Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide



Table of Contents

I. Note
II. Login
III. Real-time, Daily and Monthly Report
   Part A: Real-time Report
      Part 1: Traffic Details
      Part 2: Protocol Details
   Part B: Daily Report
      Part 1: Summary
      Part 2: Filtered Traffic
      Part 3: Attacked Details
      Part 4: Protocol Details
   Part C: Monthly Report
      Part 1: Summary
      Part 2: Filtered Traffic
      Part 3: Attacked Details
      Part 4: Protocol Details
IV. Change User Password
V. Logout
VI. Forget Password
Appendix: Alarm Catalog

I. Note

For customers who sign up for the per-connection plan, only the monthly report is available. For customers who sign up for the per-bandwidth plan, the real-time, daily and monthly reports are all available.

II. Login

1. Connect to http://www.wharftt.com
2. Select Product & Services > Security Solutions
3. In the tag, click More

Version 1.0

4. Click the link Web Portal > Customer Portal
5. Input your username and password (both are case sensitive). Refer to the Welcome Letter for details.
6. Click Submit

III. Real-time, Daily and Monthly Report

Part A: Real-time Report (report generated every 5 minutes from 00:00 onwards)

1. Select Real-time Report
2. Click the Line Num check box
3. Select the desired line number
4. Click the Calendar icon
5. Select the desired date on the pop-up calendar

6. Reports will be generated as follows.

Part 1: Traffic Details

Time: Time range that the report covers
Maximum In Traffic: The highest amount of incoming normal and attack traffic, in bits / packets per second, received under attack within the time range
Maximum Out Traffic: The highest amount of outgoing normal traffic, in bits / packets per second, sent under attack within the time range
Average In Traffic: Average incoming normal and attack traffic, in bits / packets per second, received under attack within the time range
Average Out Traffic: Average outgoing normal traffic, in bits / packets per second, sent under attack within the time range

Remarks:
1. The portal reports the difference between In Traffic and Out Traffic as the amount of Attack Traffic. Treat this as an estimate: In Traffic includes the attack traffic and Out Traffic does not, so the figure is only accurate while the normal inbound and outbound volumes are comparable.
2. If there is no attack, the values of both In Traffic and Out Traffic will be zero, because the report only covers traffic observed under attack.

Part 2: Protocol Details

Time: Time range that the report covers
Received ICMP*: Total incoming ICMP traffic, in bits / packets per second, received under attack within the time range
Received TCP*: Total incoming TCP traffic, in bits / packets per second, received under attack within the time range
Received UDP*: Total incoming UDP traffic, in bits / packets per second, received under attack within the time range
Received Stream (others)*: Total incoming traffic of unclassified attacks, in bits / packets per second, received under attack within the time range

Remarks:
1. If there is no attack, the values of the Received fields will be zero.
2. * Please refer to the Appendix (Alarm Catalog).

Part B: Daily Report (report generated at 23:59 each day)

1. Select Daily Report
2. Select the line number and date in the same way as for the Real-time Report
3. Reports will be generated as follows.

Part 1: Summary

Time: Time range that the report covers
Total Received: Total incoming normal and attack traffic, in bits / packets, received under attack within the day
Total Filtered: Total incoming normal and attack traffic, in bits / packets, received and filtered under attack within the day
Number of High Severity Attack: Total number of incoming attacks classified as high severity within the day
Number of Medium Severity Attack: Total number of incoming attacks classified as medium severity within the day
Number of Low Severity Attack: Total number of incoming attacks classified as low severity within the day
Maximum In Traffic: The highest amount of incoming normal and attack traffic, in bits / packets per second, received under attack within the time range
Maximum Out Traffic: The highest amount of outgoing normal traffic, in bits / packets per second, sent under attack within the time range
Average In Traffic: Average incoming normal and attack traffic, in bits / packets per second, received under attack within the time range
Average Out Traffic: Average outgoing normal traffic, in bits / packets per second, sent under attack within the time range

Remarks:
1. The portal reports the difference between In Traffic and Out Traffic as the amount of Attack Traffic. This is an estimate that holds only while normal inbound and outbound volumes are comparable.
2. If there is no attack, the values of both In Traffic and Out Traffic will be zero.

Part 2: Filtered Traffic

Event ID: ID number of the event
Destination IP: IP address which was under attack
Severity Level: Severity level of the event (High, Medium or Low)
Attack Types: Type of incoming attack received in the event, e.g. DDoS Attack, Traffic Anomaly, Network Misuse
Start Time: Starting time of the event
Duration (s): Duration of the event in seconds

Part 3: Attacked Details

Attack Types: Type of incoming attack received, e.g. UDP, ICMP, Stream*, Others
Total: Total incoming normal and attack traffic, in bits / packets, received under attack
Total Filtered: Total incoming normal and attack traffic, in bits / packets, received and filtered under attack
Filtered Percentage: Value of the Total Filtered field as a percentage of the Total field
Attacked IP: IP address which was under attack

Remarks:
1. If there is no attack, there will be no record in Attacked Details.
2. * Please refer to the Appendix (Alarm Catalog).

Part 4: Protocol Details

Per-protocol totals:
Protocol Types: Type of incoming protocol received, e.g. TCP, UDP, ICMP*
Received: Total incoming normal and attack traffic, in bits / packets, received within the day
Sent: Total outgoing normal traffic, in bits / packets, sent within the day

Per-interval rates:
Time: Time range that the report covers
Received ICMP*: Total incoming ICMP traffic, in bits / packets per second, received under attack within the time range
Received TCP*: Total incoming TCP traffic, in bits / packets per second, received under attack within the time range
Received UDP*: Total incoming UDP traffic, in bits / packets per second, received under attack within the time range
Received Stream (others)*: Total incoming traffic of unclassified attacks, in bits / packets per second, received under attack within the time range

Remarks:
1. If there is no attack, the values of the Received fields will be zero.
2. * Please refer to the Appendix (Alarm Catalog).

Part C: Monthly Report (report generated at 23:59 on the last day of the month)

1. Select Monthly Report
2. Select the line number and date in the same way as for the Real-time Report
3. Reports will be generated as follows.

Part 1: Summary

Time: Time range that the report covers
Total Received: Total incoming normal and attack traffic, in bits / packets, received under attack within the month
Total Filtered: Total incoming normal and attack traffic, in bits / packets, received and filtered under attack within the month
Number of High Severity Attack: Total number of incoming attacks classified as high severity within the month
Number of Medium Severity Attack: Total number of incoming attacks classified as medium severity within the month
Number of Low Severity Attack: Total number of incoming attacks classified as low severity within the month
Maximum In Traffic: The highest amount of incoming normal and attack traffic, in bits / packets per second, received under attack within the month
Maximum Out Traffic: The highest amount of outgoing normal traffic, in bits / packets per second, sent under attack within the month
Average In Traffic: Average incoming normal and attack traffic, in bits / packets per second, received under attack within the month
Average Out Traffic: Average outgoing normal traffic, in bits / packets per second, sent under attack within the month

Remarks:
1. The portal reports the difference between In Traffic and Out Traffic as the amount of Attack Traffic. This is an estimate that holds only while normal inbound and outbound volumes are comparable.
2. If there is no attack, the values of both In Traffic and Out Traffic will be zero.

Part 2: Filtered Traffic

Event ID: ID number of the event
Destination IP: IP address which was under attack
Severity Level: Severity level of the event (High, Medium or Low)
Attack Types: Type of incoming attack received in the event, e.g. DDoS Attack, Traffic Anomaly, Network Misuse
Start Time: Starting time of the event
Duration (s): Duration of the event in seconds

Part 3: Attacked Details

Attack Types: Type of incoming attack received, e.g. UDP, ICMP, Stream*, Others
Total: Total incoming normal and attack traffic, in bits / packets, received under attack
Total Filtered: Total incoming normal and attack traffic, in bits / packets, received and filtered under attack
Filtered Percentage: Value of the Total Filtered field as a percentage of the Total field
Attacked IP: IP address which was under attack

Remarks:
1. If there is no attack, there will be no record in Attacked Details.
2. * Please refer to the Appendix (Alarm Catalog).

Part 4: Protocol Details

Per-protocol totals:
Protocol Types: Type of incoming protocol received, e.g. TCP, UDP, ICMP*
Received: Total incoming normal and attack traffic, in bits / packets, received within the month
Sent: Total outgoing normal traffic, in bits / packets, sent within the month

Per-day rates:
Date: Date that the row covers
Received ICMP*: Total incoming ICMP traffic, in bits / packets per second, received under attack within the day
Received TCP*: Total incoming TCP traffic, in bits / packets per second, received under attack within the day
Received UDP*: Total incoming UDP traffic, in bits / packets per second, received under attack within the day
Received Stream (others)*: Total incoming traffic of unclassified attacks, in bits / packets per second, received under attack within the day

Remarks:
1. If there is no attack, the values of the Received fields will be zero.
2. * Please refer to the Appendix (Alarm Catalog).
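The Summary, Filtered Traffic and Attacked Details fields above are all derived from the same 5-minute samples, so they can be recomputed and cross-checked offline. The following is an added example, not code from the Wharf T&T portal or its vendor. It assumes the Traffic Details samples and the Filtered Traffic event rows have been copied out of the portal into the Python structures shown (no export format is documented) and that In Traffic = normal + attack and Out Traffic = normal only, as the remarks state. The sample values are constructed.

```python
"""Reconcile the portal's report fields from raw 5-minute samples.

Added example; not code from the Wharf T&T portal or its vendor.  Assumes the
samples and event rows were copied out of the portal into the structures
below (no export format is documented), with In = normal + attack traffic and
Out = normal traffic only, as the guide's remarks state.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    time: str        # "HH:MM", start of a 5-minute bucket
    in_bps: int      # Maximum In Traffic for the bucket (normal + attack)
    out_bps: int     # Maximum Out Traffic for the bucket (normal only)


@dataclass(frozen=True)
class Event:
    event_id: int
    dest_ip: str
    severity: str     # "High", "Medium" or "Low"
    attack_type: str  # e.g. "DDoS Attack", "Traffic Anomaly", "Network Misuse"
    start: str        # "HH:MM"
    duration_s: int


# Constructed data for one attack window (not real portal output).
SAMPLES = [
    Sample("10:00", 120_000_000, 110_000_000),
    Sample("10:05", 950_000_000, 115_000_000),
    Sample("10:10", 1_400_000_000, 118_000_000),
    Sample("10:15", 300_000_000, 112_000_000),
]
EVENTS = [
    Event(1, "203.0.113.10", "High", "DDoS Attack", "10:05", 600),
    Event(2, "203.0.113.10", "Low", "Traffic Anomaly", "10:15", 300),
    Event(3, "203.0.113.22", "Medium", "Network Misuse", "11:40", 120),
]


def attack_bps(sample):
    """Remark 1: the portal reports In - Out as attack traffic.  Clamp at zero
    so a bucket where Out exceeds In (a large outbound transfer) does not yield
    a negative 'attack' figure."""
    return max(sample.in_bps - sample.out_bps, 0)


def traffic_summary(samples):
    """Recompute the Summary fields Maximum/Average In/Out Traffic."""
    if not samples:  # Remark 2: no attack, no samples, everything is zero
        return {"max_in": 0, "max_out": 0, "avg_in": 0, "avg_out": 0, "peak_attack": 0}
    ins = [s.in_bps for s in samples]
    outs = [s.out_bps for s in samples]
    return {
        "max_in": max(ins),
        "max_out": max(outs),
        "avg_in": int(mean(ins)),
        "avg_out": int(mean(outs)),
        "peak_attack": max(attack_bps(s) for s in samples),
    }


def severity_counts(events):
    """Number of High / Medium / Low Severity Attack fields."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for e in events:
        counts[e.severity] += 1
    return counts


def filtered_percentage(total, total_filtered):
    """Attacked Details 'Filtered Percentage'.  Rejects a row where more was
    filtered than received, which indicates a mis-copied value."""
    if total < 0 or total_filtered < 0 or total_filtered > total:
        raise ValueError("Total Filtered must not exceed Total")
    return 0.0 if total == 0 else round(100.0 * total_filtered / total, 2)


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def peak_during(event, samples):
    """Peak estimated attack bps over the 5-minute buckets an event spans,
    tying a Filtered Traffic row back to the Traffic Details curve."""
    start = _minutes(event.start)
    end = start + event.duration_s // 60
    return max((attack_bps(s) for s in samples if start <= _minutes(s.time) <= end), default=0)


def attacked_ips(events):
    """Distinct Attacked IP values for the period."""
    return sorted({e.dest_ip for e in events})


if __name__ == "__main__":
    print(traffic_summary(SAMPLES))
    print(severity_counts(EVENTS))
    for e in EVENTS:
        print(e.event_id, e.dest_ip, e.severity, peak_during(e, SAMPLES))
```

Run it against a day's copied samples and compare the printed maxima and averages with the portal's Summary; a mismatch usually means a bucket was skipped when copying, while a Filtered Percentage that raises ValueError points at a Total / Total Filtered pair that was transposed.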

IV. Change User Password

1. Select Change Password
2. Input the Current Password and the New Password, and re-enter the New Password to verify it
3. Click Change Now

V. Logout

1. Select Logout
2. A message confirms that you have logged out successfully
3. Click Login Again to log in again

VI. Forget Password

1. Click Forget Password
2. Input your username
3. Click Submit
4. A new password will be generated and sent to your email account. Because this password is delivered by e-mail, log in and replace it under IV. Change User Password as soon as you receive it.

Appendix: Alarm Catalog

Category: Attack / DDoS Attack

SYN FLOOD
A large number of connections in SYN_RECV state accumulate on the server. The half-open connections cause:
   o traversal of the half-open connection queue, exhausting CPU and RAM
   o SYN/ACK retries
   o SYN timeouts of 30 seconds to 2 minutes
As a result, the server lacks the resources to handle normal connection requests.

ACK / RST FLOOD
A large number of ACK (or RST) packets are sent, and server resources are consumed handling them. As a result, bandwidth congestion occurs.

HTTP GET Flooding / CC (Challenge Collapsar)
Proxies are used to request large amounts of dynamic content from the server, for example triggering large-scale database queries through the web service. This leads to server resource exhaustion, and normal web requests are dropped. This is an application-layer (logical) attack that does not consume a large amount of bandwidth. Besides HTTP GET, HTTP POST can also be used.

UDP DNS FLOOD
An enormous number of DNS queries are sent with the aim of consuming server resources. As a result, bandwidth is congested and normal DNS queries cannot get through. A variant uses spoofed source IPs to query randomly generated domain names; because each name is new to the server, the server must fetch information from other servers to resolve it, and this chain of lookups exhausts server resources.

UDP FLOOD
A large number of UDP packets are sent. The packets are large, causing bandwidth congestion. As a result, packet loss occurs on UDP applications such as audio / video conferencing.

ICMP FLOOD
A large number of ICMP packets are sent. The packets are large, causing bandwidth congestion. As a result, network performance can no longer be probed with ICMP tools such as ping.

Stream / Others
Attacks that are not classified under any of the flood types above.

Category: Attack / Worm

Code Red: Aims at destination port 80 using protocol type TCP.
SQL Slammer: Aims at destination port 1434 using protocol type UDP.
Worm.Blaster: Aims at destination port 135 using protocol type TCP.
Worm.Killsblast: Aims at destination port 2048 using protocol type ICMP. (ICMP has no port numbers; flow exporters encode the ICMP type and code in the destination-port field as type * 256 + code, so 2048 is type 8, code 0, i.e. an echo request sweep.)
Worm.Sasser: Aims at destination port 445 using protocol type TCP.
Mail worm: An external network address frequently connects to internal network addresses' NetBIOS ports (TCP and UDP ports 137, 138, 139, 445).
WinNuke: A sudden increase in destination IPs and destination ports, with the corresponding packets and byte counts being identical.

Category: Network Misuse

Private IP Anomaly, Dark IP Anomaly: IP addresses that should not legitimately be present in the network are monitored.

Category: Traffic Abnormal

Bps Anomaly, Pps Anomaly, Session Anomaly: The bps, pps and session statistics of the network are monitored for abnormal distribution.

Category: P2P Traffic

BitTorrent, eMule, Thunder, PPLive, Others: P2P endpoints are identified from flow records by the following characteristics.
   o Limited number of servers with huge traffic: normally 10% of the IP addresses carry 90% of the total traffic, so the traffic share of each server can be traced.
   o High and sudden increase in the IIS (Internet Information Services) count: a server performing P2P download shows a high IIS count.
   o Port variation rate: most P2P download software uses "port hopping", so the server port changes continuously during the P2P download process.
   o Topological analysis: a P2P endpoint usually uses certain default ports to communicate with other endpoints. Flow record analysis can be used to find the topological relationships among these endpoints and to check whether the server matches the profile of a P2P endpoint; if the match reaches a certain level, the server is confirmed as a P2P endpoint.
   o Huge number of idle connections: a P2P endpoint usually has a lot of idle connections, which appear as low-traffic entries in the flow record.

Category: Customized

Abnormal: An alarm is created according to the customer's customized setting.

Category: Performance

Availability Abnormal: An alarm is created when the monitoring infrastructure is unable to connect.
Performance Abnormal: An alarm is created when the performance measured by the monitoring infrastructure exceeds the default value.
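The worm, Mail worm and SYN FLOOD entries in the catalog are all expressible as rules over flow records (destination port and protocol per source, NetBIOS ports crossed from outside to inside, SYNs without completed handshakes). The following is an added example, not Wharf T&T's or its vendor's detection code, showing those rules applied to a constructed set of flow records. The Flow layout, the internal address ranges and every threshold are assumptions made for illustration; the ICMP encoding (type * 256 + code in the destination-port field) is the convention flow exporters use and is why the catalog lists Worm.Killsblast as ICMP "port" 2048.

```python
"""Classify flow records against the Alarm Catalog's worm and SYN flood entries.

Added example; not Wharf T&T's or its vendor's code.  Flow layout, internal
ranges and thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int           # for icmp: type * 256 + code, as flow exporters encode it
    packets: int
    tcp_flags: str = ""  # "S" = SYN only, "A" = ACK only (assumed flag summary)


# Worm signatures taken from the catalog: (proto, dport) -> alarm name.
WORM_SIGNATURES = {
    ("tcp", 80): "Worm.CodeRed",
    ("udp", 1434): "Worm.SQLSlammer",
    ("tcp", 135): "Worm.Blaster",
    ("icmp", 2048): "Worm.Killsblast",  # ICMP type 8, code 0 = echo request
    ("tcp", 445): "Worm.Sasser",
}
NETBIOS_PORTS = {137, 138, 139, 445}
# Assumed internal ranges; a real deployment uses the customer's own prefixes.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed thresholds; a real sensor tunes these per customer line.
WORM_MIN_TARGETS = 20       # distinct destinations one source hits on a worm port
NETBIOS_MIN_TARGETS = 10    # internal NetBIOS targets per external source
SYN_FLOOD_MIN_SYNS = 500    # SYNs to one destination in the window
SYN_FLOOD_MAX_ACK_RATIO = 0.2  # handshake-completing ACKs per SYN


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(flows):
    """Return sorted (alarm name, offending address) pairs found in the flows.
    Worm and Mail worm alarms name the source; SYN FLOOD names the target."""
    alarms = set()
    worm_targets = defaultdict(set)     # (src, alarm) -> destinations hit
    netbios_targets = defaultdict(set)  # external src -> internal NetBIOS targets
    syns = Counter()                    # dst -> SYN packets
    acks = Counter()                    # dst -> pure ACK packets
    for f in flows:
        name = WORM_SIGNATURES.get((f.proto, f.dport))
        if name:
            worm_targets[(f.src, name)].add(f.dst)
        if (f.proto in ("tcp", "udp") and f.dport in NETBIOS_PORTS
                and not is_internal(f.src) and is_internal(f.dst)):
            netbios_targets[f.src].add(f.dst)
        if f.proto == "tcp" and f.tcp_flags == "S":
            syns[f.dst] += f.packets
        elif f.proto == "tcp" and f.tcp_flags == "A":
            acks[f.dst] += f.packets
    for (src, name), dsts in worm_targets.items():
        if len(dsts) >= WORM_MIN_TARGETS:
            alarms.add((name, src))
    for src, dsts in netbios_targets.items():
        if len(dsts) >= NETBIOS_MIN_TARGETS:
            alarms.add(("Mail worm", src))
    # SYN FLOOD: many SYNs but few handshakes completing, i.e. half-open pile-up.
    for dst, n in syns.items():
        if n >= SYN_FLOOD_MIN_SYNS and acks[dst] < SYN_FLOOD_MAX_ACK_RATIO * n:
            alarms.add(("SYN FLOOD", dst))
    return sorted(alarms)


def constructed_flows():
    """Synthetic flow records built for this example (not captured traffic)."""
    flows = []
    # Blaster-style sweep: one external host probes 25 internal hosts on tcp/135.
    flows += [Flow("198.51.100.5", f"10.0.1.{i}", "tcp", 135, 1, "S") for i in range(1, 26)]
    # Echo request sweep (type 8 code 0 -> dport 2048) against 30 internal hosts.
    flows += [Flow("198.51.100.7", f"10.0.2.{i}", "icmp", 2048, 1) for i in range(1, 31)]
    # Sasser-style probe of only 5 hosts: below threshold, must not alarm.
    flows += [Flow("198.51.100.8", f"10.0.3.{i}", "tcp", 445, 1, "S") for i in range(1, 6)]
    # External host walking the NetBIOS name service on 12 internal hosts.
    flows += [Flow("203.0.113.9", f"10.0.4.{i}", "udp", 137, 2) for i in range(1, 13)]
    # SYN flood: 600 SYNs from spoofed sources to one web server, no handshakes.
    flows += [Flow(f"192.0.2.{i % 250 + 1}", "10.0.0.50", "tcp", 80, 1, "S") for i in range(600)]
    # One legitimate client completing its handshake with the same server.
    flows += [Flow("10.0.0.7", "10.0.0.50", "tcp", 80, 1, "S"),
              Flow("10.0.0.7", "10.0.0.50", "tcp", 80, 40, "A")]
    return flows


if __name__ == "__main__":
    for alarm, address in classify(constructed_flows()):
        print(f"{alarm}: {address}")
```

The port/protocol rules alone would fire Worm.CodeRed on any busy web client, which is why each worm rule also requires a fan-out of distinct destinations; the SYN FLOOD rule likewise keys on the SYN-to-ACK imbalance rather than raw SYN volume, matching the catalog's description of half-open connections piling up.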