Cisco Traffic Anomaly Detector Module Web-Based Management Configuration Guide (Software Version 4.0)

Introduction


This chapter provides an overview of the Cisco Traffic Anomaly Detector Module Web-Based Management (WBM) interface. This chapter includes the following sections:

System Requirements

What is DDoS

The Cisco Traffic Anomaly Detector Module

The User Interface

System Requirements

The Cisco Traffic Anomaly Detector Module (Detector module) has a Web-Based Management interface that requires a web browser, Microsoft Internet Explorer 5 or higher, with support for HTML, tables, cookies, JavaScript, and frames.

We recommend that you use a minimum screen resolution of 1024 by 768 pixels.

No software installation is required.

What is DDoS

Distributed Denial of Service (DDoS) attacks are attacks in which malicious individuals cause thousands of compromised computers (zombies) to run automated scripts that cripple the network resources of a protected server (the zone) with spurious requests for service. The attacks can be, for example, a flood of bogus home page requests to a web server that shuts out legitimate consumers, or efforts that compromise the availability and accuracy of Domain Name System (DNS) servers. Although an attack is often launched by an individual, the zombies that actually execute the attacking code may number in the hundreds of thousands and are distributed over multiple autonomous systems administered by multiple organizations.

DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, their attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. Thus, DDoS defense technology must be flexible and adaptive.

It must be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network element.

The Cisco Traffic Anomaly Detector Module

The Detector module is a detection and protection activation component. The Detector module is best suited to work in conjunction with the Cisco Anomaly Guard Module, but it can also operate as a separate DDoS detection and alarm component. The Detector module obtains a copy of the traffic either by using the port mirroring feature (such as SPAN) of a switch, or by using an optical splitter. It then constantly monitors the traffic and remains closely tuned to zone traffic characteristics for evolving attack patterns.

To accomplish the above-mentioned tasks, the Detector module employs the following components:

An algorithm-based learning system that learns the zone traffic, adapts itself to its particular characteristics, and supports the Detector's detection mechanisms with references and instructions in the form of Thresholds and Policies.

A system that either remotely activates Cisco Guard or Guards to assume protection over the zone or zones, or records the traffic anomalies in the Detector syslog.

Integrating these components enables the Detector to assume its detection role while unobtrusively staying in the background.
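
The learn-then-detect flow described above, as an added illustration that is not Cisco's code and not the Detector's actual algorithm: a per-zone threshold is derived from a learning period, and each later interval is checked against it, raising the configured action once per anomaly. The ZonePolicy class, the action names, the mean-plus-deviation rule, and the sample counts are all assumptions constructed for this example.

```python
import statistics
from dataclasses import dataclass

# Constructed per-interval packet counts for one zone (not real capture data).
LEARNING_SAMPLES = [980, 1010, 1050, 995, 1020, 1005, 990, 1030]
LIVE_SAMPLES = [1015, 1040, 4800, 5200, 1000]


@dataclass
class ZonePolicy:
    """Hypothetical per-zone policy: a learned threshold plus an action."""
    zone: str
    action: str              # assumed names: "activate-guard" or "syslog"
    threshold: float = 0.0

    def learn(self, samples, k=4.0, floor=1.2):
        # Assumed rule: mean + k * stddev, but never below floor * the peak
        # seen while learning, so normal peaks do not raise an anomaly.
        mean = statistics.fmean(samples)
        dev = statistics.pstdev(samples)
        self.threshold = max(mean + k * dev, floor * max(samples))
        return self.threshold


def monitor(policy, samples):
    """Return (interval, event, rate) tuples: one at anomaly start, one at end."""
    events, in_anomaly = [], False
    for i, rate in enumerate(samples):
        exceeded = rate > policy.threshold
        if exceeded and not in_anomaly:
            # Raised once per anomaly, not once per interval, so the
            # protection device is activated (or the log written) one time.
            events.append((i, policy.action, rate))
        elif in_anomaly and not exceeded:
            events.append((i, "anomaly-cleared", rate))
        in_anomaly = exceeded
    return events


if __name__ == "__main__":
    policy = ZonePolicy(zone="web-zone", action="syslog")
    print("learned threshold:", policy.learn(LEARNING_SAMPLES))
    for interval, event, rate in monitor(policy, LIVE_SAMPLES):
        print(f"zone={policy.zone} interval={interval} event={event} rate={rate}")
```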

The User Interface

The WBM provides access to various Detector module configuration and management screens, allowing you to view statistics and graphically monitor the system status.

The WBM allows you to configure and monitor the Detector's various detection mechanisms. It provides a subset of the CLI functionality and deals with detected zone configuration, status, and reports. Configuration parameters that relate to procedures such as the initial Detector setup and the network-level setup of the Detector are accessible only through the CLI and cannot be set using the WBM. See the Cisco Traffic Anomaly Detector Module Configuration Guide for further details.

Figure 1-1 displays the WBM user interface. The user interface is divided into different areas.

Figure 1-1 WBM User Interface

Area    Function

1       Main Menu Bar—Displays the main menu for the link that is selected in the navigation pane. There are different menu bars for the Detector module and the zones. If you select the Detector module Summary in the navigation pane, the Detector module main menu is displayed. If you select one of the zones in the navigation pane, the main menu of the specific zone is displayed. (See Figure 1-1.) You can navigate to the page you want, either by selecting a menu option, or by using the navigation path.

2       Navigation Path—Displays the path to the current location. Click the location in the path to navigate to that location and display the relevant information in the display area.

3       Navigation Pane—Displays a list of links to the home pages of the zones and of the Detector module. Click a link from the list to display the relevant home page in the display area (5). The selected item is highlighted by a white frame. You can change the size of the pane.

4       Information Area—Provides access to the Detector module Home page and other useful information.

5       Display Area—Displays the views that are selected. You can change the size of the display area.


Figure 1-2 WBM Menu Hierarchy

Note: Some menu items are dimmed and are unavailable.