Table Of Contents
Product Overview
Understanding the Cisco Guard
Understanding DDoS
Understanding Zones
Understanding How the Guard Operates
Understanding the Learning Process
Understanding the Zone Policies
Understanding How the Guard Performs Zone Protection
Understanding the Protect and Learn Function
Understanding On-Demand Protection
Understanding Attack Reports
Understanding the Protection Process
Understanding the Protection Cycle
Product Overview
This chapter provides a general overview of the Cisco Guard (Guard) and describes its components and how it works. The chapter contains the following sections:
• Understanding the Cisco Guard
• Understanding DDoS
• Understanding Zones
• Understanding How the Guard Operates
• Understanding the Protection Process
• Understanding the Protection Cycle
Understanding the Cisco Guard
The Cisco Guard (Guard) is an active Distributed Denial of Service (DDoS) attack mitigation device that diverts and processes suspect traffic to drop attack packets and forward legitimate transactions.
The Guard protects a network element, the zone, against DDoS attacks. The Guard receives the diverted traffic from the attacked targets, identifies and removes specific attack packets, and forwards legitimate traffic packets to their original destination. See the "Understanding Zones" section for more information.
Typically, you deploy the Guard in a distributed upstream configuration at the backbone level. When the Guard detects an attack, it diverts only traffic of the attacked zone to itself. Traffic of other zones continues to flow unhindered. The Guard analyzes the packets and removes the DDoS components so that clean traffic packets can flow to the intended zone.
The Guard constantly filters the traffic and stays on the alert for evolving attack patterns.
The Guard has these features:
• Traffic diversion mechanisms that divert the zone traffic to the learning and protection processes and then return the legitimate traffic flow back to the zone while preventing interference to network traffic.
• An algorithm-based learning system that learns the zone traffic, adapts itself to its particular characteristics, and supports the protection processes with references and protection instructions in the form of thresholds and policies. In addition, the Guard has on-demand protection to answer situations in which the zone is under attack, but the Guard has not yet completed the learning process and has not finished tuning to the zone traffic.
• Protection processes that can distinguish between legitimate and suspicious traffic and can filter the malicious traffic so that only the legitimate traffic is allowed to pass on to the zone.
Integrating these components enables the Guard to assume its protective role when there is an attack, but to remain unobtrusively in the background for the rest of the time. When there are no suspected attacks, you do not need to activate the diversion process, and the Guard does not see the traffic.
Understanding DDoS
The primary goal of a DDoS attack is to deny legitimate users access to a specific computer or network resource. Attackers send malicious requests to targets that degrade service, disrupt network services on servers and network devices, and saturate network links with unnecessary traffic.
DDoS attacks occur when malicious users compromise hundreds or thousands of hosts (zombies) over the Internet and install a Trojan on each of them. A Trojan is a nonreplicating program disguised as a harmless application that takes a harmful action the user does not expect. The Trojans take instructions from a master server controlled by the attacker on when and how to launch a coordinated attack. The zombies run automated scripts that exhaust a protected server's network resources with spurious requests for service. The attack can be a flood of spurious home page requests that shuts legitimate users out of a web server, or an effort to compromise the availability and accuracy of Domain Name System (DNS) servers. Although an attack is often launched by a single individual, the compromised computers that actually execute the attack code may number in the hundreds of thousands, be distributed over multiple autonomous systems, and be administered by multiple organizations. Such distributed attacks generate a traffic volume that the lower bandwidth available at a typical zone cannot handle. See the "Understanding Zones" section for information about zones.
Understanding Zones
The Guard protects a zone against DDoS attacks. A zone can be one of the following elements:
• A network server, client, or router
• A network link or subnet or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
• Any combination of these elements
The Guard can protect different zones simultaneously if their network address ranges do not overlap.
When you define a zone, you configure the network addresses and the policies that the Guard uses for zone protection. You assign a name to the zone, and use this name to refer to it.
Understanding How the Guard Operates
To protect the target host (zone), the Guard diverts the zone traffic to itself. You can wait for an external indication, such as from a Cisco Traffic Anomaly Detector, of an attack before setting the Guard to protect the zone, or you can instruct the Guard to protect the zone as soon as you complete configuring the zone. The Guard analyzes the data flow, blocks all DDoS elements, removes the malicious packets from the diverted stream, and returns the clean traffic to the main data path so that it continues flowing to the intended zone. Figure 1-1 describes the protection operation.
The diversion is configured globally, using the Guard routing configuration. See "," for further details.
Figure 1-1 Cisco Guard Operation
The Guard learns the zone traffic characteristics so that it can form a basis on which to compare zone traffic and trace any anomalies that might become malicious.
These sections contain the following topics:
• Understanding the Learning Process
• Understanding the Zone Policies
• Understanding How the Guard Performs Zone Protection
• Understanding the Protect and Learn Function
• Understanding On-Demand Protection
• Understanding Attack Reports
Understanding the Learning Process
When no attack is occurring on the network, the learning process creates a baseline of normal traffic patterns that the Guard uses as a reference point to detect anomalies. These reference points are called policies.
The learning process consists of the following two phases:
• Policy Construction Phase—Creates the zone policies. The policy templates provide the rules that the Guard uses to construct the zone policies. The traffic flows transparently through the Guard, which allows it to discover the main services that the zone uses.
• Threshold Tuning Phase—Tunes the zone policies to fit the traffic rates of the zone services. The traffic flows transparently through the Guard, which enables the Guard to tune the thresholds for the services that it discovered during the policy construction phase.
Understanding the Zone Policies
The zone policies are the building blocks of the Guard and the basis against which the Guard compares the zone traffic to trace any anomalies that might be malicious. When a traffic flow exceeds a policy threshold, the Guard identifies the traffic as abnormal or malicious and dynamically configures a set of filters (dynamic filters) that apply the appropriate protection level to the flow according to the severity of the attack.
See Chapter 5, "Configuring Zones," for more information on traffic learning. See Chapter 7, "Configuring Policy Templates and Policies," for more information on zone policies.
Understanding How the Guard Performs Zone Protection
You can activate the Guard protection in the following ways:
• Automatic protect mode—The dynamic filters are activated automatically.
• Interactive protect mode—The dynamic filters are activated manually, interactively. The dynamic filters are grouped as recommended actions for you to complete. You can review these recommendations and decide whether to accept, ignore, or direct these recommendations to automatic activation.
See "Using Interactive Protect Mode," for more information.
Understanding the Protect and Learn Function
You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to enable the Guard to learn the zone policy thresholds and at the same time monitor the policy thresholds for traffic anomalies. When the Guard detects an attack, it stops the learning process but continues zone protection. This process prevents the Guard from learning malicious traffic thresholds. The Guard resumes the learning process when the attack ends. See the "Tuning Zone Policy Thresholds and Enabling Zone Protection Simultaneously" section for more information.
Understanding On-Demand Protection
You can use system-defined zone templates to protect a zone without enabling the Guard to learn the zone traffic characteristics. The predefined policies and filters in the zone template can protect a zone that has traffic characteristics that are unknown to the Guard. See the "Activating On-Demand Protection" section on page 9-3 for more information.
Understanding Attack Reports
The Guard provides an attack report for every zone so that you can display the zone status. The attack report provides details of the attack, starting with the production of the first dynamic filter, and ending with protection termination. See "Using Attack Reports," for more information.
Understanding the Protection Process
The Guard uses four types of filters to direct the zone traffic to the required protection level. You can configure these filters to customize the traffic flow and control the anti-DDoS protection operation.
The Guard uses the following types of filters:
• User filters—Filters that you configure to apply the required protection level to the specified traffic flows.
• Bypass filters—Prevent the Guard from handling specific traffic flows.
• Flex-Content filters—Count or drop a specified traffic flow. The Flex-Content filter provides extremely flexible filtering capabilities and can filter according to fields in the IP and TCP headers and according to content bytes.
• Dynamic filters—Apply the required protection level to the specified traffic flows. The Guard creates dynamic filters based on its analysis of the traffic flow and continuously adapts this set of filters to the zone traffic and the type of DDoS attack. Dynamic filters have a limited life span and are erased after the attack ends.
The Guard has three protection levels in which it applies different processes to the traffic flows:
• Analysis protection level—The Guard allows the traffic to flow monitored, but unhindered, during zone protection as long as no anomalies are detected. Once the Guard detects anomalies, it directs the traffic to the appropriate protection level.
• Basic protection level—The Guard activates anti-spoofing and anti-zombie functions that authenticate the traffic by inspecting the suspicious traffic flow to verify its source.
• Strong protection level—The Guard activates severe anti-spoofing functions that inspect the packets of the traffic flow to verify the legitimacy of the flow.
The Guard analyzes the traffic and coordinates between the zone policies, which monitor the zone traffic for anomalies, and the zone filters. In addition, it limits the rate of traffic that it injects back into the zone to prevent traffic overflow.
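To make the ordering of the four filter types and the three protection levels concrete, here is an added Python example, not the Guard's own filter engine: it parses constructed IPv4/TCP packets, consults bypass filters first, then flex-content filters that count or drop on header fields and payload bytes, and finally user and dynamic filters that choose the protection level, with analysis as the default. The filter precedence, the rule that the stronger level wins when a user filter and a dynamic filter both match, the minimal header parser, and the sample addresses, filters and packets are all assumptions made for this example.

```python
import collections
import ipaddress
import struct
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10
LEVELS = ("analysis", "basic", "strong")   # weakest to strongest

Packet = collections.namedtuple("Packet", "src dst proto sport dport flags payload")


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Minimal IPv4 + TCP header parser (assumed sufficient for header/content matching)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    if proto != 6:                       # not TCP: expose only the IP fields
        return Packet(src, dst, proto, 0, 0, 0, raw[ihl:])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    flags = raw[ihl + 13]
    return Packet(src, dst, proto, sport, dport, flags, raw[ihl + data_off:])


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Constructed test packet; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload


@dataclass
class Verdict:
    action: str                  # "bypass", "drop" or "forward"
    level: str = "analysis"      # protection level the flow is directed to
    matched: list = field(default_factory=list)


@dataclass
class FilterSet:
    bypass: list = field(default_factory=list)        # source networks the Guard ignores
    flex_content: list = field(default_factory=list)  # (name, predicate, "count"|"drop")
    user: dict = field(default_factory=dict)          # dport -> protection level
    dynamic: dict = field(default_factory=dict)       # (src, dport) -> level, Guard-created
    counters: dict = field(default_factory=dict)      # flex-content hit counts

    def classify(self, raw: bytes) -> Verdict:
        pkt = parse_ipv4_tcp(raw)
        # 1. Bypass filters: the Guard does not handle this traffic at all.
        if any(ipaddress.IPv4Address(pkt.src) in net for net in self.bypass):
            return Verdict("bypass", matched=["bypass"])
        verdict = Verdict("forward")
        # 2. Flex-content filters: count, or drop, on header fields and payload bytes.
        for name, predicate, action in self.flex_content:
            if predicate(pkt):
                verdict.matched.append(name)
                self.counters[name] = self.counters.get(name, 0) + 1
                if action == "drop":
                    verdict.action = "drop"
                    return verdict
        # 3. User filters, then 4. dynamic filters: the stronger level wins (assumed rule).
        level = self.user.get(pkt.dport, "analysis")
        dyn = self.dynamic.get((pkt.src, pkt.dport))
        if dyn and LEVELS.index(dyn) > LEVELS.index(level):
            level = dyn
        verdict.level = level
        return verdict


def demo():
    """Constructed filters and packets for a zone host at 198.51.100.10."""
    zone = "198.51.100.10"
    filters = FilterSet(
        bypass=[ipaddress.ip_network("192.0.2.0/24")],          # assumed monitoring network
        flex_content=[
            ("count-syn", lambda p: p.flags & SYN and not p.flags & ACK, "count"),
            ("drop-badbot", lambda p: p.dport == 80 and b"User-Agent: badbot" in p.payload, "drop"),
        ],
        user={53: "basic"},                                      # DNS always gets basic
        dynamic={("203.0.113.7", 80): "strong"},                 # as if created during an attack
    )
    packets = {
        "monitor": build_ipv4_tcp("192.0.2.5", zone, 40000, 80, SYN),
        "syn": build_ipv4_tcp("203.0.113.9", zone, 40001, 80, SYN),
        "badbot": build_ipv4_tcp("203.0.113.9", zone, 40002, 80, ACK,
                                 b"GET / HTTP/1.1\r\nUser-Agent: badbot\r\n\r\n"),
        "dns": build_ipv4_tcp("203.0.113.9", zone, 40003, 53, ACK),
        "attacker": build_ipv4_tcp("203.0.113.7", zone, 40004, 80, ACK),
    }
    return {name: filters.classify(raw) for name, raw in packets.items()}, filters.counters
```

Running `demo()` shows the monitoring host bypassed untouched, the bare SYN counted and forwarded at the analysis level, the request carrying the matched payload bytes dropped by the flex-content filter before any level is chosen, DNS sent to basic protection by the user filter, and the source covered by a dynamic filter sent to strong protection.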
Understanding the Protection Cycle
The Guard protection cycle applies the zone filters, the zone policies, and the Guard protection levels to the traffic flow to clean the zone traffic and inject legitimate traffic only to the zone. Figure 1-2 illustrates the Guard protection cycle.
Figure 1-2 Guard Protection Cycle
Once zone protection is activated, the zone policies monitor the zone traffic flow. A policy takes action against a particular traffic flow when the flow exceeds the policy threshold. The actions range from issuing a notification to creating new filters (dynamic filters) that direct the diverted traffic to the relevant protection levels. The Guard uses several authentication methods to verify the traffic, drops the traffic that exceeds the defined rate that the zone can handle, and then injects the legitimate traffic back into the zone.
The Guard runs a closed-loop feedback cycle that adjusts its protection measures to the dynamically changing zone traffic characteristics and adopts the protection strategy appropriate to the changing DDoS attack types and traffic flows. The Guard stops zone protection after a predefined period of time in which no dynamic filters were in use, no traffic to the zone was dropped, and no new dynamic filters were added.
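The two learning phases, the threshold-based policies, the protect and learn function, and the stop condition above can be seen working together in a small simulation. The following Python is an added example for this chapter, not the Guard's own code or algorithm: it keys a service by (protocol, port), treats a sample as one interval of per-service packet rates, and uses an assumed headroom factor, dynamic-filter lifetime, default threshold and quiet period in place of the Guard's real policy templates and timers.

```python
"""Illustrative model of learn -> tune -> protect and learn -> automatic stop.

Added example; not the Cisco Guard's code. HEADROOM, DEFAULT_THRESHOLD,
FILTER_TTL and QUIET_PERIOD are assumed values, not Guard defaults.
"""

HEADROOM = 1.5             # threshold = learned peak rate * HEADROOM
DEFAULT_THRESHOLD = 100.0  # pps allowed for a service never seen during learning
FILTER_TTL = 2             # intervals a dynamic filter lives after its last refresh
QUIET_PERIOD = 3           # idle intervals before zone protection is stopped


class ZoneProtection:
    def __init__(self):
        self.thresholds = {}        # service -> pps threshold (the zone policies)
        self.peaks = {}             # service -> highest clean rate observed
        self.learning = True        # threshold tuning currently allowed?
        self.protecting = False
        self.dynamic_filters = {}   # service -> remaining lifetime in intervals
        self.idle_intervals = 0

    def construct_policies(self, clean_samples):
        """Policy construction phase: discover the services the zone uses."""
        for sample in clean_samples:
            for service in sample:
                self.thresholds.setdefault(service, DEFAULT_THRESHOLD)
                self.peaks.setdefault(service, 0.0)

    def tune_thresholds(self, sample):
        """Threshold tuning phase: fit each known service's threshold to its peak."""
        for service, pps in sample.items():
            if service in self.thresholds:
                self.peaks[service] = max(self.peaks[service], pps)
                self.thresholds[service] = self.peaks[service] * HEADROOM

    def start_protection(self):
        self.protecting = True
        self.idle_intervals = 0

    def protect_interval(self, sample):
        """One interval of protect and learn; returns what happened this interval."""
        if not self.protecting:
            return {"dropped": 0.0, "filters": [], "learning": self.learning,
                    "protecting": False}
        dropped, new_filters, refreshed = 0.0, [], set()
        for service, pps in sample.items():
            threshold = self.thresholds.get(service, DEFAULT_THRESHOLD)
            if pps > threshold:
                # Policy exceeded: (re)create a dynamic filter and limit the flow
                # to the rate the zone is known to handle.
                if service not in self.dynamic_filters:
                    new_filters.append(service)
                self.dynamic_filters[service] = FILTER_TTL
                refreshed.add(service)
                dropped += pps - threshold
        # Age out dynamic filters that were not refreshed this interval.
        for service in list(self.dynamic_filters):
            if service not in refreshed:
                self.dynamic_filters[service] -= 1
                if self.dynamic_filters[service] <= 0:
                    del self.dynamic_filters[service]
        # Protect and learn: thresholds are never tuned while an attack is handled.
        self.learning = not self.dynamic_filters
        if self.learning:
            self.tune_thresholds(sample)
        # Stop condition: a full quiet period with no active filters, no drops,
        # and no new filters.
        if not self.dynamic_filters and dropped == 0 and not new_filters:
            self.idle_intervals += 1
        else:
            self.idle_intervals = 0
        if self.idle_intervals >= QUIET_PERIOD:
            self.protecting = False
        return {"dropped": dropped, "filters": sorted(self.dynamic_filters),
                "learning": self.learning, "protecting": self.protecting}


def run_scenario():
    """Constructed traffic: two clean learning intervals, one clean protected
    interval, a two-interval flood on the web service, then clean traffic
    until the Guard model stops protection on its own."""
    web, dns = ("tcp", 80), ("udp", 53)
    clean = [{web: 800.0, dns: 120.0}, {web: 1000.0, dns: 150.0}]
    zone = ZoneProtection()
    zone.construct_policies(clean)
    for sample in clean:
        zone.tune_thresholds(sample)
    zone.start_protection()
    trace = [zone.protect_interval({web: 900.0, dns: 130.0}),
             zone.protect_interval({web: 50000.0, dns: 140.0}),
             zone.protect_interval({web: 30000.0, dns: 140.0})]
    while zone.protecting:
        trace.append(zone.protect_interval({web: 950.0, dns: 140.0}))
    return zone, trace
```

In `run_scenario()` the web threshold settles at 1500 pps after tuning; the flood creates a dynamic filter, suspends learning and drops the excess; the filter then ages out over clean intervals, learning resumes, and after three idle intervals protection stops, matching the cycle described above.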