Cisco Traffic Anomaly Detectors

Cisco Traffic Anomaly Detector XT 5600

  • Viewing Options

  • PDF (119.7 KB)
  • Feedback


The Cisco ® Traffic Anomaly Detector XT 5600 from Cisco Systems ® is a complete solution to help large organizations protect against distributed denial-of-service (DDoS) or other cyber attacks, enabling users to quickly initiate mitigation services to block the attack before business is adversely affected.
Based on a unique, patented multiverification process (MVP) architecture, the Cisco Traffic Anomaly Detector XT utilizes the latest behavioral analysis and attack recognition technology to proactively detect and identify all types of cyber assaults.
By constantly monitoring traffic destined for a protected device, such as a Web or e-commerce application server, the Cisco Traffic Anomaly Detector XT compiles detailed profiles that indicate how individual devices behave under "normal" operating conditions. If the Cisco Traffic Anomaly Detector XT detects any per-flow deviations from the profile, it considers the anomalous behavior of a potential attack and responds based on user preference: by sending an operator alert to initiate a manual response, by triggering an existing management system, or by launching the Cisco Guard XT DDoS Mitigation Appliance to immediately begin mitigation services.
Combined with the Cisco Guard XT, the Cisco Traffic Anomaly Detector XT contributes to the industry's most comprehensive DDoS defense system. Through the MVP architecture, the Cisco Traffic Anomaly Detector XT and Cisco Guard XT detect, divert, isolate, and remove malicious attack flows without impacting legitimate transactions, helping to deliver robust protection to networks and business-critical traffic.


Cyber attacks are on the rise, with DDoS assaults representing the fastest-growing threat facing online businesses today. These attacks, which have evolved from simple acts of publicity-seeking vandalism to highly focused events designed to disrupt the business operations of targeted victims, have grown increasingly relentless and malicious, driving many businesses to the brink of ruin.
Attack techniques are also growing more sophisticated. Attackers mimic valid requests, spoof source identification, and use armies of compromised "zombie" hosts to overwhelm Internet data centers and existing defenses, while making identification and blocking of the malicious traffic flows virtually impossible.
The Cisco Traffic Anomaly Detector XT works with the Cisco Guard XT to provide a complete detection and mitigation solution that protects enterprises, hosting centers, government agencies, and service provider environments from DDoS attacks. When the Traffic Anomaly Detector XT identifies a potential attack by noticing deviations from known "normal" behavior, it alerts the Guard XT to begin diverting traffic destined for the targeted devices-and only that traffic-for inspection. All other traffic continues to flow freely, reducing the impact on overall business operations while increasing the number of devices or zones a single Guard XT can protect.
Diverted traffic is rerouted through the Cisco Guard XT, which is typically deployed off the critical path at any point in the network- from enterprise entrance access points to peering points off an ISP backbone. The diverted traffic is then scrutinized to identify and separate "bad" flows from legitimate transactions. Attack packets are identified and removed, while legitimate traffic is forwarded to its original destination, ensuring that real users and real transactions always get through, guaranteeing maximum availability.

Figure 1


Recognition and Learning

The Cisco Traffic Anomaly Detector XT resides off the critical path to monitor mirrored traffic flows at full gigabit line rates, building detailed profiles of "normal" behavior for each protected device without consuming valuable switch or router resources.
Using sophisticated behavior-based anomaly detection technology, the Cisco Traffic Anomaly Detector XT will detect any activity that deviates from those profiles at both global and granular session levels, enabling highly accurate identification of all types of known and Day Zero attacks. Granular, per-connection state analysis of all packets enable fast and thorough detection and identification of the most elusive and sophisticated attacks-from subtle, low-rate server resource exhaustion attacks to large-scale attacks launched by hundreds of thousands of distributed zombies.
The Traffic Anomaly Detector XT also includes a behavioral recognition engine that eliminates the need to continually update profiles, and reduces the large number of alerts and false positives common with static signature-based approaches. In addition, the Cisco Traffic Anomaly Detector XT comes preconfigured with default profiles for immediate operation out of the box; automated learning allows users to create specific tuning recommendations that can be reviewed by the operator.
Finally, session-state context recognizes validated session traffic and identifies session-abusive attacks to provide additional protection against malicious activity.

High Performance

The high-performance Cisco Traffic Anomaly Detector XT monitors attack flows at full gigabit line rates-enough to identify more than 100,000 sources per device in a single attack, providing robust protection for large, high-volume environments against distributed attacks.
In addition, multistage analysis of fully mirrored traffic delivers fast recognition of even the most stealthy low-rate attacks. To provide the greatest possible protection, the Cisco Traffic Anomaly Detector XT can be deployed downstream-close to protected resources in the data center, or upstream-adjacent to a Cisco Guard XT for more widespread coverage.

Reporting and Management

The Cisco Traffic Anomaly Detector XT uses a Web-based graphical user interface (GUI) that displays information in a simple, intuitive manner, dramatically simplifying configuration, operation, and attack identification and analysis.
Multiple real-time and historical reporting levels provide network operators, security administrators, and clients with detailed information to assist in attack detection, policy setting, and mitigation. Report statistics can also be exported to text files for back-end customization or for later review.
The Cisco Traffic Anomaly Detector XT can also be configured to proactively send alerts to network operators and to the Cisco Guard XT to initiate rapid response to attack conditions, including automated mitigation services to quickly thwart the attack. A Simple Network Management Protocol (SNMP) management information base (MIB) also makes all device-, protected zone-, and attack-level statistics available to standards-based management systems.


Designed for large hosting centers and online enterprises, the Cisco Traffic Anomaly Detector XT combines with the Cisco Guard XT DDoS Mitigation Appliance to provide a security solution that can help ensure uninterrupted business operations, even in the face of the most malicious assaults. For users, that translates into a significant competitive advantage as it can help ensure uncompromised availability and unparalleled protection of valuable business assets.


Table 1. Product Specifications



Hard Drive

80 GB


Two Gigabit Ethernet
Two 100BASE-T (management)

Power Supply

Dual 110-220V, 350W


62 lb /28.2 Kg


3.36 in. / 8.53 cm


17.5 in. / 44.5 cm


27.5 in. / 69.9 cm

Operating Temperature

10 to 35C (50.0 to 95.0F)

Nonoperating Temperature

10 to 43C (50.0 to 109.4F)

Operating: 8% to 80%

Non-Operating: 8% to 80%




Secure Web-based GUI

CLI: Console, Telnet, SSH

Cisco (Riverhead) SNMP MIB and MIB II




UL recognized


FCC Rules Part 15 compliant

Attack Protection
• Spoofed and Non-spoofed Attacks
• TCP (syns, syn-acks, acks, fins, fragments)
• UDP (random port floods, fragments)
• ICMP (unreachable, echo, fragments)
• Client Attacks
• Inactive and total connections
• HTTP Get flood
• BGP Attacks


Table 2. Ordering Information

Product Name

Part Number

SMARTnet Number

Cisco Traffic Anomaly Detector XT 5600 with 1000BASE-SX Multi Mode Fiber Optic Ports with LC Connectors, Dual AC Power, RAID



Cisco Traffic Anomaly Detector XT Appliance 5.0 Software



To place an order, visit the Cisco Ordering Home Page.


Whether your company is a large organization, a commercial business, or a service provider, Cisco is committed to maximizing the return on your network investment. Cisco offers a portfolio of technical support services to help ensure that your Cisco products operate efficiently, remain highly available, and benefit from the most up-to-date system software.
The Cisco Technical Support Services organization offers the following features, providing network investment protection and minimal downtime for systems running mission-critical applications:
· Provides Cisco networking expertise online and on the telephone
· Creates a proactive support environment with software updates and upgrades as an ongoing integral part of your network operations, not merely a remedy when a failure or problem occurs
· Makes Cisco technical knowledge and resources available to you on demand
· Augments the resources of your technical staff to increase productivity
· Complements remote technical support with onsite hardware replacement
· Cisco Technical Support Services include:

– Cisco SMARTnet® support

– Cisco SMARTnet Onsite support

· Cisco Software Application Services, including Software Application Support and Software Application Support plus Upgrades