Cisco Guard Web-Based Management Configuration Guide (Software Version 3.08)
Zone Statistics and Diagnostics

Table Of Contents

Zone Statistics and Diagnostics

Zone Counters

Traffic Analysis

Problem Analysis

Zone Protection Summary Report

Protection Graph

Total Attack Statistics

Per Attack Summary

Zone Attack Reports

General Details

Attack Statistics

Dropped/Bounced Packets

Detected Anomalies

Detected Anomalies Details

Mitigated Attacks

Mitigated Attack Details

HTTP Detected Zombies

HTTP Zombies

Zone Event Log


Zone Statistics and Diagnostics


This chapter describes how to perform tasks used for monitoring zones and displaying various zone statistics and diagnostics on the Cisco Guard using the Web-Based Management (WBM).

This chapter includes the following sections:

Zone Counters

Zone Protection Summary Report

Zone Attack Reports

HTTP Zombies

Zone Event Log

Zone Counters

The zone counters (Figure 8-1) enable you to analyze the zone's traffic in order to verify the zone's status and to determine whether the zone protection is functioning properly. The zone counters are displayed graphically for a configurable period of time and enable you to view how the zone protection is evolving. The counter information relates to the current zone.

To view the zone counters:

From the Zone's main menu select Diagnostics > Counters.

The following Counters are displayed:

Legitimate—Legitimate traffic forwarded by the Guard to the zone.

Malicious—Malicious traffic, destined to the zone, handled by the Guard. Malicious traffic is the sum of dropped packets and spoofed packets (which also include the zombie packets).

Received—Total packets received, destined to the zone, handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.

Dropped—Packets that were identified by the Guard as part of an attack, destined to the zone, and therefore dropped.

Replied—Packets, destined to the zone, to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify if they are part of authentic traffic or part of an attack.

Spoofed—Packets, destined to the zone, that were identified by the Guard as spoofed packets and therefore not forwarded to the zone. Spoofed packets are replied (bounced) packets (see Replied counter above for further details) for which no replies were received.

Zombie packets are also counted in the spoofed packets counter.

Figure 8-1 Zone Counters

For each of the counters, the following information is available:

Shown in Graph—Specifies whether the counter will be shown in the graph below.

Packets—Total amount of packets, destined to the zone, since last reload.

Bits—Total amount of bits, destined to the zone, since last reload.

pps—Current traffic rate, destined to the zone, measured in packets per second.

bps—Current traffic rate, destined to the zone, measured in bits per second.

By default, legitimate and malicious traffic counters are displayed for a period of the past two hours and are measured in bits per second (bps).

To update the graph:

1. Select the check boxes next to the counters to be displayed.

2. Choose the period of time.

3. Choose the traffic rate units.

4. Click Update Graph.

Below the graph is a legend that identifies the counters. For each counter in the graph, the minimum, maximum and average rate are displayed for the period of time and rate units chosen.

Traffic Analysis

It is important to analyze the traffic flow in order to determine whether traffic is flowing properly to the zone. The following section provides guidelines to help you analyze the traffic flow and indicates possible problems and their solutions.

Received and Legitimate (forwarded to the zone) packet counts greater than zero indicate that the Guard diversion mechanism is functioning properly.

A Received packets number greater than the Legitimate packets number, together with a Malicious packets number greater than zero, indicates that the protection is functioning. This is not an absolute indicator that the protection is tailored to the zone's traffic; you may also wish to view the Dynamic filters.

A Received packets number greater than the Legitimate packets number, together with Dynamic filters having been produced, indicates that the Guard has identified an attack.

You should observe the following in light of both work experience and traffic knowledge:

If there are dropped packets, you should verify whether a trusted IP source is blocked by a Dynamic filter. You may wish to have that source IP bypass the Guard filters (see the "Bypass Filter Configuration" section in "Advanced Zone Procedures," for further details).

If a policy has produced filters that drop too many IP flows, you should verify whether filters are blocking flows from source IP addresses that seem legitimate but are sending traffic in rates above the thresholds. In such a situation, you may wish to increase the policy's threshold or prevent its further production by deactivating it (see the "Zone Policies" section in "Zone Traffic Learning and Policy Construction," for further details).

If the Received packets current rate (pps and bps) is 0, or the number of Legitimate packets stays constant for a long period of time, refer to the "Problem Analysis" section in this chapter.

Note that the accumulated counters (Packets or Bits) keep their last value and therefore display a constant number, whereas the graph and the Legitimate traffic current-rate fields (pps and bps) in the legend display the current traffic rate and therefore show legitimate traffic = 0.

Problem Analysis

When the Received counters (Packets or Bits) or the Legitimate counters (Packets or Bits) equal 0, this could indicate a problem. The problem could be either or both of the following:

A case in which the Guard does not receive the packets destined to the zone (Received counters = 0)—This indicates a diversion problem or a network configuration problem. Refer to Appendix B, "Diversion Troubleshooting," in the Cisco Guard User Guide for further details.

A case in which the Guard receives the zone's diverted traffic packets but blocks them from being forwarded to the zone (Received counters ≠ 0 and Legitimate current rate (pps or bps) = 0 across a period of time)—This may indicate that legitimate traffic was falsely identified as malicious traffic and is being dropped.

The example shown in Figure 8-2 describes a situation in which almost all the traffic destined to the zone is dropped.

Figure 8-2 Problem analysis: Rcv ≠ 0, Legitimate = 0

To stop the legitimate traffic from being dropped:

1. Erase the drop-action Dynamic filter.

2. Deactivate the protection policy that produced the drop-action Dynamic filter so that filters of that kind are not produced again (if you skip this step, the drop-action filter will reappear).


Caution Deactivating the protection policy that produced the Dynamic filter compromises the zone protection.

The above-mentioned problem could occur in one of the following situations:

The protected zone receives no traffic.

All the traffic destined to the zone is identified by the Guard as malicious.


Tip These situations are likely to occur in a lab setup and are less likely to occur in real-world networks.
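The counter relationships (Received = Legitimate + Malicious, Malicious = Dropped + Spoofed) and the Traffic Analysis and Problem Analysis rules above, applied to constructed counter samples as an added Python example that is not part of the Cisco Guard guide. The RateSample fields, the function names, the sample values and the 50% drop-share threshold used to flag a policy that drops too many flows are assumptions made for the illustration.

```python
# Added example, not from the Cisco Guard guide: the zone-counter identities and
# the Traffic/Problem Analysis rules of this chapter applied to constructed
# legend samples. Field names, sample values and the 50% threshold are assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RateSample:
    """One sweep of the counter legend's current rates, in pps (constructed)."""
    legitimate: float
    dropped: float
    spoofed: float          # zombie packets are counted in Spoofed as well
    dynamic_filters: int    # Dynamic filters present at sampling time


def malicious(s: RateSample) -> float:
    """Malicious = Dropped + Spoofed (Spoofed already includes zombies)."""
    return s.dropped + s.spoofed


def received(s: RateSample) -> float:
    """Received = Legitimate + Malicious."""
    return s.legitimate + malicious(s)


def counters_consistent(legitimate: int, malicious_: int, received_: int,
                        dropped: int, spoofed: int) -> bool:
    """Check accumulated Packets counters against the chapter's two identities."""
    return malicious_ == dropped + spoofed and received_ == legitimate + malicious_


def drop_share(s: RateSample) -> float:
    """Fraction of received traffic the Guard did not forward (0.0 if idle)."""
    rx = received(s)
    return malicious(s) / rx if rx else 0.0


def assess_window(window: List[RateSample]) -> Dict[str, object]:
    """Apply the chapter's Traffic Analysis and Problem Analysis rules.

    Zero rates are reported as a problem only when they hold across the whole
    window, because a single sweep can fall between traffic bursts. Returns a
    status plus the follow-up checks the chapter recommends.
    """
    if not window:
        raise ValueError("window must contain at least one sample")
    actions: List[str] = []
    if all(received(s) == 0 for s in window):
        # Received = 0: the Guard never sees the zone's traffic.
        return {"status": "DIVERSION_PROBLEM",
                "actions": ["check diversion and network configuration"]}
    if all(s.legitimate == 0 for s in window):
        # Received != 0 but Legitimate = 0 over time: legitimate traffic is
        # probably being dropped by a drop-action Dynamic filter (Figure 8-2).
        return {"status": "ALL_TRAFFIC_DROPPED",
                "actions": ["erase the drop-action Dynamic filter",
                            "deactivate the policy that produced it"]}
    latest = window[-1]
    if latest.dropped > 0:
        actions.append("verify no trusted source IP is blocked by a Dynamic filter")
    if drop_share(latest) > 0.5:   # assumed threshold for "too many flows dropped"
        actions.append("check whether a policy threshold is set too low")
    if received(latest) > latest.legitimate and latest.dynamic_filters > 0:
        status = "ATTACK_DETECTED"
    elif malicious(latest) > 0:
        status = "PROTECTION_ACTIVE"
    else:
        status = "DIVERSION_OK"
    return {"status": status, "actions": actions}


if __name__ == "__main__":
    # Constructed windows: a lab zone with no diversion, and a zone under attack.
    print(assess_window([RateSample(0, 0, 0, 0)] * 3)["status"])
    print(assess_window([RateSample(500, 300, 50, 1)]))
```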


Zone Protection Summary Report

The Guard provides a protection summary report for each zone to help in forming a clearer picture of the attacks detected on the zone. It summarizes the DDoS attacks on the zone during a user-defined period of time. The Guard records the relevant details during attacks and organizes the data under the report categories. The report details the total number and intensity of the attacks and provides a list of the attacks with a short summary of each. The reports are accompanied by a graphical presentation of the data.

To view the zone Detection Summary report:

From the Zone's main menu, select Diagnostics > Attack Reports.

The zone protection summary report consists of data fields and tables. These are grouped in three sections:

Protection Graph

Total Attack Statistics

Per Attack Summary

By default, the report is displayed for a period of the past month.

To change the report tables display settings:

1. Enter the required period of time (enter the Period from and to dates):

a. Click on the calendar icon (on the right side of each field).

b. Select a date.

2. Click Get Reports.

Protection Graph

The protection graph provides a graphical summary of the attacks during the user-defined period of time.

Figure 8-3 Zone Protection Summary Report - Protection Graph

The X-axis displays the time during which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you place your mouse cursor over any of the attack bars and hold it there for a few seconds, a small box (a ToolTip) appears displaying the average attack rate.

The bar also provides a link to the attack report.

To display the attack report:

Click on the attack bar.

Total Attack Statistics

The total attack statistics table (Figure 8-4) provides information on the number of attacks on the zone and the aggregated attack details during the user-defined period of time.

Figure 8-4 Zone Protection Summary Report—Total Attack Statistics

The following information is provided:

Attacks Mitigated—Indicates the number of attacks mitigated.

Attacks Duration—Indicates the aggregated duration of the mitigated attacks.

Max. Traffic Rate—Indicates the maximum amount of malicious traffic (measured in packets), destined to the zone, handled by the Guard.

Total Rx—Indicates the total amount of traffic (measured in packets), destined to the zone, handled by the Guard.

Total Blocked—Indicates the total amount of traffic (measured in packets), destined to the zone, that was dropped by the Guard.

Legitimate vs. Malicious Traffic—A pie chart that displays the percentage of Malicious traffic (displayed in red) and Legitimate traffic (displayed in blue) within the total amount of zone traffic.


Per Attack Summary

The Per Attack Summary provides a list of the DDoS attacks on the zone during the user-defined period of time.

Figure 8-5 Zone Protection Summary Report—Per Attack Summary

The table columns provide the following information on each attack:

#—Indicates the mitigated attack identification number (ID).

Start time—Indicates the mitigated attack date and time.

Duration—Indicates the mitigated attack duration in hours, minutes, and seconds.

Type—Indicates the mitigated attack type:

Client Attack—All non-spoofed traffic anomalies

Malformed Packets—All traffic anomalies identified as consisting of maliciously malformed packets

Spoofed—Traffic anomalies identified as a DDoS attack coming from a spoofed source

User Defined—All anomalies handled by the user filters. These could either function by default or be user configured

Zombie—Traffic anomalies identified as originated by zombies

Hybrid—An attack composed of several attacks with different characteristics

Traffic Anomaly—An anomaly that was detected for a short period of time and therefore did not require mitigation

Peak (pps)—Indicates the maximum attack rate measured in packets per second.

Received Pkts—Indicates the total number of packets, destined to the zone, that were handled by the Guard during the attack.

Legitimate vs. Malicious Traffic—A pie chart that displays the percentage of Malicious traffic (displayed in red) and Legitimate traffic (displayed in blue) within the total amount of traffic during the attack.


Each field in the table provides a link to the attack report.

Zone Attack Reports

The Guard provides an attack report for each zone to help in forming a clearer picture of an attacked zone. The attack report details an attack that begins at the production of the first dynamic filter and ends at protection termination (either by a user decision or by the action of the Protection-end Timeout parameter). The Guard records the relevant details during an attack and organizes the data under the report category columns. The report or reports produced are available for viewing. Attack reports are available not only on past attacks but also on the current attack (termed "Attack in progress").

To view the list of the zone attack reports:

From the Zone's main menu, select Diagnostics > Attack Reports.

To view the attack details, perform one of the following:

In the Protection Graph, click on the attack bar.

In the Per Attack Summary table, click on one of the fields of the required attack.

A shortcut to the current attack ("Attack in progress") details is also provided from the Zone's "home page".

To view the current attack details:

On the Zone's "home page", click Report.

The attack report consists of data fields and tables. These are grouped in three sections:

General Details

Attack Statistics

Dropped/Bounced Packets

Detected Anomalies

Mitigated Attacks

HTTP Detected Zombies

General Details

The general details section (Figure 8-6) provides information related to attack timing. It consists of information on the attack start time, the attack end time and the attack duration.

Figure 8-6 Attack Report—General Details


Note Counters that do not denote a rate are specified by an integer. The units are bits, kilo-bits, kilo-packets, mega-bits, or packets, according to the statistics units selected from the drop-down list.


To change the units by which the report is displayed:

1. Choose the units from the drop-down list.

2. Click Set units.

Attack Statistics

The attack statistics table (Figure 8-7) provides information on the following packet types:

Received—Traffic, destined to the zone, received by the Guard.

Forwarded—The clean and legitimate traffic forwarded to the zone.

Replied—Traffic sent to the client as part of the Guard's anti-spoofing and anti-zombie mechanisms.

Dropped—The total amount of packets, destined to the zone, dropped by the Guard.

Figure 8-7 Attack Report—Attack Statistics

The following information is provided on each packet type:

Total—Indicates the total number of packets of the specified category.

Max Rate—Indicates the maximum measured packet rate.

Average Rate—Indicates the average packet rate.

%—Indicates the percentage of the received packets that the packets of the specified category make up.


The traffic rate is displayed in the units selected from the drop-down list in the general details section.

Dropped/Bounced Packets

The Dropped/Bounced table (Figure 8-8) classifies packets that were identified as malicious traffic and therefore dropped or replied (bounced). The packets are categorized by the mechanism that identified them (the table rows). The table columns represent different quantification units.

Figure 8-8 Attack Report—Dropped/Bounced Packets

The table rows represent the following filters:

Rate limiter—Packets dropped by the rate limiter or by filters for which a rate limit was configured. The rate limiter limits the traffic rate to the zone (see the "Zone Management" section in "Zone Creation and Configuration," for further details).

Flex filter—Packets dropped by the Flex filter. The Flex filter is used to count or drop a specified packet flow (see the "Flex Filter Configuration" section in "Advanced Zone Procedures," for further details).

User filter—Packets dropped by the User filter. The User filter is used to direct a specified traffic flow to the desired Guard protection modules (see the "User Filter Configuration" section in "Advanced Zone Procedures," for further details).

Dynamic filter—Packets dropped by the Dynamic filter. Dynamic filters are created by the Guard as the result of the analysis of traffic flow (see the "Dynamic Filters" section in "Protecting Zones," for further details).

Spoofed—Packets that were identified by the Guard as Spoofed packets or packets originated by zombies and therefore not forwarded to the zone. Spoofed packets are Replied (bounced) packets to which no replies were received.

Malformed—Packets, destined to the zone, dropped because they were analyzed as malformed.

The following information is available on each packet quantification:

Total—Indicates the total number of dropped/bounced packets.

Max Rate—Indicates the maximum measured packet rate.

Average Rate—Indicates the average packet rate.

%—Indicates the percentage of the total dropped/bounced packets that the packets of the specified row make up.


The traffic is measured in the units selected by the drop-down list in the general details section.

Detected Anomalies

The Detected Anomalies table (Figure 8-9) details the traffic anomalies the Guard detected in the zone's traffic. The Guard classifies a flow as an anomaly when it requires the production of a Dynamic filter. These anomalies may be occasional or of the kind that turns into systematic DDoS attacks. The Guard clusters anomalies with identical type and flow parameters (such as source IP address, destination port) under one anomaly type.

Figure 8-9 Attack Report—Detected Anomalies

The following information is provided for each anomaly:

#—Indicates the detected anomaly identification number (ID).

Start time—Indicates the anomaly detection date and time.

Duration—Indicates the anomaly duration in hours, minutes, and seconds.

Type—Indicates the detected anomaly type:

Tcp_connections—A detected flow with an unusual number of concurrent TCP connections, with or without data.

HTTP—An unusual HTTP traffic flow.

Tcp incoming—A detected flow attacking a TCP service when the zone is a server.

Tcp outgoing—A detected attack flow in which the zone appears to be the client, such as SYN-ACK attacks on connections initiated by the zone.

Unauthenticated tcp—A detected flow that the Guard anti-spoofing mechanisms have not succeeded in authenticating, for example an ACK flood, a FIN flood or any other flood of unauthenticated packets.

DNS (Udp)—An attacking DNS-UDP protocol flow.

DNS (Tcp)—An attacking DNS-TCP protocol flow.

Udp—An attacking UDP protocol flow.

Non tcp/udp protocols—An attacking flow of a protocol other than TCP or UDP.

Fragments—A detected flow with an unusual quantity of fragmented traffic.

TCP ratio—A detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets versus FIN/RST packets).

IP scan—A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.

port scan—A detected flow initiated from a source IP address that tried to access many zone ports.

user detected—An anomaly flow detected by the user.

Triggering rate—Indicates the anomaly traffic rate that violated a policy threshold.

% Threshold—Indicates the percentage by which the triggering rate is above the policy threshold.

Anomaly Flow—Indicates the anomaly traffic flow. The parameters of the common flow characteristics are displayed, such as the anomaly protocol number, the destination IP address of the traffic flow and the flow packet types. If the anomaly flow is on a specified port, it is displayed as: dst=<ip address>:<port>

Details—Indicates whether additional information can be viewed for this filter. Click i for additional information.


A value of "*" for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the anomaly's parameter.

A value of "#" for any of the parameters indicates the number of values measured for that anomaly's parameter.

Detected Anomalies Details

The detected anomalies details table provides information on the dynamic filters, clustered according to the producing policy, that constitute the detected anomaly.

To display the detected anomalies details table:

From the details column in the detected anomalies table, click i.

The following information is provided:

Start time—Indicates the date and time the anomaly was detected.

End time—Indicates the expiration date and time of the Dynamic filter that was activated.

Rate (pps)—Indicates the rate measured in packets per second:

Thresh—Indicates the policy threshold that was violated by the detected anomaly.

Triggered—Indicates the anomaly traffic rate that violated a policy threshold.

Count—Indicates the number of packets that were handled by the Dynamic filter.

Detected flow—Provides information on the detected attack flow, the flow that caused the production of the Dynamic filter:

Prot.—Indicates the detected flow protocol number.

Src IP—Indicates the detected flow source IP.

Src Port—Indicates the detected flow source port.

Dst IP—Indicates the detected flow destination IP.

Dst Port—Indicates the detected flow destination port.

frag.—Indicates the fragmentation characteristics of the detected traffic flow.

Type—Indicates the detected anomaly type. Refer to the "Detected Anomalies" section in Chapter 11, "Attack Reports," in the Cisco Guard User Guide for further details.

Action flow—Provides information on the action flow, the flow that was addressed by the Dynamic filter. The action flow can be wider than the detected flow; for example, the detected flow may indicate a specific source port for a specific source IP whereas the action flow indicates all source ports for that source IP. The columns represent the dynamic filter traffic data:

Prot.—Indicates the action flow protocol number.

Src IP—Indicates the action flow source IP.

Src Port—Indicates the action flow source port.

Dst IP—Indicates the action flow destination IP.

Dst Port—Indicates the action flow destination port.

frag.—Indicates the fragmentation characteristics of the action flow.
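An added Python example, not from the Cisco Guard guide, that reproduces how Dynamic filter rows of the details table are clustered into Detected Anomalies rows and how the "*" and "#" notation described above is derived; the Mitigated Attacks table uses the same notation. The DynamicFilter fields, the grouping key (anomaly type, destination IP, protocol), the rendering of a wildcard destination port and the sample rows are assumptions made for the illustration.

```python
# Added example, not from the Cisco Guard guide: clustering constructed Dynamic
# filter rows into Detected Anomalies rows with "*" / "#" for multi-valued
# parameters. Record fields, grouping key and sample values are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DynamicFilter:
    """One row of the Detected Anomalies Details table (constructed)."""
    anomaly_type: str
    proto: int
    src_ip: str
    src_port: str      # "*" when the filter addresses all source ports
    dst_ip: str
    dst_port: str      # "*" when the filter addresses all destination ports
    count: int         # packets handled by this Dynamic filter


FLOW_FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")

# Constructed sample rows using documentation address ranges.
SAMPLE_FILTERS = [
    DynamicFilter("tcp incoming", 6, "198.51.100.7", "40001", "203.0.113.10", "80", 1200),
    DynamicFilter("tcp incoming", 6, "198.51.100.7", "40002", "203.0.113.10", "80", 800),
    DynamicFilter("tcp incoming", 6, "198.51.100.9", "*", "203.0.113.10", "80", 300),
    DynamicFilter("udp", 17, "192.0.2.55", "*", "203.0.113.10", "*", 5000),
]


def cluster_key(f: DynamicFilter) -> Tuple[str, str, int]:
    """Assumed clustering key: identical type, destination IP and protocol."""
    return (f.anomaly_type, f.dst_ip, f.proto)


def summarize(values: List[str]) -> Tuple[str, int]:
    """Collapse one column: the single value, or "*" plus the number of distinct values."""
    distinct = sorted(set(values))
    if len(distinct) == 1:
        return distinct[0], 1
    return "*", len(distinct)


def cluster_anomalies(filters: List[DynamicFilter]) -> List[Dict[str, object]]:
    """Build one Detected Anomalies row per cluster of Dynamic filters."""
    groups: Dict[Tuple[str, str, int], List[DynamicFilter]] = defaultdict(list)
    for f in filters:
        groups[cluster_key(f)].append(f)
    rows: List[Dict[str, object]] = []
    for members in groups.values():
        row: Dict[str, object] = {
            "type": members[0].anomaly_type,
            "filters": len(members),                 # Dynamic filters in the cluster
            "count": sum(m.count for m in members),  # packets handled in total
        }
        for field in FLOW_FIELDS:
            value, distinct = summarize([str(getattr(m, field)) for m in members])
            row[field] = value           # "*" when more than one value was measured
            row["#" + field] = distinct  # the "#" figure: values measured
        rows.append(row)
    return rows


def anomaly_flow(row: Dict[str, object]) -> str:
    """Render the Anomaly Flow column: 'dst=<ip>:<port>' when the port is specified."""
    if row["dst_port"] == "*":
        return "dst=%s" % row["dst_ip"]   # assumed rendering for a wildcard port
    return "dst=%s:%s" % (row["dst_ip"], row["dst_port"])


if __name__ == "__main__":
    for r in cluster_anomalies(SAMPLE_FILTERS):
        print(r["type"], anomaly_flow(r), "src=%s(#%d)" % (r["src_ip"], r["#src_ip"]))
```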


Mitigated Attacks

The Mitigated Attacks table (Figure 8-10) details the actions the Guard took against the traffic anomalies (described in the Detected Anomalies table) that proved to be a hazard for the zone. These actions could take the form of anti-spoofing or anti-zombie mechanisms, user filters with a drop action, rate limit, etc. The Guard clusters mitigation actions with identical types and flow parameters and displays them under the same mitigation action.

Figure 8-10 Attack Report—Mitigated Attacks

The following information is provided on each mitigated attack:

#—Indicates the mitigated attack identification number (ID).

Start time—Indicates the mitigated attack date and time.

Duration—Indicates the mitigated attack duration in hours, minutes, and seconds.

Attack Type—Indicates the mitigated attack type:

Spoofed—This type includes all traffic anomalies identified as a DDoS attack from a spoofed IP source.

Client Attack—This type includes all traffic anomalies determined as a DDoS attack from an unauthenticated IP source.

User Defined—This type includes DDoS attacks identified due to user filter definition. This includes all packets dropped due to user definitions, such as anomalies handled by the user filters (see the "Zone Filter Configuration" section in "Advanced Zone Procedures," for further details).

Zombie—This type includes all traffic anomalies identified as a DDoS attack originated by zombies.

Malformed Packets—This type includes all traffic anomalies determined as a DDoS attack consisting of maliciously malformed packets.

The protection module (basic or strong) is indicated in brackets.

For a comprehensive overview of the sub-types of each attack type, refer to Chapter 11, "Attack Reports," in the Cisco Guard User Guide.

Triggering rate—Indicates the mitigated attack traffic rate. The triggering rate applies only to client attacks and user defined attacks; it does not apply to spoofed or malformed attacks.

% Threshold—Indicates the mitigated attack rate as a percentage of the policy threshold.

Anomaly Flow—Indicates the traffic flow of the anomaly that was mitigated. The parameters of the common flow characteristics are displayed, such as the anomaly protocol number, the destination IP address of the traffic flow and the flow packet types.

Action flow—Indicates the traffic characteristics of the flow after the attack mitigation. The parameters of the common flow characteristics are displayed.

Dropped—Indicates the counter for traffic that was dropped during the attack mitigation.

Details—Indicates whether additional information can be viewed for this filter. Click i for additional information.


A value of "*" for any of the action flow or anomaly flow parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the anomaly's parameter.

A value of "#" for any of the action flow or anomaly flow parameters indicates the number of values measured for that mitigated attack's parameter.

Mitigated Attack Details

The mitigated attack details table provides information on the mechanisms that were used to mitigate the attack.

To display the mitigated attack details table:

From the details column in the mitigated attack table, click i.

The following information is provided:

Start time—Indicates the date and time the anomaly was detected.

End time—Indicates the expiration date and time of the Dynamic filter that was activated.

Rate (pps)—Indicates the rate measured in packets per second:

Thresh—Indicates the policy threshold that was violated by the detected anomaly.

Triggered—Indicates the anomaly traffic rate that violated a policy threshold.

Count—Indicates the number of packets that were handled by the Dynamic filter.

Detected flow—Provides information on the detected attack flow, the detected flow that was mitigated:

Prot.—Indicates the detected flow protocol number.

Src IP—Indicates the detected flow source IP.

Src Port—Indicates the detected flow source port.

Dst IP—Indicates the detected flow destination IP.

Dst Port—Indicates the detected flow destination port.

frag.—Indicates the fragmentation characteristics of the detected traffic flow.

Type—Indicates the detected anomaly type. Refer to the "Detected Anomalies" section in Chapter 11, "Attack Reports," in the Cisco Guard User Guide for further details.

Action flow—Provides information on the action flow, the flow that was addressed by the mitigation mechanism. The action flow can be wider than the detected flow; for example, the detected flow may indicate a specific destination port for a specific destination IP whereas the action flow indicates all destination ports for that destination IP. The columns represent the dynamic filter traffic data:

Prot.—Indicates the action flow protocol number.

Src IP—Indicates the action flow source IP.

Src Port—Indicates the action flow source port.

Dst IP—Indicates the action flow destination IP.

Dst Port—Indicates the action flow destination port.

frag.—Indicates the fragmentation characteristics of the action flow.


HTTP Detected Zombies

An indication of a detected HTTP zombie attack appears in the General Details section (see Figure 8-11).

Figure 8-11 HTTP detected zombies

To view the list of detected HTTP zombies:

Click i, or click Show HTTP detected zombies.

The HTTP zombie list is displayed.

See the "HTTP Zombies" section in this chapter for further details.

HTTP Zombies

The HTTP Zombies list (Figure 8-12) enables you to analyze the zone's traffic and view the list of zombies that initiated the attack. This provides the capability to take action against the zombies.

To view the list of HTTP Zombies:

From the Zone's main menu, select Diagnostics > HTTP Zombies.

Figure 8-12 HTTP Zombies list

The following information is provided on each Zombie:

IP—Indicates the zombie IP address.

Start Time—Indicates the date and time the zombie connection was initially identified.

Duration—Indicates the duration of the zombie attack.

"get" Requests—Indicates the number of HTTP GET requests sent by the zombie.


Zone Event Log

The zone event log (Figure 8-13) displays monitoring and troubleshooting information that relates to the zone.

To view the zone event log:

From the Zone's main menu select Diagnostics > Event log.

Figure 8-13 Zone Event Log

The event severity levels are:

Emergencies—System is unusable

Alerts—Immediate action required

Critical—Critical condition

Errors—Error condition

Warnings—Warning condition

Notifications—Normal but significant condition

Informational—Informational messages

Debugging—Debugging messages


To filter the events according to their severity level:

1. Select the check boxes next to the requested severity levels.

2. Click Filter Events.