What are "Abnormal" Upload alarms?
Abnormal alarms tell you that something different from the usual is happening.
Take an example from the real world: suppose you have a security camera at your front door and someone keeps walking in front of it. The system may beep at you, and based on whether you know the person or thing, you decide to sound a loud horn, call the police, or ignore it.
Firewalla abnormal alarms are generated by a similar mechanism: our software learns how each device normally uploads or transfers data to the internet and detects departures from that pattern. If anything is different, an upload alarm will occur.
Take the internet enabled security camera as an example:
(This is just a simplified example, the actual algorithm is a bit more complex)
1. Most of the time this real-world camera won't detect motion, so it stays silent and may send only small packets to the cloud server. Here, everything is normal.
2. Suppose you are outside and want to view your backyard, so you remotely connect to this camera; the camera uploads an image of your backyard to a cloud drive. Since you don't do this often, and not always from the same source, the Firewalla algorithm notices this activity and classifies it as 'abnormal'.
3. An alarm is sent to you.
4. When you receive this alarm, if you know you were doing the viewing, you can ignore it. If you were not, someone else may be looking at your camera, then ... block it.
5. Upload alarms may be delayed. The abnormal upload detection algorithm runs over a period of time, so you may no longer be on-site when the alarm arrives, and the time the alarm is generated can differ from the time of the activity it reports. Because "abnormal" is computed relative to a time period, something that happened in the past may be classified as abnormal only as time passes.
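To make the five steps above concrete, here is an added illustration (not Firewalla's actual algorithm, which the article says is more complex) of a per-device upload baseline: each device's hourly upload volume is compared against its own median, and a destination seen in only one hour is treated as new. The flow records, device name, destination names and the `volume_factor` / `min_history` parameters are all constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flows, not real Firewalla data: (device, hour, destination, bytes uploaded).
# The camera sends a small heartbeat every hour; in hour 10 the owner views it remotely
# (large upload to the usual cloud), in hour 15 it uploads to a never-seen address.
SAMPLE_FLOWS = [("camera", h, "cloud.example-cam.test", 20_000) for h in range(24)]
SAMPLE_FLOWS += [
    ("camera", 10, "cloud.example-cam.test", 180_000),
    ("camera", 15, "203.0.113.7", 50_000),
]

def abnormal_uploads(flows, volume_factor=5.0, min_history=6):
    """Return (device, hour, reason) for hours that depart from each device's own baseline.

    The baseline is computed over the whole period, so an hour can only be judged once the
    period is complete; that is why an alarm can arrive well after the upload it describes.
    """
    per_hour = defaultdict(lambda: defaultdict(int))    # device -> hour -> bytes uploaded
    dest_hours = defaultdict(lambda: defaultdict(set))  # device -> destination -> hours seen
    for device, hour, dest, nbytes in flows:
        per_hour[device][hour] += nbytes
        dest_hours[device][dest].add(hour)

    alarms = []
    for device, hours in per_hour.items():
        if len(hours) < min_history:
            continue  # too little history to call anything abnormal yet
        # The median is used rather than the mean so that the spikes being looked for
        # do not inflate the baseline they are compared against.
        baseline = median(hours.values())
        threshold = baseline * volume_factor
        for hour in sorted(hours):
            total = hours[hour]
            if total > threshold:
                alarms.append((device, hour, f"volume {total} > {threshold:.0f}"))
            # A destination that appears in this hour and no other is "new" for the device.
            for dest, seen in dest_hours[device].items():
                if seen == {hour}:
                    alarms.append((device, hour, f"new destination {dest}"))
    return alarms

if __name__ == "__main__":
    for alarm in abnormal_uploads(SAMPLE_FLOWS):
        print(*alarm)
```

Running it flags hour 10 for volume (the owner's remote viewing, which the owner would recognise and ignore) and hour 15 for the unknown destination; the first three heartbeats alone produce no alarm because there is not yet enough history.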
How to identify 'good' vs 'bad'?
This identification process is a bit complex; we are gradually enhancing the algorithm and may eventually automate it.
STEP 1: Look at the timestamp of the alarm and recall whether it was triggered by a known event, such as:
- Were you the one who triggered the upload, for example by viewing the camera remotely?
- If it is a Ring device, was someone just at your front door? (That triggers Ring to record video ... and upload it to the cloud.)
STEP 2: Tap into the alarm; you will see detailed information. Check the following fields:
Device & Destination Info:
- If a Google device is transferring to Google, the transfer is likely legitimate.
- If the upload is going to a country of questionable nature, a block may be necessary.
Data Transferred:
- If you get a Ring doorbell notification and then a Firewalla alarm saying the Ring Doorbell is transferring data, what is being transferred is likely normal.
*NOTE: If at any time the block is causing services to stop, it may be best to simply unblock it.
Comments
Thanks for the article, but there is room for improvement. Using your example above, if you are first going to monitor a device for a while to get a baseline, on say a camera, it should see that uploads over time are normal. The abnormal would be uploads larger than average, destinations say to risky countries, or just other countries outside of the average. Maybe you can build the logic over time based on what the box sees, and the feedback from the user about the alarms, to update the baseline.
I get constant abnormal upload alarms on my Ring doorbell, they are really just normal uploads.
Keep up the great work!!! Thanks!
@mozarella It supports mute domains for a specific device, and we are working on something new :)
On Web, you can do it via Alarms -> Alarms Settings -> Abnormal Upload -> Create Mute Setting -> Matching [domain] -> On [your device]
On APP, it's Alarms -> Alarms Settings -> Abnormal Upload -> Mute Setting -> Add destination -> next -> Apply To
The abnormal upload alarm feature is useless until it can learn what is really abnormal or not. Like the previous poster and many others on the help forum, I get *constant* abnormal upload alarms for my (multiple) Ring devices - i.e. dozens per day. The behavior is normal, yet Firewalla is not learning that this is normal after multiple weeks. So now I just have to mute the alarm on each of these devices, which means I won't get an alarm if something truly abnormal does start happening on these devices. :-(
I like this feature, but the lack of a way to mute is what needs to be improved.
For example, I keep getting Abnormal Upload on my proxy server in the house. I would like to mute the alert just for one INTERNAL system. The only option I am given is muting the alert to the destination of the abnormal upload IP for all devices.
I want to mute the abnormal destination only for one internal system, not all my devices.
About Ring devices. Wouldn't it be easier to "mute" the alarm per device instead of muting the domain for all devices, where the Ring system is connecting to? I don't know the Ring system actually, but it'll connect to one domain, won't it?
If the abnormal thing happens through hacking the domain and goes the "official" way, Firewalla also can't know that's abnormal. If the abnormal thing happens over another domain, then the alert will still be activated.
Can this feature be enhanced to allow for us to set "only alert if X amount of data over Y amount of time?" Or X amount of throughput over Y amount of time?
I don't care that 1 megabyte got uploaded to some S3 bucket by some IOT device, unfortunately that's probably quite normal for any IOT device. But what I do care about is if my IOT cameras are normally idling at 64 bps throughput (background pings / keep-alives / heartbeats) and suddenly a device spikes to 1 Mbps for more than 1 minute. That tells me that the device is actively streaming data, like somebody is listening in on an Echo device or watching a live video stream.