Cisco Guard Configuration Guide (Software Version 3.08)
Overview

Table Of Contents

Overview

What is DDoS?

The Cisco Guard

The Zone

Zone traffic Diversion

Zone Traffic Learning and Protecting

Zone Traffic Learning

Zone Traffic Protection

The Guard Protection Cycle

The Guard Protection system

The Guard Interactive Recommendations

The Guard Attack Reports


Overview


This chapter provides a general overview of what DDoS is and outlines the Guard structure and operation.

What is DDoS?

Distributed Denial of Service (DDoS) attacks are attacks in which malicious individuals cause thousands of compromised computers ("zombies") to run automated scripts that cripple the network resources of a protected server (the Zone) with spurious requests for service. Examples are a flood of bogus home page requests that shuts legitimate customers out of a web server, or traffic that compromises the availability and accuracy of Domain Name System (DNS) servers. Such attacks share a number of distinguishing features, and these features have important implications for DDoS defense methods:

Distributed. Although often launched by a single individual, the zombies that actually execute the attacking code may number in the hundreds of thousands and are distributed over multiple autonomous systems administered by multiple organizations. Together they generate a volume of traffic that exceeds the bandwidth available at a typical zone, even that of the largest corporations.

Statistical. DDoS research points at the following facts:

DDoS zombies are distributed both in number and across autonomous systems

Legitimate and bogus requests for service are closely intermixed

DDoS scripts deliberately randomize their attacks (for example, spoofed IP source addresses or varying TCP flag settings)

These facts imply that a DDoS attack is a statistical phenomenon, and that defending against it requires a detailed statistical profile of the zone's normal traffic.

Evolving and Accessible. DDoS attacks continuously evolve as sophisticated attackers create damaging new exploits. In addition, attack scripts are made widely available on the Internet and are routinely executed by individuals with minimal knowledge of networking. DDoS defense technology must therefore be flexible and adaptive.

A DDoS defense system therefore has to detect an upcoming DDoS attack, differentiate between malicious and legitimate traffic, and perform both tasks without hindering the traffic flow to the attacked network element.

The Cisco Guard

The Guard is Cisco Systems' solution to the DDoS problem. It passes zone traffic transparently, filters that traffic continuously, and stays closely tuned to the zone's traffic characteristics so that it can detect evolving attack patterns.

To accomplish these tasks the Cisco Guard employs the following components:

Traffic diversion mechanisms that redirect (divert) the zone traffic to the Guard Learning and Protection systems and then return (inject) the legitimate traffic flow to the zone, without obstructing network traffic.

An algorithm-based Learning system that learns the Zone traffic, adapts itself to the zone's particular characteristics, and supplies the Protection system with references and protection instructions in the form of thresholds and policies.

A Protection system that distinguishes legitimate from suspicious traffic and filters out the malicious traffic. The Protection system works in close integration with the Learning system, from which it takes its references and instructions. Only legitimate traffic is then passed on to the Zone.

Integrating these components enables the Guard to assume its protective role on demand while remaining in the background the rest of the time.

The first component the Guard employs is Zone traffic diversion; it is the basis on which the other two components operate.

The Zone

A zone is a network element that the Guard protects against DDoS attacks. A zone can be a network server, client, or router; a network link, subnet, or entire network; an individual Internet user or a company doing business over the Internet; an Internet Service Provider (ISP); or any combination of or variant on these. The Guard can protect different Zones simultaneously as long as their network address ranges do not overlap.

A "zone" on the Guard is the definition of such a Zone element, configured so that the Guard can protect it from DDoS attacks. A Zone on the Guard is assigned a name and is referred to by that name.

Zone traffic Diversion

Diversion is a technique that redirects (diverts) the attacked Zone's traffic from its normal path to the Guard and then returns (injects) the traffic to the normal path so that it continues to its original destination.

Figure 1-1 The Diversion Concept

Zone Traffic Learning and Protecting

The Guard applies and integrates Learning and Protection in two successive phases: the Learning phase followed by the Protection phase. Figure 1-2 shows the two phases and schematically demonstrates the Guard operation:

Figure 1-2 The Guard Operation

Zone Traffic Learning

The Guard first learns the Zone's traffic characteristics to acquire a baseline against which it can compare Zone traffic and trace any abnormalities that might, in turn, prove malicious. The Learning phase begins with the Guard traffic diversion mechanisms diverting the Zone's routine traffic to the Guard. The Learning system then constructs the Guard protection policies that instruct the Guard Protection system how to regard the diverted Zone traffic flows. The path the traffic takes to the Learning system and then to the Guard traffic injection mechanisms, which inject the traffic back to the Zone, is marked by a broken line in Figure 1-2.

The end result of this phase is the set of protection policies. A Guard policy measures a traffic flow and carries a threshold together with the action to be taken when that threshold is violated. Once the policies have been produced, the Learning system performs traffic tuning: the Guard tunes to the Zone traffic to establish the policy thresholds whose violation causes a policy to launch its action (see Chapter 10, "Advanced Policy Procedures," for further details).

Once the Learning phase is over, the Guard is ready to assume protection of the Zone. Protection is launched by a user-issued command.

Zone Traffic Protection

During Zone protection the diverted Zone traffic takes the path marked by the solid line in Figure 1-2 to the Guard Protection system. Once suspicious indicators (in the form of threshold violations) are sensed, the policies instruct the Protection system to carry out an action. This action can range from merely notifying the user of suspicious traffic, to directing the traffic to the Guard's anti-spoofing or anti-zombie mechanisms, to dropping the traffic (see Chapter 9, "Advanced Filter Procedures," and Chapter 10, "Advanced Policy Procedures," for further details).

To perform its protective role the Guard has an array of filters with different characteristics that are finely tuned. These filters enable the Guard and the user to filter out suspicious and malicious traffic efficiently while letting legitimate traffic pass to the Zone. The Guard also has protection modules that follow up the filtering with their anti-spoofing mechanisms; the modules differ in the processes they apply to the traffic flows directed to them (see the "The Guard Protection system" section for further details). Together, the filter system and the protection modules constitute the Zone traffic protection formation, and they operate in a cyclic mode over the Zone traffic flow.
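The Learning and Protection phases described above amount to: build a statistical profile of each zone service from routine traffic, turn it into per-service thresholds, and then act on the first measurement window that violates a threshold. The following Python illustration is an added example, not Cisco Guard code: the traffic samples are constructed, and the threshold rule (mean plus three standard deviations, floored at 1.5 times the mean) and the four action tiers are assumptions made for the example, not the Guard's actual algorithm.

```python
# Added illustration of learning-then-protection threshold policies.
# NOT Cisco Guard code: samples, threshold rule and action tiers are assumptions.
from statistics import mean, pstdev

# Constructed learning-phase samples: packets per second seen for each zone
# service over ten one-second intervals of routine (non-attack) traffic.
LEARNING_SAMPLES = {
    "tcp/80":  [120, 135, 128, 142, 130, 125, 138, 133, 129, 140],
    "udp/53":  [40, 45, 38, 42, 47, 41, 39, 44, 43, 40],
    "tcp/syn": [15, 18, 16, 20, 17, 14, 19, 16, 18, 17],
}


def learn_thresholds(samples, sigma=3.0, headroom=1.5):
    """Learning phase: derive one threshold per service from its profile.

    threshold = max(mean + sigma * stddev, headroom * mean). The headroom
    floor stops a very steady service from getting a threshold so tight that
    ordinary fluctuation trips it.
    """
    thresholds = {}
    for service, counts in samples.items():
        mu = mean(counts)
        sd = pstdev(counts)
        thresholds[service] = max(mu + sigma * sd, headroom * mu)
    return thresholds


def policy_action(observed, threshold):
    """Map how far a measurement exceeds its threshold to a policy action.

    The tiers mirror the range of actions the text lists: notify the user,
    hand the flow to the anti-spoofing/anti-zombie modules, or drop it.
    """
    ratio = observed / threshold
    if ratio < 1.0:
        return "pass"
    if ratio < 2.0:
        return "notify"
    if ratio < 5.0:
        return "authenticate"
    return "drop"


def protect(window, thresholds):
    """Protection phase: evaluate one measurement window against the policies.

    Returns {service: (action, threshold)}. A service with no learned
    threshold has no policy and is reported as such rather than guessed at.
    """
    decisions = {}
    for service, observed in window.items():
        thr = thresholds.get(service)
        if thr is None:
            decisions[service] = ("no_policy", None)
        else:
            decisions[service] = (policy_action(observed, thr), thr)
    return decisions


if __name__ == "__main__":
    thr = learn_thresholds(LEARNING_SAMPLES)
    # Constructed protection-phase window: a modest DNS bump, a SYN rate far
    # above baseline, and a service the Guard never learned.
    window = {"tcp/80": 150, "udp/53": 90, "tcp/syn": 80, "udp/123": 5}
    for service, (action, limit) in protect(window, thr).items():
        print(f"{service:8} observed={window[service]:4} threshold={limit} -> {action}")
```

With these samples the learned thresholds are 198.0 pps for tcp/80, 62.85 for udp/53 and 25.5 for tcp/syn; the constructed window then yields pass, notify and authenticate respectively, and udp/123 is reported as having no policy. The point a practitioner should take from it is that the thresholds are a property of the learned profile, not fixed numbers, which is why the text insists on re-tuning them to the zone.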

The Guard Protection Cycle

Figure 1-3 displays a general functional perspective of the Guard operation cycle:

Figure 1-3 The Guard protection Cycle

Once switched into protection, the Guard begins diverting the traffic and applying its policies. A policy reacts when the measured traffic violates its threshold. The policies direct the Guard to produce the appropriate filters, and the traffic is then directed to the protection modules, which run their anti-spoofing and anti-zombie mechanisms to authenticate the traffic. The filtered and authenticated traffic then flows to the Recognition module for sampling, is rate limited, and is injected back to the Zone.

The Recognition module drives a closed-loop feedback cycle that adjusts the Guard protection measures to the dynamically changing Zone traffic characteristics, so that the Guard adopts the proper protection strategies for changing DDoS attack types and traffic flows. When the DDoS attack is over and the traffic returns to normal, the Guard transparently injects the Zone traffic back to the Zone. This state continues until the user ends the Zone's protection.

The Guard Protection system

The major components of the Guard protection system are the filter system and the protection modules. The Guard's filters can be tailored to the Zone's traffic characteristics and let the user control the filtering down to the most minute requirements. Examples are the Guard Flex and User filters. The Flex filter counts or drops precisely discriminated packets, while User filters are user-configured and let the user decide which protection measures to apply to specified traffic flows. The Guard also reacts dynamically to changing traffic patterns by applying its Dynamic filters (which are also open to user configuration). These measures, among others, provide a flexible and dynamically self-adapting DDoS defense (see Chapter 9, "Advanced Filter Procedures," for further details). The Guard's protection modules also take an active role in the Zone's traffic protection by applying different processes to the traffic flows:

The Analysis module—During protection this module lets the traffic flow monitored but unhindered as long as no abnormalities are traced. Once abnormalities are traced, the affected traffic flows are directed to the appropriate protection module.

The Basic module—This module has anti-spoofing and anti-zombie mechanisms that authenticate traffic. These mechanisms inspect the suspicious traffic flow to verify its source.

The Strong module—This module has stricter anti-spoofing mechanisms. These authentication mechanisms inspect the packets of the flow to verify the flow's legitimacy.

The Drop module—This module drops malicious traffic.

The Rate Limiting module—This module limits the rate of a selected traffic flow or of the overall Zone traffic (see Chapter 9, "Advanced Filter Procedures," for further details).
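The Basic module's job of "verifying the source" of a suspicious flow is, at bottom, a challenge that only the true owner of a source address can answer. The Python below is an added example of one such mechanism, a stateless SYN-cookie-style challenge on TCP handshakes; it is not Cisco Guard code and does not claim to be the Guard's actual anti-spoofing method. The key, addresses, ports and timestamps are constructed for the example.

```python
# Added illustration of source authentication by challenge/response.
# NOT Cisco Guard code; a hypothetical SYN-cookie-style check, all inputs constructed.
import hashlib
import hmac
import struct

SECRET = b"example-guard-secret"   # constructed; a real device would rotate this
SLOT_SECONDS = 60                  # a cookie is valid for its slot and the one after


def _cookie(src, sport, dst, dport, slot):
    """32-bit keyed digest of the 4-tuple and time slot. Because it can be
    recomputed, the guard stores nothing per SYN and cannot be exhausted by
    a SYN flood from spoofed sources."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def challenge(src, sport, dst, dport, now):
    """On a SYN: return the initial sequence number to place in the SYN-ACK.
    The real owner of src will receive it; a spoofed source never will."""
    return _cookie(src, sport, dst, dport, now // SLOT_SECONDS)


def verify(src, sport, dst, dport, ack, now):
    """On the ACK that completes the handshake: the source is authentic if
    ack-1 equals the cookie for the current or the previous time slot."""
    slot = now // SLOT_SECONDS
    expected = (ack - 1) & 0xFFFFFFFF
    return any(_cookie(src, sport, dst, dport, s) == expected for s in (slot, slot - 1))


def authenticate(events, dst, dport):
    """Run a stream of (kind, src, sport, value, t) events through the check.

    kind is "SYN" (value unused) or "ACK" (value is the ACK number).
    Returns the set of (src, sport) that proved ownership of their address,
    and the list of (src, sport) whose ACK did not verify (spoofed or stale).
    """
    authentic, rejected = set(), []
    for kind, src, sport, value, t in events:
        if kind == "SYN":
            challenge(src, sport, dst, dport, t)   # SYN-ACK goes out; nothing stored
        elif kind == "ACK":
            if verify(src, sport, dst, dport, value, t):
                authentic.add((src, sport))
            else:
                rejected.append((src, sport))
    return authentic, rejected


if __name__ == "__main__":
    DST, DPORT = "198.51.100.5", 80   # the zone (constructed)
    t0 = 1_000_000
    # A legitimate client receives our SYN-ACK and echoes ISN+1.
    isn = challenge("203.0.113.10", 40000, DST, DPORT, t0)
    events = [
        ("SYN", "203.0.113.10", 40000, None, t0),
        ("ACK", "203.0.113.10", 40000, (isn + 1) & 0xFFFFFFFF, t0 + 1),
        # A spoofed source never saw the SYN-ACK and can only guess.
        ("SYN", "192.0.2.77", 5555, None, t0),
        ("ACK", "192.0.2.77", 5555, 0x12345678, t0 + 1),
        # A replayed ACK carrying a once-valid cookie, three slots later.
        ("ACK", "203.0.113.10", 40000, (isn + 1) & 0xFFFFFFFF, t0 + 3 * SLOT_SECONDS),
    ]
    ok, bad = authenticate(events, DST, DPORT)
    print("authenticated:", sorted(ok))
    print("rejected:", bad)
```

Running it authenticates only the client that completed the handshake; the spoofed source and the stale replay are both rejected. The two-slot acceptance window is the caveat to watch: make it too short and slow clients fail the handshake, too long and a captured cookie stays replayable.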

In addition, the Guard has the Recognition module, which coordinates between the Guard policies and the filter system and also samples the outgoing traffic for analysis.

All of the above protection measures and processes are integrated to ensure that the Zone is protected and that its legitimate traffic reaches its destination unobstructed.

The Guard Interactive Recommendations

In the Interactive Recommendation mode the Guard lets the user decide whether to activate the filters that the policies produce. This mode enhances the user's control over the activation of the Guard's protective measures as a DDoS attack progresses. At the user's command, the Guard displays a report stating the status of a specific recommendation or a list of recommendations. The user can then examine the Guard's recommendations in detail, learn about the traffic anomalies that produced them, and decide to accept, ignore, or time out each filter's activation. In this way the Guard lets the user decide on its protection measures in real time. The user may end the interactive mode at any time and so return to the automatic mode of operation, in which the policies resume producing and activating their filters automatically (see Chapter 10, "Advanced Policy Procedures").

The Guard Attack Reports

The Guard provides an attack report for each Zone to help the user form a clearer picture of an attacked Zone (or Zones). The Guard records the relevant details during an attack and organizes the data into a report that is available for viewing and covers past and ongoing attacks. An attack report consists of the following categories:

Attack Timing—General information on the timing of the attack.

Attack Statistics—A general analysis of the traffic flows the Guard received, together with the dropped and replied packets.

Detected Anomalies—Details of the detected traffic anomalies.

Mitigated Attacks—Details of the steps the Guard took to protect the zone.

The Guard lets the user view the list of attack reports, the report of an ongoing attack, or a specific attack report. From the anomalies and the mitigation actions taken in response, the user can deduce attack specifics such as the characteristics of the attack flows and the attack size.