Host Agent Templates

The Hosts category of agents uses information from PacketShaper's host database. These agents are useful for identifying hosts that are using too much bandwidth or that may be attacking your network, for example with spoofing or SYN attacks.

Each template below is listed with its agent template name, its default agent name (na if the template has no default agent), and a description.

Agent Template Name: High Bandwidth Host
Default Agent Name: na

An agent based on the High Bandwidth Host template monitors hosts to determine whether any single host is using too much bandwidth, and can help prevent any one host from consuming too much of it. The High Bandwidth Host agent will not return correct values if the unit has more than one instance of this agent type. The agent tracks hosts sending and/or receiving an excessive amount of traffic, allowing you to find hosts that are downloading or uploading data at high levels.

Agent Parameters

RedThreshold: An unacceptable percentage of bandwidth consumed by a single host

GreenThreshold: An acceptable percentage of bandwidth

Default values for the parameters are as follows:

  • RedThreshold: > 10% of bandwidth on either link
  • GreenThreshold: < 5% of bandwidth on either link
  • Yellow: 5%-10% of bandwidth on either link
  • Evaluation interval: 1 minute

Action File Variables

$host-ip, $direction, $avg-bps
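The following Python model shows how the three thresholds above partition a host's share of a link into red, yellow and green, and how the resulting action-file variables ($host-ip, $direction, $avg-bps) could be assembled for each host that is not green. It is an added illustration, not PacketShaper code: the link speeds, host samples, and the "inbound"/"outbound" direction values are constructed assumptions.

```python
"""Model of the High Bandwidth Host agent's evaluation (added illustration,
not PacketShaper code).  Link speeds and host samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Page defaults: red above 10%, green below 5%, yellow in between.
RED_THRESHOLD_PCT = 10.0
GREEN_THRESHOLD_PCT = 5.0


@dataclass
class HostSample:
    """Average traffic of one host in one direction over the 1-minute interval."""
    host_ip: str
    direction: str   # assumed values: "inbound" or "outbound"
    avg_bps: float   # average bits per second


def classify(avg_bps: float, link_bps: float,
             red_pct: float = RED_THRESHOLD_PCT,
             green_pct: float = GREEN_THRESHOLD_PCT) -> str:
    """Map a host's share of the link to red / yellow / green."""
    pct = 100.0 * avg_bps / link_bps
    if pct > red_pct:
        return "red"
    if pct < green_pct:
        return "green"
    return "yellow"            # exactly at a threshold counts as yellow


def evaluate_high_bandwidth_host(samples: List[HostSample],
                                 link_bps: Dict[str, float],
                                 red_pct: float = RED_THRESHOLD_PCT,
                                 green_pct: float = GREEN_THRESHOLD_PCT) -> List[dict]:
    """Evaluate every sample against the link it travels on and return, for
    each host that is not green, the action-file variables the page lists."""
    hits = []
    for s in samples:
        state = classify(s.avg_bps, link_bps[s.direction], red_pct, green_pct)
        if state != "green":
            hits.append({"$host-ip": s.host_ip, "$direction": s.direction,
                         "$avg-bps": s.avg_bps, "state": state})
    return hits


# Constructed sample: a 10 Mbit/s link in each direction.
LINK_BPS = {"inbound": 10_000_000.0, "outbound": 10_000_000.0}
SAMPLES = [
    HostSample("10.1.1.20", "outbound", 1_500_000.0),   # 15% -> red
    HostSample("10.1.1.21", "inbound", 700_000.0),      # 7%  -> yellow
    HostSample("10.1.1.22", "inbound", 200_000.0),      # 2%  -> green
    HostSample("10.1.1.23", "outbound", 1_000_000.0),   # 10% -> yellow (not above red)
]

if __name__ == "__main__":
    for hit in evaluate_high_bandwidth_host(SAMPLES, LINK_BPS):
        print(hit)
```

Because the page defines red as strictly above 10% and green as strictly below 5%, a host sitting exactly on either boundary is yellow; the sample set includes one such host so the boundary behaviour is visible.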

Example

Agent Template Name: NFPM Side Unknown
Default Agent Names: Spoofing - Server, Spoofing - Client

Agents based on the New Flows Per Minute (NFPM) Side Unknown template detect hosts that may be spoofing. Spoofing attacks send packets that appear to be from a trusted source by maliciously setting the source and/or destination to false addresses. The traffic can then gain access to hosts or services that should be secure. A host is considered to be in violation if it exceeds the defined number of new flows per minute.

Agent Parameters

Side: client or server

SideThreshold: Number of new flows per minute

New Flows Per Minute: The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period.

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses of any hosts (such as servers) that you know are not spoofing. See Host Exception Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of new flows per minute (SideThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

  • SideThreshold > 100,000 new flows per minute
  • ViolatingHosts = violatingHosts (name of host list)
  • ExceptionHosts = exceptionHosts (name of host list)
  • RedThreshold >= 1 violating hosts
  • GreenThreshold <= 0
  • Evaluation interval: 1 minute

Note: In order for the agents to work properly, you must set the SideThreshold to a value that is appropriate for your network traffic patterns.

Action File Variables

$side, $sideThreshold, $violatingHosts, $exceptionHosts

Example

Agent Template Name: NFPM Failed Flow
Default Agent Name: na

An agent based on the New Flows Per Minute (NFPM) Failed Flow template detects hosts that may be SYN attacking. It identifies hosts that have failed flows during the evaluation interval AND that have new flows per minute that exceed the FlowsThreshold.

Agent Parameters

FlowsThreshold: Number of new flows per minute

New Flows Per Minute: The number of new flows initiated from a host (in the case of a client host) or to a host (in the case of a server) during a one-minute period.

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses of any hosts (such as servers) that you know are not SYN attacking. See Host Exception Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it has any failed flows AND exceeds the defined number of new flows per minute (FlowsThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

  • FlowsThreshold > 100,000 new flows per minute
  • ViolatingHosts = violatingHosts (name of host list)
  • ExceptionHosts = exceptionHosts (name of host list)
  • RedThreshold >= 1 violating hosts
  • GreenThreshold <= 0
  • Evaluation interval: 1 minute

Note: In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns.

Action File Variables

$flowsThreshold, $violatingHosts, $exceptionHosts

Example

Agent Template Name: Failed Flow Ratio
Default Agent Name: na

Agents based on the Failed Flow Ratio template detect hosts that have a high ratio of failed flows compared to new client flows per minute.

Agent Parameters

RatioThreshold: Percentage of new client flows per minute that are failed flows

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses of any hosts (such as servers) that you know are not SYN attacking. See Host Exception Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the RatioThreshold

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

  • RatioThreshold > 100 percent
  • ViolatingHosts = violatingHosts (name of host list)
  • ExceptionHosts = exceptionHosts (name of host list)
  • RedThreshold >= 1 violating hosts
  • GreenThreshold <= 0
  • Evaluation interval: 1 minute

Note: In order for the agents to work properly, you must set the RatioThreshold to a value that is appropriate for your network traffic patterns.

Action File Variables

$ratioThreshold, $violatingHosts, $exceptionHosts

Example

Agent Template Name: Host Info Variables
Default Agent Name: Syn Attack - Failed Flow

With the Host Info Variables template, you can select a variable to monitor hosts: Current Connections, New Flows Client, New Flows Server, Failed Flows.

Agent Parameters

VariableName: Current Connections, New Flows Client, New Flows Server, Failed Flows

FlowsThreshold: Number of new flows or connections per minute

ViolatingHosts: Name of host list. Adaptive response will automatically add violating hosts to this host list. For more information about using violating host lists, see Violating Host Lists.

Note: All host agents have the same default violating host list name (violatingHosts). If you want to maintain unique host lists for each agent, make sure to change the name when defining the agent.

ExceptionHosts: Name of host list that contains hosts to be excluded. You should edit this host list and add the IP addresses of any hosts (such as servers) that you know are not SYN attacking. See Host Exception Lists.

RedThreshold: An unacceptable number of violating hosts; a host is in violation if it exceeds the defined number of flows or connections (FlowsThreshold)

GreenThreshold: An acceptable number of violating hosts

Default values for the parameters are as follows:

  • FlowsThreshold > 100,000 (connections, new flows per minute, or failed flows)
  • ViolatingHosts = violatingHosts (name of host list)
  • ExceptionHosts = exceptionHosts (name of host list)
  • RedThreshold >= 1 violating hosts
  • GreenThreshold <= 0
  • Evaluation interval: 1 minute

Note: In order for the agents to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns.

Action File Variables

$variableName, $flowsThreshold, $violatingHosts, $exceptionHosts
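The four host-list based templates (NFPM Side Unknown, NFPM Failed Flow, Failed Flow Ratio, and Host Info Variables) share one mechanism: a per-template test decides whether a host is in violation, hosts on the ExceptionHosts list are skipped, violators are added to the ViolatingHosts list, and the count of violators is graded against RedThreshold and GreenThreshold. The Python model below is an added illustration of that mechanism, not PacketShaper code; the host statistics, the list names other than the defaults, and the assumption that NFPM Failed Flow compares client-side new flows are all constructed. It also reproduces the Note above: two agents left on the default list name pool their violators into one list.

```python
"""Model of the host-list based host agents: NFPM Side Unknown, NFPM Failed
Flow, Failed Flow Ratio and Host Info Variables.  Added illustration only,
not PacketShaper code; all host statistics below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class HostStats:
    """One host-database record for a one-minute evaluation interval."""
    ip: str
    new_flows_client: int = 0      # new flows initiated from the host
    new_flows_server: int = 0      # new flows initiated to the host
    failed_flows: int = 0
    current_connections: int = 0


@dataclass
class HostAgentConfig:
    """Parameters shared by the four templates, with the page's defaults."""
    violating_hosts: str = "violatingHosts"
    exception_hosts: str = "exceptionHosts"
    red_threshold: int = 1         # red when violating hosts >= this
    green_threshold: int = 0       # green when violating hosts <= this


# One violation test per template; each returns True if the host violates.
def side_unknown_violates(h: HostStats, side: str, side_threshold: int = 100_000) -> bool:
    flows = h.new_flows_client if side == "client" else h.new_flows_server
    return flows > side_threshold

def failed_flow_violates(h: HostStats, flows_threshold: int = 100_000) -> bool:
    # Assumption: the new-flow count compared here is the client-side count.
    return h.failed_flows > 0 and h.new_flows_client > flows_threshold

def failed_ratio_violates(h: HostStats, ratio_threshold_pct: float = 100.0) -> bool:
    if h.new_flows_client == 0:
        return False               # no client flows: ratio undefined, no violation
    return 100.0 * h.failed_flows / h.new_flows_client > ratio_threshold_pct

HOST_INFO_VARIABLES = {            # VariableName -> accessor on the host record
    "Current Connections": lambda h: h.current_connections,
    "New Flows Client": lambda h: h.new_flows_client,
    "New Flows Server": lambda h: h.new_flows_server,
    "Failed Flows": lambda h: h.failed_flows,
}

def host_info_violates(h: HostStats, variable_name: str, flows_threshold: int = 100_000) -> bool:
    return HOST_INFO_VARIABLES[variable_name](h) > flows_threshold


def evaluate(hosts: List[HostStats], violates: Callable[[HostStats], bool],
             cfg: HostAgentConfig, host_lists: Dict[str, Set[str]]) -> Tuple[str, List[str]]:
    """Skip exception-list hosts, add violators to the violating host list,
    and grade the interval red / yellow / green by the number of violators."""
    exceptions = host_lists.get(cfg.exception_hosts, set())
    violators = [h.ip for h in hosts if h.ip not in exceptions and violates(h)]
    host_lists.setdefault(cfg.violating_hosts, set()).update(violators)
    n = len(violators)
    if n >= cfg.red_threshold:
        return "red", violators
    if n <= cfg.green_threshold:
        return "green", violators
    return "yellow", violators


CONSTRUCTED_HOSTS = [
    HostStats("10.0.0.5", new_flows_client=150_000),                       # spoofing client
    HostStats("10.0.0.6", new_flows_client=120_000, failed_flows=90_000),  # spoofing + SYN
    HostStats("10.0.0.7", new_flows_client=400, failed_flows=600),         # 150% failed ratio
    HostStats("10.0.0.8", new_flows_client=500_000),                       # on the exception list
    HostStats("10.0.0.9", new_flows_server=200_000),                       # busy server
    HostStats("10.0.0.10", new_flows_server=110_000),
]


def run_demo() -> Dict[str, object]:
    """Run each template once over the constructed hosts and return the results."""
    host_lists: Dict[str, Set[str]] = {"exceptionHosts": {"10.0.0.8"}}
    out: Dict[str, object] = {}
    # Two agents left on the default list name share one violating host list.
    out["spoof_client"] = evaluate(CONSTRUCTED_HOSTS, lambda h: side_unknown_violates(h, "client"),
                                   HostAgentConfig(), host_lists)
    out["spoof_server"] = evaluate(CONSTRUCTED_HOSTS, lambda h: side_unknown_violates(h, "server"),
                                   HostAgentConfig(), host_lists)
    # The remaining agents get their own (constructed) list names to stay separate.
    out["syn_failed_flow"] = evaluate(CONSTRUCTED_HOSTS, failed_flow_violates,
                                      HostAgentConfig(violating_hosts="synViolators"), host_lists)
    out["failed_ratio"] = evaluate(CONSTRUCTED_HOSTS, failed_ratio_violates,
                                   HostAgentConfig(violating_hosts="ratioViolators"), host_lists)
    out["host_info"] = evaluate(CONSTRUCTED_HOSTS, lambda h: host_info_violates(h, "New Flows Server"),
                                HostAgentConfig(violating_hosts="hostInfoViolators",
                                                red_threshold=3, green_threshold=1), host_lists)
    out["host_lists"] = host_lists
    return out
```

With the page's default RedThreshold (>= 1) and GreenThreshold (<= 0) an interval is never yellow, so the Host Info Variables agent in the demo is given non-default thresholds to show the yellow band. Note that host 10.0.0.8 exceeds every flow threshold but never appears in any violating list, because it is on the exception list, while the two spoofing agents, both left on the default list name, end up writing into the same violatingHosts list.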

Example

See also:

Agent Host Lists


PacketGuide™ for PacketWise® 7.5