Cisco Anomaly Guard Module Configuration Guide (Software Version 4.0)
Introduction

This chapter provides a general overview of the Cisco Anomaly Guard Module (Guard), its components and how it works. The chapter includes the following sections:

What is DDoS

The Cisco Anomaly Guard Module

Zones

How the Guard Module Operates

Protection Mechanisms

Protection Cycle

What is DDoS

Distributed Denial of Service (DDoS) attacks are attacks in which malicious individuals cause thousands of compromised computers ("zombies") to run automated scripts that cripple the network resources of a protected server (the zone) with spurious requests for service. An attack can be, for example, a flood of bogus home page requests to a web server that shuts out legitimate consumers, or an effort to compromise the availability and accuracy of Domain Name System (DNS) servers. Although often launched by a single individual, the zombies that actually execute the attack code may number in the hundreds of thousands, and they are distributed over multiple autonomous systems administered by multiple organizations. These distributed attacks generate a volume of traffic that cannot be handled by the lower bandwidth available at a typical zone, even that of the largest corporations.

DDoS attacks are a statistical phenomenon and consequently require the formation of a detailed statistical traffic profile. DDoS research indicates that DDoS zombies are distributed both in number and across autonomous systems, that legitimate and bogus requests for service are closely intermixed, and that DDoS attacks use random settings such as spoofed IP source addresses or random settings of TCP flags.

DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, their attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. Thus, DDoS defense technology must be flexible and adaptive.

A DDoS defense system must therefore be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing these tasks without hindering the traffic flow of the attacked network element.

The Cisco Anomaly Guard Module

The Cisco Anomaly Guard Module (Guard module) is a Cisco IOS application module that you can install in the Catalyst 6500 series switch with a Supervisor Engine 2 with a Multilayer Switch Feature Card (MSFC) or Supervisor Engine 720.

It is a denial-of-service (DoS) mitigation product that receives traffic diverted from attacked targets, cleans this traffic, and forwards the cleaned traffic to its original path. It is deployed in a distributed upstream configuration, at the ISP/MSP/backbone level, protecting the entire network. When an attack is detected, the system diverts only the attacked zone traffic to the Guard. The data flow is analyzed. All DDoS components are removed and clean traffic is allowed to continue flowing to the intended zone. The Guard allows a transparent zone traffic flow, while constantly filtering the traffic, and remaining attuned to zone traffic characteristics, so as to be on the alert for evolving attack patterns.

To accomplish these tasks the Guard employs the following components:

Traffic diversion mechanisms that redirect (divert) the zone traffic to the Guard Learning and Protection systems and then return (inject) the legitimate traffic flow back to the zone. This is performed while preventing interference to network traffic.

An algorithm-based learning system that learns the zone traffic, adapts itself to its particular characteristics, and supports the protection system with references and protection instructions in the form of thresholds and policies. In addition, the Guard has on-demand protection to answer situations in which the zone is under attack, but the Guard has not completed its learning process and has not finished tuning to the zone traffic.

A protection system that distinguishes between legitimate and suspicious traffic and filters the malicious traffic. Only the legitimate traffic is then allowed to pass on to the zone.

Integrating these components enables the Guard to assume its protective role when there is an attack, but to remain unobtrusively in the background for the rest of the time. When there are no suspected attacks you do not need to activate the diversion process, and the Guard module does not see the traffic.

Zones

A zone is a network element that the Guard module protects against DDoS attacks. A zone can be a network server, client or router; a network link or subnet or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP), or any combination of the above. The Guard module can protect different zones simultaneously as long as their network address ranges do not overlap.

A zone is the definition of a network element, configured so that the Guard module can protect it from DDoS attacks. You assign a name to the zone and use this name to refer to it.
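As an added check (example code written for the reader of this guide, not Cisco's or the Guard module's own code), the following Python validates that a set of zone definitions satisfies the non-overlap requirement stated above before the zones are configured, reporting every conflicting pair. The zone names and address ranges are constructed sample data.

```python
"""Overlap check for zone definitions (added example; not Cisco code).

The Guard module can protect several zones at once only if their network
address ranges do not overlap.  This helper validates a candidate set of zone
definitions before they are configured and reports every conflicting pair.
Zone names and prefixes below are constructed sample data.
"""
import ipaddress
from itertools import combinations

# Constructed sample zones: a zone name mapped to one or more IPv4/IPv6 prefixes.
SAMPLE_ZONES = {
    "web-farm":   ["203.0.113.0/25"],
    "dns":        ["203.0.113.128/26", "2001:db8:53::/64"],
    "customer-a": ["203.0.113.0/26"],          # lies inside web-farm's range
    "mail":       ["198.51.100.10/32"],
}


def parse_zones(zones):
    """Return {name: [ip_network, ...]}; strict=True rejects host bits set."""
    parsed = {}
    for name, prefixes in zones.items():
        parsed[name] = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return parsed


def find_overlaps(zones):
    """Return a sorted list of (zone_a, zone_b, prefix_a, prefix_b) conflicts.

    Every pair of distinct zones is compared prefix by prefix; only prefixes of
    the same IP version can overlap.  An empty list means the zone set is safe
    to configure side by side.
    """
    parsed = parse_zones(zones)
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((a, b, str(na), str(nb)))
    return conflicts


if __name__ == "__main__":
    for conflict in find_overlaps(SAMPLE_ZONES):
        print("overlap: zone %s (%s) and zone %s (%s)" % (conflict[0], conflict[2], conflict[1], conflict[3]))
```

Running the block as a script prints the one conflict in the sample data (customer-a against web-farm); the DNS zone's IPv4 and IPv6 prefixes are disjoint from every other range and produce nothing.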

How the Guard Module Operates

To protect the target host (zone), traffic to this host must be diverted to the Guard module. You can wait for an external indication (from the Cisco Traffic Anomaly Detector Module or any other means) of an attack before setting the Guard to protect the zone, or you can instruct the Guard to protect the zone as soon as you complete configuring the zone. The Guard analyses the data flow. All DDoS elements are blocked, the malicious packets are removed from the diverted stream and clean traffic is returned to the main data path and allowed to continue flowing to the intended zone. Figure 1-1 schematically describes the protection operation.

The diversion is configured globally, via the Guard module routing configuration. See "Configuring Zone Traffic Diversion" for further details.

Figure 1-1 Cisco Anomaly Guard Module Operation

In order to form a basis on which to compare zone traffic and trace any anomalies that might, in turn, become malicious, the Guard learns the zone traffic characteristics.

You can also protect a zone without performing the learning process if necessary, for example, when a zone is under attack. The system-defined zone templates include predefined protection policies and filters that are suitable for protecting a zone that has not finished the learning process. See the "On-Demand Protection" section for further details.

The learning process consists of two phases, during which the Guard learns the zone traffic and adapts itself to the particular characteristics:

1. The Policy Construction Phase—In this phase, the Guard creates the zone policies. The policy templates provide the rules that are used to construct the policies. The traffic flows transparently through the Guard enabling it to discover the main services the zone uses.

2. The Threshold Tuning Phase—In this phase, the Guard tunes the policies to fit the zone services traffic rates. The traffic flows transparently through the Guard, enabling it to tune the thresholds for the services discovered during the policy construction phase.

The policies are the mechanisms that measure a particular traffic flow and take action against the flow when there is a threshold violation. The protection policies are constructed from policy templates.

See "Configuring Zones" for more information on traffic learning. See "Configuring Policy Templates and Policies" for more information on zone policies.

When the policies sense abnormal or malicious traffic (by means of threshold violation), they dynamically configure a set of filters (Dynamic Filters) to direct the traffic to the appropriate protection module according to the severity of the attack.

You can activate the Guard protection in the following ways:

Automatic protect mode—The Dynamic filters are activated without user intervention.

Interactive protect mode—The Dynamic filters are activated manually, interactively. The Dynamic filters are grouped as recommendations that await your decision. You can review these recommendations and decide which of them to accept, ignore, or direct to automatic activation.

See "Interactive Protect Mode" for further details.

The Guard provides an attack report for every zone to help form a clear picture of the zone status. The attack report provides details of the attack, starting with the production of the first Dynamic filter, and ending with protection termination.

See "Attack Reports" for further details.

Protection Mechanisms

The Guard protection system uses the following mechanisms:

Filters

Protection Modules

Filters

The zone filters direct the diverted traffic to the relevant protection modules. The Guard enables you to set filter configurations to design a variety of possibilities for customized traffic direction and anti-DDoS attack mechanisms. The Guard uses the following types of filters:

User Filter—The User filters are used to direct specified traffic flow to the relevant Guard protection modules.

Bypass filter—Bypass filters are used to prevent specific traffic flows from being handled by the Guard protection mechanisms.

Flex filter—The Flex filter is used to count or drop a specified packet flow. It is a Berkeley Packet Filter (BPF) that provides extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. You can use complex Boolean expressions, but you can configure only one Flex filter per zone.

Dynamic filter—The Guard creates Dynamic filters as the result of the analysis of traffic flow. It continuously adapts this set of filters to the zone traffic and the type of the DDoS attack. Dynamic filters have a limited life span and are erased after the attack has terminated.

Protection Modules

The Guard module protection modules apply different processes over the traffic flows. The Guard has the following protection modules:

Analysis protection module—This protection module allows the traffic to flow, monitored but unhindered, during protection as long as no abnormalities are detected. Once abnormalities are detected, the traffic flows are directed to the appropriate protection module.

Basic protection module—This protection module has anti-spoofing and anti-zombie mechanisms that authenticate traffic. These mechanisms inspect the suspicious traffic flow to verify its source.

Strong protection module—This protection module has more severe anti-spoofing mechanisms. These authentication mechanisms inspect the flow packets to verify the flow legitimacy.

Drop protection module—This protection module drops malicious traffic.

Rate Limiting protection module—This protection module limits the rate of a desired traffic flow or of the overall zone traffic (see the "Configuring Bypass Filters" section for further details).

Recognition protection module—This protection module coordinates between the Guard policies and the filter system.

Protection Cycle

Figure 1-2 illustrates the Guard protection cycle:

Figure 1-2 The Guard Protection Cycle

Once protect mode is activated, the Guard diverts the zone traffic. The Guard policies measure the traffic flow and take action against a particular traffic flow where there is a threshold violation. The actions taken can range from merely issuing a notification, to creating new filters (Dynamic filters). These direct the diverted traffic to the relevant protection modules. The protection modules authenticate the traffic. A sample of the traffic flows to the Recognition protection module. The Guard passes the traffic to the Rate Limiting protection module which drops traffic that exceeds the defined rate. The cleaned traffic is injected back to the zone.

The Recognition protection module leads a closed-loop feedback cycle to adjust the Guard protection measures to the dynamically changing zone traffic characteristics. The Guard adopts the proper protection strategies to answer the changing DDoS attack types and traffic flows. The Guard stops the protection if no Dynamic filters are in use and no new Dynamic filter has been added over a predefined period of time.
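The following Python simulation is an added example, not Cisco code and not the Guard module's actual algorithm. It models the two learning phases described under "How the Guard Module Operates" (service discovery, then threshold tuning) together with the protection cycle described in this section: policies measure per-service rates, a threshold violation raises a Dynamic filter that sends the flow to a protection module chosen by severity, filters age out after the flow returns to normal, and protection stops once no Dynamic filter is in use and none has been added for a predefined period. The threshold formula (mean plus three standard deviations), the severity-to-module mapping, the filter lifetime and the idle period are constructed assumptions, as are all traffic samples.

```python
"""Simulation of the learning phases and the protection cycle (added example;
not Cisco code and not the Guard's algorithm).

Phase 1 discovers the zone's services from learning traffic, phase 2 tunes a
per-service threshold, and the protection loop then raises Dynamic filters on
threshold violations, ages them out, and stops protection once no Dynamic
filter has been active or added for a predefined idle period.  The threshold
formula, the severity mapping, the lifetimes and all traffic samples are
constructed assumptions used for illustration only.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed learning traffic: per-second packet rates keyed by (proto, port).
LEARNING_SAMPLES = [
    {("tcp", 80): web, ("udp", 53): dns}
    for web, dns in zip([950, 1010, 980, 1040, 990, 1005, 970, 1020],
                        [190, 205, 198, 210, 202, 195, 207, 200])
]

# Constructed protection-time traffic: a flood against tcp/80 that ramps up
# for four seconds and then subsides to the learned rate.
ATTACK_SAMPLES = (
    [{("tcp", 80): 1000, ("udp", 53): 200}] * 2
    + [{("tcp", 80): 2400, ("udp", 53): 200}]        # roughly 2.2x the threshold
    + [{("tcp", 80): 9000, ("udp", 53): 200}] * 3    # roughly 8x the threshold
    + [{("tcp", 80): 1000, ("udp", 53): 200}] * 6
)


def construct_policies(samples):
    """Policy construction phase: one policy per service seen in learning."""
    return sorted({svc for second in samples for svc in second})


def tune_thresholds(policies, samples, sigmas=3.0, floor=50):
    """Threshold tuning phase: mean + k*stdev of the learned rate per service
    (assumed formula), with a floor so a quiet service still gets a threshold."""
    thresholds = {}
    for svc in policies:
        rates = [second.get(svc, 0) for second in samples]
        thresholds[svc] = max(floor, mean(rates) + sigmas * pstdev(rates))
    return thresholds


def severity_to_module(ratio):
    """Assumed mapping from violation severity (rate / threshold) to a module."""
    if ratio < 2.0:
        return "basic"
    if ratio < 5.0:
        return "strong"
    return "drop"


@dataclass
class DynamicFilter:
    service: tuple
    module: str
    idle_seconds: int = 0   # consecutive seconds without a violation


def run_protection(policies, thresholds, samples, filter_ttl=3, stop_after=4):
    """Protection cycle: measure each second, raise or replace Dynamic filters
    on violations, expire filters idle for `filter_ttl` seconds, and stop once
    no filter is active and none was added for `stop_after` seconds."""
    active = {}      # service -> DynamicFilter
    quiet = 0        # seconds with no active filter and no new filter
    events = []
    for t, second in enumerate(samples):
        added = False
        for svc in policies:
            ratio = second.get(svc, 0) / thresholds[svc]
            if ratio > 1.0:
                module = severity_to_module(ratio)
                current = active.get(svc)
                if current is None or current.module != module:
                    active[svc] = DynamicFilter(svc, module)   # new or escalated
                    events.append((t, "filter", svc, module))
                    added = True
                else:
                    current.idle_seconds = 0
            elif svc in active:
                active[svc].idle_seconds += 1
                if active[svc].idle_seconds >= filter_ttl:
                    events.append((t, "expire", svc, active.pop(svc).module))
        quiet = 0 if (active or added) else quiet + 1
        if quiet >= stop_after:
            events.append((t, "stop", None, None))
            break
    return events


if __name__ == "__main__":
    policies = construct_policies(LEARNING_SAMPLES)
    thresholds = tune_thresholds(policies, LEARNING_SAMPLES)
    for event in run_protection(policies, thresholds, ATTACK_SAMPLES):
        print(event)
```

With the constructed samples the loop raises a "strong" filter when the tcp/80 rate first exceeds its threshold, escalates it to "drop" as the flood grows, expires the filter three seconds after the rate returns to normal, and stops protection four quiet seconds later; the udp/53 policy never fires. The escalation-on-module-change rule is what keeps the cycle closed-loop in the sense this section describes: the filter set follows the measured traffic rather than the first verdict.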