Accepting the Policy Construction Phase Results Procedure
In this procedure the user ends the Policy Construction Phase. The Guard then stops the Policy Construction Phase and adopts the results (policies). The newly learned policies take the place of the former policies.
Action
This parameter defines the action type the policy assumes once its threshold is violated.
In the CLI, this column indicates the action taken (e.g., drop) by either a policy or a filter.
Analysis Module
This module is active during the Guard Protection mode of operation. When no DDoS attack signs are indicated the Guard directs the diverted Zone traffic to flow through this module. The analysis module lets the Zone traffic flow unobstructed. The module analyzes the flows, allowing the recognition module to sample them.
Any-fragments
In CLI, this denotes fragmented and non-fragmented traffic.
Attack Mitigation Verification Procedure
In this procedure the user verifies whether the Guard has mitigated the attack. This is done by issuing the show zone command. The user then checks the ratio between the received (RX) and the sent (FRWD) packets, the status of the Dynamic filters, and the proper functioning of the Guard anti-spoofing mechanisms.
Attack Type Characterization Procedure
In this procedure the user characterizes an attack type as TCP or non-TCP to gain more information. The user performs this procedure by analyzing the User and the Dynamic filters.
B
Basic Module
This module is active during the Guard Protection mode of operation. This module utilizes the Guard initial Challenge-and-Response based anti-spoofing mechanisms. The Guard directs the traffic to the Strong protection module either in the case of an escalation or in certain cases which require the Strong anti-spoofing mechanisms to handle the suspected traffic flows.
block-unauthenticated
A policy action that directs traffic to an anti-spoofing mechanism that deals with unauthenticated traffic.
block-unauthenticated-basic
A Dynamic filter action that drops traffic flows that have not been authenticated by the Basic anti-spoofing mechanisms.
block-unauthenticated-strong
A Dynamic filter action that drops traffic flows that have not been authenticated by the Strong anti-spoofing mechanisms.
Burst/Burst-Size
The highest traffic peak (burst size rate) allowed to pass to the Zone. The burst-size units are: Kpps—Kilo packets per second; pps—Packets per second; Kbps—Kilo bits per second; Mbps—Mega Bits per second, and bps—Bits per second.
Burst
In the CLI, this column indicates the burst size the filter allows per specified flow.
Bypass filter
A filter designed to enable the user to direct desired traffic flows to bypass the Guard protection mechanisms. Thus, the user can better adapt the Guard to their protection policy.
C
Command group level
A group of commands that form a CLI hierarchy level. This group is accessed from a single prompt line.
Command Line Interface (CLI)
A prompt line interface from which the user performs operations.
Comparator
A Guard module that compares the input from the Guard Dynamic filters with the input from the Guard User filters. The Comparator then picks and executes the more severe protection means.
Concurrent connections
This policy template produces a group of policies related to TCP connection characteristics.
Constructor command group level
A group of commands that form a CLI hierarchy level. This group is accessed from the Constructor prompt line.
Copying Services Procedures
In this procedure the user is able to copy policy configuration from Zone to Zone. The user copies the data relevant to a service on a desired port, or a service on all its relevant ports, or all services on all their ports. The data includes all policies under the desired service with their operational parameters (threshold, action, and timeout).
D
Diagnostics command group level
A group of commands that form a CLI hierarchy level. This group is accessed from the Diagnostics prompt line.
Distributed Denial of Service (DDoS) Attack
A Denial of Service attack against a site or server launched from multiple sources. This is sometimes carried out by covertly exploiting servers so that they function as agents for transmitting the attack. In many cases, the attacker will place client software on a number of unsuspecting remote computers and then use these computers to launch the attack. A Distributed Denial of Service attack is more effective than a simple Denial of Service attack, as the volume of traffic is considerably higher, and it is more difficult to prevent. Examples of DDoS attacks are the SYN flood, the Smurf attack and the Targa attack.
Diversion Problem
This problem occurs when the Guard does not receive any packets. As a result no packets are forwarded to the Zone.
Divert-from Router
A router from which the Guard diverts the traffic destined to a Zone.
Dns tcp
A policy template that produces a group of policies related to DNS-TCP protocol traffic.
Dns udp
A policy template that produces a group of policies related to DNS-UDP protocol traffic.
Dport
In the CLI, this is an abbreviation for Destination Port.
Drop
In CLI, this denotes the Drop module destination of the directed traffic.
Drop Module
This module is active during the Guard Protection mode of operation. The Guard directs the diverted Zone traffic to the Drop protection module when all other protection mechanisms are insufficient, or when user-configured filters direct traffic there. This module drops the malicious Zone traffic directed to it by the Flex, User, and Dynamic filters.
Dst ip stat
In CLI, this policy section denotes a traffic characteristic designating traffic coming to the Zone IP address.
Dst port stat
In CLI, this policy section denotes a traffic characteristic designating traffic coming to a specific Zone port.
Dynamic filter
Dynamic filters are created by the Guard as the result of analysis of traffic flow. They are used to filter out DDoS attacks. This set of filters is continuously adapted to the Zone traffic and the type of the DDoS attack.
Dynamic Next Hop Diversion methods
In these methods the Guard dynamically learns the next-hop router as it changes.
Dynamic filter number
In CLI, this denotes the dynamic filter number.
E
Event monitor
This CLI command displays the Guard activities on-line.
Exp time
In CLI, this denotes the time span for a filter to be active. In this case the time span is a specified number of seconds.
ExpTime
In the CLI, this is an abbreviation for Expiring Time.
F
Flex filter
The Flex filter is a Berkeley Packet Filter that provides the user with extremely flexible filtering capabilities, such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. It enables the use of complex Boolean expressions. The Flex filter is used to count a specified packet flow.
Forever
In CLI, this denotes the time span for a filter to be active provided the Guard is in protection mode. In this case the time is unlimited.
Fragments
In CLI, this denotes fragmented traffic. Also, a policy template that produces a group of policies related to fragmented traffic.
Frg
In the CLI, this is an abbreviation for Fragments.
G
Global stat
A traffic characteristic designating a summation of all traffic flows of a group of policies.
Global command group level
A group of commands that form a CLI hierarchy level. This group is accessed from the most basic prompt line.
Greater
In CLI, this denotes a packet length equal to or greater than the specified length in bytes.
Guard
A system designed to protect network elements against DDoS attacks.
Guard Default Gateway address
This is usually the Guard's adjacent router, located between the Guard and the Internet. The Guard default Gateway address must be on the same network as one of the Guard interfaces' IP addresses.
Guard Diagnostics
A set of diagnostic operations the user performs via the Guard. These include: accessing the Guard ARP cache, displaying the Guard network connections, routing tables, interface statistics, a specified traced route, and pinging a specified network element.
Guard log
A log file containing the Guard activities, current events, performed actions and the protective measures it undertook. The Guard log file can be transferred to an FTP server.
Guard Network Interfaces
The Guard has an Out-of-Band 100BaseT ("Fast Ethernet") NIC for management and an In-Band Gigabit Ethernet NIC for Zone traffic transmissions. The Guard may have up to two In-Band NICs. The In-Band interface (Eth1) is the physical layer interface on which the Virtual Local Area Networks (VLANs) and tunnels are configured.
Guard running-config file
A file containing the data of the Guard configurations. This file can be transferred to and from an FTP server.
Guard User community (level)
The Guard provides access levels for several groups of users (Show, Dynamic, Configuration, and Administrator). These are classified by their authority and hence by the scope of operations they are able to perform. The most privileged is the Administrator level and the least privileged is the Show user level.
Guard Web Based Management (WBM)
A GUI-over-HTTP Guard interface that enables the user to manage the Guard protection and Zones (excluding Guard configuration procedures) over the web using a browser.
Guard-interface-routing-table
A routing table written on Juniper Routers to be used to route traffic coming back from the Guard.
H
Host
In CLI, this denotes a host IP address.
http
A policy template that produces a group of policies related to HTTP traffic flowing (by default) through port 80 (or other user-configured ports).
I
ID
In the CLI, this column indicates the filter's serial (designating) number.
Incoming nodata connections
In CLI, this denotes a packet type. Packets of this type are packets of connection requests that bear no data.
Inject-to router
A router to which the Guard forwards the clean traffic destined to a Zone.
Interface command group level
A group of commands that form a CLI hierarchy level. This group is accessed from the Interface prompt line.
IP broadcast
In CLI, this denotes a broadcast IP packet.
IP multicast
In CLI, this denotes a multicast packet.
IP proto
In CLI, this denotes an IP packet of the following protocols: icmp, udp, or tcp.
IP Traffic Diversion
A process consisting of transparently diverting the traffic of one or more Zones to the Guard, and returning the legitimate, cleaned traffic from the Guard to the original data path and on to the Zone. Traffic diversion is also performed for learning purposes.
IP-mask
In CLI, this denotes a mask IP address.
L
Layer 2 Forwarding Method
In this method the Guard resolves the MAC address of the Inject-to or the Next-hop routers and then forwards the traffic over to them. The Guard resolves the MAC address by issuing an ARP query.
Layer 2 Topology (L2)
In this network the Guard, the Layer 2 switch, the divert-from router, and the next-hop router to the Zone, are located in the same LAN. The Guard diverts the Zone traffic from the divert-from router and forwards the filtered traffic via the Layer 2 switch to the next-hop router.
Layer 3 Forwarding Methods
The Layer 3 forwarding methods are Policy Based Routing (PBR) - PBR-DST (see Policy Based Routing (PBR) - PBR-DST), and VRF (VPN Routing Forwarding) - VRF-DST (see VRF (VPN Routing Forwarding) VRF-DST).
Layer 3 Topology (L3)
In this network topology the Guard directly connects to the divert-from router (see Divert-from Router) for Zone traffic diversion. The Guard would then return the filtered traffic back to the divert-from router. The latter then forwards the traffic to the Next-hop Router (see Next-hop Router).
Learning Phase Snapshot Procedure
In this procedure the user is able to save a snapshot of the learning parameters (services, thresholds and other policy-related data) at any time during the Learning phase. The file containing the snapshot learning phase parameters, together with the Zone configuration parameters, is saved under a user-defined zone name.
Learning Phase Verification Procedure
In this procedure the user verifies that the Learning phase has succeeded. This is performed by issuing the show command and verifying that the Guard is receiving and forwarding packets.
Less
In CLI, this denotes a packet length equal to or less than the specified length in bytes.
M
Maximum Number of Services
This policy template parameter defines the maximum number of services the Guard will produce with a specific policy template.
Maximum Transfer Unit (MTU)
The largest frame size that can be transmitted over the network. Messages longer than the MTU must be divided into smaller frames.
Minimum Threshold
This policy template parameter defines the minimum threshold of a traffic volume. Any traffic volume exceeding this parameter is considered a target of the Guard protection policy, and the Guard produces policy groups relating to it.
N
Net
In CLI, this denotes a subnet IP address.
Network Time Protocol (NTP)
A protocol for synchronizing the Guard with a Time Synchronization Server.
Next-hop Discovery by Routing Protocols
In this method the Guard runs IGP, BGP, or both, and obtains the routing information from the Divert-from router. The Guard is then able to determine the next-hop to the Zone.
Next-hop Discovery by Telnet
In this method the Guard utilizes Telnet (if the attempt fails the Guard utilizes SSH) to connect to the Divert-from router and obtain the routing information. The Guard is then able to determine the next-hop to the Zone.
Next-hop Discovery Mechanism
The learning process by which the Guard learns the preferred next-hop to the zone.
Next-hop Discovery Methods
These are the methods the Guard utilizes to discover the Next-hop router. These methods consist of the Next-hop Discovery by Routing Protocols and by Telnet.
Next-hop router
The router that is the next hop to the Zone according to the divert-from router.
No strong concurrent connections
This policy template produces a group of policies related to TCP connection characteristics. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. Instead, the actions it creates direct traffic flowing through the Basic protection module only to be dropped or to generate a notification.
No strong tcp outgoing
This policy template produces a group of policies related to TCP connections initiated by the Zone. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. Instead, the actions it creates direct traffic flowing through the Basic protection module only to be dropped or to generate a notification.
No strong tcp services
This policy template produces a group of policies when TCP services on specially dedicated ports (6660 to 6670, and ports 21 to 23) are traced. However, this policy template does not create policies with actions that direct traffic flows to the Strong protection module. Instead, the actions it creates direct traffic flowing through the Basic protection module only to be dropped or to generate a notification.
No-fragments
In CLI, this denotes non-fragmented traffic, as the traffic type on which the filter performs its action.
Non-spoofed attack
A DDoS attack coming from a valid IP address host.
O
On-Demand Protection
This protection is activated when the Zone is attacked while the Guard hasn't completed its Learning phases, so that the Guard hasn't yet adapted its protection policies to the Zone traffic requirements.
Other protocols
This policy template produces a group of policies related to protocols untreated by other policy templates.
P
Packets
In the CLI, this column indicates the number of packets.
Permit
In CLI, this denotes the protection action of directing the traffic to bypass the Guard anti-spoofing mechanisms and on to the rate limiter.
Policy
In the CLI, this table column heading indicates a policy template name.
Policy Activate Procedures
In these procedures the user enables a deactivated policy to resume its functionality and operate on the traffic flow it learned and tuned to.
Policy Administrative Procedures
These procedures relate to policy template operations and policy configuration data.
Policy Based Routing (PBR) Forwarding Method
PBR-DST—In this Layer 3 forwarding method the user writes routing rules on the router's interface that connects to the Guard. These rules specify how all traffic from the Guard to the Zone is forwarded to the next-hop router.
Policy command group level
A group of commands that form a CLI hierarchy level. This group is accessed from the Policy prompt line.
Policy Construction Phase
In this phase the Guard, based on the Zone traffic characteristics, produces the policies with the aid of the Policy Templates.
Policy Deactivate Procedures
In these procedures the user configures the policy and enables it to tune and obtain its thresholds; the policy relates to the traffic flow but does not issue any actions. Thus, it does not perform its protective role. Activating it enables it to resume its full functionality.
Policy Disable Procedures
In these procedures the user does not configure the policy, so the policy does not relate to the traffic flow. This prevents the policy from tuning to the traffic flow and obtaining its thresholds. The user should run the learning phases again to allow the policy to resume its functionality.
Policy Operational Parameters
This is a set of parameters that relate to the policy operations. This set consists of the following: Threshold, Proxy-threshold, Timeout, and Action (see Threshold, Proxy-threshold, Timeout, and Action).
Policy Parameter File Comparison Procedure
In this procedure the user is able to compare the Snapshot Learning parameters (see Learning Phase Snapshot Procedure) with any Zone Learning parameters. The comparison is performed to trace differences in policies, services, and thresholds between the compared Zone files. The user is able to define the sensitivity with which the comparator reports differences.
Policy Production Procedure
In this two-phase procedure the Guard takes the Zone traffic characteristics (either default or user-configured) and policy templates as its input and constructs the groups of policies with their operational parameters as an output.
Policy Templates
The policy templates are a collection of rules guiding policy construction; the output of each template at the conclusion of the Policy Construction phase is a group of policies. The user-configured Policy Template parameters are the Minimum Threshold and Maximum Services (see Minimum Threshold and Maximum Services). The Policy Templates construct the Guard policy Thresholds at the end of the Threshold Tuning phase.
Port
In CLI, this denotes both source and destination port numbers.
Possible Next-hop Routers
A group of routers that could function as a legitimate next-hop router. A next-hop router may change due to routing changes in a network.
Prot
In the CLI, this is an abbreviation for the protocol's well-known number.
Protection Policy
The Guard policies are the mechanisms that measure a particular traffic flow and take an action against the flow as a result of a threshold violation. A policy may, for example, direct the Guard to produce a Dynamic filter that directs a specific traffic flow to the Strong anti-spoofing mechanisms upon violation of a certain threshold (see Threshold, Dynamic filter, Strong, and anti-spoofing).
Proxy
The Guard functions as a proxy to enable the proxy mode anti-spoofing protection mechanisms.
Proxy-threshold
This parameter defines the traffic threshold for traffic sources identified as HTTP proxies. It enables the Guard and the user to better tailor the policy reaction to traffic volumes coming from HTTP proxy sources.
R
Rate
In the CLI, this column indicates the rate to which the packets were limited.
Rate-limit
The amount of traffic in units-per-second allowed to pass to the Zone. The units are: kpps—Kilo packets per second, pps—Packets per second, kbps—Kilo bits per second, mbps—Mega bits per second, and bps—Bits per second.
Rate-Limiter
A Guard module that rate-limits Zone traffic. The Guard Rate-limiter does not consider the bypassed traffic bandwidth.
Recognition Module
The Guard's module that receives input from a sampling unit and analyses the Zone traffic. Based on its recommendations, the Guard constructs its protection measures.
Redirect
In CLI, this denotes the Basic Redirect anti-spoofing mechanism destination of the directed traffic.
Rejecting the Policy Construction Phase Procedure
In this procedure the user stops (rejects) the policy construction phase without enabling the Guard to undergo the entire process. This causes the Guard to stop the Policy Construction phase and use policies and thresholds it had prior to the Learning phase initialization.
Reset
In CLI, this denotes the Basic Reset anti-spoofing mechanism destination of the directed traffic.
Routine Guard Procedures
These procedures are designed to verify the proper functioning of the Guard and the Zone traffic status.
Row
In the CLI, this column indicates the filter priority.
Row-num
In CLI, this denotes an integer that identifies the filter and defines its priority among the User filters.
S
Sampler
The Guard's module that samples all traffic for the Guard Recognition module to configure protection measures.
Secure Shell (SSH) Management
The user may access the Guard via Secure Shell (SSH), which enables controlling the Guard from any network.
Spoofed attack
A DDoS attack coming from a faked (spoofed) source address.
Src host
In CLI, this is an abbreviation for Source Host.
Src IP
In the CLI, this is an abbreviation for Source IP.
Src Mask
In the CLI, this is an abbreviation for Source Mask.
Src port
In CLI, this denotes a source port number.
Src ip stat
A traffic characteristic designating traffic coming to the Zone from a specific (source) IP address.
Src net_stat
A traffic characteristic designating traffic coming to the Zone from a specific subnet IP address.
Static Next-hop Diversion method
In this method the next-hop router is configured in the inject-to router. This diversion method is applicable only when the next-hop router is static per Zone.
Strong
In CLI, this denotes the Strong module anti-spoofing mechanisms destination of the directed traffic.
Strong Module
This module is active during the Guard Protection mode of operation. When a DDoS attack strengthens and the Guard determines that the current anti-spoofing mechanisms are insufficient, it directs the diverted Zone traffic to the Strong protection module. This module has more severe anti-spoofing mechanisms. In case of a further escalation the Guard operates the Drop protection module.
T
Tcp not auth
This policy template produces a group of policies related to TCP connections that haven't been authenticated by the Guard anti-spoofing mechanisms.
Tcp outgoing
This policy template produces sets of policies related to TCP connections initiated by the Zone.
Tcp services
This policy template produces a group of policies related to TCP services on ports other than those handled by the HTTP and other policy templates.
Threshold
This parameter defines the threshold traffic rate for a specific policy. Once it is violated, the policy assumes an action to protect the Zone.
Threshold Tuning Phase
This is the stage in which the Guard further analyses the Zone traffic and defines thresholds for the policies constructed in the Policy Construction phase.
Timeout
This parameter defines the time span of the policy action; once it elapses, the policy terminates the action taken, until the policy threshold is violated again.
To user-filter
In CLI, this denotes a filter action of forwarding the traffic to the user-configured User filters.
Traffic BGP Diverting Method
A diversion method in which the Guard sends the divert-from router an EBGP (or an IBGP) announcement informing it that the next hop to the Zone is the Guard itself. In order for the BGP announcement to override any previous routing decision, the announcement goes out with a longer (more specific) prefix than the one representing the Zone in the router's routing table.
Traffic Blockage Problem
This problem occurs when the Guard receives the Zone's diverted packets but most of the good traffic isn't forwarded on to the Zone.
Traffic Characteristics
A set of attributes designating traffic flows for policy operation. For example, traffic flowing to a Zone from a specific IP address (src_ip_stat).
Traffic Diversion
The Guard operates diversion techniques to direct the Zone traffic to pass through its protection mechanisms for traffic learning and malicious traffic filtering. The traffic is then injected back to continue its path to the Zone.
Tunnel Forwarding Method
In this method a tunnel is configured between the Guard and each of the possible next-hop routers. The Guard sends the traffic on the tunnel that ends at the Next-hop Router. This allows the Guard to change the Next-hop router of a specified Zone by changing the tunnel.
Type Of Service Policy Based Routing (TOS PBR) Forwarding Method
In this method a rule to forward a packet according to its TOS to a matching next-hop router is created. Then a TOS value is associated with each of the possible next-hop routers. The Guard marks packets using TOS values associated with the next-hop router to a specified Zone. This allows the Guard to change the next-hop router to a specified Zone by changing TOS values of the packets associated with this Zone.
U
Udp services
This template produces a group of policies related to UDP services.
Units
In the CLI, this column indicates the unit of the packet rate, e.g. packets per second (pps) or Kpps.
User filter
A user-customized filter that enables the user to set guiding rules for handling desired traffic flows when an attack is suspected. The user can configure their preferred anti-spoofing mechanisms or decide to drop a specified traffic flow.
V
VLAN Policy Based Routing (VLAN PBR) Forwarding Method
In this method, multiple VLANs (Virtual LANs, 802.1Q) are configured on the physical router interface that connects to the Guard. Each VLAN is associated with one of the possible next-hop routers. The Guard forwards the packets to the VLAN that is associated with the next-hop router of a specified Zone. This allows the Guard to change the next-hop router of a specified Zone by changing the VLAN to which the packets are forwarded.
VRF (VPN Routing Forwarding) VRF-DST Method
In this Layer 3 forwarding method two separate interfaces are configured on the physical interface between the router and the Guard. The first interface (the NATIVE VLAN) is used to divert traffic from the router to the Guard. The second VLAN is used to divert the returned traffic from the Guard to the router. An additional Virtual Routing and Forwarding table (VRF) is configured to be used only for routing traffic that arrives on the router's interface that connects to the Guard.
Z
Zombie
A device that acts as an unaware participant in a distributed Denial of Service (DDoS) attack.
Zombie attack
A zombie attack is a type of attack that uses unaware participant machines to launch a DDoS attack. The attacker first spreads a Trojan to unsuspecting users that are not the final target, and may later instruct the Trojan to perform "legitimate" connections to the zone. This makes it difficult to identify the original source of the attacks.
Zone
The Guard-protected network element. Also, a Guard file with all data relating to the protected Zone (configurations, policies, filters, etc).
Zone Bandwidth
The amount of traffic bandwidth the Guard allows to pass to the Zone. The Zone bandwidth is configured from the Burst size and Rate-limit (see Burst-size and Rate-limit). The default Bandwidth value is 200.000 pps.
Zone Protection Verification Procedure
In this procedure the user verifies that the Zone protection is functioning properly. This is performed via issuing the show counters zone command to display the Zone status.
Zone running-config file
A file containing the data the Guard has of the Zone configurations. This file can be transferred to and from an FTP server.