ACL's act as a basic method of limiting access to the network. They constitute sequential lists of permit and deny conditions. The lists define the connections permitted to pass through a device, usually a router.
Analysis Module
This module is active during the Guard Protection mode of operation. When no DDoS attack signs are indicated the Guard directs the diverted Zone traffic to flow through this module. The analysis module lets the Zone traffic flow unobstructed. The module analyzes the flows, allowing the recognition module to sample them.
Anti-Spoofing
A security feature designed to prevent unauthorized access to a network through the technique known as IP spoofing. See IP spoofing.
ARP Redirect Attack
An attack on a local subnet using the ARP protocol.
B
Bandwidth Saturation Flood
A flood of simple HTTP requests for static content targeted towards Web servers; stresses routers, firewalls, IDS, and load balancers. A failure in any of these nodes constitutes network's susceptibility.
basic/default
A User filter used when the user is not sure which action is to be chosen. The basic/default examines the flow and determines which action is to be taken. This User filter is used for UDP traffic.
basic/dns-proxy
A User filter used for authentication of TCP DNS applications.
basic/redirect
A User filter used for authentication of applications over http.
basic/reset
A User filter used for authentication of application over TCP, excluding http.
Basic Module
This module is active during the Guard Protection mode of operation. This module utilizes the Guard initial Challenge-and-Response based anti-spoofing mechanisms. The Guard directs the traffic to the Strong protection module either in the case of an escalation or in certain cases which require the Strong anti-spoofing mechanisms to handle the suspected traffic flows.
block- unauthenticated
A policy action that directs traffic to an anti-spoofing mechanism that deals with unauthenticated traffic.
block-unauthenticated-basic
A Dynamic filter action that drops unauthenticated traffic flow that has not been authenticated by the Basic anti-spoofing mechanisms.
block-unauthenticated-strong
A Dynamic filter action that drops unauthenticated traffic flow that has not been authenticated by the Strong anti-spoofing mechanisms.
block-unauthenticated-dns
A Dynamic filter action that drops unauthenticated traffic flows, flowing to DNS servers, that have not been authenticated by the DNS anti-spoofing mechanisms.
Burst/Burst-Size
The highest traffic peak (burst size rate) allowed to pass to the Zone. The burst-size units are: Kpps—Kilo packets per second; pps—Packets per second; Kbps—Kilo bits per second; Mbps—Mega Bits per second, and bps—Bits per second.
Bypass filter
A filter designed to enable the user to direct desired traffic flows to bypass the Guard protection mechanisms. Thus, the user can better adopt the Guard to its protection policy.
C
Client attack
Attacks from legitimate sources, which open half connections causing a server to exhaust.
Combination attack
Multi-platform DoS attack, which integrates BONK, JOLT, LAND, Nestea, Netear, SynDrop, and Winnuke—all into one attack. It is targeted at any/all network nodes (such as routers, firewalls, web servers, IDS systems).
Command Line Interface (CLI)
A prompt line interface from which the user performs its operations.
Comparator
A Guard module that compares between the input from the Guard Dynamic filters and the input from the Guard User filters. The Comparator then picks and executes the more severe protection means.
D
DDoS
See Distributed Denial of Service.
Denial of Service Attack (DoS)
Forms of computer network communication sabotage via exploitation of computer communication protocols. The purpose of the attack is overwhelming the target with spurious data in order to prevent legitimate connection attempts from succeeding. DoS attacks do not reveal sensitive data to the attacker in contrast to attacks whose purpose is to penetrate the target system. In these kinds of attacks, the skillful attacker tries to choke down networks and servers in vital network junctions. A successful attack may cause considerable revenue and resources loss. Examples of DoS attacks are SYN Flood, Tribal Flood Network (TFN), and ping of death.
Distributed Denial of Service (DDoS) Attack
A Denial of Service attack against a site or server launched from multiple sources. This is sometimes carried out by concealed exploiting servers to function as agents for transmitting the attacks. In many cases, the attacker will place client software on a number of unsuspecting remote computers and then use these computers to launch the attack. A Distributed Denial of Service attack is more effective than a simple Denial of Service attack, as the volume of traffic is considerably higher, and is more difficult to prevent. Examples of DDoS attacks are Syn flood, Smurf attack and Targa attack.
Divert-from Router
A router from which the Guard diverts the traffic destined to a Zone.
Diversion
To protect the target host (Zone) using the Cisco Guard, traffic destined to the host must be diverted to the Cisco Guard. This step includes traffic forwarding methods configuration per Zone's IP address. Zone diversion configuration is configured by the Guard routing configuration.
dns_tcp
A policy template that produces a group of policies related to DNS-TCP protocol traffic.
dns_udp
A policy template that produces a group of policies related to DNS-UDP protocol traffic.
DNS Attack
Flood of DNS requests causing a DNS server to saturate.
Drop Module
This module is active during the Guard Protection mode of operation. When all other protection mechanisms are insufficient or when user-configured filters direct the diverted Zone traffic to the Drop protection module. This module drops the malicious Zone traffic directed by the Flex, User, and Dynamic filters.
Dynamic filter
Dynamic filters are created by the Guard as the result of analysis of traffic flow. They are used to filter out DDoS attacks. This set of filters is continuously adapted to the Zone traffic and the type of the DDoS attack.
F
404 File Not Found Flood
Flood of valid HTTP requests for invalid content or files targeted directly at Web servers; used to validate both security policy and quantify effect on an end user.
filter/drop
An action (configured for a policy or a dynamic filter) that directs traffic to the Drop protection module to be dropped.
filter/strong
An action (configured for a policy or a dynamic filter) that directs traffic to the Strong protection module mechanisms.
Filters
The filters are the mechanism that directs the diverted traffic to the required protection modules. The Guard enables the user to set its preferred filter configurations and thus design a variety of possibilities for customized traffic direction and anti-DDoS attack mechanisms.
FIN Flood
Flood of connection resets from an invalid source to a targeted node; consumes network resources of an intended target. A FIN flood is also used to validate correct firewall/router policies.
Flex filter
The Flex filter is a Berkley Packet filter that facilitates the user with extremely flexible filtering capabilities such as filtering according to fields in the IP and TCP headers and filtering according to content bytes. It enables to use complex Boolean expressions. The Flex filter is used to count a specified packet flow.
Fraggle Attack
Sends UDP requests to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast request respond to the request and flood the target's network. It is similar to the Smurf attack, but rather than ICMP uses UDP to broadcast address for amplification.
fragments
A policy template that produces a group of policies related to fragmented traffic.
Fragmentation Attack
See IP Fragmentation Attack.
G
Guard
A system designed to protect network elements against DDoS attacks.
Guard event log
A log file containing the Guard activities, current events, performed actions and the protective measures it undertook.
Guard User community (privilege domain)
The Guard enables access domains to several groups of users (Show, Dynamic, Configuration, and Administrator). These are classified by their authority and hence their ability to perform a scope of operations. The highest and utmost privileged is the Administrator and the least privileged is the Show user level.
GUI
Graphical user interface.
H
http
A policy template that produces a group of policies related to HTTP traffic flowing (by default) through port 80 (or other user-configured ports).
HTTP Connection Flood
Flood of HTTP half-requests targeted at the Web server connection resources. Also used to validate correct firewall policies (that is, limit connections per source). A Web server or OS network-level failure, also seen as connection failures on a client-side, constitutes network's susceptibility.
https
(Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a Web protocol, developed by Netscape, built into browsers, that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is the use of Secure Socket Layer (SSL) as a sub-layer under its regular HTTP application layering. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.)
I
ICMP Redirect Attack
ICMP redirects can cause data overload to the system being targeted.
ICMP Unreachable Attack
The attacker sends ICMP unreachable packets from a spoofed address to a host. This causes all legitimate TCP connections on the host to the spoofed address to be torn down. This causes the TCP session to retry and as more ICMP unreachables are sent, a DoS condition occurs.
Inject-to router
A router to which the Guard forwards the clean traffic destined to a Zone.
Interactive
A Zone detection mode in which the user will activate the dynamic filters in an interactive manner. The Dynamic filters that the policies recommend will appear as recommendations, and the user will specify the action to be taken for each filter.
ip_scan
A policy template that produces a group of policies relating to IP scanning (A situation in which a source IP tries to access many destination IPs on the Zone). See IP scanning.
IP Fragmentation Attack
Flood of valid but heavily fragmented HTTP requests targeted at a Web server; stresses IDS. Used to quantify resilience and scalability of IDS systems.
IP Scanning
The act of sending systematic queries to hosts in a network in attempt to find hosts (IP addresses) through which an attacker can pass traffic. IP scanning is often used to find vulnerable targets for attack on the Internet.
IP Traffic Diversion
A process consisting of transparently diverting the traffic of one or more Zones to the Guard, and returning the legitimate, cleaned traffic from the Guard to the original data path and on to the Zone. Traffic diversion is also performed for learning purposes.
IRDP Attack
ICMP Router Discovery Protocol can be spoofed and cause fake routing entries to be entered into a Windows machine. IRDP has no authentication. Upon startup, a system running MS Windows95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed.
L
Land Attack
The sent packets have the same Source and destination IP addresses causing a response to loop.
Looping UDP Ports Attack
The attack uses two UDP services. Chargen (port 19) and echo (port 7), that can be spoofed into sending data to each other.
M
Maximum Transfer Unit (MTU)
The largest frame size that can be transmitted over the network. Messages longer than the MTU must be divided into smaller frames.
N
Network Time Protocol (NTP)
A protocol for synchronizing the Guard with a Time Synchronization Server.
notify
A policy action that notifies the user of a policy threshold violation.
O
On-Demand Protection
This protection is activated in a situation when the Zone is attacked while the Guard hasn't completed its Learning phases. As a result, the Guard hasn't adopted its protection policies to the Zone traffic requirements.
Open/close Attack
The open/close attack opens and closes connections at a high rate to any port serviced by an external service through inetd. The number of connections allowed is hard-coded inside inetd.
other_protocols
A policy template that produces a group of policies relating to non TCP or UDP protocols.
P
Pending Dynamic filters
The pending dynamic are dynamic filters the user has not yet defined the action for (accept or ignore). Pending Dynamic filters are created only if the Zone is in interactive detection mode. A group of pending Dynamic filters constitute a recommendation. See Recommendations.
Ping Flood
Flood of ICMP echo requests; stresses routers, firewalls, load balancers, and Web servers. Poor end-user response time or failure to connect constitutes susceptibility.
Ping of death
ICMP packets greater than 65536. A ping of death attack can bring down a system.
Policy Construction Phase
In this phase the Guard, based on the Zone traffic characteristics, produces the protection policies with the aid of the Policy Templates. This phase consists of traffic flowing transparently through the Guard, enabling it to discover which services are used by the Zone.
Policy Operational Parameters
This is a set of parameters that relate to the policy operations. This set consists of the following: Threshold, Proxy-threshold, Timeout, and Action.
Policy Templates
The policy templates are a collection of policy constructing guiding rules and the output of each template after concluding the Policy Construction phase is a group of policies. The Policy Templates user-configured parameters are the Minimum Threshold and Maximum Services.
port_scan
A policy template that produces a group of policies relating to port scanning (A situation in which a source IP tries to access many ports on the Zone). See Port scanning.
Port Scanning
The act of sending systematic queries to hosts in an attempt to find open ports through which an attacker can pass traffic. Port scanning is often used to find vulnerable targets for attack on the Internet.
Protection Policy
The Guard policies are the mechanisms that measure a particular traffic flow and take an action against the flow as a result of a threshold violation. A policy may, for example, direct the guard to produce a Dynamic filter that would direct a specific traffic to the Strong anti-spoofing mechanisms upon violating a certain threshold.
Protection-end Timer
This parameter determines the timeout period after which if there are no filters in use and no new filter is added, the Guard will terminate the protection.
R
Rate-Limiter
A Guard module that rate-limits Zone traffic. The Guard Rate-limiter does not consider the bypassed traffic bandwidth.
Recognition Module
The Guard's module that receives input from a sampling unit and analyses the Zone traffic. Based on its recommendations, the Guard constructs its protection measures.
Recommendations
Recommendations are a mechanism that enables the user to decide on the activation of the filters the policies launch. They are created when a Zone is configured in interactive mode. The recommendations are a summary of the pending dynamic filters aggregated according to the policies that produced them.
S
Sampler
A Guard module that samples all traffic for the Guard Recognition module to configure protection measures.
Secured Shell (SSH) Management
The user may access the Guard via Secured Shell (SSH) to enable controlling the Guard from any network.
Smurf Flood
ICMP (Internet Control Message Protocol) ping requests to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast ping request respond to the request and flood the target's network.
Snapshots
A Guard mechanism used to verify the learning process outcome.
Spoofed attack
A DDoS attack technique that inserts a false sender IP address into an Internet transmission in order to gain unauthorized access to a computer system. To the computer system the request will seem as though it came from a trusted source, although the packet cannot be routed back to the initial source. IP spoofing presents potential for unnecessary network congestion and possible denial of service.
Strong Module
This module is active during the Guard Protection mode of operation. When a DDoS attack strengthens and the Guard analyses the current anti-spoofing mechanisms to be insufficient, it directs the diverted Zone traffic to the Strong protection module. This module has more severe anti-spoofing mechanisms. In case of further escalation, the Guard operates the Drop protection module.
strong
A User filter used when strong authentication for a traffic flow is required. Authentication is performed for every connection. The Guard serves as a proxy, therefore, this filter is not to be used if the network is moderated according to IP addresses (such as using access lists).
SYN Flood
Flood of connection requests from an invalid source to a targeted node; consumes network resources of an intended target. Used also to validate correct firewall/router policies.
T
Targa Attack
Floods of invalid ICMP-, UDP- and TCP- packets.
tcp_connections
A policy template that produces a group of policies related to TCP connection characteristics.
TCP_NO_PROXY policy templates
A template designed for a Zone for which no TCP proxy is to be used. This template may be used if the Zone is moderated according to IP addresses such as an Internet Relay Chat (IRC) server-type Zone.
tcp_not_auth
A policy template that produces a group of policies related to TCP connections that haven't been authenticated by the Guard's anti-spoofing mechanisms.
tcp_outgoing
This policy template produces sets of policies related to TCP connections initiated by the Zone.
tcp_ratio
This policy template produces sets of policies related to ratios between different types of TCP packets (e.g. SYN packets versus FIN/RST packets).
tcp_services
A policy template that produces a group of policies related to TCP services on ports other than HTTP-related (such as ports 80, 8080, etc.).
tcp_services_ns
A policy template that produces a group of policies related to TCP services. By defaults the policy relates to IRC ports (666X), ssh and telnet. When the threshold is violated, the traffic is blocked.
TCP flood
When TCP communicates, each TCP allocates some resources to each connection. By repeatedly establishing a TCP connection and then abandoning it, a malicious host can tie up significant resources on a server.
TCP Segmentation
Flood of heavily segmented TCP packets targeted at a Web server or application server. This attack stresses both IDS and the target machine's TCP stack.
Teardrop Attack
Sends overlapping IP fragments.
Threshold Tuning Phase
This is the stage in which the Guard further analyses the Zone traffic and defines threshold for the policies constructed in the Policy Construction phase. In this phase, the policies are tuned to fit the Zone services traffic rates.
to-user-filters
An action (configured for a policy or a dynamic filter) that directs traffic to the user filters.
Traffic Diversion
The Guard operates diversion techniques to direct the Zone traffic to pass through its protection mechanisms for traffic learning and malicious traffic filtering. The traffic would then be injected back to continue its path to the Zone.
U
UDP Flood Attack
Flood of large numbers of raw UDP (User Datagram Protocol) packets targeted at routers, firewalls, load balancers, and IDS systems. The attack ties up network resources.
udp_services
A template that produces a group of policies related to UDP services.
UDP Reflectors Attack
All Web servers, DNS servers, and routers are reflectors, since they will return SYN acks or RSTs in response to SYN or other TCP packets; query replies in response to query requests; or ICMP Time Exceeded or Host Unreachable in response to particular IP packets. By spoofing IP addresses from slaves—a massive DDoS attack can be carried out.
URL attacks
URL attacks attempt to overload an http server via various methods: http bombing; continuous requests for the same homepage or large web page; requesting the page with REFRESH so as to bypass any proxy server. Many of these attacks are not zombie attacks but rather human executed, by hundreds simultaneously.
User filter
A user-customized filter that enables the user to set guiding rules to handle desired traffic flows when an attack is suspected. The user can configure its preferred anti-spoofing mechanisms or decide to drop a specified traffic flow.
V
VPN attacks
Using specially crafted GRE or IPIP packets to attack the destination address of a VPN.
W
WBM
See Web Based Management.
Web Based Management
A GUI over HTTP Guard interface that enables the user to manage the Guard protection and Zones (excluding Guard configuration procedures) via the web using a browser.
Z
Zombie
A device that acts as an unaware participant in a distributed Denial of Service (DDoS) attack.
Zombie attack
A zombie attack is a type of attack that uses unaware participant machines to launch a DDoS attack. The attacker first spreads a Trojan to unsuspecting users, that are not the final target, and may later instruct this Trojan to perform "legitimate" connections to the Zone.
Zone
The Guard-protected network element. Also, a Guard file with all data relating to the protected Zone (configurations, policies, filters, etc).
Zone Bandwidth
The amount of traffic bandwidth the Guard allows to pass to the Zone. The Zone bandwidth is configured from the Burst size and Rate-limit.
