Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.0)
Activating Anomaly Detection and Zone Protection

Table Of Contents

Activating Anomaly Detection and Zone Protection

Anomaly Detection and Zone Protection Options

Guard Activation Options

Ondemand Protection by Guard Devices

Automatic and Interactive Zone Operation Modes

Learn Traffic with Detect or Protect Activated

Understanding Subzones Created by the Guard

Managing Anomaly Detection and Zone Protection

Activating Anomaly Detection (Detect) or Zone Protection (Protect)

Activating Ondemand Protection on a Guard

Protecting an IP Address When the Zone Name is Not Known

Verifying Activation of the Detect or Protect Operations

Deactivating Detect or Protect

Managing a Dynamic Filter

Displaying a List of Dynamic Filters

Displaying the Details of a Dynamic Filter

Adding a Dynamic Filter to Direct the Guard

Deleting a Dynamic Filter

Preventing the Creation of Unwanted Dynamic Filters

Managing Device Recommendations for Dynamic Filters

Displaying Device Recommendations

Acting on the Device Recommendations

Displaying the Pending Dynamic Filters of a Recommendation

Displaying Pending Dynamic Filter Details

Accepting a Pending Dynamic Filter

Changing Zone Operation Modes

Changing the Zone Operation Mode to Automatic

Changing the Zone Operation Mode to Interactive

Taking Action When the Number of Pending Dynamic Filters Exceeds 1000


Activating Anomaly Detection and Zone Protection


This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to activate the following device operations used to identify and mitigate attack traffic:

Detect—Activates anomaly detection on all of the Detectors that you have associated with the zone. Each Detector begins analyzing a copy of the zone traffic to look for traffic anomalies that indicate an attack on the zone. If an anomaly is detected, the Detector issues a syslog alert message and SNMP trap (if enabled) or activates a Guard.

Protect—Activates anomaly detection and zone protection (attack mitigation) on all of the Guards that you have associated with the zone. Each Guard diverts zone traffic to itself and begins analyzing the zone traffic by looking for traffic anomalies that would indicate an attack. If an anomaly is detected, the Guard begins mitigating the attack by dropping malicious traffic and injecting legitimate traffic back into the network.


Note This chapter refers to the Detector operation as anomaly detection and the Guard operation as zone protection.


In both operations, the Detector and Guard devices apply the zone configuration policies to the zone traffic. The policies allow each device to detect anomalies in normal zone traffic, which is traffic that does not exceed the limits established by the thresholds of each policy. A traffic anomaly is traffic that exceeds the threshold limit of one or more policies and causes the device to respond according to the actions of the policies.


Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.


This chapter contains the following sections:

Anomaly Detection and Zone Protection Options

Understanding Subzones Created by the Guard

Managing Anomaly Detection and Zone Protection

Managing a Dynamic Filter

Changing Zone Operation Modes

Anomaly Detection and Zone Protection Options

The MDM provides you with several options for activating anomaly detection or zone protection. For example, you can allow the device to manage all aspects of the anomaly detection or zone protection operation or you can monitor and direct the device during an attack.

This section contains the following topics:

Guard Activation Options

Ondemand Protection by Guard Devices

Automatic and Interactive Zone Operation Modes

Learn Traffic with Detect or Protect Activated

Guard Activation Options

Depending on how you configure the zone, the Guard performs zone protection based on the zone name or the information that it extracts from the traffic that you divert to it. The following Guard activation methods are possible:

Zone name—The Guard performs zone protection based on the zone name.

IP address—The Guard performs zone protection when it receives an external indication that consists of an IP address or subnet that is part of the zone.

Packet—The Guard performs zone protection when it receives packets for a zone that is in its database.

IP address or packet—The Guard performs zone protection when it receives traffic (packet) that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone address range.

For more information on configuring the protection activation methods, see the "Modifying the Zone General Configuration Attributes" section on page 5-9.

Ondemand Protection by Guard Devices

Ondemand protection uses the default policies and policy thresholds of a zone template to provide immediate zone protection by the Guard devices. Use ondemand protection when you know the zone is under attack but the policies and policy thresholds of the zone configuration are not adjusted (manually or using the learning process) to the characteristics of the zone traffic.

The default thresholds of the zone template policies are set to values that enable the Guard antispoofing features to activate quickly when the Guard identifies a traffic anomaly using the default policy thresholds. Because the Guard never learns the zone traffic when using ondemand protection, the Guard does not know the zone traffic patterns, which means that the thresholds used to block (drop) traffic from source IP addresses are set to relatively high values. Because the Guard does not know the zone traffic, ondemand protection requires user intervention when mitigating nonspoofed attacks. When you use ondemand protection, you should monitor the zone legitimate and malicious traffic rates and view the Guard mitigation actions.

For information on activating ondemand protection, see the "Ondemand Protection by Guard Devices" section.

Automatic and Interactive Zone Operation Modes

During an attack on the zone, the device operates in one of the following modes of operation:

Automatic operation mode—The device automatically activates the dynamic filters that it creates without any user intervention.

Interactive operation mode—You choose to activate or ignore the dynamic filters that the device recommends. Using the interactive zone operation mode, you decide on zone protection measures as the device continues to analyze the attack and create a queue of suggested dynamic filters.

When you define the zone configuration, you configure the zone operation mode. Using the MDM, you can change the setting of the zone operation mode when the zone is inactive. To change the mode setting when the zone is active and under attack, you must first deactivate the zone, make the mode change, and then reactivate the zone.

For information on setting the zone operation mode, see the "Changing Zone Operation Modes" section.

Learn Traffic with Detect or Protect Activated

The device performs threshold tuning while monitoring the traffic for attacks on the zone if you activate threshold tuning on the device that you configured to learn zone traffic with the Detect (Detector) or Protect (Guard) function.

For information on activating threshold tuning with the Detect or Protect operations, see the "Combining Learning with the Detect and Protect Operations" section on page 9-12.

Understanding Subzones Created by the Guard

The Guard automatically creates a subzone when it activates protection for a partial zone (a zone that does not include the complete IP address range of the source zone). The IP address range of the subzone is included in the address range of the source zone. The subzone configuration is identical to the configuration of the source zone except for the IP address and name.

The name of the subzone consists of the first 30 characters of the name of the source zone, the IP address, and the subnet, concatenated with underscores. If the subzone consists of a single IP address, the subnet is not added. For example, if the name of the source zone is scannet with an address range of 10.10.10.0 and a subnet of 255.255.255.0, and the Guard activates protect mode for an internal range with IP address 10.10.10.192 and subnet 255.255.255.252, the name of the subzone that the MDM displays in the navigation pane is as follows:

scannet_10.10.10.192_255.255.255.252.

The Guard receives the IP address and subnet of the subzone with the external indication or the IP address of the packet that triggered the Guard to activate protect mode.

Once protection for the subzone ends, the Guard erases the subzone. Subzone protection is terminated in the same manner that protection is terminated for a zone that you create (according to the activation method and the protection termination timeout).


Note The MDM does not manage subzones in the same manner that it manages a zone that you create. The MDM simply displays any subzone that a Guard creates and does not check for, or resolve, any zone configuration conflicts.


Managing Anomaly Detection and Zone Protection

The MDM allows you to manually activate and deactivate anomaly detection (Detect) and zone protection (Protect). The Detect and Protect operations depend on the type of devices that you have associated with the zone:

Zone with Detectors only—The MDM displays only the Detect option, which activates anomaly detection on all of the zone Detectors.

Zone with Guards only—The MDM displays only the Protect option, which activates zone protection on all of the zone Guards.

Zone with both Detectors and Guards—The MDM displays the Detect and Protect options. Typically, you activate Detect only and allow the Detectors to activate the zone Guards when they detect a traffic anomaly. You can, however, activate both operations simultaneously.

This section contains the following topics:

Activating Anomaly Detection (Detect) or Zone Protection (Protect)

Activating Ondemand Protection on a Guard

Protecting an IP Address When the Zone Name is Not Known

Verifying Activation of the Detect or Protect Operations

Deactivating Detect or Protect

Activating Anomaly Detection (Detect) or Zone Protection (Protect)

To activate the Detect or Protect operations, follow these steps:


Step 1 Choose a zone from the navigation pane. The zone menu and the zone status screen appear.

Step 2 (Optional) Activate anomaly detection by the zone Detectors by using one of the following methods:

From the zone status screen, click Detect.

From the zone menu, choose Activation > Detect.

The following actions occur:

The Detectors begin analyzing their copy of the traffic flow for anomalies.

The zone status icon changes from Inactive to Under Detection.

Step 3 (Optional) Activate zone protection by the zone Guards by using one of the following methods:

From the zone status screen, click Protect.

From the zone menu, choose Activation > Protect.

The following actions occur:

The Guards divert zone traffic to themselves and begin analyzing the traffic flow for anomalies. The legitimate traffic is injected back into the network by the Guards where it is forwarded to its intended destination. The Guards drop the malicious traffic.

The zone status icon changes from Inactive to Protection.


Activating Ondemand Protection on a Guard

Ondemand protection allows you to protect a zone before the Guard can learn the zone-specific traffic patterns and make the necessary modifications to the zone configuration's default set of policies and policy thresholds. When using ondemand protection, follow these guidelines:

Use the existing zone configuration to protect the zone—If the existing zone configuration has all of the default policies and policy thresholds of the zone template (no modifications have been made), use the zone configuration to provide ondemand protection.

Create a new zone to protect the zone—Create a new zone to handle the attack under the following circumstances:

You have not completed modifications to the zone configuration. If the zone has not completed the learning process when the attack occurs, you should suspend the learning process and create a new zone configuration to handle the attack with the default policies and thresholds.

You have not yet created a zone to protect the area of the network under attack.

To activate ondemand protection, follow these steps:


Step 1 (Optional) Create a new zone to handle the attack (see the "Creating a Zone Using a Zone Template" section on page 5-3).

Step 2 Choose the zone that you know is under attack. The zone menu and the zone status screen appear.

Step 3 Activate zone protection by using one of the following methods:

From the zone status screen, click Protect.

From the zone menu, choose Activation > Protect.

The following actions occur:

The Guard diverts zone traffic to itself and begins analyzing the traffic flow for anomalies. Legitimate traffic is injected back into the network by the Guard where it is forwarded to its intended destination. The Guard drops the malicious traffic.

The zone status icon changes from Inactive to Protection.

Step 4 While analyzing the zone traffic patterns, make any required modifications or decisions involving the dynamic filters that the Guard produces to mitigate the attack.

For information on viewing zone traffic patterns, see the "Displaying the Zone Counters" section on page 11-10.

For information on managing dynamic filters and recommendations, see the "Managing a Dynamic Filter" section and the "Managing Device Recommendations for Dynamic Filters" section.


After using ondemand protection to mitigate an attack that has terminated, you can adjust the policies and policy thresholds of the zone configuration using one of the following methods:

Manually by using the procedures in Chapter 8, "Managing Zone Policies."

Automatically by using the learning process procedures in Chapter 9, "Learning Zone Traffic and Taking Snapshots."

If you created a zone specifically to mitigate an attack and no longer need it, you can delete the zone (see the "Deleting a Zone" section on page 5-18).

Protecting an IP Address When the Zone Name is Not Known

You can activate protection for a specific IP address when you know the address is under attack, but you do not know which zone is responsible for protecting the address. When you initiate zone protection based on an IP address, the MDM distributes the command to all of the Guards. Each Guard that contains this IP in one of its zone configurations creates a subzone for the IP address and activates Protect for the subzone (see the "Understanding Subzones Created by the Guard" section).
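The subzone naming rule from the "Understanding Subzones Created by the Guard" section and the Protect IP fan-out described above, as an added Python example (not MDM or Guard code): each Guard whose zone range contains the indicated address creates a subzone named from the first 30 characters of the zone name, the IP address and the mask. It assumes a single-address subzone is one whose mask is 255.255.255.255; the Guard inventory is constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ZONE_NAME_PREFIX_LEN = 30        # the Guard keeps the first 30 characters of the source zone name
HOST_MASK = "255.255.255.255"    # assumption: a single-address subzone carries this mask


def subzone_name(source_zone_name: str, ip: str, mask: str) -> str:
    """Name = first 30 chars of the source zone name, IP and mask joined with underscores.

    For a single IP address the mask is omitted.
    """
    parts = [source_zone_name[:ZONE_NAME_PREFIX_LEN], ip]
    if mask != HOST_MASK:
        parts.append(mask)
    return "_".join(parts)


def subzone_for_indication(zone_name: str, zone_ip: str, zone_mask: str,
                           ip: str, mask: str) -> Optional[str]:
    """Return the subzone name if the indicated range lies inside the zone, else None.

    A subzone is only created for a partial zone: the indicated range must be
    contained in the source zone's address range.
    """
    zone_net = ipaddress.IPv4Network(f"{zone_ip}/{zone_mask}", strict=False)
    sub_net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if not sub_net.subnet_of(zone_net):
        return None
    return subzone_name(zone_name, ip, mask)


# Constructed inventory type: guard name -> list of (zone name, zone IP, zone mask).
GuardZones = Dict[str, List[Tuple[str, str, str]]]


def protect_ip(guards: GuardZones, ip: str, mask: str) -> List[Tuple[str, str]]:
    """Model Main > Protect IP: the MDM sends the address to every Guard, and each
    Guard that has a zone containing it creates (and protects) a subzone.

    Returns (guard name, subzone name) pairs; Guards without a matching zone are skipped.
    """
    created = []
    for guard, zones in guards.items():
        for zone_name, zone_ip, zone_mask in zones:
            name = subzone_for_indication(zone_name, zone_ip, zone_mask, ip, mask)
            if name is not None:
                created.append((guard, name))
    return created


if __name__ == "__main__":
    # Constructed sample inventory: two Guards, one zone each.
    inventory: GuardZones = {
        "guard-a": [("scannet", "10.10.10.0", "255.255.255.0")],
        "guard-b": [("webfarm", "192.168.5.0", "255.255.255.0")],
    }
    print(protect_ip(inventory, "10.10.10.192", "255.255.255.252"))
```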

To activate protection for a specific IP address, follow these steps:


Step 1 From the navigation pane, click Network Summary. The Network Summary menu appears.

Step 2 From the Network Summary menu, choose Main > Protect IP. The Protect IP screen appears.

Step 3 Enter the IP address that you want to protect as described in Table 10-1.

Table 10-1 Protect IP Screen Parameters 

Parameter
Description

IP address

Specific IP address within a zone address range. Enter the IP address in dotted-decimal notation. For example, enter 192.168.5.6.

IP mask

Subnet mask for which zone protection is activated. Enter the mask in dotted-decimal notation. For example, enter 255.255.255.252.


Step 4 Click OK. The MDM activates protection for the IP address.


Verifying Activation of the Detect or Protect Operations

From the zone status screen, you can display the traffic counter and zone status information to verify that the zone devices are actively monitoring the zone traffic for anomalies.

Click an activated zone from the navigation pane to display the zone status screen. The zone devices provide anomaly detection and zone protection when the following items display in the zone status screen:

The Traffic Rate graph displays a bits per second (bps) traffic rate that is greater than zero. This graph indicates that the zone devices are processing zone traffic.

Master Receive Rate—Rate of the traffic received by the zone master device only. This rate displays only when you define a Detector as the zone master device. When you define the zone with a Guard master device, the Master Receive Rate does not display.

Legitimate Rate—Rate of the legitimate traffic that the Guard injects back into the network.

Malicious Rate—Rate of the attack traffic that the Guard drops.

The Zone Status table lists the following device status information:

Detectors State: under detection (1)

Guards State: under protection (1)

The number in parentheses represents the number of devices associated with the operation.

When the zone is under attack, the Zone Status table displays an Active Dynamic Filter value that is greater than zero to indicate that the devices have detected a zone anomaly and are producing dynamic filters in response to the attack.

For information on viewing the current status of the zone devices, see Chapter 11, "Monitoring Zone and Device Operations."

Deactivating Detect or Protect

To deactivate the Detect or Protect operations, follow these steps:


Step 1 Choose an activated zone from the navigation pane. The zone menu and the zone status screen appear.

Step 2 From the zone status and attack reports screens, verify that the zone is not currently being attacked before deactivating either the Detect or Protect operation. When the attack has stopped, the Active Dynamic Filters field in the Zone Status table displays a value of zero (0).

Step 3 Display the Deactivate screen by using one of the following methods:

From the zone status screen, click Deactivate.

From the zone menu, choose Activation > Deactivate.


Note The Deactivate button and zone menu options will vary depending on whether you have Detect, Protect, or both operations activated.


Step 4 From the Deactivate screen, check the check box of the operation to deactivate. The options available from the Deactivate screen will vary depending on whether you have one or both operations activated at the time.

Stop Protection—Click Stop Protection to deactivate the zone protection operation on all of the zone Guards. The Guards stop traffic diversion.

Stop Detection—Click Stop Detection to deactivate the anomaly detection operation of the zone Detectors.

Step 5 Click OK. The MDM deactivates the selected operations on the zone devices.

The following actions occur:

The Guards (if any) stop diverting zone traffic to themselves.

The zone status icon changes from Under Detection or Protection to Inactive.


Managing a Dynamic Filter

The device creates dynamic filters only after you activate Detect or Protect and the device detects a traffic anomaly. Dynamic filters are available only when the zone is under attack.

Guard dynamic filters are configured with a timeout value. Once the dynamic filter timeout expires, the device determines whether the dynamic filter should be deactivated. If the Guard decides not to deactivate the dynamic filter, the activation timeout of the filter resumes for another time span. The Guard deactivates the dynamic filter when one of the following conditions exists:

The total zone malicious traffic rate, which equals the sum of the spoofed and dropped traffic, is less than, or equal to, the malicious-rate termination threshold.

The dynamic filter does not have an action of to-user-filters (the filter rate counter does not display N/A) and the filter-rate termination threshold is equal to, or greater than, both of the following rates:

The dynamic filter current traffic rate

The dynamic filter average traffic rate during a user-configured time span
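The termination criteria and timeout cycle described above, as an added Python model (not Guard code): when a filter's timeout expires, the Guard either deactivates it because the zone malicious rate (spoofed + dropped) is at or below the malicious-rate threshold, or because the filter-rate threshold covers both the filter's current and averaged rates, or it lets the timeout resume for another span. A to-user-filters filter has an N/A rate counter, so only the first criterion can retire it. The threshold and filter field names are assumptions, and the averaging window is modelled as a number of rate samples.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class TerminationThresholds:
    # Assumed names for the two termination thresholds and the averaging span.
    malicious_rate_pps: float   # malicious-rate termination threshold
    filter_rate_pps: float      # filter-rate termination threshold
    average_window: int         # user-configured time span, here a count of rate samples


@dataclass
class DynamicFilter:
    filter_id: int
    action: str                 # e.g. "filter/drop", "block-unauthenticated-basic", "to-user-filters"
    timeout_sec: int            # activation timeout; resumes for another span if the filter is kept
    expires_at: int             # absolute time (s) at which the current timeout span ends
    rates: Deque[float] = field(default_factory=deque)

    def record_rate(self, rate_pps: float, window: int) -> None:
        """Keep only the last `window` samples so the average covers the configured span."""
        self.rates.append(rate_pps)
        while len(self.rates) > window:
            self.rates.popleft()

    def current_rate(self) -> Optional[float]:
        # The rate counter displays N/A for to-user-filters, so there is nothing to compare.
        if self.action == "to-user-filters" or not self.rates:
            return None
        return self.rates[-1]

    def average_rate(self) -> Optional[float]:
        if self.action == "to-user-filters" or not self.rates:
            return None
        return sum(self.rates) / len(self.rates)


def should_deactivate(f: DynamicFilter, spoofed_pps: float, dropped_pps: float,
                      thr: TerminationThresholds) -> bool:
    """Apply the two termination criteria; True means the Guard retires the filter."""
    # Criterion 1: total zone malicious rate (spoofed + dropped) at or below the threshold.
    if spoofed_pps + dropped_pps <= thr.malicious_rate_pps:
        return True
    # Criterion 2: only for filters whose rate counter is not N/A, and the
    # filter-rate threshold must cover both the current and the averaged rate.
    cur, avg = f.current_rate(), f.average_rate()
    if cur is None or avg is None:
        return False
    return thr.filter_rate_pps >= cur and thr.filter_rate_pps >= avg


def on_tick(f: DynamicFilter, now: int, spoofed_pps: float, dropped_pps: float,
            thr: TerminationThresholds) -> str:
    """Evaluate a filter at time `now`; returns "active", "deactivated" or "extended"."""
    if now < f.expires_at:
        return "active"                      # timeout has not expired yet
    if should_deactivate(f, spoofed_pps, dropped_pps, thr):
        return "deactivated"
    f.expires_at = now + f.timeout_sec       # the timeout resumes for another span
    return "extended"


if __name__ == "__main__":
    # Constructed walk-through: the attack tails off and the filter is retired on the second expiry.
    thr = TerminationThresholds(malicious_rate_pps=100, filter_rate_pps=50, average_window=3)
    drop = DynamicFilter(filter_id=1, action="filter/drop", timeout_sec=60, expires_at=60)
    for r in (500, 400, 30):
        drop.record_rate(r, thr.average_window)
    print(on_tick(drop, 60, spoofed_pps=40, dropped_pps=70, thr=thr))    # extended (average still 310)
    for r in (20, 10):
        drop.record_rate(r, thr.average_window)
    print(on_tick(drop, 120, spoofed_pps=40, dropped_pps=70, thr=thr))   # deactivated
```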

You use the MDM to manually control the actions of the zone devices during an attack by adding or deleting dynamic filters. When the device determines that the attack on the zone is over, it removes all of the dynamic filters in its queue.

This section contains the following topics:

Displaying a List of Dynamic Filters

Displaying the Details of a Dynamic Filter

Adding a Dynamic Filter to Direct the Guard

Deleting a Dynamic Filter

Preventing the Creation of Unwanted Dynamic Filters

Displaying a List of Dynamic Filters

To display a list of dynamic filters, follow these steps:


Step 1 Choose the zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of dynamic filters by using one of the following methods:

From the zone menu, choose Activation > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic Filters screen appears.


The Dynamic Filters table displays the dynamic filters according to the policy that created them and provides information about the ongoing attack. Table 10-2 describes the information displayed in the Dynamic Filters table.

Table 10-2 Field Descriptions for Dynamic Filters Table 

Field
Description

ID

Identification number that the device assigns to the filter.

Device Name

Name that you assigned the device.

Created by

Policy that created the filter. Click the policy name to display the Policy details screen, which displays the policy details from the device that created the dynamic filter (not from the master device). The MDM displays the policy details from the device that created the dynamic filter if you have the zone configured so that all of the devices learn the zone traffic (automatic synchronization is disabled).

Activation

Date and time that the filter was activated.

Expiration

Filter expiration time. Once the filter expires, the device decides whether to deactivate the dynamic filter according to the dynamic filter termination criteria. If the device still requires the dynamic filter, the filter remains active for another time period.

Src IP

Source IP address on which the dynamic filter is applied.

Protocol

Protocol number on which the dynamic filter is applied.

Dst Port

Destination port on which the dynamic filter is applied.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

Action taken by the filter. The following actions apply for the dynamic filters:

notify—(Detector and Guard) Issues a syslog message and SNMP trap (if enabled).

remote-activate—(Detector only) Activates the Guards on the remote Guard list.

to-user-filters—(Guard only) Forwards the traffic to the user filters. If you have modified the default user filters, you must make sure that there is a user filter that can handle these dynamic filters.

filter/strong—(Guard only) Applies strong protection anti-spoofing mechanisms to the specific traffic.

filter/drop—(Guard only) Drops the traffic.

block-unauthenticated-basic—(Guard only) Enhances the basic antispoofing mechanisms so that they drop traffic flows that have not been authenticated.

block-unauthenticated-strong—(Guard only) Enhances the strong antispoofing mechanisms so that they drop traffic flows that have not been authenticated.

block-unauthenticated-dns—(Guard only) Drops traffic flows, flowing to DNS UDP servers (protocol=UDP, port=53), that the DNS antispoofing mechanisms defined as unauthenticated.

redirect/zombie—(Guard only) Enhances authentication for all user filters with an action of basic/redirect.

Rate (pps)

Approximate attack rate in packets per second.

Details

Status of whether additional information can be displayed for this filter. Click i for additional information.


A value of * for any of the parameters indicates one of the following conditions:

The value is undetermined.

More than one value was measured for the filter parameter.

See the "Displaying the Details of a Dynamic Filter" section for information on viewing the details of a specific dynamic filter.

Displaying the Details of a Dynamic Filter

To display detailed information for a specific dynamic filter, follow these steps:


Step 1 Choose the zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of dynamic filters by using one of the following methods:

From the zone menu, choose Activation > Dynamic filters.

From the Zone Status table, click Active dynamic filters.

The Dynamic Filters screen appears.

Step 3 Click i in the Details column. The Dynamic Filter Details screen appears.


The Dynamic Filter Details screen includes three tables that describe the following attack information:

The policy that created the filter.

The attack that was detected by the Detector or mitigated by the Guards. The mitigated flow can have a wider range than the detected attack flow. For example, a nonspoofed attack on port 80 blocks all TCP traffic from the originating source IP and not only port 80.

The trigger that created the filter. Table 10-3 describes the trigger parameters.

Table 10-3 Field Descriptions for the Triggers Table 

Field
Description

Policy Threshold

Policy threshold that the attack traffic exceeded.

Triggering rate

Approximate attack rate that triggered the production of the filter.


Adding a Dynamic Filter to Direct the Guard

During an attack on the zone, you can add a dynamic filter to manipulate zone protection by the Guards.

To add a dynamic filter, follow these steps:


Step 1 Choose a zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of dynamic filters:

From the zone menu, choose Activation > Dynamic filters.

From the Zone Status table, click Active dynamic filters.

The Dynamic Filters screen appears.

Step 3 Click Add. The Add Dynamic Filter Form screen appears. Define the parameters of the dynamic filter as described in Table 10-4.

Table 10-4 Field Descriptions for Dynamic Filters Form 

Field
Description

Source IP

Directs traffic from a specific IP address to the dynamic filter. Leave blank or enter * for any.

Source Subnet

Directs traffic from a specific subnet to the dynamic filter. Choose the subnet from the Source Subnet drop-down list.

Protocol

Directs traffic from a specific protocol to the dynamic filter. The protocol is denoted by its protocol number. Leave blank or enter * for any.

Dst Port

Directs traffic destined for a specific port to the dynamic filter. Leave blank or enter * for any.

Fragments

Denotes a specific traffic type for the filter to operate on. The traffic types are as follows:

without—The dynamic filter acts on nonfragmented traffic.

with—The dynamic filter acts on fragmented traffic.

*—The dynamic filter acts on fragmented and nonfragmented traffic.

Action

Action that the filter performs on the specific traffic type. The filter actions are as follows:

to-user-filters—Forwards the specific traffic to the user-configured user filters.

filter/strong—Applies Strong protection level to the traffic specified.

filter/drop—Drops the traffic.

block-unauthenticated-basic—Drops unauthenticated traffic flows that the Basic protection level has not authenticated.

block-unauthenticated-strong—Drops unauthenticated traffic flows that the Strong protection level has not authenticated.

block-unauthenticated-dns—Drops the unauthenticated traffic flows to DNS servers that have not been authenticated by the DNS antispoofing feature.

redirect/zombie—Adds a filter that enhances authentication for all user filters with an action of redirect.

Timeout (Sec)

Minimum time that the filter is active. The options are as follows:

Check the Forever check box for an infinite amount of time.

Check the Seconds check box and enter the amount of time in seconds.

To be applied to

Guard that is to receive the new dynamic filter. Check the check box next to the desired zone Guards.


Step 4 Click OK. The MDM saves the dynamic filter information to the Guards that you selected. The Guards activate the new dynamic filter.


Deleting a Dynamic Filter

You can delete a dynamic filter to prevent the device from applying the dynamic filter action on the traffic flow. Deleting a dynamic filter is only effective for a limited period of time because the device continues to configure new dynamic filters when there are changes in the attack traffic flow. To prevent the device from producing unwanted dynamic filters, see the "Preventing the Creation of Unwanted Dynamic Filters" section.

To delete a dynamic filter, follow these steps:


Step 1 Choose the zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the dynamic filters by using one of the following methods:

From the zone menu, choose Activation > Dynamic filters.

From the Zone Status table, click Active dynamic filters.

The Dynamic Filters screen appears.

Step 3 Click the check box next to the desired dynamic filter to delete.

Step 4 Click Delete. The MDM removes the dynamic filter from the associated device.


Preventing the Creation of Unwanted Dynamic Filters

If the device is applying dynamic filters to traffic that you want to forward to the zone, you can prevent the device from producing unwanted dynamic filters by making one of the following modifications to the zone configuration:

Deactivate the policy that produces them (see the "Modifying a Policy Parameter" section on page 8-6). To display the list of dynamic filters and find out which policy produced the unwanted filters, see the "Displaying a List of Dynamic Filters" section.

Configure a Bypass filter for the desired traffic flow (see the "Managing a Bypass Filter" section on page 6-11).

Increase the threshold of the policy that produced the undesired dynamic filter (see the "Modifying a Policy Parameter" section on page 8-6).

If you rely on synchronization to disseminate changes to a master device zone configuration, you must deactivate the zone before making any configuration changes. When you complete the required configuration changes, synchronize the zone devices and then reactivate the zone.

If you do not use synchronization to disseminate changes to a master device zone configuration, you must manually modify the zone configuration in each of the zone devices using the device CLI to prevent the creation of unwanted dynamic filters.

Managing Device Recommendations for Dynamic Filters

When you perform zone protection in interactive operation mode, each zone device creates a queue of the dynamic filters that it creates during an attack. The queued dynamic filters are known as pending dynamic filters. A zone device groups the pending dynamic filters according to the policies that produced them and the MDM presents them to you as device recommendations. You can choose to act on a device recommendation (including all of the pending dynamic filters associated with it) or you can act on each pending dynamic filter separately.

This section contains the following topics:

Displaying Device Recommendations

Acting on the Device Recommendations

Displaying the Pending Dynamic Filters of a Recommendation

Displaying Pending Dynamic Filter Details

Accepting a Pending Dynamic Filter

Displaying Device Recommendations

The MDM displays the Dynamic Filter Recommendations icon when new recommendations are available. This icon appears in the following locations:

The navigation pane, next to the zone icon in the Zones list

The zone status screen in the zone status bar

The zone list table

When the zone devices have new recommendations, the number of pending dynamic filters that the Zone Status screen displays is greater than zero.

To display the list of device recommendations, follow these steps:


Step 1 Choose a zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of recommendations by using one of the following methods:

From the zone menu, choose Activation > Recommendations.

From the Zone Status table, click the Pending Dynamic Filters field.

The Recommendations screen appears.


Table 10-5 describes the fields in the Recommendations table, located in the Recommendations screen.

Table 10-5 Field Descriptions for Recommendations Table

Field
Description

ID

Identification number that the device assigned to the recommendation.

Recommendation

Action that the device recommends.

Created By

Policy that created the filter. Click the policy name to display the policy details.

# of PFs

Number of pending dynamic filters associated with the recommendation. Each pending filter was created from a traffic flow that exceeded the policy threshold. Click the number to view the pending dynamic filters associated with the recommendation.

Attack flow

Attack flow information. The following information is provided:

Src IP—Source IP address of the attack stream

Protocol—Protocol number of the attack stream

Dst Port—Destination port of the attack stream

Dst IP—Destination IP address of the attack stream

Thr.

Policy threshold that the attack flow exceeded.

Min.

Minimum attack rate. The rate of the lowest pending dynamic filter is displayed for recommendations that include several pending filters.

Max.

Maximum attack rate. The rate of the highest pending dynamic filter is displayed for recommendations that include several pending filters.

Creation

Date and time that the recommendation was created.


A value of * for any of the parameters indicates one of the following conditions:

The device cannot determine the value.

The device measured more than one value for the filter parameter. To display the different values, display the complete list of pending dynamic filters.

Acting on the Device Recommendations

To view and act on the device recommendations, follow these steps:


Step 1 Choose the zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of recommendations by using one of the following methods:

From the zone main menu, choose Activation > Recommendations.

From the Zone Status table, click the Pending Dynamic Filters field.

The Recommendations screen appears.

Step 3 In the Filters Timeout box, enter the timeout value (in seconds) for the filter.

Step 4 Check the check box next to the desired recommendations.

Step 5 Choose one of the required actions:

accept—Accepts the specific recommendation. The device activates the pending dynamic filters associated with the recommendation.

always-accept—Always accepts the specific recommendation. This selection applies only to recommendations created by the master device. During the current attack period, the device automatically accepts the recommendations of the policy that produced the recommendation. The Guard does not display always-accept recommendations.

always-ignore—Always ignores the specific recommendation. This selection applies only to recommendations created by the master device. During the current attack, the device automatically ignores the recommendations of the policy that produced the recommendation. To prevent a policy from producing recommendations in future attacks, disable or deactivate the policy (see the "Modifying a Policy Parameter" section on page 8-6).

You can change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the pending dynamic filters of the recommendation.


You can selectively accept pending dynamic filters instead of accepting all the dynamic filters associated with a recommendation. See the "Displaying the Pending Dynamic Filters of a Recommendation" section for more information.

Displaying the Pending Dynamic Filters of a Recommendation

To display the pending dynamic filters associated with a device recommendation, follow these steps:


Step 1 Choose the active zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of recommendations by using one of the following methods:

From the zone menu, choose Activation > Recommendations.

From the Zone Status table, click the Pending Dynamic Filters field.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending Dynamic Filters screen appears.


Table 10-6 describes the fields in the Pending Dynamic Filters table, located in the Recommendations screen.

Table 10-6 Field Descriptions for Pending Dynamic Filters Table

Field
Description

Created by

Policy that created the filter. Click the policy name to display the Policy details. See Chapter 8, "Managing Zone Policies," for more information.

Activation

Date and time that the filter was created.

Src IP

Source IP address of the attack stream.

Protocol

Protocol number of the attack stream.

Dst Port

Destination port of the attack stream.

Fragments

Status of whether the attack stream contains fragmented packets.

Action

Action taken by the filter.

Recent rate

Current attack rate measured by the filter.

Rate (pps)

Triggering rate. The approximate attack rate that triggered the production of the dynamic filter.

Details

Status of whether additional information is available for this filter. Click i for additional information.


A value of * for any of the parameters indicates one of the following conditions:

The value is undetermined.

More than one value was measured for the filter parameter.

The Guard activates the dynamic filters produced by the policies for a user-defined time span (filter timeout).

Displaying Pending Dynamic Filter Details

To display the detailed information of a dynamic filter, follow these steps:


Step 1 Select a zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone menu, choose Activation > Recommendations.

From the Zone Status table, click the Pending Dynamic Filters field.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending Dynamic Filters screen appears.

Step 4 Click i in the Details column of the desired pending dynamic filter. The Filter Details screen appears.


The pending dynamic filter details include three tables that provide the following information:

Policy that created the filter.

Attack flow.

Trigger for the filter creation. This table displays the policy threshold that the attack traffic exceeded and the approximate attack rate that triggered the production of the filter.

Accepting a Pending Dynamic Filter

To accept a pending dynamic filter, follow these steps:


Step 1 Choose the zone under attack from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Display the list of recommendations by using one of the following methods:

From the zone menu, choose Activation > Recommendations.

From the Zone Status table, click the Pending Dynamic Filters field.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending Dynamic Filters screen appears.

Step 4 In the Filters Timeout box, enter the dynamic filter timeout value in seconds.

Step 5 Check the check box next to the desired pending dynamic filter or filters to activate.

Step 6 Click Accept. The MDM activates the selected pending dynamic filters.


Changing Zone Operation Modes

The operation mode in which the device operates when managing an attack on the zone determines how the dynamic filters are activated during the attack. You can configure the device to operate in either of the following operation modes:

Automatic operation mode—The device activates all dynamic filters as it creates them.

Interactive operation mode—You are required to act on the dynamic filter recommendations that the device produces during an attack. You can either activate or ignore a device recommendation.


Note The zone must be inactive for the MDM to synchronize changes to the operation mode setting with the other zone devices. You can change the mode setting of only the master device when the zone is active. If the zone is under attack and you want to change the operation mode setting, deactivate the zone, make the change, and then manually synchronize the zone devices. After synchronization is complete, you can reactivate the zone.


This section contains the following topics:

Changing the Zone Operation Mode to Automatic

Changing the Zone Operation Mode to Interactive

Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

Changing the Zone Operation Mode to Automatic

To change the operation mode setting of a zone from interactive to automatic, follow these steps:


Step 1 Select a zone from the navigation pane. The zone menu and the zone status screen appear.

Step 2 From the zone menu, choose Configuration > General. The General Configuration screen appears.

Step 3 Click Config. The Zone Form screen displays.

Step 4 From the Operation Mode drop-down list, choose automatic.

Step 5 Click OK. The MDM updates the zone configuration with the new zone operation mode setting. If zone protection is currently active, the MDM automatically activates all pending and new dynamic filters.

Step 6 (Optional) Synchronize the new information with the other zone devices by using one of the following methods when the zone is inactive:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).


Changing the Zone Operation Mode to Interactive

To change the operation mode setting of a zone from automatic to interactive, follow these steps:


Step 1 Choose a zone from the navigation pane. The zone menu and the zone status screen appear.

Step 2 From the zone menu, choose Configuration > General. The General Configuration screen appears.

Step 3 Click Config. The Zone Form screen displays.

Step 4 From the Operation Mode drop-down list, choose interactive.

Step 5 Click OK. The MDM updates the zone configuration with the new zone operation mode setting. If zone protection is currently active, the MDM produces recommendations when an attack is detected.

Step 6 (Optional) Synchronize the new information with the other zone devices by using one of the following methods when the zone is inactive:

Manually by choosing Activation > Sync from the zone menu.

Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).


Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

When the number of pending dynamic filters exceeds 1000 for a single device, the device begins to discard any new recommendations after recording the recommendation information to the log file. We recommend that you change the zone operation mode to automatic when the number of pending dynamic filters exceeds 1000 filters. When operating in automatic operation mode, the MDM activates all dynamic filters as it creates them.


Note When the number of pending dynamic filters exceeds 1000 filters, you must first deactivate zone protection before making the recommended change to the operation mode. This is the only time that you are required to deactivate zone protection before changing the zone operation mode.
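The queueing and grouping behaviour described in this section and in the Recommendations table (Table 10-5), modelled as an added Python example that is not Cisco MDM or Guard code: pending dynamic filters are grouped by the policy that produced them, attack-flow fields that differ within a group are shown as *, Min. and Max. are the lowest and highest triggering rates in the group, and a device already holding 1000 pending filters logs and discards a new one instead of queueing it. The policy names, flows, rates and the log line are constructed for illustration.

```python
"""Model of how a zone device queues pending dynamic filters and groups them into
recommendations (interactive mode). Added example, not Cisco MDM/Guard code;
column names follow Table 10-5, all other details are constructed."""
from collections import defaultdict
from dataclasses import dataclass
MAX_PENDING = 1000  # per-device limit on pending dynamic filters from the page
FLOW_FIELDS = ("src_ip", "protocol", "dst_port", "dst_ip", "threshold")

@dataclass(frozen=True)
class PendingFilter:
    policy: str     # "Created By": the policy that produced the filter
    src_ip: str
    protocol: int
    dst_port: int
    dst_ip: str
    threshold: int  # policy threshold (pps) that the flow exceeded
    rate: int       # approximate triggering rate (pps)

SAMPLE = [  # constructed sample flows, not captured data
    PendingFilter("tcp_syn", "192.0.2.10", 6, 80, "198.51.100.5", 500, 1200),
    PendingFilter("tcp_syn", "192.0.2.11", 6, 80, "198.51.100.5", 500, 3400),
    PendingFilter("udp_dns", "203.0.113.7", 17, 53, "198.51.100.5", 200, 900),
]

def _collapse(values):
    """A value shared by every filter is shown as-is; differing values become '*'."""
    distinct = set(values)
    return distinct.pop() if len(distinct) == 1 else "*"

def recommendations(pending):
    """Group pending filters by policy into rows shaped like Table 10-5."""
    groups = defaultdict(list)
    for pf in pending:
        groups[pf.policy].append(pf)
    rows = []
    for policy, pfs in groups.items():
        row = {"created_by": policy, "num_pfs": len(pfs),
               "min": min(pf.rate for pf in pfs), "max": max(pf.rate for pf in pfs)}
        for field in FLOW_FIELDS:  # Src IP, Protocol, Dst Port, Dst IP, Thr.
            row[field] = _collapse(getattr(pf, field) for pf in pfs)
        rows.append(row)
    return rows

def enqueue(pending, new, log):
    """Queue a filter; once the cap is reached, log it and discard it instead."""
    if len(pending) >= MAX_PENDING:
        log.append(f"discarded pending dynamic filter: {new}")
        return False
    pending.append(new)
    return True
```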


To change the zone operation mode to automatic when the number of pending dynamic filters exceeds 1000 filters, follow these steps:


Step 1 Choose a zone from the navigation pane. The zone menu and the zone status screen appear.

Step 2 Click Deactivate. The MDM stops zone protection and deletes all pending dynamic filters.

Step 3 From the zone menu, choose Configuration > General. The General Configuration screen appears.

Step 4 Click Config. The Zone Form screen displays.

Step 5 From the Operation Mode drop-down list, choose automatic.

Step 6 Click OK. The MDM updates the zone configuration with the new operation mode setting.

Step 7 Click Protect. The MDM begins zone protection and activates all dynamic filters as it creates them.