Table Of Contents
Zone Statistics and Diagnostics
  Zone Counters
    Traffic Analysis
  Zone Detection Summary Report
    Detection Graph
    Total Attack Statistics
    Per Attack Summary
  Zone Attack Reports
    General Details
    Attack Statistics
    Detected Anomalies
      Detected Anomalies Details
  Zone Event Log
Zone Statistics and Diagnostics
This chapter describes how to perform tasks used for monitoring zones and displaying various zone statistics and diagnostics on the Cisco Traffic Anomaly Detector using the Web-Based Management (WBM).
This chapter includes the following sections:
• Zone Counters
• Zone Detection Summary Report
• Zone Attack Reports
• Zone Event Log
Zone Counters
The zone counters (Figure 8-1) enable you to analyze the zone's traffic in order to verify the zone's status and to determine whether the zone detection is functioning properly. The zone counters are graphically displayed for a configurable period of time and thus enable you to view how the zone detection is evolving.
To view the zone counters:
From the Zone's main menu select Diagnostics > Counters.
Figure 8-1 Zone Counters
The Received counter provides information on the total packets received and handled by the Detector for the current zone.
The following information is available for the Received counter:
• Packets—Total number of packets destined to the zone since the last reload.
• Bits—Total number of bits destined to the zone since the last reload.
• pps—Current zone traffic rate measured in packets per second.
• bps—Current zone traffic rate measured in bits per second.
By default, Received packets are displayed for a period of the past two hours and are measured in bits per second (bps).
To update the graph:
1. Choose the period of time to be displayed.
2. Choose the traffic rate units.
3. Click Update Graph.
Below the graph is a legend that identifies the counters. The minimum, maximum and average rate of Received packets are displayed for the period of time and rate units chosen.
Traffic Analysis
It is important to analyze the traffic flow in order to determine whether traffic is flowing properly to the zone.
A Received packets value greater than zero indicates proper traffic flow to the zone.
If Received packets is 0, this can indicate one of the following:
• If the current Received packets rate (pps or bps) of the Detector (see Detector Summary) or of zones connected to the same port on the switch or router also equals zero, this can indicate a problem in one of the following:
  – Configuration of port mirroring.
  – Traffic destined to the zone or zones is blocked before it reaches the switch or router the Detector is connected to.
• If the current Received packets rate (pps or bps) of the Detector (see Detector Summary) or of other zones connected to the same port on the switch or router is greater than zero, verify that a Bypass filter is not defined for the zone.
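The decision logic above, as an added Python example that is not part of the Cisco Traffic Anomaly Detector guide: it encodes the Traffic Analysis checks over constructed counter readings so that every zone mirrored on a port can be triaged at once. The reading fields, the port label and the bypass_filter flag are assumptions made for the example; the Detector itself exposes these values through the WBM pages described in this chapter, not through this code.

```python
"""Zero-traffic triage for a zone, following the Traffic Analysis checks.

Added example, not part of the Cisco Traffic Anomaly Detector guide. All
readings below are constructed; the field names and the bypass_filter flag
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Reading:
    """Current Received counter of a zone or of the Detector itself."""
    name: str                    # "detector" or the zone name (constructed labels)
    port: str                    # switch/router port whose mirrored traffic feeds the zone
    pps: int                     # current rate, packets per second
    bps: int                     # current rate, bits per second
    bypass_filter: bool = False  # True if a Bypass filter is defined for the zone


def has_traffic(r: Reading) -> bool:
    return r.pps > 0 or r.bps > 0


def triage_zone(zone: Reading, detector: Reading, zones: List[Reading]) -> Dict[str, object]:
    """Apply the Traffic Analysis decision tree to one zone.

    Returns a status and the checks to perform next:
      ok            - Received packets > 0, traffic is flowing
      upstream-down - the Detector and the same-port zones also read zero
      bypass-filter - upstream traffic exists and a Bypass filter is defined
      unexplained   - upstream traffic exists and no Bypass filter is defined
    """
    if has_traffic(zone):
        return {"status": "ok", "checks": []}

    same_port = [z for z in zones if z.port == zone.port and z.name != zone.name]
    upstream_alive = has_traffic(detector) or any(has_traffic(z) for z in same_port)

    if not upstream_alive:
        return {"status": "upstream-down", "checks": [
            "verify the port-mirroring configuration on the switch or router",
            "verify that traffic to the zone(s) is not blocked before it reaches "
            "the switch or router the Detector is connected to",
        ]}
    if zone.bypass_filter:
        return {"status": "bypass-filter", "checks": [
            "a Bypass filter is defined for the zone; review it",
        ]}
    return {"status": "unexplained", "checks": [
        "upstream traffic is present and no Bypass filter is defined for the zone",
    ]}


# Constructed readings: two zones mirrored on the same port, one of them with no traffic.
DETECTOR = Reading("detector", "gi0/1", pps=12000, bps=48_000_000)
ZONES = [
    Reading("zone-web", "gi0/1", pps=11500, bps=46_000_000),
    Reading("zone-dns", "gi0/1", pps=0, bps=0, bypass_filter=True),
    Reading("zone-mail", "gi0/2", pps=0, bps=0),
]
DEAD_DETECTOR = Reading("detector", "gi0/1", pps=0, bps=0)  # constructed: nothing mirrored at all


def triage_all(detector: Reading = DETECTOR, zones: List[Reading] = ZONES) -> Dict[str, str]:
    """Run the triage over every zone and return zone name -> status."""
    return {z.name: triage_zone(z, detector, zones)["status"] for z in zones}


if __name__ == "__main__":
    for name, status in triage_all().items():
        print(f"{name}: {status}")
```

The Detector-level reading stands in for the Detector Summary page; when it and every zone on the same port read zero, the problem lies upstream of the Detector (mirroring or blocking), and only when upstream traffic exists does the Bypass filter check become relevant.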
Zone Detection Summary Report
The Detector provides a Detection summary report for each zone to help form a clearer picture of the attacks detected on the zone. It summarizes the DDoS attacks on the zone during a user-defined period of time. The Detector records the relevant details during attacks and organizes the data under the report categories. The report details the total number and intensity of the attacks and, in addition, lists the attacks with a short summary of each. The reports are accompanied by a graphical presentation of the data.
To view the Zone Detection Summary report:
From the Zone's main menu, select Diagnostics > Attack Reports.
The zone detection summary report consists of data fields and tables. These are grouped in three sections:
• Detection Graph
• Total Attack Statistics
• Per Attack Summary
By default, the report is displayed for a period of the past month.
To change the report tables display settings:
1. Enter the required period of time (enter the Period from and to dates):
   a. Click on the calendar icon (on the right side of each field).
   b. Select a date.
2. Click Get Reports.
Detection Graph
The detection graph provides a graphical summary of the attacks during the user-defined period of time.
Figure 8-2 Zone Detection Summary Report—Detection Graph
The X-axis displays the time during which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you place your mouse cursor over any of the attack bars and hold it there for a few seconds, a small box (a ToolTip) appears displaying the average attack rate.
The bar also provides a link to the attack report.
To display the attack report:
Click on the attack bar.
Total Attack Statistics
The total attack statistics table (Figure 8-3) provides information on the number of attacks on the zone and the aggregated attack details during the user-defined period of time.
Figure 8-3 Zone Detection Summary Report—Total Attack Statistics
The total attack statistics table provides the following information:
Parameter | Description
Attacks Detected | Indicates the number of attacks detected.
Attacks Duration | Indicates the aggregated duration of the detected attacks.
Max. Traffic Rate | Indicates the maximum amount of malicious traffic (measured in packets) destined to the zone and handled by the Detector.
Total Rx | Indicates the total amount of traffic (measured in packets) destined to the zone and handled by the Detector.
Per Attack Summary
The Per Attack Summary provides a list of the DDoS attacks on the zone during the user-defined period of time.
Figure 8-4 Zone Detection Summary Report—Per Attack Summary
The table columns provide the following information on each attack:
Parameter | Description
# | Indicates the attack identification number (ID).
Start time | Indicates the attack detection date and time.
Duration | Indicates the attack duration in hours, minutes, and seconds.
Type | Indicates the detected attack type:
  • Tcp connections—A detected flow with an unusual number of concurrent TCP connections, with or without data.
  • HTTP—An unusual HTTP traffic flow.
  • Tcp incoming—A detected flow attacking a TCP service when the Zone is a server.
  • Tcp outgoing—A detected attack flow in which the client seems to be the Zone, such as SYN-ACK attacks on connections initiated by the Zone when the Zone is the client.
  • Unauthenticated tcp—A detected flow that the Detector anti-spoofing mechanisms have not succeeded in authenticating. For example, an ACK flood, a FIN flood or any other flood of unauthenticated packets.
  • DNS (Udp)—An attacking DNS-UDP protocol flow.
  • DNS (Tcp)—An attacking DNS-TCP protocol flow.
  • Udp—An attacking UDP protocol flow.
  • Non tcp/udp protocols—A non-TCP/UDP attacking protocol flow.
  • Fragments—A detected flow with an unusual quantity of fragmented traffic.
  • Hybrid—An attack composed of several attacks with different characteristics.
  • IP scan—A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
  • port scan—A detected flow initiated from a source IP address that tried to access many zone ports.
  • user detected—An anomaly flow detected by the user.
Peak (pps) | Indicates the maximum attack rate measured in packets per second.
Received Pkts | Indicates the total number of packets, destined to the zone, that were handled by the Detector during the attack.
Each field in the table provides a link to the attack report.
Zone Attack Reports
The Detector provides an attack report to help form a clearer picture of an attacked zone (or zones). The attack report details an attack that begins with the production of the first dynamic filter and ends either by a user decision or after a defined period of time during which no new dynamic filters were added. The Detector records the relevant details during an attack and organizes the data under the report category columns. The produced report (or reports) is available for viewing and can cover not only past attacks but also the current attack (termed "Attack in progress").
To view the list of the zone attack reports:
From the Zone's main menu, select Diagnostics > Attack Reports.
To view the attack details, perform one of the following:
• In the Detection Graph, click on the attack bar.
• In the Per Attack Summary table, click on one of the fields of the required attack.
A shortcut to the current attack ("Attack in progress") details is also provided from the Zone's "home page".
To view the current attack details:
On the Zone's "home page", click Report.
The attack report consists of data fields and tables. These are grouped in three sections:
• General Details
• Attack Statistics
• Detected Anomalies
General Details
The general details section (Figure 8-5) provides information related to attack timing. It consists of information on the attack start time, the attack end time and the attack duration.
Figure 8-5 Attack Report—General Details
Note
Counters that do not denote a rate are specified by an integer. The units are bits, kilo-bits, kilo-packets, mega-bits, and packets, corresponding to the statistics units selected from the drop-down list.
To change the units by which the report is displayed:
1. Choose the units from the drop-down list.
2. Click Set units.
Attack Statistics
The attack statistics section (Figure 8-6) provides information on Received packets, that is, the total number of packets received by the Detector for the current zone.
Figure 8-6 Attack Report—Attack Statistics
The following information is provided for the Received packets:
Parameter | Description
Total | Indicates the total number of attack packets.
Max Rate | Indicates the maximum measured traffic rate.
Average Rate | Indicates the average traffic rate.
The traffic rate is displayed in the units selected from the drop-down list in the general details section.
Detected Anomalies
The Detected Anomalies table details the traffic anomalies the Detector detected. The Detector classifies a flow as an anomaly when it requires the production of a Dynamic filter. These anomalies may be occasional or of the kind that turns into systematic DDoS attacks. The Detector clusters anomalies with identical type and flow parameters (such as source IP address, destination port, etc.) under one anomaly type.
Figure 8-7 Attack Report—Detected Anomalies
The following information is provided for each anomaly:
Field Name | Description
Start time | Indicates the anomaly detection date and time.
Duration | Indicates the anomaly duration in hours, minutes, and seconds.
Type | Indicates the detected anomaly type:
  • Tcp_connections—A detected flow with an unusual number of concurrent TCP connections, with or without data.
  • HTTP—An unusual HTTP traffic flow.
  • Tcp incoming—A detected flow attacking a TCP service when the zone is a server.
  • Tcp outgoing—A detected attack flow in which the client seems to be the zone, such as SYN-ACK attacks on connections initiated by the zone, when the zone is the client.
  • Unauthenticated tcp—A detected flow that the Detector anti-spoofing mechanisms have not succeeded in authenticating. For example, an ACK flood, a FIN flood or any other flood of unauthenticated packets.
  • DNS (udp)—An attacking DNS-UDP protocol flow.
  • DNS (tcp)—An attacking DNS-TCP protocol flow.
  • Udp—An attacking UDP protocol flow.
  • Non tcp/udp protocols—A non-TCP/UDP attacking protocol flow.
  • Fragments—A detected flow with an unusual quantity of fragmented traffic.
  • IP scan—A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
  • port scan—A detected flow initiated from a source IP address that tried to access many zone ports.
  • user detected—An anomaly flow detected by the user.
Triggering rate | Indicates the anomaly traffic rate that violated a policy threshold.
% Threshold | Indicates the percentage by which the triggering rate is above the policy threshold.
Anomaly Flow | Indicates the anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow and the flow packet types. If the anomaly flow is on a specified port, it is displayed as: dst=<ip address>:<port>
Details | Indicates whether additional information can be viewed for this filter. Click i for additional information.
A value of "*" for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the anomaly's parameter.
A value of "#" for any of the parameters indicates the number of values measured for that anomaly's parameter.
Detected Anomalies Details
The detected anomalies details table provides information on the dynamic filters, clustered according to the producing policy, that constitute the detected anomaly.
To display the detected anomalies details table:
From the details column in the detected anomalies table, click i.
The following information is provided:
Parameter | Description
Start time | Indicates the date and time the anomaly was detected.
End time | Indicates the expiration date and time of the Dynamic filter that was activated.
Rate (pps) | Indicates the rate measured in packets per second.
  • Thresh—Indicates the policy threshold that was violated by the detected anomaly.
  • Triggered—Indicates the anomaly traffic rate that violated a policy threshold.
Count | Indicates the number of packets that were handled by the Dynamic filter.
Detected flow | Provides information on the detected attack flow—the flow that caused the production of the Dynamic filter.
  • Prot.—Indicates the detected flow protocol number.
  • Src IP—Indicates the detected flow source IP.
  • Src Port—Indicates the detected flow source port.
  • Dst IP—Indicates the detected flow destination IP.
  • Dst Port—Indicates the detected flow destination port.
  • frag.—Indicates the fragmentation characteristics of the detected traffic flow.
  • Type—Indicates the detected anomaly type. Refer to the "Detected Anomalies" section in Chapter 8, "Attack Reports," in the Cisco Traffic Anomaly Detector User Guide for further details.
Action flow | Provides information on the action flow—the flow that was addressed by the Dynamic filter. The action flow can cover a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP, whereas the action flow indicates all source ports for the specified source IP. The columns represent the dynamic filter traffic data.
  • Prot.—Indicates the action flow protocol number.
  • Src IP—Indicates the action flow source IP.
  • Src Port—Indicates the action flow source port.
  • Dst IP—Indicates the action flow destination IP.
  • Dst Port—Indicates the action flow destination port.
  • frag.—Indicates the fragmentation characteristics of the action flow.
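How the Detected Anomalies table and the Detected Anomalies Details table relate, as an added Python example that is not part of the Cisco Traffic Anomaly Detector guide: it takes constructed dynamic-filter records shaped like the Details table (Thresh, Triggered, Count, detected-flow parameters), clusters filters that share an anomaly type and flow parameters into one anomaly row, derives the "% Threshold" column from the Thresh and Triggered rates, and shows a parameter that took several values as "*" together with its "#" count. The record field names, the clustering key and the choice to report the worst violation as the row's triggering rate are assumptions made for the example; the Detector's own rules are not documented on this page.

```python
"""Build Detected Anomalies rows from dynamic-filter records.

Added example, not part of the Cisco Traffic Anomaly Detector guide. The
record fields and the clustering key are assumptions; all sample filters are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DynamicFilter:
    start: str          # detection date and time
    end: str            # filter expiration date and time
    anomaly_type: str   # e.g. "Unauthenticated tcp", "Udp"
    prot: int           # IP protocol number
    src_ip: str
    src_port: str       # "*" when the filter addresses all source ports
    dst_ip: str
    dst_port: str
    frag: str           # fragmentation characteristic, e.g. "no"
    thresh: int         # policy threshold that was violated (pps)
    triggered: int      # measured rate that violated it (pps)
    count: int          # packets handled by the filter


FLOW_FIELDS = ("prot", "src_ip", "src_port", "dst_ip", "dst_port", "frag")


def pct_over_threshold(triggered: int, thresh: int) -> float:
    """% Threshold column: percentage by which the triggering rate is above the policy threshold."""
    if thresh <= 0:
        raise ValueError("policy threshold must be positive")
    return round((triggered - thresh) * 100.0 / thresh, 1)


def collapse(values: List[object]) -> object:
    """A single measured value is shown as-is; several distinct values become '*'."""
    distinct = set(values)
    return next(iter(distinct)) if len(distinct) == 1 else "*"


def format_flow(flow: Dict[str, object]) -> str:
    """Anomaly Flow column in the page's notation: dst=<ip address>:<port>."""
    if flow["dst_port"] == "*":
        return f"dst={flow['dst_ip']}"
    return f"dst={flow['dst_ip']}:{flow['dst_port']}"


def cluster_anomalies(filters: List[DynamicFilter]) -> List[Dict[str, object]]:
    """Group filters by anomaly type and shared flow parameters (assumed key)."""
    groups: Dict[tuple, List[DynamicFilter]] = defaultdict(list)
    for f in filters:
        groups[(f.anomaly_type, f.prot, f.dst_ip, f.dst_port)].append(f)

    rows = []
    for key, members in groups.items():
        flow: Dict[str, object] = {}
        for name in FLOW_FIELDS:
            vals = [getattr(m, name) for m in members]
            flow[name] = collapse(vals)
            flow[name + "_count"] = len(set(vals))      # the "#" value for this parameter
        peak = max(members, key=lambda m: m.triggered)  # assumed: row reports the worst violation
        rows.append({
            "type": key[0],
            "start": min(m.start for m in members),
            "triggering_rate": peak.triggered,
            "pct_threshold": pct_over_threshold(peak.triggered, peak.thresh),
            "flow": flow,
            "packets": sum(m.count for m in members),
            "filters": len(members),
        })
    return rows


# Constructed sample: two unauthenticated-TCP filters against the same service
# from different sources, plus one UDP filter against the DNS port.
SAMPLE_FILTERS = [
    DynamicFilter("2007-01-15 10:02:11", "2007-01-15 10:12:11", "Unauthenticated tcp",
                  6, "198.51.100.5", "*", "192.0.2.10", "80", "no", 1000, 2500, 120000),
    DynamicFilter("2007-01-15 10:02:40", "2007-01-15 10:12:40", "Unauthenticated tcp",
                  6, "198.51.100.9", "*", "192.0.2.10", "80", "no", 1000, 1800, 64000),
    DynamicFilter("2007-01-15 10:05:03", "2007-01-15 10:15:03", "Udp",
                  17, "203.0.113.4", "1234", "192.0.2.10", "53", "no", 500, 600, 9000),
]


def sample_report(filters: List[DynamicFilter] = SAMPLE_FILTERS) -> List[Dict[str, object]]:
    return cluster_anomalies(filters)


if __name__ == "__main__":
    for row in sample_report():
        print(row["start"], row["type"], row["triggering_rate"], "pps",
              f"{row['pct_threshold']}%", format_flow(row["flow"]),
              "src=" + str(row["flow"]["src_ip"]), "#" + str(row["flow"]["src_ip_count"]))
```

The two TCP filters collapse into one row whose source IP reads "*" with a "#" value of 2, which is the situation the table describes when more than one value was measured for a parameter; the per-filter Thresh and Triggered rates survive in the Details table, and the row's "% Threshold" is computed from them.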
Zone Event Log
The zone event log (Figure 8-8) displays monitoring and troubleshooting information that relate to the zone.
To view the zone event log:
From the Zone's main menu select Diagnostics > Event log.
Figure 8-8 Zone Event Log
The event severity levels are:
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To filter the events according to their severity level:
1. Select the check boxes next to the requested severity levels.
2. Click Filter Events.