Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 4.0)
Configuring Zone Filters

Table Of Contents

Configuring Zone Filters

Overview

Filter Traffic Flows

Configuring the Flex Filter

Flex Filter Configuration Examples

Viewing the Flex Filter

Configuring Bypass Filters

Viewing the Bypass Filters

Deleting Bypass Filters

Configuring Dynamic Filters

Viewing Dynamic Filters

Deleting a Dynamic Filter


Configuring Zone Filters


This chapter describes how to configure the Detector module filter system and how you can adapt these filters to the Detector module policies.

This chapter includes the following sections:

Overview

Configuring the Flex Filter

Configuring Bypass Filters

Configuring Dynamic Filters

Overview

The Detector receives a copy of the zone traffic by means of splitting or port mirroring. The zone's filters are the mechanism that directs the copy of the zone's traffic to the Detector's detection modules. The Detector enables you to set filter configurations to design a variety of possibilities for customized traffic direction and DDoS attack detection mechanisms.

Changes in the zone's filter configuration take effect immediately.

Figure 6-1 displays the Detector module filter system.

Figure 6-1 Detector Filter System

Traffic flows directly to the Analysis module, which analyses the zone traffic. You can configure the Detector to count a specific flow by using the Flex filter. You can configure specific flows to bypass the Detector detection mechanism by using the Bypass filter. The Detector passes a sample of the traffic to the Recognition and Statistics module. The Recognition module consists of policies that constantly measure the traffic flows. The policies take action against a particular traffic flow if they identify the flow as malicious or abnormal. This occurs when the flow violates the policy threshold. The actions the Detector takes can either be recording the event in its syslog or creating new filters (Dynamic filters). The Detector Dynamic filters can remotely activate the Guards on the Detector lists.

You can define your own protection preferences and configure the following filters:

Bypass filter—Use Bypass filters to prevent specific traffic flows from being handled by the Detector protection mechanisms. See the "Configuring Bypass Filters" section for further details.

Flex filter—Use the Flex filter to count a specified packet flow. It is a Berkeley Packet filter that provides extremely flexible filtering capabilities such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. You can use complex Boolean expressions, but you can only configure one Flex filter per zone. See the "Configuring the Flex Filter" section for further details.

Filter Traffic Flows

You must configure the flow that the filters process. Table 6-1 describes the filter's flow arguments.

See the "Configuring Bypass Filters" and "Configuring Dynamic Filters" sections for further details.


Table 6-1 Arguments for Filter Flows 

Parameter
Description
src-ip

Processes traffic coming from a specific IP address. Enter * for any.

ip-mask

(Optional) Processes traffic coming from a specific subnet. The mask can only contain Class C values. The default subnet is 255.255.255.255.

protocol

Processes traffic coming from a specific protocol. Enter * for any.

dest-port

Processes traffic destined to a specific destination port. Enter * for any.

fragments-type

(Optional) Specifies whether or not the filter will process fragmented traffic. The fragmented types are:

no-fragments—Non-fragmented traffic

fragments—Fragmented traffic

any-fragments—Fragmented and non-fragmented traffic

The default is no-fragments.


Table 6-2 describes fields of the filter show commands.

See the "Viewing the Bypass Filters" and "Viewing Dynamic Filters" sections for further details.

Table 6-2 Field Descriptions for Filter show Commands

Field
Description
Source IP

Specifies the source IP address of the traffic the filter processes

Source Mask

Specifies the source address mask of the traffic the filter processes

Proto

Specifies the protocol number of the traffic the filter processes

DPort

Specifies the destination port of the traffic the filter processes

Frg

Specifies whether or not the filter processes fragmented traffic:

yes—The filter processes fragmented traffic

no—The filter processes non-fragmented traffic

any—The filter processes both fragmented and non-fragmented traffic


The source IP address, source address mask, protocol number, and destination port may be non-specific. An asterisk (*) indicates that the filter acts on all field values, or that more than one value was matched for the filter.

Configuring the Flex Filter

A Flex filter is a Berkeley Packet filter with very selective filtering capabilities. Use the Flex filter to count a desired packet flow and to identify a specific malicious source of traffic. This filter has many parameters, is very flexible, and enables you to define a specific traffic flow. However, you can configure only a single Flex filter per zone, and it consumes resources. We recommend that you use the Flex filter cautiously because it might affect performance.

For a detailed explanation on the Berkley Packet filter configuration options see: http://www.freesoft.org/CIE/Topics/56.htm.

To configure the Flex filter, enter the following:

flex-filter count parameters

To delete the Flex filter use the no form of the command.

The arguments and keywords are as follows:

count—Count the flow that is specified by parameters

parameters—Define the flow

See the "Flex Filter Configuration Examples" section for configuration examples.

Table 6-3 describes the optional Flex filter parameters.

Table 6-3 Optional Flex Filter Parameters 

Parameter
Description

dst host host_ip_address

Traffic to a destination host IP address

src host host_ip_address

Traffic from a source host IP address

host host_ip_address

Traffic to and from both source and destination host IP addresses

net net mask mask

Traffic to a specific network

net net/len

Traffic to a specific subnet

dst port destination_port_number

TCP or UDP traffic to a destination port number

src port source_port_number

TCP or UDP traffic from a source port number

port port_number

TCP or UDP traffic to and from both source and destination port numbers

less packet_length

Packets with a length equal to or less than the specific length in bytes

greater packet_length

Packets with a length equal to or greater than the specific length in bytes

ip proto protocol

Packets with a protocol number of the following protocols: ICMP, UDP, and TCP.

ip broadcast

Broadcast IP packets

ip multicast

Multicast packets

ether proto protocol

Ether protocol packets of a specific protocol number or name such as IP, ARP or RARP.

expr relop expr

Traffic that complies with the specific expression. See Table 6-4 for further details.


Table 6-4 describes the Flex filter expression rules.

Table 6-4 Flex Filter Expression Rules 

Expression Rule
Description

relop

>, <, >=, <=, =, !=

expr

An arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accesses. To access data inside the packet, use the following syntax:

proto [expr: size]

proto

Specifies the protocol layer for the index operation. The possible values are ether, ip, tcp, udp, or icmp. The byte offset, relative to the indicated protocol layer, is given by expr. The argument size is optional and indicates the number of bytes in the field of interest; it can be one, two, or four. The default is one. The argument len specifies the length of the packet.


You can combine primitives using the following methods:

A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped)

Negation—Use ! or not

Concatenation—Use && or and

Alternation—Use || or or

Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Explicit and tokens, not juxtaposition, are required for concatenation. If you specify an identifier without a keyword, the most recent keyword is used.

Flex Filter Configuration Examples

The following example shows how to count only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment:

admin@DETECTOR-conf-zone-scannet# flex-filter count ip[6:2]&0x1fff=0

The following example shows how to count all TCP RST packets:

admin@DETECTOR-conf-zone-scannet# flex-filter count tcp [13] & 4 != 0

The following example shows how to count all ICMP packets that are not echo requests/echo reply (ping):

admin@DETECTOR-conf-zone-scannet# flex-filter count icmp[0] != 8 and icmp[0] != 0

The following example shows how to count all TCP packets destined to port 80 that did not originate from port 1000:

admin@DETECTOR-conf-zone-scannet# flex-filter count tcp and dst port 80 and not src port 1000
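The following Python model, added here as an illustration and not part of the Detector software or this guide, evaluates the three Flex filter expressions above against constructed IPv4/TCP packets, so you can see which header bytes ip[6:2], tcp[13], and the port fields actually index. The packet builder and the field names are assumptions for the example; the offsets follow the IPv4 and TCP header layouts.

```python
import struct

# Constructed sample packets (not captured traffic): a 20-byte IPv4 header
# followed by a 20-byte TCP header, packed field by field.
def build_ipv4_tcp(frag_offset=0, more_fragments=False, tcp_flags=0x02,
                   src_port=1000, dst_port=80):
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, tcp_flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr

def ip_field(pkt, offset, size=1):
    """Emulates the accessor ip[offset:size] relative to the IP header."""
    return int.from_bytes(pkt[offset:offset + size], "big")

def tcp_field(pkt, offset, size=1):
    """Emulates tcp[offset:size]; the TCP header starts after IHL*4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")

def is_first_fragment(pkt):
    # flex-filter count ip[6:2]&0x1fff=0 : fragment offset field is zero
    return ip_field(pkt, 6, 2) & 0x1FFF == 0

def is_tcp_rst(pkt):
    # flex-filter count tcp[13] & 4 != 0 : RST bit of the TCP flags byte.
    # tcp[...] only makes sense on fragment zero, hence the fragment check.
    return (ip_field(pkt, 9) == 6 and is_first_fragment(pkt)
            and tcp_field(pkt, 13) & 4 != 0)

def matches_web_not_from_1000(pkt):
    # flex-filter count tcp and dst port 80 and not src port 1000
    return (ip_field(pkt, 9) == 6 and is_first_fragment(pkt)
            and tcp_field(pkt, 2, 2) == 80 and tcp_field(pkt, 0, 2) != 1000)
```

Running the non-first-fragment case through matches_web_not_from_1000 shows why the fragment-zero rule matters: the bytes after the IP header in a later fragment are payload, not a TCP header.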

Viewing the Flex Filter

The Flex filter is part of the zone configuration. To view the Flex filter, use the show command or the show running-config command.

For example:

admin@DETECTOR-conf-zone-scannet# show
.
.
.
FLEX-FILTER: tcp and dst port 80 and not src port 1000
FLEX-FILTER ACTION: count
FLEX-FILTER COUNTER: 200
.
.
.

The Flex filter counter displays the number of packets that were handled by the filter.

Configuring Bypass Filters

The Bypass filter is used to prevent the Detector from handling specific traffic flows. You can configure the Bypass filter to direct trusted traffic away from the Detector's detection mechanisms, thus dropping the traffic directly.

To configure a Bypass filter, enter the following:

bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]

Table 6-5 provides the arguments and keywords for the bypass-filter command.

Table 6-5 Arguments for the bypass-filter Command 

Parameter
Description
row-num

Assign a unique number from 1 to 9999. The row-number identifies the filter and defines priority among the Bypass filters. The Detector module operates the filters according to ascending row-number order.

Flow arguments and keywords

See Table 6-1 for further details on src-ip, ip-mask, protocol, dest-port and fragments-type.



Note You cannot specify both fragments-type and a destination port. To set the fragments-type, enter * for the destination port.
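The following Python model, added here as an illustration and not part of the Detector software or this guide, shows how a set of bypass-filter rows is evaluated in ascending row-num order with the flow arguments of Table 6-1, and rejects the combination of fragments-type with a destination port that the note above disallows. The rows and the matching helper are constructed for the example; the wildcard and default-mask semantics follow Table 6-1.

```python
import ipaddress

# Constructed rows in the shape of
# "bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]".
# Protocol numbers are given as strings, as they would be typed on the CLI.
BYPASS_FILTERS = [
    (20, "10.0.0.0", "255.255.255.0", "17", "53", "no-fragments"),
    (10, "192.0.2.7", "255.255.255.255", "6", "*", "any-fragments"),
    (30, "*", "255.255.255.255", "*", "*", "fragments"),
]

def validate_row(row):
    """Enforces the row-num range and the fragments-type/dest-port restriction."""
    row_num, _src, _mask, _proto, dest_port, frag = row
    if not 1 <= row_num <= 9999:
        raise ValueError(f"row-num {row_num} outside 1..9999")
    if frag != "no-fragments" and dest_port != "*":
        raise ValueError(f"row {row_num}: enter * for dest-port to set fragments-type")
    return True

def row_matches(row, src_ip, protocol, dest_port, fragmented):
    """Applies one row's flow arguments to a packet description."""
    _num, f_src, f_mask, f_proto, f_port, f_frag = row
    if f_src != "*":
        net = ipaddress.ip_network(f"{f_src}/{f_mask}", strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if f_proto != "*" and int(f_proto) != protocol:
        return False
    if f_port != "*" and int(f_port) != dest_port:
        return False
    if f_frag == "no-fragments" and fragmented:
        return False
    if f_frag == "fragments" and not fragmented:
        return False
    return True

def first_matching_row(filters, src_ip, protocol, dest_port, fragmented=False):
    """Evaluates rows in ascending row-num order; returns the row-num or None."""
    for row in sorted(filters, key=lambda r: r[0]):
        validate_row(row)
        if row_matches(row, src_ip, protocol, dest_port, fragmented):
            return row[0]
    return None
```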


Viewing the Bypass Filters

To view the Bypass filters, enter the following:

show bypass-filters

Table 6-6 describes the fields in the show bypass-filters command output.

Table 6-6 Field Descriptions for the show bypass-filters Command 

Field
Description
Row

Specifies the Bypass filter priority

Filter flow

See Table 6-2 for further details on Source IP, Source Mask, Proto, DPort, and Frg.

RxRate (pps)

Specifies the current traffic rate, measured for this filter, in packets per second (pps).


Deleting Bypass Filters

To delete a Bypass filter perform the following steps:


Step 1 View the list of Bypass filters and identify the row number of the Bypass filter you want to delete. See the previous section, "Viewing the Bypass Filters," for further details.

Step 2 Delete the filter. Enter the following:

no bypass-filter row-num

The argument row-num specifies the Bypass filter's row number. Enter * to delete all Bypass filters.


For example:

admin@DETECTOR-conf-zone-scannet# no bypass-filter 10

Configuring Dynamic Filters

The Detector module analyses the diverted zone traffic in search of traffic anomalies. It identifies an anomaly when the flow violates the policy threshold. When it detects a policy threshold violation, the Detector module analyses the results and creates a set of filters that continuously adapt to the zone traffic and type of DDoS attack. This filter set consists of the Dynamic filters.

These filters produce a notification record in the Detector module syslog or activate remote Guards to protect the zone.

You can access the Dynamic filters and configure them to suit your own needs.

Viewing Dynamic Filters

Use the show dynamic-filters command to view the Dynamic filters the Detector module produced. This command provides the following options:

show dynamic-filters [details]—Displays a list of all Dynamic filters

show dynamic-filters dynamic-filter-id [details]—Displays a single Dynamic filter

show dynamic-filters sort {action | exp-time | id}—Displays a sorted list of all Dynamic filters


Note To view the pending filters, use the show recommendations command. See "Interactive Recommendations Mode" for further details.


Table 6-7 provides the arguments for the show dynamic-filters command.

Table 6-7 Arguments and Keywords for the show dynamic-filters Command 

Parameters
Description
dynamic-filter-id

The identification number (ID) of the specific Dynamic filter to display. This integer is assigned by the Detector module. To identify the filter ID, display the complete list of Dynamic filters.

details

Display the Dynamic filter in detail. The details consist of additional information on the attack flow, the triggering rate and the policy that produced it.

action

Display the Dynamic filters by their action.

exp-time

Display the Dynamic filters by their expiration time in ascending order.

id

Display the Dynamic filters by ascending ID number.



Note The Detector module displays a maximum of 1000 Dynamic filters. When more than 1000 Dynamic filters are active, examine the log file or the zone reports for the complete list of Dynamic filters.


For example:

admin@DETECTOR-conf-zone-scannet# show dynamic-filters 876 details

Table 6-8 describes the fields in the show dynamic-filters command output.

Table 6-8 Field Descriptions for the show dynamic-filters Command

Field
Description
ID

Specifies the filter identification number.

Action

Specifies the action the filter performs on the traffic flow.

Exp Time

Specifies the amount of time the filter will be active. After the time expires, the filter is deleted.

Filter flow

See Table 6-2 for further details on Source IP, Source Mask, Proto, DPort, and Frg.

RxRate (pps)

Specifies the current traffic rate, measured for this filter, in packets per second (pps).


Table 6-9 describes the fields in the show dynamic-filters details command output.

Table 6-9 Field Descriptions for show dynamic-filters details Command 

Field
Description
Attack flow

Specifies the attack flow characteristics. See Table 6-2 for further details on the flow fields.

Triggering Rate

Specifies the rate of the attack flow that violated a policy threshold.

Threshold

Specifies the policy threshold that was violated by the attack flow.

Policy

Specifies the policy that produced the specific Dynamic filter. See "Configuring Policy Templates and Policies" for further details.


Deleting a Dynamic Filter

You can delete Dynamic filters. However, this is only effective for a limited period of time since when the Detector module is in detect mode, it continues to configure new Dynamic filters to adapt its detection to the dynamically changing traffic state.

To delete a Dynamic filter perform the following steps:


Step 1 View the list of Dynamic filters and identify the ID of the Dynamic filter you want to delete. See the previous section, "Viewing Dynamic Filters," for further details.

Step 2 Delete the filter. Enter the following:

no dynamic-filter dynamic-filter-id

The argument dynamic-filter-id specifies the Dynamic filter's ID. Enter * to delete all Dynamic filters.


For example:

admin@DETECTOR-conf-zone-scannet# no dynamic-filter 876


Note To prevent unwanted Dynamic filters from being reproduced, deactivate the policy that produces them (see the "Changing the Policy State" section for further details). To find out which policy produced the unwanted Dynamic filters, see the sections about viewing Dynamic filters in this chapter. Alternatively, you can perform one of the following:

Configure a Bypass filter for the desired traffic flow (see the "Configuring Bypass Filters" section for further details).

Increase the Threshold of the policy that produced the undesired Dynamic filter (see the "Configuring the Policy Threshold" section for further details).