Table Of Contents
Protecting Zones
Overview
Protecting the Zone
Activating Protection
Deactivating Protection
Zone Protection Verification
Dynamic Filters
Dynamic Filter Termination
Dynamic Filter Details
Dynamic Filter Configuration
Deleting a Dynamic Filter
Adding a Dynamic Filter
Interactive Recommendations Mode
Activating the Interactive Recommendations Mode
Viewing New Recommendations
Deciding on the Guard's Recommendations
Pending Dynamic Filters
Pending Dynamic Filter Details
Protecting Zones
This chapter describes how to perform tasks for protecting zones on the Cisco Guard using the Web-Based Management (WBM).
Processes described in this chapter must be performed after completing the Cisco Guard configuration and zone configuration described in the previous chapters of this guide.
This chapter includes the following sections:
• Overview
• Protecting the Zone (activate/deactivate protection)
• Dynamic Filters (view or add Dynamic filters during an attack)
• Interactive Recommendations Mode (using the Guard's recommendations)
Overview
Before activating the Cisco Guard's protection for a zone, it is recommended to let the Guard study the zone's traffic patterns. The learning process allows the Cisco Guard to learn the traffic patterns of each zone and to create sets of recommended thresholds according to statistical analysis of the traffic.
If the zone is attacked before the zone learning phases are complete, when the Guard has not yet adapted its protection policy to suit the zone traffic, the Guard has its 'On-Demand' protection. In such a situation, the zone protection quickly activates the Guard's anti-spoofing and anti-zombie mechanisms. The default thresholds configured for a new zone enable effective 'On-Demand' protection. Refer to Chapter 6, "On-Demand Protection," in the Cisco Guard User Guide for further details.
After learning the zone traffic characteristics, the Guard is ready to protect the zone. You may wish to wait for an external indication (from the Cisco Detector or any other means) of an attack before setting the Guard to protect the zone, or command the Guard to protect the zone right after completing the zone configuration. During the zone protection process, the Guard diverts the zone traffic and applies its protection policies.
When the Guard protection policies sense abnormal or malicious traffic (by means of threshold violation), they dynamically configure a set of filters (Dynamic Filters) to direct the traffic to the appropriate protection module according to the attack severity.
The Guard's protection can be activated in two operation modes:
• Automatic protection mode—Activation of the dynamic filters is carried out without user intervention.
• Interactive protection mode—Dynamic filters are activated manually, in an interactive mode. The Dynamic filters are grouped as recommendations that await user decision. You may review these recommendations and manually decide which of them to accept, ignore, or direct to automatic activation.
The operation mode is configured for each zone separately. See the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details.
The Cisco Guard system provides a series of tools for adjusting a zone's protection mechanism while protection is active.
Note
Before activating the Cisco Guard's protection, traffic diversion for the zone's traffic must be configured. For further information on zone diversion configuration, refer to Appendix A, "Diversion Configuration," in the Cisco Guard User Guide.
Protecting the Zone
After learning the zone traffic characteristics, the Guard is ready to protect the Zone. During the zone protection process, the Guard diverts the zone traffic and applies its protection policies.
Figure 7-1 Protection Menu
Activating Protection
To activate zone protection, perform one of the following:
• On the Zone's "home page", click Protect.
• From the Zone's main menu, select Protection > Protect.
Note
The Guard has its 'On-Demand' protection to handle the situation in which the zone is under attack while the Guard has not completed its learning phase and so has not adapted its protection policy to suit the zone traffic.
Refer to Chapter 6, "On Demand Protection," in the Cisco Guard User Guide for further details.
Deactivating Protection
To deactivate the zone's protection, perform one of the following:
• On the Zone's "home page", click Deactivate.
• From the Zone's main menu, select Protection > Deactivate.
Zone Protection Verification
You may now wish to view the zone status and verify that the protection process is functioning properly, by viewing the zone counters.
To view the zone counters:
From the Zone main menu, select Diagnostics > Counters.
To verify whether an attack is in progress, check the following:
• Malicious traffic rate is greater than zero.
To verify that the zone protection is functioning properly while an attack is in progress, check the following:
• The number of active Dynamic filters (as can be viewed from the Zone's "home page") is greater than zero.
• Legitimate traffic rate is greater than zero.
In case there is no attack on the zone and no indications of suspicious traffic, the Guard designates all diverted traffic as legitimate traffic and forwards it on to the zone. The Legitimate traffic counter would then equal that of the Received traffic counter.
See "Zone Statistics and Diagnostics," for further details.
Dynamic Filters
The Guard analyses the diverted zone traffic in search of policy threshold violations. Once a policy threshold violation is observed, the Guard turns its analysis results into a set of filters that are continuously adapted to the zone traffic and to the type of DDoS attack. This filter set consists of the Dynamic filters. Once abnormal traffic is detected, the Dynamic filter by default directs the Guard to the User filters, so that the action suggested by the User filters can be compared with the protection suggested by the Guard. You may access the Dynamic filters and configure them to your needs.
For a comprehensive overview of Dynamic filters, refer to Chapter 8, "Advanced Filter Procedures," in the Cisco Guard User Guide.
To view the Dynamic filters, perform one of the following:
• From the Zone's main menu, select Protection > Dynamic filters.
• On the Zone's "home page", click Active dynamic filters in the zone's status summary table.
Figure 7-2 Dynamic Filters Table
The Dynamic filters table (Figure 7-2) displays the dynamic filters filtered according to the policy that created them.
The information in the table is related to the ongoing attack. The table includes the following information:
Parameter: Description

Created by: Indicates the policy that created the filter. Clicking on the policy name will display the Policy details (see the "Zone Policies" section in "Zone Traffic Learning and Policy Construction," for further details).
Activation: Indicates the date and time the filter was activated.
Expiration: Indicates the filter expiration time. Once the filter expires, the Guard decides whether or not to deactivate the Dynamic filter that was produced by the policy according to the Dynamic filter termination criteria (see the "Dynamic Filter Termination" section for further details).
Src IP: Indicates the source IP address the Dynamic filter is applied on.
Protocol: Indicates the protocol number the Dynamic filter is applied on.
Dst Port: Indicates the destination port the Dynamic filter is applied on.
Fragments: Indicates whether the attack stream contains fragmented packets.
Action: Indicates the action taken by the filter. The following actions apply for the Dynamic filters:
• to-user-filters—Forwards the specified traffic to the user-configured User filters.
• filter/strong—Applies Strong protection anti-spoofing mechanisms to the specified traffic.
• filter/drop—Drops the traffic.
• block-unauthenticated-basic—Drops unauthenticated traffic flow that has not been authenticated by the Basic anti-spoofing mechanisms.
• block-unauthenticated-strong—Drops unauthenticated traffic flow that has not been authenticated by the Strong anti-spoofing mechanisms.
• block-unauthenticated-dns—Drops unauthenticated traffic flow, flowing to DNS servers, that has not been authenticated by the DNS anti-spoofing mechanisms.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.
Rate (pps): Indicates the approximate attack rate.
Details: Indicates whether additional information can be viewed for this filter. Click i for additional information.
A value of "*" for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter.
To display detailed information on the filter:
Click i in the details column.
See the "Dynamic Filter Details" section for further details.
Dynamic Filter Termination
Once the Dynamic filter timeout expires, the Guard determines whether the Dynamic filter is to be deactivated. If the Guard decides not to deactivate the Dynamic filter, the filter's activation timeout resumes for another time span. The Dynamic filters are deactivated when one of the following applies:
• The total zone Malicious traffic rate (equaling the sum of the spoofed and dropped traffic) is less than or equal to the Malicious-rate termination threshold.
• The Dynamic filter does not have an action of to-user-filters (the filter rate counter does not display N/A) and the Filter-rate termination threshold is equal to or greater than both of the following:
– The Dynamic filter's current traffic rate
– The Dynamic filter's average traffic rate during a user-configured time span (defined by the policy's Timeout parameter)
See the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details on threshold configuration.
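The termination criteria above are easy to misread (the two conditions are alternatives, and the rate test applies only to filters that carry their own rate counter). The following is an added example written for this chapter, not Cisco's code: it models the check the Guard runs when a filter's Timeout expires, using constructed pps samples. The class and function names, the sample filter names and the threshold values are assumptions.

```python
# Added example (not Cisco's code): models the Dynamic filter termination check.
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class DynamicFilter:
    name: str            # label for the report (constructed)
    action: str          # e.g. "filter/drop", "filter/strong", "to-user-filters"
    rate_samples: List[float]  # pps samples over the last Timeout span; empty = N/A

    @property
    def current_rate(self) -> Optional[float]:
        return self.rate_samples[-1] if self.rate_samples else None

    @property
    def average_rate(self) -> Optional[float]:
        return mean(self.rate_samples) if self.rate_samples else None


def zone_malicious_rate(spoofed_pps: float, dropped_pps: float) -> float:
    """Total zone Malicious traffic rate = spoofed + dropped traffic."""
    return spoofed_pps + dropped_pps


def should_terminate(filt: DynamicFilter, malicious_pps: float,
                     malicious_rate_threshold: float, filter_rate_threshold: float):
    """Return (deactivate, reason) for a filter whose Timeout has just expired."""
    # Criterion 1: the whole zone is quiet enough.
    if malicious_pps <= malicious_rate_threshold:
        return True, "zone malicious rate at or below Malicious-rate termination threshold"
    # Criterion 2: only for filters with their own rate counter (not to-user-filters).
    if filt.action != "to-user-filters" and filt.current_rate is not None:
        if (filter_rate_threshold >= filt.current_rate
                and filter_rate_threshold >= filt.average_rate):
            return True, "filter current and average rate at or below Filter-rate termination threshold"
    return False, "criteria not met; Timeout resumes for another span"


def expiry_check(filters, spoofed_pps, dropped_pps,
                 malicious_rate_threshold, filter_rate_threshold):
    """Run the check for every expired filter; returns name -> (deactivate, reason)."""
    malicious = zone_malicious_rate(spoofed_pps, dropped_pps)
    return {f.name: should_terminate(f, malicious, malicious_rate_threshold, filter_rate_threshold)
            for f in filters}


# Constructed sample: three filters reaching Timeout while the zone still sees malicious traffic.
SAMPLE_FILTERS = [
    DynamicFilter("drop-198.51.100.7", "filter/drop", [900, 1100, 1300, 1200]),
    DynamicFilter("strong-udp-53", "filter/strong", [40, 30, 20, 10]),
    DynamicFilter("uf-tcp-80", "to-user-filters", []),   # rate counter shows N/A
]

if __name__ == "__main__":
    # Zone malicious rate 1500 pps (1000 spoofed + 500 dropped), thresholds 100 and 50 pps.
    for name, (deactivate, reason) in expiry_check(SAMPLE_FILTERS, 1000, 500, 100, 50).items():
        print(f"{name}: {'deactivate' if deactivate else 'keep'} ({reason})")
```

With the sample values only the filter/strong filter, whose current and average rates have fallen under the Filter-rate threshold, is deactivated; the to-user-filters filter stays up until the zone-wide malicious rate drops under the Malicious-rate threshold, at which point all three go.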
Dynamic Filter Details
The Dynamic Filter Details screen provides detailed information on the dynamic filters.
To display the detected anomalies details table:
From the details column in the Dynamic Filter table, click i.
The Dynamic filter details screen (Figure 7-3) includes three tables:
• Information on the policy that created the filter, as detailed above.
• Information on the attack flow—Information on the attack that was mitigated, as detailed above.
Note
The flow mitigated could be of a wider range than the detected attack flow. For example, a non-spoofed attack on port 80 will block all TCP traffic from the originating source IP and not only port 80.
• Information on the filter creation trigger:
Parameter: Description

Policy Threshold: Indicates the threshold defined for the policy that was violated by the attack.
Triggering rate: Indicates the approximate attack rate that triggered the production of the dynamic filter.
Figure 7-3 Dynamic Filter Details
Dynamic Filter Configuration
You may add or delete dynamic filters and configure them to your needs.
Note
You may access the Guard's Dynamic filters and configure them to fit your protection policy. However, note that dynamic filters are designed to meet dynamically changing protection needs, so the Guard assigns them a limited lifespan (Timeout). The implication is that user-configured dynamic filters that do not outweigh the Guard's Recognition decision will not be implemented. The user-configured dynamic filters are removed once the protection ends.
Deleting a Dynamic Filter
You may wish to delete a Dynamic filter.
To delete a Dynamic filter:
1. Select the check box next to the filter in the Dynamic Filters Details Table (see Figure 7-2).
2. Click Delete.
You may remove all Dynamic filters. The action is effective only for a limited period of time, since the Guard, being in Protection operation mode, continues to configure new Dynamic filters to adapt its protection to the dynamically changing traffic state.
Note
To prevent undesired Dynamic filters from being reproduced, deactivate the policy that produces them (see the "Policy Configuration" section in "Zone Traffic Learning and Policy Construction," for further details). To find out which policy produced the undesired Dynamic filters see the sections about viewing Dynamic filters in this chapter. Alternatively, you may perform one of the following:
• Configure a Bypass filter for the desired traffic flow (see the "Bypass Filter Configuration" section in "Advanced Zone Procedures," for further details).
• Increase the Threshold of the policy that produced the undesired Dynamic filter (see the "Configuring the Policy Operational Parameters" section in "Zone Traffic Learning and Policy Construction," for further details).
Adding a Dynamic Filter
To add a Dynamic filter:
In the Dynamic Filters Details Table (see Figure 7-2), click Add.
The Dynamic Filter Form is displayed.
Enter the following information to configure the Dynamic filter:
Parameter: Description

Source IP: Directs traffic coming from a specified IP address to the Dynamic filter. Leave blank or enter * for 'any'.
Source Subnet: Directs traffic coming from a specified subnet to the Dynamic filter. Choose the subnet from the drop-down list.
Protocol: Directs traffic from a specified protocol to the Dynamic filter. The protocol is denoted by its well-known number. Leave blank or enter * for 'any'.
Dst Port: Directs traffic destined to a specified port to the Dynamic filter. Leave blank or enter * for 'any'.
Fragments: Denotes the traffic type for the filter to operate on. Choose one of the following from the drop-down list:
• without—The Dynamic filter acts on non-fragmented traffic.
• with—The Dynamic filter acts on fragmented traffic.
• *—The Dynamic filter acts on fragmented and non-fragmented traffic.
Action: Indicates the action the filter performs on the specified traffic type. Choose the action from the drop-down list:
• to-user-filters—Forwards the specified traffic to the user-configured User filters.
• filter/strong—Applies Strong protection anti-spoofing mechanisms to the specified traffic.
• filter/drop—Drops the traffic.
• block-unauthenticated-basic—Drops unauthenticated traffic flow that has not been authenticated by the Basic anti-spoofing mechanisms.
• block-unauthenticated-strong—Drops unauthenticated traffic flow that has not been authenticated by the Strong anti-spoofing mechanisms.
• block-unauthenticated-dns—Drops unauthenticated traffic flow, flowing to DNS servers, that has not been authenticated by the DNS anti-spoofing mechanisms.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.
Timeout (Sec): Indicates the minimal time for the filter to be active (see the "Dynamic Filter Termination" section for further details). Enter an integer to specify the desired time in seconds. Leave blank for unlimited time.
Note: Unlimited-time Dynamic filters are also deleted once protection is aborted.
Interactive Recommendations Mode
In the Interactive Recommendation mode, the Guard enables you to decide on the activation of the filters the policies launch. The Guard functions in accordance with your decision to accept or ignore the filter's activation. In this way, the Guard lets you decide on the production of its protection measures in real time. The Guard in an interactive mode enhances your control over the activation of the Guard's protective measures as a DDoS attack progresses.
The recommendations are a summary of the pending dynamic filters aggregated according to the policies that produced them. The Guard recommendation data consists of the policy name that recommended it, data on the traffic anomaly that resulted in policy activation, the number of pending filters and the recommended action.
For a comprehensive overview of the Interactive recommendations mode, refer to Chapter 10, "Interactive Recommendations Mode," in the Cisco Guard User Guide.
Note
When the number of pending filters is higher than 1000, newly added recommendations are recorded in the Guard's log file and then discarded. You are advised to perform the following:
1. Deactivate the zone (click Deactivate on the Zone's home page).
2. Change the operation mode to automatic (see the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details).
3. Re-activate zone protection (click Protect on the Zone's home page).
Activating the Interactive Recommendations Mode
The operation mode is a characteristic of a zone.
To activate the interactive recommendations mode:
1. From the Zone's main menu select Configuration > General.
2. Click Config.
3. Set the operation mode to interactive.
4. Click OK.
See the "Creating Zones and Basic Zone Configuration" section in "Zone Creation and Configuration," for further details.
You may choose to end the interactive mode of operation at any time and thus return to the automatic operation mode. This results in the Guard disregarding the decisions made while in the interactive mode. The policies resume their role of automatically producing and activating their filters and automatically accept all pending Dynamic filters and recommendations.
Viewing New Recommendations
New recommendations are indicated by the recommendations icon.
The recommendations icon appears in the following locations:
• On the navigation pane, next to the zone's icon in the All Zones list
• On the navigation pane, next to the zone's icon in the Protected Zones list
• On the Zone's "home page", in the zone status bar
• In the Zone list table
When the Guard offers new recommendations, an additional indication is apparent in the form of a number of pending Dynamic filters that is greater than zero. This can be viewed in the Zone's status summary on the Zone's "home page" under Pending Dynamic filters.
To view new recommendations, perform one of the following:
• From the Zone's main menu select Protection > Recommendations.
• On the Zone's "home page", click Pending Dynamic filters in the zone's status summary.
Figure 7-4 Recommendations
The Recommendations table provides the following information:
Parameter: Description

ID: Indicates the protection recommendation ID number.
Recommendation: Indicates the recommended action.
Created By: Indicates the policy that created the filter. Click on the policy name to display the Policy details (see the "Configuring the Policy Operational Parameters" section in "Zone Traffic Learning and Policy Construction," for further details).
# of PFs: Indicates the number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of a traffic flow that violated the policy threshold. Click on the number to view the pending dynamic filters that constitute the recommendation.
Attack flow: Provides information on the attack flow:
• Src IP—The source IP address of the attack stream
• Protocol—The protocol number of the attack stream
• Dst Port—The destination port of the attack stream
• Dst IP—The destination IP address of the attack stream
Thr.: Indicates the policy threshold, in pps, that was violated.
Min.: Recent rate: minimum attack rate measured in pps.
Note: For Recommendations that aggregate several pending filters, the rate of the lowest pending filter is displayed.
Max.: Recent rate: maximum attack rate measured in pps.
Note: For Recommendations that aggregate several pending filters, the rate of the highest pending filter is displayed.
Creation: The date and time the recommendation was created.
A value of "*" for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter. To display the different values constituting '*', view the complete list of pending filters.
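The Recommendations table is a per-policy roll-up of the pending Dynamic filters: one row per policy, with the number of pending filters, the lowest and highest recent rate, and a "*" wherever the aggregated filters disagree or a value is undetermined. The following added example (written for this chapter, not Cisco's code) builds that roll-up from a constructed list of pending filters and exposes the "# of PFs" drill-down that reveals the values hidden behind a "*". Field names, policy names and addresses are assumptions.

```python
# Added example (not Cisco's code): aggregates pending Dynamic filters into
# per-policy recommendations the way the Recommendations table describes.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PendingFilter:
    """One flow that violated a policy threshold (field names are assumptions)."""
    policy: str
    action: str
    src_ip: Optional[str]      # None models an undetermined value
    protocol: Optional[int]
    dst_port: Optional[int]
    dst_ip: Optional[str]
    threshold_pps: int
    recent_rate_pps: int


def collapse(values):
    """A single determined value is shown as is; an undetermined value or
    more than one measured value is shown as '*', as the table explains."""
    distinct = set(values)
    if len(distinct) == 1 and None not in distinct:
        return next(iter(distinct))
    return "*"


def build_recommendations(pending):
    """Group pending filters by the policy that produced them; one row per policy."""
    by_policy = defaultdict(list)
    for pf in pending:
        by_policy[pf.policy].append(pf)
    rows = []
    for rec_id, (policy, pfs) in enumerate(sorted(by_policy.items()), start=1):
        rates = [pf.recent_rate_pps for pf in pfs]
        rows.append({
            "id": rec_id,
            "recommendation": collapse(pf.action for pf in pfs),
            "created_by": policy,
            "num_pfs": len(pfs),
            "attack_flow": {
                "src_ip": collapse(pf.src_ip for pf in pfs),
                "protocol": collapse(pf.protocol for pf in pfs),
                "dst_port": collapse(pf.dst_port for pf in pfs),
                "dst_ip": collapse(pf.dst_ip for pf in pfs),
            },
            "thr": collapse(pf.threshold_pps for pf in pfs),
            "min_recent_rate": min(rates),   # rate of the lowest pending filter
            "max_recent_rate": max(rates),   # rate of the highest pending filter
        })
    return rows


def pending_filters_for(pending, policy):
    """The '# of PFs' drill-down: the complete list behind one recommendation,
    which is where the values collapsed into a '*' can be seen."""
    return [pf for pf in pending if pf.policy == policy]


# Constructed sample: three TCP/80 flows from different sources under one policy,
# and one spoofed (undetermined source) DNS flow under another. Policy names and
# addresses are made up for the example.
SAMPLE_PENDING = [
    PendingFilter("tcp_services/80", "filter/strong", "198.51.100.7", 6, 80, "203.0.113.10", 2000, 2500),
    PendingFilter("tcp_services/80", "filter/strong", "198.51.100.9", 6, 80, "203.0.113.10", 2000, 4100),
    PendingFilter("tcp_services/80", "filter/strong", "198.51.100.23", 6, 80, "203.0.113.10", 2000, 3200),
    PendingFilter("udp_services/53", "block-unauthenticated-dns", None, 17, 53, "203.0.113.53", 500, 900),
]

if __name__ == "__main__":
    for row in build_recommendations(SAMPLE_PENDING):
        print(row)
    print(pending_filters_for(SAMPLE_PENDING, "tcp_services/80"))
```

The first recommendation shows Src IP as "*" because three sources were measured, while Protocol, Dst Port and Dst IP keep their single value; the DNS recommendation shows "*" for Src IP because the source is undetermined, even though it aggregates only one pending filter.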
Deciding on the Guard's Recommendations
The Guard enables you to decide on its policies' recommendations. Your decisions determine whether a pending filter will be activated, and for how long, or deactivated. You may also instruct the Guard to always activate a specific policy's pending filters automatically; the Guard then no longer displays that policy's filters for you to decide on.
You may, alternatively, decide to instruct the Guard to prevent a policy from producing recommendations (and their pending filters). To prevent a policy from producing recommendations, the policy should be disabled or inactivated. See the "Configuring the Policy Operational Parameters" section in "Zone Traffic Learning and Policy Construction," for further details.
As the DDoS attack continues and changes its characteristics, the Guard's policies continue to produce recommendations that you will have to view and decide on. Alternatively, you may change the operation mode to automatic during the ongoing attack.
The Guard activates the Dynamic Filters (see the "Dynamic Filters" section in this chapter for further details) produced by the policies for at least a user-defined (Filters timeout) time span.
Note
Once the filter timeout expires, the Guard runs a checkout procedure in order to decide whether or not to deactivate the Dynamic filter that was produced by the policy (see the "Dynamic Filter Termination" section for further details).
To decide on the Guard's recommendations:
1. Enter the filter's timeout in the Filters timeout box (the filter timeout is measured in seconds).
2. Select the checkbox next to the recommendation.
3. Click the required action (Accept, Always accept, Always ignore).
The available actions are:
Accept: Accept the specific recommendation. The recommendation's pending filters are activated.
Always Accept: Accept the specific recommendation. The decision applies automatically whenever the recommendation's policy produces new recommendations.
Note: The Guard doesn't display the 'always-accept' recommendations.
Always Ignore: Ignore the specific recommendation. No dynamic filter or filters will be produced by the recommendation. The decision automatically applies to all future recommendations produced by the recommendation's policy.
Note: The future Dynamic filters will only be ignored for the current protection. To prevent a policy from producing recommendations, the policy should be disabled or inactivated.
You may also decide to selectively accept Pending Dynamic filters as opposed to accepting the recommendation. See the "Pending Dynamic Filters" section in this chapter for further details.
Note
You may change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the recommendation's pending filters.
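The three decisions, the 1000-pending-filter limit from the note at the start of this section, and the effect of switching back to automatic mode together form a small state machine. The following added example (written for this chapter, not Cisco's code) models it so the consequences of each decision can be traced: always-accept filters are activated without being displayed, always-ignore holds only for the current protection, and leaving interactive mode discards the decisions and accepts everything pending. The class, its method names and the flow representation are assumptions; the chapter does not say whether an always-accept decision survives the end of a protection, so clearing it there is also an assumption.

```python
# Added example (not Cisco's code): how decisions on recommendations are applied
# in Interactive recommendations mode, as this section and its notes describe.
MAX_PENDING = 1000   # above this, new recommendations are logged and discarded (chapter note)


class InteractiveZone:
    """State kept for one zone protected in Interactive mode (names are assumptions)."""

    def __init__(self):
        self.pending = {}        # policy name -> list of pending filter flows
        self.active = []         # (policy, flow, timeout_sec) of activated Dynamic filters
        self.always_accept = {}  # policy -> timeout_sec used for its auto-activated filters
        self.always_ignore = set()
        self.log = []            # what the Guard would write to its log file

    def pending_count(self):
        return sum(len(flows) for flows in self.pending.values())

    def new_pending_filter(self, policy, flow):
        """A policy threshold was violated; returns what happens to the resulting filter."""
        if policy in self.always_ignore:
            return "ignored"                       # not shown, no filter produced
        if policy in self.always_accept:
            self.active.append((policy, flow, self.always_accept[policy]))
            return "activated"                     # always-accept: activated, not displayed
        if self.pending_count() >= MAX_PENDING:
            self.log.append(f"discarded pending filter for {policy}: {flow}")
            return "discarded"
        self.pending.setdefault(policy, []).append(flow)
        return "pending"

    def recommendations(self):
        """One recommendation per policy with pending filters, with its '# of PFs'."""
        return {policy: len(flows) for policy, flows in self.pending.items() if flows}

    def decide(self, policy, decision, timeout_sec):
        """Apply Accept / Always accept / Always ignore to a recommendation;
        returns the number of pending filters the decision covered."""
        flows = self.pending.pop(policy, [])
        if decision in ("accept", "always-accept"):
            self.active.extend((policy, flow, timeout_sec) for flow in flows)
            if decision == "always-accept":
                self.always_accept[policy] = timeout_sec
        elif decision == "always-ignore":
            self.always_ignore.add(policy)         # holds for the current protection only
        else:
            raise ValueError(f"unknown decision: {decision}")
        return len(flows)

    def switch_to_automatic(self):
        """Leaving Interactive mode: earlier decisions are disregarded and all
        pending filters are accepted automatically (timeout then set by the policy)."""
        accepted = self.pending_count()
        for policy, flows in self.pending.items():
            self.active.extend((policy, flow, None) for flow in flows)
        self.pending.clear()
        self.always_accept.clear()
        self.always_ignore.clear()
        return accepted

    def end_protection(self):
        """Protection deactivated: Dynamic filters and always-ignore decisions are
        dropped. Clearing always-accept as well is an assumption of this example."""
        self.pending.clear()
        self.active.clear()
        self.always_ignore.clear()
        self.always_accept.clear()
```

A practical consequence visible in the model: once a policy is on always-ignore, its filters never reach the pending list, so they also never count towards the 1000-filter limit, whereas filters left undecided do.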
Pending Dynamic Filters
The pending Dynamic filters measure each flow that violated a threshold. Pending Dynamic filters that were produced by the same policy are shown as a single recommendation.
To view the Pending Dynamic filters:
Click on the number of pending filters ("# of PFs" column) in the recommendations table (see Figure 7-4).
Figure 7-5 Pending Dynamic Filters
The Pending Dynamic filters table (Figure 7-5) provides the following information:
Parameter: Description

Created by: Indicates the policy that created the filter. Clicking on the policy name will display the Policy details (see the "Zone Policies" section in "Zone Traffic Learning and Policy Construction," for further details).
Activation: Indicates the date and time the filter was created.
Src IP: Indicates the source IP address of the attack stream.
Protocol: Indicates the protocol number of the attack stream.
Dst Port: Indicates the destination port of the attack stream.
Fragments: Indicates whether the attack stream contains fragmented packets.
Action: Indicates the action taken by the filter.
Recent rate: Indicates the current attack rate measured by the filter in pps.
Rate (pps): Indicates the triggering rate, the approximate attack rate that triggered the production of the dynamic filter.
Details: Indicates whether additional information is available for this filter. Click i for additional information.
A value of "*" for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter.
The Guard activates the Dynamic Filters (see the "Dynamic Filters" section in this chapter for further details) produced by the policies for at least a user-defined time span (filter timeout).
Note
Once the filter timeout expires, the Guard runs a checkout procedure in order to decide whether or not to deactivate the Dynamic filter that was produced by the policy (see the "Dynamic Filter Termination" section for further details).
To selectively accept a pending Dynamic filter:
1. Enter the timeout in the Filters timeout box (the filter timeout is measured in seconds).
2. Select the checkbox next to the required filter.
3. Click Accept.
To display detailed information for the filter:
Click i in the details column.
See the "Pending Dynamic Filter Details" section for further details.
Pending Dynamic Filter Details
The pending Dynamic filter details screen includes three tables:
• Information on the policy that created the filter, as detailed above.
• Information on the attack flow, as detailed above.
• Information on the trigger for the filter creation:
Parameter: Description

Policy Threshold: Indicates the threshold defined for the policy that was violated by the attack.
Triggering rate: Indicates the approximate attack rate that triggered the production of the dynamic filter.
Recent Rate: Indicates the current rate measured by the filter in pps.
Figure 7-6 Pending Dynamic Filter Details