Table Of Contents
Introduction
What is DDoS
The Cisco Traffic Anomaly Detector Module
Zones
How the Detector Module Operates
Detection Mechanisms
Filters
Modules
Introduction
This chapter provides a general overview of the Cisco Traffic Anomaly Detector Module, its components and how it works. The chapter includes the following sections:
• What is DDoS
• The Cisco Traffic Anomaly Detector Module
• Zones
• How the Detector Module Operates
• Detection Mechanisms
What is DDoS
Distributed Denial of Service (DDoS) attacks are attacks in which malicious individuals cause thousands of compromised computers ("zombies") to run automated scripts that cripple the network resources of a protected server (the zone) with spurious requests for service. The attack can be, for example, a flood of bogus home page requests to a web server that shuts out legitimate customers, or an effort that compromises the availability and accuracy of Domain Name System (DNS) servers. Although often launched by an individual, the zombies actually executing the attack code may number in the hundreds of thousands, and are distributed over multiple autonomous systems administered by multiple organizations. These distributed attacks generate a volume of traffic that cannot be handled by the lower bandwidth available at a typical zone, including those of the largest corporations.
DDoS attacks are a statistical phenomenon, and consequently defending against them requires the formation of a detailed statistical traffic profile. DDoS research indicates that DDoS zombies are distributed both in number and across autonomous systems, that legitimate and bogus requests for service are closely intermixed, and that DDoS attacks use random settings such as spoofed IP source addresses or random settings of TCP flags.
DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, their attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. Thus, DDoS defense technology must be flexible and adaptive.
A DDoS defense system must therefore be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network element.
The Cisco Traffic Anomaly Detector Module
The Cisco Traffic Anomaly Detector Module (Detector module) is a Cisco IOS application module that you can install in the Catalyst 6500 series switch.
It is a denial-of-service (DoS) detection product. It receives a copy of the traffic on the switch, analyzes that traffic, and sends out an alert when a DoS attack is detected. The Detector can detect attacks and activate protection mechanisms. It is best suited to work alongside the Cisco Guard, but it can also operate as a separate DDoS detection and alarm component. The Detector gets a copy of the traffic either by using the port mirroring feature of a switch (such as SPAN) or by means of splitting. It then monitors the traffic continuously, staying closely tuned to the zone's traffic characteristics in order to recognize evolving attack patterns. The Detector module can also activate a configured Cisco Anomaly Guard Module to mitigate these attacks.
To accomplish this, the Cisco Traffic Anomaly Detector employs the following components:
• An algorithm-based learning system that learns the zone traffic, adapts itself to the zone's particular characteristics, and supports the Detector's detection mechanisms with references and instructions in the form of thresholds and policies.
• A system that either remotely activates Cisco Anomaly Guards to assume protection over the zone or zones, or records the traffic anomalies in the Detector syslog.
Integrating these components enables the Detector to assume its detection role while unobtrusively remaining in the background.
Zones
A zone is a network element which the Detector monitors for DDoS attacks. A zone can be a network server, client or router; a network link or subnet or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP), or any combination of the above. Once the Detector identifies a DDoS attack, it can activate a remote Guard automatically to protect the zone against the attack or notify the user to activate the Guard manually.
The Detector can analyze the traffic for different zones simultaneously, as long as their network address ranges do not overlap.
A zone is the definition of a network element on the Detector, configured so that the Detector can detect DDoS attacks against it. The definition consists of configuration such as the network addresses and the detection policies. You assign a name to the zone, and use this name to refer to it.
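The requirement that zones' network address ranges must not overlap is easy to violate once a Detector carries many zones with several prefixes each. The following script is an added illustration, not part of this guide or of the Detector's own software: it takes a constructed set of zone definitions (the zone names and prefixes are assumptions) and reports every pair of prefixes from different zones that overlap, rejecting malformed prefixes along the way.

```python
"""Check that the address ranges of a set of Detector zones do not overlap."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed example zones; the names and prefixes are illustrative assumptions.
# "mail-relay" is deliberately placed inside one of "web-farm"'s prefixes.
ZONES: Dict[str, List[str]] = {
    "web-farm": ["192.0.2.0/25", "192.0.2.128/26"],
    "dns-servers": ["198.51.100.0/28"],
    "mail-relay": ["192.0.2.136/32"],
}

Overlap = Tuple[str, str, str, str]   # (zone_a, prefix_a, zone_b, prefix_b)


def parse_zone(name: str, prefixes: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse a zone's prefixes. strict=True rejects prefixes with host bits set,
    such as 192.0.2.1/24, which usually indicates a typo in the zone definition."""
    networks = []
    for prefix in prefixes:
        try:
            networks.append(ipaddress.ip_network(prefix, strict=True))
        except ValueError as exc:
            raise ValueError(f"zone {name}: bad prefix {prefix!r}: {exc}") from exc
    return networks


def find_overlaps(zones: Dict[str, List[str]]) -> List[Overlap]:
    """Return every pair of prefixes belonging to two different zones that overlap.
    Prefixes within the same zone are allowed to overlap (they describe one element)."""
    parsed = {name: parse_zone(name, prefixes) for name, prefixes in zones.items()}
    overlaps: List[Overlap] = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                # Mixed IPv4/IPv6 never overlap; guard explicitly for clarity.
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def zones_are_disjoint(zones: Dict[str, List[str]]) -> bool:
    """True when the Detector could monitor all of these zones simultaneously."""
    return not find_overlaps(zones)


if __name__ == "__main__":
    for zone_a, net_a, zone_b, net_b in find_overlaps(ZONES):
        print(f"overlap: {zone_a} {net_a} <-> {zone_b} {net_b}")
```

Run the check against the zone list before committing it to the Detector; a single reported overlap means the two zones cannot be analyzed at the same time.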
How the Detector Module Operates
The Detector receives a copy of the zone traffic by means of splitting or port mirroring. The Detector analyzes the traffic for evolving signs of an upcoming DDoS attack. Once a traffic abnormality is detected, the Detector either records the event in its syslog or remotely activates the Guards on its lists. These Guards protect the zones against the evolving DDoS attack. Figure 1-1 illustrates the detection operation.
Figure 1-1 Cisco Traffic Anomaly Detector Module Operation
In order to form a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious, the Detector learns the zone's traffic characteristics.
The learning process consists of two phases, during which the Detector learns the zone's traffic and adapts itself to the particular characteristics:
1. The Policy Construction Phase—In this phase, the zone policies are created using the Detector Policy Templates, which provide the rules that are used to construct the policies. The traffic flows transparently through the Detector, enabling it to discover the main services used by the zone.
2. The Threshold Tuning Phase—In this phase, the policies are tuned to fit the traffic rates of the zone services. The traffic flows transparently through the Detector, enabling it to tune the thresholds for the services discovered during the policy construction phase.
The policies are the mechanisms that measure a particular traffic flow and take action against the flow when a threshold is violated. The action is either remotely activating a Guard or recording the event in the Detector syslog. The detection policies are constructed from policy templates.
See "Configuring Zones" for more information on traffic learning. See "Configuring Policy Templates and Policies" for more information on zone policies.
When the Detector policies sense abnormal or malicious traffic (by means of threshold violation), they dynamically configure a set of filters (Dynamic Filters) to direct the traffic to the appropriate module according to the severity of the attack.
You can activate the Detector's protection in the following ways:
• Automatic mode—The dynamic filters are activated without user intervention.
• Interactive mode—Dynamic filters are activated manually, interactively. The dynamic filters are grouped as recommendations that wait for your decision. You can review these recommendations and decide which of them to accept, ignore, or direct to automatic activation.
See "Interactive Recommendations Mode" for further details.
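The two learning phases, the threshold policies and the two activation modes form one procedure. The script below is an added, simplified model of that procedure and is not the Detector's own code or Cisco's algorithm: it discovers a zone's services from constructed learning traffic (policy construction), derives per-service packet-rate thresholds from the observed peaks (threshold tuning), turns threshold violations into dynamic filters whose action is either syslog or Guard activation depending on severity, and applies them in automatic or interactive mode. The traffic figures, the 1% service-discovery share, the 1.5x threshold margin, the 3x Guard ratio and the catch-all "other" bucket for traffic to no discovered service are all assumptions made for the illustration.

```python
"""Toy model of the Detector's two learning phases and its threshold policies.

Illustrative only: the traffic figures, thresholds and actions are constructed
assumptions, not Cisco's algorithms or configuration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[int, str, int, int]      # (timestamp_s, proto, dst_port, packets seen in that second)
Service = Tuple[str, int]             # (proto, dst_port) discovered as a zone service
OTHER: Service = ("other", 0)         # catch-all bucket for traffic to no discovered service (assumption)

# Constructed learning-period traffic: a web service, a DNS service and one stray packet.
LEARNING_TRAFFIC: List[Flow] = (
    [(t, "tcp", 80, 100 + (t % 5) * 10) for t in range(60)]
    + [(t, "udp", 53, 40 + (t % 3) * 5) for t in range(60)]
    + [(7, "tcp", 8080, 1)]
)

# Constructed monitored traffic: normal web load, a mild excess, a DNS flood, a flood on an unlearned port.
MONITORED_TRAFFIC: List[Flow] = [
    (100, "tcp", 80, 130),
    (101, "tcp", 80, 260),
    (102, "udp", 53, 900),
    (102, "udp", 1234, 500),
]


def construct_policies(flows: List[Flow], min_share: float = 0.01) -> Set[Service]:
    """Phase 1 (policy construction): a (proto, port) pair becomes a policy only if it
    carried at least min_share of all learning-period packets; rare traffic is ignored."""
    per_service: Counter = Counter()
    for _, proto, port, pkts in flows:
        per_service[(proto, port)] += pkts
    total = sum(per_service.values())
    return {svc for svc, pkts in per_service.items() if pkts / total >= min_share}


def rates_per_second(flows: List[Flow], services: Set[Service]) -> Dict[int, Counter]:
    """Aggregate packets per second per policy; traffic to unknown services lands in OTHER."""
    rates: Dict[int, Counter] = defaultdict(Counter)
    for ts, proto, port, pkts in flows:
        key = (proto, port) if (proto, port) in services else OTHER
        rates[ts][key] += pkts
    return rates


def tune_thresholds(flows: List[Flow], services: Set[Service], margin: float = 1.5) -> Dict[Service, int]:
    """Phase 2 (threshold tuning): threshold = observed peak rate per policy times a safety margin."""
    peak: Counter = Counter()
    for per_policy in rates_per_second(flows, services).values():
        for key, pkts in per_policy.items():
            peak[key] = max(peak[key], pkts)
    return {key: int(rate * margin) for key, rate in peak.items()}


@dataclass
class DynamicFilter:
    service: Service
    observed_pps: int
    threshold_pps: int
    action: str        # "syslog" or "activate-guard"


def detect(flows: List[Flow], services: Set[Service], thresholds: Dict[Service, int],
           guard_ratio: float = 3.0) -> List[DynamicFilter]:
    """Every threshold violation yields a dynamic filter. A rate at or above guard_ratio
    times the threshold is severe enough to recommend activating a Guard; a milder
    violation is only recorded. A policy with no learning baseline gets threshold 0."""
    filters: List[DynamicFilter] = []
    for _ts, per_policy in sorted(rates_per_second(flows, services).items()):
        for key, pkts in per_policy.items():
            threshold = thresholds.get(key, 0)
            if pkts <= threshold:
                continue
            action = "activate-guard" if pkts >= threshold * guard_ratio else "syslog"
            filters.append(DynamicFilter(key, pkts, threshold, action))
    return filters


def apply_mode(filters: List[DynamicFilter], mode: str,
               accepted: Optional[Set[Service]] = None) -> List[DynamicFilter]:
    """Automatic mode activates every dynamic filter; interactive mode treats them as
    recommendations and activates only those the operator has accepted."""
    if mode == "automatic":
        return list(filters)
    if mode == "interactive":
        return [f for f in filters if f.service in (accepted or set())]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    services = construct_policies(LEARNING_TRAFFIC)
    thresholds = tune_thresholds(LEARNING_TRAFFIC, services)
    for f in detect(MONITORED_TRAFFIC, services, thresholds):
        print(f)
```

The point of the catch-all bucket is the failure mode a learning-based detector must handle: a flood aimed at a port the zone never served during learning matches no discovered service, so without such a bucket it would not be measured at all. The tight threshold it receives here (one stray packet during learning) is a consequence of the constructed data; on a real zone the learning period must be long and representative enough that every bucket has a meaningful baseline.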
The Detector provides an attack report for every zone to help form a clear picture of the zone status. The attack report provides details of the attack, starting with the production of the first dynamic filter, and ending with protection termination.
Detection Mechanisms
The Detector's protection system uses the following mechanisms:
• Filters
• Modules
Filters
The zone's filters are the mechanism that directs the zone's mirrored traffic to the Detector's detection modules. The Detector enables you to set filter configurations that combine into a variety of customized traffic-direction and DDoS attack detection mechanisms. The Detector uses the following types of filters:
• Bypass filter—Bypass filters are used to prevent specific traffic flows from being handled by the Detector protection mechanisms.
• Flex filter—The Flex filter is used to count a specified packet flow. It is a Berkeley Packet Filter that provides extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. You can use complex Boolean expressions, but you can configure only one flex filter per zone.
• Dynamic filter—The Detector creates dynamic filters as the result of its analysis of the traffic flow. The dynamic filters either record the event in the Detector's syslog or activate remote Guards.
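To make concrete what a flex filter can test (IP and TCP header fields, TCP flags, content bytes, combined with Boolean operators) and the one-filter-per-zone limit, the following script is an added illustration that is not part of this guide or the Detector's software. It decodes constructed IPv4/TCP frames, builds predicates that mirror BPF primitives and operators, and counts the frames a zone's single flex filter matches; the predicate helpers, the Zone class, the sample addresses and the frame contents are all assumptions.

```python
"""Toy flex filter: count packets matching a BPF-style predicate over IPv4/TCP
header fields and payload bytes. Constructed illustration, not the Detector's code."""
import struct
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Predicate = Callable[[Packet], bool]
SYN, ACK = 0x02, 0x10          # TCP flag bits, as in BPF's tcp-syn and tcp-ack


def parse_ipv4_tcp(raw: bytes) -> Optional[Packet]:
    """Decode the IPv4/TCP header fields a filter can test; None for non-IPv4, non-TCP or truncated frames."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "sport": sport, "dport": dport, "tcp_flags": off_flags & 0x1FF,
            "payload": raw[ihl + data_off:]}


# Predicate builders: these play the role of BPF primitives and Boolean operators.
def field_eq(name: str, value) -> Predicate:
    return lambda p: p.get(name) == value

def tcp_flags_set(mask: int) -> Predicate:
    return lambda p: (p["tcp_flags"] & mask) == mask

def payload_startswith(prefix: bytes) -> Predicate:
    return lambda p: p["payload"].startswith(prefix)

def all_of(*preds: Predicate) -> Predicate:
    return lambda p: all(f(p) for f in preds)

def any_of(*preds: Predicate) -> Predicate:
    return lambda p: any(f(p) for f in preds)

def not_(pred: Predicate) -> Predicate:
    return lambda p: not pred(p)


class Zone:
    """Holds a zone's single flex filter and counts the mirrored frames that match it."""
    def __init__(self, name: str):
        self.name = name
        self.flex_filter: Optional[Predicate] = None

    def set_flex_filter(self, pred: Predicate) -> None:
        if self.flex_filter is not None:
            raise ValueError(f"zone {self.name}: only one flex filter is allowed; clear it first")
        self.flex_filter = pred

    def clear_flex_filter(self) -> None:
        self.flex_filter = None

    def count_flex_matches(self, frames: List[bytes]) -> int:
        if self.flex_filter is None:
            return 0
        matches = 0
        for raw in frames:
            pkt = parse_ipv4_tcp(raw)
            if pkt is not None and self.flex_filter(pkt):
                matches += 1
        return matches


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4/TCP frame for constructed test data (checksums left at zero)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed mirrored traffic: three bare SYNs to port 80, one HTTP request, one SYN to 443, one non-IPv4 frame.
SAMPLE_FRAMES: List[bytes] = [
    build_frame("203.0.113.5", "192.0.2.10", 40001, 80, SYN),
    build_frame("203.0.113.6", "192.0.2.10", 40002, 80, SYN),
    build_frame("203.0.113.7", "192.0.2.10", 40003, 80, SYN),
    build_frame("203.0.113.8", "192.0.2.10", 40004, 80, ACK, b"GET / HTTP/1.1\r\n"),
    build_frame("203.0.113.9", "192.0.2.10", 40005, 443, SYN),
    b"\x60" + b"\x00" * 39,
]

# Equivalent of the BPF expression "tcp dst port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn".
SYN_ONLY_TO_WEB: Predicate = all_of(field_eq("dport", 80), tcp_flags_set(SYN), not_(tcp_flags_set(ACK)))
# "tcp dst port 80" combined with a content-byte test on the start of the payload.
HTTP_GET_TO_WEB: Predicate = all_of(field_eq("dport", 80), payload_startswith(b"GET "))


def count_with_filter(pred: Predicate, frames: List[bytes] = SAMPLE_FRAMES) -> int:
    zone = Zone("web-zone")
    zone.set_flex_filter(pred)
    return zone.count_flex_matches(frames)
```

Because only one flex filter exists per zone, the count it produces is best reserved for the single flow that matters most for that zone (here, bare SYNs to the web service); a second question, such as the HTTP request count, requires clearing the filter and losing the first counter.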
Modules
The Detector has two modules that work closely together to coordinate the detection:
• The Analysis module—Analyzes the zone traffic flows.
• The Recognition and Statistics module—Monitors the zone traffic for abnormalities.