Version v25.12
Version v25.12 adds: commenting on setting changes, changing the order of policy countermeasures, a new countermeasure RECK, DNAT in General IPv4 Protection, many improvements to the autodetection mechanism.
The functionality of DNS, ATLS, SLOW countermeasures has been expanded, as well as the synchronization mechanism, BGP interaction and TACACS+.
Multiple UX improvements made.
Changes in v25.12
EventLog. Added comments on settings changes.
To increase the transparency of changes made to the protection settings during operation, as well as for the convenience of recording both the changes themselves and the motivation for them, or other additional information on the work being done, an “Editing session” has been added.
An editing session is a mode in which all settings changes that the user has made during the session are linked to the session ID and accompanied by a comment. The Event Log shows the session ID for all changes made during the editing session.
A new tab has been added to the event log, which displays all completed sessions. You can jump from each completed session to the events of that session.
Clicking the “Start session” button in the upper panel on any page of the Web interface opens a window for entering comments and a button for launching. You can add comments at any time while the editing session is active.
A new parameter “Editing session usage” has been added to the user’s profile. The value of this parameter determines how the user is allowed to make changes to the settings:
- Disabled – the user can make changes to the settings without starting the editing session as it was before the v25.12 MITIGATOR version. The controls of the editing session are not displayed;
- Optional – the user can start an editing session and log changes, but the system allows him to make changes without starting an editing session;
- Required – in order to make any changes to the settings, the user must start an editing session.
The default value is “Disabled”.
EventLog. Added logging of values in events of manual modification of countermeasures tables.
The changed values are now recorded in the event log in the “Details” field during manual editing of the countermeasures tables.
Policy. Added the ability to change the order of policy countermeasures.
Now, on the “Settings” tab of the protection policy page in the “Countermeasures application order” panel, you can change the order of policy countermeasures.
You can not change the order for some elements.
New protection policies are created with a standard arrangement of countermeasures. When copying the protection policy, the arrangement of countermeasures is also copied.
At any time, the order of the countermeasures in the policy can be reset to the default one.
Important: The ability to change the order of countermeasures allows you to adapt the protection policy to sophisticated user scenarios, but it comes with risks. When a new countermeasure is added to the MITIGATOR, its position in the processing chain is determined, among other things, by the complexity of the operation logic, and therefore by the consumption of system resources. In standard configuration, when processing attacking traffic, simple countermeasures are applied first, reducing the volume of traffic for processing by subsequent countermeasures, and complex ones are applied only to the remaining traffic. If complex countermeasures are moved to the top of the list, they will take over all attacking traffic, which may affect system performance.
Detect. Thresholds for relative change per clock cycle have been added.
In addition to the <element>.Xxx.Diff. thresholds, which were triggered by an absolut
change in the monitored metric, <element>.Xxx.Ratio. thresholds have been added for the
relative change in the metric per cycle — that is, for the ratio of the metric value in the
current cycle to its value in the previous cycle.
Refer to the built-in autodetection documentation for details.
Detect. Thresholds for relative and absolute changes in the metric have been added for BGP announcement based on Flow data.
To enable BGP announcements in case of sudden traffic changes, .Diff. and .Ratio.
thresholds have been added for both incoming and dropped traffic.
| Name | Description |
|---|---|
BGP.<announce_type>.Flow.Input{Pps,Bps}.{Diff,Ratio}* |
on input traffic |
BGP.<announce_type>.Flow.Drop{Pps,Bps}.{Diff,Ratio}* |
on all dropped traffic |
BGP.<announce_type>.Flow.Drop.Other{Pps,Bps}.{Diff,Ratio}* |
on traffic dropped not on MITIGATOR |
Detect. Thresholds for the number of IP addresses in TBL have been added.
For all countermeasures, policies, and BGP announcements, On/Off thresholds have been added
for the number of IP addresses in TBL: <element>.TBL.IPs.On and <element>.TBL.IPs.Off.
Additionally, similar thresholds <element>.TBL.IPs.Diff are available for changes in the
number of IP addresses in TBL.
In particular, if you set <element>.TBL.IPs.On but do not set <element>.TBL.IPs.Off,
you get a threshold that keeps the countermeasure enabled as long as the specified number
of IP addresses remains in TBL.
Detect. Thresholds for incident registration based on entry data into the packet processor and Collector have been added.
Now, incident recording is triggered by the following thresholds:
Incidents.Input{Pps,Bps}— for total incoming traffic;Incidents.Drop{Pps,Bps}— for total dropped traffic;Incidents.Flow.Input{Pps,Bps}— for total incoming traffic based on Collector data;Incidents.Flow.Drop{Pps,Bps}— for total dropped traffic based on Collector data.
Additionally, thresholds for absolute and relative rate changes are available: .Diff. and .Ratio.
Refer to the built-in autodetection documentation for details.
Detect. Thresholds for incoming traffic minus WL‑passed traffic have been added.
Thresholds have been added for incoming and passed traffic, minus the traffic sent to output by the WL countermeasure:
<element>.Protected.Input{Pps,Bps}.{On,Off}— for incoming traffic;<element>.Protected.Pass{Pps,Bps}.{On,Off}— for passed traffic;<element>.Protected.Input{Pps,Bps}.{Diff,Ratio}*— for changes in incoming traffic;<element>.Protected.Pass{Pps,Bps}.{Diff,Ratio}*— for changes in passed traffic.
Detect. A mechanism to keep a countermeasure enabled in case of frequent switching has been added.
If the countermeasure <element> switches more than <element>.Latch.SwitchLimit times
within <element>.Latch.ObservationTicks cycles, it is activated and held enabled for
<element>.Latch.HoldTicks cycles.
Refer to the built-in autodetection documentation for details.
RECK. New RECK countermeasure has been added in General Protection.
A new countermeasure, RECK “Repetition Check”, has been added to General Protection IPv4. This countermeasure enables defense against Flood attacks without using the challenge‑response procedure.
In terms of configuration settings and traffic processing behavior, RECK is similar to RETR.
DNAT. DNAT function has been adedd to General Protection IPv4.
ATLS. The reassembly of segmented «ClientHello» messages has been added.
An option has been added that, when enabled, allows the countermeasure to assemble ClientHello messages from segments and process them. The collection of TLS fingerprints also takes assembled ClientHello messages into account.
If reassembly is enabled, it is performed even for ClientHello messages from clients being already authenticated.
DNS. Graphs for request types have been added.
SLOW. An independent test mode activation option has been added.
Now the test mode for SLOW can be enabled independently of LCON.
TACACS+. The capability to work with multiple TACACS+ servers has been added.
When multiple servers are added, the account attributes are verified against the first server in the queue. If it is unavailable, the next server in the list is used, and so on.
Routing Rules. The ability to specify ICMP6 in routing rules has been added.
An ICMP6 alias has now been added to the «Protocol» field for routing rules
within IPv6 protection policies.
BGP. System prefix lists .aggregated. and .protected. for IPv6 have been added.
Sync. An indication of the blocking source has been added to TBL synchronization.
Previously, when table synchronization was enabled on instances, any entry added to
the TBL table via the synchronization mechanism showed sync as the source of addition.
Now, for all instances, the display has been updated to show the short name of the
countermeasure that originally placed the IP address into blocking.
The synchronization indicator has been changed to a boolean flag.
Example:
instance_id,instance_name,ip,ttl,source,from_sync,policy_id,policy_name,country,city,as_number,as_name
1,Mitigator0,1.1.1.1,300,ATLS,false,1,Default,"Finland","Tampere",39699,"Lounea Palvelut Oy"Overview. Export and import of widget presets for the Overview page have been added.
Now on the “Overview” page you can copy the set and layout of widgets to the clipboard, as well as add a preset from the clipboard. This allows you to share the dashboard configuration with other users.
Overview. A setting for displaying section widgets has been added.
Now on the “Overview” page you can configure the display layout of widgets — the number of columns per row and the column height, just like in Flow Analysis.
