
Protecting Internal Servers and Hosts Against Attacks via Abnormal Behavior Detection

This example introduces how to use Abnormal Behavior Detection to detect attacks against servers as early as possible, and how to integrate it with Mitigation to protect the servers better.

As shown in the topology, the device is deployed at the data center exit. After Abnormal Behavior Detection is enabled and configured, the administrator can detect the following attacks and protect the internal hosts and servers: a Web server that is frequently hit by SYN flood attacks, a mail server that is periodically hit by port scan attacks, and an intranet host implanted with a Trojan that generates fake domain names with a DGA algorithm and connects to an external command-and-control server.

* To use Abnormal Behavior Detection, apply for and install the StoneShield license.

Step 1: Enabling Abnormal Behavior Detection to defend internal hosts

Select Network > Zone. Select the 'trust' zone, click Edit, and select the <Threat Protection> tab.

  • Abnormal Behavior Detection: Select the Enable check box.
  • Host Defender: Select the Host Defender check box. To enable abnormal behavior detection of the HTTP factor, select the Advanced Protection check box. To enable DDoS protection for the host, select the DDoS Protection check box. To capture and save the evidence that leads to an abnormal behavior alarm, select Forensic.

Step 2: Configuring the critical asset object (Web Server and Mail Server)

Select Network > Zone. Select the 'dmz' zone, click Edit, and select the <Threat Protection> tab.

  • Abnormal Behavior Detection: Select the Enable check box.

1. Configuring the Abnormal Behavior Detection object (Web Server), and enabling Web Server Advanced Protection.

Click Object > Critical Assets, and click New.

  • Name: Web Server
  • Type: Server
  • IP: 172.20.0.10
  • Web Server Advanced Protection: Select the check box.

2. Configuring the Abnormal Behavior Detection object (Mail Server)

Click Object > Critical Assets, and click New.

  • Name: Mail Server
  • Type: Server
  • IP: 172.18.1.20

Step 3: Viewing the results of Abnormal Behavior Detection

1. Viewing the results from iCenter

Results of Web Server:

  • Select iCenter > Critical Assets, and click the critical asset name 'Web Server' in the list to view the information of this critical asset.
  • For example, click the Internal Recon > 'TCP SYN Flood Attack' link in the kill chain list to view the Abnormal Behavior Detection information and the trend chart of the actual value and predictive value of the detected object.

Results of Mail Server:

  • Select iCenter > Critical Assets, and click the critical asset name 'Mail Server' in the list to view the information of this critical asset.
  • For example, click the Initial Exploit > 'Port Scan' link in the kill chain list to view the Abnormal Behavior Detection information and the trend chart of the baseline and thresholds of the detected object.

Results of Internal Host:

1. Click iCenter > Threat, and click Filter to add conditions.

  • Detected by: Abnormal Behavior Detection

2. For example, click the 'The Domain Name of DNS Response Is Malicious Domain Generated by DGA' link in the list to view the malware and abnormal behavior attack details detected from the DNS mapping.

In the Threat Analysis tab, you can view the information of the hosts that send the DGA-generated fake domain names.

2. Viewing the results from threat log

1. Select Monitor > Log > Threat, and click Filter to add conditions that show only the logs matching your filter.

  • Detected By: Abnormal Behavior Detection

2. The logs of Abnormal Behavior Detection will be displayed.

Step 4: Integrating with Mitigation, and configuring the mitigation rules for the attacks

Select iCenter > Mitigation > Mitigation Rule, and select the Enable Auto Mitigation check box.

Configuring mitigation rules for Port Scan

In the Mitigation Rule page, click New.

  • Log Type: Scan
  • Severity: Low
  • Value: >= 10 Time
  • Action Type: User defined > IP Block
  • Duration: 60

Configuring mitigation rules for TCP SYN Flood Attack

In the Mitigation Rule page, click New.

  • Log Type: DoS > DDoS Flood
  • Severity: Low
  • Value: >= 10 Time
  • Role: Attacker
  • Action Type: User defined > Session Control
  • Session Type: New Session
  • Total Number: 20
  • Drop Percent: 50
  • Duration: 60
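
The rule logic configured in Step 4, as an added Python illustration that is not the device's own code: it replays constructed sample threat-log records through the two rules above and emits the configured action once a source reaches the rule's '>= 10 Time' value. The log field names, the omission of a time window, and the shape of the emitted action are assumptions.

```python
from collections import defaultdict

DETECTOR = "Abnormal Behavior Detection"

def entry(log_type, src, detected_by=DETECTOR, role="Attacker", severity="Low"):
    """Build one constructed threat-log record with the fields the rules filter on."""
    return {"detected_by": detected_by, "log_type": log_type,
            "severity": severity, "role": role, "src": src}

# Constructed sample log stream (not captured from a device); addresses are placeholders.
SAMPLE_LOGS = (
    [entry("Scan", "10.1.1.5")] * 12                          # crosses the >= 10 threshold
    + [entry("Scan", "10.1.1.6")] * 5                         # stays below it: no action
    + [entry("DDoS Flood", "203.0.113.7")] * 11               # flood source, role Attacker
    + [entry("DDoS Flood", "203.0.113.8", detected_by="IPS")] * 15  # not ABD: ignored
)

# The two mitigation rules from Step 4, expressed as data (values from the page).
RULES = [
    {"log_type": "Scan", "severity": "Low", "min_count": 10,
     "action": "IP Block", "duration": 60},
    {"log_type": "DDoS Flood", "severity": "Low", "min_count": 10, "role": "Attacker",
     "action": "Session Control", "session_type": "New Session",
     "total_number": 20, "drop_percent": 50, "duration": 60},
]

def matches(rule, log):
    """A record matches when detector, log type, severity and (if the rule sets it) role agree."""
    return (log["detected_by"] == DETECTOR
            and log["log_type"] == rule["log_type"]
            and log["severity"] == rule["severity"]
            and rule.get("role", log["role"]) == log["role"])

def evaluate(logs, rules):
    """Count matching records per (rule, source) and emit the rule's action exactly once,
    when the count reaches the rule's Value (>= N times). Returns the list of actions."""
    counts = defaultdict(int)
    actions = []
    for log in logs:
        for i, rule in enumerate(rules):
            if not matches(rule, log):
                continue
            counts[(i, log["src"])] += 1
            if counts[(i, log["src"])] == rule["min_count"]:      # fire once, not on every hit
                params = {k: v for k, v in rule.items()
                          if k not in ("log_type", "severity", "min_count", "role")}
                actions.append({"target": log["src"], **params})
    return actions

if __name__ == "__main__":
    for action in evaluate(SAMPLE_LOGS, RULES):
        print(action)
```
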

Step 5: Viewing the results of mitigation rules

Click iCenter > Mitigation > Mitigation Action to view the detailed results of the mitigation actions taken by the mitigation rules.