Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 6.0)
Detecting Zone Traffic Anomalies

This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) to detect traffic anomalies.

This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.

This chapter contains the following sections:

Understanding Zone Anomaly Detection

Configuring How the Detector Module Performs Zone Anomaly Detection

Configuring Guard-Protection Activation Methods

Activating Zone Anomaly Detection

Deactivating Zone Anomaly Detection

Activating Remote Guards to Protect a Zone

Understanding Zone Anomaly Detection

Zone anomaly detection refers to when the Detector module is actively monitoring a copy of the zone traffic and looking for indications of a DDoS attack on the zone. When a traffic anomaly triggers a policy action by exceeding the policy threshold (indicating an attack), the Detector module performs one of the following tasks:

Activates a Guard that you define on the Detector module remote Guard lists to mitigate the attack.

Sends you a notification.

Before you activate anomaly detection, observe the following requirement and recommendation:

Configure port mirroring on the switch or connect the Detector module to a router using an optical splitter—You must use one of these methods to provide the Detector module with a copy of the zone traffic for analysis.

Perform the learning process—We recommend that you allow the Detector module to create a set of zone-specific policies and policy thresholds based on normal traffic characteristics. To perform the learning process, we recommend that you perform the following steps:

1. Activate the policy construction phase—The Detector module creates a set of policies based on the services that it detects in the zone traffic. See the "Activating the Policy Construction Phase" section on page 8-4 for more information.

2. Activate the detect and learn function—The Detector module performs the threshold tuning phase of the learning process while monitoring the traffic for anomalies using the last accepted policy thresholds. If the Detector module detects an attack on the zone, it stops the threshold tuning phase but continues to look for anomalies in the zone traffic. See the "Enabling the Detect and Learn Function" section on page 8-11 for more information.


Note Activate the detect and learn option only when you are sure that the zone is not under attack.


Synchronize the zone configuration with the Guard—When you associate Guards with the Detector module to provide zone protection, you can synchronize the zone configuration on the Detector module with the zone configuration on a Guard. See the "Synchronizing Zone Configurations with a Guard" section on page 5-8 and the "Activating Remote Guards to Protect a Zone" section for more information.

Define the anomaly detection characteristics—You can configure the following optional anomaly detection characteristics:

Operation mode—Define how the Detector module performs zone anomaly detection: either the Detector module acts on anomalies in the zone traffic automatically, or it works interactively and you decide which actions the Detector module executes. See the "Configuring How the Detector Module Performs Zone Anomaly Detection" section for more information.

Guard-Protection activation methods—Define how the Detector module activates a remote Guard to protect the zone. The Detector module can activate the remote Guard to protect a partial zone that is a part of the entire zone (for example, a specific server that is part of a protected network environment) or activate the remote Guard to protect the entire zone.


Tip You can verify that the Detector module is receiving a copy of the zone traffic by waiting at least 10 seconds after initiating the policy construction phase and entering the show rates command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates that the Detector module is not receiving a copy of the zone traffic. Check the port mirroring configuration on the switch or, if you are using an optical splitter, check the connection between the Detector module and the router.


Configuring How the Detector Module Performs Zone Anomaly Detection

During an attack on a zone, the Detector module creates dynamic filters that determine what actions the Detector module performs during the attack. You can configure the Detector module to execute the action associated with each dynamic filter automatically or wait until you decide whether or not to execute the proposed action. To control the execution of the dynamic filter actions, you configure the Detector module to perform anomaly detection in one of the following modes:

Automatic protect mode—The Detector module activates the dynamic filter actions as soon as the Detector module creates the filter. This operation mode is the default.

Interactive detect mode—The Detector module saves the dynamic filters as recommendations. You review the list of recommendations and decide which recommendations to accept, ignore, or direct to automatic activation.

Use the show command in zone configuration mode to display the current operation mode of the zone.

To enable the interactive detect mode, use the following command in zone configuration mode:

interactive

To disable the interactive detect mode and use the automatic detect mode, use the following command in zone configuration mode:

no interactive

See Chapter 10, "Using Interactive Detect Mode" for information about the following interactive protection operations:

Enabling the interactive protect mode when you create a new zone.

Managing the protection recommendations.

Determining when you must switch to the automatic protect mode.

Configuring Guard-Protection Activation Methods

Guard-protection activation methods define how a remote Guard that you associate with the Detector activates zone protection. The activation methods focus on the zone protection requirements and save Guard module resources.

To activate a Guard-protection activation method, use the following command in zone configuration mode:

protect-ip-state {entire-zone | dst-ip-by-name | dst-ip-by-ip | policy-type}

The Guard-protection activation methods are as follows:

entire-zone—Activates a Guard module to protect the entire zone when the Detector module detects an anomaly in the zone traffic. This method saves Guard module resources because it reduces the number of active zones that the Guard module protects. Use this method when the zone consists of related subzones.

dst-ip-by-name—Activates a Guard module to protect a particular IP address when the Detector module detects an anomaly in the zone traffic that is destined to that IP address. You can activate a Guard module to protect the attacked IP address without diverting the traffic of the entire zone to the Guard module. If the Detector module cannot associate the traffic anomaly with a particular IP address, it does not activate a Guard module to protect the zone. Use this method when the zone consists of unrelated subzones.

dst-ip-by-ip—Activates a Guard module to protect a particular IP address when the Detector module detects an anomaly in the zone traffic that is destined to that IP address. The IP address must be in the address range of one of the zones that is defined on the Guard module. However, the zone name on the Detector module does not have to be identical to the zone name on the Guard module. The dst-ip-by-ip Guard-protection activation method is equivalent to using the protect ip-address command on the Guard module. Use this method when the zone names on the Detector module are not identical to the zone names on the Guard module or when the zone consists of unrelated subzones.


Note To ensure that the Guard module activates zone protection for the attacked IP address only and avoids diverting the traffic of the entire zone to itself, make sure that the zone is defined on the Guard module with an activation extent of ip-address-only.


policy-type—Activates the Guard module to protect the entire zone or to protect a particular IP address within the zone address range, depending on the policy that caused the Detector module to activate the Guard module. The Detector module activates the Guard module to protect a particular IP address if it detects an anomaly in the zone traffic that is destined to that IP address (for example, if the policy that caused the remote activation has traffic characteristics of dst_ip). If the Detector module cannot associate the traffic anomaly with a particular IP address, it activates the Guard module to protect the entire zone (for example, if the policy that caused the remote activation has traffic characteristics of global). Use this method when the zone consists of related subzones, so that an attack on one targeted subzone does not disrupt the entire zone.

The following example shows how to configure the Guard-protection activation method:

user@DETECTOR-conf-zone-scannet# protect-ip-state entire-zone

Activating Zone Anomaly Detection

You can activate zone anomaly detection by using the following command in zone configuration mode:

detect [learning]

The optional learning keyword enables the Detector module to detect anomalies in the zone traffic and tune the zone policy thresholds using the detect and learn function (see the "Enabling the Detect and Learn Function" section on page 8-11 for more information).

The following example shows how to activate anomaly detection for the zone scannet:

user@DETECTOR-conf-zone-scannet# detect

Deactivating Zone Anomaly Detection

You can deactivate zone anomaly detection by using one of the following commands in zone configuration mode:

no detect—Ends zone anomaly detection. If the detect and learn function is enabled when you enter the no detect command, the Detector module ends zone anomaly detection but continues with the threshold tuning phase of the learning process (see the "Enabling the Detect and Learn Function" section on page 8-11 for more information).

deactivate—Ends both zone anomaly detection and the threshold tuning phase of the learning process.

Activating Remote Guards to Protect a Zone

When the Detector module detects a zone traffic anomaly, it creates dynamic filters that can activate the Guard modules that you associate with the Detector module. If you do not associate any Guard modules with the Detector module, then the dynamic filters instruct the Detector module to log the event only.

You can use the Detector module to activate a remote Guard in one of the following ways:

Using a remote Guard list—Use Secure Sockets Layer (SSL) to enable remote activation and zone synchronization, or use SSH to enable remote activation only.

Activating offline—Configure the Detector module to issue a notification when an attack on the zone occurs.

Activating manually—Create a dynamic filter to activate remote Guards.

You place the Detector module downstream from the Guard. When no attack is in progress, the Detector module sees all inbound traffic destined for the protected zone. During an attack when the Guard diverts traffic from the targeted zone for mitigation, the Detector module sees the legitimate traffic that the Guard forwards to the zone.

This section contains the following topics:

Activating Remote Guards Using Remote Guard Lists

Activating Remote Guards Offline

Activating Remote Guards Manually

Activating Remote Guards Using Remote Guard Lists

You can configure the Detector module with a list of Guards (known as the remote Guard lists) that it activates to protect a zone. The Detector module maintains two types of remote Guard lists as follows:

Zone remote Guard lists—The Detector module activates the Guards on this zone-specific list to protect the zone and may synchronize the zone configuration with the Guards.

Default remote Guard list—The Detector module searches the default list only if the zone remote Guard list is empty or does not contain Guards that use both the SSL and SSH communication methods.


Note If you add a Guard to the remote Guard lists, you must establish a communication channel with that remote Guard. See the "Establishing Communication with the Guard" section on page 4-16 for more information.


Each remote Guard list supports two communication methods:

SSL—The Detector module communicates with the Guards using SSL. The Detector module can activate the Guards to protect the zone and synchronize the zone configuration with the remote Guards.

The Detector module can synchronize the zone configuration with the Guards on the remote Guard lists before activating the Guards to protect the zone. See the "Synchronizing Zone Configurations with a Guard" section on page 5-8 for more information.

Secure Shell (SSH)—The Detector module communicates with the Guards using SSH. The Detector module can activate the Guards to protect the zone but cannot synchronize the zone configuration with the Guards.

The Detector module activates a Guard module in the default remote Guard list only if no Guard module with the same communication method is defined in the zone remote Guard list.


Caution If you change the remote Guard lists, you must regenerate the SSL certificates that the Detector module uses for the communication channel with the remote Guards or the communication fails. See the "Regenerating SSL Certificates" section on page 4-19 for more information.

Verify that the Detector module has at least one Guard defined in one of the remote Guard lists (the default remote Guard list or the zone remote Guard list). If no remote Guard is defined in any one of the remote Guard lists, the Detector module records the event in its log file.

This section contains the following topics:

Activating a Remote Guard and Synchronizing Zone Configuration

Configuring the Default Remote Guard List

Configuring the Zone Remote Guard Lists

Activating a Remote Guard and Synchronizing Zone Configuration

To activate a remote Guard and synchronize zone configuration, perform the following steps:


Step 1 Create and configure a new zone using one of the Guard zone templates.

See the "Creating a New Zone" section on page 5-4.

Step 2 Add the remote Guard IP address to either of the following lists:

Zone remote Guard list—A list of remote Guards that the Detector module activates to protect the zone.

See the "Configuring the Zone Remote Guard Lists" section for more information.

Detector default remote Guard list—The default list of remote Guards. The Detector module activates these remote Guards if the zone remote Guard list is empty.

See the "Configuring the Default Remote Guard List" section for more information.

Step 3 Configure the communication channel with the remote Guard.

See the "Establishing Communication with the Guard" section on page 4-16 for more information.

Step 4 Configure the zone Guard-protection activation method (the protect-ip-state command) to determine how the Detector module activates a remote Guard.

See the "Configuring Guard-Protection Activation Methods" section for more information.

Step 5 Create a new zone on the remote Guard by using one of the following methods:

Synchronize the zone configuration from the Detector module to the Guard using SSL.

See the "Synchronizing Zone Configurations with a Guard" section on page 5-8 for more information.

Create a new zone on the remote Guard. The zone name on the Guard must be identical to the zone name on the Detector module unless you configure the Detector module to activate protection on the Guard based on the attacked IP address only by using the protect-ip-state dst-ip-by-ip command.

See the "Configuring Guard-Protection Activation Methods" section for more information about the protect-ip-state command.

Step 6 Configure the timer that the remote Guard uses to terminate zone protection by using the protection-end-timer command in the remote Guard. If the value of the protection-end-timer is forever, the remote Guard does not terminate zone protection when the attack ends.


Configuring the Default Remote Guard List

The Detector module activates a remote Guard in the default remote Guard list if both the following conditions apply:

The zone remote Guard list is empty or does not contain Guards that use both the SSL and SSH communication methods.

The remote Guard in the default list is configured with the communication method that is not defined in the zone-specific remote Guard list.

The Detector module activates all remote Guards in the default list that use that communication method.
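The following Python model of the remote Guard list selection rule is an added illustration, not part of the guide or of the Detector software. It assumes the rule exactly as stated above: every Guard in the zone list is activated, a default-list Guard is activated only when the zone list has no Guard with the same communication method, and only SSL Guards can receive a synchronized zone configuration. The Guard addresses and descriptions are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class RemoteGuard:
    """One entry created by: remote-guard {ssh | ssl} remote-guard-address [description]"""
    method: str          # "ssl" or "ssh"
    address: str         # remote Guard IP address
    description: str = ""

    def __post_init__(self):
        if self.method not in ("ssl", "ssh"):
            raise ValueError(f"unknown communication method: {self.method}")
        ip_address(self.address)   # raises ValueError if not a valid IP literal
        if len(self.description) > 63:
            raise ValueError("description is limited to 63 alphanumeric characters")


def guards_to_activate(zone_list, default_list):
    """Return the remote Guards the Detector module activates for a zone.

    Zone-list Guards are always selected. A default-list Guard is selected only
    when the zone list contains no Guard with the same communication method,
    so a zone list with both SSL and SSH Guards never falls back to the default list.
    An empty result means no remote Guard is defined and the event is only logged.
    """
    methods_in_zone = {g.method for g in zone_list}
    selected = list(zone_list)
    selected += [g for g in default_list if g.method not in methods_in_zone]
    return selected


def can_synchronize(selected):
    """Zone configuration can be synchronized only over SSL, never over SSH."""
    return any(g.method == "ssl" for g in selected)


# Constructed sample lists (assumed values, not from the guide).
DEFAULT_LIST = [
    RemoteGuard("ssl", "192.168.100.33", "default ssl guard"),
    RemoteGuard("ssh", "192.168.100.34", "default ssh guard"),
]
ZONE_SSH_ONLY = [RemoteGuard("ssh", "10.1.1.5", "zone ssh guard")]
ZONE_BOTH = ZONE_SSH_ONLY + [RemoteGuard("ssl", "10.1.1.6", "zone ssl guard")]

if __name__ == "__main__":
    for name, zone_list in (("empty zone list", []),
                            ("zone list ssh only", ZONE_SSH_ONLY),
                            ("zone list ssl+ssh", ZONE_BOTH)):
        chosen = guards_to_activate(zone_list, DEFAULT_LIST)
        print(f"{name}: {[f'{g.method}:{g.address}' for g in chosen]}",
              "sync possible" if can_synchronize(chosen) else "activation only")
```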

To add a Guard to the default remote Guard list, use the following command in configuration mode:

remote-guard {ssh | ssl} remote-guard-address [description]

Table 9-1 provides the arguments and keywords for the remote-guard command.

Table 9-1 Arguments and Keywords for the remote-guard Command

Parameter              Description
ssh                    Specifies the SSH communication method.
ssl                    Specifies the SSL communication method.
remote-guard-address   Remote Guard IP address.
description            (Optional) Remote Guard description. The description can have a maximum of 63 alphanumeric characters.


The following example shows how to add a remote Guard to the default remote Guard list using an SSL communication method:

user@DETECTOR-conf# remote-guard ssl 192.168.100.33

To display the default remote Guard list, use the show remote-guards command in global or configuration mode.

Configuring the Zone Remote Guard Lists

The Detector module activates all the remote Guards that you define in the zone remote Guard lists.

To add a Guard to a zone remote Guard list, use the following command in zone configuration mode:

remote-guard {ssh | ssl} remote-guard-address [description]

Table 9-2 provides the arguments and keywords for the remote-guard command.

Table 9-2 Arguments for the remote-guard Command

Parameter              Description
ssh                    Specifies the SSH communication method.
ssl                    Specifies the SSL communication method.
remote-guard-address   IP address of the remote Guard.
description            (Optional) Description of the remote Guard. The description can have a maximum of 63 alphanumeric characters.


The following example shows how to add a Guard to the zone remote Guard list using an SSL communication method:

user@DETECTOR-conf-zone-scannet# remote-guard ssl 192.168.100.33

To display the zone remote Guard lists, use the show remote-guards command in zone configuration mode.

Activating Remote Guards Offline

When the Detector module detects an anomaly in the zone traffic, it logs the event and may generate a Simple Network Management Protocol (SNMP) trap (see the "Enabling SNMP Traps" section on page 4-25). You can then manually activate a Guard to protect the zone.

To activate a Guard offline, perform the following steps:


Step 1 Configure the zone on both the Detector module and the Guard or synchronize the zone configuration offline.

See the "Creating a Zone for Synchronization" section on page 5-10 for more information.

Step 2 (Optional) Configure the timer that the remote Guard uses to terminate zone protection by using the protection-end-timer command in the remote Guard. If you configure the value of the protection-end-timer to forever, the remote Guard does not terminate zone protection when the attack ends.

Step 3 Activate the zone on the Cisco Anomaly Guard Module by using the protect command.


Activating Remote Guards Manually

From the Detector module, you can activate a remote Guard manually to protect the zone even before the Detector module detects an anomaly in the zone traffic.

To activate a remote Guard manually, perform the following steps on the Detector module:


Step 1 Add the remote Guard to the zone remote Guard list or to the default remote Guard list.

See the "Activating Remote Guards Using Remote Guard Lists" section for more information.

Step 2 Create a dynamic filter by entering the dynamic-filter remote-activate command.

See the "Adding Dynamic Filters" section on page 6-14 for more information.