- What Are Abnormal Upload Alarms?
- How Do I Identify 'Good' vs 'Bad' Alarms?
- How Do I Handle Abnormal Upload Alarms?
What Are Abnormal Upload Alarms?
Abnormal alarms are types of alarms that are telling you something different is happening.
Let's use a real-world scenario as an analogy. Assume you have a security camera at your front door and someone keeps walking in front of it. Your camera may alert you with an alarm. Then, based on if you recognize the person/thing, you can choose an appropriate response (e.g., investigating further, calling the police, or ignoring it).
Firewalla's abnormal alarms are generated by a similar mechanism, where we have software that detects how devices usually upload/transfer to the internet. If unusual behavior is detected, the abnormal upload alarm will be raised. Learn more about managing Alarms.
How Do I Identify 'Good' vs 'Bad' Alarms?
This alarm identification process is complex. We are slowly enhancing the algorithm and may eventually automate this process. To evaluate an alarm, we recommend you:
- Look at the timestamp of the alarm and recall if it was triggered by known events.
- Were you the one who triggered the upload?
- Did someone or something you know trigger the upload?
- Tap into the alarm. You will see a bunch of detailed information. Check the following fields:
- Device & Destination Info:
- If your device is transferring data to its own servers (e.g., a Google device is uploading to Google), then the transfer is likely legit.
- If your device is transferring data to an unrecognized or questionable country, then the transfer may not be legit and you should block it.
- Data Transferred:
- If you get an alarm from a device and then a Firewalla alarm saying that the device is transferring data (e.g., your smart doorbell sends you an alert, then Firewalla sends you an abnormal upload alarm), then you know the transfer activity is normal.
- Device & Destination Info:
Additionally, if you want to learn more about the website or the IP address your device is communicating with, you can tap on the domain or IP address, and choose to look up more security info about the destination/source on a 3rd party website.
How Do I Handle Abnormal Upload Alarms?
For example, say you have an internet-enabled security camera.
- Most of the time a security camera won't detect motion, so it will generally stay silent or occasionally send little packets of data to the cloud server.
- Suppose you are outside and want to view your backyard. You remotely connect to the camera, and your camera uploads an image of your backyard to a cloud drive. Since this type of activity from your camera doesn't usually happen, Firewalla will classify it as 'abnormal' (this is just a simplified example, the actual detection algorithm is a bit more complex).
- Firewalla will send you an Abnormal Upload alarm.
- If you know you were the cause of this activity, you can ignore the alarm. However, if you were not, it's likely that someone may be looking at your camera and you should block it.
- Abnormal Upload alarms may be delayed. The abnormal upload detection algorithm needs time to run, so it is possible that your equipment is off-site when the alarm is triggered. At times, the time at which the alarm is generated may be different from the time at which the suspicious activity occurred. The computation of "abnormal" is relative to a time period, so it is highly possible that something in the past may later be classified as abnormal
Please note that if any block is preventing services from working, it may be best to lift the block.
Comments
6 comments
Thanks for the article, but there is room for improvement. Using your example above, if you are first going to monitor a device for a while to get a baseline, on say a camera, it should see that uploads over time are normal. The abnormal would be uploads larger than average, destinations say to risky countries, or just other countries outside of the average. Maybe you can build the logic overtime based on what the box sees, and the feedback from the user about the alarms, to update the baseline.
I get constant abnormal upload alarms on my Ring doorbell, they are really just normal uploads.
Keep up the great work!!! Thanks!
The abnormal upload alarm feature is useless until it can learn what is really abnormal or not. LIke the previous poster and many others on the help forum, I get *constant* abnormal upload alarms for my (multiple) Ring devices - ie dozens per day. The behavior is normal, yet Firewalla is not learning that this is normal after multiple weeks. So now I just have to mute the alarm on each of these devices, which means I won't get an alarm if something truly abnormal does start happening on these devices. :-(
I like this feature, but the lack of how to mute is what needs improved.
For example, I keep getting Abnormal Upload on my proxy server in the house. I would like to mute the alert just for one INTERNAL system. The only option I am given is muting the alert to the destination of the abnormal upload IP for all devices.
I want to mute the abnormal destination only for one internally system, not all my devices
about ring devices. Wouldn't it be easier to "mute" the alarm not per each device instead of muting the domain for all devices, where the ring-system is connecting to? I don't know the ring-system actually, but it'll connect to one domain, isn't it?
If the abnormal thing happens through hacking the domain and go the "official" way, firewalla also can't know that's abnormal. If the abnormal thing happens over another domain, then the alert will still be activated.
@mozarella It supports mute domains for a specific device, and we are working on something new :)
On Web, you can do it via Alarms -> Alarms Settings -> Abnormal Upload -> Create Mute Setting -> Matching [domain] -> On [your device]
On APP, it's Alarms -> Alarms Settings -> Abnormal Upload -> Mute Setting -> Add destination -> next -> Apply To
Can this feature be enhanced to allow for us to set "only alert if X amount of data over Y amount of time?" Or X amount of throughput over Y amount of time?
I don't care that 1 megabyte got uploaded to some S3 bucket by some IOT device, unfortunately that's probably quite normal for any IOT device. But what I do care about is if my IOT Cameras are normally idling at 64bps throughput (background pings / keep-alives / heartbets) and suddenly a device spikes to 1 mbps for more than 1 minute. That tells me that the device is actively streaming data, like somebody is listening in on an echo device or watching a live video stream.
Please sign in to leave a comment.