The Previously Null Routed Sources sensor aggregates data about traffic from null-routed sources. The sensor reports on the hosts with the highest volume of normally-routed traffic that previously had null-routed traffic.
Troubleshooting a Previously Null Routed Sources Alert
An alert from the Previously Null Routed Sources sensor may indicate that Access Control Lists (ACLs) are applied inconsistently across the enterprise. ACL problems may result from a security violation.
Audit all ACLs to ensure that they are properly configured and conform to established network access and usage policies. Try to determine whether any ACLs have been modified without authorization.
It is also possible that the host is sending malicious traffic in various ways and the ACLs are catching some of that traffic. It may be worthwhile to investigate the type of traffic that the ACLs do not block. To do this, use the Host link on the Anomaly Drill-in to run a Flow Forensic report in the NFA console.
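The following is an added illustration of the logic the sensor description implies, run over constructed flow records; it is not CA's implementation or NFA code. It assumes the exporter reports output interface index 0 for null-routed flows, and the record layout, router names and function name are hypothetical.

```python
from collections import defaultdict

NULL_IF = 0  # assumption: exporter reports output ifIndex 0 for null-routed flows

# Constructed sample records: (epoch_seconds, router, src_ip, out_ifindex, bytes)
SAMPLE_FLOWS = [
    (1000, "rtr-a", "10.1.1.5", 0, 400),
    (1010, "rtr-a", "10.1.1.5", 0, 600),
    (1020, "rtr-b", "10.1.1.5", 3, 90000),   # same source forwarded elsewhere
    (1030, "rtr-b", "10.1.1.5", 3, 30000),
    (1005, "rtr-a", "10.2.2.9", 2, 500000),  # never null-routed: ignored
    (1040, "rtr-a", "10.3.3.7", 0, 100),
    (1050, "rtr-a", "10.3.3.7", 4, 2000),
    (1060, "rtr-b", "10.4.4.1", 2, 7000),    # routed before the null route: ignored
    (1070, "rtr-a", "10.4.4.1", 0, 300),
]

def previously_null_routed(flows, top_n=10):
    """Rank sources by bytes routed normally after their first null-routed flow."""
    first_null = {}
    dropped_on = defaultdict(set)
    for ts, router, src, out_if, _ in flows:
        if out_if == NULL_IF:
            first_null[src] = min(ts, first_null.get(src, ts))
            dropped_on[src].add(router)

    routed_bytes = defaultdict(int)
    forwarded_on = defaultdict(set)
    for ts, router, src, out_if, nbytes in flows:
        if out_if != NULL_IF and ts > first_null.get(src, float("inf")):
            routed_bytes[src] += nbytes
            forwarded_on[src].add(router)

    ranked = sorted(routed_bytes.items(), key=lambda kv: kv[1], reverse=True)
    return [
        {"src": src, "routed_bytes": total,
         "dropped_on": sorted(dropped_on[src]),
         "forwarded_on": sorted(forwarded_on[src])}
        for src, total in ranked[:top_n]
    ]

if __name__ == "__main__":
    for row in previously_null_routed(SAMPLE_FLOWS):
        print(row)
```

A source that is dropped on one router and forwarded on another is the pattern to check first when auditing for inconsistently applied ACLs.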
Copyright © 2015 CA Technologies.
All rights reserved.