-
Cisco Guard Configuration Guide (Software Version 3.1(0))
-
Index
-
Preface
-
Introduction
-
Initializing the Guard
-
Configuring the Guard
-
Zone Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Interactive Recommendations Mode
-
Attack Reports
-
Guard Diagnostics and Maintenance
-
Analyzing Guard Mitigation
-
Diversion Configuration
-
Diversion Troubleshooting
-
Glossary
-
Table Of Contents
Flex Filter Configuration Examples
Configuring Zone Filters
This chapter describes how to configure Guard filter system and how you can adapt these filters to the Guard policies.
This chapter includes the following sections:
Overview
The zone's filters are the mechanism that directs the diverted traffic to the relevant protection modules. The Guard enables you to set filter configurations to design a variety of possibilities for customized traffic direction and anti-DDoS attack mechanisms.
Changes in the zone's filter configuration take effect immediately.
Figure 6-1 displays the Guard filter system.
Figure 6-1 Guard FIlter System
Once protection is activated, either by a user action or by a remote network-sensing DDoS element such as the Cisco Traffic Anomaly Detector, the Guard diverts the zone traffic. If abnormal or malicious traffic is not identified, traffic flows directly to the Analysis module, which analyses the zone traffic. You can configure the Guard to count or drop a specific flow by using the Flex filter. You can configure specific flows to bypass the Guard protection mechanism by using the Bypass filter.
A sample of the traffic flows to the Recognition module. The Guard passes the traffic to the Rate Limiter which drops traffic that exceeds the defined rate. The cleaned traffic is injected back to the zone.
The Recognition module leads a closed-loop feedback cycle to adjust the Guard protection measures to the dynamically changing zone traffic characteristics. The Guard adopts the proper protection strategies to answer the changing DDoS attack types and traffic flows.
The Recognition module consists of policies that constantly measure the traffic flows. The policies take action against a particular traffic flow if they identify the flow as malicious or abnormal. This occurs when the flow violates the policy threshold. The actions can range from merely issuing a notification, to creating new filters (Dynamic filters).
As a result, the Guard changes the flow of traffic within the Guard. The traffic flows into the comparator, as indicated by the broken line. The Comparator receives input from the following filters:
•
Dynamic filters—The Dynamic filters initially direct the Guard to follow the User filter protection guidelines. It continuously adapts this set of filters to the zone traffic and the type of the DDoS attack.
•
You can add both Dynamic filters and User filters during an attack.
The Comparator chooses the most severe protection measure suggested and directs the traffic to the relevant protection module to authenticate the traffic.
Dynamic filters have a limited life span and are erased after the attack has terminated. By default, the Guard will remain in protect mode until you deactivate it. You can set the Guard to deactivate protection if no Dynamic filters are in use and no new Dynamic filter has been added over a predefined period of time. See the "Defining Protection Termination" section for further details.
You can define your own protection preferences and configure the following filters:
•
•
•
Filter Traffic Flows
You must configure the flow the filters processes. Table 6-1 describes the filter's flow arguments.
See the "Configuring Bypass Filters", "Configuring User Filters" and "Configuring Dynamic Filters" sections for further details.
Table 6-2 describes fields of the filter show commands.
See the "Viewing the Bypass Filters", "Viewing the User Filters" and "Viewing Dynamic Filters" for further details.
The source IP address, source address mask, protocol number, and destination port may be non-specific. An asterisk (*) indicates that the filter acts on all field values, or that more than one value was matched for the filter.
Configuring the Flex Filter
A Flex filter is a Berkley Packet filter with very selective filtering capabilities. Use the Flex filter to drop, or count, a desired packet flow and to identify a specific malicious source of traffic. This filter has many parameters and is very flexible and enables you to define a specific traffic flow. However, you can only configure a single flex filter and it is resource consuming. We recommend that you use Flex filters cautiously as it might effect performance.
For a detailed explanation on the Berkley Packet filter configuration options see: http://www.freesoft.org/CIE/Topics/56.htm.
To configure the Flex filter, enter the following:
flex-filter {drop|count} parameters
To delete the Flex filter use the no form of the command.
The arguments and keywords are as follows:
•
•
•
See the "Flex Filter Configuration Examples" section for configuration examples.
Table 6-3 describes the optional Flex filter parameters.
Table 6-3 Optional Flex Filter Parameters
dst host host_ip_address
Traffic to a destination host IP address
src host host_ip_address
Traffic from a source host IP address
host host_ip_ address
Traffic to and from both source and destination host IP addresses
net net mask mask
Traffic to a specific network
net net/len
Traffic to a specific subnet
dst port destination_port_number
TCP or UDP traffic to a destination port number
src port source_port_number
TCP or UDP traffic from a source port number
port port_number
TCP or UDP traffic to and from both source and destination port numbers
less packet_length
greater packet_length
Packets with a length equal to or greater than the specific length in bytes
ip proto protocol
Packets with a protocol number of the following protocols: ICMP, UDP, and TCP.
ip broadcast
Broadcast IP packets
ip multicast
Multicast packets
ether proto protocol
Ether protocol packets of a specific protocol number or name such as IP, ARP or RARP.
expr relop expr
Traffic that complies with the specific expression. See Table 6-4 for further details.
Table 6-4 describes the Flex filter expression rules.
You can combine primitives using the following methods:
•
•
•
•
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Explicit and tokens, not juxtaposition, are required for concatenation. If you specify an identifier without a keyword, the most recent keyword is used.
Flex Filter Configuration Examples
The following example shows how to count only unfragmented datagram and fragment zero of fragmented datagrams. This filter is implicitly applied to the TCP and Udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment:
admin@GUARD-conf-zone-scannet# flex-filter count ip[6:2]&0x1fff=0The following example shows how to drop all TCP RST packets:
admin@GUARD-conf-zone-scannet# flex-filter drop tcp [13] & 4 != 0The following example shows how to count all ICMP packets that are not echo requests/echo reply (ping):
admin@GUARD-conf-zone-scannet# flex-filter count icmp[0] != 8 and icmp[0] != 0The following example shows how to count all TCP packets destined to port 80 that did not originate from port 1000:
admin@GUARD-conf-zone-scannet# flex-filter count tcp and dst port 80 and not src port 1000Viewing the Flex Filter
The Flex filter is part of the zone configuration. To view the Flex filter, use the show command or the show running-config command.
For example:
admin@GUARD-conf-zone-scannet# show...FLEX-FILTER: tcp and dst port 80 and not src port 1000FLEX-FILTER ACTION: countFLEX-FILTER COUNTER: 200...The Flex filter counter displays the number of packets that were handled by the filter.
Configuring Bypass Filters
The Bypass filter is a filter designed to support protection policy decisions that you think should not involve the Guard's protection mechanisms. Use bypass filters to prevent the Guard's Dynamic filters, protection modules, and Rate-limiter from handling specific traffic flows. For example, you may decide to allow a trusted traffic flow to bypass the Guard's protection modules, including the anti-spoofing and anti-zombie mechanisms. Using the Bypass filter, you can direct trusted traffic away from the Guard's protection mechanisms and forward it directly to the zone.
Note
To configure a Bypass filter, enter the following.
bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]
Table 6-5 provides the arguments and keywords for the bypass-filter command.
Table 6-5 Arguments for the bypass-filter Command
Assign a unique number from 1 to 9999. The row-number identifies the filter and defines priority among the Bypass filters. The Guard operates the filters according to ascending row-number order.
See Table 6-1 for further details on src-ip, ip-mask, protocol, dest-port and fragments-type.
Note
Viewing the Bypass Filters
To view the Bypass filters, enter the following:
show bypass-filters
Table 6-6 describes the fields in the show bypass-filters command output.
Table 6-6 Field Descriptions for the show bypass-filters Command
Specifies the Bypass filter priority
See Table 6-2 for further details on Source IP, Source Mask, Proto, DPort, and Frg.
Specifies the current traffic rate, measured for this filter, in packets per second (pps).
Deleting Bypass Filters
To delete a Bypass filter perform the following steps:
Step 1
Step 2
no bypass-filter row-numThe argument row-num specifies the Bypass filter's row number. Enter * to delete all Bypass filters.
For example:
admin@GUARD-conf-zone-scannet# no bypass-filter 10
Configuring User Filters
The User filters are part of the zone configuration and define how to handle traffic flows suspected as DDoS attacks. The User filters offer the ability to customize the Guard protection. They enable you to set guiding rules to handle desired traffic flows when an attack is suspected and to direct a specified traffic flow to the relevant protection module, to a Guard anti-spoofing or anti-zombie mechanism, or to be dropped.
Table 6-7 describes the actions a User filter can take.
Zone configuration includes a default set of User filters that enable on-demand protection. The Guard continuously analyses traffic destined to the protected zone. It initializes its protection cycle once suspected traffic is identified, and uses the User filters to filter the suspected traffic.
The User filters are activated in ascending row-number order. Therefore, it is important, when adding a new User filter, to place it in the correct location in the list.
To configure a User filter, perform the following steps:
Step 1
Step 2
user-filter renumber [start [step]]Table 6-8 provides the arguments for the user-filter renumber command.
Step 3
user-filter row-num filter-action src-ip [ip-mask] protocol dest-port [fragments-type] [rate-limit rate burst units]Table 6-9 provides the arguments for the user-filter command.
Table 6-9 Arguments and Keywords for the user-filter Command
Assign a unique number from 1 to 9999. The row-number identifies the filter and defines priority among the User filters. The Guard operates the filters according to ascending row-number order.
Denotes the action the filter performs on the specific traffic type. See Table 6-6 for further details.
See Table 6-1 for further details on src-ip, ip-mask, protocol, dest-port and fragments-type.
An integer greater than 64 that specifies the rate limitation. The User filter limits the traffic to a specified rate. The units are specified by the units parameter. The default is not to limit the filter traffic rate. The rate limit can be up to ten times greater than the burst limit.
An integer greater than 64 that specifies the traffic burst limit. The units are bits, kilo-bits, kilo-packets, mega-bits, and packets in correspondence to the rate units. The burst limit can be up to eight times greater than the rate limit.
Specifies the rate limit units. The units can be:
•
•
•
•
•
The following example shows how to renumber the User filters starting from 10 in steps of 5 and how to add a User filter in row number 12, aimed at traffic coming from all source IP addresses of protocol 6 (TCP) flowing to destination port 25 (SMTP). The filter permits their flow but limits their flow rate to 600 packets per second (pps) and their burst size to 400 packets.
admin@GUARD-conf-zone-scannet# user-filter renumber 10 5admin@GUARD-conf-zone-scannet# user-filter 12 permit * 6 25 rate-limit 600 400 ppsViewing the User Filters
The User filters are part of the zone configuration. To view the User filters, use the show command or the show running-config command at the zone prompt.
Table 6-10 describes the User filter fields in the show command output
Table 6-10 Field Descriptions for User Filter fields in the show Command
Specifies the User filter priority
See Table 6-2 for further details on Source IP, Source Mask, Proto, DPort, and Frg.
Specifies the current traffic rate, measured for this filter, in packets per second (pps).
Specifies the action the filter performs on the specific traffic type. See Table 6-6 for further details.
Specifies the limit on the traffic rate the User filter can handle. The rate is displayed in the units specified by the Units field.
Specifies the traffic burst limit that the filter allows for the specific flow. The units are bits, kilo-bits, kilo-packets, mega-bits, and packets in correspondence to the units specified in the Units field.
Specifies the units by which the rate and the burst rate are displayed.
Deleting a User Filter
To delete a User filter perform the following steps:
Step 1
Step 2
no user-filter row-numThe argument row-num specifies the User filter's row number. Enter * to delete all User filters.
For example:
admin@GUARD-conf-zone-scannet# no user-filter *
Caution
Configuring Dynamic Filters
The Guard analyses the diverted zone traffic in search of traffic anomalies. It identifies an anomaly when the flow violates the policy threshold. When it detects a policy threshold violation, the Guard analyses results and creates a set of filters that continuously adapt to the zone traffic and type of DDoS attack. This filter set consists of the Dynamic filters.
The Guard creates an initial Dynamic filter that directs the traffic to the User filters until it finishes analyzing the flow and creating additional Dynamic filters to handle the anomaly. The Dynamic filters and the User filters are fed into the Comparator. The Comparator chooses the most severe protection measure suggested and directs the traffic to the relevant protection module to authenticate the traffic. See the "Overview" section for further details.
You can access the Dynamic filters and configure them to suit your own needs.
Table 6-11 describes the different actions Dynamic filters can take.
Once the Dynamic filter timeout expires, the Guard determines whether to deactivate the Dynamic filter. If the Guard decides not to deactivate the Dynamic filter, the filter's activation timeout resumes for another time span. See the "Deactivating Dynamic Filters" section for further details.
You can add or remove Dynamic filters and configure them to your needs.
To add a Dynamic filter, enter the following:
dynamic-filter action {exp-time|forever} src-ip [ip-mask] protocol dest-port [fragments-type]
Table 6-12 provides the arguments for the dynamic-filter command.
Table 6-12 Arguments and Keywords for the dynamic-filter Command
The action the filter performs on a specific traffic flow. See Table 6-10 for further details.
An integer from 1 to 3,000,000 that specifies the time, in seconds, for the filter to be active.
The filter will be active for an unlimited time. The filter will be removed when protection ends.
See Table 6-1 for further details on src-ip, ip-mask, protocol, dest-port and fragments-type.
Dynamic filters can be added only to a zone that is already protected. The Guard removes a zone's dynamic filters when the zone's protection ends.
For example:
admin@GUARD-conf-zone-scannet# dynamic-filter to-user-filters 600 192.128.30.45 255.255.255.252 6 88 no-fragmentsViewing Dynamic Filters
Use the show dynamic-filters command to view the Dynamic filters the Guard produced. This command provides the following options:
•
•
•
Note
Table 6-13 provides the arguments for the show dynamic-filters command.
Note
For example:
admin@GUARD-conf-zone-scannet# show dynamic-filters 876 details
Table 6-14 Field Descriptions for show dynamic-filters
CommandSpecifies the filter identification number.
Specifies the action the filter performs on the traffic flow. See Table 6-10 for further details.
Specifies the amount of time the filter will be active. After the time expires, the filter might be deleted according to the thresholds defined using the filter-termination command.
See Table 6-2 for further details on Source IP, Source Mask, Proto, DPort, and Frg.
Specifies the current traffic rate, measured for this filter, in packets per second (pps).
Table 6-14 describes the fields in the show dynamic-filters command output
Table 6-15 describes the fields in the show dynamic-filters details command output.
Table 6-15 Field Descriptions for show dynamic-filters details Command
Specifies the mitigated attack flow characteristics. The mitigated attack flow, displayed in the Dynamic Filters table, could have a wider range than the attack flow. For example, a non-spoofed attack on port 80 will block all TCP traffic from the originating source IP address and not only port 80. See Table 6-2 for further details on the flow fields.
Specifies the rate of the attack flow that violated a policy threshold.
Specifies the policy threshold that was violated by the attack flow.
Specifies the policy that produced the specific Dynamic filter. See "Configuring Policy Templates and Policies" for further details.
Deleting a Dynamic Filter
You can delete Dynamic filters. However, this is only effective for a limited period of time since when the Guard is in protect mode, it continues to configure new Dynamic filters to adapt its protection to the dynamically changing traffic state.
To delete a Dynamic filter perform the following steps:
Step 1
Step 2
no dynamic-filter dynamic-filter-idThe argument dynamic-filter-id specifies the Dynamic filter's ID. Enter * to delete all Dynamic filters.
For example:
admin@GUARD-conf-zone-scannet# no dynamic-filter 876
Note
•
•
Deactivating Dynamic Filters
Once the Dynamic filter timeout expires, the Guard determines whether to deactivate the Dynamic filter. If the Guard decides not to deactivate the Dynamic filter, the filter's activation timeout resumes for another time span. The dynamic filters will be inactivated if one of the following applies:
•
•
–
–
Note
To configure the zone malicious traffic threshold, enter the following:
filter-termination zone-malicious-rate threshold
The argument threshold specifies the zone malicious traffic threshold in packets per second units. This traffic consists of the sum of the spoofed and the dropped traffic. The default value is 50 pps.
To configure the dynamic filter termination threshold, enter the following:
filter-termination filter-rate threshold
The argument threshold specifies the Dynamic filter traffic threshold in packets per second units. The default value is 2 pps.
For example:
admin@GUARD-conf-zone-scannet# filter-termination zone-malicious-rate 200
admin@GUARD-conf-zone-scannet# filter-termination filter-rate 50
