DDoS Incidents

An incident is created when a particular zone service is under a DDoS attack. An incident helps to track and manage the mitigation of an attack on a zone service. If a protected zone has more than one service that is simultaneously under attack, A10 Defend Orchestrator App creates multiple incidents, one for each service in the zone under attack.

A zone incident captures information such as start and end time of the attack, attack type, total attack bandwidth, and peak attack rate.

A zone service incident can be created manually through GUI or REST API, or automatically through GUI when it receives an attack detected notification from the A10 detector (in the case of reactive deployment) or the TPS mitigator (if it's deployed in a proactive mode).

In case of proactive deployment, the inbound traffic continuously flows through the mitigator, TPS automatically starts mitigation when it detects an attack. In case of reactive deployment, A10 Defend Orchestrator App configures TPS mitigator to advertise BGP routes and redirects the traffic to the attacked service through TPS.

For a reactive mode deployment, after the incident creation, a user can enable or disable automatic start and stop mitigation for a zone. Using A10 Defend Orchestrator App, this option can be set globally under Administration > Settings or at a per zone level through the Zone Operational Policy associated with that zone.

If the automatic start and stop mitigation is enabled, A10 Defend Orchestrator App starts mitigation for a zone after the incident is created for any service. If there are attacks on multiple services, A10 Defend Orchestrator App stops mitigation after the attack stops on the last of the attacked services.

NOTE:

Incidents are for A10 Defend Orchestrator App TPS local incidents and are not associated to incidents on ACOS TPS devices.

Perform the following steps to access the TPS Incidents page:

1. Navigate to Incidents > DDoS Incidents from the main menu.

   Table 17 : Zone Incidents Global Actions

   Field	Purpose
   Search By	Select one of the following zone incidents to filter the incidents: Incident Name Zone Name Service Attack Type Peak Rate PPS Peak Rate BPS Total Bandwidth Packets Total Bandwidth Bytes
   Search Incident or Zone	Enter a string (from the list of TPS Incidents).
   Filters by Time Frame	Enter the start and end date and time. All incidents that match the Status selected for this period will be listed. If only a start time is provided, and a search is done, then the end time is assumed to be the current time. For example, if the status Stopped was selected, and only a start time was provided, A10 Defend Orchestrator App would search for all incidents that were stopped beginning at the specified start time, up until the current time. If only an end time is provided, and a search is done, then the start time is considered the beginning of time. For example, if the status Stopped was selected and only an end time was provided, A10 Defend Orchestrator App would search for all stopped incidents that occurred until the end time.
   Filter By Status	Select one of the following statuses: All—Includes all types of attacks with their respective status. New—Indicates that an attack is detected but the mitigation has not started. Hence, it requires immediate attention. Ongoing—Indicates that an attack is detected, and the mitigation is started. Therefore, TPS is currently mitigating the attack. Stopped—Indicates that the attack is stopped. A10 Defend Orchestrator App receives an escalation level 0 notification from all mitigators that were part of the mitigator group associated with that zone.

2. (Optional) The following buttons appear across the upper-right side of the TPS Incidents table:

   Table 18 : Zone Incidents Fields

   Options	Purpose
   Add	Click the button to add a new Incident, see Create a New DDoS Incident (Zone) for further information.
   Refresh	Select the option to refresh the information displayed for the TPS Incidents.
   Bulk Actions	Under Bulk Actions, you can take actions on all incidents in one go. To delete, hover over Bulk Actions and select Delete or download the summary of all incidents by selecting Incident Summary Report.

   Table 19 : Zone Incidents Window

   Column heading	Description
   Status	Displays the status of the incident being mitigated. Status may be New, Ongoing, or Stopped.
   Incident Name	Displays the name of the incident. Click on Incident Name to move to Mitigation Console page with selected Incident.
   Zone Name	Displays the name of the zone.
   Service	Displays the service provided for the incident.
   Attack Type	Displays the type of attack assessed by TPS.
   Incident Time	Displays the time when the incident happened. The time stamp is as follows: Created—Displays the time when the incident was created in red. Started—Displays the time when the mitigation started for the incident in orange. Stopped—Displays the time when the mitigation stopped for the incident in green.
   Peak	Displays the peak attack rate in packets per second (PPS) and bytes per second (BPS).
   Total	Displays the total number of packets and bytes passed and dropped.
   Chart (PPS)	Displays the graphical representation of traffic related to the incident, plotted over time. Passed packets are shown in green and dropped packets are shown in red.
   Actions	Click to view the following actions: Info—Displays a summary of the zone incident information in a pop-up. For information on zone incident information, see Zone Incident Info. Edit—Allows you to make the changes to zone incident. For information on configurable parameters, see Create a New DDoS Incident (Zone). Using the Edit option, you can do the following things: Stop — Stop a new or ongoing incident Start Mitigation — Start mitigation for an incident. Report— Redirects you to the Schedule Report page. For scheduling a report, see Create a Report Schedule. Mitigation Console—This is displayed only when the incident status is Ongoing. Mitigation Console redirects the page to Incidents > Mitigation Console page. Zone Mitigation Console allows you to view complete information about the selected zone incident. For more information about Zone Mitigation Console, see Zone Service.