ACOS offers more fine-grained DDoS protection by blacklisting individual IP addresses in a NAT IP pool when they come under DDoS attack.
When a DDoS attack directed at a specific IP address within a NAT IP pool is detected, the ACOS device adds that IP address to the blacklist. The ACOS blacklist can hold up to 1024 IP addresses at any given moment.
ACOS detects a DDoS attack when a large number of out-of-sequence packets are sent to a NAT IP within a short time. The packets-per-second (PPS) limit sets the maximum number of out-of-sequence packets allowed before an IP is blacklisted; the PPS threshold can range from 0 to 30000000 out-of-sequence packets. Out-of-sequence packets include the first packet of a new session and illegitimate packets such as those with no session match or no LSN full-cone match.
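The detection rule above (count out-of-sequence packets per NAT IP, blacklist the IP once the count in a short window exceeds the PPS threshold, stop adding entries once the blacklist holds 1024 addresses) is modelled below as an added example. This is illustration code written for this page, not ACOS's or A10's implementation. It assumes a one-second counting window, treats "out-of-sequence" as "no matching session", and uses a deliberately small constructed threshold of 5 and constructed sample traffic (RFC 5737 / CGNAT addresses) so the behaviour is visible; how ACOS later removes blacklist entries is not modelled.

```python
"""Model of the out-of-sequence PPS blacklist threshold (added example, not ACOS code)."""
import ipaddress
from collections import defaultdict

MAX_BLACKLIST = 1024     # blacklist capacity stated in the text
PPS_THRESHOLD = 5        # constructed small threshold (ACOS allows 0..30000000)
WINDOW_SECONDS = 1.0     # assumption: out-of-sequence packets are counted per second


class NatBlacklist:
    def __init__(self, pps_threshold=PPS_THRESHOLD, capacity=MAX_BLACKLIST):
        self.pps_threshold = pps_threshold
        self.capacity = capacity
        self.sessions = set()                   # known 5-tuples (stand-in session table)
        self.counts = defaultdict(int)          # nat_ip -> out-of-sequence packets in window
        self.window_start = defaultdict(float)  # nat_ip -> start of current window
        self.blacklist = set()
        self.overflow = []                      # IPs over threshold after capacity was reached

    def is_out_of_sequence(self, pkt):
        """A packet with no matching session is out-of-sequence (first packet of a new
        session, or a packet with no session / full-cone match, both folded in here)."""
        key = (pkt["src"], pkt["sport"], pkt["nat_ip"], pkt["dport"], pkt["proto"])
        if key in self.sessions:
            return False
        self.sessions.add(key)
        return True

    def observe(self, pkt):
        ip = pkt["nat_ip"]
        if ip in self.blacklist:
            return "dropped"
        if not self.is_out_of_sequence(pkt):
            return "forwarded"
        if pkt["ts"] - self.window_start[ip] >= WINDOW_SECONDS:  # start a new window
            self.window_start[ip] = pkt["ts"]
            self.counts[ip] = 0
        self.counts[ip] += 1
        if self.counts[ip] > self.pps_threshold:
            if len(self.blacklist) < self.capacity:
                self.blacklist.add(ip)
                return "blacklisted"
            self.overflow.append(ip)            # capacity reached: IP cannot be added
            return "capacity_exceeded"
        return "forwarded"


def make_trace():
    """Constructed trace: one NAT IP with normal traffic, one under a flood of first packets."""
    trace = []
    for sec in range(3):                        # legitimate: 3 new sessions per second
        for n in range(3):
            p = dict(ts=sec + n * 0.1, src="198.51.100.%d" % (n + 1), sport=40000 + sec * 10 + n,
                     nat_ip="203.0.113.10", dport=443, proto="tcp")
            trace.append(p)
            trace.append(dict(p, ts=p["ts"] + 0.05))   # second packet of the same session
    for n in range(50):                         # flood: 50 first packets within half a second
        trace.append(dict(ts=1.0 + n * 0.01, src="192.0.2.%d" % (n % 254 + 1), sport=50000 + n,
                          nat_ip="203.0.113.20", dport=80, proto="tcp"))
    return sorted(trace, key=lambda p: p["ts"])


def run_demo(threshold=PPS_THRESHOLD):
    """Returns the blacklisted IPs and a (nat_ip, verdict) -> packet count summary."""
    bl = NatBlacklist(pps_threshold=threshold)
    verdicts = defaultdict(int)
    for pkt in make_trace():
        verdicts[pkt["nat_ip"], bl.observe(pkt)] += 1
    return sorted(bl.blacklist), dict(verdicts)


def run_capacity_demo(threshold=PPS_THRESHOLD, capacity=MAX_BLACKLIST):
    """Floods capacity+1 distinct NAT IPs from a constructed CGNAT pool; the last one
    exceeds the threshold but no longer fits in the blacklist."""
    bl = NatBlacklist(pps_threshold=threshold, capacity=capacity)
    base = int(ipaddress.IPv4Address("100.64.0.0"))
    for i in range(capacity + 1):
        nat_ip = str(ipaddress.IPv4Address(base + i))
        for n in range(threshold + 1):
            bl.observe(dict(ts=0.0, src="192.0.2.1", sport=n, nat_ip=nat_ip, dport=80, proto="udp"))
    return len(bl.blacklist), len(bl.overflow)


if __name__ == "__main__":
    print(run_demo())
    print(run_capacity_demo())
```

In `run_demo` the NAT IP carrying normal traffic never exceeds 3 out-of-sequence packets per window and stays off the blacklist, while the flooded IP is blacklisted on its sixth first-packet and the remaining 44 packets are dropped; `run_capacity_demo` shows the 1024-entry limit, after which a further attacked IP is reported but cannot be added.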
IP Blacklisting analytics requires log parametrization of the system logs. You can view the blacklisted IPs that are causing the attacks through ACOS or A10 Control.
NOTE: IP Blacklisting works on ACOS 5.2.1-P6 or a later version.
To view the IP Blacklist data, navigate to Analytics > Security > IP Blacklist.
The following fields are available for the configuration:
| Field | Description |
|---|---|
| Blacklisted NAT IP | Total NAT IPs displays the total number of IPs from all the pools. IP Blacklisted displays the number of blacklisted IPs. |
| Top 10 Blacklisted IP: Port Protocol | Displays the top 10 blacklisted entries. Displays only L3 IPs and L4 IP port protocols. |
| Blacklisted Events | Displays the number of IPv4 L3, IPv4 L4, and IPv6 L3 entries added and removed. |
| Blacklisted Events List | Lists the details of all blacklisted events in a table. Use the Search option to find the required blacklisted event. |
For more information about IP Blacklist for DDoS protection, see the IPv4-to-IPv6 Transition Solutions Guide.