Real-Time Traffic Anomaly Detection

Updated March 03, 2025 20:20

Overview

Constellix's Real-Time Traffic Anomaly Detection (RTTAD) is a machine-learning tool that serves as an alert system in the event of inconsistent domain traffic patterns. RTTAD is a proactive monitoring service that uses a domain's historical data to learn traffic patterns. When there is an unexpected spike or surge in traffic, the tool sends an automatic alert. The collected data can be repurposed to best suit the organization's needs. This guide will assist in enabling, managing, and disabling RTTAD for domain(s).

Common Use Cases for Real-Time Traffic Anomaly Detection

This service works with Constellix's analytics tools to display DNS traffic in real time and is most commonly used to assist in detecting:

- Distributed-denial-of-service (DDoS) attacks
- System configuration trouble
- System outages
- Firewall configuration issues
- Marketing mistakes

See DNS Analytics to learn more about the platform.

Prerequisites

- A domain has been added to your Constellix account
- Basic understanding of DNS Analytics

Enable Real-Time Traffic Anomaly Detection

Once logged into your Constellix DNS dashboard, the following steps will guide you through the process of enabling RTTAD in your environment.

1. Access the RTTAD Environment

In the Constellix DNS dashboard, select the domain you want to configure RTTAD for from the Recently Updated Domains list. Optionally, you can locate the domain using the search bar on the upper left.

Note: Options available may vary depending on the current configurations set for your domain.

Note: The status of RTTAD will be indicated at the top of the screen, below the domain name.
Click on the Activate Anomaly Detection button to enable the tool.

Optionally, you can access the RTTAD environment from the Analytics dashboard and click on the + icon next to the domain in the Anomaly column.

Both of these navigation paths will lead to the Anomaly Detection page.

2. Select the Domain to Add RTTAD

In the Manage Scheduled Anomaly Detections section of the Anomaly Detection page, tick the box next to the domain(s) for which RTTAD will be enabled.

3. Select Aggregation Preference

In the description section, select the aggregation preference using the dropdown box.

Note: Billing is dependent on the type of monitoring aggregation selected.

- Aggregated to world - this selection bases the anomalies on the sum of the domain's traffic from around the world. This option is recommended for domains that receive five billion or fewer queries per month.
- Aggregated to region - this selection bases the anomalies on the sum of the domain's traffic for a specific region. This option is recommended for domains that receive above five billion
- Aggregated to city - this selection bases the anomalies on the sum of the domain's traffic for a specific city, which gathers information from each point of presence (PoP) from around the world.

4. Save Changes

Click on the Save button or, to save changes to several domains, click on Save All at the bottom of the section.

5. Verify Changes

Verify Anomaly Detection is now enabled from the Domain page of the dashboard with the following changes indicated:

- Anomaly Detection On will appear in green.
- The Activate Anomaly Detection button will change to a Manage Anomaly Detection button.

Real-Time Traffic Anomaly Detection Demo Video

This setup demonstration video will facilitate enabling and managing RTTAD.

Manage Real-Time Traffic Anomaly Detection

To configure RTTAD with environmental specifics, log into the Constellix dashboard. The following steps will facilitate setup from the DNS tab of the menu bar.
Navigate to the domain's page via the DNS or Analytics tab. Ensure Anomaly Detection is On and click on the Manage Anomaly Detection button.

NOTE: If Anomaly Detection is Off, follow the steps to enable RTTAD before proceeding with the management steps.

On the Anomaly Detection screen, the following management actions can be taken:

- Add groups and contacts - you will need to set up contacts and groups of individuals who will be notified in the event of a traffic anomaly.
- Set notification groups for a domain - link notification groups to the RTTAD-enabled domain. Once these are set, the contacts will be notified if the traffic has gone above or below the expected traffic patterns for the domain.

Anomaly Detection Notification

Once notification groups are established, an email with related information will be sent to the contacts that were added for the domain if an anomaly is detected. A graph of related information will be included to indicate when traffic went above or below the expected traffic patterns that the tool predetermined, through its machine-learning capabilities, to be normal for the domain. This information is mostly used to investigate where traffic is coming from (region, record name, etc.) via the Data Explorer.
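To make the aggregation preference from step 3 concrete, the following added example (not Constellix code) sums the same per-city query counts to world, region and city level and checks the current hour against history at each level. A plain standard-deviation test stands in for the service's machine-learning model, which this page does not describe; the region labels, city names and traffic figures are constructed.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample data: baseline queries/hour per PoP city (not real traffic).
BASELINE = {
    ("NA", "New York"): 100_000,
    ("NA", "Dallas"): 20_000,
    ("EU", "London"): 900_000,
    ("EU", "Frankfurt"): 800_000,
    ("AP", "Tokyo"): 700_000,
}
HISTORY_HOURS = 24


def build_samples(spike_city=("NA", "Dallas"), spike_factor=3):
    """Return {(region, city): [24 history counts..., current count]}."""
    samples = {}
    for key, base in BASELINE.items():
        # Deterministic +/-4% wobble standing in for normal hourly variation.
        history = [base + base * 2 * ((h % 5) - 2) // 100 for h in range(HISTORY_HOURS)]
        current = base * spike_factor if key == spike_city else base
        samples[key] = history + [current]
    return samples


def aggregate(samples, level):
    """Sum per-city series to the chosen level: 'world', 'region' or 'city'."""
    totals = defaultdict(lambda: [0] * (HISTORY_HOURS + 1))
    for (region, city), series in samples.items():
        label = {"world": "world", "region": region, "city": f"{region}/{city}"}[level]
        totals[label] = [a + b for a, b in zip(totals[label], series)]
    return dict(totals)


def detect(samples, level, threshold=3.0):
    """Flag series whose current hour is > threshold std-devs above or below history."""
    flagged = []
    for label, series in aggregate(samples, level).items():
        history, current = series[:-1], series[-1]
        z = (current - mean(history)) / stdev(history)
        if abs(z) > threshold:
            flagged.append(label)
    return sorted(flagged)


if __name__ == "__main__":
    data = build_samples()
    for level in ("world", "region", "city"):
        print(f"{level:6} -> {detect(data, level)}")
```

With this constructed data, a threefold spike at one small city is flagged at city and region level but is absorbed into normal variation once summed to world level.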