-
Cisco Guard Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Initializing the Guard
-
Configuring the Guard
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Protecting Zones
-
Using Interactive Protect Mode
-
Understanding Attack Reports
-
Using Guard Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Mitigation
-
Understanding Zone Traffic Diversion
-
Troubleshooting Diversion
-
Table Of Contents
Configuring Flex-Content Filters
Configuring the tcpdump-expression Syntax
Configuring the pattern-expression Syntax
Displaying Flex-Content Filters
Changing the State of a Flex-Content Filter
Preventing Production of Dynamic Filters
Configuring Zone Filters
This chapter describes how to configure the Cisco Guard (Guard) filters.
This chapter contains the following sections:
•
Configuring Flex-Content Filters
Overview
Zone filters define how the Guard handles a specific traffic flow. You can configure filters to customize the traffic flow and control the anti-DDoS protection operation.
Zone filters enable the Guard to perform the following functions:
•
•
•
•
The Guard has the following types of filters:
•
See the "Configuring User Filters" section for more information.
•
You can direct trusted traffic away from the Guard protection features, prevent the Guard from analyzing it, and forward it directly to the zone.
See the "Configuring Bypass Filters" section for more information.
•
See the "Configuring Flex-Content Filters" section for more information.
•
See the "Configuring Dynamic Filters" section for more information.
Figure 6-1 displays the Guard filter system.
Figure 6-1 Guard FIlter System
When zone protection is enabled, either by a user action or by a remote network-sensing DDoS element, such as the Cisco Traffic Anomaly Detector (Detector), the Guard analyzes zone traffic.
The Guard monitors the rate of the traffic that flows to the zone. It drops traffic that exceeds the defined rate and forwards the legitimate traffic to the zone. The Guard performs statistical analysis of zone traffic and leads a closed-loop feedback cycle to adjust the protection measures to the dynamically changing zone traffic characteristics and the changing DDoS attack types.
To perform statistical analysis of traffic flow, the Guard has definitions that handle specific types of traffic, which are called zone policies. The zone policies constantly measure traffic flows and take action against a particular traffic flow if they identify that flow as malicious or abnormal, which occurs when the flow exceeds the policy threshold.
When the Guard identifies anomalies traffic, it performs the following:
1.
2.
Dynamic filters have a limited life span and are deleted when the attack ends. By default, the Guard protects the zone until you deactivate zone protection.
Configuring Flex-Content Filters
Flex-content filters filter zone traffic based on fields in the packet header or patterns in the packet payload. You can identify attacks that are based on patterns that appear in the incoming traffic. These patterns can identify known worms or flood attacks that have a constant pattern.
Note
Use the flex-content filters to drop or count a desired packet flow and to identify a specific malicious source of traffic.
The flex-content filter applies the filtering criteria in the following order:
1.
2.
3.
This section contains the following topics:
•
•
•
Adding a Flex-Content Filter
Flex-content filters are activated in ascending order of the row numbers. When you add a new flex-content filter, make sure that you place it in the correct location in the list.
The Guard stops activating the flex-content filters when traffic matches a flex-content filter with a drop action.
To configure a flex-content filter, perform the following steps:
Step 1
See the "Displaying Flex-Content Filters" section for more information.
Step 2
flex-content-filter renumber [start [step]]Table 6-1 provides the arguments for the flex-content-filter renumber command.
Step 3
See the "Generating Attack Signatures from Packet-Dump Capture Files" section on page 12-30 for more information.
Step 4
flex-content-filter row-num {disabled | enabled} {drop | count} protocol port [start start-offset [end end-offset]] [ignore-case] expression tcpdump-expression pattern pattern-expressionTable 6-2 provides the arguments and keywords for the flex-content-filter command.
Table 6-2 Arguments and Keywords for the flex-content-filter
CommandUnique number from 1 to 9999 that identifies the filter and defines the priority among the flex-content filters. The Guard operates the filters in ascending row-number order.
disabled
Sets the filter state to disabled. The filter does not monitor traffic.
enabled
Sets the filter state to enabled. The Guard monitors traffic and performs the action (drop or count) on the flow that matches the filter.
This is the default state.
Drops the flow that matches the filter.
Counts the flow that matches the filter.
Traffic from a specific protocol. Use an asterisk (*) to indicate any protocol. Enter an integer from 0 to 255.
Review possible protocol numbers at the Internet Assigned Numbers Authority (IANA) website:
Traffic destined to a specific destination port. Enter an integer from 0 to 65535. To define a specific port number, you must define a specific protocol number.
Use an asterisk (*) to indicate any destination port. You can use an asterisk if you configure the protocol number to 6 (TCP) or 17 (UDP).
Review possible port numbers at the Internet Assigned Numbers Authority (IANA) website:
Offset, in bytes, from the beginning of the packet payload, where the pattern matching for the pattern-expression argument begins. The default is 0, which is the start of the payload. Enter an integer from 0 to 1800.
If you copy the pattern from the show packet-dump signatures command output, copy this argument from the Start Offset field in the command output.
end-offset
Offset, in bytes, from the beginning of the packet payload, where the pattern matching for the pattern-expression argument ends. The default is the packet length, which is the end of the payload. Enter an integer from 0 to 1800.
If you copy the pattern from the show packet-dump signatures command output, copy this argument from the End Offset field in the command output.
ignore-case
Defines the pattern-expression argument as case insensitive.
By default, the pattern-expression argument is case sensitive.
tcpdump-
expressionExpression that is matched with the packet. The expression is in Berkley Packet filter format. See the "Configuring the tcpdump-expression Syntax" section for more information and configuration examples.
If you use spaces in the expression, enclose the expression in quotation marks (" ").
To enter an empty expression, use double quotation marks ("").
To use a quotation mark in the expression, use the backslash escape character before the quotation mark (\").
Note
pattern-
expressionRegular expression data pattern that is to be matched with the packet payload. See the "Configuring the pattern-expression Syntax" section for more information.
You can activate the Guard to generate the signature by using the show packet-dump signatures command. See the "Generating Attack Signatures from Packet-Dump Capture Files" section on page 12-30.
If you use spaces in the expression, enclose the expression in quotation marks (" ").
To enter an empty expression, use double quotation marks (" ").
To use a quotation mark in the expression, use the backslash escape character before the quotation mark (\").
Note
You can change the filter state at any time. See the "Changing the State of a Flex-Content Filter" section for more information.
You can change the filter action at any time. See the "Deleting Flex-Content Filters" section for more information.
The following example shows how to configure the flex-content filter:
user@GUARD-conf-zone-scannet# flex-content-filter enabled count * * expression "ip[6:2] & 0x1fff=0" pattern "/ HTTP/1\.1\ x0D\0AAccept: .*/.*\x0D\x0AAccept-Language: en*\x0D\x0AAccept-Encoding: gzip, deflate\x0D\x0AUser-Agent: Mozilla/4\.0"This section contains the following topics:
•
•
Configuring the tcpdump-expression Syntax
The tcpdump-expression is in the Berkley Packet filter format and specifies the expression to be matched with the packet.
Note
The expression contains one or more elements. Elements usually consist of an ID (name or number) preceded by one or more qualifiers.
There are three types of qualifiers:
•
•
•
Table 6-3 describes the tcpdump-expression elements.
Table 6-3 tcpdump-expression Elements
dst host host_ip_address
Traffic to a destination host IP address.
src host host_ip_address
Traffic from a source host IP address.
host host_ip_ address
Traffic to and from both source and destination host IP addresses.
net net mask mask
Traffic to a specific network.
net net/len
Traffic to a specific subnet.
dst port destination_port_number
TCP or UDP traffic to a destination port number.
src port source_port_number
TCP or UDP traffic from a source port number.
port port_number
TCP or UDP traffic to and from both source and destination port numbers.
less packet_length
greater packet_length
Packets with a length equal to or greater than the specific length in bytes.
ip proto protocol
Packets with a protocol number of the following protocols: ICMP, UDP, and TCP.
ip broadcast
Broadcast IP packets.
ip multicast
Multicast packets.
ether proto protocol
Ether protocol packets of a specific protocol number or name such as IP, ARP, or RARP. The protocol names are also keywords. If you enter the protocol name you must use a backslash (\) as an escape character before the name.
expr relop expr
Traffic that complies with the specific expression. Table 6-4 describes the tcpdump-expression rules.
Table 6-4 describes the tcpdump-expression rules.
You can combine expression elements using the following methods:
•
Note
•
•
•
Negation has the highest precedence. Alternation and concatenation have equal precedence and are associated from left to right. Explicit and tokens, not juxtaposition, are required for concatenation. If you specify an identifier without a keyword, the most recent keyword is used.
For a detailed explanation of the Berkley Packet filter configuration options, go to this location:
http://www.freesoft.org/CIE/Topics/56.htm.
The following example shows how to count unfragmented datagrams and fragmented zeros of fragmented datagrams only. This filter is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always indicates the first byte of the TCP header, and never indicates the first byte of an intervening fragment as shown in this example:
user@GUARD-conf-zone-scannet# flex-content-filter enabled count * * expression ip[6:2]&0x1fff=0 pattern ""The following example shows how to drop all TCP RST packets:
user@GUARD-conf-zone-scannet# flex-content-filter enabled drop * * expression tcp[13]&4!=0 pattern ""The following example shows how to count all ICMP packets that are not echo requests/echo replies (ping):
user@GUARD-conf-zone-scannet# flex-content-filter enabled count * * expression "icmp [0]!=8 and icmp[0] != 0" pattern ""The following example shows how to count all TCP packets that are destined to port 80 and that did not originate from port 1000:
user@GUARD-conf-zone-scannet# flex-content-filter enabled count * * expression "tcp and dst port 80 and not src port 1000" pattern ""Configuring the pattern-expression Syntax
The pattern-expression is a regular expression that describes a string of characters. The pattern-expression describes a set of strings without actually listing its elements. This expression is made up of normal characters and special characters. Normal characters include all printable ASCII characters that are not considered to be special characters. Special characters are characters that have a special meaning and specify the type of matching that the Guard performs on the pattern-expression. The flex-content filter matches the pattern-expression with the content of the packet (the packet payload). For example, the three strings version 3.1, version 4.0, and version 5.2 are described by the following pattern: version .*\..*
Table 6-5 describes the special characters that you can use.
By default, the pattern-expression is case sensitive. To define the pattern-expression as case insensitive, use the flex-content-filter command with the ignore-case keyword. See the "Adding a Flex-Content Filter" section for more information.
The following example shows how to drop packets with a specific pattern in the packet payload. The pattern in the example was extracted from the Slammer worm. The protocol, port, and tcpdump-expression parameters are nonspecific.
user@GUARD-conf-zone-scannet# flex-content-filter enabled drop * * expression " " pattern \x89\xE5Qh\.dllhel32hkernQhounthickChGetTf\xB9ll Qh32\.dhws2_f\xB9etQhsockf\xB9toQhsend\xBE\x18\x10\xAEBDisplaying Flex-Content Filters
To display the flex-content filters, use the following command in zone configuration mode:
show flex-content-filters
Table 6-6 describes the fields in the show flex-content-filters command output.
Table 6-6 Field Descriptions for the show flex-content-filters
CommandSpecifies the flex-content filter priority.
Specifies the filter state (enabled or disabled).
Specifies the action that the filter performs on the specific traffic type.
Specifies the protocol number of the traffic that the filter processes.
Specifies the destination port of the traffic that the filter processes.
Specifies the offset, in bytes, from the beginning of the packet payload where the pattern matching begins. This offset applies to the pattern field.
Specifies the offset, in bytes, from the beginning of the packet payload where the pattern matching ends. This offset applies to the pattern field.
Specifies whether the pattern-expression that the filter matches is case sensitive or not case sensitive.
yes=case-sensitive no=case-insensitive
Specifies the tcpdump-expression to be matched with the packet in Berkley Packet filter format. See the "Configuring the tcpdump-expression Syntax" section for the information on the tcpdump-expression syntax.
Specifies the regular expression data pattern to be matched with the packet payload. See the "Configuring the pattern-expression Syntax" section for information on the pattern-expression syntax.
Specifies in packets per second the current traffic rate that is measured for this filter.
Deleting Flex-Content Filters
You can delete or disable a flex-content filter to prevent the Guard from filtering packets based on the filter expression. See the "Changing the State of a Flex-Content Filter" section for more information.
To delete a flex-content filter, perform the following steps:
Step 1
This example shows how to display the list of flex-content filters:
user@GUARD-conf-zone-scannet# show flex-content-filtersSee the "Displaying Flex-Content Filters" section for more information.
Step 2
The row-num argument specifies the flex-content filter row number to be deleted. To delete all flex-content filters, enter an asterisk (*) for the row-num argument.
This example shows how to delete a flex-content filter:
user@GUARD-conf-zone-scannet# no flex-content-filters 5
Changing the State of a Flex-Content Filter
You can disable a flex-content filter to prevent the Guard from filtering packets based on the filter expression and to prevent it from filtering specific types of traffic. (The filter will remain in the flex-content filter list.)
You can then set the Guard to filter the specified traffic again, without the need to reconfigure the filter, or you can delete a flex-content filter. See the "Deleting Flex-Content Filters" section for more information.
To change the state of a flex-content filter, perform the following steps:
Step 1
See the "Displaying Flex-Content Filters" section for more information.
Step 2
flex-content-filter row-num {disabled | enabled}The row-num argument specifies the flex-content filter row number.
This example shows how to disable a flex-content filter:
user@GUARD-conf-zone-scannet# flex-content-filters 5 disabledConfiguring Bypass Filters
The bypass filter supports protection policy decisions that should not involve the Guard protection functions, including the anti-spoofing and anti-zombie functions, and forwards the specified traffic directly to the zone.
Note
This section contains the following topics:
Adding a Bypass Filter
To add a bypass filter, use the following command in zone configuration mode:
bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]
Table 6-7 provides the arguments for the bypass-filter command.
Note
Displaying Bypass Filters
To display the bypass filters, use the following command in zone configuration mode:
show bypass-filters
Table 6-8 describes the fields in the show bypass-filters command output.
The source IP address, source address mask, protocol number, and destination port may be nonspecific. An asterisk (*) indicates that the filter acts on all field values or that more than one value was matched for the filter.
Deleting Bypass Filters
To delete a bypass filter, perform the following steps:
Step 1
See the previous section, "Displaying Bypass Filters," for more information.
Step 2
no bypass-filter row-numThe row-num argument specifies the bypass filter row number to be deleted. To delete all bypass filters, enter an asterisk (*).
The following example shows how to delete a bypass filter:
user@GUARD-conf-zone-scannet# no bypass-filter 10Configuring User Filters
User filters apply the required protection level to the specified traffic flows or drop the traffic. They define the first actions that the Guard takes when it identifies abnormal or malicious traffic.
Zone configuration includes a default set of user filters that are configured for on-demand protection that can handle a wide range of attack types. You can modify user filters to customize the Guard protection capabilities and to set rules about how the Guard handles specific traffic flows when it suspects an attack.
The Guard continuously analyzes traffic destined to the zone. When it detects abnormal traffic patterns, it begins producing dynamic filters that define how to handle the attack. The Guard, by default, adds an initial dynamic filter that directs all traffic to the user filters. Until the Guard has had enough time to analyze the attack, the user filters provide the first line of defense against the evolving DDoS attack.
The Guard examines both the user filters and the dynamic filters before deciding how to handle the specific traffic flow. It compares the first user filter that matches the flow with the dynamic filters and chooses the most severe protection measure suggested. It applies the appropriate protection level to the traffic flow to authenticate the traffic. The dynamic filters and the user filters can take actions in these descending severity levels: drop, strong, basic, and permit. Dynamic filters with actions of redirect/zombie and block-unauthenticated are applied even if a user filter to handle the same type of traffic exists because they affect the Guard authentication mechanisms and do not directly affect the traffic flow.
User filters are activated in ascending row-number order. When you add a new user filter, it is important that you place it in the correct location in the list.
Table 6-9 describes the actions that a user filter can take.
Table 6-9 User Filter Actions
basic/default
Authenticates non-TCP traffic flows.
basic/dns-proxy
Authenticates TCP DNS traffic flows.
basic/redirect
Authenticates applications over HTTP.
basic/reset
Authenticates applications over TCP. We recommend that you use an action of basic/redirect for HTTP traffic flows.
basic/safe-reset
Authenticates TCP application traffic flows that are not tolerant of TCP connection reset. We recommend that you use an action of basic/redirect for HTTP traffic flows.
basic/sip
Authenticates VoIP1 applications that use SIP2 over UDP to establish the VoIP sessions and RTP/RTCP3 to transmit voice data between the SIP end points after sessions are established.
drop
Drops traffic flows.
permit
Prevents statistical analysis of the flow and to prevent the anti-spoofing or anti-zombie protection functions from handling this flow. We recommend that you set a rate and burst limit to this filter because it is not handled by other protection mechanisms.
strong
Enables strong authentication for a traffic flow. Use this filter when strong authentication is required or when the previous filters do not seem suitable for the application. Authentication is performed for every connection.
For TCP incoming connections, the Guard serves as a proxy. Do not use the strong authentication action for connections if you use ACLs4 , access policies, or load-balancing policies that are based on the incoming IP address in the network.
1 VoIP = Voice over IP
2 SIP = Session Initiation Protocol
3 RTP/RTCP = Real-Time Transport Protocol/Real-Time Control Protocol
4 ACL = Access Control List
This section includes the following topics:
Adding User Filters
To add a user filter, perform the following steps:
Step 1
Step 2
user-filter renumber [start [step]]Table 6-1 provides the arguments for the user-filter renumber command.
Step 3
user-filter row-num filter-action src-ip [ip-mask] protocol dest-port [fragments-type] [rate-limit rate burst units]Table 6-11 provides the arguments for the user-filter command.
Table 6-11 Arguments for the user-filter Command
Unique number from 1 to 1000 that identifies the filter and defines priority among the user filters. The Guard operates the filters according to ascending row-number order.
Action the filter performs on the specific traffic type. See Table 6-9 for more information.
Traffic from a specific IP address. Use an asterisk (*) to indicate any IP address.
(Optional) Traffic from a specific subnet. The subnet mask can contain only Class C values. The default subnet is 255.255.255.255.
Traffic from a specific protocol. Use an asterisk (*) to indicate any protocol.
Review possible protocol numbers at the Internet Assigned Numbers Authority (IANA) website:
Traffic to a specific destination port. Use an asterisk (*) to indicate any destination port.
Review possible port numbers at the Internet Assigned Numbers Authority (IANA) website:
(Optional) Type of traffic. The type can be one of the following:
•
•
•
The default is no-fragments.
Integer greater than 64 that specifies the rate limitation. The user filter limits the traffic to this rate. The units are specified by the units parameter. The default is not to limit the filter traffic rate. The rate limit can be up to 10 times greater than the burst limit.
Integer greater than 64 that specifies the traffic burst limit. The units are bits, kilobits, kilopackets, megabits, and packets that correspond to the units that are specified by the units parameter. The burst limit can be up to eight times greater than the rate limit.
Rate limit units. The units can be one of the following:
•
•
•
•
•
The following example shows how to renumber the user filters starting from 10 in steps of 5. This example also shows how to add a user filter in row 12 that is aimed at traffic that is received from all source IP addresses of protocol 6 (TCP) and flows to destination port 25 (SMTP). The user filter limits the traffic flow rate to 600 pps and the burst size to 400 packets.
user@GUARD-conf-zone-scannet# user-filter renumber 10 5user@GUARD-conf-zone-scannet# user-filter 12 permit * 6 25 rate-limit 600 400 ppsDisplaying User Filters
User filters are part of the zone configuration. To display user filters, use the show command or the show running-config command in zone configuration mode.
Tip
Table 6-12 describes the user filter fields in the show command output
Table 6-12 Field Descriptions for User Filter Fields in the show
CommandUser filter priority.
Source IP address of the traffic that the filter processes.
Source address mask of the traffic that the filter processes.
Protocol number of the traffic that the filter processes.
Destination port of the traffic that the filter processes.
Type of traffic the filter processes. The type can be one of the following:
•
•
•
Current traffic rate in pps that is measured for this filter.
Action that the filter performs on the specific traffic type. See Table 6-9 for more information.
Limit on the traffic rate the user filter can handle. The rate is displayed in the units specified by the Units field.
Traffic burst limit that the filter allows for the specific flow. The units are bits, kilobits, kilopackets, megabits, and packets, and correspond to the units specified in the Units field.
Units by which the rate and the burst rate are displayed.
The source IP address, source address mask, protocol number, and destination port may be nonspecific. An asterisk (*) indicates that the filter acts on all field values or that more than one value was matched for the filter.
Deleting User Filters
To delete a user filter, perform the following steps:
Caution
Step 1
Step 2
no user-filter row-numThe row-num argument specifies the user filter row number. Enter an asterisk (*) to delete all user filters.
The following example shows how to delete all user filters:
user@GUARD-conf-zone-scannet# no user-filter *Configuring Dynamic Filters
Dynamic filters apply the required protection level to traffic flow and define how to handle the attack. The Guard creates dynamic filters when it identifies an anomaly in the zone traffic, which occurs when the flow exceeds the zone policy thresholds, and continuously adapts this set of filters to zone traffic and the type of DDoS attack. The dynamic filters have a limited life span and are deleted when the attack ends. The Guard supports a maximum of 150,000 dynamic filters that are active concurrently in all zones.
The Guard, by default, creates an initial dynamic filter that directs all traffic to the user filters. Until the Guard has had enough time to analyze the attack, the user filters provide the first line of defense against the evolving DDoS attack.
The Guard examines both the user filters and the dynamic filters before deciding how to handle the specific traffic flow. It compares the first user filter that matches the flow with the dynamic filters and chooses the most severe protection measure suggested. It applies the appropriate protection level to the traffic flow to authenticate the traffic. The dynamic filters and the user filters can take actions in these descending severity levels: drop, strong, basic, and permit. Dynamic filters with actions of redirect/zombie and block-unauthenticated are applied even if a user filter to handle the same type of traffic exists because they affect the Guard authentication functions and do not directly affect the traffic flow.
You can add dynamic filters only when zone protection is enabled.
Table 6-13 describes the different actions dynamic filters can take.
Dynamic filters are configured to remain active for a specific amount of time. Depending on how the filter was created, the dynamic filter timeout parameter is configured in one of the following ways:
•
•
When the dynamic filter timeout expires, the Guard determines whether or not the dynamic filter should be deactivated based on current traffic conditions. If the Guard determines that the dynamic filter should not be deactivated, the filter remains active for another time span. See the "Deactivating Dynamic Filters" section for more information about deactivating dynamic filters.
This section includes the following topics:
•
Displaying Dynamic Filters
You can display the dynamic filters that the Guard created. This command provides the following options:
•
•
•
To display the pending dynamic filters, use the show recommendations command. See Chapter 10, "Using Interactive Protect Mode," for more information on pending dynamic filters.
Table 6-14 provides the arguments and keywords for the show dynamic-filters command.
Table 6-14 Arguments and Keywords for the show dynamic-filters Command
ID1 of the specific dynamic filter to display. This integer is assigned by the Guard. To identify the filter ID, display the complete list of dynamic filters.
Displays dynamic filters in detail. The details consist of additional information on the attack flow, the triggering rate, and the policy that produced it.
Displays dynamic filters by their action, ranging from the most severe (drop) to the least severe (notify).
Displays dynamic filters by their expiration time in ascending order.
Displays dynamic filters by ascending ID number.
Displays dynamic filters by the triggering rate, measured in pps, in ascending order.
1 ID = Identification Number
Note
The following example shows how to display a dynamic filter in detail:
user@GUARD-conf-zone-scannet# show dynamic-filters 876 detailsTable 6-15 describes the fields in the show dynamic-filters command output.
Table 6-15 Field Descriptions for show dynamic-filters
Command OutputSpecifies the filter identification number.
Specifies the action that the filter performs on the traffic flow. See Table 6-13 for more information.
Specifies the amount of time that the filter is active. After the time expires, the filter may be deleted according to the thresholds that you defined by using the filter-termination command.
Specifies the source IP address of the traffic that the filter processes.
Specifies the source address mask of the traffic that the filter processes.
Specifies the protocol number of the traffic that the filter processes.
Specifies the destination port of the traffic that the filter processes.
Specifies whether or not the filter processes fragmented traffic:
•
•
•
Specifies in pps, the current traffic rate that is measured for this filter.
The source IP address, source address mask, protocol number, and destination port may be nonspecific. An asterisk (*) indicates that the filter acts on all field values or that more than one value was matched for the filter.
Table 6-16 describes the additional fields in the show dynamic-filters details command output.
Table 6-16 Field Descriptions for show dynamic-filters details Command
Specifies the mitigated attack flow characteristics. The mitigated attack flow, displayed in the dynamic Filters table, might have a wider range than the attack flow. For example, a nonspoofed attack on port 80 blocks all TCP traffic from the originating source IP address, not from port 80 only. The attack flow contains the Source IP, Source Mask, Proto, DPort, and Frg fields that are described in table Table 6-15.
Specifies the rate of the attack flow that exceeded a policy threshold.
Specifies the policy threshold that was exceeded by the attack flow.
Specifies the policy that produced the dynamic filter. See Chapter 7, "Configuring Policy Templates and Policies," for more information.
Adding Dynamic Filters
During an attack on the zone, you can add a dynamic filter to manipulate zone protection.
To add a dynamic filter, use the following command in zone configuration mode:
dynamic-filter action {exp-time | forever} src-ip [ip-mask] protocol dest-port [fragments-type]
You can use multiple dynamic-filter commands to add multiple dynamic filters.
Table 6-17 provides the arguments for the dynamic-filter command.
Table 6-17 Arguments and Keywords for the dynamic-filter Command
Action that the filter performs on a specific traffic flow. See Table 6-13 for more information.
Integer from 1 to 3,000,000 that specifies the time (in seconds) for the filter to be active.
Activates the filter for an unlimited time. The filter is deleted when protection ends.
Traffic from a specific source IP address. Enter the IP address in dotted-decimal notation (for example, enter an IP address of 192.168.100.1). Use an asterisk (*) to indicate any IP address.
(Optional) Traffic from a specific subnet. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0). The subnet mask can contain only Class C values. The default subnet is 255.255.255.255.
Traffic from a specific protocol. Use an asterisk (*) to specify any protocol.
Review possible protocol numbers at the Internet Assigned Numbers Authority (IANA) website:
Traffic that destined to a specific destination port. Use an asterisk (*) to specify any destination port.
Review possible port numbers at the Internet Assigned Numbers Authority (IANA) website:
(Optional) Traffic type that the filter acts on. There are three fragmented types:
•
•
•
The default is no-fragments.
The following example shows how to add a dynamic filter that directs the traffic to the user filters with an expiration time of 600 seconds:
admin@GUARD-conf-zone-scannet# dynamic-filter to-user-filters 600 192.128.30.45 255.255.255.252 6 88 no-fragmentsDeleting Dynamic Filters
When you delete dynamic filters, the deletion is effective for a limited period of time because the Guard continues to configure new dynamic filters when zone protection is enabled. See the "Preventing Production of Dynamic Filters" section for information on how to prevent the Guard from producing a dynamic filter.
To delete a dynamic filter, perform the following steps:
Step 1
See the previous section, "Displaying Dynamic Filters," for more information.
Step 2
no dynamic-filter dynamic-filter-idThe dynamic-filter-id argument specifies the dynamic filter ID. To delete all zone dynamic filters, use an asterisk (*).
The following example shows how to delete a dynamic filter:
user@GUARD-conf-zone-scannet# no dynamic-filter 876Preventing Production of Dynamic Filters
To prevent unwanted dynamic filters from being produced, perform one of the following actions:
•
•
•
Deactivating Dynamic Filters
When the dynamic filter timeout expires, the Guard determines whether or not the dynamic filter should be deactivated based on current traffic conditions. If the Guard determines that the dynamic filter should not be deactivated, the filter remains active for another time span.
Dynamic filters are deactivated if one of the following conditions applies:
•
•
–
–
Note
To configure the zone malicious traffic threshold, use the following command in zone configuration mode:
filter-termination zone-malicious-rate threshold
The threshold argument specifies the zone malicious traffic threshold for a zone in pps units. This traffic consists of the sum of the spoofed and the dropped traffic. The default value is 50 pps.
To configure the dynamic filter-rate termination threshold, use the following command in zone configuration mode:
filter-termination filter-rate threshold
The threshold argument specifies the dynamic filter traffic threshold in pps units. The default value is 2 pps.
The following example shows how to configure the dynamic filter termination rates:
user@GUARD-conf-zone-scannet# filter-termination zone-malicious-rate 200user@GUARD-conf-zone-scannet# filter-termination filter-rate 50
