Table Of Contents
Using Interactive Detect Mode
Overview
Activating Interactive Detect Mode
Deactivating Interactive Detect Mode
Displaying Recommendations
Managing Recommendations
Using Interactive Detect Mode
When you enable zone anomaly detection, the Cisco Traffic Anomaly Detector Module (Detector module) analyses the zone traffic and searches for policy thresholds that have been exceeded. Once it detects a policy threshold that has been exceeded, it analyses the traffic and creates a set of filters (dynamic filters) to handle the traffic. The dynamic filters can either be activated automatically or interactively. This chapter describes the interactive detect mode and includes the following major sections:
•
Overview
•
Activating Interactive Detect Mode
•
Deactivating Interactive Detect Mode
•
Displaying Recommendations
•
Managing Recommendations
Overview
When a DDoS attack begins, the Detector module policies create dynamic filters. When the zone is in interactive detect mode, the Detector module does not activate these dynamic filters automatically but waits for you to decide what action to take. The filters that await your decision are called pending dynamic filters. The Detector module groups the pending dynamic filters into recommendations according to the policy that produced them. A recommendation summarizes its pending filters: the name of the policy whose threshold was exceeded, the data on the traffic anomaly that activated the policy, the number of pending dynamic filters, and the recommended action. You decide which pending dynamic filters to accept, ignore, or hand over to automatic activation, which gives you greater control over the actions taken while an attack is in progress.
The Detector module continues to produce pending dynamic filters as long as the zone is in interactive detect mode. You can activate interactive detect mode at any time during zone anomaly detection, but you can view recommendations and their pending dynamic filters only if the zone is in interactive detect mode and a DDoS attack on the zone is in progress. You can configure interactive detect mode when defining the zone, before or after activating zone detection.
When the Detector module has more than 1,000 pending dynamic filters, it performs the following actions:
•
Displays an error message instructing you to deactivate the zone and reactivate it in automatic detect mode.
•
Records the recommendations in the zone log file and report, and then it discards them.
The Detector module does not display a notification when new recommendations are available. To keep track of recommendations, do one of the following tasks:
•
Use the show command in zone configuration mode to view the status of the zone.
•
Use the event monitor command to receive notification when a new pending dynamic filter is created.
•
Use an external syslog server to receive notification of new pending dynamic filters.
You can stop interactive detect mode at any time and return to automatic detect mode. The Detector module disregards any decisions made while in the interactive detect mode and accepts all currently pending dynamic filters. The policies resume their role of automatically producing and activating the dynamic filters. See "Configuring Policy Templates and Policies".
Activating Interactive Detect Mode
To activate interactive detect mode for an existing zone, enter the interactive command in zone configuration mode.
To create a new zone configured for interactive detect mode, enter the following command in configuration mode:
zone new-zone-name interactive
The new-zone-name argument specifies the name of the new zone. The zone name is an alphanumeric string that must start with a letter, cannot include any spaces, and can have no more than 63 characters.
The following example shows how to create a new zone configured for interactive detect mode:
user@DETECTOR-conf# zone scannew interactive
The new zone is created with a default zone template that is configured for interactive detect mode. See for more information.
Deactivating Interactive Detect Mode
To deactivate the interactive detect mode, enter the no interactive command in zone configuration mode. When you deactivate the interactive detect mode, the interactive status of the policies becomes always-accept.
The following example shows how to deactivate interactive detect mode for the zone scannet:
user@DETECTOR-conf-zone-scannet# no interactive
Displaying Recommendations
You can display a list of all recommendations, a list of pending dynamic filters, or a specific recommendation for a zone by entering the following command in zone configuration mode:
show recommendations [recommendation-id] [pending-filters]
Table 8-1 provides the keywords and arguments for the show recommendations command.
Table 8-1 Keywords and Arguments for the show recommendations Command
recommendation-id
    (Optional) The identification number of a specific recommendation.
pending-filters
    (Optional) Displays the pending dynamic filters of the specified recommendation.
The following example shows how to display a list of all recommendations:
user@DETECTOR-conf-zone-scannet# show recommendations
Table 8-2 describes the fields in the show recommendations command output.
Table 8-2 Field Descriptions for the show recommendations Command Output
ID
    The recommendation identification number.
Policy
    The policy that created the recommendation.
Threshold
    The policy threshold that was exceeded.
Detection date
    The date and time that the recommendation was created.
Attack flow
    The characteristics of the attack flow: the protocol number, source IP address, source port, destination IP address, destination port, and whether or not the traffic is fragmented. A fragmentation value of any indicates that both fragmented and nonfragmented traffic is present.
Min current rate
    The minimum attack rate, in pps. For a recommendation with several pending dynamic filters, this is the lowest current rate among them.
Max current rate
    The maximum attack rate, in pps. For a recommendation with several pending dynamic filters, this is the highest current rate among them.
No. of pending-filters
    The number of pending dynamic filters that were created because the policy threshold was exceeded.
Recommended action
    The recommended action. The Detector module takes this action if you accept the recommendation.
Use the show recommendations command first to obtain the recommendation IDs; then use show recommendations recommendation-id pending-filters to display the pending dynamic filters of one recommendation.
Table 8-3 describes the fields in the show recommendations pending-filters command output.
Table 8-3 Field Descriptions for the show recommendations pending-filters Command Output
ID
    The recommendation identification number.
Policy
    The policy that created the recommendation.
Threshold
    The policy threshold, in pps, that was exceeded.
Pending-filter-id
    The pending dynamic filter identification number.
Detection date
    The date and time that the recommendation was created.
Attack flow
    The flow characteristics of the attack: the protocol number, source IP address, source port, destination IP address, destination port, and whether or not the traffic is fragmented. A fragmentation value of any indicates that both fragmented and nonfragmented traffic is present.
Triggering rate
    The attack rate, in pps, that triggered the creation of the pending dynamic filter.
Current rate
    The current attack rate, in pps.
Recommended action
    The recommended action. The Detector module takes this action if you accept the pending dynamic filter.
Action flow
    The characteristics of the traffic flow to the zone that results if you accept the pending dynamic filter: the protocol number, source IP address, source port, destination IP address, destination port, and whether or not the traffic is fragmented. A fragmentation value of any indicates that both fragmented and nonfragmented traffic is present.
A value of * for any of the parameters indicates one of the following:
•
The value is undetermined.
•
More than one value was measured for the parameter.
Note
You can view recommendations and their pending dynamic filters only if the zone is in interactive detect mode on the Detector module and a DDoS attack on the zone is in progress.
The following example shows how to display the pending dynamic filters of recommendation 135:
user@DETECTOR-conf-zone-scannet# show recommendations 135 pending-filters
Managing Recommendations
You can decide whether or not to activate recommendations. You can make decisions for all recommendations, a specific recommendation, or for a specific pending dynamic filter. Your decisions determine whether or not the pending dynamic filters in a policy become dynamic filters and for how long.
You can instruct the Detector module to activate the pending dynamic filters of a specific policy automatically, and you can prevent a policy from producing recommendations at all. Because the policies keep producing recommendations as long as the zone is in interactive detect mode and a DDoS attack is in progress, view the zone status while you manage recommendations so that you can determine whether additional actions are required.
The zone policies can take the following actions:
•
notify—The policy records an event in the Detector syslog. The event identifies the policy whose threshold was exceeded.
•
remote-activate—The Detector activates one or more remote Guards to start protecting the zone.
Note
When you accept a recommendation, additional recommendations that contain the same or partial flow as the accepted recommendation and have the same action and timeout are also accepted. The Detector module deletes these recommendations.
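The rules on this page that decide what an operator sees and what an accept does (grouping of pending filters by policy, the * wildcard of Tables 8-2 and 8-3, the min and max current rates, the 1,000-filter limit, and the cascade in the Note above) are easier to check as executable logic. The following Python model is an example added to this page; it is not Cisco code and does not reproduce the Detector module's internal representation or CLI output. The class and function names, the policy paths below /dns_tcp/53/analysis/, the constructed pending filters, the assumption that one policy produces a single action and timeout, and the reading of "same or partial flow" as "the accepted recommendation's flow equals or, through * wildcards, covers the other recommendation's flow" are all assumptions made here.

```python
"""Model of the recommendation workflow on this page (added example, not Cisco code).

Data structures, names and sample data are constructed to mirror the fields of
Tables 8-2 and 8-3; the Detector module's real internal format is not on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FLOW_FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port", "fragmented")
WILDCARD = "*"               # page: value undetermined, or more than one value measured
PENDING_FILTER_LIMIT = 1000  # page: above this the module logs and discards recommendations


@dataclass
class PendingFilter:
    filter_id: int
    policy: str                # policy path that produced the filter (assumed format)
    threshold: int             # pps threshold that was exceeded
    flow: Dict[str, str]       # FLOW_FIELDS -> value, "*" = undetermined
    triggering_rate: int       # pps when the filter was created
    current_rate: int          # pps now
    action: str                # "notify" or "remote-activate"
    timeout: str               # "forever" or a number of seconds as a string (assumed)


@dataclass
class Recommendation:
    rec_id: int
    policy: str
    threshold: int
    attack_flow: Dict[str, str]
    min_rate: int
    max_rate: int
    action: str
    timeout: str
    filters: List[PendingFilter]


def make_flow(proto, src_ip, src_port, dst_ip, dst_port, fragmented) -> Dict[str, str]:
    return dict(zip(FLOW_FIELDS, (proto, src_ip, src_port, dst_ip, dst_port, fragmented)))


def summarize_flow(flows: List[Dict[str, str]]) -> Dict[str, str]:
    """Per field, the shared value if every filter agrees, otherwise '*' (several values measured)."""
    summary = {}
    for name in FLOW_FIELDS:
        values = {flow[name] for flow in flows}
        summary[name] = values.pop() if len(values) == 1 else WILDCARD
    return summary


def build_recommendations(pending: List[PendingFilter]) -> List[Recommendation]:
    """Group pending filters by the policy that produced them: one recommendation per policy."""
    by_policy: Dict[str, List[PendingFilter]] = {}
    for pf in pending:
        by_policy.setdefault(pf.policy, []).append(pf)
    recs = []
    for rec_id, (policy, pfs) in enumerate(sorted(by_policy.items()), start=1):
        # Assumption: all filters of one policy share the recommended action and timeout.
        assert len({(p.action, p.timeout) for p in pfs}) == 1
        rates = [p.current_rate for p in pfs]
        recs.append(Recommendation(rec_id, policy, pfs[0].threshold,
                                   summarize_flow([p.flow for p in pfs]), min(rates), max(rates),
                                   pfs[0].action, pfs[0].timeout, pfs))
    return recs


def covers(outer: Dict[str, str], inner: Dict[str, str]) -> bool:
    """True when 'inner' equals 'outer' or is a more specific part of it ('*' in outer matches anything)."""
    return all(outer[f] == WILDCARD or outer[f] == inner[f] for f in FLOW_FIELDS)


def accept(recs: List[Recommendation], rec_id: int) -> Tuple[List[PendingFilter], List[Recommendation]]:
    """Accept one recommendation and apply the Note's cascade (interpretation assumed): every other
    recommendation whose flow is the same as or part of the accepted flow, with the same action and
    timeout, is accepted too. Returns (filters that become dynamic filters, recommendations still pending)."""
    target = next(r for r in recs if r.rec_id == rec_id)
    activated, remaining = [], []
    for r in recs:
        same_decision = r.action == target.action and r.timeout == target.timeout
        if r is target or (same_decision and covers(target.attack_flow, r.attack_flow)):
            activated.extend(r.filters)
        else:
            remaining.append(r)
    return activated, remaining


def check_limit(pending: List[PendingFilter], zone_log: List[str]) -> bool:
    """Model the 1,000-filter limit: record the recommendations in the zone log, discard them,
    and return False so the caller can tell the operator to reactivate in automatic detect mode."""
    if len(pending) <= PENDING_FILTER_LIMIT:
        return True
    for rec in build_recommendations(pending):
        zone_log.append(f"discarded recommendation {rec.rec_id} policy={rec.policy} filters={len(rec.filters)}")
    pending.clear()
    return False


# Constructed sample: two policies under /dns_tcp/53/analysis/ and one UDP policy (paths assumed).
SAMPLE_PENDING = [
    PendingFilter(1, "/dns_tcp/53/analysis/syn", 5000, make_flow("6", "10.1.1.5", "*", "192.0.2.10", "53", "no"), 5400, 6200, "notify", "600"),
    PendingFilter(2, "/dns_tcp/53/analysis/syn", 5000, make_flow("6", "10.1.1.6", "*", "192.0.2.10", "53", "no"), 5100, 4800, "notify", "600"),
    PendingFilter(3, "/dns_tcp/53/analysis/tcp_ratio", 1000, make_flow("6", "10.1.1.5", "*", "192.0.2.10", "53", "no"), 1300, 1250, "notify", "600"),
    PendingFilter(4, "/dns_udp/53/analysis/udp_flood", 8000, make_flow("17", "*", "*", "192.0.2.10", "53", "any"), 9000, 9900, "remote-activate", "forever"),
]

if __name__ == "__main__":
    recs = build_recommendations(SAMPLE_PENDING)
    for r in recs:
        print(f"{r.rec_id} {r.policy} src={r.attack_flow['src_ip']} min={r.min_rate} max={r.max_rate} pending={len(r.filters)}")
    activated, remaining = accept(recs, 1)
    print("activated:", [f.filter_id for f in activated], "still pending:", [r.rec_id for r in remaining])
```

Run directly, the model builds three recommendations from the constructed filters. The SYN recommendation shows src_ip as * because its two filters came from different sources, with min and max current rates of 4800 and 6200 pps. Accepting it activates its two filters and, by the cascade, the tcp_ratio recommendation (same action and timeout, flow covered by the accepted one), while the UDP recommendation with a different action stays pending. The check_limit function shows the documented overflow behaviour: the recommendations are written to the zone log and dropped, and the operator is expected to reactivate the zone in automatic detect mode.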
To decide on recommendations for a zone, enter the following command in zone configuration mode:
recommendation recommendation-id [pending-filters pending-filter-id] decision [timeout]
Table 8-4 provides the arguments and keywords for the recommendation command.
Table 8-4 Arguments and Keywords for the recommendation Command
recommendation-id
    The identification number of a specific recommendation. An asterisk (*) is a wildcard that selects all recommendations.
pending-filter-id
    (Optional) The identification number of a specific pending dynamic filter.
decision
    The action taken on the recommendation. The following are possible values:
    • accept—Accepts the recommendation. Its pending dynamic filters become dynamic filters.
    • always-accept—Accepts the recommendation and applies the same decision automatically whenever the policy produces new recommendations; their pending dynamic filters become dynamic filters without further intervention. After this decision, the Detector module no longer displays recommendations from that policy.
    • always-ignore—Ignores the recommendation and automatically ignores all future recommendations produced by the policy; neither dynamic filters nor pending dynamic filters are produced. After this decision, the Detector module no longer displays recommendations from that policy.
timeout
    (Optional) The length of time that the decision applies. The following are possible values:
    • forever—Activates the dynamic filters produced by the recommendations for as long as detection is in effect. See the "Configuring Dynamic Filters" section for more information.
    • new-timeout—Activates the dynamic filters produced by the policies for a period that you define, in seconds. See the "Configuring Dynamic Filters" section for more information.
You can configure the interactive status for a specific policy, or any part of it, and decide whether or not that part of the policy should produce recommendations and pending dynamic filters. Configuring the interactive status of a policy gives you control and enables you to improve how policies adapt to traffic flows. See "Configuring the Policy Interactive Status" section for more information.
The Detector module does not display recommendations from policies whose decision is always-accept or always-ignore. When you decide to always ignore or always accept a recommendation, your decision becomes part of the interactive status of the policy that created the recommendation.
You can disable or inactivate a policy in order to prevent it from producing recommendations and their pending dynamic filters. Use the state command to disable or inactivate a policy. See the "Changing the Policy State" section for more information.
The following example configures the interactive status of the dns_tcp policy with service 53 at the analysis detection level:
user@DETECTOR-conf-zone-scannet-policy-/dns_tcp/53/analysis/# interactive-status always-accept
See the "Understanding Policy Path Sections" section for more information.