Table Of Contents
Protecting Zones
Overview
Protecting the Zone
Activating Protection
On-Demand Protection
Deactivating Protection
Verifying Zone Protection
Dynamic Filters
Terminating Dynamic Filters
Dynamic Filter Details
Configuring Dynamic Filters
Deleting a Dynamic Filter
Adding a Dynamic Filter
Interactive Recommendations Mode
Activating the Interactive Recommendations Mode
Viewing New Recommendations
Deciding on Recommendations
Pending Dynamic Filters
Protecting Zones
This chapter describes how to use the Web-Based Management (WBM) to protect zones on the Cisco Guard.
You must first configure the Guard and the zone before you can start protecting the zones.
This chapter includes the following sections:
• Overview
• Protecting the Zone
• Dynamic Filters
• Interactive Recommendations Mode
Overview
Before activating protection for a zone, we recommend that you let the Guard study the zone's traffic patterns. The learning process allows the Guard to learn and analyze the traffic patterns of each zone before creating sets of recommended thresholds.
If there is an attack on the zone before the learning phases have been completed, and the Guard has not yet adapted its protection policy, the Guard can initiate on-demand protection. On-demand protection quickly activates the Guard's anti-spoofing and anti-zombie mechanisms; the default thresholds that are configured for a new zone enable effective protection. Refer to the Cisco Guard User Guide for further details.
Once the Guard has learned the zone traffic characteristics, it is ready to protect the zone. You may wish to wait for an external indication of an attack, from the Cisco Traffic Anomaly Detector or any other means, before setting the Guard to protect the zone, or you can instruct the Guard to protect the zone as soon as zone configuration is completed. During zone protection, the Guard diverts the zone traffic and applies its protection policies.
When the protection policies detect threshold violations indicating abnormal or malicious traffic, they dynamically configure a set of filters to direct the traffic to the appropriate protection module according to the severity of the attack.
You can activate the Guard's protection in two ways:
• Automatic protection mode—The dynamic filters are activated without user intervention.
• Interactive protection mode—The dynamic filters are activated manually. The dynamic filters are grouped as recommendations that wait for your decision. You can review these recommendations and decide which of them to accept, ignore, or direct to automatic activation.
You configure the operation mode for each zone separately. See the "Managing Zones" section for further details.
Note
Before activating the Guard's protection, you must first configure traffic diversion for the zone's traffic. For further information on zone diversion configuration, refer to the Cisco Guard User Guide.
Protecting the Zone
After learning the zone traffic characteristics, the Guard is ready to protect the zone. During zone protection, the Guard diverts the zone traffic and applies protection policies.
Activating Protection
To activate zone protection, perform one of the following:
• On the zone's home page, click Protect.
• From the zone's main menu, select Protection > Protect. See Figure 7-1.
Figure 7-1 Protection Menu
On-Demand Protection
You can protect a zone on demand if the zone is under attack but the Guard has not completed its learning phase and so has not adapted its protection policy to suit the zone traffic. The system-defined zone templates include predefined protection policies and User filters for this purpose. The default thresholds of these templates are tuned so that the Guard's anti-spoofing mechanisms are activated quickly if the Guard identifies an abnormality in the zone's traffic.
Because the Guard has no knowledge of the zone traffic patterns, the thresholds used to block (drop) source IP addresses are set to relatively high values. This means that on-demand protection requires user intervention when mitigating non-spoofed attacks. You must monitor the zone's legitimate and malicious traffic rates and review the Guard's mitigation actions.
To initiate on-demand protection, perform the following steps:
Step 1 From the Guard module's main menu, select Zones > Create Zone and create a new zone.
Step 2 Click Protect on the zone's home page to activate protection.
Step 3 Analyze the zone's traffic patterns. See the "Analyzing Traffic" section for further details.
Deactivating Protection
To deactivate the zone's protection, perform one of the following:
• On the zone's home page, click Deactivate.
• From the zone's main menu, select Protection > Deactivate.
Verifying Zone Protection
You can view the zone status and verify that the protection process is functioning properly.
To view the zone counters, select Diagnostics > Counters from the zone main menu.
To verify whether an attack is in progress, check that the malicious traffic rate is greater than zero.
To verify that zone protection is functioning properly while an attack is in progress, check the following:
• The number of active dynamic filters (as displayed on the zone's home page) is greater than zero.
• The legitimate traffic rate is greater than zero.
When there is no attack on the zone and no indication of suspicious traffic, the Guard considers all diverted traffic to be legitimate and forwards it to the zone. The Legitimate traffic counter is then equal to the Received traffic counter. See "Zone Statistics and Diagnostics" for further details.
Dynamic Filters
The Guard analyzes the diverted zone traffic in search of policy threshold violations. Once it detects a violation, the Guard analyzes the results and creates a set of filters that continuously adapt to the zone traffic and the type of DDoS attack. These filters are the dynamic filters. Once abnormal traffic is detected, the dynamic filter refers the Guard to the User filters so that the actions suggested by the User filters can be compared with the protection recommended by the Guard. You can access the dynamic filters and configure them to suit your own needs.
For a comprehensive overview of Dynamic filters, refer to the Cisco Guard User Guide.
To view the Dynamic filters, perform one of the following:
• From the zone's main menu, select Protection > Dynamic filters.
• On the zone's home page, click Active dynamic filters in the zone's status summary table.
Figure 7-2 Dynamic Filters Table
The Dynamic filters table (Figure 7-2) displays the dynamic filters filtered according to the policy that created them and displays information about the ongoing attack. Table 7-1 describes the fields in the table.
Table 7-1 Field Descriptions for Dynamic Filters Table
Field | Description
Created by | The policy that created the filter. Click on the policy name to display the Policy details. See the "Zone Policies" section for further details.
Activation | The date and time the filter was activated.
Expiration | The filter expiration time. Once the filter expires, the Guard decides whether or not to deactivate the Dynamic filter that was produced by the policy according to the Dynamic filter termination criteria.
Src IP | The source IP address on which the Dynamic filter is applied.
Protocol | The protocol number on which the Dynamic filter is applied.
Dst Port | The destination port on which the Dynamic filter is applied.
Fragments | Indicates whether the attack stream contains fragmented packets.
Action | The action taken by the filter. The following actions apply for the Dynamic filters:
• to-user-filters—Forwards the traffic to the user-configured User filters.
• filter/strong—Applies strong anti-spoofing mechanisms to the specified traffic.
• filter/drop—Drops the traffic.
• block-unauthenticated-basic—Drops traffic that has not been authenticated by the basic anti-spoofing mechanisms.
• block-unauthenticated-strong—Drops traffic that has not been authenticated by the strong anti-spoofing mechanisms.
• block-unauthenticated-dns—Drops traffic destined for DNS servers that has not been authenticated by the DNS anti-spoofing mechanisms.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.
Rate (pps) | The approximate attack rate.
Details | Indicates whether additional information can be viewed for this filter. Click i for additional information.
A value of * for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter.
To display detailed information on the filter, click i in the Details column. See the "Dynamic Filter Details" section for further details.
Terminating Dynamic Filters
Once the Dynamic filter timeout expires, the Guard determines whether the Dynamic filter should be deactivated. If the Guard decides not to deactivate the Dynamic filter, the filter's activation timeout restarts for another time span. The Dynamic filter is deactivated if one of the following applies:
• The total zone Malicious traffic rate (the sum of the spoofed and dropped traffic) is less than or equal to the Malicious-rate termination threshold.
• The Dynamic filter does not have an action of to-user-filters (the filter rate counter does not display N/A) and the Filter-rate termination threshold is equal to or greater than both of the following:
  – The Dynamic filter's current traffic rate
  – The Dynamic filter's average traffic rate during a user-configured time span (defined by the policy's Timeout parameter)
See the "Managing Zones" section for further details on threshold configuration.
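To make the two termination criteria concrete, here is an added Python model (not Cisco Guard code) of the checkout the Guard runs when a Dynamic filter's timeout expires; the record fields, the one-sample-per-second rate history and the sample numbers are assumptions constructed for this example.

```python
"""Model of the Dynamic filter termination check described above.

Added illustration, not Cisco Guard code: the record layout, the
per-second rate history and all sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DynamicFilter:
    action: str        # e.g. "filter/drop" or "to-user-filters"
    timeout_sec: int   # the policy's Timeout parameter (averaging window)
    rate_samples: List[int] = field(default_factory=list)  # pps, one per second, oldest first

    @property
    def current_rate(self) -> Optional[int]:
        """Latest rate sample; None models the N/A counter of a to-user-filters filter."""
        if self.action == "to-user-filters" or not self.rate_samples:
            return None
        return self.rate_samples[-1]

    @property
    def average_rate(self) -> Optional[float]:
        """Average over the most recent Timeout seconds; None when the counter is N/A."""
        if self.current_rate is None:
            return None
        window = self.rate_samples[-self.timeout_sec:]
        return sum(window) / len(window)


def should_terminate(flt: DynamicFilter, spoofed_pps: int, dropped_pps: int,
                     malicious_rate_threshold: int, filter_rate_threshold: int) -> bool:
    """Return True when either termination criterion from the section above holds."""
    # Criterion 1: the zone's total malicious rate (spoofed + dropped) is at or
    # below the Malicious-rate termination threshold. This applies to every filter.
    if spoofed_pps + dropped_pps <= malicious_rate_threshold:
        return True
    # Criterion 2: only for filters whose rate counter is not N/A (action other
    # than to-user-filters). The Filter-rate threshold must be >= BOTH the
    # current rate and the average rate over the Timeout window.
    if flt.current_rate is None:
        return False
    return (filter_rate_threshold >= flt.current_rate
            and filter_rate_threshold >= flt.average_rate)


def evaluate_filters(filters, spoofed_pps, dropped_pps,
                     malicious_rate_threshold, filter_rate_threshold):
    """Return the filters that stay active after the checkout procedure."""
    return [f for f in filters
            if not should_terminate(f, spoofed_pps, dropped_pps,
                                    malicious_rate_threshold, filter_rate_threshold)]


# Constructed sample filters (not real measurements). The zone is still under
# attack: 500 pps spoofed + 300 pps dropped is above a 100 pps termination threshold.
SAMPLE_FILTERS = [
    # Current rate (20) and 3-second average (30) are both under the 50 pps
    # filter threshold, so this filter is deactivated.
    DynamicFilter("filter/drop", timeout_sec=3, rate_samples=[900, 40, 30, 20]),
    # Current rate is low, but a burst inside the window keeps the average (73.3)
    # above the threshold, so the filter stays active.
    DynamicFilter("filter/drop", timeout_sec=3, rate_samples=[10, 200, 10, 10]),
    # Rate counter shows N/A: criterion 2 never applies while the zone is under attack.
    DynamicFilter("to-user-filters", timeout_sec=3, rate_samples=[]),
]

if __name__ == "__main__":
    active = evaluate_filters(SAMPLE_FILTERS, spoofed_pps=500, dropped_pps=300,
                              malicious_rate_threshold=100, filter_rate_threshold=50)
    for f in active:
        print(f"still active: {f.action} current={f.current_rate} avg={f.average_rate}")
```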
Dynamic Filter Details
To display detailed information for the filter, click i in the Details column of the Dynamic Filters table. Figure 7-3 appears.
Figure 7-3 Dynamic Filter Details Screen
The Dynamic filter details screen includes three tables:
• Information on the policy that created the filter.
• Information on the attack flow—Information on the attack that was mitigated.
Note
The mitigated flow can have a wider range than the detected attack flow. For example, a non-spoofed attack on port 80 blocks all TCP traffic from the originating source IP and not only port 80.
• Information on the trigger that created the filter. See Table 7-2.
Table 7-2 Field Descriptions for Triggers
Field | Description
Policy Threshold | The threshold defined for the policy that was violated by the attack.
Triggering rate | The approximate attack rate that triggered the production of the filter.
Configuring Dynamic Filters
You can add or delete Dynamic filters and configure them according to your needs.
The Guard removes a zone's Dynamic filters when the zone's protection ends.
Deleting a Dynamic Filter
To delete a Dynamic filter, select the check box next to the filter in the Dynamic Filters Details Table and click Delete.
You can remove all Dynamic filters. This is effective for a limited period of time since the Guard, when in protection mode, continues to configure new Dynamic filters to adapt its protection to the dynamically changing traffic state.
To prevent unwanted Dynamic filters from being reproduced, deactivate the policy that produces them. See the "Configuring Policies" section for further details. To find out which policy produced the unwanted Dynamic filters, see the sections about viewing Dynamic filters in this chapter. Alternatively, you can perform one of the following:
• Configure a Bypass filter for the desired traffic flow. For a comprehensive explanation of the User filter parameters, with examples, refer to the Cisco Guard User Guide.
• Increase the threshold of the policy that produced the undesired Dynamic filter. See the "Configuring Parameters" section for further details.
Adding a Dynamic Filter
To add a Dynamic filter, click Add in the Dynamic Filters Details Table (Figure 7-2) and enter the relevant information.
Table 7-3 describes the Dynamic filter fields.
Table 7-3 Field Descriptions for Dynamic Filters
Field | Description
Source IP | Directs traffic coming from a specific IP address to the Dynamic filter. Leave blank or enter * for any.
Source Subnet | Directs traffic coming from a specific subnet to the Dynamic filter. Choose the subnet from the drop-down list.
Protocol | Directs traffic of a specific protocol to the Dynamic filter. The protocol is denoted by its well-known number. Leave blank or enter * for any.
Dst Port | Directs traffic destined to a specific port to the Dynamic filter. Leave blank or enter * for any.
Fragments | Denotes the specific traffic type for the filter to operate on. Possible values are:
• without—The Dynamic filter acts on non-fragmented traffic.
• with—The Dynamic filter acts on fragmented traffic.
• *—The Dynamic filter acts on fragmented and non-fragmented traffic.
Action | The action the filter performs on the specific traffic type. Possible values are:
• to-user-filters—Forwards the specific traffic to the user-configured User filters.
• filter/strong—Applies strong anti-spoofing mechanisms to the specified traffic.
• filter/drop—Drops the traffic.
• block-unauthenticated-basic—Drops traffic that has not been authenticated by the basic anti-spoofing mechanisms.
• block-unauthenticated-strong—Drops traffic that has not been authenticated by the strong anti-spoofing mechanisms.
• block-unauthenticated-dns—Drops traffic destined for DNS servers that has not been authenticated by the DNS anti-spoofing mechanisms.
• redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.
Timeout (Sec) | The minimum time that the filter should be active. See the "Terminating Dynamic Filters" section for further details. Enter an integer to specify the time, in seconds, or leave blank for unlimited time. Dynamic filters with unlimited time are also deleted once protection is aborted.
Interactive Recommendations Mode
In the Interactive Recommendations mode, the Guard lets you decide which of the filters that the policies produce are activated. The Guard acts on your decision and accepts or ignores each filter accordingly, so you decide on protection measures in real time. In interactive mode, you have greater control over the activation of protective measures as a DDoS attack progresses.
The recommendations are a summary of the pending dynamic filters according to the policies that produced them. The information includes the policy name that recommended it, data on the traffic anomaly that resulted in policy activation, the number of pending filters and the recommended action.
For a comprehensive overview of the Interactive recommendations mode, refer to the Cisco Guard User Guide.
When the number of pending filters is greater than 1000, the newly added recommendations are recorded in the Guard's log file and then discarded. We recommend that you do the following:
1. Deactivate the zone. (Click Deactivate on the zone's home page.)
2. Change the operation mode to automatic. See the "Managing Zones" section for further details.
3. Re-activate zone protection. (Click Protect on the zone's home page.)
Activating the Interactive Recommendations Mode
Operation mode is a characteristic of a zone.
To activate the interactive recommendations mode, perform these steps:
Step 1 From the zone's main menu, select Configuration > General.
Step 2 Click the Config button below the first table.
Step 3 Set the operation mode to interactive and click OK.
See the "Managing Zones" section for further details.
You can decide to end interactive mode of operation at any time and return to automatic operation mode. The Guard disregards any decisions made while in interactive mode. The policies resume their role of automatically producing and activating their filters and automatically accepting all pending Dynamic filters and recommendations.
Viewing New Recommendations
A recommendations icon indicates that there are new recommendations. The icon appears in the following locations:
• On the navigation pane, next to the zone's icon in the All Zones list
• On the navigation pane, next to the zone's icon in the Protected Zones list
• On the zone's home page, in the zone status bar
• In the zone list table
When the Guard has new recommendations, the number of pending Dynamic filters is greater than zero. You can see this in the zone's status summary on the zone's home page under Pending Dynamic filters.
To view new recommendations, perform one of the following:
• From the zone's main menu, select Protection > Recommendations.
• On the zone's home page, click Pending Dynamic filters in the zone's status summary.
Figure 7-4 Recommendations
Table 7-4 describes the fields in the Recommendations table.
Table 7-4 Field Descriptions for Recommendations Table
Field | Description
ID | An ID number for the protection recommendation.
Recommendation | The recommended action.
Created By | The policy that created the filter. Click on the policy name to display the Policy details. See the "Configuring Parameters" section for further details.
# of PFs | The number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of a traffic flow that violated the policy threshold. Click on the number to view the pending dynamic filters that constitute the recommendation.
Attack flow | Information on the attack flow. The following information is provided:
• Src IP—The source IP address of the attack stream
• Protocol—The protocol number of the attack stream
• Dst Port—The destination port of the attack stream
• Dst IP—The destination IP address of the attack stream
Thr. | The policy threshold that was violated.
Min. | The minimum attack rate. The rate of the lowest pending filter is displayed for recommendations that include several pending filters.
Max. | The maximum attack rate. The rate of the highest pending filter is displayed for recommendations that include several pending filters.
Creation | The date and time the recommendation was created.
A value of * for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter. To display the different values, view the complete list of pending filters.
Deciding on Recommendations
The Guard enables you to decide how to act on its recommendations. Your decisions determine whether a pending filter is activated, and for how long. You can also instruct the Guard to always automatically activate the pending filters of a specific policy; the Guard then no longer displays that policy's filters for you to decide on.
You can also prevent a policy from producing recommendations and their pending filters. To do so, disable or inactivate the policy. See the "Configuring Parameters" section for further details.
As the DDoS attack continues and changes its characteristics, the Guard's policies continue to produce recommendations for you to view and act on. You can opt to change the operation mode to automatic during the ongoing attack.
The Guard activates the Dynamic filters produced by the policies for at least the time that you defined (Filters timeout). See the "Dynamic Filters" section for further details.
Once the filter timeout expires, the Guard runs a checkout procedure in order to decide whether or not to deactivate the Dynamic filter that was produced by the policy. See the "Terminating Dynamic Filters" section for further details.
To decide on the Guard's recommendations, perform the following steps:
Step 1 Enter the filter's timeout, in seconds, in the Filters timeout box.
Step 2 Check the box next to the recommendation.
Step 3 Select the required action.
Table 7-5 describes the possible actions you can take for a recommendation.
Table 7-5 Recommendation Actions
Action | Description
Accept | Accept the specific recommendation. The recommendation's pending filters are activated.
Always Accept | Accept the specific recommendation. The decision applies automatically whenever the recommendation's policy produces new recommendations.
Note The Guard does not display the always-accept recommendations.
Always Ignore | Ignore the specific recommendation. No dynamic filter or filters will be produced by the recommendation. The decision automatically applies to all future recommendations produced by the recommendation's policy during the current protection only. To prevent a policy from producing recommendations, the policy should be disabled or inactivated.
You can also decide to selectively accept pending dynamic filters instead of accepting the recommendation. See the "Pending Dynamic Filters" section for further details.
Note
You can change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the recommendation's pending filters.
Pending Dynamic Filters
The pending dynamic filters measure each flow that violated a threshold. Pending dynamic filters that were produced by the same policy appear as a single recommendation.
To view the pending dynamic filters, click on the number of pending filters ("# of PFs" column) in the recommendations table (Figure 7-5).
Figure 7-5 Pending Dynamic Filters
Table 7-6 describes the fields in the pending dynamic filters table.
Table 7-6 Field Descriptions for Pending Dynamic Filters
Field | Description
Created by | The policy that created the filter. Click on the policy name to display the Policy details. See the "Zone Policies" section for further details.
Activation | The date and time the filter was created.
Src IP | The source IP address of the attack stream.
Protocol | The protocol number of the attack stream.
Dst Port | The destination port of the attack stream.
Fragments | Indicates whether the attack stream contains fragmented packets.
Action | The action taken by the filter.
Recent rate | The current attack rate measured by the filter.
Rate (pps) | The triggering rate. The approximate attack rate that triggered the production of the dynamic filter.
Details | Indicates whether additional information is available for this filter. Click i for additional information.
A value of * for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the filter's parameter.
The Guard activates the Dynamic Filters produced by the policies for at least a user-defined time span (filter timeout).
Note
Once the filter timeout expires, the Guard runs a checkout procedure in order to decide whether or not to deactivate the Dynamic filter that was produced by the policy. See the "Terminating Dynamic Filters" section for further details.
To selectively accept a pending Dynamic filter, perform these steps:
Step 1 Enter the timeout, in seconds, in the Filters timeout box.
Step 2 Check the box next to the required filter and click Accept.
To display detailed information for the filter, click i in the details column. Figure 7-6 appears.
Figure 7-6 Pending Dynamic Filter Details
The pending dynamic filter details screen includes three tables:
• Information on the policy that created the filter.
• Information on the attack flow.
• Information on the trigger for the filter creation. Table 7-2 describes the fields.