Cisco Guard Configuration Guide (Software Version 5.0)
Product Overview

Table Of Contents

Product Overview

Understanding the Cisco Guard

Understanding DDoS

Understanding Zones

Understanding How the Guard Operates

Understanding the Learning Process

Understanding the Zone Policies

Understanding How the Guard Performs Zone Protection

Understanding the Protect and Learn Function

Understanding On-Demand Protection

Using Attack Reports

Understanding the Protection Process

Understanding the Protection Cycle


Product Overview


This guide provides instructions for the Cisco Guard (Guard). It describes how to perform administration tasks and the general operations needed to run the Guard, and it explains how to use the Guard.

This chapter provides a general overview of the Cisco Guard (Guard) and describes its components and how it works. The chapter contains the following sections:

Understanding the Cisco Guard

Understanding DDoS

Understanding Zones

Understanding How the Guard Operates

Understanding the Protection Process

Understanding the Protection Cycle

Understanding the Cisco Guard

The Cisco Guard (Guard) is a high-performance denial-of-service (DoS) protection network device.

The Guard protects a network element, the zone, against DDoS attacks. The Guard receives the traffic that is diverted from its path to the attacked zone, identifies and removes the attack packets, and forwards the legitimate packets to their original destination. See the "Understanding Zones" section for more information.

Typically, you deploy the Guard in a distributed upstream configuration at the backbone level. When an attack is detected, only the traffic destined for the attacked zone is diverted to the Guard; traffic for other zones continues to flow unhindered. The Guard analyzes the packets and removes the DDoS components so that only clean traffic flows on to the intended zone.

While it protects a zone, the Guard continuously filters the diverted traffic and watches for evolving attack patterns.

The Guard has these features:

Traffic diversion mechanisms that divert the zone traffic to the learning and protection processes and then return the legitimate traffic to the zone without disrupting other network traffic.

An algorithm-based learning system that learns the zone traffic, adapts itself to its particular characteristics, and supports the protection processes with references and protection instructions in the form of thresholds and policies. In addition, the Guard provides on-demand protection for situations in which the zone is under attack but the Guard has not yet completed the learning process and is not yet tuned to the zone traffic.

Protection processes that can distinguish between legitimate and suspicious traffic and can filter the malicious traffic so that only the legitimate traffic is allowed to pass on to the zone.

Integrating these components enables the Guard to assume its protective role when there is an attack, but to remain unobtrusively in the background for the rest of the time. When there are no suspected attacks you do not need to activate the diversion process, and the Guard does not see the traffic.

Understanding DDoS

Distributed Denial of Service (DDoS) attacks occur when malicious users cause thousands of compromised computers (zombies) to run automated scripts that exhaust a protected server's network resources with spurious requests for service. The attack can be a flood of spurious home page requests that shuts legitimate users out of a Web server, or an effort that compromises the availability and accuracy of Domain Name System (DNS) servers. Although an attack is often launched by an individual, the compromised computers that actually execute the attacking code may number in the hundreds of thousands, are distributed over multiple autonomous systems, and may be administered by multiple organizations. These distributed attacks generate a traffic volume that cannot be handled by the lower bandwidth available at a typical zone. See the "Understanding Zones" section for information about zones.

A DDoS defense system must be capable of detecting an upcoming DDoS attack, differentiating between malicious and legitimate traffic, and performing those tasks without hindering the traffic flow of the attacked network.

Understanding Zones

The Guard protects a network element, known as a zone, against DDoS attacks. A zone can be one of the following elements:

A network server, client, or router

A network link, a subnet, or an entire network

An individual Internet user or a company

An Internet Service Provider (ISP)

Any combination

The Guard can protect different zones simultaneously as long as their network address ranges do not overlap.

When you define a zone, you configure parameters such as the network addresses and the policies that the Guard uses for zone protection. You assign a name to the zone, and use this name to refer to it.
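The non-overlap requirement above is easy to violate once several zones carry multiple prefixes, so the following is a pre-deployment check you can run over your planned zone definitions before entering them on the Guard. It is an added example in Python, not Cisco code or a Guard command; the zone names and prefixes are constructed for illustration.

```python
"""Check that a set of zone definitions has no overlapping address ranges,
which the Guard requires for zones it protects at the same time.
Added example; zone names and prefixes below are constructed."""

import ipaddress
from itertools import combinations


def overlapping_zones(zones):
    """zones: {zone_name: [prefix, ...]}.
    Returns (zone_a, prefix_a, zone_b, prefix_b) for every pair of prefixes
    in different zones that overlap (equal, or one contains the other).
    An empty list means the zones can be protected simultaneously."""
    parsed = {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
              for name, prefixes in zones.items()}
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                # overlaps() only compares networks of the same IP version
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


def demo():
    """Constructed zone plan: 'mail' sits inside the 'web-farm' /26."""
    zones = {
        "web-farm": ["203.0.113.0/26"],      # 203.0.113.0 - .63
        "dns": ["203.0.113.64/28"],          # 203.0.113.64 - .79
        "mail": ["203.0.113.32/27"],         # 203.0.113.32 - .63, inside web-farm
        "vpn": ["198.51.100.0/24"],
    }
    return overlapping_zones(zones)
```

Run `demo()` and fix every pair it reports (merge the zones, or split the prefixes) before defining the zones on the Guard.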

Understanding How the Guard Operates

To protect the target host (zone), the Guard diverts the zone traffic to itself. You can wait for an external indication of an attack, such as from a Cisco Traffic Anomaly Detector, before setting the Guard to protect the zone, or you can instruct the Guard to protect the zone as soon as you complete the zone configuration. The Guard analyzes the data flow, blocks all DDoS elements, removes the malicious packets from the diverted stream, and returns the clean traffic to the main data path so that it continues flowing to the intended zone. Figure 1-1 describes the protection operation.

The diversion is configured globally, using the Guard routing configuration. See "Understanding Zone Traffic Diversion" for further details.

Figure 1-1 Cisco Guard Operation

The Guard learns the zone traffic characteristics so that it can form a basis on which to compare zone traffic and trace any anomalies that might become malicious.

This section contains the following topics:

Understanding the Learning Process

Understanding the Zone Policies

Understanding How the Guard Performs Zone Protection

Understanding the Protect and Learn Function

Understanding On-Demand Protection

Using Attack Reports

Understanding the Learning Process

The learning process consists of the following two phases:

Policy Construction Phase—Creates the zone policies. The policy templates provide the rules that the Guard uses to construct the zone policies. The traffic flows transparently through the Guard, which allows the Guard to discover the main services that the zone uses.

Threshold Tuning Phase—Tunes the zone policies to fit the traffic rates of the zone services. The traffic flows transparently through the Guard, which enables the Guard to tune the thresholds for the services that it discovered during the policy construction phase.

Understanding the Zone Policies

The zone policies are the building blocks of the Guard and are the basis to which the Guard compares the zone traffic in order to trace any anomalies that might become malicious. When the traffic flow exceeds a policy threshold, the Guard identifies the traffic as abnormal or malicious and configures a set of filters (dynamic filters) dynamically to apply the appropriate protection level to the traffic flow according to the severity of the attack.

See "Configuring Zones" for more information on traffic learning. See "Configuring Policy Templates and Policies" for more information on zone policies.

Understanding How the Guard Performs Zone Protection

You can activate the Guard protection in the following ways:

Automatic protect mode—The Dynamic filters are activated automatically.

Interactive protect mode—The Dynamic filters are activated manually, interactively. The Dynamic filters are grouped as recommended actions for you to complete. You can review these recommendations and decide whether to accept, ignore, or direct these recommendations to automatic activation.

See "Using Interactive Protect Mode" for more information.

Understanding the Protect and Learn Function

You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to enable the Guard to learn the zone policy thresholds and at the same time monitor the policy thresholds for traffic anomalies. When the Guard detects an attack, it stops the learning process but continues zone protection. This process prevents the Guard from learning malicious traffic thresholds. The Guard resumes the learning process when the attack ends. See the "Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously" section for more information.
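The following model shows the relationship between the threshold tuning phase, the zone policies and the protect and learn function described above: thresholds are learned from observed per-service rates, a rate above a threshold produces a dynamic filter, and learning is suspended while any policy is exceeded so that attack rates are never absorbed into the thresholds. This is an added example in Python, not Cisco code; the tuning rule (threshold = 1.5 times the peak rate seen while learning), the service names and the traffic samples are assumptions chosen for illustration.

```python
"""Illustrative model of threshold tuning and the protect and learn function.
Added example, not Cisco code. The tuning rule (threshold = 1.5 x peak rate
seen while learning), service names and traffic samples are assumptions."""

from dataclasses import dataclass, field

TUNING_MARGIN = 1.5   # assumed headroom applied above the learned peak rate


@dataclass
class Policy:
    """One zone policy: a per-service rate threshold learned from traffic."""
    service: str            # e.g. "tcp/80"
    threshold: float = 0.0  # packets/s above which the policy reacts; 0 = not yet learned

    def observe(self, rate: float) -> None:
        """Threshold tuning: raise the threshold to cover the rate seen, plus margin."""
        self.threshold = max(self.threshold, rate * TUNING_MARGIN)

    def exceeded(self, rate: float) -> bool:
        return self.threshold > 0 and rate > self.threshold


@dataclass
class Zone:
    name: str
    policies: dict = field(default_factory=dict)
    under_attack: bool = False
    dynamic_filters: list = field(default_factory=list)   # (service, rate, threshold)

    def policy(self, service: str) -> Policy:
        return self.policies.setdefault(service, Policy(service))

    def tune(self, sample: dict) -> None:
        """Threshold tuning phase on its own: learn from the sample, no protection."""
        for service, rate in sample.items():
            self.policy(service).observe(rate)

    def protect_and_learn(self, sample: dict) -> list:
        """Protect and learn: check the sample against the current thresholds,
        create a dynamic filter for each exceeded policy, and learn from the
        sample only when nothing is exceeded. Attack rates therefore never
        become part of the thresholds; learning resumes when the attack ends."""
        exceeded = [svc for svc, rate in sample.items() if self.policy(svc).exceeded(rate)]
        self.under_attack = bool(exceeded)
        for svc in exceeded:
            self.dynamic_filters.append((svc, sample[svc], self.policy(svc).threshold))
        if not self.under_attack:
            self.tune(sample)
        return exceeded


def demo():
    """Constructed scenario: two tuning samples, then a spike on tcp/80."""
    zone = Zone("web")
    for sample in [{"tcp/80": 800, "udp/53": 40}, {"tcp/80": 1000, "udp/53": 60}]:
        zone.tune(sample)                      # thresholds: tcp/80 1500, udp/53 90
    events = [zone.protect_and_learn(s) for s in [
        {"tcp/80": 1200, "udp/53": 50},        # normal: learning continues (tcp/80 -> 1800)
        {"tcp/80": 9000, "udp/53": 50},        # flood: dynamic filter created, learning paused
        {"tcp/80": 1100, "udp/53": 50},        # attack over: learning resumes
    ]]
    return zone, events
```

After `demo()` the tcp/80 threshold is 1800, not 13500: the 9000 packets/s sample produced a dynamic filter but was excluded from learning, which is the point of stopping the learning process while an attack is in progress.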

Understanding On-Demand Protection

You can also protect a zone without first enabling the Guard to learn the zone traffic characteristics. The system-defined zone templates include predefined policies and filters that are suitable for protecting a zone whose traffic characteristics the Guard does not know. See the "Enabling On-Demand Protection" section for more information.

Using Attack Reports

The Guard provides an attack report for every zone so that you can display the zone status. The attack report provides details of the attack, starting with the production of the first dynamic filter, and ending with protection termination. See "Understanding Attack Reports," for more information.

Understanding the Protection Process

The Guard uses four types of filters to direct the zone traffic to the required protection level. You can configure these filters to customize the traffic flow and control the anti-DDoS protection operation.

The Guard uses the following types of filters:

User Filters—Apply the required protection level to the specified traffic flows.

Bypass filters—Prevent the Guard from handling specific traffic flows.

Flex-Content filters—Count or drop a specified traffic flow. The Flex-Content filter provides extremely flexible filtering capabilities and can filter according to fields in the IP and TCP headers and according to content bytes.

Dynamic filters—Apply the required protection level to the specified traffic flows. The Guard creates Dynamic filters based on its analysis of the traffic flow. The Guard continuously adapts this set of filters to the zone traffic and the type of the DDoS attack. Dynamic filters have a limited life span and are erased after the attack ends.
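To make the Flex-Content filter concrete, the following is a minimal classifier of the kind such a filter performs: it decodes the IPv4 and TCP header fields of a packet, tests them and a run of payload bytes against a rule, and either counts or drops. This is an added example in Python and not the Guard's filter syntax or implementation; the rule fields, the evaluation order (first drop match wins, count matches let the packet continue) and the sample packets are assumptions constructed for illustration.

```python
"""Illustration of Flex-Content style matching on IP/TCP header fields and
payload bytes. Added example, not Cisco code; rule schema, evaluation order
and packets are assumed."""

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options


def parse_packet(raw: bytes) -> dict:
    """Decode the fields a filter can test from a raw IPv4 packet."""
    vihl, _tos, _tot, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(raw, 0)
    ihl = (vihl & 0x0F) * 4
    pkt = {"proto": proto, "src": ipaddress.IPv4Address(src),
           "dst": ipaddress.IPv4Address(dst), "payload": raw[ihl:]}
    if proto == 6 and len(raw) >= ihl + TCP_HDR.size:
        sport, dport, _seq, _ack, offres, flags, _win, _tcs, _urg = TCP_HDR.unpack_from(raw, ihl)
        thl = (offres >> 4) * 4
        pkt.update({"sport": sport, "dport": dport, "tcp_flags": flags, "payload": raw[ihl + thl:]})
    return pkt


@dataclass
class FlexContentFilter:
    action: str                                   # "count" or "drop"
    proto: Optional[int] = None                   # IP protocol number, 6 = TCP
    src_net: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    tcp_flags: Optional[int] = None               # exact TCP flag byte, 0x02 = SYN only
    content: Optional[bytes] = None               # bytes expected at content_offset in the payload
    content_offset: int = 0
    matched: int = 0                              # packets that matched this filter

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src_net is not None and pkt["src"] not in self.src_net:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.tcp_flags is not None and pkt.get("tcp_flags") != self.tcp_flags:
            return False
        if self.content is not None:
            end = self.content_offset + len(self.content)
            if pkt["payload"][self.content_offset:end] != self.content:
                return False
        return True


def apply_filters(filters, packets):
    """Run each packet through the filters in order; a drop match ends the
    packet's processing, a count match only increments. Returns forwarded packets."""
    forwarded = []
    for raw in packets:
        pkt = parse_packet(raw)
        dropped = False
        for f in filters:
            if f.matches(pkt):
                f.matched += 1
                if f.action == "drop":
                    dropped = True
                    break
        if not dropped:
            forwarded.append(raw)
    return forwarded


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed test packet; checksums are left zero (not needed for matching)."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def demo():
    """Drop SYNs from one source range, drop a payload pattern, count the rest of port 80."""
    filters = [
        FlexContentFilter("drop", proto=6, dport=80, tcp_flags=0x02,
                          src_net=ipaddress.IPv4Network("198.51.100.0/24")),
        FlexContentFilter("drop", proto=6, dport=80, content=b"GET /cgi-bin/"),
        FlexContentFilter("count", proto=6, dport=80),
    ]
    zone = "203.0.113.10"
    packets = [
        build_tcp_packet("198.51.100.7", zone, 40000, 80, 0x02),                       # dropped by filter 0
        build_tcp_packet("192.0.2.5", zone, 40001, 80, 0x02),                          # counted, forwarded
        build_tcp_packet("192.0.2.5", zone, 40001, 80, 0x18, b"GET /cgi-bin/x HTTP/1.0\r\n"),  # dropped by filter 1
        build_tcp_packet("192.0.2.5", zone, 40001, 80, 0x18, b"GET / HTTP/1.0\r\n"),   # counted, forwarded
        build_tcp_packet("192.0.2.5", zone, 40002, 443, 0x02),                         # no filter applies
    ]
    forwarded = apply_filters(filters, packets)
    return [f.matched for f in filters], len(forwarded)
```

Note that the drop on payload content applies to every matching packet regardless of source, which is why such filters are best scoped with header fields too; a content-only rule against a common string would discard legitimate requests as readily as attack traffic.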

The Guard has three protection levels in which it applies different processes to the traffic flows:

Analysis protection level—The Guard allows the traffic to flow monitored, but unhindered, during zone protection if no anomalies are traced. Once the Guard traces anomalies, it directs the traffic to the appropriate protection level.

Basic protection level—The Guard activates anti-spoofing and anti-zombie functions to authenticate the traffic by inspecting the suspicious traffic flow to verify its source.

Strong protection level—The Guard activates more severe anti-spoofing functions that inspect the packets of the traffic flow to verify their legitimacy.

The Guard performs statistical analysis of the traffic and coordinates between the zone policies, which monitor the zone traffic for anomalies, and the zone filters. In addition, it limits the rate of the traffic that it injects back into the zone to prevent the zone from being overwhelmed.

Understanding the Protection Cycle

The Guard protection cycle applies the zone filters, the zone policies and the Guard protection levels to the traffic flow to clean the zone traffic and inject legitimate traffic only to the zone. Figure 1-2 illustrates the Guard protection cycle.

Figure 1-2 The Guard Protection Cycle

Once zone protection is activated, the zone policies monitor the zone traffic flow. A policy takes action against a particular traffic flow when the flow exceeds the policy threshold. The actions range from issuing a notification to creating new filters (Dynamic filters) that direct the diverted traffic to the relevant protection levels. The Guard uses several authentication methods, depending on the protection level, to authenticate the traffic. The Guard analyzes the traffic flow, drops the traffic that exceeds the defined rate that the zone can handle, and then injects the legitimate traffic back to the zone.

The Guard runs a closed-loop feedback cycle that adjusts the protection measures to the dynamically changing zone traffic characteristics, adopting the protection strategies that answer the changing DDoS attack types and traffic flows. The Guard stops zone protection when, over a predefined period of time, no Dynamic filters are in use, no traffic to the zone has been dropped, and no new Dynamic filters have been added.