Manual Chapter : Viewing DDoS DNS Attack Information

Applies To:

BIG-IQ Centralized Management

  • 7.1.0

View summary DDoS DNS attack information

You can review summary information about distributed denial of service (DDoS) attacks on the Domain Name System (DNS) for one or more BIG-IP devices.
  1. Click Monitoring > DASHBOARDS > DDoS > DNS.
  2. Select the information you want to see.
    • To change the time period for which data is shown, select the period in the list at the top left, such as Last week or Last month. If you select Before, Between, or After, you also specify the dates and times to use. By default, this setting is Now, which displays statistical data over the last 24 hours and current attack data.
      • Statistical data for the last 24 hours is shown in the areas in the upper portion of the screen: Total Requests, Authoritative Requests, Recursive Requests, Return Messages, Data Center Overview, Record Types, Queries By Country, and Queries per Second.
      • Current attack data is shown in the areas primarily in the lower portion of the screen: DNS Attacks, Top 25 Attack URLs, Attacks by Query Type and Duration, Top 10 Attackers, and Top 10 DNS DDoS Attacks.
    • To focus on a single BIG-IP device rather than all devices, select the device name in the setting at the top of the screen. By default, this setting is All Devices.
    • To change how often the data is refreshed, select the interval in the setting at the top. By default, this setting is 30 second refresh.
    • To view additional details about objects that support it, hover over the object or click that object.
  3. Review the information on the screen associated with the following labels:
    • Total Requests lists the total number of Domain Name System (DNS) queries.
    • Authoritative Requests lists the number of DNS queries made to authoritative name servers.
    • Recursive Requests lists the number of DNS queries made to recursive name servers.
    • DNS Attacks lists the number of distributed denial of service (DDoS) attacks against DNS name servers.
    • Return Messages lists the return message code, count, and a graph of the count change over time.
    • Data Center Overview displays the total number of requests on each data center on a map. Hover over each highlighted area for more details. You can use + and - to zoom in and out of the map locations.
    • Record Types lists the requests per second (RPS) for each type of DNS record (the mappings used to point a domain or subdomain to an IP address), and a graph of the RPS change over time.
    • Queries by Country lists the number of requests per second (RPS) by country, with the number including both authoritative and recursive requests.
    • Queries per Second shows a graph displaying the number of queries per second over time.
    • Top 25 Attack URLs shows a pie graph that lists the top 25 URLs under DNS attack.
    • Attacks by Query Type and Duration lists the DNS attacks by attack ID and query type for each listed attack. The relative size of the attack graphics indicates the relative duration of the attack. Click a particular attack to see a screen with more details about that attack.
    • Top 10 Attackers shows a pie graph that lists the top 10 DNS attackers.
    • Top 10 DNS DDoS Attacks shows a bar graph that lists the top 10 DNS attack types being used.
    • DNS Anomalies shows a graph displaying the number of DNS deviations from expected traffic patterns over time.

View details of a DDoS DNS attack

You can view the details of a particular DDoS attack on DNS name servers to better understand that particular attack. The identifier for the attack is shown in the screen title.
  1. Click Monitoring > DASHBOARDS > DDoS > DNS.
  2. In the Attacks by Query Type and Duration area, click an attack ID.
  3. Review the information.
    • Source IP Locations shows where on a map the source IP addresses are located, and the colors indicate how many source IP addresses are in an area. You can use + and - to zoom in and out of map locations.
    • Attack Details shows details about the attack, such as the attack status, attack duration, target IP address, severity, and so on.
    • Top 50 Source IPs shows a pie chart listing the 50 IP addresses from which the largest number of attacks originated.
    • Destination IPs shows a pie chart listing the destination IP addresses being attacked.
    • Packets Received/Dropped shows a graph over time of the number of packets received or dropped.
    • Source IP shows the source IP addresses from which the attack is coming, and the queries per second (QPS).
    • Destination IP shows the destination IP addresses and ports being attacked, and the total attacks for each IP address and port.
    • Devices shows the IP address of each BIG-IP device being attacked, the number of queries per second (QPS), and a historical graph showing the number of attacks over time.
    • Events shows the BIG-IP devices that are being attacked, and the number of DoS packets being received and dropped.