ENA NetDefender

ENA NetDefender—ENA’s advanced, on-demand DDoS mitigation and scrubbing service—proactively scans and analyzes your network for DDoS attacks. Whenever we detect an attack, we automatically reroute your traffic to one of our ENA NetDefender scrubbing centers to remove the malicious packets from your Internet connection while leaving all the good traffic intact.

You can view reports and data for both active and past attacks through the ENA NetDefender portal at my.ena.com.

Log in to ENA NetDefender

  1. Point your browser to my.ena.com.
  2. Enter your my.ena.com credentials.
  3. Select ENA NetDefender.

Attack Status At-A-Glance

During a live attack, the color of the ENA NetDefender Sentinel cycles through warm red and orange tones, and you see a horizontal bar graph showing permitted and discarded traffic.

The ENA NetDefender Sentinel cycles through cool blue and green tones when your network activity is normal.

Viewing Data During a Live Attack

Your Dashboard

Current traffic activity

The color of the ENA NetDefender Sentinel in the Current traffic activity panel gives you a real-time indication as to whether your network is currently being monitored or actively scrubbed for an attack.

When your network is under attack and ENA NetDefender is scrubbing traffic, the color of the ENA NetDefender Sentinel cycles through warm red and orange tones. The ENA NetDefender Sentinel cycles through cool blue and green tones when your network activity is normal.

You also see a bar graph in this panel showing the percentage of discarded traffic in bytes and packets in 15-second intervals. The discarded traffic segment of the bar is shown in red.

Note: Your my.ena.com ENA NetDefender portal pulls data at 15-second intervals. It may take up to 15 seconds for the ENA NetDefender Sentinel color to reflect the live attack and for the horizontal bar graph to show discarded traffic data.

Traffic Statistics

To access traffic statistics, click the Traffic tab or the Details button on the Dashboard.

Histogram

During a live attack, you see a red bar showing inbound traffic in bytes. Inbound traffic during an attack includes both the normal, clean traffic on your network and the excess attack traffic. This is real-time data and is refreshed at approximately 15-second intervals.

A green bar denotes the inbound traffic in packets per second at the same point in time.

Hover your mouse over a bar in the graph to see more detail.

The scale on the left of the graph shows bytes per second. The scale on the right of the graph shows packets per second.

You can hide/show bars in the histogram by clicking on the legend at the bottom.

Filter by Destination IP

You can filter the data on the histogram by Destination IP to identify which IP addresses on your network are under attack. This feature can be used to find information about individual attacks even when multiple simultaneous attacks are being scrubbed by ENA NetDefender. It can also be used to see the history of attacks on a specific IP if you experience repeated activity.

Note: The IP addresses in your network appear in the drop-down. They are masked in the screencast.

Viewing traffic statistic details

Click on a bar in the histogram to open up the Traffic details line graph. The line graph appears below the histogram.

Use the radio button to select bits/s or packets/s under Units.

The green line represents Inbound traffic. The yellow line represents Discarded Inbound traffic. The space between those two data points is the value for the clean traffic on your network.

Hover your mouse over a line in the graph to see additional details for that point.

Click and drag on an area on the line graph to zoom in on it. To return to the default view, click Reset zoom. The table below the line graph shows additional detail including the protocol, inbound volume, discarded inbound volume, and the corresponding percent discarded for each protocol.

Viewing Data from Completed Attacks

Your Dashboard

Your dashboard gives you an overview of current and recent attack activity on your network.

Current traffic activity

The ENA NetDefender Sentinel cycles through cool blue and green tones when your network activity is normal. When you see this, ENA NetDefender is actively monitoring your network traffic for anomalies.

Recently scrubbed attacks

In the Recently scrubbed attacks panel, you see the following information for the seven most recent completed attacks on your network:

  • Start time
  • Attack category
  • Risk
  • Attack name

Traffic Statistics

Click Details in the Current activity window on the Dashboard or the Traffic tab to see detailed data on your network traffic utilization during recent attacks. This data reflects analysis conducted by ENA, specific to your network. Here you will find the inbound and discarded traffic information correlated to an event.

Histogram

Initially, you see data for the default time interval of Last Day. If your network did not experience an attack during the last day, there is No Data to Display. Adjust the time interval to look further back in history.

Use the Destination IP drop down to filter traffic data for attacks on a specific IP on your network.

If an attack occurred within the selected time interval, a yellow bar represents the inbound traffic in bytes during an attack and a green bar represents the inbound traffic in packets per second at the same point in time. These data points include both the clean and malicious traffic that was inbound at that time.

Hover your mouse over a bar in the graph to see more detail.

The scale on the left of the graph shows bytes. The scale on the right of the graph shows packets.

You can hide/show bars in the histogram by clicking on the legend at the bottom.

Viewing traffic statistic details

Click on a bar in the histogram to open up the Traffic details line graph. The line graph appears below the histogram.

Use the radio button to select bits/s or packets/s under Units.

The green line represents Inbound traffic. The yellow line represents Discarded Inbound traffic. The space between those two data points is the value for the clean traffic on your network.

Hover your mouse over a line in the graph to see additional details for that point.

Click and drag on an area on the line graph to zoom in on it. To return to the default view, click Reset zoom. The table below the line graph shows additional detail including the protocol, inbound volume, discarded inbound volume, and the corresponding percent discarded for each protocol.

Attacks

Click the Attacks tab to see detailed information on attacks experienced on your network. This data is drawn from the underlying technology solution so that you can see exactly what data points are being recorded. You will find information regarding inbound traffic as well as detail on the source and destination addresses, attack category, attack name, and time.

Recent attacks monitor

The histogram will default to Last Day time interval unless another time interval was selected previously on the Traffic details screen. If your network did not experience any attacks in the last 24 hours, you see a No Data to Display message. Use the Time Interval drop down to expand the time period.

Use the drop-down to filter the data by Attack category.

Data for recent attacks show in yellow and green.

The scale on the left axis is for bytes per second. The scale on the right is for packets per second.

Hover your mouse over a specific attack to see more detail about that attack.

You see the name of the attack at the top of the pop-up. Details below include:

| Type | Description |
| --- | --- |
| Policy name | The name assigned to your account by ENA. Typically this is your school district name. |
| Category | Attack category. DoS, DDoS, etc. |
| Risk | Level established by the software and set based on datasets of attacks across the internet over long periods of time. See risk level descriptions below. |
| Start time | The time at which ENA NetDefender monitoring alerted on the anomaly. |
| SRC IP | Source IP address – if multiple sources, “Multiple” is presented. |
| DST IP | Destination IP address – if multiple destinations, “Multiple” is presented. ENA CTAC will be able to provide more granular information on the targets of those attacks if requested. |
| DST port | Destination port. |
| Device IP | IP of targeted device. |
| Direction | “Outbound” refers to leaving the ENA NetDefender platform and moving toward your network. |
| Action type | Action taken by ENA NetDefender to either drop traffic or, in some cases, decide to permit traffic forward to your network. |
| Inbound (bytes) | Inbound traffic in bytes per second. |
| Inbound (packets) | Inbound traffic in packets per second. |

Recent attacks table

Use the Show columns drop-down to select the data you would like to see about recent attacks. Options include:

| Column | Description |
| --- | --- |
| Start time | The time at which ENA NetDefender monitoring alerted on the anomaly. |
| Attack category | DoS, DDoS, etc. |
| Risk | Level established by the software and set based on datasets of attacks across the internet over long periods of time. See risk level descriptions below. |
| Attack name | If a common attack name is available, it is shown here. Examples include: Network flood; UDP flood; Mirai. |
| Source address | IP address – if multiple sources, “Multiple” is presented. |
| Destination address | IP address – if multiple destinations, “Multiple” is presented. ENA CTAC will be able to provide more granular information on the targets of those attacks if requested. |
| Policy | The name assigned to your account by ENA. Typically this is your school district name. |
| Anomaly ID | Identifier within the ENA NetDefender platform. |
| Direction | “Outbound” refers to leaving the ENA NetDefender platform and moving toward your network. |
| Action type | Action taken by ENA NetDefender to either drop traffic or, in some cases, decide to permit traffic forward to your network. |
| Inbound traffic (B) | Inbound traffic in bytes per second. |
| Inbound traffic (packets) | Inbound traffic in packets per second. |

Download All Attack Summaries

To download a CSV file of all attack summaries, click Download CSV at the top of the Attacks page.

Risk Levels

Risk level is established by the software conducting the monitoring of your network. The risk level is not based on your network alone, but on data aggregated from attacks across the internet over time.

| Risk | Description |
| --- | --- |
| Info | The risk does not pose a threat to normal service operation. |
| Low | The risk does not pose a threat to normal service operation, but may be part of a preliminary action for malicious behavior. |
| Medium | The risk may pose a threat to normal service operation, but is not likely to cause complete service outage, remote code execution, or unauthorized access. |
| High | The risk is very likely to pose a threat to normal service availability, and may cause complete service outage, remote code execution or unauthorized access. |

Print Graphs and Charts

Click the hamburger menu for any chart or graph to download a printable copy.