Cisco Traffic Anomaly Detector Module Web-Based Management Configuration Guide (Software Version 4.0)
Zone Statistics and Diagnostics

Table Of Contents

Zone Statistics and Diagnostics

Zone Counters

Analyzing Traffic

Zone Event Log

Zone Detection Summary Report

Detection Graph

Total Attack Statistics

Per Attack Summary

Zone Attack Reports

General Details

Attack Statistics

Detected Anomalies

Detected Anomalies Details

Viewing Policy Statistics


Zone Statistics and Diagnostics


This chapter describes how to perform tasks used for monitoring zones and displaying various zone statistics and diagnostics on the Cisco Traffic Anomaly Detector Module using Web-Based Management (WBM).

This chapter includes the following sections:

Zone Counters

Zone Event Log

Zone Detection Summary Report

Zone Attack Reports

Viewing Policy Statistics

Zone Counters

The zone counters (Figure 8-1) enable you to analyze the zone traffic in order to verify the zone status and to determine whether the zone protection is functioning properly. You can view the zone counters for a configurable period of time as a graph to see how zone protection is evolving. The information relates to the current zone.

To view the zone counters, choose the relevant zone and choose Diagnostics > Counters from the zone main menu.

Figure 8-1 Zone Counters

The Received counter provides information on the total packets that the Detector module receives and handles for the current zone.

The following information is available for the Received counter:

Packets—Total number of packets destined to the zone since last activation.

Bits—Total number of bits destined to the zone since last reload.

pps—Current traffic rate destined to the zone, measured in packets per second.

bps—Current traffic rate destined to the zone, measured in bits per second.

To change the graph settings, perform the following steps:


Step 1 Check the boxes of the counters to display in the graph.

Step 2 Select a time period for the graph from the drop-down list.

Step 3 Select a type from the drop-down list to specify the traffic rate units.

Step 4 Click Update Graph to update the graph with the new settings.


A legend identifying the counters appears below the graph and the minimum, maximum and average rates for each counter are displayed for the time period and rate units selected.

Analyzing Traffic

It is important to analyze the traffic flow in order to determine whether traffic is flowing properly to the zone. The following section provides information to help you analyze the traffic flow, indicating possible problems and their solutions:

Received packets greater than zero indicates proper traffic flow to the zone.

If Received packets equals zero, this could indicate one of the following:

If the current rate (pps or bps) of received packets for the Detector module as a whole, or for other zones on the same switch, also equals zero, there could be a problem with one of the following:

Configuration of traffic capturing.

Traffic destined to the zone or zones is blocked before it reaches the switch to which the Detector module is connected.

If the Received packets current rate (pps or bps) of the Detector module, or of other zones connected to the same switch, is greater than zero, verify that a Bypass filter is not defined for the zone.
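The following worked example is added to this section and is not code from the Cisco guide. It derives the Received counter fields (pps and bps, and the min/max/avg legend) from cumulative packet and bit counters sampled at intervals, and applies the zero-traffic checklist above to the resulting rates. The counter samples, interval and zone figures are constructed; the diagnosis strings are this example's own labels for the checklist outcomes.

```python
"""Added example (not from the Cisco guide): Received counter rates and the
zero-traffic checklist. All samples below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Sample:
    t: float       # seconds (constructed timestamps)
    packets: int   # cumulative packets destined to the zone
    bits: int      # cumulative bits destined to the zone


def current_rates(prev: Sample, cur: Sample) -> Tuple[float, float]:
    """pps and bps between two consecutive samples of a cumulative counter."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    if cur.packets < prev.packets or cur.bits < prev.bits:
        # A cumulative counter only goes backwards after a reload or
        # re-activation; the rate for that interval is meaningless.
        raise ValueError("counter reset between samples")
    return (cur.packets - prev.packets) / dt, (cur.bits - prev.bits) / dt


def rate_series(samples: Sequence[Sample]) -> List[Tuple[float, float]]:
    """(pps, bps) for every interval between consecutive samples."""
    return [current_rates(a, b) for a, b in zip(samples, samples[1:])]


def legend(series: Sequence[Tuple[float, float]], unit: str = "pps") -> Dict[str, float]:
    """Min, max and average rate for the selected unit, as shown below the graph."""
    idx = {"pps": 0, "bps": 1}[unit]
    vals = [r[idx] for r in series]
    return {"min": min(vals), "max": max(vals), "avg": sum(vals) / len(vals)}


# Outcome labels for the checklist in "Analyzing Traffic" (this example's own).
OK = "ok"
CAPTURE_OR_UPSTREAM = "check traffic capture configuration or upstream blocking"
BYPASS_FILTER = "bypass filter defined for the zone"
UNEXPLAINED = "checklist exhausted: other zones see traffic and no bypass filter is defined"


def diagnose(zone_pps: float, detector_pps: float,
             other_zone_pps: Iterable[float], bypass_filter_defined: bool) -> str:
    """Apply the checklist: zone traffic present, module-wide traffic, bypass filter."""
    if zone_pps > 0:
        return OK
    if detector_pps == 0 and not any(p > 0 for p in other_zone_pps):
        return CAPTURE_OR_UPSTREAM
    return BYPASS_FILTER if bypass_filter_defined else UNEXPLAINED


# Constructed counter samples for one zone, 10 s apart; traffic stops at t=20.
SAMPLES = [
    Sample(0, 0, 0),
    Sample(10, 1_000, 8_000_000),
    Sample(20, 3_000, 24_000_000),
    Sample(30, 3_000, 24_000_000),
]

if __name__ == "__main__":
    series = rate_series(SAMPLES)
    print(legend(series, "pps"), legend(series, "bps"))
    # Zone sees nothing in the last interval while the module still sees 500 pps.
    print(diagnose(series[-1][0], detector_pps=500, other_zone_pps=[120, 0],
                   bypass_filter_defined=True))
```

The reset check matters in practice: the Packets and Bits fields are cumulative since the last activation, so a sample taken across a re-activation yields a negative delta and must be discarded rather than plotted as a rate.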

Zone Event Log

The zone event log (Figure 8-2) provides useful monitoring and troubleshooting information. To view the zone event log, choose Diagnostics > Event log from the zone main menu.

Figure 8-2 Zone Event Log

Table 8-1 describes the different severity levels.

Table 8-1 Event Log Severity Levels 

Event Level
Description

Emergencies

System is unusable

Alerts

Immediate action required

Critical

Critical condition

Errors

Error condition

Warnings

Warning condition

Notifications

Normal but significant condition

Informational

Informational messages

Debugging

Debugging messages


To filter the events according to their severity level, check the boxes for the requested severity levels and click Filter Events. Only those events with the requested severity levels appear.

Zone Detection Summary Report

The Detector module provides a protection summary report for each zone to help form a clearer picture of the detected attacks on the zone. It summarizes the DDoS attacks on the zone during a user-defined period of time. The Detector module records the relevant details during attacks and organizes the data into different categories. The report gives details of the total number and intensity of the attacks, and a short summary for each of the attacks. The data is also presented graphically.

To view the zone protection summary report choose Diagnostics > Attack Reports from the zone main menu.

The zone protection summary report appears. It includes data fields and tables that are grouped in three sections:

Detection Graph

Total Attack Statistics

Per Attack Summary

By default, the report is displayed for a period of the last month.

To change the time period of a protection summary report, perform the following steps:


Step 1 In the report, enter the Period from and to dates. You can enter the dates manually or click on the calendar icon (at the right of each field) and select a date.

Step 2 Click Get Reports.


Detection Graph

The protection graph provides a graphical summary of the attacks during the user-defined period of time.

Figure 8-3 Zone Detection Summary Report - Detection Graph

The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate is displayed.


Note Click on the attack bar to access the attack report (see the "Zone Attack Reports" section).


Total Attack Statistics

The total attack statistics table (Figure 8-4) provides information on the number of attacks on the zone and the aggregated attack details during the period of time you defined.

Figure 8-4 Zone Detection Summary Report—Total Attack Statistics

Table 8-2 describes the fields in the report.

Table 8-2 Field Descriptions for Total Attack Statistics Report 

Field
Description

Attacks Detected

The number of attacks detected.

Attacks Duration

The aggregated duration of the detected attacks.

Max. Traffic Rate

The maximum rate of malicious traffic destined to the zone.

Total Rx

The total amount of traffic destined to the zone.


Per Attack Summary

The Per Attack Summary provides a table with a list of the DDoS attacks on the zone during the time period you defined.

Figure 8-5 Zone Detection Summary Report—Per Attack Summary

Table 8-3 describes the fields in the columns of the table.

Table 8-3 Field Descriptions for Summary Report 

Field
Description

#

The identification number (ID) of the detected attack.

Start time

The date and time of the detected attack.

Duration

The duration of the detected attack in hours, minutes, and seconds.

Type

The type of detected attack. Possible values are:

Tcp connections—A detected flow with an unusual number of concurrent TCP connections, with or without data.

HTTP—An unusual HTTP traffic flow.

Tcp incoming—A detected flow attacking a TCP service when the Zone is a server.

Tcp outgoing—A detected attack flow in which the client seems to be the Zone, such as SYN-ACK attacks on connections initiated by Zone when the Zone is the client.

Unauthenticated tcp—A detected flow that the Detector module anti-spoofing mechanisms have not succeeded in authenticating, for example an ACK flood, FIN flood, or any other flood of unauthenticated packets.

DNS (Udp)—An attacking DNS-UDP protocol flow.

DNS (Tcp)—An attacking DNS-TCP protocol flow.

Udp—An attacking UDP protocol flow.

Non tcp/udp protocols—A non TCP/UDP attacking protocol flow.

Fragments—A detected flow with an unusual quantity of fragmented traffic.

Hybrid—An attack composed of several attacks with different characteristics.

IP scan—A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

port scan—A detected flow initiated from a source IP address that tried to access many zone ports.

user detected—An anomaly flow detected by the user.

Peak (pps)

The maximum attack rate measured in packets per second.

Received Pkts

The total number of packets destined to the zone that were handled by the Detector module during the attack.


Click in any of the fields to access the attack report (see "Zone Attack Reports" section).
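The following worked example is added here and is not code from the Cisco guide. It builds the Per Attack Summary rows for a user-defined period and derives the Total Attack Statistics fields of Table 8-2 from them. The attack records are constructed; the field names follow Tables 8-2 and 8-3, while the aggregation rules (sum of durations, maximum peak rate, sum of received packets) are this example's reading of those descriptions, not a documented formula.

```python
"""Added example (not from the Cisco guide): Per Attack Summary rows and
Total Attack Statistics for a period. Attack records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence

# Values of the Type column in Table 8-3.
ATTACK_TYPES = {
    "Tcp connections", "HTTP", "Tcp incoming", "Tcp outgoing",
    "Unauthenticated tcp", "DNS (Udp)", "DNS (Tcp)", "Udp",
    "Non tcp/udp protocols", "Fragments", "Hybrid", "IP scan",
    "port scan", "user detected",
}


@dataclass(frozen=True)
class Attack:
    id: int                 # "#" column
    start: datetime         # Start time
    duration: timedelta     # Duration
    type: str               # Type
    peak_pps: int           # Peak (pps)
    received_pkts: int      # Received Pkts

    def __post_init__(self) -> None:
        if self.type not in ATTACK_TYPES:
            raise ValueError(f"unknown attack type {self.type!r}")


def fmt_duration(td: timedelta) -> str:
    """Hours, minutes and seconds, as in the Duration column."""
    s = int(td.total_seconds())
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def per_attack_summary(attacks: Sequence[Attack], period_from: datetime,
                       period_to: datetime) -> List[Attack]:
    """Attacks whose start time falls inside the Period from/to dates."""
    if period_to < period_from:
        raise ValueError("period 'to' precedes 'from'")
    return sorted((a for a in attacks if period_from <= a.start <= period_to),
                  key=lambda a: a.start)


def total_attack_statistics(rows: Sequence[Attack]) -> Dict[str, object]:
    """Table 8-2 fields aggregated over the summary rows (assumed rules)."""
    return {
        "Attacks Detected": len(rows),
        "Attacks Duration": fmt_duration(sum((a.duration for a in rows), timedelta())),
        "Max. Traffic Rate": max((a.peak_pps for a in rows), default=0),
        "Total Rx": sum(a.received_pkts for a in rows),
    }


# Constructed attack records; the third one lies outside PERIOD.
ATTACKS = [
    Attack(1, datetime(2024, 3, 2, 10, 0), timedelta(minutes=15),
           "Tcp incoming", 48_000, 43_200_000),
    Attack(2, datetime(2024, 3, 9, 22, 30), timedelta(hours=1, seconds=5),
           "DNS (Udp)", 120_000, 300_000_000),
    Attack(3, datetime(2024, 4, 1, 0, 0), timedelta(minutes=2),
           "port scan", 900, 108_000),
]
PERIOD = (datetime(2024, 3, 1), datetime(2024, 3, 31, 23, 59, 59))

if __name__ == "__main__":
    rows = per_attack_summary(ATTACKS, *PERIOD)
    for a in rows:
        print(a.id, a.start, fmt_duration(a.duration), a.type, a.peak_pps, a.received_pkts)
    print(total_attack_statistics(rows))
```

Filtering on the start time only is the simplest reading of "during the time period you defined"; an attack that starts inside the period and ends after it is still listed, which matches how the report shows attacks still in progress.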

Zone Attack Reports

The Detector module provides an attack report for every zone to help form a clearer picture of each attack. The attack report gives details of the attack, starting with the production of the first Dynamic filter and ending either by a user decision or after a defined period of time during which no new Dynamic filters were added.

The Detector module records the relevant details during an attack and organizes the data into categories. Attack reports are available for both past attacks and the current attack.

To view a zone attack report, perform these steps:


Step 1 Select the relevant zone.

Step 2 Select Diagnostics > Attack Reports from the zone main menu.

Step 3 To view details of the attack:

Click on the attack bar in the "Detection Graph"

OR

Click on any of the fields for the attack in the "Per Attack Summary" table.


When an attack is in progress, a Report button is displayed on the home page for the zone under attack.

To view the current attack report:

Click Report on the zone home page

OR

Select Diagnostics > Attack Reports from the zone main menu and click on any of the fields for the attack in progress in the "Per Attack Summary" table.

The attack report includes data fields and tables, grouped together in sections:

General Details

Attack Statistics

Detected Anomalies

General Details

The first section of the report (Figure 8-6) provides information related to the timing of the attack. It includes information on when the attack started, when it ended, and how long it lasted.

To view more details of the report, click i or Show details for all events.

Figure 8-6 Attack Report—General Details

All counters are integers except for rate. You can select the statistics units from the drop-down list.

To change the statistic units, choose the units from the drop-down list and click Set units.

Attack Statistics

The attack statistics provide information on Received packets. Table 8-4 describes the fields:

Table 8-4 Attack Statistics 

Field
Description

Total

The total number of packets in the category.

Max Rate

The maximum packet rate that was measured.

Average Rate

The average packet rate.


The traffic rate is displayed in the units that were selected from the drop-down list in the "General Details" section.

Detected Anomalies

The Detected Anomalies table (Figure 8-7) provides details of the anomalies the Detector module detected in the zone traffic. A flow is classified as being an anomaly when it requires the production of a Dynamic filter. These anomalies can occur infrequently or can turn into systematic DDoS attacks. The Detector module clusters anomalies with the same type and flow parameters (such as source IP address, destination port) under one anomaly type.

Figure 8-7 Attack Report—Detected Anomalies

The following information is provided for each anomaly:

Table 8-5 Field Descriptions for Detected Anomalies 

Field
Description

#

The identification number (ID) of the detected anomaly.

Start time

The date and time the anomaly was detected.

Duration

The duration of the anomaly in hours, minutes, and seconds.

Type

The type of the detected anomaly. Possible values are:

Tcp_connections—A detected flow with an unusual number of concurrent TCP connections, with or without data.

HTTP—An unusual HTTP traffic flow.

Tcp incoming—A detected flow attacking a TCP service when the zone is a server.

Tcp outgoing—A detected attack flow in which the client appears to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.

Unauthenticated tcp—A detected flow that the Detector module anti-spoofing mechanisms have not succeeded in authenticating. For example, ACK flood, FIN flood or any other flood of unauthenticated packets.

DNS (Udp)—An attacking DNS-UDP protocol flow.

DNS (Tcp)—An attacking DNS-TCP protocol flow.

Udp—An attacking UDP protocol flow.

Non tcp/udp protocols—A non TCP/UDP attacking protocol flow.

Fragments—A detected flow with an unusual amount of fragmented traffic.

TCP ratio—A detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets versus FIN/RST packets).

IP scan—A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

port scan—A detected flow initiated from a source IP address that tried to access many zone ports.

user detected—An anomaly flow detected by user definitions.

Triggering rate

The anomaly traffic rate that violated a policy threshold.

% Threshold

The percentage by which the triggering rate is above the policy threshold.

Anomaly Flow

The anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow and the flow packet type.

If the anomaly flow is on a specific port, it is displayed as: dst=ip address:port

Details

Indicates whether additional information can be viewed for this filter. Click i for additional information.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the anomaly's parameter.

A value of # for any of the parameters indicates the number of values measured for that anomaly's parameter.

Detected Anomalies Details

The detected anomalies details table provides additional information on the Dynamic filters that constitute the detected anomaly.

To display the detected anomalies details table click i in the details column for the filter in the detected anomalies table.

The following information is provided:

Table 8-6 Field Descriptions for Detected Anomalies Details 

Field
Description

Start time

The date and time the anomaly was detected.

End time

The expiration date and time of the Dynamic filter.

Rate (pps)

The rate measured in packets per second.

Thresh—Indicates the policy threshold that was violated by the detected anomaly.

Triggered—Indicates the anomaly traffic rate that violated a policy threshold.

Count

The number of packets that were handled by the Dynamic filter.

Detected flow

Provides the following information on the detected attack flow that caused the production of the Dynamic filter:

Prot.—The protocol number.

Src IP—The source IP.

Src Port—The source port.

Dst IP—The destination IP.

Dst Port—The destination port.

frag.—Indicates the fragmentation characteristics of the detected traffic flow.

Type—The detected anomaly type. Refer to the Catalyst 6500 Series Switch Traffic Anomaly Detector Module Configuration Guide for further details.

Action flow

Provides information on the action flow that was addressed by the Dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP whereas the action flow could indicate all source ports for the specific source IP. The columns represent the dynamic filter traffic data.

Prot.—The protocol number.

Src IP—The source IP.

Src Port—The source port.

Dst IP—The destination IP.

Dst Port—The destination port.

frag.—Indicates the fragmentation characteristics of the action flow.
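The following worked example is added here and is not code from the Cisco guide. It covers both the Detected Anomalies table and the Detected Anomalies Details table: it clusters a set of Dynamic filters into anomaly rows, computes % Threshold from the triggering rate and the policy threshold, renders the Anomaly Flow with the * and # conventions described above, and checks that each filter's action flow is at least as wide as the detected flow that produced it. All filters are constructed; which flow parameters take part in clustering (type, protocol and destination) and the use of the first filter's triggering rate for the anomaly are assumptions of this example.

```python
"""Added example (not from the Cisco guide): Dynamic filters -> Detected
Anomalies rows, % Threshold, and detected-vs-action flow coverage.
All filters below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

Param = Optional[object]   # None is a wildcard: the flow matches any value


@dataclass(frozen=True)
class Flow:
    proto: Param
    src_ip: Param
    src_port: Param
    dst_ip: Param
    dst_port: Param
    frag: str = "no"

    def as_tuple(self) -> Tuple[Param, ...]:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.frag)

    def covers(self, other: "Flow") -> bool:
        """True if every parameter is a wildcard or equals the other's."""
        return all(m is None or m == o for m, o in zip(self.as_tuple(), other.as_tuple()))


@dataclass(frozen=True)
class DynamicFilter:
    start: datetime
    end: datetime          # expiration of the filter
    type: str
    thresh: float          # policy threshold (pps)
    triggered: float       # rate that violated it (pps)
    count: int             # packets handled by the filter
    detected: Flow
    action: Flow


@dataclass
class Anomaly:
    id: int
    start: datetime
    duration: timedelta
    type: str
    triggering_rate: float
    pct_threshold: float
    flow: Dict[str, str]
    details: List[DynamicFilter] = field(default_factory=list)


def pct_threshold(triggered: float, thresh: float) -> float:
    """Percentage by which the triggering rate exceeds the policy threshold."""
    if thresh <= 0:
        raise ValueError("policy threshold must be positive")
    return (triggered - thresh) / thresh * 100.0


def render_param(values: Sequence[Param]) -> Tuple[str, Optional[int]]:
    """One measured value -> that value; none or several -> '*' plus the # count."""
    distinct = {v for v in values if v is not None}
    if len(distinct) == 1:
        return str(next(iter(distinct))), None
    return "*", len(distinct)


def cluster(filters: Sequence[DynamicFilter]) -> List[Anomaly]:
    """Group filters with the same type and flow parameters into one anomaly."""
    groups: Dict[tuple, List[DynamicFilter]] = {}
    for f in filters:
        key = (f.type, f.action.proto, f.action.dst_ip, f.action.dst_port)  # assumed
        groups.setdefault(key, []).append(f)
    out = []
    for n, fs in enumerate(groups.values(), start=1):
        fs.sort(key=lambda f: f.start)
        first, end = fs[0], max(f.end for f in fs)
        src, src_n = render_param([f.action.src_ip for f in fs])
        dst_ip = "*" if first.action.dst_ip is None else str(first.action.dst_ip)
        dst = dst_ip if first.action.dst_port is None else f"{dst_ip}:{first.action.dst_port}"
        flow = {"prot": str(first.action.proto), "src": src, "dst": dst}
        if src_n is not None:
            flow["#src"] = str(src_n)
        out.append(Anomaly(n, first.start, end - first.start, first.type, first.triggered,
                           pct_threshold(first.triggered, first.thresh), flow, fs))
    return out


T0 = datetime(2024, 3, 9, 10, 0)
FILTERS = [  # constructed
    DynamicFilter(T0, T0 + timedelta(minutes=15), "Udp", 1000, 2500, 40_000,
                  Flow(17, "203.0.113.7", 40001, "198.51.100.20", 53),
                  Flow(17, "203.0.113.7", None, "198.51.100.20", 53)),
    DynamicFilter(T0 + timedelta(minutes=5), T0 + timedelta(minutes=20), "Udp", 1000, 1800, 22_000,
                  Flow(17, "203.0.113.9", 40002, "198.51.100.20", 53),
                  Flow(17, "203.0.113.9", None, "198.51.100.20", 53)),
    DynamicFilter(T0 + timedelta(minutes=7), T0 + timedelta(minutes=12), "Tcp incoming", 500, 4000, 9_000,
                  Flow(6, None, None, "198.51.100.20", 80),
                  Flow(6, None, None, "198.51.100.20", 80)),
]

if __name__ == "__main__":
    for a in cluster(FILTERS):
        print(a.id, a.start, a.duration, a.type, a.triggering_rate, f"{a.pct_threshold:.0f}%", a.flow)
```

The coverage check is the one a practitioner wants when reading the details table: the action flow may drop the source port of the detected flow (as in the first filter), but it must never be narrower than the detected flow, otherwise the filter would not have addressed the traffic that produced it.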


Viewing Policy Statistics

The policy statistics table (Figure 8-8) enables you to view the rate of the traffic flowing through each policy for a specific zone. This helps you to determine whether only legitimate traffic is passed to the zone and to manually tune thresholds.

To view the policy statistics table, choose Diagnostics > Policy Statistics from the zone main menu.

Figure 8-8 Policy Statistics Table

The policy statistics table displays the information in three sections. The information in each section is sorted by value, with the highest values appearing at the top:

Rate—The rate of traffic flowing through the policy.

Ratio—The ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.

Connections—The number of concurrent connections or source IP addresses. This information is available for tcp_connections policies and the following packet types:

in_nodata_conns for the Analysis protection module

For easier management, you can set screen filters to display only a partial list of the statistics available.

To set a screen filter, click Set Screen Filter, choose the values of the parameters from the drop-down lists in the Policy Filter and click OK.

A partial list of the policies, meeting the criteria that you specified, appears. Details of the selected path and the maximum keys per policy appear in the Screen Filter frame.


Note If you change one of the parameters, all the parameters listed below it are automatically cleared and you must enter new values.


Table 8-7 describes the policy statistics fields.

Table 8-7 Policy Statistics 

Field
Description

Policy template

The policy template that was used to construct the policy.

Service

The services the policy relates to.

Level

The module used to process the traffic flow.

Type

The packet type. Possible values are:

auth_pkts—Packets that underwent either TCP handshake or UDP authentication.

in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).

in_pkts—Zone incoming DNS query packets.

in_unauth_pkts—Zone incoming unauthenticated DNS queries.

out_pkts—Zone incoming DNS reply packets.

reqs—Request packets with data payload.

syns—Synchronization packets—TCP SYN flagged packets.

syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts—Packets that did not undergo TCP handshake.

pkts—All packet types that do not fall under any other category in the same protection level.

Policy

The policy.

Key

The key (traffic characteristics) that was used to aggregate the policies. Possible values are:

dst_ip—Traffic destined to a zone IP address.

dst_ip_ratio—The ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio—The ratio of SYN and FIN flagged packets destined to a specific port.

global—A summation of all traffic flow as defined by the other policy sections.

src_ip—Traffic destined to the zone aggregated according to source IP address.

src_net—Traffic destined to the zone aggregated according to source subnet IP address.

dst_port—Traffic destined to a specific zone port.

protocol—Traffic destined to the zone aggregated according to protocol.

src_ip_many_dst_ips—This is the key used for IP scanning. Traffic from a single IP address destined to many zone IP addresses.

src_ip_many_port—This is the key used for port scanning. Traffic from one IP address destined to many zone ports.

Value

The rate, ratio or number of connections depending on the section of the table. The information in each section is sorted by value, with the highest value appearing first.
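The following worked example is added here and is not code from the Cisco guide. It computes the Rate and Ratio sections of the policy statistics table, plus the two scan keys, from a constructed packet sample for a zone: packets are aggregated by the keys of Table 8-7, the syn_by_fin ratio is computed per destination IP or port, and each section is sorted with the highest value first. The window length, the packet type selectors, the /24 size used for src_net and the handling of a zero FIN/RST count are assumptions of this example; the Connections section is not covered.

```python
"""Added example (not from the Cisco guide): policy statistics sections from
a constructed packet sample, aggregated by the keys of Table 8-7."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str                           # "tcp", "udp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()  # TCP flags present
    payload: int = 0                     # data bytes


def tcp(src_ip: str, src_port: int, dst_ip: str, dst_port: int, *flags: str, payload: int = 0) -> Pkt:
    return Pkt("tcp", src_ip, src_port, dst_ip, dst_port, frozenset(flags), payload)


def key_of(p: Pkt, key: str) -> str:
    """Aggregation key value for one packet (keys of Table 8-7)."""
    if key == "global":
        return "global"
    if key == "dst_ip":
        return p.dst_ip
    if key == "src_ip":
        return p.src_ip
    if key == "src_net":
        return str(ip_network(f"{p.src_ip}/24", strict=False))  # assumed /24 aggregation
    if key == "dst_port":
        return str(p.dst_port)
    if key == "protocol":
        return p.proto
    raise ValueError(f"unsupported key {key!r}")


def matches(p: Pkt, packet_type: str) -> bool:
    """Packet type selectors (a subset of Table 8-7, assumed definitions)."""
    if packet_type == "pkts":
        return True
    if packet_type == "syns":
        return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags
    if packet_type == "reqs":
        return p.payload > 0
    raise ValueError(f"unsupported packet type {packet_type!r}")


def _desc(items) -> list:
    return sorted(items, key=lambda kv: (-kv[1], kv[0]))


def rate_section(pkts: Sequence[Pkt], window_s: float, key: str, packet_type: str) -> List[Tuple[str, float]]:
    """Rate section: packets per second per key value, highest first."""
    counts = Counter(key_of(p, key) for p in pkts if matches(p, packet_type))
    return _desc((k, n / window_s) for k, n in counts.items())


def ratio_section(pkts: Sequence[Pkt], key: str) -> List[Tuple[str, float]]:
    """syn_by_fin: SYN packets divided by FIN/RST packets, per dst IP or dst port."""
    base = {"dst_ip_ratio": "dst_ip", "dst_port_ratio": "dst_port"}[key]
    syn: Counter = Counter()
    fin: Counter = Counter()
    for p in pkts:
        if p.proto != "tcp":
            continue
        k = key_of(p, base)
        if "SYN" in p.flags and "ACK" not in p.flags:
            syn[k] += 1
        if p.flags & {"FIN", "RST"}:
            fin[k] += 1
    # A destination with SYNs but no FIN/RST is reported with its SYN count
    # as the ratio (assumed handling of the zero denominator).
    return _desc((k, syn[k] / fin[k] if fin[k] else float(syn[k])) for k in syn)


def scan_section(pkts: Sequence[Pkt], key: str) -> List[Tuple[str, int]]:
    """src_ip_many_dst_ips / src_ip_many_port: distinct targets per source IP."""
    attr = {"src_ip_many_dst_ips": "dst_ip", "src_ip_many_port": "dst_port"}[key]
    seen: Dict[str, Set] = defaultdict(set)
    for p in pkts:
        seen[p.src_ip].add(getattr(p, attr))
    return _desc((s, len(t)) for s, t in seen.items())


WINDOW_S = 10
SAMPLE = [  # constructed: one legitimate client, one SYN flooder that also probes ports
    tcp("192.0.2.5", 51000, "198.51.100.10", 80, "SYN"),
    tcp("192.0.2.5", 51000, "198.51.100.10", 80, "ACK", payload=312),
    tcp("192.0.2.5", 51000, "198.51.100.10", 80, "FIN", "ACK"),
    *[tcp("203.0.113.7", 40000 + i, "198.51.100.10", 80, "SYN") for i in range(6)],
    *[tcp("203.0.113.7", 41000, "198.51.100.11", port, "SYN") for port in (21, 22, 23)],
]

if __name__ == "__main__":
    print("Rate (syns by dst_port):", rate_section(SAMPLE, WINDOW_S, "dst_port", "syns"))
    print("Ratio (dst_ip_ratio):", ratio_section(SAMPLE, "dst_ip_ratio"))
    print("Port scan:", scan_section(SAMPLE, "src_ip_many_port"))
```

Reading the output the way the table is meant to be read: the dst_ip_ratio of 7.0 for the web server shows seven SYNs per completed connection where a healthy ratio sits near 1, which is exactly the signal a syn_by_fin threshold is tuned against, and the src_ip_many_port value of 4 for the flooder is what the port scan policy keys on.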