NVSHAS-8423:add ddos detection in groups documentation; NVSHAS-8486:a…

…dd documentation for multus support in protect mode

docs/05.policy/02.modes/02.modes.md

@@ -38,6 +38,16 @@ In the Network map you can click on any conversation (green, yellow, red line) t
 
 In Protect mode, NeuVector enforcers will block (deny) any network violations and attacks detected. Violations are shown in the Network map with a red ‘x’ in them, meaning they have been blocked. Unauthorized processes and file access will also be blocked in Protect mode. DLP sensors which match will block network connections.
 
+In case of any network violation, NeuVector enforcers are put inline of network connections to block the traffic.
+
+There are two ways of putting an enforcer inline:
+
++ **Veth bridge**
+> If the container's interfaces are of 'Veth' type.
++ **Netfilter_queue**
+> If not all of the container's interfaces are of 'Veth' type, 'multus' CNI falls into this case.
+
+
 ### Switching Between Modes
 
 You can easily switch NeuVector Groups from one mode to another. Remember that in Discover mode, NeuVector is building a Security Policy for allowed, normal container behavior. You can see these rules in the Policy -> Groups tab or in detail in the Policy -> Network Rules menu. 

docs/05.policy/04.groups/04.groups.md

@@ -37,6 +37,27 @@ To enable host protection with process profile rules, select the 'nodes' group a
 Network connection violations of rules shown in the Network Rules for Nodes are never blocked, even in Protect mode. Only process violations are blocked in Protect mode on nodes.
 :::
 
+#### DDoS detection
+
+You can configure the following DDoS detection thresholds:
+
++ **Active Session Count**
+> Active sessions count on the group, exceeding this count can trigger a warning event
++ **Group Session Rate**
+> Connection Per Second(CPS) on the group, exceeding this rate can trigger a warning event
++ **Group Bandwidth**
+> Throughput meassured in (Mb/s) on the group, exceeding this bandwidth threshold can trigger a warning event
+
+![ddosDetection](group_ddos_threshold.png)
+
+:::note
+Neuvector samples the traffic for 60 seconds in average and checks whether the metric breaks the threshold or not.
+
+The DDoS detection measurement is more  meaningful in protect mode because the Neuvector enforcer becomes inline at the data-path.
+
+The DDoS detection thresholds can be configured for the container groups of type `Learned`, `User-created`, `CRD created` and `federal created`.
+:::
+
 #### Custom Groups
 
 Groups can be manually added by entering the criteria for the group. Note: Custom created groups don't have a Protection mode. This is because they may contain containers from different underlying groups, each of which may be in a different mode, causing confusion about the behavior.