Manual Chapter : Viewing DDoS DNS Attack Information
Applies To:
BIG-IQ Centralized Management
- 7.0.0, 6.1.0
Viewing DDoS DNS Attack Information
View summary DDoS DNS attack information
You can review summary information about distributed denial of service (DDoS) attacks on the Domain Name System (DNS) for one or more BIG-IP devices.
- Select the information you want to see.
- To change the time period for which data is shown, select the period in the list at the top left, such as Last week or Last month. If you select Before, Between, or After, you also specify the dates and times to use. By default, this setting is Now, which displays statistical data over the last 24 hours and current attack data.
- Statistical data for the last 24 hours is shown in the areas in the upper portion of the screen: Total Requests, Authoritative Requests, Recursive Requests, Return Messages, Data Center Overview, Record Types, Queries By Country, and Queries per Second.
- Current attack data is shown in the areas primarily in the lower portion of the screen: DNS Attacks, Top 25 Attack URLs, Attacks by Query Type and Duration, Top 10 Attackers, and Top 10 DNS DDoS Attacks.
- To focus on a single BIG-IP device rather than all devices, select the device name in the setting at the top of the screen. By default, this setting is All Devices.
- To change how often the data is refreshed, select the interval in the setting at the top. By default, this setting is 30 second refresh.
- To view additional details about objects that support it, hover over the object or click that object.
- Review the information on the screen associated with the following labels:
- Total Requests lists the total number of domain name system (DNS) queries.
- Authoritative Requests lists the number of DNS queries made to authoritative name servers.
- Recursive Requests lists the number of DNS queries made to recursive name servers.
- DNS Attacks lists the number of Distributed Denial of Service (DDoS) attacks against DNS name servers.
- Return Messages lists the return message code, count, and a graph of the count change over time.
- Data Center Overview displays the total number of requests on each data center on a map. Hover over each highlighted area for more details. You can use + and - to zoom in and out of the map locations.
- Record Types lists the requests per second, by type, for the DNS mappings used to point a domain or subdomain to an IP address, and a graph of the RPS change over time.
- Queries by Country lists the number of requests per second (RPS) by country, with the number including both authoritative and recursive requests.
- Queries per Second shows a graph displaying the number of queries per second over time.
- Top 25 Attack URLs shows a pie graph that lists the top 25 URLs under DNS attack.
- Attacks by Query Type and Duration lists the DNS attacks by attack ID and query type for each listed attack. The relative size of the attack graphics indicates the relative duration of the attack. Click a particular attack to see a screen with more details about that attack.
- Top 10 Attackers shows a pie graph that lists the top 10 DNS attackers.
- Top 10 DNS DDoS Attacks shows a bar graph that lists the top 10 DNS attack types being used.
- DNS Anomalies shows a graph displaying the number of differences from expected DNS traffic patterns over time.
View details of a DDoS DNS attack
You can view the details of a particular DDoS attack on DNS name servers to better understand that particular attack. The identifier for the attack is shown in the screen title.
- In the Attacks by Query Type and Duration area, click an attack ID.
- Review the information.
- Source IP Locations shows where on a map the source IP addresses are located, and the colors indicate how many source IP addresses are in an area. You can use + and - to zoom in and out of map locations.
- Attack Details shows details about the attack, such as the attack status, attack duration, target IP address, severity, and so on.
- Top 50 Source IPs shows a pie chart listing the 50 IP addresses from which the largest number of attacks originated.
- Destination IPs shows a pie chart listing the destination IP addresses being attacked.
- Packets Received/Dropped shows a graph over time of the number of packets received or dropped.
- Source IP shows the source IP addresses from which the attack is coming, and the queries per second (QPS).
- Destination IP shows the destination IP addresses and ports being attacked, and the total attacks for each IP address and port.
- Devices shows the IP address of each BIG-IP device being attacked, the number of queries per second (QPS), and a historical graph showing the number of attacks over time.
- Events shows the BIG-IP devices that are being attacked, and the number of DoS packets being received and dropped.