This section describes the defense threshold. An appropriately set defense threshold is what makes anti-DDoS defense effective.
The defense threshold can be regarded as the upper limit of normal network traffic. If the actual traffic volume exceeds this limit, the FW takes the configured action to defend against the attack. The threshold is therefore the trigger for defensive actions, and how it is set directly affects the quality of defense.
The threshold setting varies with the network situation.
If the threshold is too low, many false positives occur (normal traffic is treated as an attack); if the threshold is too high, many false negatives occur (attack traffic is not detected). Therefore, you must fine-tune the threshold based on the normal traffic volume range of the network. When the normal traffic volume is unknown, or before threshold learning starts, set the alarm threshold to the default value and then tune it based on the network conditions or the threshold learning result. In normal cases, the threshold can be set to 1.2 to 2 times the normal traffic volume.
The FW automatically learns the traffic characteristics of the network and provides a reference for manual settings. In normal cases, the system collects statistics on each type of traffic per destination IP address, calculates the peak value of each traffic type, and automatically sets the defense thresholds from those peaks.
The FW learns the threshold in two modes: one-off learning and periodical learning.
One-off learning: The FW learns the threshold only once.
Periodical learning: The FW learns the threshold at regular intervals.
The learning interval is the duration between two consecutive threshold learning runs.
With the automatic application function, the FW applies a learned threshold without manual intervention.
You can have the FW learn the threshold repeatedly to keep up with changes in the network traffic model.
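The following added example (not the FW's own code) models the learning procedure described above: per-destination, per-traffic-type peaks are taken from a constructed learning window, scaled by a margin factor in the 1.2 to 2 range, and a later window of still-normal traffic is then checked to show how a margin of 1.0 produces false positives. The DEFAULT_THRESHOLD value and all traffic figures are constructed placeholders, not the product's defaults.

```python
from collections import defaultdict

# Constructed placeholder for a destination/traffic type with no learned value yet
# (not the firewall's actual default).
DEFAULT_THRESHOLD = 1000

# Constructed learning window: (time bucket, destination IP, traffic type, packets in bucket).
LEARNING_WINDOW = [
    (0, "10.0.0.5", "syn", 800), (1, "10.0.0.5", "syn", 1200), (2, "10.0.0.5", "syn", 950),
    (0, "10.0.0.5", "udp", 300), (1, "10.0.0.5", "udp", 450),
    (0, "10.0.0.9", "syn", 100), (1, "10.0.0.9", "syn", 120),
]
# Constructed later window of still-normal traffic, used to measure false positives.
LATER_NORMAL = [(3, "10.0.0.5", "syn", 1300), (3, "10.0.0.5", "udp", 400), (3, "10.0.0.9", "syn", 130)]


def learn_thresholds(samples, factor=1.5):
    """One learning pass: peak per (destination IP, traffic type), scaled by factor.
    factor models the 1.2-2x margin. One-off learning calls this once; periodical
    learning calls it again on each new window and replaces the previous result."""
    per_bucket = defaultdict(int)
    for bucket, dst, ttype, pkts in samples:
        per_bucket[(bucket, dst, ttype)] += pkts
    peaks = defaultdict(int)
    for (bucket, dst, ttype), pkts in per_bucket.items():
        peaks[(dst, ttype)] = max(peaks[(dst, ttype)], pkts)
    return {key: int(peak * factor) for key, peak in peaks.items()}


def exceeds(thresholds, dst, ttype, observed):
    """True when observed traffic is above the threshold, i.e. defense should trigger."""
    return observed > thresholds.get((dst, ttype), DEFAULT_THRESHOLD)


def count_false_positives(thresholds, normal_samples):
    """Number of normal-traffic buckets that would wrongly trigger defense."""
    return sum(exceeds(thresholds, dst, ttype, pkts) for _, dst, ttype, pkts in normal_samples)


if __name__ == "__main__":
    for factor in (1.0, 1.5):
        thr = learn_thresholds(LEARNING_WINDOW, factor)
        print(f"factor {factor}: thresholds={thr}, "
              f"false positives on later normal window={count_false_positives(thr, LATER_NORMAL)}")
```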