Cisco Traffic Anomaly Detector Web-Based Management Configuration Guide (Software Version 3.08)
Introduction

Introduction


This chapter provides an overview of the Cisco Traffic Anomaly Detector Web-Based Management (WBM) interface. This chapter includes the following sections:

System Requirements

Overview

What is DDoS

The Cisco Traffic Anomaly Detector

Areas of the User Interface (Describes the WBM main areas)

User Interface Conventions

WBM Screen Hierarchy

System Requirements

The Cisco Traffic Anomaly Detector Web-Based Management (WBM) interface requires a web browser (Microsoft Internet Explorer 5 or later) that supports HTML, tables, cookies, JavaScript, and frames.

We recommend a screen resolution of at least 1024 by 768 pixels.

No software installation is required.

Overview

What is DDoS

Distributed Denial of Service (DDoS) attacks are attacks in which malicious individuals cause thousands of compromised computers ("zombies") to run automated scripts that cripple the network resources of a protected server (the zone) with spurious requests for service. An attack can be, for example, a flood of bogus home page requests that shuts legitimate users out of a web server, or an effort that compromises the availability and accuracy of Domain Name System (DNS) servers. Although often launched by a single individual, the zombies actually executing the attack code may number in the hundreds of thousands and are distributed over multiple autonomous systems administered by multiple organizations.

DDoS attacks continuously evolve as sophisticated hackers create damaging new exploits. In addition, their attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal technical knowledge of networking. Thus, DDoS defense technology must be flexible and adaptive.

It must be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network element.

The Cisco Traffic Anomaly Detector

The Detector is Cisco Systems' detection and protection-activation component. The Detector works best alongside the Cisco Guard, but it can also operate as a standalone DDoS detection and alarm component. The Detector receives a copy of the traffic either through the port-mirroring feature of a switch (such as SPAN) or through an optical splitter. It then continuously filters the traffic and stays closely tuned to the zone's traffic characteristics, watching for evolving attack patterns.

To accomplish these tasks, the Cisco Traffic Anomaly Detector employs the following components:

An algorithm-based learning system that learns the zone traffic, adapts itself to the zone's particular characteristics, and supports the Detector's detection mechanisms with references and instructions in the form of thresholds and policies.

A system that either remotely activates one or more Cisco Guards to assume protection of the zone or zones, or records the traffic anomalies in the Detector syslog.

Integrating these components enables the Detector to assume its detection role while unobtrusively staying in the background.
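The two components described above (a learning phase that yields per-service thresholds, and an action phase that either activates protection or records the anomaly) can be illustrated with a small baseline-then-detect loop. The following is an added example written for this guide; it is not Cisco's detection algorithm, and the zone name, service keys, sample packet counts, and the mean-plus-k-standard-deviations threshold rule are all constructed assumptions for illustration.

```python
"""Illustrative baseline-then-detect loop.

Added example, not the Detector's own algorithm. The learning phase
derives one threshold per service from observed per-interval counts;
the action phase compares a new interval against those thresholds and
maps each anomaly to the policy action (activate protection or log).
"""
import statistics

# Constructed sample: packets per interval for each (proto, dst_port)
# service seen while learning one zone's normal traffic.
LEARNING_SAMPLES = {
    ("udp", 53): [1200, 1350, 1100, 1280, 1190, 1310, 1250, 1220],
    ("tcp", 80): [8000, 8200, 7900, 8100, 8050, 8300, 7950, 8150],
}

# Constructed policy: which action a detected anomaly on a service triggers.
# Services without an explicit policy default to "log" (record in syslog).
POLICIES = {
    ("udp", 53): "activate-guard",
}

ZONE_NAME = "example-zone"  # hypothetical zone name


def learn_thresholds(samples, k=3.0, floor=100):
    """Learn a per-service threshold from the observed counts.

    Rule (an assumption for this example): threshold = mean + k * stdev,
    never lower than `floor` so a very quiet service still gets a sane limit.
    """
    thresholds = {}
    for service, counts in samples.items():
        mean = statistics.mean(counts)
        stdev = statistics.pstdev(counts)
        thresholds[service] = max(floor, int(mean + k * stdev))
    return thresholds


def detect(observed, thresholds, policies, default_threshold=500):
    """Compare one interval's counts against the learned thresholds.

    Returns a list of anomaly events. A service the learning phase never
    saw falls back to `default_threshold`, so traffic to an unexpected
    service is flagged rather than silently ignored.
    """
    events = []
    for service, count in observed.items():
        limit = thresholds.get(service, default_threshold)
        if count > limit:
            events.append({
                "service": service,
                "observed": count,
                "threshold": limit,
                "learned": service in thresholds,
                "action": policies.get(service, "log"),
            })
    return events


def format_syslog(event):
    """Render an anomaly event as a single key=value syslog-style line."""
    proto, port = event["service"]
    return (f"zone={ZONE_NAME} proto={proto} port={port} "
            f"observed={event['observed']} threshold={event['threshold']} "
            f"learned={'yes' if event['learned'] else 'no'} "
            f"action={event['action']}")


# Constructed interval to check: DNS/UDP far above baseline, HTTP normal,
# and NTP/UDP (port 123) which the learning phase never observed.
OBSERVED_INTERVAL = {
    ("udp", 53): 9000,
    ("tcp", 80): 8100,
    ("udp", 123): 700,
}


def run_example():
    thresholds = learn_thresholds(LEARNING_SAMPLES)
    events = detect(OBSERVED_INTERVAL, thresholds, POLICIES)
    for event in events:
        print(format_syslog(event))
    return thresholds, events


if __name__ == "__main__":
    run_example()
```

The learned threshold for DNS/UDP lands in the mid-1400s and the observed 9000 packets in the interval trips it, so the "activate-guard" policy fires; HTTP stays under its threshold; NTP/UDP was never learned, so it is compared against the default limit and logged.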

Areas of the User Interface

The WBM provides access to the Detector's configuration and management screens, lets you view statistics, and lets you monitor system status graphically.

The WBM allows you to configure and monitor the Detector's detection mechanisms. It provides a subset of the CLI functionality and mostly deals with zone configuration, status, and reports. Configuration parameters relating to procedures such as the initial Detector setup and the network-level setup of the Detector are accessible only through the CLI and cannot be set using the WBM. See the Cisco Traffic Anomaly Detector User Guide for further details.

Figure 1-1 displays the WBM user interface. The user interface is divided into three distinct areas as described in Table 1-1.

Figure 1-1 WBM User Interface

Table 1-1 Areas of the User Interface

Area 1, screen header: Provides information on the logged-in user and the Detector's date and time, and a simple navigation bar that enables you to log out or return to the Detector's main screen.

Area 2, navigation pane: Displays a list of links, divided by state. Each item links to the "home page" of a zone or of the Detector; the linked page is displayed in the main area (area 3). The selected item is marked by a white frame. The navigation pane is resizable.

Area 3, main area: Holds the user-selected views. It includes:

The name of the view and its state (for example, Zone scannet (interactive) - Under Detection).

A location bar indicating the current view (for example, Home > Zone > General > Config). The location bar provides navigation shortcuts.

A menu bar. There are two fixed menu bars, one for the Detector and one for a zone, which provide the main navigation mechanism. When you select Detector Summary in the navigation pane, the menu bar displays the Detector's main menu. When you select one of the zones in the navigation pane, the menu bar displays the zone's main menu.

An information area, which displays the requested information, that is, tables and forms.

The main area is resizable.


User Interface Conventions

Navigation

You can navigate the screen hierarchy either by using the menus or by using the location bar in the main area (area 3, as shown in the previous section).

When navigating with the location bar, the black-colored section indicates the current location.

The color of a selectable item turns grey when moving the mouse cursor over it.

Click on the grey item to display its page.

To navigate to one of the higher sections of the hierarchy, click the desired location.

For example, the location view: Home > Zone > Policies > Service indicates that the displayed location is Policy service configuration.

To navigate to the Policy menu list, select Policies.

To navigate to the "home page" of the Detector or of one of the zones, select the item in the navigation pane (see Figure 1-2).

The item that is currently displayed in the main area is marked by a white frame.

Figure 1-2 Zone List

Tree lists are displayed as shown in Figure 1-3. Click + on the left side of an item to expand the tree hierarchy. Once the lower level is displayed, click - on the higher level to collapse the lower levels. Click an item in the tree hierarchy to open its configuration window. For example, in Figure 1-3, click 53 to open the service configuration window for the dns_tcp template.

Figure 1-3 Tree List View

The i icon indicates that additional information is available. Click it to display the additional information.

Configuration

Selection items in menus have a drop-down list. Selection items that are not available in the current view are grayed out.

Configurable parameters appear in forms. Parameters are configured in one of the following ways:

A drop-down list allows you to select only one item from the list.

Text boxes allow you to enter an integer or an expression, as specified for each parameter.

Radio buttons allow you to choose one of the shown items.

Check boxes allow you to choose several items.

Be sure to click OK or Add to confirm the new settings once a configuration change has been made.

Lists are displayed as shown in Figure 1-4. To add an item to the list, click Add at the bottom of the screen.

To delete an item from the list, select the check box next to the desired item and click Delete.

Figure 1-4 List View

You may choose which items are displayed in system-defined lists, such as the event log severity list. However, items cannot be added to or deleted from these lists.

WBM Screen Hierarchy

This section summarizes the screen hierarchy of the WBM, providing a quick guide to finding the screen you want.