Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.1)
Product Overview

Table Of Contents

Product Overview

Understanding the Cisco Traffic Anomaly Detector Module

Understanding DDoS

Understanding Zones

Understanding How the Detector Module Operates

Understanding the Learning Process

Understanding the Zone Policies

Understanding How the Detector Module Performs Zone Anomaly Detection

Understanding the Detect and Learn Function

Understanding Attack Reports

Understanding the Anomaly Detection Process


Product Overview


This chapter provides a general overview of the Cisco Traffic Anomaly Detector Module (Detector module) and describes its components and how it works. The chapter contains the following sections:

Understanding the Cisco Traffic Anomaly Detector Module

Understanding DDoS

Understanding Zones

Understanding How the Detector Module Operates

Understanding the Anomaly Detection Process

Understanding the Cisco Traffic Anomaly Detector Module

You can install the Detector module in one of the following products:

Catalyst 6500 series switch

Cisco 7600 series router

The Detector module is a passive monitoring device that continuously looks for indications of a Distributed Denial of Service (DDoS) attack against a protected destination (referred to as a zone), such as a server, firewall interface, or router interface. The Detector module works optimally with the Cisco Anomaly Guard Module but it can also operate as a separate DDoS detection and alarm component.

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module.

The Detector module analyzes copies of all inbound traffic destined for the protected zone or zones and compares the current traffic to a set of behavioral thresholds (the zone policy) to detect anomalous traffic behavior. When the Detector module identifies anomalous behavior that is considered to be a possible attack, the Detector module can activate a Cisco Anomaly Guard Module to mitigate these attacks.

The Detector module uses the following features to monitor traffic:

An algorithm-based system that learns the zone traffic, adapts itself to the traffic characteristics, and provides the Detector module with references and instructions in the form of thresholds and policies.

A system that either remotely activates Cisco Anomaly Guard Modules to take over protection of the zone or zones, or records the traffic anomalies in the Detector module syslog.

By using these features, the Detector module can perform its detection role while remaining unobtrusively in the background.

Understanding DDoS

The primary goal of a DDoS attack is to deny legitimate users access to a specific computer or network resource. Attackers send malicious requests to targets in order to degrade service, disrupt network services on servers and network devices, and saturate network links with unnecessary traffic.

DDoS attacks occur when malicious users compromise hundreds or thousands of hosts (zombies) across the Internet and install a Trojan on each system. A Trojan is a nonreplicating program disguised as a harmless application that takes a harmful action the user does not expect. The Trojans take instructions from a master server controlled by the attacker on when and how to launch a coordinated attack. The zombies run automated scripts that exhaust a targeted server's network resources with spurious requests for service. The attack can be a flood of spurious home page requests that shuts legitimate users out of a web server, or an effort to compromise the availability and accuracy of Domain Name System (DNS) servers. Although often launched by an individual, the compromised computers that actually execute the attacking code may number in the hundreds of thousands, are distributed over multiple autonomous systems, and may be administered by multiple organizations. These distributed attacks generate a traffic volume that cannot be handled by the lower bandwidth available at a typical zone. See the "Understanding Zones" section for information about zones.

Understanding Zones

The Detector module monitors a zone for DDoS attacks. A zone can be one of the following elements:

A network server, client, or router

A network link or subnet or an entire network

An individual Internet user or a company

An Internet Service Provider (ISP)

Any combination of these elements

After the Detector module identifies a DDoS attack, it can automatically activate a Cisco Anomaly Guard Module to protect the zone against the attack or it can notify the user to activate the Cisco Anomaly Guard Module manually.

The Detector module can analyze the traffic for different zones simultaneously if their network address ranges do not overlap.

When you define a zone, you configure the network addresses and the policies that the Detector module uses for zone anomaly detection. You assign a name to the zone, and use this name to refer to it.

Understanding How the Detector Module Operates

The Detector module analyzes the traffic for evolving signs of an upcoming DDoS attack. When it detects a traffic abnormality, the Detector module either records the event in its syslog or remotely activates the Guards on its list of remote Guards. These remote Guards protect the zones against the evolving DDoS attack. Figure 1-1 illustrates the detection operation.

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module.

Figure 1-1 Cisco Traffic Anomaly Detector Module Operation

The Detector module learns the zone traffic characteristics so that it has a baseline against which to compare the zone traffic and trace any anomalies that might become malicious.

These sections contain the following topics:

Understanding the Learning Process

Understanding the Zone Policies

Understanding How the Detector Module Performs Zone Anomaly Detection

Understanding the Detect and Learn Function

Understanding Attack Reports

Understanding the Learning Process

When no attack is occurring on the network, the learning process creates a baseline of normal traffic patterns that the Detector module uses as a reference point to detect anomalies. These reference points are called policies. Because the baseline is learned from the traffic that is present at the time, learning should take place while the zone traffic is known to be clean.

The learning process consists of the following two phases:

Policy Construction Phase—Creates the zone policies. The policy templates provide the rules that the Detector module uses to construct the zone policies. The Detector module analyzes the copy of the zone traffic that the switch passes to it, which allows it to discover the main services that the zone uses.

Threshold Tuning Phase—Tunes the zone policies to fit the traffic rates of the zone services. The Detector module continues to analyze the copied zone traffic, which enables it to tune the thresholds for the services that it discovered during the policy construction phase.

Understanding the Zone Policies

The zone policies are the building blocks of the Detector module and the basis against which the Detector module compares the zone traffic in order to trace any anomalies that might become malicious. When the traffic flow exceeds a policy threshold, the Detector module identifies the traffic as abnormal or malicious and dynamically configures a set of filters (dynamic filters) to apply the appropriate detection level to the traffic flow according to the severity of the attack.

See Chapter 5, "Configuring Zones," for more information on traffic learning. See Chapter 7, "Configuring Policy Templates and Policies," for more information on zone policies.

Understanding How the Detector Module Performs Zone Anomaly Detection

You can activate the Detector module protection in the following ways:

Automatic protect mode—The dynamic filters are activated automatically.

Interactive protect mode—The dynamic filters are activated manually. The dynamic filters are grouped as recommended actions for you to complete. You can review these recommendations and decide whether to accept them, ignore them, or direct them to automatic activation.

See "Using Interactive Detect Mode," for more information.

Understanding the Detect and Learn Function

You can run the threshold tuning phase and zone detection simultaneously (the detect and learn function) so that the Detector module learns the zone policy thresholds while at the same time monitoring those thresholds for traffic anomalies. When the Detector module detects an attack, it stops the learning process but continues zone detection. This prevents the Detector module from learning thresholds from malicious traffic, which would raise the baseline and hide the attack. The Detector module resumes the learning process when the attack ends. See the "Tuning Zone Policy Thresholds and Enabling Zone Anomaly Detection Simultaneously" section on page 8-17 for more information.
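The following is an added example that illustrates the learning process and the detect and learn function described above. It is not Cisco code and does not reproduce the Detector module's algorithm: a single zone policy is modelled as a per-interval packet-rate threshold for one service, the threshold formula (mean plus k standard deviations), the minimum sample count, and the sample rates are all assumptions. The point it demonstrates is the one made in the text: a detector that keeps learning while an attack is in progress raises its own baseline to the attack rate, whereas one that suspends learning during the attack keeps a clean threshold and reports the attack end correctly.

```python
"""Baseline learning with the 'detect and learn' rule (illustrative).

Added example, not Cisco's code. One zone policy = a packet-rate threshold
for a service, learned from observed traffic (threshold tuning) and then
compared against live traffic (detection). While an anomaly is active,
learning is suspended so attack traffic does not raise the baseline.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple


class ZonePolicy:
    """Threshold = mean + k * stddev of learned rates. The formula and the
    minimum sample count are assumptions; the page does not state them."""

    def __init__(self, service: str, k: float = 3.0, min_samples: int = 5):
        self.service = service
        self.k = k
        self.min_samples = min_samples
        self.samples: List[float] = []
        self.threshold: Optional[float] = None

    def learn(self, rate: float) -> None:
        self.samples.append(rate)
        if len(self.samples) >= self.min_samples:
            self.threshold = mean(self.samples) + self.k * pstdev(self.samples)

    def is_anomalous(self, rate: float) -> bool:
        # No verdict until enough benign intervals have been learned.
        return self.threshold is not None and rate > self.threshold


class Detector:
    def __init__(self, policy: ZonePolicy, pause_learning_during_attack: bool = True):
        self.policy = policy
        self.pause = pause_learning_during_attack
        self.attack_active = False
        self.events: List[Tuple[str, int, float]] = []

    def observe(self, t: int, rate: float) -> bool:
        anomalous = self.policy.is_anomalous(rate)
        if anomalous and not self.attack_active:
            self.attack_active = True
            self.events.append(("attack-start", t, rate))
        elif not anomalous and self.attack_active:
            self.attack_active = False
            self.events.append(("attack-end", t, rate))
        # Detect and learn: detection continues, learning stops while an
        # attack is active and resumes once the rate returns to normal.
        if not (self.pause and self.attack_active):
            self.policy.learn(rate)
        return anomalous


# Constructed sample (packets/s to one service): 7 benign intervals,
# 3 intervals of flood traffic, then 2 benign intervals.
SAMPLE_RATES = [100, 110, 95, 105, 100, 102, 98, 5000, 6000, 5500, 101, 99]


def run(rates: List[float], pause_learning_during_attack: bool = True):
    """Returns (attack events, final learned threshold)."""
    det = Detector(ZonePolicy("tcp/80"), pause_learning_during_attack)
    for t, r in enumerate(rates):
        det.observe(t, r)
    return det.events, det.policy.threshold


if __name__ == "__main__":
    print("detect and learn:", run(SAMPLE_RATES))
    print("learning never paused:", run(SAMPLE_RATES, pause_learning_during_attack=False))
```

With learning paused during the attack, the threshold stays near the benign rate and the attack is reported as ending at the first benign interval after the flood. With learning left on, the flood intervals are absorbed into the baseline, the threshold climbs into the thousands, and the third flood interval is wrongly reported as the end of the attack.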

Understanding Attack Reports

The Detector module provides an attack report for every zone so that you can display the zone status. The attack report provides details of the attack, starting with the production of the first dynamic filter, and ending with protection termination. See "Using Attack Reports," for more information.

Understanding the Anomaly Detection Process

The Detector module uses three types of filters to direct the zone traffic to the required detection level. You can configure these filters to customize the traffic direction and the functions that the Detector module uses to detect traffic anomalies.

The Detector module uses the following types of filters:

Bypass filters—Prevent the Detector module from handling specific traffic flows.

Flex-Content filters—Count a specified packet flow. The flex-content filter provides extremely flexible filtering capabilities such as filtering based on fields in the IP and TCP headers and filtering based on content bytes.

Dynamic filters—Apply the analysis detection level to the traffic flow. The Detector module creates dynamic filters as the result of the analysis of traffic flow. The dynamic filters either record the event in the Detector module syslog, or activate a Cisco Anomaly Guard Module to protect the zone. Dynamic filters have a limited life span and are removed after the attack ends.

The Detector module performs a statistical analysis of the traffic and coordinates between the policies (which monitor the zone traffic for anomalies) and the filter system.
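The following added example models the three filter types described in this section and how they interact: bypass filters exclude a flow before anything else sees it, flex-content filters count packets that match header fields and payload bytes, and dynamic filters are created as a result of analysis, act on matching traffic, and are removed when their life span ends. It is not the Detector module's implementation; the packet representation, the match fields, the rule that a flex-content count above a threshold creates a dynamic filter, the fixed life span, and the sample addresses are all assumptions chosen for illustration.

```python
"""Bypass, flex-content and dynamic filters over zone traffic (illustrative).

Added example, not Cisco's code. Packets are plain dicts with the keys
src, dst, proto, dport and payload. The trigger rule and the fixed life
span are assumptions used to show the roles of the three filter types.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BypassFilter:
    """Flows the detector must not handle at all, e.g. a trusted scanner."""
    src_prefix: str

    def matches(self, pkt: dict) -> bool:
        return pkt["src"].startswith(self.src_prefix)


@dataclass
class FlexContentFilter:
    """Counts packets matching IP/TCP header fields and payload bytes."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None
    count: int = 0

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.content is None or self.content in pkt["payload"]))


@dataclass
class DynamicFilter:
    """Created by analysis; acts on matching traffic until it expires."""
    name: str
    dport: int
    action: str            # "syslog" or "activate-guard"
    expires_at: float
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        return pkt.get("dport") == self.dport


class FilterEngine:
    LIFESPAN = 60.0        # assumed dynamic-filter life span, in seconds

    def __init__(self, bypass, flex, threshold: int, action: str):
        self.bypass: List[BypassFilter] = bypass
        self.flex: List[FlexContentFilter] = flex
        self.threshold = threshold    # flex count per interval that creates a dynamic filter
        self.action = action
        self.dynamic: List[DynamicFilter] = []
        self.bypassed = 0

    def process(self, packets: List[dict], now: float) -> List[Tuple[str, str]]:
        """Handles one interval of copied zone traffic; returns dynamic-filter actions."""
        # Expired dynamic filters are removed before the interval is handled.
        self.dynamic = [d for d in self.dynamic if d.expires_at > now]
        for f in self.flex:
            f.count = 0       # flex-content counters are per interval here
        actions = []
        for pkt in packets:
            if any(b.matches(pkt) for b in self.bypass):
                self.bypassed += 1
                continue      # bypassed traffic reaches no other filter
            for f in self.flex:
                if f.matches(pkt):
                    f.count += 1
            for d in self.dynamic:
                if d.matches(pkt):
                    d.hits += 1
                    actions.append((d.name, d.action))
        # Analysis step: a counter above threshold creates a dynamic filter
        # for that service, unless one is already active.
        for f in self.flex:
            if (f.count > self.threshold and f.dport is not None
                    and not any(d.dport == f.dport for d in self.dynamic)):
                self.dynamic.append(DynamicFilter(
                    f"dyn-{f.name}", f.dport, self.action, now + self.LIFESPAN))
        return actions


def demo() -> dict:
    """Runs three constructed intervals: flood, filter active, filter expired."""
    engine = FilterEngine(
        bypass=[BypassFilter("10.0.0.")],          # assumed trusted monitoring subnet
        flex=[FlexContentFilter("http-get", proto="tcp", dport=80, content=b"GET /")],
        threshold=3, action="syslog")

    def http(src: str) -> dict:                    # constructed HTTP request packet
        return {"src": src, "dst": "192.0.2.10", "proto": "tcp",
                "dport": 80, "payload": b"GET / HTTP/1.1"}

    t0 = [http("10.0.0.5"), http("10.0.0.6")] + [http(f"198.51.100.{i}") for i in range(5)]
    actions_t0 = engine.process(t0, now=0.0)       # 2 bypassed, 5 counted -> dynamic filter
    actions_t1 = engine.process([http("198.51.100.9"), http("198.51.100.10")], now=1.0)
    actions_t120 = engine.process([http("198.51.100.9")], now=120.0)   # life span over
    return {"bypassed": engine.bypassed, "actions_t0": actions_t0,
            "actions_t1": actions_t1, "actions_t120": actions_t120,
            "active_dynamic": len(engine.dynamic)}


if __name__ == "__main__":
    print(demo())
```

The order matters: a bypassed packet is never counted, so trusted traffic cannot trigger a dynamic filter, and a dynamic filter created at the end of one interval acts on the next interval's packets until its life span expires, after which the same traffic produces no action until the analysis step creates a new one.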