Table Of Contents
Creating and Configuring Zones
Zone Overview
Zone Protection Activation Methods and Coverage Options
Protection Activation Methods
Extent of Zone Protection
Understanding Sub-zones
Creating a Zone from a Zone Template
Creating a Zone from an Existing Zone
Modifying a Zone Configuration
Adding an IP Address to a Zone Configuration
Deleting an IP Address from a Zone Configuration
Deleting a Zone
Creating and Configuring Zones
This chapter describes how to create and manage Detector module zones.
This chapter includes the following sections:
• Zone Overview
• Zone Protection Activation Methods and Coverage Options
• Creating a Zone from a Zone Template
• Creating a Zone from an Existing Zone
• Modifying a Zone Configuration
• Adding an IP Address to a Zone Configuration
• Deleting an IP Address from a Zone Configuration
• Deleting a Zone
Zone Overview
A zone is a network element that the Detector module monitors for DDoS attacks. You can create a zone that represents one or all of the following network objects:
• A network server, client, or router
• A network link or subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
Once the Detector module identifies a DDoS attack, it can activate a Cisco Anomaly Guard Module automatically to protect the zone against the attack or it can notify you to activate the Cisco Anomaly Guard Module manually. The Detector module can monitor the traffic of multiple zones simultaneously providing their network address ranges do not overlap. When you create a new zone, you create a zone configuration that includes the following attributes:
• Zone description—Defines the zone name and description.
• Zone network definition—Defines the zone network attributes, which include the zone network IP address and subnet mask.
• Policy templates—Define the types of policies the Detector module creates when you perform the learning process. Each zone template contains a set of policy templates.
• Policies—Analyze zone traffic and execute an action when the zone receives a traffic anomaly. Each zone configuration has its own set of policies, whether they are the default policies that came with the zone template or the zone-specific policies created during the learning process. Each policy executes an action when the zone traffic exceeds the policy threshold, indicating an attack. Policy actions can range from sending a notification to activating a Cisco Anomaly Guard Module to protect the zone against the DDoS attack.
• Zone filters—Direct the zone traffic to the required protection level and define the way the Detector module handles specific traffic flows. You can use zone filters to count a specific traffic flow, or to bypass the Detector module anomaly detection features. You can modify the default filter configurations to produce customized zone filter configurations that determine which anomaly detection features the Detector module applies to the traffic flow.
You can create a zone using one of the following methods:
• Use a pre-defined Detector module or Cisco Anomaly Guard Module zone template—You create a zone based on the configuration of one of the Detector or Guard zone templates. Guard zone templates allow you to synchronize the zone configuration information between a Detector module and a Cisco Anomaly Guard Module. You configure the manual and automatic functions of zone synchronization using the CLI (refer to the Cisco Traffic Anomaly Detector Module Configuration Guide for more information).
  Detector zone templates are for use only with the Detector module. Use the Detector module zone templates when you do not need to synchronize zone configuration information.
  Each zone template has a set of pre-configured policies that define the network services the Detector module monitors. A zone template also contains a set of policy templates that the Detector module uses during the learning process when analyzing the zone traffic and creating policies for services it detects. Each new policy the Detector module creates during the learning process is constructed using the rules of the corresponding policy template.
• Use an existing zone as a template—You create a new zone based on an existing zone configuration, which includes the policies and policy threshold values of the existing zone. If the traffic characteristics of the new zone are identical to those of the existing zone, you do not have to perform the learning process on the new zone. If the traffic characteristics of the two zones differ, you need to perform the learning process on the new zone so that the Detector module can analyze the zone traffic and make the necessary policy modifications to the new zone configuration.
Zone Protection Activation Methods and Coverage Options
When you define a zone configuration using a GUARD_ zone template for zone synchronization, you can define the trigger, or activation method, the Cisco Anomaly Guard Module uses to automatically activate zone protection. You can also define the extent of the area the Cisco Anomaly Guard Module protects. For example, the Cisco Anomaly Guard Module can protect the entire zone or just a specific area within the zone.
This section includes the following information:
• Protection Activation Methods
• Extent of Zone Protection
• Understanding Sub-zones
Protection Activation Methods
The Cisco Anomaly Guard Module can activate zone protection based on a zone name or the information it extracts from the traffic you divert to it.
The following protection activation methods are available:
• Zone name—The Cisco Anomaly Guard Module activates zone protection based on the zone name. An external indication to activate protection must include the zone name. This is the default method the Cisco Anomaly Guard Module uses for activating zone protection.
• IP address—The Cisco Anomaly Guard Module activates zone protection when it receives an external indication that consists of an IP address or subnet that is part of the zone. The Cisco Anomaly Guard Module scans the zone database and activates the zone whose address range includes the received IP address or subnet. If you have configured several zones with an address range that includes the received IP address, the Cisco Anomaly Guard Module activates the zone with the longest prefix match, that is, the zone with the most specific address range that includes the received IP address. The received IP address or subnet must be completely included in the zone IP address range.
• Packet—The Cisco Anomaly Guard Module activates zone protection when it receives packets for a zone in its database. When the Cisco Anomaly Guard Module receives the packets, it scans the zone database and activates the zone whose address range includes the received packet IP address. If you have configured several zones with an address range that includes the received packet IP address, the Cisco Anomaly Guard Module activates the zone with the longest prefix match, that is, the zone with the most specific address range that includes the received packet IP address. The received IP address or subnet must be completely included in the zone IP address range.
Extent of Zone Protection
The activation extent defines whether to activate protect mode for the entire zone or for a partial zone once the Cisco Anomaly Guard Module receives an external indication. This indication can be a command from an external device, such as the Detector module, or traffic that is destined to the zone (packet).
The Cisco Anomaly Guard Module supports the following activation extents:
• Entire zone—Activate protection for the entire zone. The Cisco Anomaly Guard Module activates protection when it receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone.
• IP Address only—Activate protection for only a specified IP address or subnet within a zone. When the Cisco Anomaly Guard Module receives traffic that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone, it creates a new zone referred to as a sub-zone (see the "Understanding Sub-zones" section below). This is the default setting for the activation extent parameter.
Understanding Sub-zones
The Cisco Anomaly Guard Module creates a sub-zone when it activates protect mode for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the sub-zone is included in the address range of the source zone.
The sub-zone configuration is identical to the configuration of the source zone apart from the IP address and name. The name of the sub-zone consists of the first 30 characters of the name of the source zone, the IP address, and the subnet, concatenated with underscores. If the sub-zone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address of 10.10.10.0 and a subnet of 255.255.255.0, and the Cisco Anomaly Guard Module activates protect mode for an internal range with IP address 10.10.10.192 and subnet 255.255.255.252, the name of the sub-zone is scannet_10.10.10.192_255.255.255.252. The IP address and subnet of the sub-zone are the ones that the Cisco Anomaly Guard Module received with the external indication, or the IP address of the packet that triggered the Cisco Anomaly Guard Module to activate protect mode.
Once protect mode for the sub-zone ends, the Cisco Anomaly Guard Module erases the sub-zone. Protect mode for a sub-zone is terminated in the same manner as for an ordinary zone, according to the activation method and the protection termination timeout.
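As an added example (not Cisco code), the following Python models two rules described above: the "IP address" and "packet" activation lookup, where an indication must be completely included in a zone range and the longest prefix match wins, and the sub-zone naming rule, plus a check for the non-overlap requirement placed on zones the Detector module monitors. All function names and the sample zone database are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not Cisco code: models the "IP address" / "packet" activation
# lookup (longest prefix match with full containment) and the sub-zone naming
# rule from this chapter. All names and sample zones here are constructed.


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network  # zone IP address plus mask


def zones_overlap(zones: List[Zone]) -> List[Tuple[str, str]]:
    """Name pairs of zones whose ranges overlap. The Detector module only
    monitors several zones at once if their ranges do not overlap, so a
    non-empty result is a configuration to fix before enabling detection."""
    bad = []
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if a.network.overlaps(b.network):
                bad.append((a.name, b.name))
    return bad


def select_zone(zones: List[Zone], indication: str) -> Optional[Zone]:
    """Zone the Guard activates for an external indication: a host address
    (packet destination or single IP) or a CIDR subnet. The indication must
    be completely included in the zone range; among several matching zones
    the longest prefix (most specific range) wins."""
    target = ipaddress.ip_network(indication, strict=False)
    candidates = [z for z in zones if target.subnet_of(z.network)]
    if not candidates:
        return None
    return max(candidates, key=lambda z: z.network.prefixlen)


def subzone_name(source: Zone, indication: str) -> str:
    """First 30 characters of the source zone name, the IP address and, for
    a range, the dotted subnet mask, joined by underscores. A single IP
    address gets no mask suffix."""
    target = ipaddress.ip_network(indication, strict=False)
    parts = [source.name[:30], str(target.network_address)]
    if target.num_addresses > 1:
        parts.append(str(target.netmask))
    return "_".join(parts)


def activation_decision(zones: List[Zone], indication: str,
                        ip_address_only: bool = True) -> Optional[Tuple[str, bool]]:
    """Apply the activation extent: "IP Address only" (the default) turns a
    partial-zone indication into a sub-zone, "Entire zone" protects the
    source zone itself. Returns (zone name, is_subzone) or None."""
    zone = select_zone(zones, indication)
    if zone is None:
        return None  # indication lies outside every configured zone
    target = ipaddress.ip_network(indication, strict=False)
    if ip_address_only and target != zone.network:
        return subzone_name(zone, indication), True
    return zone.name, False


# Constructed Guard zone database. Nested ranges can exist on the Guard,
# which is why the longest prefix match matters; the Detector module cannot
# monitor scannet and scannet_dns together because they overlap.
SAMPLE_ZONES = [
    Zone("scannet", ipaddress.ip_network("10.10.10.0/24")),
    Zone("scannet_dns", ipaddress.ip_network("10.10.10.0/26")),
    Zone("corp_backbone", ipaddress.ip_network("10.20.0.0/16")),
]

if __name__ == "__main__":
    print(zones_overlap(SAMPLE_ZONES))          # [('scannet', 'scannet_dns')]
    print(activation_decision(SAMPLE_ZONES, "10.10.10.192/30"))
```

Running the module reproduces the chapter's scannet example: the /30 indication yields the sub-zone scannet_10.10.10.192_255.255.255.252, while a single host inside 10.10.10.0/26 is matched to the more specific scannet_dns zone.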
Creating a Zone from a Zone Template
To create a new zone using a zone template:
Step 1
Use one of the following methods to display the Create Zone screen:
• Click Detector module Summary from the navigation pane to display the Detector module summary menu, then choose one of the following menu options:
  – Zones > Create Zone
  – Zones > Zone list, and then click Add from the Zone list screen
• Click any zone from the navigation pane to display the zone main menu, then choose Main > Create Zone from the zone main menu.
Step 2
Configure the parameters of the zone configuration as described in Table 4-1.
Table 4-1 Zone Configuration Form Fields

Name
    Name of the new zone. Starting with a letter, enter an alphanumeric string from 1 to 63 characters in length. The string can contain underscores, but cannot contain any spaces.

Description
    Text describing the zone. Enter an alphanumeric string from 1 to 80 characters in length.

Operation mode
    Anomaly detect mode the Detector module operates in during an attack. From the Operation mode drop-down list, choose:
    • Automatic—The Detector module automatically activates all Dynamic filters as it creates them during an attack.
    • Interactive—You decide whether to accept or ignore the Dynamic filters the Detector module produces during an attack and presents to you as Detector module recommendations.
    Refer to the "Changing Zone Operation Modes" section in "Activating Anomaly Detection" for details on zone detect modes.

Zone Template
    Zone template that defines the default policies used in the zone configuration. The Detector module contains two sets of zone templates with the following prefixes:
    • DETECTOR_—Zone templates designed for Detector module use only. Select the DETECTOR_ version of the zone template when you are not going to synchronize the zone configuration with a Cisco Anomaly Guard Module.
    • GUARD_—Zone templates designed for use on the Detector module and the Cisco Anomaly Guard Module. Select the GUARD_ version of the zone template when you plan to synchronize the zone configuration with a Cisco Anomaly Guard Module using the CLI (refer to the Cisco Traffic Anomaly Detector Module Configuration Guide).
    From the Template drop-down list, choose:
    • DETECTOR_DEFAULT—Default Detector module zone template.
    • DETECTOR_WORM—A zone template that enables the Detector module to detect TCP worm attacks on the zone.
    • GUARD_DEFAULT—The Cisco Anomaly Guard Module default zone template. The Cisco Anomaly Guard Module may change the packet source IP address to the Cisco Anomaly Guard Module TCP-proxy IP address. You can use this template if you do not use ACLs (IP-based access lists), access policies, or load-balancing policies based on the incoming IP address for the zone network.
    • GUARD_TCP_NO_PROXY—Zone template designed for a zone for which you do not want the Cisco Anomaly Guard Module to serve as a TCP proxy. You can use this template if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone.
    • Bandwidth Limited Link Templates—Zone templates designed primarily for applications involving a large network of small customers (or zones) where you want to detect attacks on the link rather than on a specific server or service. To use a link template for this purpose, you must be able to segment your zones by known bandwidth. When creating a new zone using a link template, we recommend that you define the zone with a protect-ip state of only-dest-ip (see Protect-IP state in this table). The following Bandwidth Limited Link zone templates are available for 128 K, 1 M, 4 M, and 512 K links, respectively:
      – DETECTOR_LINK_128K
      – DETECTOR_LINK_1M
      – DETECTOR_LINK_4M
      – DETECTOR_LINK_512K
      – GUARD_LINK_128K
      – GUARD_LINK_1M
      – GUARD_LINK_4M
      – GUARD_LINK_512K
    The policies that come with a link template are configured so that you can use them if the zone requires on-demand protection. You cannot perform the policy construction phase of the learning process when using a link template. You can, however, perform the threshold tuning phase (see the "Performing the Learning Process" section in "Learning Zone Traffic").
    We recommend that you activate protect mode on the Cisco Anomaly Guard Module for these zones based on the attacked subnet or range by setting the activation-extent parameter in Step 5 to IP address only.

Protect-IP state
    Guard-protection method the Detector module uses to activate remote Cisco Anomaly Guard Modules. The Guard-protection method you select can save Cisco Anomaly Guard Module resources by allowing the Cisco Anomaly Guard Module to focus on specific zone protection requirements. Choose the state from the Protect-IP state drop-down list:
    • Entire Zone—The Detector module activates the Cisco Anomaly Guard Module to protect the overall zone whenever a traffic anomaly is detected. Use this strategy when the overall zone consists of inter-related zones that must be protected as a group.
    • Only Dst IP—The Detector module activates the Cisco Anomaly Guard Module to apply protection to a specific part of the zone when the Detector module can determine the anomaly target within the zone. Choose this option to apply protection only to the attacked section of the zone rather than expend valuable protection resources on the overall zone.
    • Policy type—The Detector module activates the Cisco Anomaly Guard Module to apply protection over a particular zone once a traffic anomaly can be traced as destined to that zone. The Detector module activates Cisco Anomaly Guard Module protection over the overall zone once the detected anomaly cannot be traced as destined to a particular zone. Use this strategy when the overall zone is composed of zones that are closely related and you want to avoid a situation in which a targeted area within a zone might inflict damage on the overall zone.
    • Only Dst IP by address—The Detector module activates a Cisco Anomaly Guard Module to protect a particular IP address once a traffic abnormality is traced as destined to that IP address. The IP address must be in the address range of one of the zones defined on the Cisco Anomaly Guard Module. However, the name of the zone on the Cisco Anomaly Guard Module does not have to be identical to the zone name on the Detector module. We recommend this strategy when the zone names on the Cisco Anomaly Guard Module are not identical to the zone names on the Detector module, or when the overall zone consists of unrelated sub-zones.
    Note: To ensure that the Cisco Anomaly Guard Module activates protect mode only for the attacked IP address, make sure that the zone is defined on the Cisco Anomaly Guard Module with an activation extent of IP Address Only. This way you can activate the Guard to protect the attacked IP address, but refrain from diverting the traffic of the overall zone to the Guard.

IP address
    Zone IP address.

Mask
    Zone address mask. Select the address mask from the Mask drop-down list.
Step 3
Choose one of the following options:
• OK—Saves the new zone configuration. The zone general view screen appears, displaying the zone configuration information.
  (Optional) To configure the Attack Detection/Termination, Activation, and Packet-Dump parameters shown in the general view screen, click Config to open the Config screen, then proceed to the following steps:
  – Step 4 to configure Attack Detection/Termination parameters (GUARD_ zone templates only)
  – Step 5 to configure Activation parameters (GUARD_ zone templates only)
  – Step 6 to configure Packet Dump parameters
• Clear—Reverts the form information back to the default values and clears any information you added.
• Cancel—Exits the Create Zone screen without saving any information. The Zone List screen appears.
Step 4
(Optional) Configure the Attack Detection/Termination parameters for zones you create using GUARD_ zone templates. This configuration affects the zone on the Cisco Anomaly Guard Module only. Configure the parameters as described in Table 4-2.
Table 4-2 Attack Detection/Termination Parameters

Malicious-rate detection threshold
    Minimum rate of dropped zone packets. If the rate goes lower than this threshold, the Cisco Anomaly Guard Module may end protect mode for the zone. The Cisco Anomaly Guard Module drops zone packets that its protection mechanisms (Dynamic filters, Flex-Content filters, and Rate Limiter) have identified as part of an attack. It counts the dropped packets using the zone Dropped counter. The default Malicious-rate detection threshold is 10 packets per second (pps).

Protection-end timer
    Time at which the Cisco Anomaly Guard Module can terminate protect mode. The Cisco Anomaly Guard Module verifies whether an attack has ended by checking on the Dynamic filters it creates. The Cisco Anomaly Guard Module deactivates protect mode if no Dynamic filters are in use and no new Dynamic filters have been created over a predefined period of time. Enter a value from seconds to an infinite amount of time.

Filter-rate termination threshold
    Threshold value that, together with the Malicious-rate termination threshold, specifies when the Cisco Anomaly Guard Module can deactivate Dynamic filters. Define this threshold in packets per second (pps).

Malicious-rate termination threshold
    Threshold value that, together with the Filter-rate termination threshold, specifies when the Cisco Anomaly Guard Module can deactivate Dynamic filters. Define this threshold in packets per second (pps).
Step 5
(Optional) Configure the Activation range for zones you create using GUARD_ zone templates. This configuration affects the zone on the Cisco Anomaly Guard Module only. Configure the parameters as described in Table 4-3.
Table 4-3 Activation Parameters

Activation interface
    Protection activation method that defines how the Cisco Anomaly Guard Module identifies the zone for which it activates zone protection when it receives an external indication. By default, the Cisco Anomaly Guard Module activates zone protection based on the zone name. To activate zone protection without using the zone name, select one or both of the following alternative activation methods:
    • By packet—The Cisco Anomaly Guard Module activates zone protection based on the destination IP address of the received packets. The Detector module scans the zone database and activates the zone that has an address range that includes the received packet destination IP address.
    • By IP address—The Cisco Anomaly Guard Module activates zone protection based on the received IP address. The Detector module scans the zone database and activates the zone that has an address range that includes the received IP address or subnet.
    Click the check box next to the required activation interface. If you select both By packet and By IP address, the Cisco Anomaly Guard Module uses the IP Address or Packet activation interface. If you do not click either check box, the Cisco Anomaly Guard Module uses the Zone name activation interface.

Activation extent
    Defines whether the Cisco Anomaly Guard Module activates zone protection for the entire zone or for a part of the zone when the Cisco Anomaly Guard Module receives an external indication.
    Choose one of the following options:
    • IP address only—Activate protection only for the specified IP address or subnet within the zone. This is the default activation extent setting.
    • Entire zone—Activate protection for the entire zone.
Step 6
(Optional) Configure the parameters of the Packet Dump area as described in Table 4-4.
Table 4-4 Packet Dump Parameters

Auto Packet Dump
    Click the check box next to one of the following options:
    • On—Enable auto packet dump
    • Off—Disable auto packet dump (default setting)

Max. disk space
    Enter the maximum amount of disk space (in MB) the Detector module is to use for auto packet dumps.
Creating a Zone from an Existing Zone
To create a new zone using an existing zone as a template:
Step 1
Select a zone to be used as a zone template from the navigation pane. The zone main menu appears.
Step 2
Choose Main > Save as from the zone main menu. The Zone Save as screen appears.
Step 3
Define the new zone name. In the Name text field, enter the zone name as an alphanumeric string 1 to 63 characters in length. The string must start with a letter and can contain underscores, but no spaces.
Step 4
Choose one of the following options:
• OK—Saves the new zone configuration. The zone general view screen appears.
• Clear—Reverts the form information back to the default values and clears any information you added.
• Cancel—Exits the Zone Save as screen without saving any information. The zone general view screen appears.
Modifying a Zone Configuration
To modify the parameters of a zone configuration:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Select Configuration > General from the zone main menu. The zone general view appears.
Step 3
Click Config (located below the first table). The Config Zone screen appears.
Step 4
Modify the desired zone parameters (see Table 4-1 for parameter descriptions).
Step 5
Choose one of the following options:
• OK—Saves the new zone configuration. The zone general view screen appears.
• Clear—Reverts the form information back to the default values and clears any information you added.
• Cancel—Exits the Zone Save as screen without saving any information. The zone general view screen appears.
Adding an IP Address to a Zone Configuration
To add an IP address to the zone configuration:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Configuration > General from the zone main menu. The zone general view appears.
Step 3
Click Add (located below the second table). The Add Zone IP screen appears.
Step 4
Enter the following address information:
• IP Address—Zone IP address
• IP Mask—Zone IP address mask
Step 5
Choose one of the following options:
• OK—Saves the new zone configuration. The zone general view screen appears.
• Cancel—Exits the Add Zone IP screen without saving any information. The zone general view screen appears.
If you modify the zone IP address or subnet, perform one of the following tasks:
• If the new IP address or subnet contains a new service that was not previously defined in the zone network, activate the policy construction phase before activating zone detection, or add the service manually. See the "Starting the Policy Construction Phase" section in "Learning Zone Traffic" or the "Adding or Deleting a Service" section in "Managing Zone Policies" for more information.
• If the zone is in the detect and learning operation state, mark the zone policies as untuned. Do not change the status of the zone policies to untuned if there is an attack on the zone, because that prevents the Detector module from detecting the attack and causes the Detector module to learn thresholds from malicious traffic. See the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic" for more information.
• If the zone is not in the detect and learning operation state and you do not plan to activate the detect and learning operation state, activate the threshold tuning phase before activating zone detection. See the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic" for more information.
Deleting an IP Address from a Zone Configuration
To delete an IP address from the zone configuration:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Configuration > General from the zone main menu. The zone general view appears.
Step 3
Check the check box next to each IP address to be deleted. To delete all the IP addresses listed, check the check box in the header, next to the IP column.
Step 4
Click Delete (located below the second table). The IP address is removed from the zone configuration.
Deleting a Zone
To delete one or more zones:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Zones > Zone list from the Detector module main menu. The Zone list screen appears.
Step 3
Check the check box next to each zone to be deleted, then click Delete. To delete all the zones listed, check the check box next to Zone, then click Delete. The delete validation screen appears.
Step 4
Choose one of the following options:
• OK—The zone is deleted and the Zone list is displayed.
• Cancel—The delete zone request is ignored and the Zone list is displayed.