Quarantining anomalies in DDI Central

What Is Anomaly Quarantine?

The Quarantine feature in DDI Central’s Anomaly Detection module provides an automated, zero-touch containment layer that isolates suspicious clients and domains as soon as their behavior crosses defined risk thresholds.

Modern DNS and DHCP attacks often hide behind routine-looking traffic—one unusual query, one rapid DHCP lease exchange, one anomalous domain pattern. The quarantine engine ensures these weak signals do not turn into full-scale compromises.

Unlike traditional systems that only alert, DDI Central automatically contains risky clients/domains and then leaves the remediation decision to the administrator. Admins review, validate, and release quarantined entities after investigation, ensuring both security and operational control remain intact.

How Quarantine works

The Anomaly Detection Engine follows a three-pronged approach to classify and isolate threats:

  1. Suspicious Client Detection
    Behavioral patterns like DGA signatures, tunneling attempts, starvation waves, rapid solicit storms, duplicate IDs, or abnormal query bursts are analyzed.
  2. Suspicious Domain Detection
    Domains exhibiting high-entropy labels, algorithmic patterns, malicious TLDs, or unusual query behavior are flagged.
  3. Automated Quarantine Enforcement
    When risk scores exceed the quarantine threshold, clients or domains are automatically isolated through OS-specific pathways (Windows or Linux), both at DNS and DHCP levels.

The system does not wait for manual intervention. It isolates immediately and allows admins to review and take action later.

Quarantine Threshold (Severity Score)

The quarantine engine uses a configurable severity score to decide when an anomaly should be isolated.

Navigate to:

Settings → System → Security → Quarantine Threshold

  • Set the minimum severity score at which an anomaly should trigger automatic quarantine.
  • Any client or domain whose anomaly score exceeds this threshold is isolated immediately.

This ensures predictable, risk-based containment.

Quarantine Pathways (Windows vs. Linux)

The quarantine actions depend on:

  • The type of anomaly detected
  • The operating system ecosystem (Windows / Linux)
  • Whether the event affects DNS or DHCP services

Below is the complete breakdown.

Windows Quarantine Pathways

DNS Quarantine (Windows)

A. ClientSubnet Quarantine

The suspicious client is placed into a restricted Client Subnet automatically.

Effect:

  • ✔ DNS queries from that client never reach the resolver
  • ✔ All queries are dropped
  • ✔ The client becomes effectively isolated at DNS level

B. DNS Firewall Domain Quarantine

The suspicious domain being accessed is automatically added to DNS Firewall.

Effect:

  • ✔ The domain is blocked across the entire infrastructure
  • ✔ No client can resolve the flagged domain
  • ✔ Prevents lateral spread or recursive abuse

DHCP Quarantine (Windows)

MAC Filter Quarantine (Filter)

The suspicious client’s MAC address is automatically added to the MAC filter list.

Effect:

  • ✔ DHCP server denies any lease to that MAC
  • ✔ Even if the device self-assigns, rotates IPs, or spoofs IPs, it is blocked
  • ✔ Enforcement is MAC-based, so it is sticky and tamper-resistant

Linux Quarantine Pathways

DNS Quarantine (Linux)

A. ACL-Based Quarantine

Suspicious Linux clients are automatically added to a dedicated ACL.

Effect:

  • ✔ Their DNS queries are blocked before reaching the resolver
  • ✔ They are instantly isolated at DNS level

B. DNS Firewall Domain Quarantine

Same as Windows.

Effect:

  • ✔ Suspicious domains are blocked globally
  • ✔ Prevents cross-platform exposure

DHCP Quarantine (Linux)

Reserved Host Quarantine (DHCP Reservation)

The violating client is assigned a restrictive DHCP reservation with no network access.

Effect:

  • ✔ The client cannot receive a valid IP lease
  • ✔ Communication with the rest of the network is denied
  • ✔ The device is fully isolated from DHCP services
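The following is an added illustration (not DDI Central's own code) of how the pieces above fit together: a high-entropy label score for the suspicious-domain case, a comparison against the configurable quarantine threshold, and routing of a flagged client or domain to the Windows/Linux, DNS/DHCP pathway shown in the "Quarantined Through" column. The 0-10 scale, the 7.0 threshold, the entropy-to-severity scaling and all sample inputs are assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Assumed value for Settings -> System -> Security -> Quarantine Threshold (0-10 scale assumed).
QUARANTINE_THRESHOLD = 7.0

# Isolation method per (OS family, service) for suspicious clients, as described on this page.
CLIENT_PATHWAYS = {
    ("Windows", "DNS"): "Client Subnet",
    ("Windows", "DHCP"): "Filter",   # MAC filter list
    ("Linux", "DNS"): "ACL",
    ("Linux", "DHCP"): "Host",       # restrictive DHCP reservation
}
DOMAIN_PATHWAY = "DNS Firewall"      # same on both platforms

@dataclass
class QuarantineEntry:
    entity: str               # host IP, MAC address or domain name
    quarantined_through: str  # value shown in the "Quarantined Through" column
    cluster: str
    severity: float

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())

def domain_severity(domain: str) -> float:
    """Illustrative 0-10 severity from the highest-entropy label below the TLD.
    The scaling (2 x entropy, capped at 10) is an assumption, not DDI Central's scoring."""
    labels = [l for l in domain.rstrip(".").split(".")[:-1] if l]
    if not labels:
        return 0.0
    return round(min(10.0, 2.0 * max(label_entropy(l) for l in labels)), 2)

def evaluate_domain(domain: str, cluster: str, threshold: float = QUARANTINE_THRESHOLD):
    """DNS Firewall quarantine entry once severity reaches the threshold, else None."""
    sev = domain_severity(domain)
    if sev < threshold:  # threshold is the minimum score that triggers quarantine
        return None
    return QuarantineEntry(domain, DOMAIN_PATHWAY, cluster, sev)

def evaluate_client(entity, severity, os_family, service, cluster, threshold=QUARANTINE_THRESHOLD):
    """Routes an already-scored client to its OS- and service-specific pathway, or None."""
    if severity < threshold:
        return None
    return QuarantineEntry(entity, CLIENT_PATHWAYS[(os_family, service)], cluster, severity)
```

A 16-character label with no repeated characters scores 8.0 (entropy 4 bits), while an ordinary dictionary-word label such as "google" stays well below the threshold.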

Accessing the Quarantine page

To view and manage quarantined entries:

Navigation: Left Menu → Anomaly Detection → Quarantine

This opens two structured tables:

DNS Quarantine table

Filter Options:

  • Host
  • Quarantined Through (ACL, Client Subnet)
  • Cluster

Search through:

  • Host IP
  • Quarantined Through (ACL / Client Subnet / DNS Firewall)
  • Cluster

Allows quick identification of:

  • ✓ Windows DNS quarantines
  • ✓ Linux DNS quarantines
  • ✓ Domain-level quarantines (via DNS Firewall)

DHCP Quarantine list

Filter Options:

  • Host
  • Filter
  • Cluster

Search through:

  • A specific string in the MAC address
  • A specific pattern in the IP address
  • Quarantined Through (Host / Filter)
  • Cluster (Source)

Allows quick identification of:

  • ✓ MAC-blocked Windows clients
  • ✓ Host-reservation blocked Linux clients
  • ✓ Cross-cluster DHCP quarantines

What Admins can do on this page

Although DDI Central automatically quarantines, admins retain full control:

Admins can:

  • Investigate the anomaly using DDI Central reports
  • Validate whether the quarantine is justified
  • Apply filters to segment DNS and DHCP quarantines
  • View the isolation method: ACL [Linux DNS], Client Subnet [Windows DNS], Filter [Windows DHCP], Host [Linux DHCP], DNS Firewall [anomalous domain blocking, Linux and Windows]
  • Release quarantined clients by deleting them after remediation
  • Delete quarantine entries that are false positives
  • Track clusters and subnets to see where containment occurred

What admins cannot or need not do:

  • ✘ Cannot prevent automatic quarantine (by design, security-first)
  • ✘ Cannot bypass severity scoring logic
  • Do not need to quarantine manually; the engine auto-enforces