Introduction to NTA Automatic Diversion

Introduction to NTA Automatic Diversion

dezembro 28, 2023 | NSFOCUS

NTA supports configuring automatic diversion for Region/IP Group traffic alerts and Region/IP Group DDoS attack alerts. There are different diversion methods for various scenarios, including ADS Diversion, Flowspec Diversion, BGP Diversion, and Null-Route Diversion

For the Region/IP Group traffic alert, the following conditions must be met to perform automatic diversion after the alert is triggered:

  • Diversion is configured in the Traffic Diversion Rule -> Region/IP Group Diversion Policy.
  • The alert level matches the diversion level specified in the Region/IP Group Traffic Alert for the corresponding Alert Type. If the Divert Traffic of Medium-level Alert is configured in the Diversion Level, low-level alerts will not be automatically diverted.

For example, when the configuration is as follows:

  • Traffic Diversion Rule -> IP Group Diversion Policy -> Diversion Policy for Abnormal Inbound IP Group Traffic is configured for BGP diversion.

Ÿ   No Diversion is configured in IP Group Traffic Alert -> IP GROUP INBOUND TRAFFIC ABNORMAL -> Diversion Level.

Result: The traffic alert generated in the Inbound direction of this IP group will not be automatically diverted because the Diversion Level configuration is No Diversion, so any level of alert that triggers this IP group Inbound Traffic Alert will not be automatically diverted.

For the Region/IP Group DDoS Attack alert, the following conditions must be met to perform automatic diversion after the alert is triggered:

  • Diversion is configured in the Traffic Diversion Rule -> IP Diversion Policy. When there are multiple diversion policies in the IP Diversion Policy, the one on top has the highest priority. Policy priorities can be manually set. Once a policy is hit, the system quits matching against other policies.

  • The alert level matches the diversion level specified in the Region/IP Group DDoS Attack Alert for the corresponding Alert Type. If the Divert Traffic of Medium-level Alert is configured in the Diversion Level, low-level alerts will not be automatically diverted.

IP diversion policy priority and match order: IP Group > Region > Global (Configuration in Configuration -> Global Divert Settings -> Default Diversion Configuration). Once a policy is hit, the system quits matching against other policies.