Channel: THWACK: Discussion List - All Communities

NTA and identifying a flow related to scans/DDoS attacks


Hi all,

I'm new to the forums, so excuse me if this has already been asked and answered. I did search through several video series and tried to search the forums, but didn't find anything specific to my questions.

We utilize SolarWinds NTA at my work, and occasionally we see large ingress spikes of traffic. I believe these to be probes or scans sometimes, but finding out the who/what/where/how with NTA seems to be like pulling teeth!

As an example, we recently had almost a 7 Gb/s ingress spike for ~15 minutes. I tried to set an absolute time period to those 15 minutes, filtered by ingress, and checked the NTA Summary page (as well as a few custom views we've created for identifying such traffic). Either we don't have our NTA configuration optimized to find this data, or I'm not really understanding how to read the data it is showing.

Basically, my questions for anyone out there who uses NTA:

+ Is there any good documentation or video series that explains how to use NTA for forensics relating to a DDoS attack that you know of? If so, please post any good info here!

+ Have you created a custom view that you use for similar forensics? I'm not looking for deep packet inspection, but anything that may make this particular function more easily understood for the average user.

Thanks all.

Patrick
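The who/what/where breakdown the post is trying to get out of NTA, worked directly on flow records. This is an added example, not SolarWinds code and not part of the original post: it uses NetFlow v5-style field names on constructed sample records, keeps only flows that started inside the 15-minute window in the ingress direction, then ranks sources and destination ports by bytes, flags any source that touched many distinct destination ports (a scan signature) and any destination hit by many distinct sources (a volumetric flood signature). The addresses, the 100-port and 20-source thresholds and the window are all assumptions chosen for the sample.

```python
"""Triage a traffic spike from NetFlow-style records: who sent it, where it went,
and whether it looks like a scan or a volumetric flood.

Added example, not SolarWinds NTA code. Field names follow NetFlow v5 conventions;
all records below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    start: datetime   # flow start time
    src: str          # source address
    dst: str          # destination address
    sport: int
    dport: int
    proto: int        # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    ingress: bool     # True if the exporter saw the flow entering from outside


T0 = datetime(2020, 1, 1, 12, 0, 0)  # constructed reference time


def _mk(minute, src, dst, sport, dport, proto, packets, octets, ingress=True):
    return Flow(T0 + timedelta(minutes=minute), src, dst, sport, dport,
                proto, packets, octets, ingress)


# Constructed sample: 40 sources flooding one web server for 15 minutes, one host
# sweeping 200 TCP ports on another server, plus a flow outside the window and
# an egress flow that a spike investigation should ignore.
SAMPLE = (
    [_mk(m, f"203.0.113.{i}", "198.51.100.10", 123, 80, 17, 50_000, 60_000_000)
     for m in range(3, 18) for i in range(1, 41)]
    + [_mk(5, "192.0.2.77", "198.51.100.20", 40000 + p, p, 6, 1, 60)
       for p in range(1, 201)]
    + [_mk(40, "192.0.2.5", "198.51.100.10", 51000, 443, 6, 400, 300_000)]
    + [_mk(10, "198.51.100.10", "192.0.2.9", 443, 52000, 6, 400, 300_000,
           ingress=False)]
)


def in_window(flows, start, end, ingress_only=True):
    """Flows that began in [start, end); by default ingress direction only."""
    return [f for f in flows
            if start <= f.start < end and (f.ingress or not ingress_only)]


def average_mbps(flows, start, end):
    """Mean bit rate over the window in Mb/s. With sampled NetFlow, multiply
    octets by the sampling interval first or this will be badly low."""
    seconds = (end - start).total_seconds()
    return sum(f.octets for f in flows) * 8 / seconds / 1e6


def top_by_octets(flows, key, n=5):
    """Top n values of key(flow), ranked by total bytes."""
    counts = Counter()
    for f in flows:
        counts[key(f)] += f.octets
    return counts.most_common(n)


def scan_suspects(flows, min_ports=100):
    """Sources touching many distinct destination ports: a port-scan signature."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return {s: len(p) for s, p in ports.items() if len(p) >= min_ports}


def flood_targets(flows, min_sources=20):
    """Destinations hit by many distinct sources: a volumetric/DDoS signature."""
    sources = defaultdict(set)
    for f in flows:
        sources[f.dst].add(f.src)
    return {d: len(s) for d, s in sources.items() if len(s) >= min_sources}


def triage(flows, start, end):
    """Answer who/what/where for one spike window."""
    w = in_window(flows, start, end)
    return {
        "flows": len(w),
        "avg_mbps": round(average_mbps(w, start, end), 1),
        "top_sources": top_by_octets(w, lambda f: f.src, 3),
        "top_dst_ports": top_by_octets(w, lambda f: (f.proto, f.dport), 3),
        "scan_suspects": scan_suspects(w),
        "flood_targets": flood_targets(w),
    }


if __name__ == "__main__":
    report = triage(SAMPLE, T0 + timedelta(minutes=3), T0 + timedelta(minutes=18))
    for k, v in report.items():
        print(f"{k}: {v}")
```

Two caveats carry over to any flow tool, NTA included: filtering on flow start time drops long-lived flows that began before the window, so widen the window slightly or also test the flow end time if the exporter provides it; and sampled NetFlow reports only 1-in-N packets, so byte and packet totals must be scaled by the sampling rate before comparing them with the link-level spike seen on the interface graph.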
