Creating and Configuring Zones
This chapter describes how to create and manage zones and includes the following sections:
• Overview
• The Zone Home Page
• Managing Zones
• Zone Status Icons
Overview
A zone is a network element that the Guard module protects against DDoS attacks. A zone can be a network server, client, or router; a network link, a subnet, or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP); or any combination of the above. The Guard module can protect different zones simultaneously, as long as their network address ranges do not overlap. The zone configuration includes the following:
• Basic zone configuration—Includes the zone's name and description, the zone's network address and operation definitions, and basic networking characteristics such as the zone's bandwidth. See the "Managing Zones" section for further details.
• Policies—Define the protection policy. The policies are the mechanism that enables the Guard module to analyze a particular traffic flow and take action against the flow as a result of a threshold violation. The policies are constructed from policy templates, which provide the guiding rules for their construction. The policies are built in a learning process that consists of two learning phases. See "Protecting Zones," for further details. The action taken by a policy can range from merely notifying, to directing the traffic to the Guard module anti-spoofing or anti-zombie mechanisms, to dropping malicious traffic. See "Configuring Zone Filters and Policy Templates," for further details.
• Filters—Direct the diverted traffic to the required protection modules. You can set the filter configurations and design different possibilities to customize traffic direction and anti-DDoS attack mechanisms. See "Configuring Zone Filters and Policy Templates," for further details.
• Diversion—Diverts the zone traffic from the main data path to the Guard module. To protect the target host (zone) using the Guard module, traffic destined to the host must be diverted to the Guard module. You configure zone diversion via the Guard module global routing configuration and not as part of the zone configuration. For information about configuring zone diversion, refer to the Anomaly Guard Module Configuration Guide.
The Zone Home Page
The zone home page (Figure 4-1) provides a summary of the zone status.
You can navigate to this page in a number of ways:
• Select the zone from the All Zones list in the navigation pane.
• If the zone is currently in protect mode, select the zone under the Protected Zones list in the navigation pane.
• On the zone pages, select Zone from the navigation path.
• Select the zone from the zone list (Guard Module Summary > Zones > Zone list).
The zone home page is divided into four sections:
• Zone Status bar
• Zone Traffic summary
• Zone Status summary
• Zone Recent events
The following buttons appear beneath the zone status bar in certain circumstances:
• Protect—Switches the zone to protect mode. This is equivalent to selecting Protection > Protect from the zone main menu and is only available if the zone is in standby.
• Deactivate—Deactivates the zone detect mode. This is equivalent to selecting Protection > Deactivate from the zone main menu and is only available if the zone is in protect mode.
• Report—Provides a link to the current attack report. This is equivalent to selecting Diagnostics > Attack reports from the zone main menu and clicking the current attack (the attack whose end time is "attack in progress"). It is only available if an attack is currently in progress. See "Zone Statistics and Diagnostics," for further details.
Figure 4-1 Zone Home Page
Zone Status Bar
The zone status bar provides a quick reference to the status of the zone and includes the following information:
• The zone name.
• The zone operation mode—Indicates whether the zone is in automatic protect mode or in interactive protect mode. The operation mode appears in brackets, and only if the zone is active. See the "Managing Zones" section for further details.
• The zone status—Indicates the zone's current operational state. The status can be one of the following: Protected, Inactive, Constructing policy, and Tuning thresholds. See the "Zone Status Summary" section for further details.
• Indication of new recommendations—Indicates that new recommendations are available. This indication is available only if the Guard module is in interactive protect mode. See the "Interactive Protect Mode" section for further details.
Zone Traffic Summary
The zone traffic summary graph displays the zone-related traffic rate over the last two hours in bits per second (bps). Legitimate traffic passed by the Guard module to the zone appears in green. Malicious traffic that was destined to the zone and dropped appears in red.
Table 4-1 describes the fields that appear below the zone traffic summary graph.
Table 4-1 Field Descriptions for Fields below Zone Traffic Summary Graph
Field | Description
Min | The minimum traffic rate measured over the last two hours in bits per second (bps).
Max | The maximum traffic rate measured over the last two hours in bits per second (bps).
Avg | The average traffic rate measured over the last two hours in bits per second (bps).
Cur | The current traffic rate in bits per second (bps).
The information appears separately for legitimate traffic and malicious traffic.
Zone Status Summary
The zone status summary provides the following information:
• The number of active Dynamic filters. Active Dynamic filters provides a link to the Dynamic filters page. See the "Dynamic Filters" section for further details.
• The number of pending Dynamic filters. The number of pending Dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations. Pending Dynamic filters provides a link to the recommendations page. See the "Dynamic Filters" section for further details on Dynamic filters, and the "Interactive Protect Mode" section for further details on recommendations.
• Last attack time—The date and time of the last attack on the zone.
• Activation time—The date and time that protect mode was activated.
Zone Recent Events
The recent events table displays the recent events in the zone with a minimum severity level of notify. These events also appear in the zone event log and the Guard module event log.
Managing Zones
To protect a zone against DDoS attacks, you must configure the zone network characteristics on the Guard module.
To create a new zone, perform one of the following:
• From the Guard module main menu, select Zones > Create Zone.
• From the Guard module main menu, select Zones > Zone list and click Add.
• From the zone main menu, select Main > Create Zone.
• From the zone main menu, select Main > Save as. This copies the current basic zone configuration to a new zone. It is equivalent to the zone CLI command with the copy-from-this option. Refer to the Anomaly Guard Module Configuration Guide for further details.
Table 4-2 describes the zone basic configuration fields.
Table 4-2 Field Descriptions for Zone Configuration
Field | Description
Name | The name of the new zone. The name is an alphanumeric string of 1 to 63 characters. It must start with a letter, can contain underscores, and cannot contain spaces.
Description | A description of the zone. The string length is limited to a maximum of 80 characters.
From Template | A template that defines the zone configuration. The template can be one of the following:
  • DEFAULT—The Guard module default zone template.
  • TCP_NO_PROXY—A template designed for a zone for which no TCP proxy is to be used. This template can be used if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone. Refer to the Anomaly Guard Module Configuration Guide for further details.
  • Bandwidth Limited Link Templates—Templates designed for on-demand protection of large subnets that are segmented into zones with known bandwidth. Protection is assumed for the zone that corresponds to the attacked subnet or range. We recommend that you define such zones with a protect-ip-state of only-dest-ip. See Protect-IP state in the Cisco Traffic Anomaly Detector Web-Based Management (WBM) User Guide for further details.
  The following Bandwidth Limited Link templates are available, for 128K, 1M, 4M, and 512K links respectively:
    – LINK_128K
    – LINK_1M
    – LINK_4M
    – LINK_512K
  You cannot perform policy construction for these templates.
Operation mode | The mode used for activating zone Dynamic filters. Possible values are:
  • Automatic—The Dynamic filters are activated automatically.
  • Interactive—Interactive mode enables you to define the action taken for each Dynamic filter. The Dynamic filters recommended by the policies appear as recommendations, and you can specify whether to accept or reject each Dynamic filter.
  See the "Interactive Protect Mode" section for further details.
Max. Rate | The amount of traffic allowed to pass to the zone, displayed as an integer. The rate is measured in bits, kilo-bits, kilo-packets, mega-bits, or packets. Configure the value according to the traffic volume the zone can handle.
Burst | The highest traffic peak allowed to pass to the zone. The peak is an integer. The units are bits, kilo-bits, kilo-packets, mega-bits, or packets and are the same as the rate units.
Flex filter | (Optional) The Flex filter configuration. See the "Configuring the Flex Filter" section for further details.
Filter Action | (Optional) The Flex filter action. Possible values are:
  • disable—The Flex filter is disabled.
  • count—The Flex filter is used to count the flow.
  • drop—The Flex filter is used to drop the flow.
Protection-end Timer | The time after which the Guard module can terminate protect mode. The Guard module verifies whether an attack has ended by checking the Dynamic filters that have been added: it deactivates protect mode if no Dynamic filters are in use and no new Dynamic filter has been added over a predefined period of time. Possible values range from seconds to infinite.
Filter-rate termination threshold | The threshold that, together with the Malicious-rate termination threshold, specifies when the Guard module can inactivate Dynamic filters. Define this threshold in packets per second (pps). See the Note on Dynamic filter termination for further details.
Malicious-rate termination threshold | The threshold that, together with the Filter-rate termination threshold, specifies when the Guard module can inactivate Dynamic filters. Define this threshold in packets per second (pps). See the Note on Dynamic filter termination for further details.
IP address | The zone IP address.
Mask | The zone address mask. Select the address mask from the drop-down list.

Note
We recommend that you set the bandwidth value to the highest bandwidth measured entering the zone. If it is unknown, leave the default Burst and Max. rate values blank and choose unlimited units from the drop-down list.
After you create the zone, the Guard module displays the configuration in three tables.
To change the zone basic configuration, click the Config button below the first table and enter the parameters in the Zone Form.
To change the Flex filter configuration, click Config below the second table with the Flex filter information, and enter the parameters in the Zone Form. See the "Configuring the Flex Filter" section.
To add additional IP addresses and subnets, click the Add button under the third (IP) table. Repeat this for each additional zone IP address or subnet. You can add or delete IP addresses and subnets while the zone is active.
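The rules the form enforces (the Name and Description limits and the Burst/Max. Rate unit pairing in Table 4-2, and the Overview's requirement that zones' address ranges never overlap) are easy to get wrong when many zones are provisioned by hand. The following Python is an added example, not Cisco code and not part of the WBM: it mirrors those rules as a pre-flight check over a constructed set of zone definitions. The `Zone` dataclass, the unit labels, and the choice to treat "alphanumeric" as letters and digits only are assumptions, as is the sample data.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed unit labels, taken from the Max. Rate / Burst descriptions in Table 4-2.
RATE_UNITS = {"bits", "kilo-bits", "kilo-packets", "mega-bits", "packets"}
# Name rule from Table 4-2: 1-63 characters, starts with a letter, underscores
# allowed, no spaces. Treating "alphanumeric" as letters and digits only is an
# assumption; the page lists no other permitted characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")
DESCRIPTION_MAX = 80


@dataclass
class Zone:
    """Hypothetical in-memory mirror of the zone basic configuration form."""
    name: str
    description: str = ""
    networks: List[str] = field(default_factory=list)  # "address/mask" rows of the IP table
    max_rate: Optional[int] = None
    rate_units: Optional[str] = None
    burst: Optional[int] = None
    burst_units: Optional[str] = None


def _parse(net: str) -> Optional[ipaddress._BaseNetwork]:
    """Parse an address/mask entry; None if it is not a valid network."""
    try:
        return ipaddress.ip_network(net, strict=False)
    except ValueError:
        return None


def check_zone(zone: Zone) -> List[str]:
    """Return the problems found in one zone's basic configuration (empty if valid)."""
    problems: List[str] = []
    if not NAME_RE.match(zone.name):
        problems.append(f"name {zone.name!r}: must be 1-63 letters, digits or underscores, "
                        "starting with a letter and containing no spaces")
    if len(zone.description) > DESCRIPTION_MAX:
        problems.append(f"description exceeds {DESCRIPTION_MAX} characters")
    for net in zone.networks:
        if _parse(net) is None:
            problems.append(f"invalid address/mask {net!r}")
    if zone.max_rate is not None:
        if zone.max_rate < 0:
            problems.append("Max. Rate must be a non-negative integer")
        if zone.rate_units not in RATE_UNITS:
            problems.append(f"unknown rate units {zone.rate_units!r}")
    if zone.burst is not None:
        if zone.burst < 0:
            problems.append("Burst must be a non-negative integer")
        # The Burst units must be the same as the Max. Rate units (Table 4-2).
        if zone.burst_units != zone.rate_units:
            problems.append("Burst units must be the same as the Max. Rate units")
    return problems


def find_overlaps(zones: List[Zone]) -> List[Tuple[str, str, str, str]]:
    """Return (zone_a, zone_b, net_a, net_b) for every pair of address ranges that
    overlap across two different zones; the Guard cannot protect both at once.
    Unparsable entries are skipped here because check_zone already reports them."""
    entries = [(z.name, n) for z in zones for n in map(_parse, z.networks) if n is not None]
    overlaps = []
    for i, (za, na) in enumerate(entries):
        for zb, nb in entries[i + 1:]:
            if za != zb and na.overlaps(nb):
                overlaps.append((za, zb, str(na), str(nb)))
    return overlaps


# Constructed sample zones (not from the page). The third one breaks four rules,
# and corp_net's /24 contains web_srv's host address.
SAMPLE_ZONES = [
    Zone("web_srv", "public web server", ["192.0.2.10/32"], 100, "mega-bits", 150, "mega-bits"),
    Zone("corp_net", "office subnet", ["192.0.2.0/24"], 1, "mega-bits", 1, "mega-bits"),
    Zone("2 bad name", "x" * 81, ["198.51.100.0/33"], 10, "mega-bits", 20, "kilo-bits"),
]

if __name__ == "__main__":
    for z in SAMPLE_ZONES:
        print(z.name, "->", check_zone(z) or "ok")
    print("overlaps:", find_overlaps(SAMPLE_ZONES))
```

Run it before provisioning a batch of zones; any overlap it reports means one of the two zones must be narrowed or merged, since the Guard module cannot protect overlapping address ranges simultaneously.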
Note
Dynamic filter termination
Once the Dynamic filter timeout expires, the Guard module inactivates the Dynamic filter when one of the following applies:
• The total malicious traffic rate (the sum of the spoofed and dropped traffic) is less than or equal to the Malicious-rate termination threshold.
• The Filter-rate termination threshold is equal to or greater than both of the following:
  – The Dynamic filter's current traffic rate
  – The Dynamic filter's average traffic rate during a user-configured time span (defined by the policy's Timeout parameter)
See the "Configuring Parameters" section for further details on the Dynamic filter timeout.
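The termination rule in this note and the Protection-end Timer rule in Table 4-2 decide together when a zone quietly leaves protect mode, so it is worth being able to predict them from observed rates before tuning the thresholds. The following Python is an added example, not Cisco code, that states both rules as functions over constructed filter data; the `DynamicFilter` dataclass, the sample rates, and the `idle_period` parameter (standing in for the "predefined period of time" the page does not quantify) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class DynamicFilter:
    """Hypothetical view of one Dynamic filter's state (not a Guard data structure)."""
    name: str
    timeout_expired: bool     # the Dynamic filter timeout from "Configuring Parameters"
    current_rate_pps: float   # traffic currently matching the filter
    average_rate_pps: float   # average over the policy's Timeout span


def filter_can_terminate(f: DynamicFilter, malicious_rate_pps: float,
                         malicious_threshold_pps: float, filter_rate_threshold_pps: float) -> bool:
    """Apply the two conditions from the Dynamic filter termination note.
    Nothing is evaluated before the filter's own timeout has expired."""
    if not f.timeout_expired:
        return False
    # Condition 1: total malicious traffic (spoofed + dropped) is at or below the
    # Malicious-rate termination threshold.
    malicious_low = malicious_rate_pps <= malicious_threshold_pps
    # Condition 2: the Filter-rate termination threshold is >= both the filter's
    # current rate and its average rate over the Timeout span.
    filter_quiet = (filter_rate_threshold_pps >= f.current_rate_pps
                    and filter_rate_threshold_pps >= f.average_rate_pps)
    return malicious_low or filter_quiet


def filters_to_inactivate(filters: List[DynamicFilter], spoofed_pps: float, dropped_pps: float,
                          malicious_threshold_pps: float, filter_rate_threshold_pps: float) -> List[str]:
    """Names of the filters the Guard could inactivate given the zone-wide rates."""
    malicious = spoofed_pps + dropped_pps
    return [f.name for f in filters
            if filter_can_terminate(f, malicious, malicious_threshold_pps, filter_rate_threshold_pps)]


def protection_can_end(active_filter_count: int, last_filter_added: Optional[datetime],
                       now: datetime, idle_period: timedelta) -> bool:
    """Protection-end Timer rule: protect mode may end when no Dynamic filters are
    in use and no new filter has been added for idle_period. The page calls this a
    "predefined period of time" without giving its value, hence the parameter."""
    if active_filter_count > 0:
        return False
    return last_filter_added is None or now - last_filter_added >= idle_period


# Constructed sample filters and thresholds (not from the page).
SAMPLE_FILTERS = [
    DynamicFilter("f1", timeout_expired=True, current_rate_pps=50, average_rate_pps=80),
    DynamicFilter("f2", timeout_expired=True, current_rate_pps=900, average_rate_pps=700),
    DynamicFilter("f3", timeout_expired=False, current_rate_pps=10, average_rate_pps=10),
]
MALICIOUS_THRESHOLD_PPS = 1000
FILTER_RATE_THRESHOLD_PPS = 100

if __name__ == "__main__":
    # Attack still heavy (1700 pps malicious): only the quiet filter f1 qualifies.
    print(filters_to_inactivate(SAMPLE_FILTERS, 800, 900,
                                MALICIOUS_THRESHOLD_PPS, FILTER_RATE_THRESHOLD_PPS))
    # Malicious traffic has subsided (500 pps): every expired filter qualifies.
    print(filters_to_inactivate(SAMPLE_FILTERS, 200, 300,
                                MALICIOUS_THRESHOLD_PPS, FILTER_RATE_THRESHOLD_PPS))
    t0 = datetime(2024, 1, 1, 12, 0)
    print(protection_can_end(0, t0, t0 + timedelta(minutes=30), timedelta(minutes=20)))
```

Note that f3 never qualifies in either scenario: the thresholds are only consulted after the filter's timeout expires, so a short timeout with a high Malicious-rate threshold will drop filters while an attack is still being absorbed, and a long timeout keeps filters in place (and protect mode running) well after the attack ends.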
Reconfiguring a Zone
To reconfigure an existing zone, select Configuration > General from the zone main menu and click the Config button below the first table.
Deleting a Zone
To delete a zone, select Zones > Zone list from the Guard module main menu, select the check box for the zone and click Delete.
Zone Status Icons
Icons represent the zone status and appear in the navigation pane and in the zone status bar. Table 4-3 describes the zone status icons.
Table 4-3 Zone Status Icons
Icon | Status
(standby icon) | Zone in standby mode
(learning icon) | Zone in the learning process (the policy construction phase or the threshold tuning phase)
(protect icon) | Zone in protect mode
(new recommendations icon) | New recommendations. This icon appears in addition to the zone icon and indicates that new recommendations are available.