Table Of Contents
Product Overview
Understanding the Cisco Anomaly Guard Module
Understanding DDoS
Understanding Zones
Understanding How the Guard Module Operates
Understanding the Learning Process
Understanding the Zone Policies
Understanding How the Guard Module Performs Zone Protection
Understanding the Protect and Learn Function
Understanding On-Demand Protection
Using Attack Reports
Understanding the Protection Process
Understanding the Protection Cycle
Product Overview
This guide provides instructions for the Cisco Anomaly Guard Module (Guard module). It describes how to perform administration tasks and the general operations needed to run the Guard module, and explains how to use the Guard module.
This chapter provides a general overview of the Cisco Anomaly Guard Module (Guard) and describes its components and how it works. The chapter contains the following sections:
• Understanding the Cisco Anomaly Guard Module
• Understanding DDoS
• Understanding Zones
• Understanding How the Guard Module Operates
• Understanding the Protection Process
• Understanding the Protection Cycle
Understanding the Cisco Anomaly Guard Module
You can install the Cisco Anomaly Guard Module (Guard module) in one of the following products:
• Catalyst 6500 series switch with a Supervisor Engine 2 and a Multilayer Switch Feature Card 2 (MSFC2), or Supervisor Engine 720. The Catalyst 6500 requires IOS Release 12.2(18)SXD3 and later releases.
• Cisco 7600 series router with a Supervisor Engine 720. The Cisco 7600 series router requires IOS Release 12.2(18)SXE and later releases.
The Guard module protects a network element, the zone, against DDoS attacks. The Guard module receives the diverted traffic from the attacked targets, identifies and removes specific attack packets, and forwards legitimate traffic packets to their original destination. See the "Understanding Zones" section for more information.
Typically, you deploy the Guard module in a distributed upstream configuration at the backbone level. When the Guard module detects an attack, it diverts only traffic of the attacked zone to the Guard. Traffic of other zones continues to flow unhindered. The Guard module analyzes the packets and removes the DDoS components so that clean traffic packets can flow to the intended zone.
The Guard module constantly filters the traffic and stays on the alert for evolving attack patterns.
The Guard module has the following features:
• Traffic diversion mechanisms that divert the zone traffic to the learning and protection processes and then return the legitimate traffic flow back to the zone while preventing interference with network traffic.
• An algorithm-based learning system that learns the zone traffic, adapts itself to its particular characteristics, and supports the protection processes with references and protection instructions in the form of thresholds and policies. In addition, the Guard module has on-demand protection for situations in which the zone is under attack but the Guard module has not yet completed the learning process and has not finished tuning to the zone traffic.
• Protection processes that can distinguish between legitimate and suspicious traffic and can filter the malicious traffic so that only the legitimate traffic is allowed to pass on to the zone.
Integrating these components enables the Guard to assume its protective role when there is an attack, but to remain unobtrusively in the background for the rest of the time. When there are no suspected attacks you do not need to activate the diversion process, and the Guard module does not see the traffic.
Understanding DDoS
Distributed Denial of Service (DDoS) attacks occur when malicious users cause thousands of compromised computers (zombies) to run automated scripts that hinder a protected server's network resources with spurious requests for service. The attacks can be a flood of spurious home page requests to a Web server that shuts out legitimate users or efforts that compromise the availability and accuracy of Domain Name System (DNS) servers. Although often launched by an individual, the compromised computers that actually execute the attacking code may number in the hundreds of thousands, and are distributed over multiple autonomous systems and may be administered by multiple organizations. These distributed attacks generate a traffic volume that cannot be handled by the lower bandwidths available at a typical zone. See the "Understanding Zones" section for information about zones.
A DDoS defense system has to be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network.
Understanding Zones
The Guard module protects a network element, known as a zone, against DDoS attacks. A zone can be one of the following elements:
• A network server, client, or router
• A network link, subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
• Any combination of the above
The Guard module can protect different zones simultaneously as long as their network address ranges do not overlap.
When you define a zone, you configure parameters such as the network addresses and the policies that the Guard module uses for zone protection. You assign a name to the zone, and use this name to refer to it.
Understanding How the Guard Module Operates
To protect the target host (zone), the Guard module diverts the zone traffic to itself. You can wait for an external indication of an attack, such as from a Cisco Traffic Anomaly Detector Module, before setting the Guard module to protect the zone, or you can instruct the Guard module to protect the zone as soon as you complete configuring the zone. The Guard module analyzes the data flow, blocks all DDoS elements, removes the malicious packets from the diverted stream, and returns the clean traffic to the main data path so that it continues flowing to the intended zone. Figure 1-1 describes the protection operation.
The diversion is configured globally, via the Guard module routing configuration. See "Configuring Traffic Diversion" for more information.
Figure 1-1 Cisco Anomaly Guard Module Operation
The Guard module learns the zone traffic characteristics so that it can form a basis on which to compare zone traffic and trace any anomalies that might become malicious.
This section contains the following topics:
• Understanding the Learning Process
• Understanding the Zone Policies
• Understanding How the Guard Module Performs Zone Protection
• Understanding the Protect and Learn Function
• Understanding On-Demand Protection
• Using Attack Reports
Understanding the Learning Process
The learning process consists of the following two phases:
• Policy Construction Phase—Creates the zone policies. The policy templates provide the rules that the Guard module uses to construct the zone policies. The traffic flows transparently through the Guard module, which allows it to discover the main services that the zone uses.
• Threshold Tuning Phase—Tunes the zone policies to fit the traffic rates of the zone services. The traffic flows transparently through the Guard module, which enables it to tune the thresholds for the services that it discovered during the policy construction phase.
Understanding the Zone Policies
The zone policies are the building blocks of the Guard module and are the basis against which the Guard module compares the zone traffic in order to trace any anomalies that might become malicious. When the traffic flow exceeds a policy threshold, the Guard module identifies the traffic as abnormal or malicious and dynamically configures a set of filters (dynamic filters) to apply the appropriate protection level to the traffic flow according to the severity of the attack.
See "Configuring Zones" for more information on traffic learning. See "Configuring Policy Templates and Policies" for more information on zone policies.
Understanding How the Guard Module Performs Zone Protection
You can activate the Guard protection in the following ways:
• Automatic protect mode—The dynamic filters are activated automatically.
• Interactive protect mode—The dynamic filters are activated manually and interactively. The dynamic filters are grouped as recommended actions for you to complete. You can review these recommendations and decide whether to accept them, ignore them, or direct them to automatic activation.
See "Using Interactive Protect Mode" for more information.
Understanding the Protect and Learn Function
You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to enable the Guard module to learn the zone policy thresholds and at the same time monitor the policy thresholds for traffic anomalies. When the Guard module detects an attack, it stops the learning process but continues zone protection. This process prevents the Guard module from learning malicious traffic thresholds. The Guard module resumes the learning process when the attack ends. See the "Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously" section for more information.
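The learning phases, the zone policy thresholds, and the protect-and-learn behavior described in the preceding sections can be followed in a small simulation. The code below is an added illustration and is not the Guard module's own code or algorithm: the flow records, the per-service policy keyed on protocol and destination port, the threshold rule (learned peak rate times an assumed headroom margin), and the rule that an attack ends when no policy is exceeded in an interval are all assumptions chosen to make the mechanism visible.

```python
"""Simplified model of the learning process (policy construction and threshold
tuning), zone policies, and the protect-and-learn function.
Added illustration only; the data model and threshold rule are assumptions,
not the Cisco Anomaly Guard Module's own implementation."""
from dataclasses import dataclass, field

MARGIN = 1.5  # assumed headroom above the learned peak rate (not a Cisco value)


@dataclass
class Flow:
    """One service's traffic in a one-second interval (constructed sample data)."""
    protocol: str   # "tcp", "udp" or "icmp"
    dst_port: int   # 0 for protocols without ports
    pps: int        # packets per second observed for this service


@dataclass
class Zone:
    name: str
    services: set = field(default_factory=set)       # found in policy construction
    peak: dict = field(default_factory=dict)         # highest learned rate per service
    thresholds: dict = field(default_factory=dict)   # zone policy thresholds
    dynamic_filters: list = field(default_factory=list)


def construct_policies(zone, intervals):
    """Policy construction phase: discover which services the zone uses."""
    for flows in intervals:
        for f in flows:
            zone.services.add((f.protocol, f.dst_port))


def tune_thresholds(zone, flows):
    """Threshold tuning phase: update each discovered service's peak and threshold."""
    for f in flows:
        key = (f.protocol, f.dst_port)
        if key not in zone.services:
            continue
        zone.peak[key] = max(zone.peak.get(key, 0), f.pps)
        zone.thresholds[key] = int(zone.peak[key] * MARGIN)


def check_policies(zone, flows):
    """Zone policies: report every service whose rate exceeds its threshold."""
    hits = []
    for f in flows:
        key = (f.protocol, f.dst_port)
        threshold = zone.thresholds.get(key)
        if threshold is not None and f.pps > threshold:
            hits.append({"service": key, "rate": f.pps, "threshold": threshold})
    return hits


def protect_and_learn(zone, intervals):
    """Tune thresholds while protecting. Learning is suspended for as long as
    an attack is in progress, so attack rates never become thresholds; the
    dynamic filters are erased once an interval passes with no policy hit."""
    timeline = []
    for t, flows in enumerate(intervals):
        hits = check_policies(zone, flows)
        if hits:
            zone.dynamic_filters.extend(hits)   # protection continues
            timeline.append((t, "attack", len(hits)))
            continue                            # learning paused
        zone.dynamic_filters.clear()            # attack over: dynamic filters erased
        tune_thresholds(zone, flows)            # learning resumes
        timeline.append((t, "learning", 0))
    return timeline


def demo():
    """Run both learning phases on constructed baseline traffic, then
    protect-and-learn on traffic that contains a DNS flood."""
    zone = Zone("web-zone")
    baseline = [  # constructed clean traffic
        [Flow("tcp", 80, 100), Flow("udp", 53, 50)],
        [Flow("tcp", 80, 120), Flow("udp", 53, 60)],
    ]
    construct_policies(zone, baseline)
    for flows in baseline:
        tune_thresholds(zone, flows)
    live = [  # constructed: intervals 1 and 2 carry attack-level rates
        [Flow("tcp", 80, 150), Flow("udp", 53, 70)],
        [Flow("tcp", 80, 140), Flow("udp", 53, 5000)],
        [Flow("tcp", 80, 9000), Flow("udp", 53, 4000)],
        [Flow("tcp", 80, 130), Flow("udp", 53, 65)],
    ]
    timeline = protect_and_learn(zone, live)
    return zone, timeline


if __name__ == "__main__":
    zone, timeline = demo()
    print(zone.thresholds)
    print(timeline)
```

After the run, the UDP/53 threshold still reflects only the clean peak of 70 pps (105 with the margin) even though 5000 and 4000 pps were seen during the flood, which is the point of suspending learning while an attack is in progress.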
Understanding On-Demand Protection
You can also protect a zone without enabling the Guard module to learn the zone traffic characteristics by using the system-defined zone templates that include predefined policies and filters that are suitable for protecting a zone of which the Guard module does not know the traffic characteristics. See the "Enabling On-Demand Protection" section for more information.
Using Attack Reports
The Guard module provides an attack report for every zone so that you can display the zone status. The attack report provides details of the attack, starting with the creation of the first dynamic filter and ending with protection termination. See "Understanding Attack Reports" for more information.
Understanding the Protection Process
The Guard module uses four types of filters to direct the zone traffic to the required protection level. You can configure these filters to customize the traffic flow and control the anti-DDoS protection operation.
The Guard module uses the following types of filters:
• User filters—Apply the required protection level to the specified traffic flows.
• Bypass filters—Prevent the Guard module from handling specific traffic flows.
• Flex-Content filters—Count or drop a specified traffic flow. The Flex-Content filter provides extremely flexible filtering capabilities and can filter according to fields in the IP and TCP headers and according to content bytes.
• Dynamic filters—Apply the required protection level to the specified traffic flows. The Guard module creates dynamic filters based on its analysis of the traffic flow. The Guard module continuously adapts this set of filters to the zone traffic and the type of the DDoS attack. Dynamic filters have a limited life span and are erased after the attack ends.
The Guard module has three protection levels in which it applies different processes to the traffic flows:
• Analysis protection level—The Guard module allows the traffic to flow monitored, but unhindered, during zone protection as long as no anomalies are traced. Once the Guard module traces anomalies, it directs the traffic to the appropriate protection level.
• Basic protection level—The Guard module activates anti-spoofing and anti-zombie functions that authenticate the traffic by inspecting the suspicious traffic flow to verify its source.
• Strong protection level—The Guard module activates severe anti-spoofing functions that inspect the packets of the traffic flow to verify their legitimacy.
The Guard module performs statistical analysis of the traffic and coordinates between the zone policies, which monitor the zone traffic for anomalies, and the zone filters. In addition, it limits the rate of traffic that it injects on to the zone to prevent traffic overflow.
Understanding the Protection Cycle
The Guard protection cycle applies the zone filters, the zone policies and the Guard protection levels to the traffic flow to clean the zone traffic and inject legitimate traffic only to the zone. Figure 1-2 illustrates the Guard protection cycle.
Figure 1-2 The Guard Protection Cycle
Once zone protection is activated, the zone policies monitor the zone traffic flow. The policies take action against a particular traffic flow when the flow exceeds the policy threshold. The actions can range from issuing a notification to creating new filters (dynamic filters) that direct the diverted traffic to the relevant protection levels. The Guard module uses several types of authentication methods, dependent on the protection level, to authenticate the traffic. The Guard module analyzes the traffic flow, drops the traffic that exceeds the defined rate that the zone can handle, and then injects the legitimate traffic back to the zone.
The Guard module runs a closed-loop feedback cycle that adjusts its protection measures to the dynamically changing zone traffic characteristics. The Guard module adopts the proper protection strategies to answer the changing DDoS attack types and traffic flows. The Guard module stops zone protection when, over a predefined period of time, no dynamic filters are in use, no traffic to the zone has been dropped, and no new dynamic filters have been added.
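To make the protection process and the protection cycle concrete, the following added example models the four filter types, the three protection levels, the injection rate limit, and the inactivity rule that ends zone protection. It is not the Guard module's code: the match fields, the evaluation order (bypass filters first, then Flex-Content drops, then the strongest protection level that any user or dynamic filter assigns), the dynamic-filter lifetime counted in intervals, and the two Boolean flags that stand in for what source and session authentication would verify are all assumptions.

```python
"""Simplified model of the Guard protection process and protection cycle.
Added illustration only; evaluation order, lifetimes and the verification
flags are assumptions, not the Cisco Anomaly Guard Module's implementation."""
from dataclasses import dataclass

LEVELS = ["analysis", "basic", "strong"]   # ordered from weakest to strongest


@dataclass
class Packet:
    """Constructed packet summary with stand-ins for authentication results."""
    src: str
    proto: str
    dport: int
    payload: bytes = b""
    src_verified: bool = True    # stand-in: source passed an anti-spoofing check
    legit_session: bool = True   # stand-in: packet belongs to a verified session


@dataclass
class Filter:
    kind: str                # "bypass", "user", "flex" or "dynamic"
    proto: str = None        # None matches any protocol
    dport: int = None        # None matches any destination port
    content: bytes = b""     # flex only: bytes that must appear in the payload
    action: str = None       # flex: "count" or "drop"; user/dynamic: a level
    ttl: int = 0             # dynamic only: intervals left before it is erased

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and self.content in p.payload)


class ZoneProtection:
    def __init__(self, filters, inject_limit_pps, idle_intervals):
        self.filters = list(filters)
        self.inject_limit = inject_limit_pps   # max packets injected per interval
        self.idle_intervals = idle_intervals   # quiet intervals before protection stops
        self.idle, self.new_dynamic, self.active = 0, False, True
        self.counters = {"bypassed": 0, "dropped": 0, "injected": 0, "flex_counted": 0}

    def add_dynamic_filter(self, proto, dport, level, ttl):
        """A policy hit produces a dynamic filter with a limited life span."""
        self.filters.append(Filter("dynamic", proto, dport, action=level, ttl=ttl))
        self.new_dynamic = True

    def handle(self, p):
        """Return 'bypass', 'drop' or 'inject' for one packet."""
        hits = [f for f in self.filters if f.matches(p)]
        if any(f.kind == "bypass" for f in hits):
            return "bypass"                          # Guard does not handle this flow
        level = "analysis"
        for f in hits:
            if f.kind == "flex":
                if f.action == "drop":
                    return "drop"
                self.counters["flex_counted"] += 1   # flex "count" action
            else:                                    # user or dynamic filter
                level = max(level, f.action, key=LEVELS.index)
        if level == "basic" and not p.src_verified:
            return "drop"                            # anti-spoofing / anti-zombie
        if level == "strong" and not (p.src_verified and p.legit_session):
            return "drop"                            # severe anti-spoofing
        return "inject"

    def run_interval(self, packets):
        """Apply filters and levels, rate-limit injection, age dynamic filters,
        and evaluate the inactivity rule that ends zone protection."""
        injected = dropped = 0
        for p in packets:
            verdict = self.handle(p)
            if verdict == "bypass":
                self.counters["bypassed"] += 1
            elif verdict == "inject" and injected < self.inject_limit:
                injected += 1
            else:
                dropped += 1          # filtered, failed authentication, or over rate
        self.counters["dropped"] += dropped
        self.counters["injected"] += injected
        for f in self.filters:
            if f.kind == "dynamic":
                f.ttl -= 1
        self.filters = [f for f in self.filters if f.kind != "dynamic" or f.ttl > 0]
        dynamic_in_use = any(f.kind == "dynamic" for f in self.filters)
        if dynamic_in_use or dropped or self.new_dynamic:
            self.idle = 0             # the cycle is still active
        else:
            self.idle += 1
            if self.idle >= self.idle_intervals:
                self.active = False   # quiet long enough: protection stops
        self.new_dynamic = False
        return {"injected": injected, "dropped": dropped, "active": self.active}


def demo():
    filters = [  # constructed zone configuration
        Filter("bypass", proto="udp", dport=123),
        Filter("user", proto="tcp", dport=80, action="basic"),
        Filter("flex", proto="tcp", dport=80, content=b"/cgi-bin/evil", action="drop"),
        Filter("flex", proto="tcp", dport=443, action="count"),
    ]
    zp = ZoneProtection(filters, inject_limit_pps=3, idle_intervals=2)
    zp.add_dynamic_filter("udp", 53, "strong", ttl=1)   # from a DNS policy hit
    burst = [  # constructed packets for one interval
        Packet("10.0.0.1", "udp", 123),                           # bypassed
        Packet("10.0.0.2", "tcp", 80),                            # basic, verified
        Packet("10.0.0.3", "tcp", 80, src_verified=False),        # basic, spoofed
        Packet("10.0.0.4", "tcp", 80, payload=b"GET /cgi-bin/evil"),  # flex drop
        Packet("10.0.0.5", "udp", 53),                            # strong, verified
        Packet("10.0.0.6", "udp", 53, legit_session=False),       # strong, rejected
        Packet("10.0.0.7", "tcp", 443),                           # analysis, counted
        Packet("10.0.0.8", "tcp", 443),                           # counted, over rate
    ]
    quiet = [Packet("10.0.0.2", "tcp", 80)]
    results = [zp.run_interval(burst), zp.run_interval(quiet), zp.run_interval(quiet)]
    return zp, results


if __name__ == "__main__":
    zp, results = demo()
    print(results, zp.counters)
```

In the run, the first interval injects three packets and drops four (one spoofed source, one Flex-Content drop, one failed strong authentication, one over the injection limit), the dynamic filter expires at the end of that interval, and after two consecutive quiet intervals with no drops and no dynamic filters the cycle ends zone protection.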