCE PORT TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
SOURCE PORT ZEROLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
SOURCE PORT OUT OF RANGELOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP SEQUENCE NUMBER TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP SEQUENCE NUMBER ZEROLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP URGENT POINTER WITHOUT FLAGLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP ACK NUMBER WITHOUT FLAGLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP FLAGS TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
SUSPICIOUS TCP FLAG COMBINATIONSLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP RESERVED FLAGSLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP SUSPICIOUS WINDOW SIZELOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
SOURCE PREFIX TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
SUSPICIOUS CHECKSUMLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
TCP URGENT POINTER TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
ICMP DESTINATION TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
UDP DESTINATION TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS DESTINATION TOP TALKERLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS ANY QUERYLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD ANSWER COUNTLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD EDNS0 NAMELOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD FLAGSLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD LENGTHLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD NAMESERVER COUNTLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS BAD RETURN CODELOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS EDNS0 WITH DOLOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH
DNS RARE QUERY TYPELOW, MEDIUM, HIGHSpecify suspicion score as LOW, MEDIUM or HIGH

Under the packet scoring section, users can configure what kind of severity level should be used while setting up the packet score. In Haltdos Anti DDoS solution, we provide packet score to all packets those are going through the Anti DDoS solution. We have defined here three categories of packet scoring which can be customizable by the users. User can change the packet scoring mechanism from low, medium and high. The low level indicates that packet scoring will be start from lower level and