Cisco Traffic Anomaly Detector Web-Based Management Configuration Guide (Software Version 3.08)
Detecting Traffic Anomalies

Table Of Contents

Detecting Traffic Anomalies

Overview

Zone Detection

Activating Detection

Deactivating Detection

Dynamic Filters

Dynamic Filter Details

Deleting Dynamic Filters

Interactive Recommendations Mode

Activating the Interactive Recommendations Mode

Viewing New Recommendations

Deciding on the Detector's Recommendations

Pending Dynamic Filters

Pending Dynamic Filter Details


Detecting Traffic Anomalies


This chapter describes how to perform tasks for detecting zone traffic anomalies and DDoS attacks on the Cisco Traffic Anomaly Detector using the Web-Based Management (WBM).

Processes described in this chapter must be performed after completing the Cisco Traffic Anomaly Detector configuration and zone configuration described in the previous chapters of this guide.

This chapter includes the following sections:

Overview

Zone Detection (activate/deactivate detection)

Dynamic Filters (view or manage Dynamic filters while a traffic anomaly is indicated)

Interactive Recommendations Mode (using the Detector's recommendations)

Overview

Before activating the Cisco Traffic Anomaly Detector's detection for a zone, it is recommended to let the Detector study the zone's traffic patterns. The monitoring feature allows the Cisco Traffic Anomaly Detector to learn the traffic patterns of each zone and to create sets of recommended thresholds for statistical analysis of the traffic.

After learning the zone traffic characteristics, the Detector is ready to detect zone traffic anomalies. You can also activate detection immediately after completing the zone configuration; the Detector then begins to apply its detection policies.

The Detector's detection can be activated in one of two modes:

Automatic detection mode—Activation of the dynamic filters is carried out without user intervention.

Interactive detection mode—Dynamic filters are activated manually, in an interactive mode. The Dynamic filters are grouped as recommendations that await user decision. You may review these recommendations and manually decide which of them to accept, ignore, or direct to automatic activation.

See the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details.

When the Detector's detection policies sense anomalous or malicious traffic (by means of a threshold violation), they dynamically configure a set of filters (Dynamic filters) to take the appropriate action.

The Cisco Traffic Anomaly Detector system provides a series of tools for adjusting a zone's detection mechanism while detection is active.

Zone Detection

After learning the zone traffic characteristics, the Detector is ready to detect zone traffic anomalies. During the zone detection process, the Detector applies its detection policies.

Figure 7-1 Detection Menu

Activating Detection

To activate zone detection, perform one of the following:

On the Zone's "home page", click Detect.

From the Zone's main menu, select Detection > Detect.

Deactivating Detection

To deactivate the zone's detection, perform one of the following:

On the Zone's "home page", click Deactivate.

From the Zone's main menu, select Detection > Deactivate.

Dynamic Filters

As the Detector analyses the zone traffic, it processes its analysis results into a set of filters that are continuously adapted to the zone traffic and to the type of DDoS attack. This filter set consists of the Dynamic filters. Once anomalous traffic is detected, the Dynamic filters either notify the Detector's syslog or activate a remote Guard or Guards.

For a comprehensive overview of Dynamic filters, refer to Chapter 8, "Advanced Filter Procedures," in the Cisco Traffic Anomaly Detector User Guide.

To view the Dynamic filters, perform one of the following:

From the Zone's main menu, select Detection > Dynamic filters.

On the Zone's "home page", click Active dynamic filters in the zone's status summary table.

Figure 7-2 Dynamic Filters Table

The Dynamic filters table (Figure 7-2) displays the dynamic filters grouped according to the policy that created them.

The information in the table is related to the ongoing attack. The table includes the following information:

Parameter
Description
Created by

Indicates the policy that created the filter. Clicking on the policy name will display the Policy details (see the "Zone Policies" section in "Zone Traffic Learning and Policy Construction," for further details).

Activation

Indicates the date and time the filter was activated.

Expiration

Indicates the filter expiration time. After that, the filter is erased.

Src IP

Indicates the source IP address the Dynamic filter is applied on.

Protocol

Indicates the protocol number the Dynamic filter is applied on.

Dst Port

Indicates the destination port the Dynamic filter is applied on.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

Indicates the action taken by the filter.

Rate (pps)

Indicates the approximate attack rate.

Details

Indicates whether additional information can be viewed for this filter. Click i for additional information.


A value of "*" for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the filter's parameter.

To display detailed information on the filter:

Click i in the details column (see the "Dynamic Filter Details" section for further details).

Dynamic Filter Details

The Dynamic Filter Details provides detailed information on the dynamic filters.

To display the detected anomalies details table:

From the details column in the Dynamic Filter table, click i.

Figure 7-3 Dynamic Filter Details

The Dynamic filter details screen (Figure 7-3) includes three tables:

Information on the policy that created the filter—as detailed above.

Information on the attack flow—as detailed above.

Information on the filter creation trigger:

Parameter
Description
Policy Threshold

Indicates the threshold defined for the policy that was violated by the attack.

Triggering rate

Indicates the approximate attack rate that triggered the production of the dynamic filter.


Deleting Dynamic Filters

You may wish to delete Dynamic filters.

To delete a Dynamic filter:

1. Select the check box next to the filter in the Dynamic Filters table (see Figure 7-2).

2. Click Delete.

You may choose to remove all dynamic filters. The action is effective only for a limited period of time, since the Detector, being in Detection operation mode, continues to create new Dynamic filters to adapt its detection to the dynamically changing traffic state.


Note To prevent undesired Dynamic filters from being reproduced, deactivate the policy that produces them (see the "Policy Configuration" section in "Zone Traffic Learning and Policy Construction," for further details). To find out which policy produced the undesired Dynamic filters see the sections about viewing Dynamic filters in this chapter. Alternatively, you may perform one of the following:

Configure a Bypass filter for the desired traffic flow (see the "Bypass Filter Configuration" section in "Advanced Zone Procedures," for further details).

Increase the Threshold of the policy that produced the undesired Dynamic filter.


Interactive Recommendations Mode

In the Interactive Recommendations mode, the Detector lets you decide on the activation of the filters that the policies launch. The Detector acts according to your decision to accept or ignore the filter's activation. In this way, you decide in real time which of the Detector's action measures are produced. The interactive mode enhances your control over the activation of the Detector's detection measures as a DDoS attack progresses.

The recommendations are a summary of the pending dynamic filters aggregated according to the policies that produced them. The Detector recommendation data consists of the policy name that recommended it, data on the traffic anomaly that resulted in policy activation, the number of pending filters and the recommended action.

For a comprehensive overview of the Interactive recommendations mode, refer to the "Interactive Recommendations Mode" section in Chapter 6, "Filter Procedures," in the Cisco Traffic Anomaly Detector User Guide.

Activating the Interactive Recommendations Mode

The operation mode is a characteristic of a zone.

To activate the interactive recommendations mode:

1. From the Zone's main menu select Configuration > General.

2. Click Config.

3. Set the operation mode to interactive.

4. Click OK.

See the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details.

You may choose to end the interactive mode of operation at any time and thus return to the automatic operation mode. This results in the Detector disregarding the decisions made while in the interactive mode. The policies resume their role of automatically producing and activating their filters and automatically accept all pending Dynamic filters and recommendations.

Viewing New Recommendations

New recommendations are indicated by the recommendations icon.

The recommendations icon appears in the following locations:

On the navigation pane, next to the zone's icon in the All Zones list

On the navigation pane, next to the zone's icon in the Under detection list

On the Zone's "home page", in the zone status bar

In the Zone list table

When the Detector offers new recommendations, an additional indication is apparent in the form of the number of pending Dynamic filters that is greater than zero. This can be viewed in the zone's status summary on the Zone's "home page" under Pending Dynamic filters.

To view new recommendations, perform one of the following:

From the Zone's main menu select Detection > Recommendations.

On the Zone's "home page", click Pending Dynamic filters in the zone's status summary.

Figure 7-4 Recommendations

The Recommendations table (Figure 7-4) provides the following information:

Parameter
Description
ID

Indicates the detection recommendation identification number.

Recommendation

Indicates the recommended action.

Created By

Indicates the policy that created the filter. Click on the policy name to display the Policy details (see the "Configuring the Policy Operational Parameters" section in "Zone Traffic Learning and Policy Construction," for further details).

# of PFs

Indicates the number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of traffic flow that violated the policy threshold. Click on the number to view the pending dynamic filters that constitute the recommendation.

Attack flow

Provides information on the attack flow:

Src IP—Indicates the source IP address of the attack stream.

Protocol—Indicates the protocol number of the attack stream.

Dst Port—Indicates the destination port of the attack stream.

Dst IP—Indicates the destination IP address of the attack stream.

Thr.

Indicates the policy threshold, in pps, that was violated.

Min. Recent Rate

Indicates the minimum attack rate measured in pps.

Note The rate of the lowest pending filter is displayed for Recommendations that aggregate several pending filters.

Max. Recent Rate

Indicates the maximum attack rate measured in pps.

Note The rate of the highest pending filter is displayed for Recommendations that aggregate several pending filters.

Creation

Indicates the date and time the recommendation was created.


A value of "*" for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the filter's parameter.
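How the Recommendations table is built from pending Dynamic filters, as an added Python model (not Cisco's code): filters are grouped by the policy that produced them, each attack-flow cell shows "*" when the value is undetermined or more than one value was measured, and Min./Max. Recent Rate are the lowest and highest pending filter rates. Policy names, addresses and rates are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingFilter:
    """One pending Dynamic filter: a flow that violated a policy threshold."""
    policy: str
    src_ip: str
    protocol: int
    dst_port: int
    dst_ip: str          # None means the value is undetermined
    threshold_pps: int
    recent_rate_pps: int
    trig_rate_pps: int


def merge_values(values):
    """Table cell rule: '*' if undetermined or more than one value was measured."""
    distinct = {v for v in values if v is not None}
    return distinct.pop() if len(distinct) == 1 else "*"


def aggregate_recommendations(pending):
    """Group pending filters by creating policy into Recommendations table rows."""
    by_policy = {}
    for pf in pending:
        by_policy.setdefault(pf.policy, []).append(pf)
    rows = []
    for rec_id, (policy, pfs) in enumerate(sorted(by_policy.items()), start=1):
        rows.append({
            "id": rec_id,
            "created_by": policy,
            "num_pfs": len(pfs),
            "src_ip": merge_values(p.src_ip for p in pfs),
            "protocol": merge_values(p.protocol for p in pfs),
            "dst_port": merge_values(p.dst_port for p in pfs),
            "dst_ip": merge_values(p.dst_ip for p in pfs),
            "thr_pps": merge_values(p.threshold_pps for p in pfs),
            "min_recent_rate": min(p.recent_rate_pps for p in pfs),  # lowest pending filter
            "max_recent_rate": max(p.recent_rate_pps for p in pfs),  # highest pending filter
        })
    return rows


# Constructed sample (hypothetical policy names, documentation-range addresses):
# two source IPs violated the same policy; a third flow violated another one.
SAMPLE_PENDING = [
    PendingFilter("tcp_services/80/syn", "192.0.2.10", 6, 80, "198.51.100.5", 500, 1200, 900),
    PendingFilter("tcp_services/80/syn", "192.0.2.11", 6, 80, "198.51.100.5", 500, 3400, 2100),
    PendingFilter("udp_services/53/any", "203.0.113.7", 17, 53, None, 200, 650, 400),
]
```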

Deciding on the Detector's Recommendations

The Detector enables you to decide on its policies' recommendations. Your decisions determine whether a pending filter is activated or not. You may also instruct the Detector to always activate a specific policy's pending filters automatically; the Detector then no longer displays that policy's recommendations for you to decide on.

You may, alternatively, decide to instruct the Detector to prevent a policy from producing recommendations (and their pending filters). To prevent a policy from producing recommendations, the policy should be disabled or inactivated. See the "Configuring the Policy Operational Parameters" section in "Zone Traffic Learning and Policy Construction," for further details.

As the DDoS attack continues and its characteristics change, the Detector's policies continue to produce recommendations that you must view and decide on.

The Detector activates the Dynamic Filters (see the "Dynamic Filters" section in this chapter for further details) produced by the policies for the user-defined (Filters timeout) time span.

To decide on the Detector's recommendations:

1. Enter the filter's timeout, in the Filters timeout box.

2. Select the checkbox next to the recommendation.

3. Click the required action (Accept, Always accept, Always ignore).

The available actions are:

Accept

Accept the specific recommendation. The recommendation's pending filters are activated.

Always Accept

Accept the specific recommendation. The decision applies automatically whenever the recommendation policy produces new recommendations.

Note The Detector doesn't display the 'always-accept' recommendations.

Always Ignore

Ignore the specific recommendation. No dynamic filter or filters will be produced by the recommendation. The decision automatically applies to all future recommendations produced by the recommendation's policy.

Note The future Dynamic filters will only be ignored for the current detection. To prevent a policy from producing recommendations, the policy should be disabled or inactivated.


You may also decide to selectively accept Pending Dynamic filters as opposed to accepting the recommendation. See the "Pending Dynamic Filters" section in this chapter for further details.
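The decision logic described in this section (Accept, Always accept, Always ignore, the Filters timeout, and the return to automatic mode), as an added Python model that is not Cisco's code. Policy names and flows are constructed, and times are plain integer seconds so it runs offline.

```python
ACCEPT, ALWAYS_ACCEPT, ALWAYS_IGNORE = "accept", "always_accept", "always_ignore"


class InteractiveState:
    """Per-zone state for the current detection (hypothetical model)."""

    def __init__(self):
        self.standing = {}  # policy name -> ALWAYS_ACCEPT or ALWAYS_IGNORE
        self.active = []    # activated dynamic filters: (policy, src_ip, expires_at)
        self.pending = []   # recommendations awaiting a user decision


def decide(state, rec, action, filters_timeout, now):
    """Apply a user decision to one recommendation (one policy's pending filters)."""
    if action in (ACCEPT, ALWAYS_ACCEPT):
        # Accepted pending filters become active for the user-defined Filters timeout
        for src_ip in rec["pending_filters"]:
            state.active.append((rec["created_by"], src_ip, now + filters_timeout))
    if action in (ALWAYS_ACCEPT, ALWAYS_IGNORE):
        # Standing decision: applies to this policy's future recommendations
        state.standing[rec["created_by"]] = action
    state.pending = [r for r in state.pending if r is not rec]


def route(state, rec, filters_timeout, now):
    """Where a newly produced recommendation goes, given standing decisions."""
    standing = state.standing.get(rec["created_by"])
    if standing == ALWAYS_ACCEPT:
        decide(state, rec, ACCEPT, filters_timeout, now)
        return "activated"   # not shown to the user
    if standing == ALWAYS_IGNORE:
        return "ignored"     # no dynamic filter is produced
    state.pending.append(rec)
    return "pending"         # shown in the Recommendations table


def expire(state, now):
    """Erase dynamic filters whose expiration time has passed; return active count."""
    state.active = [f for f in state.active if f[2] > now]
    return len(state.active)


def end_interactive_mode(state, filters_timeout, now):
    """Return to automatic mode: accept all pending, discard standing decisions."""
    for rec in list(state.pending):
        decide(state, rec, ACCEPT, filters_timeout, now)
    state.standing.clear()
```

Standing decisions hold only for the current detection, so a new detection starts from an empty state.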

Pending Dynamic Filters

The pending Dynamic filters measure each flow that violated a threshold. Pending Dynamic filters that were produced by the same policy are shown as a single recommendation.

To view the Pending Dynamic filters:

Click on the number of pending filters ("# of PFs" column) in the recommendations table (see Figure 7-4).

Figure 7-5 Pending Dynamic Filters

The Pending Dynamic filters table (Figure 7-5) provides the following information:

Parameter
Description
Created by

Indicates the policy that created the filter. Clicking on the policy name will display the Policy details (see the "Zone Policies" section in "Zone Traffic Learning and Policy Construction," for further details).

Activation

Indicates the date and time the filter was created.

Src IP

Indicates the source IP address of the attack stream.

Protocol

Indicates the protocol number of the attack stream.

Dst Port

Indicates the destination port of the attack stream.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

Indicates the action taken by the filter.

Recent rate

Indicates the current attack rate measured by the filter in pps.

Trig. Rate (pps)

Indicates the triggering rate. The approximate attack rate that triggered the production of the dynamic filter.

Details

Indicates whether additional information is available for this filter. Click i for additional information.


To selectively accept a pending Dynamic filter:

1. Select the checkbox next to the required filter.

2. Click Accept.

You may choose to define a timeout for the Dynamic filter.

Filters timeout—The Detector activates the Dynamic Filters (see the "Dynamic Filters" section in this chapter for further details) produced by the policies for the user-defined time span.

To display detailed information for the filter:

Click i in the details column.

See the "Pending Dynamic Filter Details" section for further details.

Pending Dynamic Filter Details

The pending Dynamic filter details includes three tables:

Information on the policy that created the filter—as detailed above.

Information on the attack flow—as detailed above.

Information on the trigger for the filter creation:

Parameter
Description
Policy Threshold

Indicates the threshold defined for the policy that was violated by the attack.

Triggering rate

Indicates the approximate attack rate that triggered the production of the dynamic filter.

Recent Rate

Indicates the current rate measured by the filter in pps.


Figure 7-6 Pending Dynamic Filter Details