Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 4.0)
Configuring Zones

Table Of Contents

Configuring Zones

Overview

Basic Zone Configuration

Creating a Zone

Duplicating a Zone

Learning the Zone Traffic Characteristics

Constructing Policies

Terminating the Policy Construction Phase

Tuning Thresholds

Terminating the Threshold Tuning Phase

Configuring the Zone Remote Guard List

Interactive Recommendations Mode

Detecting Zone Traffic Anomalies

Configuring Guard-Protection Activation Forms

Analyzing the Zone Traffic

Viewing Zone Counters

Viewing the Zone Status


Configuring Zones


This chapter describes how to create and manage zones. These procedures are required to set the Detector module to protect the zone.

This chapter contains the following major sections:

Overview

Basic Zone Configuration

Learning the Zone Traffic Characteristics

Configuring the Zone Remote Guard List

Interactive Recommendations Mode

Detecting Zone Traffic Anomalies

Analyzing the Zone Traffic

Overview

The zone configuration process consists of the following steps:


Step 1 Basic zone configuration—The basic configuration includes creating a zone and configuring the zone's name and description, the zone's network address and operation definitions, and basic networking characteristics such as the zone's bandwidth. See the "Basic Zone Configuration" section for further details.

Step 2 Learning the zone traffic and adjusting policies—Create protection policies. The policies are the mechanisms that measure a particular traffic flow and take action against the flow as a result of threshold violation. The Detector module creates the protection policies using templates, in a two-phase process of learning the zone traffic. The action a policy takes can range from merely notifying to activating a remote Guard to protect the zone against the DDoS attack. See the "Learning the Zone Traffic Characteristics" section for further details.

Step 3 Configuring the Detector filters - The zone filters direct the zone traffic that the Detector receives to the required analysis modules. You can set the filter configuration of each zone and so customize how traffic is directed to the anti-DDoS detection mechanisms. See "Configuring Zone Filters," for further details.


Basic Zone Configuration

When creating a new zone, you can create a zone based on system-defined templates or use an existing zone as a template. The template defines the zone initial configuration.

To create a new zone and configure its basic characteristics, perform the following steps:


Step 1 Create a new zone based on system-defined templates. See the "Creating a Zone" section.

OR

Create a zone based on an existing zone. See the "Duplicating a Zone" section.


Note To change the configuration of an existing zone, enter the zone configuration mode by using the zone zone-name command.


Step 2 Define the zone's IP address. You must define this to enable the Detector module to perform traffic learning and detection.

The first IP address of a zone must be defined while the zone is not in detect mode. A subnet or additional IP addresses can be added while the zone is in detect mode.

To add further IP addresses, enter this command once per entry. You can add up to 100 IP entries (specific IP addresses or subnets) to each zone.

Enter the following:

ip address ip-addr [ip-mask] 

Table 5-1 provides the arguments for the ip address command.

Table 5-1 Arguments for the ip address Command

    ip-addr
        The zone IP address. The zone can also be a subnet.

    ip-mask
        (Optional) The IP mask. The default subnet mask is 255.255.255.255.


Step 3 (Optional) Add a description to the zone for identification purposes. Enter the following:

description string

The string length is limited to a maximum of 80 characters.

To modify a zone's description re-enter the zone description. The new description overrides the former.


For example:

admin@DETECTOR-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252
admin@DETECTOR-conf-zone-scannet# description This zone is used for demonstration purposes


Note To display the configuration file of the newly configured zone, use the show running-config command at the zone prompt.


Creating a Zone

To create a zone based on system-defined templates, enter the following:

zone new-zone-name [template] [interactive]

After executing the command, the Detector module enters the configuration mode of the new zone. If you enter the name of an existing zone, the Detector module enters the specific zone configuration mode.

Table 5-2 provides the arguments and keywords for the zone command.

Table 5-2 Arguments and Keywords for the zone Command

    new-zone-name
        The name of a new zone. The name is an alphanumeric string up to 63 characters. The string must start with a letter, can contain underscores but cannot contain any spaces.

    template
        (Optional) A template that defines the zone configuration. The default is to create the zone using the Detector module DEFAULT zone template. See Table 5-3 for further details.

    interactive
        (Optional) Sets the operation mode of the new zone to interactive. In this mode, the dynamic filters that the policies produce appear as recommendations, and you decide whether or not to activate each one. See "Interactive Recommendations Mode," for further details.


Table 5-3 displays the Detector module zone templates.

Table 5-3 Detector Module Zone Templates

    DEFAULT
        The Detector module default zone template.

    LINK_128K, LINK_512K, LINK_1M, LINK_4M (bandwidth-limited link templates)
        Templates designed for detection on large subnets segmented into zones with known bandwidth, for 128K, 512K, 1M and 4M links respectively. You can initiate detection on zones defined by these templates without undergoing the learning process. It is recommended to define such a zone with a protect-ip state of only-dest-ip (see the "Configuring Guard-Protection Activation Forms" section for further details).

        Note You cannot perform learning policy-construction for these templates.



Note To display the zone templates, use the show templates command. To display the template default policies, use the show templates template-name policies command.


For example:

admin@DETECTOR-conf# zone scannet interactive 
admin@DETECTOR-conf-zone-scannet#

Duplicating a Zone

You can create a new zone based on an existing one.

To duplicate a zone, perform one of the following:

Enter the following at the Configuration prompt:

zone new-zone-name copy-from base-zone-name

The argument base-zone-name specifies the name of the zone that is used as a template for the new zone.

For example:

admin@DETECTOR-conf# zone scanserver copy-from scannet 
admin@DETECTOR-conf-zone-scanserver#

OR

Enter the following at the relevant zone prompt:

zone new-zone-name copy-from-this

The configuration of the new zone is copied from the configuration of the current zone.

For example:

admin@DETECTOR-conf-zone-scannet# zone mailserver copy-from-this 
admin@DETECTOR-conf-zone-mailserver#

The argument new-zone-name specifies the name of the new zone. The zone name is an alphanumeric string up to 63 characters. The string must start with a letter, can contain underscores but cannot contain any spaces.

After executing the command, the Detector module enters the configuration mode of the new zone.

Learning the Zone Traffic Characteristics

During the Learning phases, the Detector learns the zone's traffic characteristics. The results are translated into detection policies. These instruct the Detector detection system how to regard the zone traffic flows.


Note For the learning phases to take place, you must configure port mirroring on the switch, or connect the Detector to a router using an optical splitter.


The Policy Templates are the Detector's tools for constructing the policies. They define the types of zone policies to create according to the traffic characteristics, and the Maximum Services and Minimum Threshold of each service policy according to the guiding parameters you provide (see "Configuring Policy Templates and Policies," for further details).

The learning process consists of two phases, during which the Detector learns the zone's traffic and adapts itself to the particular characteristics:

1. Constructing Policies—In this phase, the Detector creates the zone policies using the Policy Templates. The traffic flows transparently through the Detector enabling it to discover the main services the zone uses.

2. Tuning Thresholds—In this phase, the Detector tunes the policies to fit the zone services traffic rates. The traffic flows transparently through the Detector, enabling it to tune the thresholds for the services it discovered while constructing the zone policies.

The Detector learns the zone's traffic characteristics to acquire a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious.

Once the policies are created, you can add and delete policies, or change policy parameters such as thresholds, services, time-outs and actions.

Constructing Policies

In this phase, the Detector creates the zone policies using the Policy Templates. The traffic flows transparently through the Detector enabling it to discover the main services the zone uses. You can configure the policy construction guiding rules. See "Configuring Policy Templates and Policies." for further details.


Note Policy Construction cannot be performed for zones based on the bandwidth-limited link templates: LINK_128K, LINK_1M, LINK_4M and LINK_512K.


To construct the zone policies, perform the following steps:


Step 1 Enter the following:

learning policy-construction


Tip Check that the Detector receives a copy of the zone traffic. Wait at least ten seconds after initiating the policy construction phase and issue the show rates command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates that the Detector is not receiving a copy of the zone traffic; check the configuration of the traffic sources used for capturing traffic. See the "Configuring Traffic Sources for Capturing Traffic" section for further details.


Step 2 After a sufficient period of time, terminate the policy construction phase and decide how to handle the newly constructed policies.


Note We recommend letting the Policy Construction phase continue for at least two hours before proceeding to the next phase.


See the next section, "Terminating the Policy Construction Phase" for further details.


For example:

admin@DETECTOR-conf-zone-scannet# learning policy-construction

Timesaver You can issue policy learning commands for several zones at the same time. Issue the command at the Global prompt and use an asterisk (*) as a wildcard. For example, to initiate policy construction for all zones, enter learning policy-construction * at the Global prompt. To accept the results of the policy construction phase for all Detector module zones with names that begin with scan (such as scannet, scanserver and so on), type no learning scan* accept at the Global prompt.


Terminating the Policy Construction Phase

There are three ways to terminate the policy construction phase:

Accept the suggested policies—To accept the Detector's suggested policies, enter the following at the relevant zone prompt:

no learning accept

The Detector erases previously learned policies and thresholds.

After accepting the newly constructed policies, you can manually add or remove policies or change the policy parameters. See "Configuring Policy Templates and Policies." for further details.

Reject the suggested policies—To reject the Detector's suggested policies, type the following at the relevant zone prompt:

no learning reject

In this case, the Detector stops the process and erases all its learned data. As a result, the Detector reverts back to its default settings (in the case of a new zone) or to the zone traffic configurations prior to the learning phase.

View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.

For example:

admin@DETECTOR-conf-zone-scannet# no learning accept

Tuning Thresholds

In this stage, the Detector further analyses the zone traffic and defines thresholds for the policies constructed during the previous phase. The Detector sets default values for the policy operational parameters (Timeout and Action). See "Configuring Policy Templates and Policies," for information on how to configure the values of the operational parameters.

To tune the policy thresholds, perform the following steps:


Step 1 Enter the following at the relevant zone prompt:

learning threshold-tuning

Step 2 After a sufficient period of time, terminate the threshold-tuning phase and decide how to handle the newly constructed policies.


Note We recommend that you run the threshold-tuning phase during peak traffic time (the busiest day) for a minimum of 24 hours.


See the next section, "Terminating the Threshold Tuning Phase" for further details.


For example:

admin@DETECTOR-conf-zone-scannet# learning threshold-tuning


Timesaver You can issue learning commands for several zones at the same time. Issue the command at the Global prompt and use an asterisk (*) as a wildcard. For example, to initiate threshold tuning for all zones, enter learning threshold-tuning * at the Global prompt. To accept the results of the threshold-tuning phase for all Detector module zones with names that begin with scan (such as scannet, scanserver and so on), enter no learning scan* accept at the Global prompt.


Use the show policies statistics command to view the learning results.

See the "Viewing Policies" section for further details.

Terminating the Threshold Tuning Phase

There are three ways to terminate the threshold-tuning phase:

Accept the suggested policies—To accept the Detector's suggested policies, type the following at the relevant zone prompt:

no learning accept

The Detector erases previously learned thresholds.

After accepting the newly constructed policies, you can manually change the policy parameters. See "Configuring Policy Templates and Policies." for further details.

Reject the suggested policies—To reject the Detector's suggested thresholds, type the following at the relevant zone prompt:

no learning reject

In this case, the Detector stops the threshold-tuning phase and keeps the results of the policy-construction phase together with the previous thresholds. The newly constructed policies therefore retain thresholds that were set for on-demand protection or learned from past traffic, rather than the values tuned in this phase.

View the suggested policies—You can view the outcome of the learning process before making a decision. See the "Creating Snapshots and Comparing Policies" section for further details.

For example:

admin@DETECTOR-conf-zone-scannet# no learning accept
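The following Python model, added here as an example and not part of the Cisco guide or the Detector software, walks the procedure of this chapter end to end: zone naming (Table 5-2), the ip address rules from the "Basic Zone Configuration" section, the two learning phases with accept and reject, the restriction on bandwidth-limited templates (Table 5-3), and the wildcard form of the learning commands from the Timesaver notes. The class and function names, and the representation of learned policies as a service-to-threshold mapping, are assumptions for illustration; the Detector's real policy data is richer than this.

```python
"""Added example (not Cisco's code): a model of the zone lifecycle described in
this chapter. It enforces the ordering rules the text states so a change plan can
be checked before it is typed into the Detector CLI. Representing learned
policies as a service -> threshold mapping is an assumption."""
import fnmatch
import ipaddress
import re

# Zone name rule (Table 5-2): starts with a letter, alphanumerics or underscores, up to 63 chars.
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")
# Bandwidth-limited templates (Table 5-3) cannot run policy construction.
LINK_TEMPLATES = {"LINK_128K", "LINK_512K", "LINK_1M", "LINK_4M"}
MAX_IP_ENTRIES = 100
PHASES = ("policy-construction", "threshold-tuning")


class ZoneError(Exception):
    pass


class Zone:
    def __init__(self, name, template="DEFAULT", interactive=False):
        if not ZONE_NAME_RE.match(name):
            raise ZoneError(f"invalid zone name {name!r}")
        self.name, self.template, self.interactive = name, template, interactive
        self.ips = []            # IPv4Network entries added with "ip address"
        self.detecting = False   # True after "detect"
        self.phase = None        # None, or one of PHASES while learning
        self.policies = {}       # accepted policies: service -> threshold
        self._pending = None     # result of the learning phase still running

    def ip_address(self, addr, mask="255.255.255.255"):
        # The first entry must be set outside detect mode; further entries
        # (addresses or subnets) may be added while detecting, up to 100 per zone.
        if self.detecting and not self.ips:
            raise ZoneError("initial zone IP address must be set while not in detect mode")
        if len(self.ips) >= MAX_IP_ENTRIES:
            raise ZoneError(f"zone {self.name} already has {MAX_IP_ENTRIES} IP entries")
        net = ipaddress.IPv4Network((addr, mask), strict=False)  # host bits allowed
        self.ips.append(net)
        return net

    def learning(self, phase, observed):
        # "observed" stands in for what the Detector would learn from the mirrored traffic.
        if phase not in PHASES:
            raise ZoneError(f"unknown learning phase {phase!r}")
        if phase == "policy-construction" and self.template in LINK_TEMPLATES:
            raise ZoneError(f"{self.template}: policy construction is not available")
        self.phase, self._pending = phase, dict(observed)

    def no_learning(self, decision):
        if self.phase is None:
            raise ZoneError(f"zone {self.name} is not learning")
        if decision == "accept":
            if self.phase == "policy-construction":
                self.policies = dict(self._pending)      # earlier policies and thresholds are erased
            else:
                # Tuning only sets thresholds for services found during construction.
                for service, threshold in self._pending.items():
                    if service in self.policies:
                        self.policies[service] = threshold
        elif decision != "reject":                        # reject keeps the pre-phase state
            raise ZoneError(f"unknown decision {decision!r}")
        self.phase, self._pending = None, None
        return dict(self.policies)

    def detect(self):
        if not self.ips:
            raise ZoneError("define the zone IP address before detect")
        self.detecting = True


def learning_for(zones, pattern, phase, observed):
    """Global-prompt form 'learning <phase> <pattern>' with * as the wildcard."""
    names = sorted(n for n in zones if fnmatch.fnmatchcase(n, pattern))
    for n in names:
        zones[n].learning(phase, observed)
    return names


def demo():
    """Runs the chapter's procedure for zone scannet and returns the final policies."""
    z = Zone("scannet", interactive=True)
    z.ip_address("192.168.100.34", "255.255.255.252")        # stored as 192.168.100.32/30
    # Constructed values standing in for learned services; not real Detector output.
    z.learning("policy-construction", {"http": 100, "dns": 50})
    z.no_learning("accept")
    z.learning("threshold-tuning", {"http": 2400, "smtp": 10})  # smtp was never constructed
    z.no_learning("accept")
    z.detect()
    z.ip_address("192.168.100.40")                             # allowed while detecting
    return z.policies
```

The model makes two of the chapter's points visible in code: accepting a policy-construction phase replaces everything learned before, whereas accepting a threshold-tuning phase only touches the services that construction found, so a service seen for the first time during tuning (smtp above) does not gain a policy.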

Configuring the Zone Remote Guard List

When the Detector detects a zone traffic abnormality it logs the event (an action known as notify) or activates remote Guards that initialize actions to protect the zone.

You can configure the following lists of remote Guards:

Zone-specific remote Guard list—A list of remote Guards that are activated to protect the zone.

Detector default list—The default list of remote Guards. The Detector activates these Guards only if the zone-specific remote Guard list is empty. See the "Configuring the Default Remote Guard List" section for further details.

To enable activation of remote Guards, perform the following:

1. Configure the remote Guard lists

2. Configure the Guard activation connection (see the "Configuring Remote Guard Activation Connection" section for further details)

Verify that at least one remote Guard is defined in either the default remote Guard list or the zone-specific remote Guard list (see the "Configuring the Zone Remote Guard List" section). If no remote Guard is defined in either list, the Detector has nothing to activate and only records the event in its log file.


Caution If you change the remote Guard lists you must either regenerate the Detector public SSH key or manually add the existing key to the remote Guards. See the "Managing SSH Keys" section for further details.

To add a Guard to the zone-specific remote Guard list, enter the following:

remote-guard remote-guard-address [description]

Table 5-4 provides the arguments and keywords for the remote-guard command.

Table 5-4 Arguments and Keywords for the remote-guard Command

    remote-guard-address
        The remote Guard IP address.

    description
        (Optional) The remote Guard description. The description can have a maximum of 63 characters.


For example:

admin@DETECTOR-conf-zone-scannet# remote-guard 192.168.100.33


Note To view the zone remote Guard list, use the show zone command.


Interactive Recommendations Mode

The Interactive Recommendations mode enables you to decide whether or not to activate the filters that the policies produce. The Detector acts according to your decision to accept, ignore, or set a time for each filter's activation. This way, the Detector lets you decide on the production of detection measures in real time and gives you more control over the activation of protective measures as a DDoS attack progresses. See "Interactive Recommendations Mode" for further details.

The recommendations are a summary of the pending dynamic filters according to the policies that produced them. The information includes the policy name that recommended it, data on the traffic anomaly that resulted in policy activation, the number of pending filters and the recommended action.

The interactive recommendations mode is an attribute of the zone.

You can create a zone with the interactive recommendations mode activated. Enter the following:

zone new-zone-name interactive

See the "Creating a Zone" section for further details.

Alternatively, you can activate the interactive recommendations mode of an existing zone. Enter the following at the relevant zone prompt:

interactive

If you deactivate the interactive recommendations mode of a zone, the Detector automatically accepts all existing recommendations and assumes automatic detection.

Detecting Zone Traffic Anomalies

After learning the zone traffic characteristics the Detector is ready to detect traffic anomalies in the zone traffic.

To activate zone detection, enter the following at the relevant zone prompt:

detect

For example:

admin@DETECTOR-conf-zone-scannet# detect

Configuring Guard-Protection Activation Forms

You can apply different Guard-protection forms. They are designed to save Guard-protection resources and to focus on the detection and protection requirements of the zone. The forms range from protecting only a sub-zone of the overall zone (for example, a specific server within a protected network) to protecting the overall zone.

The Detector supports the following Guard-protection activation forms:

all-zone—The Detector activates the Guard to assume protection over the overall zone whenever traffic abnormality is detected. We recommend this strategy when the overall zone consists of inter-related zones that cannot be risked.

only-dest-ip—The Detector activates Guard protection over a particular sub-zone once a traffic abnormality is traced as destined to that sub-zone. We recommend this strategy when the overall zone consists of unrelated sub-zones. This way you assume protection only over the attacked sub-zone and do not spend protection resources on the overall zone.

policy-type—The Detector activates Guard protection over a specific sub-zone once a traffic abnormality is traced as destined to that sub-zone. If the Detector cannot associate the traffic abnormality with a particular sub-zone, it activates Guard protection over the overall zone. We recommend this strategy when the overall zone consists of highly related sub-zones. This way you avoid a situation in which an attack on one targeted sub-zone damages the overall zone.

To activate the Guard-protection forms, enter the following at the relevant zone prompt:

protect-ip-state {all-zone | only-dest-ip | policy-type}

For example:

admin@DETECTOR-conf-zone-scannet# protect-ip-state all-zone
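The decision logic described in the "Configuring the Zone Remote Guard List", "Interactive Recommendations Mode" and "Configuring Guard-Protection Activation Forms" sections, as an added Python example that is not part of the Cisco guide or the Detector software: which Guards are activated (zone-specific list, then the Detector default list, then log only), which address scope they are asked to protect under each protect-ip-state value, and how interactive mode turns an activation into a pending recommendation that is accepted when interactive mode is switched off. The names Anomaly, Zone, protection_scope, decide and disable_interactive are assumptions. The chapter does not say what only-dest-ip does when an anomaly cannot be tied to a destination inside the zone; the model falls back to logging only there, which is also an assumption.

```python
"""Added example (not Cisco's code): the activation decision this chapter
describes, for one detected anomaly. Class and function names are assumptions.
The chapter does not state what only-dest-ip does when an anomaly cannot be
tied to a destination inside the zone; this model falls back to logging only,
which is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Anomaly:
    policy: str                     # policy whose threshold was violated
    dest_ip: Optional[str] = None   # destination the abnormal traffic is traced to, if known


@dataclass
class Zone:
    name: str
    networks: List[str]                                     # entries added with "ip address"
    protect_ip_state: str = "all-zone"                      # all-zone | only-dest-ip | policy-type
    remote_guards: List[str] = field(default_factory=list)  # zone-specific remote Guard list
    interactive: bool = False
    pending: list = field(default_factory=list)             # recommendations awaiting a decision

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(n) for n in self.networks]


def protection_scope(zone, anomaly):
    """Addresses the Guard is asked to protect, or None when no activation applies."""
    dest = ipaddress.ip_address(anomaly.dest_ip) if anomaly.dest_ip else None
    in_zone = dest is not None and any(dest in net for net in zone.networks)
    if zone.protect_ip_state == "all-zone":
        return list(zone.networks)                  # whole zone on any anomaly
    if in_zone:
        return [ipaddress.ip_network(str(dest))]    # only the attacked sub-zone (/32)
    if zone.protect_ip_state == "policy-type":
        return list(zone.networks)                  # unattributable: fall back to whole zone
    return None                                     # only-dest-ip, unattributable (assumption)


def decide(zone, anomaly, default_guards):
    """Zone list first, the Detector default list if it is empty, log only if both are empty."""
    guards = list(zone.remote_guards) or list(default_guards)
    scope = protection_scope(zone, anomaly)
    if not guards or scope is None:
        return {"action": "notify", "policy": anomaly.policy}
    result = {"action": "activate", "policy": anomaly.policy,
              "guards": guards, "scope": [str(n) for n in scope]}
    if zone.interactive:
        result["action"] = "recommend"              # the operator must accept it first
        zone.pending.append(result)
    return result


def disable_interactive(zone):
    """Leaving interactive mode accepts every pending recommendation."""
    accepted = [dict(r, action="activate") for r in zone.pending]
    zone.pending.clear()
    zone.interactive = False
    return accepted
```

Two practical checks fall out of this model: a zone whose own list and the default list are both empty only ever produces notify actions, so an empty default list is a silent failure to look for; and switching a zone out of interactive mode activates every recommendation that was still pending, so review the pending list before doing so during an attack.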

Analyzing the Zone Traffic

You can display an overview of the zone status or the zone rates or counters.

Viewing Zone Counters

You can use the following commands to analyze zone traffic:

show rates—Displays the average traffic rate of the Received counter.

show rates details—Displays the average traffic rate of the Received counter.

show rates history—Displays the average traffic rate of the Received counter for every minute in the past 24 hours.

show counters—Displays the Received counter.

show counters details—Displays the Received counter.

show counters history—Displays the value of the Received counter for every minute in the past hour.

The rate units are in bits per second (bps) and in packets per second (pps).


Note Zone rates are only available when the zone is in learning or detect mode.


The Detector module measures the total traffic and computes the average traffic rate. A rate with the value of cleared indicates a time when the zone was not in detect mode.

The counter units are packets and kilobits. The counters are set to zero when detection is initiated.

Table 5-5 displays the Detector module counters.

Table 5-5 The Detector Module Counters

    Received
        The total packets, destined to the zone, that were handled by the Detector module.

For example:

admin@DETECTOR-conf-zone-scannet# show rates 

Viewing the Zone Status

You can display an overview of a particular zone to get a general picture of the zone and its current status. Use the show command to display an overview of the zone. The overview includes the following information:

Zone status—Indicates whether the zone is currently in detect mode, is in one of the learning phases, or is inactive.

Zone basic configuration—Describes the basic zone configuration such as operation mode (automatic or interactive), thresholds and timers, and IP addresses. See the "Basic Zone Configuration" section for more details.

Zone filters—Includes the Flex filter configuration, the number of Dynamic filters and the User filter configuration. If the zone is in interactive mode, the overview displays the number of recommendations. See the "Configuring the Flex Filter" section and the "" section for further details.

Zone traffic rates—Displays the zone legitimate and malicious traffic rates. See the "Viewing Zone Counters" section for further details.

For example:

admin@DETECTOR-conf-zone-scannet# show