====== Detecting DDoS attacks, BotNet activity, and visits to specific resources using triggers in QoE ======
[[dpi:qoe_analytics:qoe_gui:offline_analytics:triggers_and_notifications|Triggers]] are used to search data in QoE Stor based on specified parameters. When a trigger fires, one of the following actions can occur:
  * Notification in GUI
  * HTTP action
  * Email notification
\\
Required SSG DPI options:
  * [[dpi:dpi_options:opt_statistics]]
  * [[dpi:dpi_options:opt_notify]]
Required additional modules:
  * [[dpi:dpi_components:dpiui|]]
  * [[dpi:qoe_analytics:implementation_administration|]]
===== Example: configuring a trigger to detect the source of a Flood-type DDoS attack =====
=== General trigger information ===
{{ :dpi:qoe:use_cases:ddos_common.png?nolink&600 |}}
Trigger name: “DDOS source detection”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.
Every day, the system will perform a check every hour based on the conditions described below.
=== Queries ===
{{ :dpi:qoe:use_cases:ddos_query.png?nolink&600 |}}
  * Add field
  * Name: A
  * Select table for scanning: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
  * Select period from “now – 15 minutes” to “now”
In this case, the system analyzes the traffic in the selected report for the last 15 minutes on every check.
=== Conditions ===
{{ :dpi:qoe:use_cases:ddos_conditions.png?nolink&600 |}}
  * Add two "+" fields
  * Link – AND
  * Function – avg
  * Condition 1 – session lifetime <= 20 (ms)
  * Condition 2 – number of sessions >= 1500
This means the trigger will fire when sessions with an average lifetime ≤ 20 ms AND 1500 or more sessions from the same IP host are detected in the analyzed period.
=== Error handling ===
{{ :dpi:qoe:use_cases:ddos_error.png?nolink&600 |}}
  * “If no errors” — no data
  * “If there is an error or timeout” — save last state
In this configuration, no data will be saved if there are no errors, but if errors occur, information about suspicious sessions will be saved as a table.
=== Actions ===
== E-mail action ==
{{ :dpi:qoe:use_cases:ddos_email.png?nolink&600 |}}
  * Click the ">" icon to auto-fill the form
  * Enter the recipient email address in the “To” field
When triggered, a notification will be sent to the specified email containing the trigger ID, name, status, and report link (saved state).
== Notification ==
{{ :dpi:qoe:use_cases:ddos_notification.png?nolink&600 |}}
  * Click ">" to auto-fill the form
  * Select notification type — “Warning”
  * A notification will be created in the SSG system
{{ :dpi:qoe:use_cases:ddos_alerts.png?nolink&600 |}}
The report link can be obtained from the notifications menu.
{{ :dpi:qoe:use_cases:ddos_report.png?nolink&400 |}}
  * Select the notification
  * Click **Details**
{{ :dpi:qoe:use_cases:ddos_details.png?nolink&400 |}}
Follow the report link — it will open in a new browser window.
== HTTP action ==
{{ :dpi:qoe:use_cases:ddos_http.png?nolink&600 |}}
Click ">" to auto-fill the form, select the method suitable for your ticket system, and enter the URL address.
Keep in mind — values such as session count and packet rate are averaged. Fine-tuning should be performed based on your network specifics.
===== Example: configuring a trigger to detect the target of a Flood-type DDoS attack =====
This configuration differs from the previous example in steps 2 and 3 (Queries and Conditions).
=== Queries ===
{{ :dpi:qoe:use_cases:ddos_target_query.png?nolink&600 |}}
In the report field, select Raw full netflow → Tables → Attacks detection → Top subscribers → Maxi
=== Conditions ===
{{ :dpi:qoe:use_cases:ddos_target_conditions.png?nolink&600 |}}
Series — “Flow volume to subscribers, Pct/s” >= 10000
Values such as session count and packet rate are averaged. Fine-tuning should be performed based on your network specifics.
====== BotNet analysis ======
This configuration differs from the previous example in steps 2 and 3 (Queries and Conditions).
=== Queries ===
{{ :dpi:qoe:use_cases:botnet_query.png?nolink&600 |}}
  * For “A”, select Raw full netflow → Tables → Attacks detection → Top application protocols → Maxi
  * For “B”, select Raw full netflow → Tables → Raw log → Full raw log
=== Conditions ===
{{ :dpi:qoe:use_cases:botnet_conditions.png?nolink&600 |}}
Since botnets often use ports 6667 and 1080, add a condition for each destination/source port on query “B”, linked with “OR”, together with the condition Flow Pcts/s >= 2000.
In this configuration, the trigger will fire if the packet rate on either port (6667 or 1080) exceeds 2000 packets per second.
Values such as session count and packet rate are averaged. Fine-tuning should be performed based on your network specifics.
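The DDoS-source conditions (avg session lifetime ≤ 20 ms AND ≥ 1500 sessions per host) and the BotNet conditions (port 6667 OR port 1080 with avg Flow Pcts/s ≥ 2000) re-implemented offline over constructed sample sessions, as an added illustration of how the AND/OR links and the avg function combine; this is not QoE Stor code, and the record layout and sample addresses are assumptions.

```python
"""Offline re-implementation of the trigger conditions described on this page,
run over constructed sample sessions (assumed layout, not QoE Stor data)."""
from collections import defaultdict
from statistics import mean

# Constructed sample: (source host, destination port, session lifetime ms, packets/s).
# 1600 very short sessions from one host (flood pattern), normal traffic from two
# others (one short-lived but low-volume), and high-rate sessions on port 6667.
SAMPLE_FLOWS = (
    [("203.0.113.7", 80, 8, 40)] * 1600
    + [("198.51.100.2", 443, 1800, 35)] * 20
    + [("198.51.100.9", 53, 15, 5)] * 30        # short sessions but far below 1500
    + [("192.0.2.44", 6667, 300, 2500)] * 10
    + [("192.0.2.44", 1080, 300, 900)] * 10     # port 1080 stays under 2000 pps
)

def group_by_host(flows):
    """Per-source-host aggregation, in the spirit of the 'Top hosts IPs' report."""
    by_host = defaultdict(list)
    for src, dport, lifetime_ms, pps in flows:
        by_host[src].append((dport, lifetime_ms, pps))
    return by_host

def ddos_source_hosts(flows, max_lifetime_ms=20, min_sessions=1500):
    """Condition 1 AND Condition 2: average session lifetime <= 20 ms and
    at least 1500 sessions from the same host within the analyzed period."""
    hits = []
    for host, sessions in group_by_host(flows).items():
        avg_lifetime = mean(s[1] for s in sessions)
        if avg_lifetime <= max_lifetime_ms and len(sessions) >= min_sessions:
            hits.append(host)
    return sorted(hits)

def botnet_port_hosts(flows, ports=(6667, 1080), min_pps=2000):
    """Port 6667 OR port 1080 with average Flow Pcts/s >= 2000: the OR link means
    each port is evaluated on its own and any single match fires the trigger."""
    hits = set()
    for host, sessions in group_by_host(flows).items():
        for port in ports:
            rates = [pps for dport, _, pps in sessions if dport == port]
            if rates and mean(rates) >= min_pps:
                hits.add((host, port))
    return sorted(hits)

if __name__ == "__main__":
    print("DDoS sources:", ddos_source_hosts(SAMPLE_FLOWS))
    print("BotNet suspects:", botnet_port_hosts(SAMPLE_FLOWS))
```

Raising `min_sessions` or `min_pps` is the offline equivalent of the fine-tuning the page recommends for your own network.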
====== Detecting subscriber visits to competitor resources ======
=== General trigger information ===
{{ :dpi:qoe:use_cases:competitors_common.png?nolink&600 |}}
Trigger name: “Interest in competitors”, days of the week – all, check frequency – 1 hour, trigger activation frequency – once, start and end times not set.
Every day, the system will perform a check every hour based on the conditions described below.
=== Queries ===
{{ :dpi:qoe:use_cases:competitors_query.png?nolink&600 |}}
  * Add “+” field
  * Name A — select table: Raw clickstream → Tables → Raw clickstream
  * Name B — select table: Raw full netflow → Tables → Attacks detection → Top hosts IPs → Maxi
  * Select period from “now – 1 hour” to “now”
This setup analyzes traffic hourly based on the selected tables.
=== Conditions ===
{{ :dpi:qoe:use_cases:competitors_conditions.png?nolink&600 |}}
  * Add 3 “+” fields
  * First field — select table “A”; Link – “OR”; Function – “avg”; Series Host = *megafon.ru (or your competitor)
  * Second field — select table “B”; Link – “AND”; Function – “avg”; Series Flow volume from subscriber, Pct/s >= 800
The trigger will fire if at least 800 packets (indicating a meaningful visit) from a subscriber to a competitor’s website are detected.
=== Error handling ===
{{ :dpi:qoe:use_cases:competitors_errors.png?nolink&600 |}}
  * “If no errors” — no data
  * “If there is an error or timeout” — save last state
In this configuration, no data will be saved if there are no errors, but if errors occur, information about suspicious sessions will be saved as a table.
=== Actions ===
== E-mail action ==
{{ :dpi:qoe:use_cases:competitors_email.png?nolink&600 |}}
  * Click the ">" icon to auto-fill the form
  * Enter recipient email address in “To” field
When triggered, an email containing notification details — ID, trigger name, status, and report link (saved state) — will be sent to the specified address.
== Notification ==
{{ :dpi:qoe:use_cases:competitors_notifications.png?nolink&600 |}}
  * Click ">" to auto-fill the form
  * Select notification type — “Warning”
  * A notification will be created in the SSG system
{{ :dpi:qoe:use_cases:competitors_alerts.png?nolink&600 |}}
The report link can be obtained from the notifications menu.
{{ :dpi:qoe:use_cases:competitors_report.png?nolink&400 |}}
  * Select the notification
  * Click **Details**
{{ :dpi:qoe:use_cases:competitors_details.png?nolink&400 |}}
Follow the report link — it will open in a new browser window.
== HTTP action ==
{{ :dpi:qoe:use_cases:competitors_http.png?nolink&600 |}}
  * Click ">" to auto-fill the form
  * Select the method suitable for your ticket system and enter the URL address
Keep in mind — values such as session count and packet rate are averaged. Fine-tuning should be performed based on your network specifics.