End-to-End Workflow
The TPS standalone detector uses a simplified IP network configuration and automatically detects, profiles, and identifies attacks at any layer of the network object: active IP subnets, hosts, and services. Network object-based detection supports IPv4 networks and uses NetFlow v9 and v10 (IPFIX) for traffic monitoring.
For detailed information on how the TPS detector performs network object-based detection and victim service identification, see DDoS Mitigation Guide.
The following section describes the automated orchestration and end-to-end workflow using A10 Defend Orchestrator App:
- Create a network object with an IPv4 address and a netmask between /8 and /16. The TPS detector auto-discovers active subnets, hosts, and services within the network object.
To create a network object, go to Configurations >> Protected Objects >> Network Objects. Within the network object, specify the static packet rate, percentage, or per mille threshold used to detect attacks and break the network object down into IPv4 subnets. You can also set the percentage threshold used to break down the services of an IP address, based on the services configured under the Zone Config Profile. For detailed information on creating a network object, see Network Objects.
When associating a Zone Operational Policy with the network object, make sure the Zone Oper Policy has the Victim IP option selected under BGP routes. For details on creating a Zone Oper Policy, see Zone Operational Policies.
- Once the network object is created, its operational mode is set to Learning by default. The TPS detector baselines traffic during normal traffic patterns to learn thresholds. After the initial learning period, traffic is continuously monitored for anomalies using network and histogram indicators.
- When a DDoS attack is detected, a new zone is automatically created with the name format <network object name>_<attacked IP subnet>, for example netobj10_10_1_0_0_24 for the subnet 10.1.0.0/24 of the network object netobj10. For more information about viewing the newly created zone, see Configuration. The new zone contains the attacked IP address together with the Zone Config Profile and Zone Operational Policy defined for the network object. The zone is then deployed to the TPS mitigator.
- A10 Defend Orchestrator App creates a BGP route to redirect traffic for the attacked IP addresses to the mitigator. The new zone created for the network object is pushed to the TPS mitigator, and the mitigation status changes to Mitigation. To view the BGP routes created for the attacked IP subnets, go to Configurations >> BGP >> Route. For more details on BGP routes, see BGP Route.
- When the TPS mitigator escalates, TPS notifies A10 Defend Orchestrator App, and an Incident is generated for the zone associated with the network object. To check the status of the zone incident, go to Mitigation >> Zone Incident. For additional information about zone incidents, see DDoS Incidents.
- Go to Monitoring >> Logging >> A10 Defend Orchestrator App Audit Logs to view all logs related to IP Anomaly attack detection. For information on A10 Defend Orchestrator App Audit Logs, see Monitoring.
- If another attack is detected on an IP address within the same subnet, the network object's zone is updated to include the additional attacked IP address, and mitigation continues in the same way until the attack stops.
- Once the traffic anomaly stops, the TPS detector sends an IP Anomaly cleared notification to A10 Defend Orchestrator App, and the following actions are performed:
  - A10 Defend Orchestrator App removes the BGP route for the attacked IP address from the TPS mitigator.
  - If it is the last attacked IP address in the network object, A10 Defend Orchestrator App stops any ongoing incidents, and the network object is removed from the TPS device.
  - A report is generated for the protected network object. Go to Monitoring >> Reporting >> Reports >> Reports and download the report; the Detector Logs section contains detailed information about the IP Anomaly attack.
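As an added illustration (not A10 code, and not the detector's actual algorithm), the following Python script lets an operator check three parts of the workflow above for themselves: that a network object is an IPv4 prefix between /8 and /16, how a static packet-rate, percentage, or per-mille breakdown threshold selects subnets from per-second flow counts, and how the auto-created zone name netobj10_10_1_0_0_24 is derived from the network object name and the attacked subnet. The flow records are constructed, the /24 breakdown granularity, the reading of percentage and per mille as a share of the network object's total packet rate, and the dots-and-slash-to-underscore naming rule are assumptions made for the example.

```python
"""Added example (not A10 code): validate a network object, apply a breakdown
threshold to constructed per-subnet packet rates, and derive the zone name."""
import ipaddress
from collections import defaultdict

MIN_PREFIX, MAX_PREFIX = 8, 16  # netmask range the workflow requires for a network object
BREAKDOWN_PREFIX = 24           # subnet size used for the breakdown (assumption)


def validate_network_object(cidr: str) -> ipaddress.IPv4Network:
    """Accept only an IPv4 prefix between /8 and /16; raise ValueError otherwise."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set in the prefix
    if net.version != 4:
        raise ValueError(f"{cidr}: network objects must be IPv4")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: netmask must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def is_valid_network_object(cidr: str) -> bool:
    """Boolean wrapper around validate_network_object for quick checks."""
    try:
        validate_network_object(cidr)
        return True
    except ValueError:
        return False


def zone_name(netobj_name: str, subnet: ipaddress.IPv4Network) -> str:
    """<network object name>_<attacked IP subnet>, e.g. netobj10 + 10.1.0.0/24
    -> netobj10_10_1_0_0_24. Replacing '.' and '/' with '_' is inferred from
    the documented example (assumption)."""
    return f"{netobj_name}_{str(subnet).replace('.', '_').replace('/', '_')}"


def subnet_packet_rates(net: ipaddress.IPv4Network, records):
    """Sum packets per /24 for records whose destination lies inside the network
    object. Each record is (destination IP, packets in a one-second window)."""
    rates = defaultdict(int)
    for dst, pkts in records:
        addr = ipaddress.ip_address(dst)
        if addr.version == 4 and addr in net:
            sub = ipaddress.ip_network(f"{addr}/{BREAKDOWN_PREFIX}", strict=False)
            rates[sub] += pkts
    return dict(rates)


def exceeded_subnets(rates, kind: str, value: float):
    """Subnets whose packet rate crosses the breakdown threshold.
    kind: 'pps' (static packet rate), 'percent' or 'permille' of the network
    object's total packet rate (assumed semantics of the three threshold types)."""
    total = sum(rates.values())
    if kind == "pps":
        limit = value
    elif kind == "percent":
        limit = total * value / 100
    elif kind == "permille":
        limit = total * value / 1000
    else:
        raise ValueError(f"unknown threshold kind: {kind}")
    return sorted(sub for sub, rate in rates.items() if rate > limit)


def detect(netobj_name: str, netobj_cidr: str, records, kind: str, value: float):
    """Return the zone names that would be created for subnets over threshold."""
    net = validate_network_object(netobj_cidr)
    rates = subnet_packet_rates(net, records)
    return [zone_name(netobj_name, sub) for sub in exceeded_subnets(rates, kind, value)]


NETOBJ_NAME = "netobj10"
NETOBJ_CIDR = "10.1.0.0/16"
# Constructed one-second flow summary (destination IP, packets); not real NetFlow data.
FLOW_RECORDS = [
    ("10.1.0.7", 900_000),    # flood target
    ("10.1.0.9", 300_000),    # second host in the same /24
    ("10.1.5.20", 40_000),    # normal traffic
    ("10.1.77.3", 25_000),
    ("10.1.200.1", 35_000),
    ("192.0.2.10", 500_000),  # outside the network object; ignored
]

if __name__ == "__main__":
    for kind, value in (("pps", 100_000), ("percent", 50), ("permille", 30)):
        print(f"{kind}={value}: {detect(NETOBJ_NAME, NETOBJ_CIDR, FLOW_RECORDS, kind, value)}")
```

With the constructed records, the static 100,000 pps threshold and the 50 percent threshold each break out only 10.1.0.0/24 (1,200,000 of 1,300,000 packets), while a 30 per mille threshold (39,000 packets) also breaks out 10.1.5.0/24; the zone names follow the documented netobj10_10_1_0_0_24 pattern. Traffic to 192.0.2.10 is ignored because it is not inside the network object.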