-
Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 4.0)
-
Index
-
Preface
-
Introduction
-
Configuring the Detector Module on the Supervisor Engine Module
-
Initializing the Detector Module
-
Configuring the Detector Module
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Interactive Detect Mode
-
Attack Reports
-
Detector Module Diagnostics and Maintenance
-
Glossary
-
Table Of Contents
Configuring Policy Templates and Policies
Configuring Policy Template Parameters
Configuring All Policy Template Parameters Simultaneously
Configuring All Policy Parameters Simultaneously
Configuring the Policy Threshold
Multiplying a Threshold by a Factor
Configuring Specific IP Thresholds
Configuring the Interactive Status
Creating Snapshots and Comparing Policies
Configuring Policy Templates and Policies
This chapter provides an explanation on the Detector module policies and policy structure, and describes how to configure the policy parameters.
This chapter contains the following sections:
•
Creating Snapshots and Comparing Policies
The Detector Module Policies
The policies are the building blocks of the Detector module statistical engine. They are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. Each zone has a set of policies that are tuned to the zone traffic patterns. These policies are the basis to which the Detector module compares zone traffic in order to trace any anomalies that might, in turn, become malicious.
To create policies that are tuned to the zone's particular traffic characteristics, the Detector module learns the zone traffic in a two-phase learning process. It uses pre-defined policy templates. Each policy template is used to create policies that deal with the detection aspects the Detector module requires to detect a specified DDoS threat.
After the policies are created, you can add and delete policies or change policy parameters.
Policy Structure
The Detector module performs statistical analysis on zone traffic flow. Each policy measures a specific traffic flow. The policy defines the characteristics the Detector module uses for the analysis. The policy name is composed of sections. Each section describes a different role that relates to different traffic characteristic. For example, the policy http/80/analysis/syns/src_ip measures traffic flow of HTTP SYN packets, destined to port 80, that were authenticated by the Detector module analysis detection module and aggregated according to source IP addresses.
Figure 7-1 provides an example of a policy name.
Figure 7-1 Policy Name
Table 7-1 details the policy name section.
Table 7-1 Policy Name Sections
Policy template
This section denotes which policy template was used to produce the policy. Each policy template deals with the detection aspects the Detector module requires to detect a specified DDoS threat. See the "Policy Templates" section for further details.
Service
This section denotes which port number or protocol number the detection policy relates to. See the "Services" section for further details.
Detection module
This section denotes the detection module the Detector module uses to process the traffic flow. See the "This section denotes the detection module the Detector module uses to process the traffic flow. This section is informational, you can not configure the detection module." section for further details.
Packet type
This section denotes the packet types the Detector module monitors. See the "Packet Type" section for further details.
Traffic characteristics
This section denotes the traffic characteristics that the Detector module uses to aggregate the policy. See the "Traffic Characteristics" section for further details.
The first four sections of the policy name (policy-template, service, detection-module and packet-type) define what type of traffic is analyzed. The last section of the policy path (traffic-characteristics) defines how to analyze the flow.
Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Detector module will analyze the flow using the policy that is more specific. For example, policies relating to TCP services exclude the HTTP services that are handled by the HTTP-related policies.
You can configure the policy's operational aspects. These define what triggers the policy and the action the policy assumes once such it is activated. See the "Configuring Policies" section for further details.
Creating Policies
The Detector module creates the zone policies in a learning process. The learning process consists of two phases, during which the Detector learns the zone's traffic and adapts itself to the particular characteristics:
1.
•
See the "Learning the Zone Traffic Characteristics" section for further details.
Policy Templates
A Policy Template is a collection of policy constructing guiding rules and the output of each template is a group of policies. The name of the policy template is derived from the characteristics that are common to all the policies it creates. This can be a protocol (such as DNS), an application (such as http) or the objective (such as ip_scan). For example, the policy template tcp_connections produces policies that relate to connection, such as the number of concurrent connections. If you define a zone with the DEFAULT zone template, the Detector module uses these policy templates.
Table 7-2 describes the Detector module policy templates.
Tip
To view a list of all policy templates, enter the command policy-template at the zone prompt and press TAB twice.
Configuring Policy Template Parameters
During the Learning phases, the zone's traffic flows transparently through the Detector. Each active policy template produces a group of policies, according to the Zone's traffic characteristics. The Detector enables you to define the maximum number of policies the Detector produces from a specific policy template. The Detector ranks the services that the policy template relates to by their level of traffic volume. The Detector then picks up the services that have exceeded the defined minimum threshold with the highest traffic volume and creates a policy for each one of them. Some of the policy templates create an additional policy to handle all traffic flows for which a specific policy was not added. These policies are added with a service of any.
You can configure the following policy template parameters:
•
•
•
To configure the policy template parameters, enter the policy template configuration command mode. Enter the following:
policy-template policy-template-name
The argument policy-template-name specifies the name of the desired policy template. See Table 7-2 for further details.
After executing the command, the Detector module enters the policy template configuration mode.
For example:
admin@DETECTOR-conf-zone-scannet# policy-template httpadmin@DETECTOR-conf-zone-scannet-policy_template-http#
Note
Maximum Number of Services
This parameter defines the maximum number of services from which a policy is created for the specified policy template. The Detector ranks the services that the policy template relates to by their level of traffic volume. The Detector picks up the services that have exceeded the defined minimum threshold (as defined by the min-threshold parameter) with the highest traffic volume and creates policies for each one of them. An additional policy to handle all other traffic flows with the characteristics of the policy template may be added with a service of any.
Note
This parameter can be defined only for policy templates that detect services, such as tcp_services. It cannot be configured for policy templates that relate to a specific service, such as dns_tcp that relates to service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments.
Limiting the service number allows you to configure the Detector policies to your preferred traffic flow requirements.
To configure the maximum number of services, enter the following:
max-services max-services
The argument max-services is an integer that defines the maximum number of services.
Note
For example:
admin@DETECTOR-conf-zone-scannet-policy_template-tcp_services# max-services 5Minimum Threshold
This parameter defines the minimum traffic volume threshold for a service. Once the threshold is exceeded, the Detector produces policies that relate to the services' traffic according to the particular traffic flow that violated the threshold.
This parameter cannot be configured for policy templates that are essential for proper zone detection and therefore always produce a policy, such as fragments.
Setting the threshold enables you to better adapt the Detector detection to the traffic volume of the zone services.
To configure the minimum threshold, enter the following:
min-threshold min-threshold
The argument min-threshold is an integer that defines the minimum threshold rate in pps. When measuring the concurrent connection and syn/fin ratio, the threshold is the total number of connections.
For example:
admin@DETECTOR-conf-zone-scannet-policy_template-http# min-threshold 12Policy Template State
This parameter defines the policy template state. The policy template can be enabled or disabled. Disabling a policy template prevents it from producing policies once the Detector undergoes the policy construction phase.
Caution
Use the disable command to disable a policy template.
Use the enable command to enable a policy template.
Configuring All Policy Template Parameters Simultaneously
You can configure all policy template operational parameters with a single command. Enter the following:
policy-template policy-template-name max-services min-threshold {disabled | enabled}
Table 7-4 provides the arguments and keywords for the policy-template command.
Table 7-4 Arguments and Keywords for the policy-template Command
policy-template-name
The policy template name. See Table 7-1 for further details.
max-services
The maximum number of policies the Detector produces from a specified policy template. See the "Maximum Number of Services" section for further details.
min-threshold
The minimum threshold that must be exceeded for the Detector module to rank the service. See the "Minimum Threshold" section for further details.
disabled
Disable the policy template from producing policies. See the "Policy Template State" section for further details.
enabled
Enable the policy template. See the "Policy Template State" section for further details.
Note
This example shows how to set the parameters of the policy template tcp_services. The maximum number of services is set to 3. The minimum threshold is unchanged (-1) and the policy state is set to enabled.
admin@DETECTOR-conf-zone-scannet# policy-template tcp_services 3 -1 enabledThe Policy Sections
The policy path consists of the following sections:
Services
This section denotes which zone application port or protocol the policy relates to. Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Detector module will analyze the flow using the policy that is more specific. The service any relates to all traffic that does not specifically match other services created from the same policy template.
Caution
Adding a Service
You can add services to a policy template, in addition to the services that were discovered in the policy construction phase, and create more specific policies. The new service is added to all policies that were created from the specified policy template. The new service is defined with default values. You can define the threshold manually. However, we recommend that you run the threshold tuning phase (see the "Tuning Thresholds" section for further details) to tune the policies to the zone's traffic.
You can add a new service to the following policy templates:
•
•
•
•
Note
To add a service, enter the following at the policy template prompt:
add-service service-num
OR
Enter the following at the zone prompt:
policy-template policy-template-name add-service service-num
Table 7-5 provides the arguments for the policy-template command.
Table 7-5 Arguments for the policy-template Command
The policy template name. See Table 7-2 for further details.
service-num
The protocol or port number.
For example:
admin@DETECTOR-conf-zone-scannet-policy_template-tcp_services# add-service 25
Deleting a Service
You can delete a specific service relating to a policy template.
To delete a service from a policy, enter the following at the policy template prompt:
remove-service service-num
OR
Enter the following at the zone prompt:
policy-template policy-template-name remove-service service-num
See Table 7-5 for information on the arguments for the policy-template command.
Note
For example:
admin@DETECTOR-conf-zone-scannet-policy_template-tcp_services# remove-service 25
Detection Module
This section denotes the detection module the Detector module uses to process the traffic flow. This section is informational, you can not configure the detection module.
The Analysis detection module lets the traffic flow without intervention.
Packet Type
This section describes the packet characteristic that the Detector module monitors. The packet characteristics can be one of the following:
•
•
•
Table 7-6 describes the packet types the Detector module monitors.
Traffic Characteristics
This section describes the traffic characteristics that was used to aggregate the policies. The first four sections of the policy name (policy-template, service, detection-module and packet-type) define what type of traffic is analyzed. Traffic characteristics define how to analyze the flow. There can, therefore, be different policies that analyze the same traffic flow but measure the rate according to different characteristics.
Table 7-7 describes the traffic characteristics the Detector module monitors.
Configuring Policies
After completing the learning processes, you can view specific policy parameters. Displaying these parameters helps you decide whether the policy parameters suit the zone's traffic. You can configure a single policy or a group of policies. If necessary, you can configure the policy parameters to adapt the policy to the zone's traffic requirements.
To display the configuration of the policy parameters, use the show command at the policy path prompt.
You can configure a specific policy or group of policies.
To enter the policy configuration mode, enter the following at the zone prompt:
policy policy-path
The argument policy-path specifies the policy path section. See the "Policy Structure" section for further details.
Note
For example:
admin@DETECTOR-conf-zone-scannet# policy dns_tcp/*/analysis/syns/global admin@DETECTOR-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns/ global#You can configure the following parameters:
•
•
•
•
•
The policy action, timeout and threshold may be changed at every section of the policy path. However, more policies are affected when these parameters are changed at the higher-level policy sections (such as policy template or service sections). Configuring these parameters at a high-level policy path hierarchy will change these parameters in all the sub-policy paths.
Tip
For example, the policy: tcp_services//analysis//global.
Configuring All Policy Parameters Simultaneously
You can configure all policy parameters with a single command. Enter the following at the zone prompt:
policy policy-path threshold action timeout state
Table 7-8 provides the arguments for the policy command.
Table 7-8 Arguments for the policy Command
is the policy path section. See "Policy Structure" for further details.
The threshold that must be exceeded for the Detector module to take action. See the "Configuring the Policy Threshold" section for further details.
The action a policy assumes as a result of traffic violation. See the "Configuring the Action" section for further details.
The minimum time span the policy action is valid. See the "Configuring the Timeout" section for further details.
The policy state. See the "Changing the Policy State" section for further details.
Note
This example sets the parameters of the policy dns_tcp/53/analysis/pkts/dst_ip. The threshold is set to 300, the policy timeout is set to 360 seconds, the policy action is set to remote-activate, and the policy state is set to active.
admin@DETECTOR-conf-zone-scannet# policy dns_tcp/53/analysis/pkts/dst_ip 300 remote-activate 360 activeChanging the Policy State
The Detector module policies have three possible states:
•
•
•
Caution
To change the policy state, enter the following for the relevant policy section:
state {active | disabled | inactive}
Caution
If you run the policy-construction phase after disabling a policy, the policies are reconfigured according to the traffic flow. This could result in the policy being reactivated.
For example:
admin@DETECTOR-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns# state disabled
Configuring the Policy Threshold
This parameter defines the threshold traffic rate for a specific policy. Once violated, the policy takes an action. It is adjusted by the learning threshold-tuning phase. The threshold is measured in packets per second (pps) except for the following policies:
•
•
To configure the policy threshold, enter the following:
threshold threshold
The argument threshold specifies the policy threshold.
For example:
admin@DETECTOR-conf-zone-scannet-policy-/dns_tcp/*/analysis/syns/global# threshold 300
Multiplying a Threshold by a Factor
You can multiply the threshold of a policy or a group of policies by a factor. This way you can increase or decrease the threshold of a policy or a group of policies if the traffic volume does not represent the zone traffic.
To multiply the threshold by a factor, enter the following:
policy policy-path thresh-mult threshold-multiply-factor
Table 7-9 provides the arguments for the policy thresh-mult command.
Table 7-9 Arguments for the policy thresh-mult Command
The policy template name. See Table 7-2 for further details.
A real number to multiply the threshold by.
For example:
admin@DETECTOR-conf-zone-scannet# policy */*/*/*/src_ip thresh-mult 0.5Configuring Specific IP Thresholds
In cases of known high-volume traffic from an IP source, you can configure a threshold to apply to the specific IP source address.
In cases of a non-homogenous zone (that is, a zone that has more than a single IP address defined) where there is known high-volume traffic only to part of the zone, you can configure a threshold to apply to the specific IP destination address.
You can configure a specific IP threshold only for policies with traffic characteristics od destination IP (dest_ip).
To configure a specific IP threshold, enter the following:
policy policy-path threshold-list ip threshold [ip threshold ...]
Table 7-10 provides the arguments for the policy threshold-list command.
Table 7-10 Arguments for the policy threshold-list Command
The policy template name. See Table 7-2 for further details.
The specific IP address.
The threshold traffic rate in pps except for policies measuring concurrent connections and SYN-by-FIN ratio where the threshold is the number of connections.
You can add up to five specific IP thresholds for each policy. You can enter all specific IP thresholds in a single command.
The following example shows how to set specific IP thresholds for IP addresses 10.10.10.2 and 10.10.15.2 for the policy http/80/analysis/syns/src_ip.
admin@DETECTOR-conf-zone-scannet-policy-/http/80/analysis/syns/src_ip# threshold-list 10.10.10.2 500 10.10.15.2 500Configuring the Timeout
This parameter defines the minimum time span that the policy action is valid. To configure the timeout, enter the following:
timeout {forever | timeout}
Table 7-11 provides the arguments for the timeout command.
You can change the timeout of a group of policies simultaneously. Use the policy set-timeout command at the relevant zone prompt.
Configuring the Action
This parameter defines the type of action the policy takes once its threshold is violated. To configure the policy action, enter the following:
action policy-action
Table 7-12 describes the policy actions.
Table 7-12 Policy Actions
notify
The policy notifies you of the threshold violation
remote-activate
Remote Guards are activated as a result of threshold violation. The remote Guards are defined in the remote-guard list. See the "Configuring the Zone Remote Guard List" section and the "Activating Remote Guards" section for further details.
Use the policy set-action command at the relevant zone prompt to change the action of a group of policies simultaneously.
The following example shows how to set the action of all policies that relate to dns_tcp.
admin@DETECTOR-conf-zone-scannet# policy dns_tcp/ set-action remote-activateset action of dns_tcp/ to remote-activate:4 policy actions set.Configuring the Interactive Status
This parameter defines the interactive status the pending Dynamic filters, created by the policy, assume. The interactive status is applicable only for zones in interactive mode during detection. See "Interactive Recommendations Mode" for further details.
To configure the interactive-status, enter the following:
interactive-status {always-ignore | always-accept | interactive}
Table 7-13 provides the keywords for the interactive-status command.
If you have set the interactive status of a recommendation of a currently protected zone to always-accept or always-ignore, use the interactive-status command to modify the status of the policy's pending Dynamic filters. For example, if you have defined the status of a recommendation to always-accept, the recommendation and the recommendation's pending Dynamic filters are longer displayed. To choose to ignore the recommendations or pending Dynamic filters the recommendation produces, change the policy interactive status to interactive or always-accept.
For example:
admin@DETECTOR-conf-zone-scannet-policy-/dns_tcp/53/analysis/pkts/src_ ip# interactive-status always-acceptCreating Snapshots and Comparing Policies
You can save a snapshot of the learning parameters (services, thresholds and other policy related data) at any stage during the learning phases, and review it later. The Detector module saves this data as a new zone. You can compare the snapshot to the zone or to another snapshot to verify the outcome of the learning process and trace differences in policies, services, and thresholds.
The Detector module continues its learning phases while the snapshot is taken.
Tip
To compare policies and view the outcome of the learning process, perform the following steps:
Step 1
Note
Enter the following:
snapshot zone-name new-zone-nameTable 7-14 provides the arguments for the snapshot command.
The Snapshot creates a new zone. After you have verified the snapshot parameters, or compared two snapshots, you can delete the snapshot. Alternatively, you can decide to keep the snapshot and delete the original zone.
Step 2
diff zone-name zone-name [percent]Table 7-15 provides the arguments for the diff command.
For example:
admin@DETECTOR# snapshot scannet scannet-8amCopying Policies
You can copy policy configuration, or partial configuration, from a source zone to the current zone. This way you can configure the zone policies without having to apply the learning phases.
Caution
To copy a service from a source zone, enter the following:
copy-services src-zone-name [service-path]
Table 7-16 provides the arguments and keywords for the copy-services command.
The default is to copy all policies.
The following example shows how to copy all policies that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet.
admin@DETECTOR-conf-zone-scannet# copy-services webnet tcp_connections/Monitoring Policies
You can monitor the policies to see how well they are suited to the zone traffic volume and services.
You can perform the following:
Viewing Policies
You can display the zone's policies. Display the zone's policies to verify that they are adapted to the zone's traffic characteristics. You can configure only policies from the list.
To view the zone's policies, enter the following:
show policies
Note
Table 7-17 provides a description of the fields in the show policies command output.
Table 7-17 Field Descriptions of the show policies Command Output
Policy
The policy name. See the "Policy Structure" section for further details.
State
The policy state. See the "Changing the Policy State" section for further details.
IStatus
The policy interactive status. See the "Configuring the Interactive Status" section for further details.
Threshold
The policy threshold that once violated, causes the Detector module to take action. See the "Configuring the Policy Threshold" section for further details.
List
The number of specific IP thresholds defined for the policy. See the "Configuring Specific IP Thresholds" section for further details.
Action
The action the policy takes once the threshold is violated. See the "Configuring the Action" section for further details.
Timeout
The minimum time span the policy action is valid. See the "Configuring the Timeout" section for further details.
To display the details of a specific policy, use the show policies details command.
Viewing Policy Statistics
You can view the rate of the traffic flowing through a policy or a group of policies. You can determine whether the type of services and volume represent the zone traffic. The Detector module displays the traffic flows forwarded to the zone, with the highest rates as measured by the policies.
Note
To display the policy statistics, enter the following:
show policies statistics [policy-path] [num-entries]
Table 7-18 provides the arguments for the show policies statistics command output.
Table 7-18 Arguments for the show policies statistics Command
Defines a group of policies. See the "Policy Structure" section for further details.
The number of entries to display. The Detector module displays the policies with the highest values.
The Detector module displays the information in three tables. The information in each table is sorted by value, with the highest values appearing at the top.
Table 7-19 displays the fields in the tables in the show policies statistics command output.
Table 7-19 Field Descriptions of the show policies statistics Command Output Tables
Key
The traffic characteristic that was used to aggregate the policies. For example, in the policy tcp_services/any/analysis/syns/dst_ip, the key is the destination IP address. If the traffic characteristic that was used to aggregate the policies is global, the key displays N/A. See Table 7-6 for further details.
Policy
The policy name. See the "Policy Structure" section for further details.
Rate
Policies that measure traffic rate. The Detector module displays the rate of the traffic, flowing through the policy, measured in packets per second (pps). The rate is calculated based on traffic samples.
Connection
Policies that measure the number of connections or source IP addresses. This information is available for policies tcp_connections and for the following packets types:
•
•
Ratio
Policies that measure the ratio between flagged packets. The Detector module displays the ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.
Note
