Knowledge Center

Network Security Platform DoS profile - learning and detection modes
Technical Articles ID:   KB71628
Last Modified:  1/5/2018


McAfee Network Security Platform


This article explains the learning and detection modes for the DoS (Denial of Service) profile in Network Security Platform. 

Learning mode
Learning mode starts when the Sensor is first added to a network. The standard learning mode period is usually 48 hours, after which the Sensor will enter detection mode but will continue to adjust continuously over time.

During the learning mode period, the Sensor catalogues the traffic into BINs. The Sensor divides the traffic in BINs by subnet, up to a total of 128 BINs per sensor. BINs may reference a large network segment such as and, or may reference a more specific segment such as

Each BIN will contain values that describe the amount of traffic for the specific protocol.

To view the BINs:

  1. Open a command line session to the Sensor.
  2. Type the following command and press ENTER:

    show dospreventionprofile <packet-type> <direction>

    For example:

    show dospreventionprofile tcp-syn inbound 

      0: AS=25.000% LT=1.568% ST=0.00% ltR=0.001 stR=0.000
      1: AS=12.500% LT=0.039% ST=0.00% ltR=0.000 stR=0.000
      2: AS=0.781% LT=0.110% ST=0.00% ltR=0.000 stR=0.000
      3: AS=0.781% LT=2.499% ST=0.00% ltR=0.001 stR=0.000
      4: AS=3.125% LT=1.831% ST=0.00% ltR=0.001 stR=0.000
      5: AS=6.250% LT=0.534% ST=0.00% ltR=0.000 stR=0.000
      6: AS=3.125% LT=0.609% ST=0.00% ltR=0.000 stR=0.000
  • AS(%) -- percentage of the IP address space this BIN occupies
  • LT(%) -- percentage of long-term traffic that falls into this BIN
  • ST(%) -- percentage of short-term traffic that falls into this BIN
  • ltRate -- long-term average traffic rate (in packets per second) for this BIN
  • stRate -- short-term traffic rate (in packets per second) for this BIN

Detection mode
After the 48-hour learning mode period, the Sensor automatically enters Detection mode. There is no default blocking for DoS; you can enable blocking after the Sensor has established an acceptable network profile profile.

To enable DoS blocking in the Network Security Manager:
  1. Log on to the Manager.
  2. Select IPS Settings from the left pane.
  3. Click the Advanced Policies tab.
  4. Select Default IPS Attack Settings.
  5. Locate the attack type you want, and set it to Block.

When the Sensor is in detection mode and detects a possible DoS attack, the BINs that contain the possible detection of the offending traffic will change and display a # (hash). The Sensor will act on the traffic based on the settings for the specific attack (block and alert or alert only).

DoS Prevention Severity and Threshold
The Sensor adjusts the profile constantly to prevent false positive detections for small network traffic changes and events that might be interpreted as a DoS attack. You can customize this behavior based on the severity of a detected attack and adjust the threshold as necessary.

To view the severity: 

  1. Open a command line session to the Sensor.
  2. Type the following command and press ENTER:

    show dospreventionseverity <packet-type> <direction>

    NOTE: Technical Support recommends not changing the default severity levels unless you have in-depth knowledge of your network and can ensure that the change will not cause a false detection of a DoS attack.
To modify the Threshold of a specific attack:
  1. Log on to the Manager.
  2. Select IPS Settings
  3. Select Advanced Policies
  4. Select Default IPS Attack Settings.
  5. Select the Threshold tab and edit the specific attack you want to change.

Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.