Cisco Traffic Anomaly Detector Module Web-Based Management Configuration Guide (Software Version 4.0)
Detecting Traffic Anomalies

Table Of Contents

Detecting Traffic Anomalies

Overview

Zone Detection

Activating Detect Mode

Deactivating Detect Mode

Dynamic Filters

Dynamic Filter Details

Deleting Dynamic Filters

Interactive Detect Mode

Activating the Interactive Detect Mode

Viewing New Recommendations

Deciding on the Detector Recommendations

Pending Dynamic Filters


Detecting Traffic Anomalies


This chapter describes how to use Web-Based Management (WBM) to detect zone traffic anomalies and DDoS attacks on the Cisco Traffic Anomaly Detector Module (Detector module).

You must configure the Detector module and the zones as described in the previous chapters of this guide before you can detect traffic anomalies.

This chapter includes the following sections:

Overview

Zone Detection

Dynamic Filters

Interactive Detect Mode

Overview

Before activating the zone in detect mode, we recommend that you let the Detector module study the zone traffic patterns. The learning process allows the Detector module to learn the traffic patterns of each zone and to create sets of recommended thresholds for statistical analysis of the traffic.

After learning the zone traffic characteristics, the Detector module is ready to detect zone traffic anomalies. You can instruct the Detector module to start detection as soon as you have finished configuring the zones. The Detector module then begins to apply its detection policies.

Detection can be activated in two ways:

Automatic detect mode—Dynamic filters are activated without user intervention.

Interactive detect mode—Dynamic filters are activated manually, in an interactive mode. The Dynamic filters are grouped as recommendations that wait for your decision. You can review these recommendations and manually decide which of them to accept, ignore, or direct to automatic activation.

See the "Managing Zones" section for further details.

When the detection policies sense a threshold violation that indicates anomalies or malicious traffic, they dynamically configure a set of filters to take the appropriate action.

Zone Detection

After learning the zone traffic characteristics, the Detector module is ready to detect zone traffic anomalies. During zone detect mode, the Detector module applies its detection policies.

Figure 7-1 Detection Menu

Activating Detect Mode

To activate zone detect mode, perform one of the following:

On the zone home page, click Detect.

From the zone main menu, select Detection > Detect.

Deactivating Detect Mode

To deactivate the zone detect mode, perform one of the following:

On the zone home page, click Deactivate.

From the zone main menu, select Detection > Deactivate.

Dynamic Filters

As the Detector module analyzes the zone traffic, it organizes the results into a set of filters that are continuously adapted to the zone traffic and the type of DDoS attack. This filter set consists of Dynamic filters. Once abnormal traffic is detected, the Dynamic filters either send a notification to the Detector syslog or activate one or more remote Guards.

For a comprehensive overview of Dynamic filters, refer to the Cisco Traffic Anomaly Detector Module Configuration Guide. To view the Dynamic filters, perform one of the following:

From the zone main menu, select Detection > Dynamic filters.

On the zone home page, click Active dynamic filters in the zone status summary table.

Figure 7-2 Dynamic Filters Table

The Dynamic filters table (Figure 7-2) displays the Dynamic filters grouped according to the policy that created them and displays information about the ongoing attack. Table 7-1 describes the Dynamic filters fields.

Table 7-1 Field Descriptions for Dynamic Filters 

Field
Description

Created by

The policy that created the Dynamic filter. Click on the policy name to display the policy details. See the "Zone Policies" section for further details.

Activation

The date and time the Dynamic filter was activated.

Expiration

The time at which the Dynamic filter is due to expire. After this time, the Dynamic filter is erased.

Src IP

The source IP address on which the Dynamic filter is applied.

Protocol

The protocol number on which the Dynamic filter is applied.

Dst Port

The destination port on which the Dynamic filter is applied.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

The action taken by the Dynamic filter.

Rate (pps)

The approximate attack rate.

Details

Indicates whether there is additional information available for this filter. Click i to view additional information.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the filter's parameter.

To display detailed information on the filter, click i in the details column.

See the "Dynamic Filter Details" section for further details.

Dynamic Filter Details

Dynamic Filter Details provides detailed information on the Dynamic filters. To display the detected anomalies details table, click i in the details column of the Dynamic filters table.

Figure 7-3 Dynamic Filter Details

The Dynamic filter details screen (Figure 7-3) includes three tables:

Information on the policy that created the Dynamic filter.

Information on the attack flow.

Information on the trigger that created the Dynamic filter. See Table 7-2.

Table 7-2 Field Descriptions for Triggers 

Field
Description

Policy Threshold

The threshold defined for the policy that was violated by the attack.

Triggering rate

The approximate attack rate that triggered the production of the Dynamic filter.


Deleting Dynamic Filters

To delete a Dynamic filter, check the box next to the filter in the Dynamic filters table (see Figure 7-2) and click Delete.

You can remove all Dynamic filters. This is effective only for a limited period of time, since the Detector module, being in detect mode, continues to configure new Dynamic filters to adapt its detection to the dynamically changing traffic state.

To prevent unwanted Dynamic filters from being reproduced, deactivate the policy that produces them. See the "Configuring Policies" section for further details. To find out which policy produced the unwanted Dynamic filters, see the sections about viewing Dynamic filters in this chapter.

Alternately, you can perform one of the following:

Configure a Bypass filter for the desired traffic flow. See the "Configuring Bypass Filters" section for further details.

Increase the Threshold of the policy that produced the undesired Dynamic filter. See the "Configuring Parameters" section for further details.


Interactive Detect Mode

When a DDoS attack begins, the Detector module policies create Dynamic filters. When the zone is in interactive detect mode, the Detector module does not activate these Dynamic filters automatically but waits for your decision. These filters are called pending Dynamic filters. In interactive detect mode, you decide which of the filters produced by the policies are activated; the Detector module acts according to your decision to accept or ignore each filter, so you control in real time which action it takes. In this way, interactive mode gives you greater control over the activation of protective measures as a DDoS attack progresses.

The recommendations are a summary of the pending Dynamic filters according to the policies that produced them. The information includes the policy name that recommended it, data on the traffic anomaly that resulted in policy activation, the number of pending filters and the recommended action.

For a comprehensive overview of the Interactive recommendations mode, refer to the Cisco Traffic Anomaly Detector User Guide.

Activating the Interactive Detect Mode

The operation mode is a characteristic of a zone.

To activate the interactive detect mode, perform the following steps:


Step 1 Choose Configuration > General from the zone main menu.

Step 2 Click the Config button below the first table.

Step 3 Set the operation mode to interactive and click OK.


See the "Managing Zones" section for further details.

You can decide to end the interactive detect mode at any time and return to the automatic detect mode. The Detector module disregards any decisions made while in the interactive mode. The policies resume their role of automatically producing and activating their filters and automatically accepting all pending Dynamic filters and recommendations.

Viewing New Recommendations

A recommendations icon indicates that there are new recommendations.

The recommendations icon appears in the following locations:

On the navigation pane, next to the zone icon in the All Zones list

On the navigation pane, next to the zone icon in the Under detection list

On the zone home page, in the zone status bar

In the zone list table

When the Detector module has new recommendations, the number of pending Dynamic filters is greater than zero. You can see this in the zone status summary on the zone home page under Pending Dynamic filters.

To view new recommendations, perform one of the following:

From the zone main menu, select Detection > Recommendations.

On the zone home page, click Pending Dynamic filters in the zone status summary.

Figure 7-4 Recommendations

Table 7-3 describes the fields in the Recommendations table (Figure 7-4).

Table 7-3 Field Descriptions for Recommendations 

Field
Description

ID

The recommendation identification number (ID).

Recommendation

The recommended action.

Created By

The policy that created the filter. Click on the policy name to display the Policy details. See the "Configuring Parameters" section for further details.

# of PFs

The number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of traffic flow that violated the policy threshold. Click on the number to view the pending Dynamic filters that constitute the recommendation.

Attack flow

Provides information on the attack flow:

Src IP—The source IP address of the attack stream

Protocol—The protocol number of the attack stream

Dst Port—The destination port of the attack stream

Dst IP—The destination IP address of the attack stream.

Thr.

The policy threshold that was violated.

Min.

Minimum attack rate. The rate of the lowest pending Dynamic filter is displayed for recommendations that include several pending Dynamic filters.

Max.

Maximum attack rate. The rate of the highest pending Dynamic filter is displayed for recommendations that include several pending Dynamic filters.

Creation

The date and time the recommendation was created.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the filter parameter.

Deciding on the Detector Recommendations

The Detector module enables you to decide on its recommendations. Your decisions determine whether a pending Dynamic filter is activated or ignored. You can also instruct the Detector module to always automatically activate the pending Dynamic filters of a specific policy. The Detector module will no longer display that policy's filters for you to decide on.

You can decide to instruct the Detector module to prevent a policy from producing recommendations (and their pending Dynamic filters). To prevent a policy from producing recommendations, disable or inactivate the policy. See the "Configuring Parameters" section for further details.

As the DDoS attack continues and changes its characteristics, the Detector module policies continue to produce recommendations for you to view and act on. You can change the operation mode to automatic during the ongoing attack.

The Detector module activates the Dynamic Filters produced by the policies for at least a user-defined (Filters timeout) time span. See the "Dynamic Filters" section for further details.

To decide on the Detector module recommendations, perform the following steps:


Step 1 Enter a timeout for the filter, in the Filters timeout box.

Step 2 Check the box next to the recommendation.

Step 3 Select the required action.


Table 7-4 describes the actions you can take for a recommendation.

Table 7-4 Recommendation Actions 

Action
Description

Accept

Accept the specific recommendation. The recommendation's pending Dynamic filters are activated.

Always Accept

Accept the specific recommendation. The decision applies automatically whenever the recommendation policy produces new recommendations.

The Detector module does not display the always-accept recommendations.

Always Ignore

Ignore the specific recommendation. No Dynamic filters are produced from the recommendation. The decision automatically applies to all future recommendations that the recommendation's policy produces during the current attack. To prevent a policy from producing recommendations in future attacks, disable or inactivate the policy.


You can also decide to selectively accept Pending Dynamic Filters instead of accepting the recommendation.
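The WBM screens described in this section only display the result of the Detector module's internal processing. The following added example (Python; it is not Detector module code and does not reproduce its implementation) models the behaviour described in Tables 7-3, 7-4 and 7-5: pending Dynamic filters produced by the same policy roll up into one recommendation, the attack-flow columns show * when the filters measured more than one value, and Accept, Always Accept and Always Ignore decisions are applied to later recommendations from the same policy. The policy names, IP addresses, rates and data structures are constructed assumptions for illustration only.

```python
"""Illustrative model of interactive detect mode (added example, not Detector code).

Pending Dynamic filters are grouped into per-policy recommendations, and the
operator's Accept / Always Accept / Always Ignore decisions are replayed against
later batches of recommendations.  All names and values below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Attack-flow columns of the Recommendations table (Table 7-3).
FLOW_FIELDS = ("src_ip", "protocol", "dst_port", "dst_ip")


@dataclass(frozen=True)
class PendingFilter:
    """One flow that violated a policy threshold (fields follow Table 7-5)."""
    policy: str      # "Created by": the policy that produced the filter (assumed name)
    src_ip: str
    protocol: int
    dst_port: int
    dst_ip: str
    threshold: int   # "Thr.": policy threshold in pps
    trig_rate: int   # "Trig. Rate": approximate rate that triggered the filter, in pps


@dataclass
class Recommendation:
    """Summary of all pending filters produced by one policy (Table 7-3)."""
    rec_id: int
    policy: str
    filters: List[PendingFilter]

    @property
    def count(self) -> int:          # "# of PFs"
        return len(self.filters)

    @property
    def min_rate(self) -> int:       # "Min.": lowest pending filter rate
        return min(f.trig_rate for f in self.filters)

    @property
    def max_rate(self) -> int:       # "Max.": highest pending filter rate
        return max(f.trig_rate for f in self.filters)

    @property
    def threshold(self) -> int:      # "Thr.": all filters of one policy share it
        return self.filters[0].threshold

    def attack_flow(self) -> Dict[str, str]:
        """Attack-flow columns; '*' where the filters measured more than one value."""
        flow: Dict[str, str] = {}
        for name in FLOW_FIELDS:
            values = {getattr(f, name) for f in self.filters}
            flow[name] = str(values.pop()) if len(values) == 1 else "*"
        return flow


def build_recommendations(pending: List[PendingFilter]) -> List[Recommendation]:
    """Group pending filters by the policy that created them, one recommendation each."""
    by_policy: Dict[str, List[PendingFilter]] = defaultdict(list)
    for pf in pending:
        by_policy[pf.policy].append(pf)
    return [Recommendation(i, policy, flts)
            for i, (policy, flts) in enumerate(sorted(by_policy.items()), start=1)]


class InteractiveDecisions:
    """Operator decisions (Table 7-4) and the Dynamic filters they activated."""

    def __init__(self) -> None:
        self.always_accept: set = set()   # policies whose recommendations auto-activate
        self.always_ignore: set = set()   # policies whose recommendations are dropped
        self.active: List[Tuple[PendingFilter, int]] = []   # (filter, Filters timeout s)

    def decide(self, rec: Recommendation, action: str, timeout: int) -> None:
        """Apply one of the Table 7-4 actions to a displayed recommendation."""
        if action == "accept":
            self.active += [(f, timeout) for f in rec.filters]
        elif action == "always-accept":
            self.always_accept.add(rec.policy)
            self.active += [(f, timeout) for f in rec.filters]
        elif action == "always-ignore":
            self.always_ignore.add(rec.policy)
        else:
            raise ValueError(f"unknown action {action!r}")

    def triage(self, recs: List[Recommendation], timeout: int) -> List[Recommendation]:
        """Replay standing decisions on a new batch; return what still needs the operator."""
        shown: List[Recommendation] = []
        for rec in recs:
            if rec.policy in self.always_ignore:
                continue                      # not displayed, no filters produced
            if rec.policy in self.always_accept:
                self.active += [(f, timeout) for f in rec.filters]   # silently activated
                continue
            shown.append(rec)
        return shown


# Constructed sample: three flows that violated two (assumed) policies in one attack.
SAMPLE_PENDING = [
    PendingFilter("tcp_services/80/syn", "198.51.100.7", 6, 80, "192.0.2.10", 2000, 8500),
    PendingFilter("tcp_services/80/syn", "198.51.100.9", 6, 80, "192.0.2.10", 2000, 12000),
    PendingFilter("udp_services/53", "203.0.113.4", 17, 53, "192.0.2.20", 1500, 3100),
]
```

Running build_recommendations(SAMPLE_PENDING) yields two recommendations: the SYN policy's recommendation has # of PFs 2, Min. 8500, Max. 12000 and Src IP * (two sources were measured), while the DNS policy's recommendation carries its single source address. After an always-accept decision on the first and an always-ignore on the second, triage() shows nothing for a repeated batch from the same two policies, which is the behaviour Table 7-4 describes.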

Pending Dynamic Filters

The pending Dynamic filters measure each flow that violated a threshold. Pending Dynamic filters that were produced by the same policy are shown as a single recommendation. To view the Pending Dynamic filters, click on the number of pending filters (# of PFs column) in the recommendations table (see Figure 7-4).

Figure 7-5 Pending Dynamic Filters

Table 7-5 describes the Pending Dynamic filters fields (Figure 7-5).

Table 7-5 Field Descriptions for Pending Dynamic Filters 

Parameter
Description

Created by

Indicates the policy that created the Dynamic filter. Click on the policy name to display the Policy details. See the "Zone Policies" section for further details.

Activation

The date and time the Dynamic filter was created.

Src IP

The source IP address of the attack stream.

Protocol

The protocol number of the attack stream.

Dst Port

The destination port of the attack stream.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

The action taken by the Dynamic filter.

Recent rate

The current attack rate.

Trig. Rate (pps)

The triggering rate—the approximate attack rate that triggered the production of the Dynamic filter.

Details

Indicates whether additional information is available for this filter. Click i for additional information.


To selectively accept a pending Dynamic filter, check the check box next to the required filter and click Accept.

You can define a timeout for the Dynamic filter (Filters timeout). The Detector module activates the Dynamic filters produced by the policies for the time that you define. See the "Dynamic Filters" section for further details.

To display detailed information for the Dynamic filter, click i in the details column (Figure 7-6).

Figure 7-6 Pending Dynamic Filter Details

The pending Dynamic filter details screen (Figure 7-6) includes three tables:

Information on the policy that created the filter.

Information on the attack flow

Information on the trigger for the filter creation. See Table 7-2.