Table Of Contents
Product Overview
Understanding the Cisco Traffic Anomaly Detector Module
Understanding DDoS
Understanding Zones
Understanding How the Detector Module Operates
Understanding the Learning Process
Understanding the Zone Policies
Understanding How the Detector Module Performs Zone Anomaly Detection
Understanding the Detect and Learn Function
Using Attack Reports
Understanding the Anomaly Detection Process
Product Overview
This guide provides instructions for the Cisco Traffic Anomaly Detector Module (Detector module). It describes how to perform administration tasks and the general operations needed to run the Detector module, and explains how to use the Detector module.
This chapter provides a general overview of the Cisco Traffic Anomaly Detector Module (Detector) and describes its components and how it works. The chapter contains the following sections:
• Understanding the Cisco Traffic Anomaly Detector Module
• Understanding DDoS
• Understanding Zones
• Understanding How the Detector Module Operates
• Understanding the Anomaly Detection Process
Understanding the Cisco Traffic Anomaly Detector Module
You can install the Cisco Traffic Anomaly Detector Module (Detector module) in one of the following products:
• Catalyst 6500 series switch with a Supervisor Engine 2 and a Multilayer Switch Feature Card 2 (MSFC2), or Supervisor Engine 720. The Catalyst 6500 requires IOS Release 12.2(18)SXD3 and later releases.
• Cisco 7600 series router with a Supervisor Engine 720. The Cisco 7600 series router requires IOS Release 12.2(18)SXE and later releases.
You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module.
The Detector module analyzes the zone traffic and sends out an alert when a DoS attack is detected. The Detector module can detect attacks and activate protection mechanisms. It is best suited to work alongside the Cisco Anomaly Guard Module, but it can also operate as a separate DDoS detection and alarm component.
The Detector module constantly monitors the traffic, tracks the zone traffic characteristics that might indicate evolving attack patterns, and can activate a configured Cisco Anomaly Guard Module to mitigate these attacks.
The Detector module uses the following features to monitor traffic:
• An algorithm-based system that learns the zone traffic, adapts itself to the traffic characteristics, and provides the Detector module with references and instructions in the form of thresholds and policies.
• A system that either remotely activates Cisco Anomaly Guard Modules to assume protection over the zone or zones, or records the traffic anomalies in the Detector module syslog.
Using these features the Detector module can assume its detection role while unobtrusively remaining in the background.
Understanding DDoS
Distributed Denial of Service (DDoS) attacks occur when malicious users cause thousands of compromised computers (zombies) to run automated scripts that hinder a protected server's network resources with spurious requests for service. The attacks can be a flood of spurious home page requests to a Web server that shuts out legitimate users or efforts that compromise the availability and accuracy of Domain Name System (DNS) servers. Although often launched by an individual, the compromised computers that actually execute the attacking code may number in the hundreds of thousands, and are distributed over multiple autonomous systems and may be administered by multiple organizations. These distributed attacks generate a traffic volume that cannot be handled by the lower bandwidths available at a typical zone. See the "Understanding Zones" section for information about zones.
A DDoS defense system has to be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network.
Understanding Zones
The Detector module monitors a network element, known as the zone, for DDoS attacks. A zone can be one of the following elements:
• A network server, client, or router
• A network link, a subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
• Any combination of the above
After the Detector module identifies a DDoS attack, it can activate a Cisco Anomaly Guard Module automatically to protect the zone against the attack or it can notify the user to activate the Cisco Anomaly Guard Module manually.
The Detector module can analyze the traffic for different zones simultaneously as long as their network address ranges do not overlap.
When you define a zone, you configure parameters such as the network addresses and the policies that the Detector module uses for zone anomaly detection. You assign a name to the zone, and use this name to refer to it.
Understanding How the Detector Module Operates
The Detector module analyzes the traffic for evolving signs of an upcoming DDoS attack. Once a traffic abnormality is detected, the Detector module either records the event in its syslog or remotely activates the remote Guards on its lists. These remote Guards protect the zones against the evolving DDoS attack. Figure 1-1 illustrates the detection operation.
You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module.
Figure 1-1 Cisco Traffic Anomaly Detector Module Operation
The Detector module learns the zone traffic characteristics so that it can form a basis on which to compare zone traffic and trace any anomalies that might become malicious.
This section contains the following topics:
• Understanding the Learning Process
• Understanding the Zone Policies
• Understanding How the Detector Module Performs Zone Anomaly Detection
• Understanding the Detect and Learn Function
• Using Attack Reports
Understanding the Learning Process
The learning process consists of the following two phases:
• Policy Construction Phase—Creates the zone policies. The policy templates provide the rules that the Detector module uses to construct the zone policies. The traffic flows transparently through the Detector module, which allows it to discover the main services that the zone uses.
• Threshold Tuning Phase—Tunes the zone policies to fit the traffic rates of the zone services. The traffic flows transparently through the Detector module, which enables it to tune the thresholds for the services that it discovered during the policy construction phase.
Understanding the Zone Policies
The zone policies are the building blocks of the Detector module and are the basis to which the Detector module compares the zone traffic in order to trace any anomalies that might become malicious. When the traffic flow exceeds a policy threshold, the Detector identifies the traffic as abnormal or malicious and configures a set of filters (dynamic filters) dynamically to apply the appropriate detection level to the traffic flow according to the severity of the attack.
See "Configuring Zones" for more information on traffic learning. See "Configuring Policy Templates and Policies" for more information on zone policies.
Understanding How the Detector Module Performs Zone Anomaly Detection
You can activate the Detector protection in the following ways:
• Automatic protect mode—The dynamic filters are activated automatically.
• Interactive protect mode—The dynamic filters are activated manually and interactively. The dynamic filters are grouped as recommended actions for you to complete. You can review these recommendations and decide whether to accept them, ignore them, or direct them to automatic activation.
See "Using Interactive Detect Mode" for more information.
Understanding the Detect and Learn Function
You can activate the threshold tuning phase and activate zone detection simultaneously (the detect and learn function) to enable the Detector module to learn the zone policy thresholds and at the same time monitor the policy thresholds for traffic anomalies. When the Detector module detects an attack, it stops the learning process but continues zone detection. This process prevents the Detector module from learning malicious traffic thresholds. The Detector module resumes the learning process when the attack ends. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section for more information.
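The two learning phases, the threshold comparison that produces a dynamic filter, and the detect and learn rule (learning suspended while an attack is active, resumed when it ends) can be modelled in a few dozen lines. The following Python is an added illustration, not Cisco's implementation or its CLI: the service names, the baseline traffic samples, the one-policy-per-service template rule, the 1.5x headroom factor and the severity split are all constructed assumptions.

```python
"""Model of the Detector module's two-phase learning (policy construction, then
threshold tuning) and of the detect and learn function. Added illustration, not
Cisco's implementation: service names, traffic samples, the one-policy-per-service
template rule and the 1.5x headroom factor are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

HEADROOM = 1.5   # assumed tuning rule: threshold = 1.5 x highest clean rate seen

# Constructed baseline samples: (service, packets per second in one interval)
BASELINE_SAMPLES = [
    ("http/80", 900), ("http/80", 1100), ("http/80", 1000),
    ("dns/53", 180), ("dns/53", 220), ("dns/53", 200),
]


@dataclass
class ZonePolicy:
    service: str
    threshold: float = 0.0      # pps above which zone traffic is abnormal


@dataclass
class Zone:
    name: str
    policies: dict = field(default_factory=dict)
    attack_active: bool = False
    dynamic_filters: list = field(default_factory=list)


def policy_construction(zone, samples):
    """Phase 1: the traffic reveals which services the zone uses; the
    (assumed) template rule creates one policy per discovered service."""
    for service, _ in samples:
        zone.policies.setdefault(service, ZonePolicy(service))
    return sorted(zone.policies)


def threshold_tuning(zone, samples):
    """Phase 2: tune each policy threshold to the rates observed for its service."""
    peaks = defaultdict(float)
    for service, pps in samples:
        if service in zone.policies:
            peaks[service] = max(peaks[service], pps)
    for service, peak in peaks.items():
        policy = zone.policies[service]
        policy.threshold = max(policy.threshold, peak * HEADROOM)
    return {s: p.threshold for s, p in zone.policies.items()}


def detect(zone, service, pps, learn=False):
    """Compare one interval of traffic against the zone policy.

    Returns the dynamic filter produced, or None when the traffic is normal.
    With learn=True (detect and learn) the threshold keeps being tuned from
    clean traffic, but tuning is suspended while an attack is active, so the
    attack rate never becomes the learned baseline; tuning resumes once the
    rate falls back under the threshold (attack ends, dynamic filters expire).
    """
    policy = zone.policies.get(service)
    if policy is None:
        return None     # no policy for this service: nothing to compare against
    if pps > policy.threshold:
        zone.attack_active = True
        severity = "high" if pps > 2 * policy.threshold else "medium"
        dynamic_filter = {"service": service, "severity": severity,
                          "action": "activate-guard"}
        zone.dynamic_filters.append(dynamic_filter)
        return dynamic_filter
    if zone.attack_active:          # rate back to normal: attack over
        zone.attack_active = False
        zone.dynamic_filters.clear()
    if learn:
        policy.threshold = max(policy.threshold, pps * HEADROOM)
    return None


def run_demo():
    """Walk a constructed zone through learning, an attack, and recovery."""
    zone = Zone("web-zone")
    policy_construction(zone, BASELINE_SAMPLES)
    thresholds = threshold_tuning(zone, BASELINE_SAMPLES)
    attack = detect(zone, "http/80", 5000, learn=True)     # flood: filter produced
    after_attack = zone.policies["http/80"].threshold     # unchanged by the flood
    recovery = detect(zone, "http/80", 1000, learn=True)   # clean again: learning resumes
    return {
        "thresholds": thresholds,
        "attack_filter": attack,
        "threshold_after_attack": after_attack,
        "recovery_filter": recovery,
        "attack_active": zone.attack_active,
        "dynamic_filters": list(zone.dynamic_filters),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `run_demo` is the third and fourth steps: the 5000 pps flood produces a high-severity dynamic filter but leaves the learned threshold at 1650, because `detect` returns before the learning branch while an attack is in progress; only the clean 1000 pps interval that follows is allowed to feed the tuning again.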
Using Attack Reports
The Detector provides an attack report for every zone so that you can display the zone status. The attack report provides details of the attack, starting with the production of the first dynamic filter, and ending with protection termination. See "Understanding Attack Reports," for more information.
Understanding the Anomaly Detection Process
The Detector module uses three types of filters to direct the zone traffic to the required detection level. You can configure these filters to customize the traffic direction and the functions that the Detector module uses to detect traffic anomalies.
The Detector module uses the following types of filters:
• Bypass filters—Prevent the Detector module from handling specific traffic flows.
• Flex-Content filters—Count a specified packet flow. The flex-content filter provides extremely flexible filtering capabilities such as filtering according to fields in the IP and TCP headers and filtering according to content bytes.
• Dynamic filters—Apply the analysis detection level to the traffic flow. The Detector module creates dynamic filters as the result of the analysis of traffic flow. The dynamic filters either record the event in the Detector module syslog, or activate a Cisco Anomaly Guard Module to protect the zone. Dynamic filters have a limited life span and are erased after the attack ends.
The Detector module performs a statistical analysis of the traffic and coordinates between the policies, which monitor the zone traffic for anomalies, and the filter system.
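How the three filter types divide up a stream of zone traffic is easier to see on a concrete packet list. The Python below is an added illustration of that division, not Cisco's implementation: the packet fields, the sample packets (RFC 5737 documentation addresses), the evaluation order (bypass first, then flex-content counting, then dynamic filters) and the interval-numbered expiry of dynamic filters are constructed assumptions.

```python
"""Model of the three filter types the Detector module applies to zone traffic
(bypass, flex-content, dynamic). Added illustration, not Cisco's implementation:
packet fields, sample traffic, the evaluation order and the interval-based
expiry of dynamic filters are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    tcp_flags: str = ""   # e.g. "S" for a SYN-only segment
    payload: bytes = b""


# Constructed sample interval of traffic toward a zone (documentation addresses)
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", "tcp", 80, "S"),
    Packet("192.0.2.11", "10.0.0.5", "tcp", 80, "S"),
    Packet("192.0.2.12", "10.0.0.5", "tcp", 80, "S"),
    Packet("198.51.100.7", "10.0.0.5", "tcp", 80, "PA", b"GET / HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.53", "udp", 53, "", b"\x12\x34\x01\x00"),
    Packet("10.0.0.200", "10.0.0.5", "tcp", 22, "PA"),   # zone's own management host
]


@dataclass
class BypassFilter:
    """Traffic matching a bypass filter is not handled by the Detector at all."""
    src_prefix: str

    def matches(self, p: Packet) -> bool:
        return p.src.startswith(self.src_prefix)


@dataclass
class FlexContentFilter:
    """Counts packets selected by IP/TCP header fields and/or payload bytes."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    tcp_flags: Optional[str] = None
    payload_prefix: Optional[bytes] = None
    count: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.tcp_flags is None or p.tcp_flags == self.tcp_flags)
                and (self.payload_prefix is None
                     or p.payload.startswith(self.payload_prefix)))


@dataclass
class DynamicFilter:
    """Produced by traffic analysis; applies a detection action to a flow and
    lives only until expires_at (an interval number), after which it is erased."""
    dst: str
    dport: int
    action: str           # "syslog" or "activate-guard"
    expires_at: int

    def matches(self, p: Packet) -> bool:
        return p.dst == self.dst and p.dport == self.dport


def process_interval(packets, bypass, flex, dynamic, now):
    """Run one interval of packets through the filter system.

    Returns (summary, live_dynamic): the number of bypassed packets, the
    per-filter flex-content counts, the (src, action) pairs the dynamic
    filters applied, and the dynamic filters still alive at interval `now`.
    """
    live = [d for d in dynamic if d.expires_at > now]   # expired filters are erased
    summary = {"bypassed": 0, "flex": {}, "actions": []}
    for p in packets:
        if any(b.matches(p) for b in bypass):
            summary["bypassed"] += 1
            continue                       # bypassed flows are never analyzed
        for f in flex:
            if f.matches(p):
                f.count += 1
        for d in live:
            if d.matches(p):
                summary["actions"].append((p.src, d.action))
                break
    summary["flex"] = {f.name: f.count for f in flex}
    return summary, live


def run_demo(now=3):
    """Apply a constructed filter set to SAMPLE_PACKETS at interval `now`."""
    bypass = [BypassFilter("10.0.0.")]          # zone's own hosts are not inspected
    flex = [FlexContentFilter("syn-to-http", proto="tcp", dport=80, tcp_flags="S"),
            FlexContentFilter("dns-queries", proto="udp", dport=53)]
    dynamic = [DynamicFilter("10.0.0.5", 80, "activate-guard", expires_at=5)]
    return process_interval(SAMPLE_PACKETS, bypass, flex, dynamic, now)


if __name__ == "__main__":
    summary, live = run_demo()
    print(summary)
    print("dynamic filters still live:", len(live))
```

Running `run_demo(now=3)` bypasses the one packet from the zone's own host, counts three SYN-only segments toward port 80 and one DNS query, and applies the dynamic filter's action to the four flows aimed at 10.0.0.5:80; calling it with `now=6` shows the same counters but no actions, because the dynamic filter has passed its life span and been dropped.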