Algorithm activation strategy
| Algorithm name | Internal / core routers | Edge routers | Public IP addresses defined in IP Groups |
| --- | --- | --- | --- |
| Bogon Traffic | No | Yes | Yes |
| BotNet Detection | FlowPro Defender | FlowPro Defender | N/A |
| Breach Attempt Detection | Yes | Yes | Yes |
| DDoS Detection | No | Yes | Yes |
| Denied Flows Firewall | Yes | No | No |
| DNS Command and Control | FlowPro Defender | FlowPro Defender | N/A |
| DNS Data Link | FlowPro Defender | FlowPro Defender | N/A |
| DNS Hits | Yes | Yes | Yes |
| Domain Reputation | FlowPro Defender | FlowPro Defender | N/A |
| DRDoS Detection | No | Yes | Yes |
| FIN Scan | Yes | Yes | No |
| Host Reputation | No | Yes | Yes |
| Host Watchlist | No | Yes | Yes |
| ICMP Destination Unreachable | Yes | No | No |
| ICMP Port Unreachable | Yes | No | No |
| IP Address Violations | Yes | Yes | Yes |
| JA3 Fingerprinting | FlowPro Defender | FlowPro Defender | N/A |
| Malware Behavior Detection | FlowPro Defender | FlowPro Defender | N/A |
| Multicast Violations | Yes | Yes | Yes |
| Large Ping | Yes | Yes | Yes |
| NetFlow Domain Reputation | Yes | Yes | Yes |
| Null Scan | Yes | Yes | No |
| Odd TCP Flags Scan | Yes | Yes | No |
| Packet Flood | Yes | Yes | Yes |
| Persistent Flow Risk | Yes | Yes | No |
| P2P Detection | Yes | Yes | No |
| Ping Flood | Yes | Yes | Yes |
| Ping Scan | Yes | Yes | Yes |
| Protocol Misdirection | Yes | Yes | Yes |
| Reverse SSH Shell | Yes | Yes | Yes |
| RST/ACK Detection | Yes | Yes | No |
| Slow Port Scan | Yes | Yes | Yes |
| Source Equals Destination | Yes | Yes | Yes |
| SYN Scan | Yes | Yes | No |
| TCP Scan | Yes | Yes | No |
| UDP Scan | Yes | Yes | No |
| Worm Attack | Yes | Yes | Yes |
| Worm Propagation | Yes | Yes | Yes |
| XMAS Scan | Yes | Yes | No |
Algorithms for public IP addresses
Public IP addresses that belong to the organization should be defined in an IP Group, which causes them to be treated as part of the protected network. Algorithms such as DDoS Detection will not trigger an alarm unless the target of the attack is an internal address, that is, one defined within an IP Group.
If the primary concern is ‘internal to internal’ and ‘internal to external’ monitoring, then enable algorithms on the core routers. Ensure that any routable IP addresses that should be monitored as part of the internal network are defined within an IP Group. Monitoring ‘internal to internal’ and ‘internal to external’ traffic is highly recommended for identification of traffic patterns that may indicate a compromised asset and to assist with incident response.
If the primary concern is monitoring public assets, ensure that all public IP addresses are contained within an IP Group. Add the edge routers to most algorithms.
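Because algorithms such as DDoS Detection only alarm on targets inside an IP Group, a routable address that is monitored but missing from every IP Group is a silent gap. The following is an added example (not the product's own code or configuration) of a small audit that finds such addresses; the IP Group names, prefixes and sample asset list are constructed, and the RFC 5737 documentation ranges used as samples are treated as routable here.

```python
import ipaddress

# Constructed IP Groups (name -> CIDR prefixes); names and prefixes are invented.
IP_GROUPS = {
    "Corp-LAN": ["10.0.0.0/8", "192.168.0.0/16"],
    "DMZ-Public": ["203.0.113.0/26"],
}

# Ranges that are never routable on the public Internet and therefore never need
# an IP Group entry: RFC 1918, loopback, link-local, CGNAT shared space, multicast.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
)]


def is_routable(address: str) -> bool:
    """True when the address falls outside every NON_ROUTABLE range."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in NON_ROUTABLE)


def groups_covering(address: str, groups=IP_GROUPS) -> list:
    """Names of the IP Groups whose prefixes contain the address (sorted)."""
    ip = ipaddress.ip_address(address)
    return sorted(
        name for name, prefixes in groups.items()
        if any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)
    )


def uncovered_public_assets(assets, groups=IP_GROUPS) -> list:
    """Routable addresses that no IP Group contains.

    Target-scoped algorithms (e.g. DDoS Detection, per the activation table) will
    not alarm for these, so each one should be added to an IP Group.
    """
    return [a for a in assets if is_routable(a) and not groups_covering(a, groups)]


if __name__ == "__main__":
    # Constructed asset inventory: two covered, two routable-but-uncovered.
    inventory = ["203.0.113.10", "203.0.113.100", "198.51.100.5", "10.1.2.3"]
    for addr in uncovered_public_assets(inventory):
        print(f"{addr}: routable but not in any IP Group")
```

Run it against the real asset inventory and IP Group export; any address it prints is one the edge-router algorithms will treat as an external host rather than a protected target.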