Lessons Intro-9 Instructor's Guide

Instructors_Guide for Cisco Guard

Intro

# Slide Description

1.

© 2007 Cisco Systems, Inc. All rights reserved.

Mitigating DDoS Using Guard and Traffic Anomaly Detector

Introduction

Type: Title

Importance: Medium

Time: As Needed

Purpose: Welcome to the class. High-level overview.

In the book: N/A

Misc:

2.

DDoS v2.0—2

Learner Skills and Knowledge

• Interconnecting Cisco Network Devices (ICND).
• Foundation-level network knowledge and skills necessary to install, configure, operate and troubleshoot network devices and applications.
• Basic knowledge of Cisco IOS networking and concepts.
• Foundation-level network security knowledge and skills necessary to install, configure, operate and troubleshoot network security devices and applications, including firewalls, IDS and IPS systems.
• Understanding of routing protocols and functionality, including the BGP routing protocol.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Discuss the expected prerequisites that are necessary in order to get the most out of the class.

In the book: The text states this course covers the skills required for basic deployment. There are advanced G&D (Guard and Detector) topics not covered in this class.

Misc:

3.

DDoS v2.0—3

Course Flow

Day 1

AM: Course Introduction. Lesson 1: Mitigating DDoS Attacks. Lesson 2: Getting Started with the Cisco Guard and Cisco Traffic Anomaly Detector. Lab 2: Setting Up the Cisco Guard and Detector. Lesson 3: Configuring Zones. Lab 3: Configuring Zones.

Lunch

PM: Lesson 4: Diverting Traffic. Lesson 5: Configuring Injection. Lab 4 and 5: Configuring Diversion and Injection. Lesson 6: Mitigation at Work.

Day 2

AM: Lab 6: Mitigation at Work. Lesson 7: Understanding Guard and Detector Reports. Lab 7: Understanding Guard and Detector Reports. Lesson 8: Multi-Device Manager.

Lunch

PM: Lesson 9: Cisco Guard and Detector Blades for the 6500s. Optional Lab exercises. Course Wrap Up and Evaluations.

Type: Special

Importance: Medium

Time: As Needed

Purpose: To explain how time will be spent with regard to lessons and labs for the duration of the course. Provides a good opportunity for the Instructor to set expectations concerning class flow.

In the book: N/A

Misc:

4.

DDoS v2.0—4

Cisco Icons and Symbols

(Graphic: icon legend.) Cisco Guard; Cisco Traffic Anomaly Detector; Laptop; File Server; Router; Multilayer Switch; Network Cloud; Upstream Router; Inject-to Router. Applicability tags: Guard Only; Detector Only; Guard & Detector (these also mark later slides with the device they apply to).

Type: Graphic

Importance: Medium

Time: As Needed

Purpose: To give an overview of the symbols and icons that are used repeatedly throughout the entire course and labs.

In the book: You have a list of references, many available on CCO, for additional information on G&D and DDoS in general.

Misc:

5.

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:

Lesson 1

# Slide Description

1.

Mitigating DDoS Attacks

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Type: Title

Importance: Medium

Time: As Needed

Purpose: High-level overview of the chapter.

In the book: N/A

Misc:

2.

DDoS v2.0—1-2

Outline

• Overview.
• What Is a DDoS Attack?
• Impact of DDoS Attacks.
• Types of DDoS Attacks.
• Deficiencies of Common DDoS Defenses.
• Designing a Complete DDoS Protection Program.
• Cisco Guard Features and Benefits.
• Cisco Traffic Anomaly Detector Features and Benefits.
• Detection and Mitigation Overview.
• Summary.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3.

DDoS v2.0—1-3

What Is a DDoS Attack?

(Diagram residue; labels: AS; Peering Point; ISP Backbone; Hackers activate zombies on innocent computers; Infrastructure-level DDoS attacks, including routers and DNS servers; Bandwidth-level DDoS attacks, including worm storms; Enterprise web server; Server-level DDoS attacks, including HTTP, DNS, and other services; Attacked server.)

Type: Concept

Importance: High

Time: As Needed

Purpose: Explain the terminology, types of attacks, and possible mitigation implementation sites.

In the book: Zombies, "sleeper code", DNS root server attacks in 2002.

Misc:

4.

DDoS v2.0—1-4

Distinguishing Features of DDoS Attacks

DDoS attacks are:
• Accessible: tools are readily available.
• Evolving: every defense is quickly countered with a new strategy.
• Statistical: attackers "randomize" their attack scripts to mix with legitimate traffic.
• Distributed: armies of zombies and bots taken over by one attacker.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Highlight the threat that exists from DDoS attacks.

In the book: "Distributed" can mean hundreds of thousands of hosts, spoofed IP addresses, constantly evolving attacks.

Misc:

5.

DDoS v2.0—1-5

Impact of DDoS

• On Service Providers
  – Site performance is severely compromised.
  – SLAs are compromised.
  – Reputation is damaged.
  – Frustrated customers switch to competitors, resulting in lost revenue and market share.
  – IT and operational expenses increase.
• On an Enterprise
  – Frustrated customers and staff.
  – Lost e-commerce and advertising revenue.
  – Cost of technical support to restore an attacked site.
  – Lost productivity.
  – Lost brand equity or market share.
• Examples
  – TCP/SYN attacks, February 2000.
  – Slammer worm, January 2003.

Type: Concept

Importance: High

Time: As Needed

Purpose: Discuss the impact of DDoS attacks on service provider and enterprise environments. Ask "what is the cost of downtime?" and discuss the return on investment.

In the book: Cites dollar figures as a justifiable reason to invest in DDoS mitigation technology. The attacks of February 2000 cost billions of dollars. Slammer worm example also.

Misc:

6.

DDoS v2.0—1-6

Basic Types of DDoS Attacks

• Bandwidth attacks
  – Consume network bandwidth or equipment resources with a high volume of packets.
  – Can cause targeted routers, servers, and firewalls to fail.
  – Example: packet-flooding attack.
• Application attacks
  – Consume computational resources with a high volume of protocol errors.
  – Example: HTTP half-open and HTTP error attacks.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Detail the characteristics of the two most common types of DDoS attack.

In the book: Details the characteristics that distinguish one attack type from the other.

Misc:

7.

DDoS v2.0—1-7

Deficiencies of Common DDoS Defenses

• Blackholing loses good and bad traffic.
• Router ACLs cannot cope with complex attacks.
• Firewalls are functionally inappropriate for use in DDoS defense roles. Though they have some DDoS capabilities, firewalls cannot scale against massive attacks.
• IDS cannot detect DDoS attacks that use valid packets.
• IPS systems are easily overwhelmed.
• Manual responses are inadequate and often too late.
• Over-provisioning bandwidth is costly.

Type: Concept

Importance: High

Time: As Needed

Purpose: This slide is very important: by highlighting the deficiencies of other DDoS defense strategies, the value of the Cisco Guard and Detector can be seen.

In the book: Details problems with other DDoS mitigation strategies. Useful to show the advantage of Guard and Detector.

Misc:

8.

DDoS v2.0—1-8

Principles for Complete DDoS Protection

A complete solution:
• Detects and mitigates the effects of an attack.
• Distinguishes good traffic from bad.
• Protects all points of vulnerability.
• Provides reliable and cost-effective scalability.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Features of the Guard and Detector, and set the expectation of what a complete DDoS protection solution should provide.

In the book: List of bullet points.

Misc:

9.

DDoS v2.0—1-9

Complete DDoS Protection includes:

• Immediate response to DDoS attacks.
• Complete verification capabilities.
• Behavior-based anomaly detection.
• Identification and blocking of individual spoofed packets.
• A mechanism unaffected by the huge volume of DDoS attacks.
• On-demand deployment.
• Processing of only suspect traffic streams.
• Standard protocols for all communications.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: To explain the features required in a DDoS solution. These will be matched to the Guard and Detector's capabilities later on.

In the book: Things to look for in a good DDoS solution. Guard and Detector fit these criteria.

Misc:

10.

DDoS v2.0—1-10

Cisco DDoS Solution

(Diagram: Cisco Traffic Anomaly Detector, Cisco Guard, Target.)
1. Detector detects abnormal behavior.
2. Activates Cisco Guard (auto/manual).
3. BGP announcement to divert traffic destined for the target.
4. Suspect traffic is cleaned by the Guard and injected back into the data stream.

Type: Diagram

Importance: High

Time: As Needed

Purpose: This is the first time the student sees the process by which the Guard and Detector function. This is a good opportunity to provide the students with their first step-by-step walk-through of how the Guard and Detector function.

In the book: Guard and Detector can concurrently protect multiple potential targets: DNS servers, web servers, routers, and bandwidth.

Misc:

11.

DDoS v2.0—1-11

Appliance and Module Offerings

Cisco Guard XT 5650, built on an IBM server.
Cisco Anomaly Guard Module.

Type: Marketing

Importance: Medium

Time: As Needed

Purpose: To show the students the form factors the Guard is available in. Mention the differences between blade and appliance, which will be covered in more detail later.

In the book: Detailed specifications of both the appliance and the module.

Misc:

12.

DDoS v2.0—1-12

Cisco Guard: Key Features and Benefits

• Multiverification process
  – Dynamic filtering and active verification technologies.
  – Per-source, per-destination, and anti-spoofing processes.
  – Profile-based anomaly recognition engine.
  – Protocol analysis and rate limiting.
  – 150,000 time-based dynamic filters.
• Multigigabit performance
  – Dedicated network processors.
  – Clustering architecture.
• Multilevel monitoring and reporting
  – Intuitive web-based GUI.
  – Detailed real-time and historical reporting features.
  – Interactive mode recommendations.

Type: Concept

Importance: High

Time: As Needed

Purpose: To highlight the features of the Cisco Guard.

In the book: MVP (Multiverification Process) architecture, GUI configuration and management abilities, and performance at gigabit rates.

Misc:

13.

DDoS v2.0—1-13

Appliance and Module Offerings

Cisco Traffic Anomaly Detector XT 5650, built on an IBM server.
Cisco Traffic Anomaly Detector Module.

Type: Marketing

Importance: Medium

Time: As Needed

Purpose: To show the students the form factors the Detector is available in. Mention the difference between blade and appliance, which will be covered in more detail later.

In the book: Detailed specifications of both the appliance and the module.

Misc:

14.

DDoS v2.0—1-14

Cisco Traffic Anomaly Detector: Key Features and Benefits

• Recognition and learning
  – Monitors traffic patterns to build profiles of normal behavior.
  – Automated learning recognizes new types of attacks and automatically updates profiles.
  – Detects low-rate, large-scale, and session-abusive attacks.
• High performance
  – Monitors attack flows at full gigabit rates.
  – Multistage analysis of fully mirrored traffic provides fast recognition of attacks.
• Reporting and management
  – Intuitive web-based GUI.
  – Multiple real-time and historical reporting levels.
  – Can be configured to proactively send alerts.
  – SNMP MIB.

Type: Concept

Importance: High

Time: As Needed

Purpose: To outline the features of the Detector.

In the book: Mentions that one device cannot perform the job of both Guard and Detector.

Misc:
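The profile-based detection the Detector slides describe (learn a per-destination baseline of normal behavior, then flag deviations and classify them as bandwidth or application attacks) is easier to teach with a small working model. The following is an added example written for this guide in Python; it is not Cisco code and does not reproduce the Detector's real algorithm. The per-second counters (`pps`, `http_halfopen`), the zone names "www" and "dns", and the mean-plus-k-sigma rule are constructed assumptions for illustration.

```python
"""Added example: profile-based anomaly detection over constructed per-second
counters. The sample data, the pps/http_halfopen features and the
mean + k*sigma rule are illustrative assumptions, not the Detector's internals."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One per-second counter sample for traffic toward a protected destination."""
    dst: str             # protected destination (zone), e.g. "www" or "dns"
    pps: int             # total packets per second toward dst
    http_halfopen: int   # HTTP connections opened but never completing a request


@dataclass(frozen=True)
class Baseline:
    pps_mean: float
    pps_std: float
    halfopen_mean: float
    halfopen_std: float


def learn(samples):
    """Learning phase: build a per-destination profile of normal behaviour."""
    by_dst = defaultdict(list)
    for s in samples:
        by_dst[s.dst].append(s)
    profiles = {}
    for dst, group in by_dst.items():
        pps = [s.pps for s in group]
        halfopen = [s.http_halfopen for s in group]
        profiles[dst] = Baseline(mean(pps), pstdev(pps), mean(halfopen), pstdev(halfopen))
    return profiles


def exceeds(value, mu, sigma, k=4.0, floor=1.0):
    """True when value is more than k standard deviations above the baseline.
    `floor` keeps a near-constant baseline (sigma ~ 0) from firing on noise."""
    return value > mu + k * max(sigma, floor)


def detect(profiles, sample, k=4.0):
    """Protect phase: compare one sample with its destination's profile.
    Returns None when the sample is within profile, else a classification."""
    b = profiles.get(sample.dst)
    if b is None:
        return "unknown-destination"   # nothing learned for this zone
    if exceeds(sample.pps, b.pps_mean, b.pps_std, k):
        return "bandwidth-attack"      # packet flood: the volume itself is abnormal
    if exceeds(sample.http_halfopen, b.halfopen_mean, b.halfopen_std, k):
        return "application-attack"    # normal volume, abnormal half-open sessions
    return None


def static_threshold(sample, limit_pps=60_000):
    """A single global pps limit, for contrast with the per-destination profile."""
    return sample.pps > limit_pps


# Constructed learning data: a busy web zone and a quiet DNS zone.
LEARNING = (
    [Sample("www", 50_000 + 500 * (i % 5), 20 + (i % 3)) for i in range(60)]
    + [Sample("dns", 800 + 10 * (i % 4), 0) for i in range(60)]
)
PROFILES = learn(LEARNING)

if __name__ == "__main__":
    for s in (Sample("dns", 16_000, 0), Sample("www", 51_200, 400), Sample("www", 50_800, 22)):
        print(s.dst, s.pps, s.http_halfopen, "->", detect(PROFILES, s),
              "| global limit fires:", static_threshold(s))
```

Run it and the DNS zone's flood at 16,000 pps is flagged as a bandwidth attack against its own baseline even though a single global limit sized for the web zone never fires; the web zone's half-open spike is caught at a normal packet rate, which is the low-rate, session-abusive case the slide mentions. A real detector also has to handle a learning window that already contains attack traffic (a polluted baseline), which this model does not address.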

15.

DDoS v2.0—1-15

Detection Process

(Diagram, Detection Option 1. Labels: Peering Edge; Provider Edge; Customer Edge; SPAN traffic to the Detector; dirty traffic; Guard activation via SSH; Cisco Guard.)
1. Attack launched.
2. Detector detects anomaly based on SPAN traffic.
3. Detector activates Guard (Guard activation via SSH).

Type: Example

Importance: High

Time: As Needed

Purpose: To show the step-by-step process of attack mitigation.

In the book: Graphic only, with numbered steps.

Misc:

16.

DDoS v2.0—1-16

Mitigation Process

(Diagram, Detection Option 1. Labels: Peering Edge; Provider Edge; Customer Edge; SPAN traffic; dirty traffic; cleaned traffic; Guard activation via SSH; Cisco Guard.)
1. Guard sends out a BGP announcement to divert traffic to the Cisco Guard.
2. Dirty traffic gets diverted to the Guard.
3. Guard scrubs dirty traffic.
4. Clean traffic is injected back into the data path.
5. Detector continuously monitors traffic.

Type: Example

Importance: High

Time: As Needed

Purpose: To provide the students with a detailed review of the steps taken by the Guard and Detector from when an attack is first detected until it has been mitigated.

In the book: Graphic only, with numbered steps.

Misc:
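Steps 1, 2 and 4 above rest on one routing fact worth making concrete for students: the Guard's BGP announcement is a more specific route (a /32 host route for the attacked address) that wins longest-prefix match over the customer's aggregate, so only the target's traffic is pulled to the cleaning center, and the cleaned traffic has to be injected over a path that does not carry that /32, otherwise it would be diverted straight back to the Guard. The following is an added example written for this guide in Python, not Cisco code or the Guard's own implementation; the next-hop names ("peering-edge", "customer-edge", "guard") and the RFC 5737 documentation addresses are constructed.

```python
"""Added example: why a /32 diversion route pulls only the target's traffic,
and why injection needs a path that does not carry that /32. Next-hop names
and addresses are constructed for illustration."""
import ipaddress


class RouteTable:
    """Minimal destination-based forwarding table with longest-prefix match."""

    def __init__(self):
        self._routes = {}   # ip_network -> next-hop name

    def add(self, prefix, next_hop):
        self._routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self._routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Return the next hop of the most specific matching prefix, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self._routes.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, next_hop)
        return None if best is None else best[1]


def build_tables():
    """Two tables: the global table the diversion route is announced into, and
    the injection path (a tunnel/VRF toward the inject-to router) that
    deliberately never learns the /32."""
    global_rt = RouteTable()
    global_rt.add("0.0.0.0/0", "peering-edge")
    global_rt.add("203.0.113.0/24", "customer-edge")   # customer aggregate
    inject_rt = RouteTable()
    inject_rt.add("203.0.113.0/24", "customer-edge")
    return global_rt, inject_rt


def activate_guard(global_rt, target):
    """Model the Guard's BGP announcement: a host route for the target with the
    Guard as next hop, more specific than the customer aggregate."""
    global_rt.add(f"{target}/32", "guard")


def deactivate_guard(global_rt, target):
    """Withdraw the host route when mitigation ends; traffic returns to normal."""
    global_rt.withdraw(f"{target}/32")


def trace(global_rt, inject_rt, dst):
    """Follow one packet: the first hop from the global table and, if that is
    the Guard, the hop the cleaned packet takes on the injection path."""
    first = global_rt.lookup(dst)
    if first != "guard":
        return [first]
    return ["guard", inject_rt.lookup(dst)]


if __name__ == "__main__":
    g, inj = build_tables()
    print("before:", trace(g, inj, "203.0.113.10"))
    activate_guard(g, "203.0.113.10")
    print("during:", trace(g, inj, "203.0.113.10"), trace(g, inj, "203.0.113.20"))
    print("if cleaned traffic used the global table it would go to:", g.lookup("203.0.113.10"))
    deactivate_guard(g, "203.0.113.10")
    print("after: ", trace(g, inj, "203.0.113.10"))
```

The last print during activation is the loop the separate injection path avoids: in the global table the cleaned packet's destination still matches the /32 and would be handed back to the Guard. In a real deployment the same separation is achieved with a tunnel to the inject-to router or a dedicated VRF, and the diversion /32 is normally tagged so it is not re-advertised beyond the provider's own network.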

17.

DDoS v2.0—1-17

DDoS Protection Solution Overview

Network Foundation Protection; Network Management.

Detection: identify and classify attacks based on anomaly characteristics.
Diversion/Injection: divert "dirty" traffic to the cleaning center to be "scrubbed", inject the clean traffic back to the DDoS-targeted host.
Mitigation: anti-spoofing, anomaly recognition, packet inspection, cleaning and scrubbing of "dirty" traffic.

(Diagram labels: Customer Premise (Cisco ISR); Access/Aggregation (Provider Edge Routers, L2 Aggregator, Detectors); Core (P routers); Cleaning Center (Guard(s)); Hosting IDC; Carrier Peering (ASBR); Peering Edge/Alt ISP Provider.)

Type: Diagram

Importance: High

Time: As Needed

Purpose: To outline the Foundation Concept of Security. Complete network security is a multilayered approach requiring firewalls, IPS, and a variety of other security devices, including DDoS protection.

In the book: Definition of the foundation project and where to look for more information on it.

Misc:

18.

DDoS v2.0—1-18

Summary

• DDoS defenses must differentiate between malicious and legitimate traffic and detect attacks before they do damage, without affecting network performance.
• DDoS attacks are costly to businesses in terms of lost revenue, damaged reputations, lost confidence, potential litigation, and overall increased costs.
• DDoS attacks fall into two basic categories: bandwidth attacks, which consume network resources, and application attacks, which consume computational resources.
• DDoS attacks are becoming increasingly sophisticated.
• The most common DDoS defense methods are inadequate to defend against most attacks.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

19.

DDoS v2.0—1-19

Summary (Cont.)

• A complete DDoS protection scheme not only detects sophisticated assaults but mitigates the effects of the attack to ensure business continuity and resource availability.
• The Guard and Detector appliances are built upon specially modified IBM servers.
• Cisco Anomaly Guard and Traffic Anomaly Detector Modules are available for the Catalyst 6500/7600.
• There are three core processes on the Guard: per-destination analysis, anti-spoofing, and per-source analysis.
• The Detector can be configured to remotely activate one or more Guard appliances.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

20.

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:

Lesson 2

# Slide Description

1.

DDoS v2.0—2-1

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Getting Started with the Cisco Guard and Traffic Anomaly Detector

Type: Title

Importance: Medium

Time: As Needed

Purpose: High-level overview of the chapter.

In the book: N/A

Misc:

2.

DDoS v2.0—2-2

Outline

• Overview
• Physical Characteristics of the Cisco Guard and Detector
• Introduction to the CLI
• Accessing the Guard and Detector
• Configuring User Accounts
• Configuring the Cisco Guard and Detector Interfaces
• Reload, Reboot, and Powerdown Commands
• Enabling Cisco Guard and Cisco Detector Services
• Summary
• Lab Exercise

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3.

DDoS v2.0—2-3

Cisco Guard and Cisco Traffic Anomaly Detector Front and Rear Panels

(Graphic: Guard and Detector front panel; Guard and Detector rear panel.)

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: Discuss the physical features of the Guard and Detector appliances.

In the book: Detailed schematic of the Guard and Detector appliances.

Misc:

4.

DDoS v2.0—2-4

Cisco Guard and Cisco Traffic Anomaly Detector CLI

• The Guard and Detector use a "Cisco" CLI:
  – The CLI is hierarchical, with subcommands for zones, interfaces, etc.
  – Configuration modes are denoted by the prompt.
  – Use "?" or press <tab><tab> to see command options.
  – Tab completes a partial word.
  – The exit command moves one level up in the CLI.
  – The end command returns the user to the top (global) level.
• The Guard and Detector are built on Linux.

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain the functionality of the Guard and Detector CLI, and how it is divided into multiple CLI modes, each mapped to user privilege levels.

In the book: description of the use of the tab, exit and "?" keys.

Misc: "q" stops output on the screen.

5.

DDoS v2.0—2-5

Using the "show" Command

  admin@guard# show run
  admin@guard# show
  admin@guard-config# show
  admin@guard-config-if-giga1# show
  admin@guard-config-zone-ftpservers# show
  admin@guard# show | ?
  • begin: Begin with the line that matches
  • exclude: Exclude lines that match
  • include: Include lines that match

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To give a basic overview of the uses of the "show" commands. The "show" command provides access to monitoring and diagnostic operations only.

In the book: highlights the grep options begin, exclude, and include.

Misc:

6.

DDoS v2.0—2-6

Basic Setup Tasks

Task: Configure device properties
• Hostname.
• User accounts.
Task: Configure interfaces
• eth0, eth1, giga1, giga0.
• Configure proxy addresses from the giga1 or giga0 subnet.
• Configure a default gateway.
Task: Configure services
• By default all services are turned off except SSH.
• Enable services such as NTP, SNMP, WBM, etc.
• Enable access for configured services.

Guard Only

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Overview of the basic tasks needed to initially set up and configure the Guard and Detector.

In the book: N/A

Misc:

7.

DDoS v2.0—2-7

Initial Access to the Cisco Guard and the Cisco Traffic Anomaly Detector

  Cisco Guard Version 5.1(4)
  GUARD login: admin
  Password: not displayed
  Last login: Fri Apr 20 17:48:19 on ttyS0
  admin@GUARD#
  admin@GUARD# configure
  admin@GUARD-conf# hostname MYGUARD
  admin@MYGUARD-conf#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain how to log in to the Guard and Detector for the first time. Upon first login, the user will be prompted to change the passwords for the root account, the admin account and the riverhead account.

In the book: Mentions the default password of "rhadmin".

Misc:

8.

DDoS v2.0—2-8

Configuring User Accounts and Privilege Levels

User Privilege Level      Command Group
Administrator (admin)     Full access to all command groups.
Configuration (config)    Full access to all command groups except the commands relating to user definition, deletion, and modification.
Dynamic (dynamic)         Access to show commands, protect and learning related commands, and Flex and dynamic filter configuration.
Show (show)               All the global command group show commands.

  admin@Guard-012-conf# user johndoe ?
  admin
  config
  dynamic
  show

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain the various user roles and their abilities on the device.

In the book: detailed information about the admin, config, dynamic, and show level accounts.

Misc:

9.

DDoS v2.0—2-9

Configuring User Accounts (Cont.)

  admin@GUARD-conf# username Robbin config sanfran123
  User Robbin was added successfully
  admin@GUARD-conf#

  admin@GUARD-conf# username username {admin|config|dynamic|show} [password]
• Adds a user to the Cisco Guard local database.

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain how to configure a username and password combination.

In the book: Details about password length. The "show users" command. "no username" to delete a user.

Misc:

10.

DDoS v2.0—2-10

Riverhead User Account

• Riverhead – Used by the Detector to dynamically alert the Guard.

Note – Both the Guard and Detector can function as AAA clients with Cisco ACS for Authentication, Authorization and Accounting services.

Note – If you are using a Cisco ACS AAA Server to perform authentication for the Guard and Detector, you must define the Riverhead user account on the AAA Server.

Guard & Detector

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Explain the special purpose of the Riverhead account. This account establishes the remote connection to the Guard.

In the book: Special care is needed if you are using AAA for authentication.

Misc:

11.

DDoS v2.0—2-11

Changing Passwords

• Change your own password on the Cisco Guard local database

admin@GUARD# password

admin@MYGUARD# password
Old Password: NYC1492
New Password: cisco123
Retype New Password: cisco123
finished successfully
admin@MYGUARD#

Note: The command is not a configuration mode command.

• Change the password of another user on the Cisco Guard local database

admin@GUARD# password username-password

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain how to change a password from the CLI and the WBM.

In the book: From the CLI, changing the password is done from the global prompt.

Misc:

12.

DDoS v2.0—2-12

Cisco Guard and Cisco Traffic Anomaly Detector Physical Interfaces

[Diagram: chassis rear view with four network sockets. Eth0 Socket and Eth1 Socket are labelled Out-of-Band Management; Giga0 Socket and Giga1 Socket are labelled Zone Traffic Transmission.]

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: Describe the 4 network interfaces (Eth0 & Eth1 out-of-band, Giga0 & Giga1 inbound).

In the book: The rule that you must use the Giga1 interface. The Giga interfaces can be configured with virtual interfaces, i.e. … tunnels and dot1Q VLANs.

Misc:


13.

DDoS v2.0—2-13

Interface Configuration

Guidelines for configuring all physical and virtual interfaces:
• Each interface needs an IP address and an IP subnet mask.
  – Exception: Giga interfaces on the Detector do not receive an IP address.
• Activate each interface using the no shutdown command.
• Reload the Cisco Guard and Anomaly Detector after gigabit interface configuration changes.
• Display the configuration with the show running-config command.

Type: Command

Importance: Medium

Time: As Needed

Purpose: Overview of configuring the interfaces, highlighting the “interface”, “no shutdown”, and “show running-config” commands.

In the book: You must “reload” the Guard or Detector after changes to the giga interfaces.

Misc:

14.

DDoS v2.0—2-14

Configuring a Physical Interface

Step 1: Enter interface configuration mode.

admin@GUARD-conf# interface eth0
admin@GUARD-conf-if-eth0#

Step 2: Set the interface IP address.

admin@GUARD-conf-if-eth0# ip address 10.10.10.33 255.255.255.252

Step 3: Define the interface MTU (optional).
Step 4: Activate the interface with “no shutdown.”
Step 5: Reload the device with “reload” (for giga interfaces only).

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain how to configure the physical interfaces, noting that you should not configure two physical interfaces on the same subnet.

In the book: How to set the MTU … straightforward.

Misc:

15.

DDoS v2.0—2-15

Configuring the Default Gateway

admin@GUARD-conf# default-gateway 192.168.100.1

[Diagram: the Guard and the Detector each connect through Eth0 to the management network (management addresses 192.168.100.20 and 192.168.100.10); the Default Gateway at 192.168.100.1 leads toward the Internet; Giga1 on each device faces the Zone Servers.]

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Command syntax for configuring the default gateway.

In the book: Note that the default gateway must be on the same network as one of the active interfaces, and should not be assigned while a zone is in protection. If a default gateway isn’t assigned, the Guard/Detector may not be accessible.

Misc:
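The addressing rules from slides 13 to 15 (every interface takes an address and mask, Detector giga interfaces take none, no two physical interfaces on one subnet, and a default gateway that must lie on the network of an active interface) are easy to get wrong in a way that locks the operator out of the management plane. The following is an added example, not Cisco code or part of this guide: a small pre-commit checker that models those rules over a constructed interface list. The Interface dataclass, the check_addressing function and the sample addresses are assumptions made for the example.

```python
"""Sanity checks for Guard/Detector interface and default-gateway addressing.

Added example, not Cisco code. It encodes the rules stated on the slides
so a planned configuration can be checked before it is typed into a device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str                  # eth0, eth1, giga0, giga1, or a virtual giga1.10
    ip: Optional[str] = None   # dotted-quad address, None if unaddressed
    mask: Optional[str] = None # dotted-quad subnet mask
    shutdown: bool = True      # stays True until "no shutdown" is issued

    @property
    def physical(self) -> bool:
        # Assumption for the example: virtual interfaces carry a dot (giga1.10)
        return "." not in self.name

    def network(self) -> Optional[ipaddress.IPv4Network]:
        if self.ip is None or self.mask is None:
            return None
        return ipaddress.IPv4Interface(f"{self.ip}/{self.mask}").network


def check_addressing(device: str, ifaces: List[Interface],
                     gateway: Optional[str]) -> List[str]:
    """Return human-readable violations; an empty list means the plan is OK."""
    problems: List[str] = []

    # Rule 1: every interface needs an address and mask, except Detector giga ports.
    for i in ifaces:
        if device == "detector" and i.name.startswith("giga"):
            if i.ip is not None:
                problems.append(f"{i.name}: Detector giga interfaces do not take an IP address")
            continue
        if i.ip is None or i.mask is None:
            problems.append(f"{i.name}: needs an IP address and subnet mask")

    # Rule 2: no two physical interfaces on the same (or an overlapping) subnet.
    addressed = [i for i in ifaces if i.physical and i.network() is not None]
    for idx, a in enumerate(addressed):
        for b in addressed[idx + 1:]:
            if a.network().overlaps(b.network()):
                problems.append(f"{a.name} and {b.name} share subnet {a.network()}")

    # Rule 3: the default gateway must be on the network of an active interface.
    if gateway is None:
        problems.append("no default-gateway: the device may not be reachable remotely")
    else:
        gw = ipaddress.IPv4Address(gateway)
        active_nets = [i.network() for i in ifaces
                       if not i.shutdown and i.network() is not None]
        if not any(gw in net for net in active_nets):
            problems.append(f"default-gateway {gateway} is not on any active interface network")
    return problems


def slide_example() -> List[str]:
    """Constructed plan mirroring the slide: Guard eth0 on 192.168.100.0/24,
    gateway 192.168.100.1, plus a mistaken second port on the same subnet."""
    plan = [
        Interface("eth0", "192.168.100.20", "255.255.255.0", shutdown=False),
        Interface("eth1", "192.168.100.30", "255.255.255.0", shutdown=False),  # violates rule 2
        Interface("giga1", "30.0.0.10", "255.0.0.0", shutdown=False),
    ]
    return check_addressing("guard", plan, "192.168.100.1")


if __name__ == "__main__":
    for p in slide_example():
        print("VIOLATION:", p)
```

Run it as a script and it prints the one violation in the constructed plan (eth0 and eth1 on the same subnet); the functions return lists rather than printing so the same checks can be reused from a provisioning script.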

16.

DDoS v2.0—2-16

Cisco Guard Routing Tables

There are two types of routing tables on the Guard:
• Table 1: Routes for Management.
  – Used for all administrative functions.
  – View via the netstat command in the CLI.
• Table 100: Routes for Traffic Injection.
  – Only on the Guard.
  – Used for traffic injection.
  – View within the Zebra router configuration.
  – The show ip route command in the Zebra router shows the static routes for Table 100.

Guard & Detector
Guard Only

Type: Concept

Importance: High

Time: As Needed

Purpose: Explain that there are 2 routing tables on the Guard: one for management and 1 for the diversion process.

In the book: Syntax of the static route command.

Misc:


17.

DDoS v2.0—2-17

Routing Table 1

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:7103          localhost:52022         TIME_WAIT
tcp        0      0 localhost:8200          localhost:32880         ESTABLISHED
tcp        0      0 localhost:52023         localhost:8200          TIME_WAIT
tcp      342      0 localhost:32883         localhost:1111          ESTABLISHED
tcp        0      0 localhost:32879         localhost:1111          ESTABLISHED
tcp        0      0 30.0.0.10:33027         30.0.0.3:bgp            ESTABLISHED
Active UNIX domain sockets (w/o servers)
unix 14 [ ] DGRAM           474   /dev/log
unix  2 [ ] DGRAM           45551
unix  2 [ ] DGRAM           45550
unix  2 [ ] DGRAM           45549
unix  3 [ ] STREAM CONNECTED 45521 /tmp/.zserv
unix  3 [ ] STREAM CONNECTED 45520
unix  3 [ ] STREAM CONNECTED 45509 /tmp/.zserv
unix  3 [ ] STREAM CONNECTED 45507
unix  2 [ ] DGRAM           31917
unix  2 [ ] DGRAM           29172
guard@GUARD#

Guard & Detector
Viewed with the “netstat” command

Type: Concept

Importance: Medium

Time: As Needed

Purpose: This command shows management connections. This is routing table 1.

In the book: N/A

Misc:

18.

DDoS v2.0—2-18

Routing Table 1 (Cont.)

guard@GUARD# sh ip route
50.0.0.2 via 30.0.0.3 dev giga1
11.11.11.0/30 dev gre1 proto kernel scope link src 11.11.11.1
127.0.0.0/8 dev lo scope link src 127.0.0.1
guard@GUARD#

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: This also shows the routes for table 1. Note the prompt … show ip route is executed from a “guard” prompt.

In the book: N/A

Misc:

19.

DDoS v2.0—2-19

Routing Table 100

guard@GUARD-conf# router
Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.
router> en
router# sh ip route
Codes: G - Guard route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, > - selected route, * - FIB route
C>* 11.11.11.0/30 is directly connected, gre1
C>* 30.0.0.0/8 is directly connected, giga1
C>* 30.0.0.100/32 is directly connected, lo
S>* 40.0.0.0/8 [1/0] via 11.11.11.2, gre1
C>* 100.0.0.0/8 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
router# show table
table 100

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: This command shows the entries for routing table 100, used for diversion.

In the book: This show ip route is executed from the Zebra router prompt. Note show table.

Misc:
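Slides 16 to 19 contrast the management table (table 1, read with netstat and the guard-prompt show ip route) with the injection table (table 100, read from the Zebra prompt). When auditing a Guard it is useful to pull the Zebra listing into a script and answer "which entry would carry injected traffic for this zone address?" without eyeballing the table. The following is an added example, not Cisco or Zebra code: a parser for the Zebra show ip route format shown on slide 19 plus a longest-prefix lookup over the parsed entries. The sample text is constructed to mirror the slide and was not captured from a device; the Route dataclass and the function names are assumptions made for the example.

```python
"""Parse the Zebra 'show ip route' listing the Guard prints for table 100.

Added example, not Cisco or Zebra code. ZEBRA_SAMPLE is constructed to match
the slide's listing; it is not output captured from a real Guard.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ZEBRA_SAMPLE = """\
Codes: G - Guard route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, > - selected route, * - FIB route
C>* 11.11.11.0/30 is directly connected, gre1
C>* 30.0.0.0/8 is directly connected, giga1
C>* 30.0.0.100/32 is directly connected, lo
S>* 40.0.0.0/8 [1/0] via 11.11.11.2, gre1
C>* 100.0.0.0/8 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo
"""

# One route line: code letter, optional '>' (selected) and '*' (in FIB),
# prefix, optional [admin-distance/metric], then either a connected
# interface or a "via nexthop, interface" pair.
ROUTE_RE = re.compile(
    r"^(?P<code>[GCSROB])(?P<selected>>?)(?P<fib>\*?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:is directly connected, |via (?P<nexthop>\d+\.\d+\.\d+\.\d+), )"
    r"(?P<iface>\S+)\s*$"
)


@dataclass
class Route:
    code: str                       # C connected, S static, G Guard route, ...
    prefix: ipaddress.IPv4Network
    iface: str
    nexthop: Optional[str]          # None for directly connected prefixes
    selected: bool
    in_fib: bool


def parse_zebra_routes(text: str) -> List[Route]:
    """Return every route line in the listing; legend lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            code=m["code"],
            prefix=ipaddress.IPv4Network(m["prefix"]),
            iface=m["iface"],
            nexthop=m["nexthop"],
            selected=m["selected"] == ">",
            in_fib=m["fib"] == "*",
        ))
    return routes


def static_routes(routes: List[Route]) -> List[Route]:
    """The static entries are the injection routes the operator configured."""
    return [r for r in routes if r.code == "S"]


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match among FIB entries: where traffic to ip would go."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if r.in_fib and addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


if __name__ == "__main__":
    table = parse_zebra_routes(ZEBRA_SAMPLE)
    for r in static_routes(table):
        print(f"injection route {r.prefix} via {r.nexthop} on {r.iface}")
    hit = lookup(table, "40.1.2.3")
    print("40.1.2.3 ->", hit.iface if hit else "no route")
```

The /32 entry for 30.0.0.100 wins over the /8 on giga1 in the lookup, which is the same longest-match rule the kernel applies when the Guard injects traffic back toward the zone.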

20.

DDoS v2.0—2-20

Cisco Guard Proxy Addresses

• Depending on the anti-spoofing mode, the Cisco Guard might proxy connections toward the zone:
  – During proxy operation the client “sees” only the zone address.
  – Cisco Guard uses the proxy IP address (not the client IP address) for traffic forwarded to the zone.
  – Cisco Guard acts like a proxy; the connection is opened only after the source is authenticated.
• The operator can define up to 60 proxy IP addresses.
  – Cisco recommends configuring only 20 proxy IP addresses due to performance issues.
  – A minimum of 1 proxy IP address is required by the Guard to function.

Guard Only

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Discuss the need for a proxy IP in order for Guard proxy mode anti-spoofing, where the Guard serves as a zone-facing proxy.

In the book: Each proxy can handle 64000 connections. Used for strong mode filters. You must configure at least 1 proxy address on the Guard.

Misc:


21.

DDoS v2.0—2-21

Configuring a Proxy Address

admin@GUARD-conf# proxy ip-address

• Configures a proxy address on the Cisco Guard.

admin@GUARD-conf# proxy 100.0.10.19
admin@GUARD-conf#

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain the command needed to configure the proxy address. Note it is for the Guard only.

In the book: You can have up to 60 proxy IP addresses, but it is recommended you configure no more than 20. The proxy IP address doesn’t respond to pings.

Misc:

22.

DDoS v2.0—2-22

Guard in-line without proxy countermeasures

[Diagram: traffic flow Internet → Divert From Router → Guard → Next Hop → Zone.]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Show traffic flow without using strong mode protection.

In the book: N/A

Misc:

23.

DDoS v2.0—2-23

Guard in-line with proxy countermeasures

[Diagram: traffic flow Internet → Divert From Router → Guard → Next Hop → Zone, with the Guard proxying connections toward the zone.]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Show traffic flow using strong mode protection.

In the book: N/A

Misc:

24.

DDoS v2.0—2-24

Enabling Cisco Guard and Cisco Traffic Anomaly Detector Services

admin@GUARD-conf# service ?
internode-comm : Detector-Guard communication channel
ntp            : Network Time Protocol
snmp-server    : SNMP engine
snmp-trap      : SNMP Trap generator
wbm            : Web Based Management
admin@GUARD-conf#

admin@GUARD-conf# service snmp-server
admin@GUARD-conf# service snmp-trap
admin@GUARD-conf# permit snmp-server 192.168.10.35
admin@GUARD-conf# snmp community cisco123
admin@GUARD-conf# snmp trap-dest 128.5.5.1

Guard & Detector

Type: Command

Importance: High

Time: As Needed

Purpose: Introduction to the services on the Guard and Detector. Service activation must be configured by the user. These services are very important for the proper function of the Guard and Detector.

In the book: A list of each service and a description of what it is used for.

Misc:


25.

DDoS v2.0—2-25

Enabling Cisco Guard and Cisco Traffic Anomaly Detector Services (Cont.)

admin@GUARD-conf# permit ?
internode-comm : Detector-Guard communication channel
ntp            : Network Time Protocol
snmp-server    : SNMP engine
ssh            : Secure shell
wbm            : Web Based Management
admin@GUARD-conf#

admin@GUARD-conf# ntp server 128.5.5.1
admin@GUARD-conf# permit ntp 192.168.10.35
admin@GUARD-conf# timezone Africa/Timbuktu

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Shows an example of configuring the NTP service. The configuration of most services is similar.

In the book: The SSH service does not need to be turned on. It is on by default.

Misc:

26.

DDoS v2.0—2-26

Configuring Syslog

admin@GUARD-conf# logging host 197.23.4.67
admin@GUARD-conf#

admin@GUARD-conf# logging trap ?
alerts        : Immediate action needed (severity=1)
critical      : Critical conditions (severity=2)
debugging     : Debugging messages (severity=7)
emergencies   : System is unusable (severity=0)
errors        : Error conditions (severity=3)
informational : Informational messages (severity=6)
notifications : Normal but significant conditions (severity=5)
warnings      : Warning conditions (severity=4)
admin@GUARD-conf#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Discuss configuring syslog, and the information contained therein. The Guard and Detector use the standard levels of syslog classification … alerts, warnings, informational etc.

In the book: N/A

Misc:
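The eight levels under logging trap ? are the standard syslog severities, and the level given to logging trap is a threshold: messages at that severity or more urgent (a lower number) are sent to the logging host, the rest are dropped. A collector team that wants to confirm what a given threshold actually lets through can model it directly. The following is an added example, not Cisco code: it decodes the RFC 3164 PRI field of syslog lines and applies the threshold the way the slide describes. The sample lines are constructed for the example (facility local7, as is common for network devices) and are not real Guard messages; the function names are assumptions.

```python
"""Model the effect of 'logging trap <level>' on a stream of syslog messages.

Added example, not Cisco code. SEVERITY mirrors the eight levels shown under
'logging trap ?' on the slide. SAMPLE_LINES are constructed for the example
and carry the RFC 3164 PRI header <facility*8 + severity>.
"""
import re
from typing import List

# Level keyword -> numeric severity, exactly as listed on the slide.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")

# Constructed sample: facility local7 (23), so PRI = 184 + severity.
SAMPLE_LINES = [
    "<185>zone scannet: attack detected, protection activated",     # severity 1, alert
    "<187>zone scannet: flex filter could not be compiled",         # severity 3, error
    "<188>zone scannet: rate-limit exceeded for policy tcp_syn",    # severity 4, warning
    "<189>zone scannet: learning phase completed",                  # severity 5, notice
    "<190>user admin logged in from 192.168.10.35",                 # severity 6, info
]


def _pri(line: str) -> int:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing PRI header: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 times 8 plus severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    return pri


def severity_of(line: str) -> int:
    """Low three bits of PRI are the severity (0 = emergency .. 7 = debug)."""
    return _pri(line) & 7


def facility_of(line: str) -> int:
    """Remaining bits of PRI are the facility code."""
    return _pri(line) >> 3


def forwarded(lines: List[str], trap_level: str) -> List[str]:
    """Lines a 'logging trap trap_level' setting would send to the logging host."""
    if trap_level not in SEVERITY:
        raise ValueError(f"unknown logging trap level: {trap_level}")
    threshold = SEVERITY[trap_level]
    return [line for line in lines if severity_of(line) <= threshold]


def levels_forwarded(trap_level: str) -> List[str]:
    """Names of every level that passes a given threshold, most urgent first."""
    threshold = SEVERITY[trap_level]
    return [name for name, sev in sorted(SEVERITY.items(), key=lambda kv: kv[1])
            if sev <= threshold]


if __name__ == "__main__":
    for level in ("errors", "warnings", "debugging"):
        kept = forwarded(SAMPLE_LINES, level)
        print(f"logging trap {level}: {len(kept)} of {len(SAMPLE_LINES)} lines forwarded")
```

The practical point for detection engineering is visible in the counts: a threshold of errors drops the rate-limit warning and the learning notice, both of which a SOC will usually want, so warnings or notifications is the more common choice for a Guard that feeds a SIEM.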

27.

DDoS v2.0—2-27

Reload Command

• You can reload the configuration without rebooting the machine by using the reload command.
• For the following changes to take effect, you must execute the reload command:
  – Synchronizing with an NTP server.
  – Activating or deactivating a gigabit interface using the “(no) shutdown” command.
  – Burning a new flash.

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Discuss the issues to be aware of when using the “reload” command.

In the book: “Reloading initializes all data structures and restarts network services.”

Misc:

28.

DDoS v2.0—2-28

Reload Command (Cont.)

admin@GUARD# reload
Are you sure you want to reload? Type 'yes' to reload
yes
reloading...
Killing routing daemons... Done
Shutting down interface giga0: [OK]
Shutting down interface giga1: [OK]
admin@GUARD#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the syntax of the command.

In the book: N/A

Misc:


29.

DDoS v2.0—2-29

Reboot and Powerdown Commands

Reboot

admin@GUARD# reboot
Are you sure you want to reboot? Type 'yes' to reboot
yes

Powering down the device.

admin@GUARD# poweroff
admin@GUARD#

• Safely shuts down processes.

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the syntax of these commands.

In the book: Additional commands for setting zone activation after reboot. Never just power down the Guard or Detector by cutting the power.

Misc:

30.

DDoS v2.0—2-30

Summary

• The Cisco Guard and Cisco Traffic Anomaly Detector share the same chassis with the same interfaces and controls.
• The CLI is similar to the Cisco IOS router CLI.
• Setting up the Guard and Detector requires the configuration of interfaces, services, and access.
• Configuring physical interfaces requires entering the configuration mode, setting IP addresses, and activating the interface.
• Generally speaking, a default gateway must be configured to enable remote administration.
• TCP proxy addresses are needed to ensure operability.
• Basic services can be activated just like on a router.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

31.

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:


Lesson 3

1.

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Configuring Zones

Type: Title

Importance: Medium

Time: As Needed

Purpose: High level overview of the chapter.

In the book: N/A

Misc:

2.

DDoS v2.0—3-2

Outline
• Overview.
• The Zone Configuration Process.
• Creating the Zone.
• Overview of Traffic Diversion and Injection.
• Configuring Remote Activation of Cisco Guard.
• Learning Zone Traffic Characteristics.
• Summary.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Overview of the zone configuration process. Review the definition of a zone as a network element the Guard uses to protect against DDoS attacks.

In the book: N/A

Misc:

3.

DDoS v2.0—3-3

The Zone Configuration Process

[Diagram: two parallel flows, one per device.
Cisco Guard: Create the Zone; Configure Diversion and Injection; Configure Zone Filters (Optional); Perform Zone Learning.
Traffic Anomaly Detector: Create the Zone; Configure Remote Guard Activation; Configure Zone Filters (Optional); Perform Zone Learning.]

Type: Concept

Importance: High

Time: As Needed

Purpose: Discuss the zone configuration process. A Guard can protect different zones simultaneously as long as the network ranges do not overlap. Zones are assigned reference names.

In the book: A description of each one of the phases listed in the slide. See the note about “zone filters.”

Misc:

4.

DDoS v2.0—3-4

The Zone Configuration Process

[Diagram: same two flows as the previous slide, with the Create the Zone step highlighted for both the Cisco Guard and the Traffic Anomaly Detector.]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Discuss the process of creating a zone: create the zone, configure the name and description.

In the book: Zones are initially created from templates to provide a default set of filters, policies and thresholds. This can be altered by “learning.”

Misc:


5.

DDoS v2.0—3-5

Creating the Zone

Step 1: Create a zone.
Step 2: Define the zone IP address(es).
Step 3: (Optional) Define rate limits for the zone.
Step 4: (Optional) Add a zone description.

Guard & Detector

Type: Concept

Importance: Medium

Time: As Needed

Purpose: To define the basic steps for creating a zone.

In the book: N/A

Misc:

6.

DDoS v2.0—3-6

Step 1: Create a Zone

admin@DEVICE-conf# zone new-zone-name [template] [interactive]

• Creates a new zone from the system-defined zone templates.

admin@GUARD-conf# zone scannet interactive
admin@GUARD-conf-zone-scannet#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the CLI syntax for creating a zone.

In the book: They mention that the example creates a zone using the default Guard template because no other template was specified. Templates set the default configuration for the zone that is created. Also note the “interactive” option.

Misc:

7.

DDoS v2.0—3-7

Step 1: Create a Zone (Cont.)

Guard and Detector Zone Templates
• DEFAULT
• TCP_NO_PROXY (Guard Only)
• Bandwidth-limited link templates
  – Link_128K
  – Link_512K
  – Link_1M
  – Link_4M
• GUARD_VOIP (Guard Only)
• Detector_WORM (Detector Only)

admin@GUARD-conf# zone scanserver TCP_NO_PROXY
admin@GUARD-conf-zone-scanserver#

Guard & Detector

Type: Command

Importance: High

Time: As Needed

Purpose: To highlight the predefined templates that come on the Guard. Mention issues with policy construction and “on demand” bandwidth templates. Discuss TCP_NO_PROXY and why. Also, explain why the Detector has all templates, but the Guard only has Guard templates.

In the book: Descriptions of the various templates that are available.

Misc:

8.

DDoS v2.0—3-8

Step 1: Create a Zone (Cont.)

admin@DEVICE-conf# zone new-zone-name copy-from base-zone-name
• Use from the global configuration prompt.

admin@DEVICE-conf-zone-existing_zone_name# zone new-zone-name copy-from-this
• Use from the zone configuration prompt for an existing zone.

admin@GUARD-conf# zone scanserver copy-from scannet
admin@GUARD-conf-zone-scanserver#

admin@DETECTOR-conf-zone-scannet# zone mailserver copy-from-this
admin@DETECTOR-conf-zone-mailserver#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: This shows the various CLI options for creating a zone by copying an existing one. You would do this so that your new zone has the same policies as the one you copied. This basically makes the “copied zone” the template. Discuss the commands to create a zone from an existing zone. Policies of a new zone are marked as not tuned.

In the book: Zone names can be 63 characters long.

Misc:


9.

DDoS v2.0—3-9

Step 1: Create a Zone (Cont.)

[Graphic: the Guard web interface form for creating a zone.]

Guard Only

Type: Graphic

Importance: Medium

Time: As Needed

Purpose: Discuss the process of creating a zone using the web interface.

In the book: Note the differences between the Guard and Detector zone configuration forms. This is due to each one’s respective function.

Misc:

10.

DDoS v2.0—3-10

Step 1: Creating a Zone (Cont.)

[Graphic: the WBM new zone form.]

Guard & Detector

Type: Graphic

Importance: Medium

Time: As Needed

Purpose: Discuss using the WBM for creating a new zone form.

In the book: N/A

Misc:

11.

DDoS v2.0—3-11

Step 2: Define the Zone IP Address

admin@DEVICE-conf-zone-new-zone-name# ip address ip-addr [ip-mask]

• Defines the IP address or subnet IP address for the new zone.
• The default mask is 255.255.255.255.

admin@GUARD-conf-zone-scannet# ip address 192.168.100.34 255.255.255.252
admin@GUARD-conf-zone-scannet# ip address 200.200.1.1
admin@GUARD-conf-zone-scannet# ip address 172.18.0.0 255.255.0.0

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Discuss the commands for defining the zone IP address. Note you must configure at least one included IP address.

In the book: See the note about the first IP address. /32 is the default mask.

Misc:

12.

DDoS v2.0—3-12

Step 3: Define Rate Limits for the Zone (Optional)

admin@GUARD-conf-zone-new-zone-name# rate-limit {no-limit | rate burst-size rate-units}

• Defines the bandwidth allowed to pass to the new zone (optional)
• Rate-units include:
  – bps: bits per second.
  – kbps: kilobits per second.
  – kpps: kilopackets per second.
  – mbps: megabits per second.
  – pps: packets per second.

admin@GUARD-conf-zone-scannet# rate-limit 1000 2300 pps
admin@GUARD-conf-zone-scannet#

Guard Only

Type: Command

Importance: High

Time: As Needed

Purpose: Explain the commands for defining the rate limits for the zone. The rate specifies the amount of traffic to pass, in the units specified by rate-units; the rate limit can be up to 10 times the burst limit.

In the book: Description of the CLI parameters.

Misc:


13. (Slide DDoS v2.0—3-13)

Step 4: Add a Zone Description (Optional)

admin@GUARD-conf-zone-new-zone-name# description string

• Defines a description to identify the new zone (optional).

admin@GUARD-conf-zone-scannet# description This zone is used for demonstration purposes
admin@GUARD-conf-zone-scannet#

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: Describe the web and CLI processes for adding a zone description. Useful where there are multiple zones.

In the book: Basic concept … 80 character string.

Misc:

14. (Slide DDoS v2.0—3-14)

The Zone Configuration Process

[Diagram: two parallel flows. Cisco Guard: Create the Zone → Configure Diversion and Injection → Perform Zone Learning → Configure Zone Filters (Optional). Traffic Anomaly Detector: Create the Zone → Configure Remote Guard Activation → Perform Zone Learning → Configure Zone Filters (Optional).]

Type: Command

Importance: Medium

Time: As Needed

Purpose: Discuss the zone configuration process for diversion and injection.

In the book: Diversion is not necessary for the Detector.

Misc:

15. (Slide DDoS v2.0—3-15)

Configuring Zone Traffic Diversion and Injection

[Diagram: Layer 2 Topology: Internet, R1, Layer 2 Switch, R2, Cisco Guard, Zone; address labels 192.168.8.1/24 and 192.168.8.8/24; flows marked Total Network Traffic and Diverted Zone Traffic. Layer 3 Topology: Internet, R1, R2, Cisco Guard, Zone; address label 192.168.8.1/24; the same two flows.]

Guard Only

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: Traffic diversion is topology independent. Configuration procedures for layer 2 and layer 3 are identical.

In the book: N/A

Misc:

16. (Slide DDoS v2.0—3-16)

Configuring Zone Traffic Diversion and Injection

• Traffic diversion and injection mechanisms must be configured prior to initiating the learning process on the Cisco Guard.
• The concepts of traffic diversion and injection will be covered in more detail in the following chapters.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Give a high-level definition of traffic diversion and injection. These are covered in the following chapters.

In the book: N/A

Misc:


17. (Slide DDoS v2.0—3-17)

The Zone Configuration Process

[Diagram: two parallel flows. Cisco Guard: Create the Zone → Configure Diversion and Injection → Perform Zone Learning → Configure Zone Filters (Optional). Traffic Anomaly Detector: Create the Zone → Configure Remote Guard Activation → Perform Zone Learning → Configure Zone Filters (Optional).]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: The next step in the process is to configure remote activation.

In the book: N/A

Misc:

18. (Slide DDoS v2.0—3-18)

Configuring Remote Activation of Cisco Guard

To enable Detector activation of remote Guard devices:

1. Configure the zone on both the Guard and the Detector.
– Zone names must be identical.
– Configure zone Guard protection forms (optional, but recommended).

2. Configure the remote Guard lists:
– Default.
– Zone-specific.

3. Configure the Guard activation connection.

Slide callouts: Detector Only; Guard & Detector (this must be done on both devices; however, the commands are unique for each device because of each device's respective role).

Type: Concept

Importance: High
Time: As Needed

Purpose: Discuss the steps for configuring remote activation. Configuration is necessary on both devices, but there are different commands.

In the book: The difference between zone-specific and default Guard lists. Also see the note on what happens if no Guard is specified.

Misc:

19. (Slide DDoS v2.0—3-19)

Configuring Zone Guard-Protection Forms

admin@DETECTOR-conf-zone-zone-name# protect-ip-state {entire-zone | dst-ip-by-ip | dst-ip-by-name | policy-type}

• Activate zone Guard-protection form on the Detector.

Detector Only

Type: Command

Importance: High
Time: As Needed

Purpose: To show the options for protection. Default is "Entire Zone."

In the book: A description of what each one does.

Misc:

20. (Slide DDoS v2.0—3-20)

Configuring the Remote Guard Lists

admin@DETECTOR-conf# remote-guard [ssh, ssl] remote-guard-address

• Configure the default remote Guard list on the Detector.

admin@DETECTOR-conf-zone-zone-name# remote-guard [ssh, ssl] remote-guard-address

• Configure a zone-specific remote Guard list on the Detector.

Detector Only

Type: Command

Importance: High
Time: As Needed

Purpose: To show the syntax for defining remote Guard lists. Note the difference in prompt: global vs. zone configuration mode. Discuss the differences between SSL (used for internode-comm) and SSH.
In the book: Use of the "show detector" command.

Misc:


21. (Slide DDoS v2.0—3-21)

Configuring the Remote Guard Activation Connection

admin@DETECTOR-conf# remote-guard ssh 100.0.0.23
admin@DETECTOR-conf# key generate
Keys were successfuly generated. Please use "key publish" to update remote-guard
admin@DETECTOR-conf# key publish *
The authenticity of host '100.0.0.23 (100.0.0.23)' can't be established.
RSA key fingerprint is 8f:49:85:41:d7:35:fa:95:15:7c:e5:39:9a:df:29:21.
riverhead@100.0.0.23's password: <password>
admin@DETECTOR-conf#

Detector Only

The <password> must be equal to the value in the "riverhead" user account configured on the remote Guard.

Type: Command

Importance: High
Time: As Needed

Purpose: To show the steps for successful key exchange.

In the book: The key can be added manually with the "key add" command. Keys can be viewed with the "show host keys" command.

Misc:

22. (Slide DDoS v2.0—3-22)

The Zone Configuration Process

[Diagram: two parallel flows. Cisco Guard: Create the Zone → Configure Diversion and Injection → Perform Zone Learning → Configure Zone Filters (Optional). Traffic Anomaly Detector: Create the Zone → Configure Remote Guard Activation → Perform Zone Learning → Configure Zone Filters (Optional).]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Discuss the zone learning process on the Guard and the Detector, where the learning process creates a baseline of normal traffic when no attack is running on the network.
In the book: N/A

Misc:

23. (Slide DDoS v2.0—3-23)

Learning Zone Traffic Characteristics

• Zone diversion mechanisms must be configured prior to initiating the learning process.

Guard Zone States:
• Inactive.
• Protect Mode.
– Auto Protection.
– Interactive Protection.
• Protect & Learn Mode.
– Learning Policy Construction.
– Learning Threshold Tuning.

Detector Zone States:
• Inactive.
• Detect Mode.
– Auto Detection.
– Interactive Detection.
• Detect & Learn Mode.
– Learning Policy Construction.
– Learning Threshold Tuning.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Review the learning zone traffic characteristics. The learning process consists of two phases, policy construction and threshold tuning.

In the book: Description of Policy Construction vs. Threshold Tuning.

Misc:

24. (Slide DDoS v2.0—3-24)

Learning Zone Traffic Characteristics (Cont.)

During learning, a packet is dropped if one of the following fields equals zero:
• Source IP address.
• Protocol number.
• UDP source or destination port.
• TCP source or destination port.

Guard & Detector

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Slide states a fact about traffic during learning.

In the book: Note about being attacked while learning.

Misc:
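The drop rule on slide 24 applied to raw IPv4 packets, as an added example that is not Cisco's code or part of the course material. The packet builder, the sample capture and the zone address 192.168.8.8 (taken from the topology slide) are constructed for the demonstration; how the Guard and Detector implement the check internally is not described on the page.

```python
"""Learning-phase packet check modelled on slide 24.

Added example (not Cisco's code). While a zone is learning, a packet is not
used if its source IP address, protocol number, or TCP/UDP source or
destination port equals zero. The packets below are constructed minimal IPv4
frames (no options, checksum left at zero) built only for this demo.
"""
import struct
from typing import List, Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17
# version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def learning_drop_reason(packet: bytes) -> Optional[str]:
    """Return None if the packet may feed learning, otherwise why it is dropped."""
    if len(packet) < 20:
        return "truncated IPv4 header"
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        return "not IPv4"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "bad header length"
    # The slide's zero-field rules, checked in the order the fields appear.
    if src == b"\x00\x00\x00\x00":
        return "source IP address is zero"
    if proto == 0:
        return "protocol number is zero"
    if proto in (PROTO_TCP, PROTO_UDP):
        # Source and destination ports are the first four bytes of both TCP and UDP headers.
        if len(packet) < ihl + 4:
            return "truncated transport header"
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        name = "TCP" if proto == PROTO_TCP else "UDP"
        if sport == 0:
            return f"{name} source port is zero"
        if dport == 0:
            return f"{name} destination port is zero"
    return None  # other protocols (ICMP, GRE, ...) carry no port rule


def build_packet(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Construct a minimal IPv4 packet; a port pair is appended only for TCP/UDP."""
    body = struct.pack("!HH", sport, dport) if proto in (PROTO_TCP, PROTO_UDP) else b""
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + body


def filter_learning_traffic(packets: List[bytes]) -> Tuple[List[bytes], List[Tuple[bytes, str]]]:
    """Split a capture into packets the learner keeps and (packet, reason) pairs it drops."""
    kept: List[bytes] = []
    dropped: List[Tuple[bytes, str]] = []
    for pkt in packets:
        reason = learning_drop_reason(pkt)
        if reason is None:
            kept.append(pkt)
        else:
            dropped.append((pkt, reason))
    return kept, dropped


# Constructed sample capture towards the zone address from the topology slide.
ZONE = "192.168.8.8"
SAMPLE_CAPTURE = [
    build_packet("10.1.1.5", ZONE, PROTO_TCP, 40000, 80),   # normal web request: kept
    build_packet("10.1.1.6", ZONE, PROTO_UDP, 53000, 53),   # normal DNS query: kept
    build_packet("10.1.1.7", ZONE, 1),                      # ICMP, no port rule: kept
    build_packet("0.0.0.0", ZONE, PROTO_TCP, 40000, 80),    # zero source address: dropped
    build_packet("10.1.1.8", ZONE, 0),                      # zero protocol number: dropped
    build_packet("10.1.1.9", ZONE, PROTO_UDP, 0, 53),       # zero UDP source port: dropped
    build_packet("10.1.1.10", ZONE, PROTO_TCP, 40000, 0),   # zero TCP destination port: dropped
]

if __name__ == "__main__":
    kept, dropped = filter_learning_traffic(SAMPLE_CAPTURE)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for _, reason in dropped:
        print("  dropped:", reason)
```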


25. (Slide DDoS v2.0—3-25)

Understanding the Protect and Learn Function

• Users can activate the threshold tuning phase and zone protection simultaneously.

• When the Guard detects an attack, it stops the learning processes and protects the zone.

• Once it determines that the attack has subsided, it resumes the learning processes.

• Pre-defined zone templates can be used to protect a zone without undergoing the learning process.

Guard Only

Type: Concept

Importance: High
Time: As Needed

Purpose: To introduce the Protect and Learn function.

In the book: You must do policy construction first. Mentions "learning-params" commands.

Misc:

26. (Slide DDoS v2.0—3-26)

Understanding the Detect and Learn Function

• After the initial learning process of constructing policies, the learn and detect modes can be enabled simultaneously.

• The Detector tunes the policy thresholds and monitors the policy thresholds for traffic anomalies.

• The detect and learn function enables the Detector to detect anomalies in the zone traffic, constantly update the policy thresholds based on the zone traffic characteristics, and prevents the Detector from learning malicious traffic thresholds.

• Before activating the detect and learn function, the Detector can be configured, through the learning parameters, to control when and how it accepts the results of the learning process.

Detector Only

Type: Concept

Importance: High
Time: As Needed

Purpose: Introduces the Detect and Learn function.

In the book: You must do policy construction first. Mentions "learning-params" commands. The Detector polls the Guard to determine if an attack is presently taking place.
Misc:

27. (Slide DDoS v2.0—3-27)

Constructing Zone Policies

• Use the global configuration prompt to construct policies for all zones or a group of zones, where * is a wildcard.

admin@GUARD-conf# learning policy-construction *

• Use the zone configuration prompt to construct the policy for a specific zone.

admin@GUARD-conf-zone-zone_name# learning policy-construction

Guard & Detector

Type: Command

Importance: High
Time: As Needed

Purpose: To show the CLI syntax to enable policy construction. Zone vs. global configuration modes.

In the book: Verify with the show rates details command.

Misc:

28. (Slide DDoS v2.0—3-28)

Constructing Zone Policies (Cont.)

• Use the zone configuration prompt to terminate policy construction for a single zone.

• Use the accept argument to accept newly constructed policies, or use the reject argument to return to the previous (or default) configuration.

admin@GUARD-conf-zone-zone_name# no learning accept|reject

• Use the global prompt to terminate policy construction for all zones or a group of zones where * is a wildcard.

admin@GUARD-conf# no learning * accept|reject

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the CLI syntax to stop policy construction and either accept or reject the information.

In the book: Show policies statistics command to view learning before accepting.

Misc:


29. (Slide DDoS v2.0—3-29)

Tuning Policy Thresholds

• Use the global configuration prompt to tune policy thresholds for all zones or a group of zones where * is a wildcard.

admin@GUARD-conf# learning threshold-tuning *

• Use the zone configuration prompt to tune the policy thresholds for a specific zone.

admin@GUARD-conf-zone-zone_name# learning threshold-tuning

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the CLI syntax to enable threshold tuning. Zone vs. global configuration modes.

In the book: N/A

Misc:

30. (Slide DDoS v2.0—3-30)

Tuning Policy Thresholds (Cont.)

• Use the zone configuration prompt to terminate threshold tuning for a single zone.

• Use the accept argument to accept newly constructed policies, or use the reject argument to return to the previous (or default) configuration.

admin@GUARD-conf-zone-zone_name# no learning accept|reject

• Use the global configuration prompt to terminate threshold tuning for all zones or a group of zones where * is a wildcard.

admin@GUARD-conf# no learning * accept|reject

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the CLI syntax to stop threshold tuning and either accept or reject the information.

In the book: Show policies statistics command to view learning before accepting.

Misc:

31. (Slide DDoS v2.0—3-31)

Policy Construction / Verification / Acceptance

• Learning—Construct policies.

admin@GUARD-conf-zone-ecom1server# learning policy-construction
admin@GUARD-conf-zone-ecom1server# show rates details
                        pps        bps
Legitimate traffic:   24318   14366316
Malicious traffic:        0          0
Received traffic:     24318   14366316
Forwarded traffic:    24318   14366316
Dropped traffic:          0          0
Replied traffic:          0          0
Invalid zone:             0          0
admin@GUARD-conf-zone-ecom1server# no learning accept
admin@GUARD-conf-zone-ecom1server#

Guard & Detector

Guard Only: "Received traffic" is the only counter displayed on the Detector. All commands are the same.

Type: Command

Importance: Medium

Time: As Needed

Purpose: CLI commands used to enable, verify and accept policy construction.

In the book: N/A

Misc:

32. (Slide DDoS v2.0—3-32)

Threshold-tuning / Verification / Acceptance

• Learning—Tune policy thresholds.

admin@GUARD-conf-zone-ecom1server# learning threshold-tuning
admin@GUARD-conf-zone-ecom1server# show rates details
                        pps        bps
Legitimate traffic:   23239   14365237
Malicious traffic:        0          0
Received traffic:     23239   14365237
Forwarded traffic:    23239   14365237
Dropped traffic:          0          0
Replied traffic:          0          0
Invalid zone:             0          0
admin@GUARD-conf-zone-ecom1server# no learning accept
admin@GUARD-conf-zone-ecom1server#

Guard Only: "Received traffic" is the only counter displayed on the Detector. All commands are the same.

Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: CLI commands used to enable, verify and accept threshold tuning.

In the book: N/A

Misc:


33. (Slide DDoS v2.0—3-33)

Snapshots

• Zone policies can be copied from snapshots.
• You can compare the learning results of two snapshots or two zones to trace the differences in policies, services, and thresholds.

• Snapshots can be created from learning parameters (services, thresholds, and other policy-related data) at any stage during the learning process.

• The learning parameters of two zones, or of two snapshot policies for a zone, can be compared.

• Recommendation: Take a snapshot every few hours during the learning process.

Guard & Detector

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the concept of "snapshots."

In the book: The CLI syntax of the command with details of parameters. "Diff snapshot" command.

Misc: Snapshots can be taken from the GUI also.

34. (Slide DDoS v2.0—3-34)

Synchronization

• Used to synchronize the complete zone configuration between Detector and Guard using the SSL protocol.

• Detector learns on behalf of the Guard.
• Guidelines:

– Create a new zone on the Detector using the Guard zone templates.

– Ensure the Detector sees the traffic the Guard will divert.
– Detector configuration files will contain Guard and Detector zones, making the Detector a central configuration point.

– Changing a Guard or Detector's IP address or host name requires regenerating the SSL certificate.

Detector Only

Type: Concept

Importance: High
Time: As Needed

Purpose: Introduce the concept of synchronization between the Guard and Detector. This uses the service "internode-comm" and the protocol SSL.

In the book: Guard templates on the Detector. Detector becomes the single point of configuration. Learning is no longer needed on the Guard.

Misc:

35. (Slide DDoS v2.0—3-35)

Summary

• Basic zone configuration includes creating a zone and configuring the following: zone name and description, the zone network address, operation definitions, and basic networking characteristics such as the zone bandwidth.

• Zone diversion and injection mechanisms must be configured prior to initiating the learning process on the Cisco Guard.

• When configuring the Detector to enable remote activation of the Guard, use zone Guard-protection forms to conserve Guard resources and enable better focus on the zone detection and protection requirements.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

36. (Slide DDoS v2.0—3-36)

Summary (Cont.)

• During the learning process, the Guard and/or Detector creates the zone policies and adjusts the policy thresholds according to the observed traffic characteristics.

• The system template that was selected during zone creation determines which policy templates are used to construct the zone policies during the learning phase.

• Threshold tuning is recommended after policy construction is completed or if zone traffic patterns change.

• Snapshots and Synchronization are additional tools that assist in policy construction, tuning, and implementation.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:


37.

Type: Last
Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:

Lesson 4

1.

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Diverting Traffic

Type: Title
Importance: Medium

Time: As Needed

Purpose: High-level overview of the chapter.

In the book: N/A

Misc:

2. (Slide DDoS v2.0—4-2)

Outline

• Overview.
• What Is IP Traffic Diversion?
• Diversion Terminology.
• Configuring Traffic Diversion with BGP.
• The "Redistribute Guard" Command.
• Summary.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3. (Slide DDoS v2.0—4-3)

What Is IP Traffic Diversion?

Task 1: Divert traffic for one or more zones to the Guard without obstructing their flow.

Task 2: Return legitimate and cleaned traffic to the original data path to be forwarded on to the zone.

[Diagram: R1, R2, Zone, Guard; flows marked Network Traffic, Diverted Zone Traffic, and Forwarded Clean Zone Traffic.]

Guard Only

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Define IP traffic diversion, and how the Guard diverts, cleans, and returns traffic.

In the book: Overview – use of no-export and no-advertise.

Misc:

4. (Slide DDoS v2.0—4-4)

Diversion Terminology

Divert-from router: R1
Next-hop router: R2
Possible next-hop router (long injection via tunnel interfaces): R3
Inject-to router: R2

Note: A router may assume more than one function and may be referred to in more than one term.

The Guard appliance uses BGP to create a diversion!

[Diagram: Internet, R1, R2, R3, Zone, Guard; labels Upstream Router and Inject-to Router.]

Note: The AGM leverages the supervisor engine to create the diversion.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Explain the various terms used in diversion.

In the book: Definitions of what each term means.

Misc:


5. (Slide DDoS v2.0—4-5)

Configuring Zone Traffic Diversion

[Diagram: Layer 2 Topology: Internet, R1, Layer 2 Switch, R2, Cisco Guard, Zone; address labels 192.168.8.1/24 and 192.168.8.8/24; flows marked Total Network Traffic and Diverted Zone Traffic. Layer 3 Topology: Internet, R1, R2, Cisco Guard, Zone; address label 192.168.8.1/24; the same two flows.]

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Explain the model for traffic diversion. Note that traffic diversion is topology independent; configuration procedures for layer 2 and layer 3 are identical.
In the book: Differences between L2 and L3 topologies. "The Longest Match" rule. Note as to the use of iBGP or eBGP for diversion.

Misc:

6. (Slide DDoS v2.0—4-6)

BGP Announcement Example

4908G-L3# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set
C    192.168.128.0/24 is directly connected, GigabitEthernet5
C    192.168.10.0/24 is directly connected, GigabitEthernet8
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, GigabitEthernet3
O    192.168.3.0/24 [110/11] via 10.0.0.3, 2w1d, GigabitEthernet3

Routing table of upstream router before BGP announcement:

Upstream Router

Type: Command

Importance: Medium

Time: As Needed

Purpose: Used to contrast with the next slide.

In the book: N/A

Misc:

7. (Slide DDoS v2.0—4-7)

BGP Announcement Example (Cont.)

4908G-L3# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set
C    192.168.128.0/24 is directly connected, GigabitEthernet5
C    192.168.10.0/24 is directly connected, GigabitEthernet8
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, GigabitEthernet3
     192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
O       192.168.3.0/24 [110/11] via 10.0.0.3, 2w1d, GigabitEthernet3
B       192.168.3.128/32 [20/0] via 10.0.0.4, 00:00:17, GigabitEthernet3

Routing table of upstream router after BGP announcement:

Upstream Router

Type: Command

Importance: Medium

Time: As Needed

Purpose: The Guard sends a network prefix longer than the one already listed in the router's routing tables to divert traffic. The network prefix is the active zone's configured network prefix, subnetted in half if it is wider than a /32.
In the book: N/A

Misc:

8. (DDoS v2.0—4-8)

BGP Configuration Guidelines

• If you are setting up an eBGP connection use an easily recognizable autonomous system number.
• Configure the Guard to:
  – Drop incoming BGP routing information.
  – Set BGP community attributes to no-export and no-advertise.
• Use the soft-reconfiguration inbound command for easy troubleshooting and to allow easy restoration of the BGP routing table.

Type: Concept
Importance: Medium
Time: As Needed
Purpose: Discuss the BGP configuration guidelines used for the Guard.
In the book: Use of the "show ip bgp" command.
Misc:


9. (DDoS v2.0—4-9)

Guard BGP Configuration

• Don't forget to save your configuration with a "write memory."
• If you have not saved the Zebra router configuration and you execute a "reload" on the Guard, your configuration will be lost.

    admin@GUARD-conf# router
    Hello, this is zebra router (version 0.93b).
    Copyright 1996-2002 Kunihiro Ishiguro.

    router> enable
    router# config t
    router(config)# router bgp ?
      <1-65535>  AS number
    router(config)# router bgp 64555
    router(config-router)#

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: Discuss basic BGP configuration for the Guard's Zebra router.
In the book: Configure diversion while the zone is in standby mode. Steps to access the Zebra router.
Misc:

10. (DDoS v2.0—4-10)

Guard BGP Configuration (Cont.)

• Configure BGP routing on the Guard.

    router bgp 64555
     bgp router-id 192.168.8.8
     redistribute guard
     neighbor 192.168.8.1 remote-as 100
     neighbor 192.168.8.1 description divert-from router
     neighbor 192.168.8.1 soft-reconfiguration inbound
     neighbor 192.168.8.1 distribute-list nothing-in in
     neighbor 192.168.8.1 route-map Guard-out out
    !
    access-list nothing-in deny any
    !
    route-map Guard-out permit 10
     set community 100:64555 no-export no-advertise

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: Explain that you want to ensure the Guard's routes aren't redistributed to other internal and external BGP neighbors.
In the book: Standard BGP router configuration. You can use "?".
Misc: Save the Zebra router's configuration with the wr mem command.
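The guidelines from slide 4-8 can be checked mechanically against a Zebra configuration such as the one on slide 4-10, which is useful when auditing a Guard before a diversion is activated. The Python below is an added example and is not Cisco's or the course's code. It parses configuration text from a constructed string and reports, per BGP neighbor, whether incoming routes are dropped by an inbound deny-all distribute-list, whether the outbound route-map sets no-export and no-advertise, and whether soft-reconfiguration inbound is enabled. The parser only understands the neighbor, access-list and route-map lines these slides use (an assumption); the "broken" variant is constructed to show a failing check.

```python
"""Check a Guard Zebra BGP configuration against the slide 4-8 guidelines.

Added example, not part of the Cisco course material. Verifies, per neighbor:
(1) incoming BGP routes are dropped (inbound distribute-list that denies all),
(2) the outbound route-map sets no-export and no-advertise,
(3) soft-reconfiguration inbound is enabled.
Only the statement forms used on the slides are parsed (assumption).
"""
import re


def parse_bgp_config(text):
    """Return (neighbors, access_lists, route_maps) extracted from config text."""
    neighbors, acls, route_maps = {}, {}, {}
    current_map = None  # route-map entry currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current_map = None
            continue
        m = re.match(r"neighbor (\S+) (.+)", line)
        if m:
            n = neighbors.setdefault(m.group(1), {})
            words = m.group(2).split()
            if words[0] == "distribute-list" and words[-1] == "in":
                n["distribute_list_in"] = words[1]
            elif words[0] == "route-map" and words[-1] == "out":
                n["route_map_out"] = words[1]
            elif words[:2] == ["soft-reconfiguration", "inbound"]:
                n["soft_reconfig_inbound"] = True
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = re.match(r"route-map (\S+) (permit|deny) (\d+)", line)
        if m:
            current_map = route_maps.setdefault(m.group(1), [])
            continue
        if current_map is not None and line.startswith("set community"):
            current_map.append(line.split()[2:])  # community values of this entry
    return neighbors, acls, route_maps


def check_guard_bgp(text):
    """Map each neighbor address to the list of guidelines it fails."""
    neighbors, acls, route_maps = parse_bgp_config(text)
    report = {}
    for addr, n in neighbors.items():
        problems = []
        acl = acls.get(n.get("distribute_list_in"), [])
        if not acl or any(action != "deny" for action, _ in acl):
            problems.append("incoming BGP routes are not dropped")
        communities = [c for entry in route_maps.get(n.get("route_map_out"), [])
                       for c in entry]
        if not {"no-export", "no-advertise"} <= set(communities):
            problems.append("outbound routes lack no-export/no-advertise")
        if not n.get("soft_reconfig_inbound"):
            problems.append("soft-reconfiguration inbound missing")
        report[addr] = problems
    return report


# The Guard configuration from slide 4-10, reproduced as a constructed string.
GUARD_CONFIG = """\
router bgp 64555
 bgp router-id 192.168.8.8
 redistribute guard
 neighbor 192.168.8.1 remote-as 100
 neighbor 192.168.8.1 description divert-from router
 neighbor 192.168.8.1 soft-reconfiguration inbound
 neighbor 192.168.8.1 distribute-list nothing-in in
 neighbor 192.168.8.1 route-map Guard-out out
!
access-list nothing-in deny any
!
route-map Guard-out permit 10
 set community 100:64555 no-export no-advertise
"""

# Constructed variant: inbound filter and communities left out, so the Guard
# would accept the upstream table and its diversion routes could propagate
# beyond the divert-from router.
BROKEN_CONFIG = GUARD_CONFIG.replace(
    " neighbor 192.168.8.1 distribute-list nothing-in in\n", "").replace(
    " set community 100:64555 no-export no-advertise", " set community 100:64555")

if __name__ == "__main__":
    print("slide 4-10 config:", check_guard_bgp(GUARD_CONFIG))
    print("broken config:   ", check_guard_bgp(BROKEN_CONFIG))
```

An empty list for a neighbor means all three guidelines hold; the upstream router's mirror configuration on slide 4-11 can be checked the same way by swapping the neighbor address.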

11. (DDoS v2.0—4-11)

The Upstream Router's BGP Configuration

    router bgp 100
     bgp log-neighbor-changes
     neighbor 192.168.8.8 remote-as 64555
     neighbor 192.168.8.8 description Guard
     neighbor 192.168.8.8 soft-reconfiguration inbound
     neighbor 192.168.8.8 distribute-list routesToGuard out
     neighbor 192.168.8.8 route-map Guard-in in
     no synchronization
    !
    ip bgp-community new-format
    ip community-list extended Guard permit 100:64555 no-export no-advertise
    !
    route-map Guard-in permit 10
     match community Guard exact-match
    !
    ip access-list standard routesToGuard
     deny any

[Upstream Router]

Type: Command
Importance: Medium
Time: As Needed
Purpose: Configure the upstream router to match the Guard's Zebra router.
In the book: The purpose of the "no synchronization" command.
Misc:

12. (DDoS v2.0—4-12)

"Show IP BGP Summary" from BGP Neighbor

Before Guard has been configured:

    R1# sh ip bgp summary
    BGP router identifier 192.168.8.8, local AS number 10
    BGP table version is 57, main routing table version 57
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.8.8     4    10   48494   48484        0    0    0 00:00:19 Idle
    R1#

[Upstream Router]

After Guard has been configured:

    5w5d: %BGP-5-ADJCHANGE: neighbor 192.168.8.8 Up
    R1# sh ip bgp summary
    BGP router identifier 192.168.8.8, local AS number 10
    BGP table version is 57, main routing table version 57
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.8.8     4    10   48497   48488       57    0    0 00:00:25 0
    R1#

[Upstream Router]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To show the change in output on the neighboring router for "show ip bgp summary" before and after the Guard has been configured.
In the book: N/A
Misc:


13. (DDoS v2.0—4-13)

Show IP BGP Summary (Cont.)

After BGP routes/prefixes have been sent by the Guard:

    R1# sh ip bgp summary
    BGP router identifier 192.168.8.8, local AS number 10
    BGP table version is 59, main routing table version 59
    2 network entries using 202 bytes of memory
    2 path entries using 96 bytes of memory
    1 BGP path attribute entries using 112 bytes of memory
    1 BGP community entries using 24 bytes of memory
    2 BGP route-map cache entries using 64 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 498 total bytes of memory
    BGP activity 30/28 prefixes, 32/30 paths, scan interval 60 secs
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.8.8     4    10   48506   48494       59    0    0 00:06:03 2
    R1#

[Upstream Router]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To show the output of "show ip bgp summary" on the upstream router after the Guard has sent it routes.
In the book: N/A
Misc:

14. (DDoS v2.0—4-14)

"Show IP Route" from BGP Neighbor

Before BGP routes have been sent by the Guard:

    Gateway of last resort is not set
    C    50.0.0.0/8 is directly connected, FastEthernet0/5
    C    20.0.0.0/8 is directly connected, FastEthernet0/4
    O    40.0.0.0/8 [110/2] via 50.0.0.2, 4w2d, FastEthernet0/5
    C    10.0.0.0/8 is directly connected, FastEthernet0/3
    C    30.0.0.0/8 is directly connected, FastEthernet0/1
    R1#

[Upstream Router]

After BGP routes have been sent by the Guard:

    Gateway of last resort is not set
    C    50.0.0.0/8 is directly connected, FastEthernet0/5
    C    20.0.0.0/8 is directly connected, FastEthernet0/4
         40.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    B       40.0.0.0/9 [200/0] via 30.0.0.10, 00:00:07
    O       40.0.0.0/8 [110/2] via 50.0.0.2, 4w2d, FastEthernet0/5
    B       40.128.0.0/9 [200/0] via 30.0.0.10, 00:00:07
    C    10.0.0.0/8 is directly connected, FastEthernet0/3
    C    30.0.0.0/8 is directly connected, FastEthernet0/1
    R1#

[Upstream Router]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To contrast the difference between the routing table on the upstream router before and after the Guard has sent it routes.
In the book: N/A
Misc: Notice the /8 vs. /9 prefixes.
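Slide 4-7 states the rule (the zone prefix is announced subnetted in half, so that it is longer than the route already in the table) and slide 4-14 shows its effect (a /8 becomes two /9s pointing at the Guard). The Python below is an added example, not Cisco's or the course's code: it computes the prefixes a diversion should produce for a zone and then checks a captured "show ip route" for BGP routes to those prefixes with the Guard as next-hop, which is the check an operator wants when confirming that a diversion is actually in effect. The Guard next-hop 30.0.0.10 and the two routing-table captures are constructed samples modelled on slide 4-14; the parser handles only routing-table lines that carry an [AD/metric] and a next-hop (an assumption).

```python
"""Verify that a Guard's BGP diversion has landed in an upstream router's table.

Added example; not code from the Cisco course. The Guard announces a zone
prefix 'subnetted in half' (a /8 becomes two /9s; a /32 cannot be split and is
announced as-is), and the upstream router's 'show ip route' then carries those
more-specific 'B' routes. Next-hop and captures below are constructed samples.
"""
import ipaddress
import re


def diversion_prefixes(zone):
    """Prefixes the Guard is expected to announce for a zone (as strings)."""
    net = ipaddress.ip_network(zone, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return [str(net)]
    return [str(n) for n in net.subnets(prefixlen_diff=1)]


# One IOS routing-table entry with [AD/metric] and a next-hop, e.g.
#   'B       40.0.0.0/9 [200/0] via 30.0.0.10, 00:00:07'
# Connected routes ('is directly connected') carry no next-hop and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2})\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})"
)


def parse_routes(show_ip_route):
    """Return (code, network, next_hop) tuples from 'show ip route' text."""
    routes = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["code"],
                           ipaddress.ip_network(m["prefix"], strict=False),
                           ipaddress.ip_address(m["nexthop"])))
    return routes


def diversion_status(zone, guard_next_hop, show_ip_route):
    """Which expected diversion prefixes are installed as BGP routes towards
    the Guard, and which are still missing."""
    guard = ipaddress.ip_address(guard_next_hop)
    installed = {str(net) for code, net, nh in parse_routes(show_ip_route)
                 if code == "B" and nh == guard}
    expected = diversion_prefixes(zone)
    return {"diverted": [p for p in expected if p in installed],
            "missing": [p for p in expected if p not in installed]}


# Constructed samples modelled on slide 4-14 (zone 40.0.0.0/8, Guard via 30.0.0.10).
BEFORE = """\
Gateway of last resort is not set
C    50.0.0.0/8 is directly connected, FastEthernet0/5
C    20.0.0.0/8 is directly connected, FastEthernet0/4
O    40.0.0.0/8 [110/2] via 50.0.0.2, 4w2d, FastEthernet0/5
C    10.0.0.0/8 is directly connected, FastEthernet0/3
C    30.0.0.0/8 is directly connected, FastEthernet0/1
"""

AFTER = """\
Gateway of last resort is not set
C    50.0.0.0/8 is directly connected, FastEthernet0/5
C    20.0.0.0/8 is directly connected, FastEthernet0/4
     40.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       40.0.0.0/9 [200/0] via 30.0.0.10, 00:00:07
O       40.0.0.0/8 [110/2] via 50.0.0.2, 4w2d, FastEthernet0/5
B       40.128.0.0/9 [200/0] via 30.0.0.10, 00:00:07
C    10.0.0.0/8 is directly connected, FastEthernet0/3
C    30.0.0.0/8 is directly connected, FastEthernet0/1
"""

if __name__ == "__main__":
    print("before:", diversion_status("40.0.0.0/8", "30.0.0.10", BEFORE))
    print("after: ", diversion_status("40.0.0.0/8", "30.0.0.10", AFTER))
```

The same check applies to slide 4-7, where the zone is a single host: diversion_prefixes("192.168.3.128/32") returns the /32 unchanged, matching the B route shown there.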

15. (DDoS v2.0—4-15)

Redistribute Guard

    Router# show ip route
    Codes: G - Guard route, C - connected, S - static, M - RMP, R - RIP, O - OSPF, B - BGP,
           > - selected route, # - FIB route
    S>* 0.0.0.0/0 [1/0] via 212.199.26.39, eth1
    C>* 127.0.0.0/8 is directly connected, lo
    G>* 192.118.44.0/23 is directly connected, lo
    G>* 192.118.46.0/23 is directly connected, lo
    G>* 212.117.130.0/25 is directly connected, lo
    G>* 212.199.42.0/25 is directly connected, lo
    G>* 212.199.42.128/25 is directly connected, lo

• The "Redistribute Guard" command takes the entries with the G attribute and announces them to the neighbor via BGP.

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To introduce the purpose of the "redistribute guard" command in the Zebra router's BGP configuration.
In the book: Details the "C", "G" and "S" attributes.
Misc:

16. (DDoS v2.0—4-16)

Summary

• The Guard diverts, cleans and returns legitimate traffic to zones.
• The Guard uses the BGP routing protocol to announce itself as the best path for zone traffic to its BGP neighbors.
• The Guard's Zebra router application is configured using standard BGP command syntax.
• The "Redistribute Guard" command allows the Guard to advertise routes for zones via the Zebra router application using BGP.

Type: Summary
Importance: Medium
Time: As Needed
Purpose: Chapter Summary
In the book: N/A
Misc:


17.

Type: Last
Importance: Medium
Time: As Needed
Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.
In the book: N/A
Misc:


Lesson 5

1.

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Injecting Traffic

Type: Title
Importance: Medium
Time: As Needed
Purpose: High level overview of chapter.
In the book: N/A
Misc:

2. (DDoS v2.0—5-2)

Outline

• Overview.
• What Is IP Traffic Injection?
• Common Traffic Injection Methods.
• Layer 2 Forwarding Injection Method.
• VPN Routing and Forwarding Method.
• Policy-Based Routing Method.
• Tunnel Diversion Method.
• Summary.

Type: Outline
Importance: Medium
Time: As Needed
Purpose: Highlight the major points that will be discussed in the lesson.
In the book: N/A
Misc:

3. (DDoS v2.0—5-3)

Common Traffic Injection Methods

Layer 2 topology:
• The Guard, the divert-from router, and the next-hop router are on the same LAN.
• The divert-from router and an inject-to router are two different devices.
• The next-hop router and the inject-to router are the same device.

Layer 3 topology:
• The divert-from and inject-to routers are the same device.
• To avoid malicious routing loops, the Guard uses VRF-DST, Policy Based Routing or GRE tunneling.

Type: Concept
Importance: High
Time: As Needed
Purpose: Details differences in L2 vs. L3 injection methods.
In the book: L3 can use GRE, VRF-DST, or PBR to avoid routing loops.
Misc:

4. (DDoS v2.0—5-4)

Layer 2 Injection Method

• The divert-from router, the next-hop routers and the Guard are on the same LAN.
• In L2 the divert-from router and inject-to router are different devices.
• In L2 the next-hop router is the same as the inject-to router.
• The Guard uses an ARP query to find the next-hop router.

[Diagram: Internet, R1, Layer 2 Switch, R2, Zone, with the Cisco Guard attached to the switch. Flows shown: Total Network Traffic, Diverted Zone Traffic, Forwarded Clean Zone Traffic.]

Type: Concept
Importance: Medium
Time: As Needed
Purpose: Issues with standard L2 injections.
In the book: The use of ARP. It is possible to forward directly to the protected device.
Misc:


5. (DDoS v2.0—5-5)

Configuring Layer 2 Traffic Forwarding (L2F)

[Diagram: Internet, R1, Layer 2 Switch, R2, Zone, with the Cisco Guard attached to the switch. Flows shown: Total Network Traffic, Diverted Zone Traffic, Forwarded Clean Zone Traffic. Addresses shown: 192.168.8.1/24, 192.168.250.1/24, 192.168.8.8/24, 192.168.240.1/24, 192.168.240.2/24.]

Step 1: Configure the Giga1 interface.
Step 2: Configure BGP.
Step 3: Configure traffic injection.

Type: Concept
Importance: Medium
Time: As Needed
Purpose: Steps to configure L2F.
In the book: The use of ARP. It is possible to forward directly to the protected device.
Misc:

6. (DDoS v2.0—5-6)

Configure Layer 2 Traffic Forwarding (Cont.)

Step 1: Configure the Guard's Giga1 interface

    admin@GUARD-conf# interface giga1
    admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0

Step 2: Configure BGP

    router bgp 64555
     redistribute guard
     neighbor 192.168.8.1 remote-as 100
     neighbor 192.168.8.1 description upstream_router
     neighbor 192.168.8.1 distribute-list nothing-in in
     neighbor 192.168.8.1 soft-reconfiguration inbound
     neighbor 192.168.8.1 route-map filt-out out
    !
    route-map filt-out permit 10
     set community 100:64555 no-advertise no-export
    !
    access-list nothing-in deny any

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: Review of the BGP configuration needed for traffic diversion.
In the book: N/A
Misc:

7. (DDoS v2.0—5-7)

Configuring Layer 2 Traffic Forwarding (Cont.)

Step 3: Configure traffic injection on the Guard

    router# configure terminal
    router(config)# ip route 192.168.240.0 255.255.255.0 192.168.8.250

[Diagram: Internet, R1, Layer 2 Switch, R2, Zone, with the Cisco Guard attached to the switch. Flows shown: Total Network Traffic, Diverted Zone Traffic, Forwarded Clean Zone Traffic. Addresses shown: 192.168.8.1/24, 192.168.8.250/24, 192.168.8.8/24, 192.168.240.1/24, 192.168.240.2/24.]

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To show the static route configured in the Zebra router to be used for traffic injection. This is table 100.
In the book: N/A
Misc:

8. (DDoS v2.0—5-8)

VPN Routing and Forwarding - Destination

[Diagram: R1, R2, Zone, with a VRF on R1. Flows shown: Total Network Traffic, Diversion Flow via the routing table on the NATIVE VLAN, Injection Flow via VLAN 5.]

• Traffic is diverted from R1 and injected back to R1.
• To prevent an endless routing loop, VRF-DST creates another routing table on the inject-to router (R1).
• The VRF table on R1 routes traffic on the VLAN 5 interface that faces the Guard.
• Two VLAN interfaces are required:
  – The native VLAN is used for diversion.
  – The second VLAN is used for injection.

Type: Concept
Importance: Medium
Time: As Needed
Purpose: To introduce the concept of VPN Routing and Forwarding.
In the book: Details of how VRF-DST functions.
Misc:


9. (DDoS v2.0—5-9)

VRF-DST Configuration Guidelines

Configure two logical interfaces (VLANs) on the Guard:
• Native VLAN interface:
  – BGP announcements are sent on this interface to divert traffic to the Guard.
  – Traffic is forwarded to the Guard according to the divert-from router's global routing table.
• Second VLAN interface:
  – This interface is used by the Guard to inject the "cleaned" traffic to the inject-to router.
  – The inject-to router uses a VRF table to forward the injected traffic to the zone's appropriate next-hop IP address.
  – The VRF table on the inject-to router has a static route that defines the zone's next-hop IP address.

Type: Concept
Importance: Medium
Time: As Needed
Purpose: To explain issues with configuring two interfaces for VRF.
In the book: N/A
Misc:

10. (DDoS v2.0—5-10)

Configuring VRF-DST Injection

Step 1: Configure a Native VLAN on the Guard inbound interface.
Step 2: Configure a second VLAN on the Guard inbound interface.

    admin@GUARD-conf# interface giga1
    admin@GUARD-conf-if-giga1# ip address 192.168.8.8 255.255.255.0

    admin@GUARD-conf# interface giga1.5
    admin@GUARD-conf-if-giga1.5# ip address 192.168.5.8 255.255.255.0

[Diagram: Cisco Guard, R1, R2, Zone. Total Network Traffic enters at R1. NATIVE VLAN: 192.168.8.1 (R1) to 192.168.8.8/24 (Guard), Diversion Flow. VLAN 5: 192.168.5.1 (R1) to 192.168.5.8/24 (Guard).]

Step 3: Configure injection from the Guard to the zone using a static route through the next-hop router using VLAN 5.

    router# configure terminal
    router(config)# ip route 192.168.240.0 255.255.255.0 192.168.5.1

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: This slide shows the CLI commands used to configure the interfaces for VRF. 802.1Q is used on the "2nd" interface.
In the book: ISL is not supported. The native VLAN is not tagged.
Misc:

11. (DDoS v2.0—5-11)

Configuring VRF-DST Injection (Cont.)

Step 4: Configure the VRF table on the inject-to router.

    ip vrf Guard-vrf
     rd 100:1

[Inject-to Router]

Step 5: Configure the Native VLAN on the divert-from router.

    interface fastEthernet1/0.1
     encapsulation dot1Q 1 native
     description <<VLAN TO GUARD-DIVERSION>>
     ip address 192.168.8.1 255.255.255.0
     no ip directed-broadcast

[Divert-from Router]

Step 6: Configure the VLAN 5 interface on the inject-to router.

    interface fastEthernet1/0.5
     encapsulation dot1Q 5
     description <<VLAN TO RECEIVE GUARD-INJECTION>>
     ip vrf forwarding Guard-vrf
     ip address 192.168.5.1 255.255.255.0

[Inject-to Router]

"Inject-to" and "Divert-from" routers are the same device.

Type: Command
Importance: Medium
Time: As Needed
Purpose: To show the necessary configuration on the router for VRF injection.
In the book: N/A
Misc:

12. (DDoS v2.0—5-12)

Configuring VRF-DST Injection (Cont.)

[Diagram: Traffic Injection Using VRF. Cisco Guard, R1, R2, Zone 192.168.240.0/24 (192.168.240.1/24). Total Network Traffic enters at R1. NATIVE VLAN: 192.168.8.1 (R1) to 192.168.8.8/24 (Guard), Diversion Flow. VLAN 5: 192.168.5.1 (R1) to 192.168.5.8/24 (Guard). Link R1 to R2: 192.168.250.1/24 to 192.168.250.2/24.]

Step 7: Configure the router interface to the zone.

    interface fastEthernet2/0
     description <<LINK TO ZONE>>
     ip address 192.168.250.1 255.255.255.0

[Inject-to Router]

Step 8: Configure static VRF on the inject-to router.

    ip route vrf Guard-vrf 192.168.240.0 255.255.255.0 192.168.250.0 global

[Inject-to Router]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To show the necessary configuration on the router for VRF injection.
In the book: Explanation of step 8, the configuration of the "2nd" routing table and the function of the "global" keyword.
Misc:


13. (DDoS v2.0—5-13)

Policy-Based Routing—Destination

[Diagram: Using PBR. R1, R2, Zone. Flows shown: Total Network Traffic, Diverted Zone Traffic, PBR: Zone Traffic-to-R2, Forwarded Clean Zone Traffic.]

Type: Concept
Importance: Medium
Time: As Needed
Purpose: To provide an overview of the PBR injection method.
In the book: Detail of traffic flows.
Misc:

14. (DDoS v2.0—5-14)

Configuring PBR Injection Method

• Configure Standard BGP Diversion on Guard

    router bgp 64555
     bgp router-id 192.168.8.8
     redistribute guard
     neighbor 192.168.8.1 remote-as 100
     neighbor 192.168.8.1 description divert-from router
     neighbor 192.168.8.1 soft-reconfiguration inbound
     neighbor 192.168.8.1 distribute-list nothing-in in
     neighbor 192.168.8.1 route-map Guard-out out
    !
    access-list nothing-in deny any
    !
    route-map Guard-out permit 10
     set community 100:64555 no-export no-advertise
    !
    ip route 192.168.240.0 255.255.255.0 192.168.8.1

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: Review of necessary BGP configuration in the Guard.
In the book: N/A
Misc:

15. (DDoS v2.0—5-15)

Configuring PBR Injection Method (Cont.)

• Configure PBR on Inject-to Router

    router(config)# show router config
    .......
    interface FastEthernet0/2
     description Interface connected to the Guard
     ip address 192.168.8.1 255.255.255.0
     no ip directed-broadcast
     ip policy route-map GuardPbr
    !
    ip access-list extended zone-A
     permit ip any host 192.168.240.0 255.255.255.0
    !
    route-map GuardPbr permit 10
     match ip address zone-A
     set ip next-hop 192.168.250.0
    !
    route-map GuardPbr permit 20
     description let thru all other packets without modifying next-hop

[Inject-to Router]

"Inject-to" and "Divert-from" routers are the same device.

Type: Command
Importance: Medium
Time: As Needed
Purpose: To highlight the necessary router commands on the inject-to router for PBR injection.
In the book: N/A
Misc:
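Slides 5-8 to 5-12 (VRF-DST) and 5-13 to 5-15 (PBR) both solve the same problem: once the Guard's more-specific routes are in R1's global table, a cleaned packet that R1 forwards by that table goes straight back to the Guard. The Python below is an added example and is not Cisco's or the course's code. It models R1 as a longest-prefix-match table, walks a cleaned packet hop by hop, and shows the loop with the global table, the exit through the Guard-vrf static route, and the exit through a PBR entry on the Guard-facing interface that falls through to the global table for non-zone destinations. Addresses follow the slides (zone 192.168.240.0/24, R2 on the 192.168.250.0/24 link); using R2's address 192.168.250.2 as the VRF/PBR next-hop, the /25 split of the zone, and the default route are assumptions of this model.

```python
"""Why VRF-DST or PBR is needed on a Layer 3 inject-to router.

Added example, not part of the Cisco course material. R1 is modelled as
routing tables with longest-prefix-match lookup; a cleaned packet from the
Guard is traced until it reaches R2 (the zone's next hop) or loops.
Zone 192.168.240.0/24 and the 192.168.250.0/24 link come from the slides;
the next-hop choice, the /25 split and the default route are assumptions.
"""
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match table mapping prefixes to next-hop names."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class PolicyRoute:
    """PBR on the Guard-facing interface (slide 5-15): packets matching the
    ACL get the configured next-hop; everything else falls through to the
    global routing table, like the 'permit 20' entry with no set clause."""

    def __init__(self, match_prefix, next_hop, fallback):
        self.match = ipaddress.ip_network(match_prefix)
        self.next_hop = next_hop
        self.fallback = fallback

    def lookup(self, dst):
        if ipaddress.ip_address(dst) in self.match:
            return self.next_hop
        return self.fallback.lookup(dst)


# R1's global table after diversion: the two /25 halves announced by the Guard
# are more specific than the /24 to R2, so diversion works, but the Guard's
# own cleaned traffic matches them too.
GLOBAL_TABLE = RoutingTable([
    ("0.0.0.0/0", "INTERNET"),
    ("192.168.240.0/24", "R2"),
    ("192.168.240.0/25", "GUARD"),
    ("192.168.240.128/25", "GUARD"),
])

# Guard-vrf (slide 5-12, step 8): only the static route for the zone, with
# the next-hop resolved in the global table ('global' keyword).
VRF_TABLE = RoutingTable([
    ("192.168.240.0/24", "R2"),
])

# PBR applied to the interface facing the Guard.
PBR_INGRESS = PolicyRoute("192.168.240.0/24", "R2", GLOBAL_TABLE)


def trace(dst, ingress_lookup, max_hops=6):
    """Forward a cleaned packet from the Guard through R1 using the lookup
    that applies to the Guard-facing interface. Returns the hop list and
    whether the packet bounced between R1 and the Guard until the budget ran out."""
    path = ["GUARD"]
    for _ in range(max_hops):
        path.append("R1")
        nh = ingress_lookup.lookup(dst)
        if nh != "GUARD":
            path.append(nh)
            return {"path": path, "loops": False}
        path.append("GUARD")  # re-injected on the same interface, same lookup
    return {"path": path, "loops": True}


if __name__ == "__main__":
    for name, table in (("global table", GLOBAL_TABLE),
                        ("Guard-vrf", VRF_TABLE),
                        ("PBR", PBR_INGRESS)):
        print(f"{name:12s}", trace("192.168.240.50", table))
```

Diversion itself still uses the global table (GLOBAL_TABLE.lookup on a zone address returns the Guard), which is why the native VLAN and the injection VLAN must be separate interfaces: only the injection side gets the VRF or the policy route.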

16. (DDoS v2.0—5-16)

GRE/IPIP Injection Example

• Guard Configuration

    interface giga1
     ip address 192.168.8.8 255.255.255.0
     mtu 1500
     no shutdown
     exit
    interface gre1
     ip address 192.168.121.1 255.255.255.0
     tunnel source 192.168.8.8
     tunnel destination 192.168.250.2

    ip route 192.168.250.2 255.255.255.255 192.168.8.8 giga1

Guard's Zebra Configuration – Table 100

    ip route 0.0.0.0/0 192.168.121.2

[Diagram: GRE/IPIP tunnel. Tunnel ID 192.168.121.1 (Guard side) and 192.168.121.2 (router side); GRE/IPIP source 192.168.8.8, via 192.168.8.1; GRE/IPIP destination 192.168.250.2.]

[Guard Only]

Type: Command
Importance: Medium
Time: As Needed
Purpose: To provide an overview of the configuration needed on the Guard for tunnel injection.
In the book: N/A
Misc: This is the method configured in the lab.


17. (DDoS v2.0—5-17)

Summary

• The Guard diverts, cleans and injects legitimate traffic to zones.
• Traffic forwarding methods vary across L2 and L3 topologies.
• In L2F the Guard, the divert-from router, and the inject-to router are all on the same IP network and the divert-from router and the inject-to router are different devices.
• VRF-DST allows the configuration of another routing and forwarding table on the inject-to router. The divert-from router and inject-to router are the same device.

Type: Summary
Importance: Medium
Time: As Needed
Purpose: Chapter Summary
In the book: N/A
Misc:

18. (DDoS v2.0—5-18)

Summary (Cont.)

• PBR provides a method for the inject-to router to apply a different next-hop for traffic received on the interface facing the Guard than what is defined in the global routing table. In PBR the divert-from and inject-to routers are the same device.
• The tunnel forwarding method uses a GRE or IP in IP tunnel between the Guard and the next-hop router.

Type: Summary
Importance: Medium
Time: As Needed
Purpose: Chapter Summary
In the book: N/A
Misc:

19. (DDoS v2.0—5-19)

Type: Last
Importance: Medium
Time: As Needed
Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.
In the book: N/A
Misc:


Lesson 6

1. (DDoS v2.0—6-1)

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Mitigation at Work

Type: Title
Importance: Medium
Time: As Needed
Purpose: High level overview of chapter.
In the book: N/A
Misc:

2. (DDoS v2.0—6-2)

Outline

• MVP Architecture
• Cisco Guard Internal Architecture
• Modes of Protection
  – Analysis
  – Basic
  – Strong
  – Drop
• Anti Spoofing Mechanism
• Dynamic Filters
• Summary

Type: Outline
Importance: High
Time: As Needed
Purpose: Highlight the major points that will be discussed in the lesson.
In the book: N/A
Misc:

3.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-3

Cisco Guard Multi-Verification Process (MVP) Architecture

Figure: MVP pipeline with five stages: Dynamic Filters, Anti-Spoofing, Statistical Analysis, Layer 7 Analysis, Traffic Limiting & Shaping. Slide annotations: "Dynamically insert specific filters & adjust anti-spoofing levels"; "...or apply per-flow queues and aggregate rates"; "Identify precise attack flows: analyze behavior vs. baseline"; "Block spoofed packets (TCP, HTTP, DNS, etc.)"; "Filter non-essential traffic (e.g. ICMP)".

Type: Concept

Importance: High

Time: As Needed

Purpose: Introduce the concept of mitigation through the MVP architecture.

In the book: Detailed explanation of dynamic filters, anti-spoofing, statistical analysis, layer 7 analysis, and rate limiting.

Misc:

4.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-4

Guard Architecture - Overview

Figure: block diagram of the Guard. Data Plane: Rate Limiter, Sampler, Flex Filter, Bypass Filter, Classifier (Static & Dynamic Filters), Anti-Spoofing Modules, Analysis / Basic / Strong, Drop Packets, AS Replies. Control & Analysis Plane: Anomaly Recognition Engine, Policy Database, Insert filters, Management. Output: Connections & Authenticated Clients.

Type: Diagram

Importance: High

Time: As Needed

Purpose: Provides a flow chart of traffic as it flows through the Guard.

In the book: N/A

Misc:


5.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-5

Modes of Protection

• Analysis
  – Used by the Guard for active monitoring of packet flows. No action is taken unless anomalies are found.

• Basic
  – Performs Anti-Spoofing and traffic analysis according to basic policies and thresholds.

• Strong
  – Performs more stringent Anti-Spoofing authentication and analysis than the Basic mode. Deploys TCP proxy functionality on traffic for the zone it is protecting.

• Drop
  – Packets from a Source IP address are dropped per protocol.

Type: Concept

Importance: High

Time: As Needed

Purpose: Discuss the modes of protection used by the Guard. Zone filters define how the Guard handles specific traffic flows and can be configured to customize traffic flow and control anti-DDoS operation.

In the book: Description of various protection modes and modules.

Misc:

6.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-6

Analysis Mode

• The Guard detects an anomaly once a threshold has been exceeded in the applicable analysis policy.

• Usually, this is for 'global' rates of traffic. Often referred to as per-destination analysis.

• When an Analysis Policy's threshold is exceeded, the Guard inserts a dynamic "to user" filter sending the appropriate flow through the User-List.

• On the Detector, Analysis mode policy violations can result in remote Guard activation.

• The action for any policy can be modified.

Type: Concept

Importance: High

Time: As Needed

Purpose: Bullet points noting Analysis mode operation.

In the book: N/A

Misc:

7.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-7

Basic Mode

• Performs Anti-Spoofing.

• The Guard has a set of default policies that were defined when a zone was created. These provide a set of user filters that match all types of traffic.

• Basic Threshold violations are associated with various actions.

• Once a source is authenticated all subsequent traffic from that source IP address may flow to the zone provided there are no traffic anomalies.

Type: Concept

Importance: High

Time: As Needed

Purpose: Bullet points noting Basic mode operation.

In the book: N/A

Misc:

8.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-8

Strong Mode

• Strong filters are almost always applied per source.

• Performs anti-spoofing per flow and per service.

• Usually Strong mode is used in TCP – to distinguish if there is a mix of good and bad traffic with the same source IP.

• Guard functions as a proxy for all TCP connections from a source.

• Strong filters are used to authenticate DNS traffic.

• When multiple dynamic filters apply to the same flow, the 'stronger' dynamic filter wins.

• To protect a zone without using Strong mode filters, create the zone using the TCP_NO_PROXY template.

Type: Concept

Importance: High

Time: As Needed

Purpose: Bullet points noting Strong mode operation.

In the book: N/A

Misc:


9.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-9

Drop Mode

• Drop filters are always applied per source.

• Drop filters are the strongest filters.

• All traffic from "black-listed" source IP addresses will be dropped.

• Drop filter timers are refreshed as long as traffic continues to hit them.

• Drop filters are logged, and show up in detailed reports.

Type: Concept

Importance: High

Time: As Needed

Purpose: Bullet points noting Drop mode operation.

In the book: N/A

Misc:

10.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-10

What is Anti-Spoofing?

• Spoofing – sending IP traffic using a "bogus" Source IP address.

• Anti-Spoofing – a mechanism that identifies and distinguishes between real and spoofed IP source addresses.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: To define "Spoofing" and "Anti-Spoofing".

In the book: The Guard uses the TCP 3-way handshake to help authenticate sessions.

Misc:

11.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-11

Anti-Spoofing in the Guard

• Anti-Spoofing operates in the "Basic" and "Strong" protection levels.

• Anti-Spoofing categorizes source IP addresses as
  – Authenticated.
  – Non-Authenticated.

• Spoofed traffic is dropped and is not forwarded to the zone.

• Spoofed traffic is not counted for threshold calculation.

Type: Concept

Importance: High

Time: As Needed

Purpose: To introduce how the Guard Anti-Spoofing functionality operates. Traffic classifications of authenticated and non-authenticated traffic.

In the book: N/A

Misc:

12.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-12

Types of Anti-Spoofing traffic

• Anti-spoofing functions for the following protocols.
  – TCP traffic.
  – DNS (UDP/TCP) traffic.

• There is also Anti-Spoofing by association.
  – A source IP will become authenticated when sending traffic using other protocols if it was authenticated in parallel or beforehand by the active Anti-Spoofing mechanisms.

Type: Concept

Importance: High

Time: As Needed

Purpose: Explain what types of traffic Anti-spoofing is applicable to. This is some types of DNS traffic and TCP based traffic.

In the book: N/A

Misc:


13.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-13

Anti-Spoofing Details

• The User-list picks an algorithm.

• The purpose of these algorithms is to verify that the source IP sending the packet is a real source IP.

• Some traffic cannot be Anti-Spoofed.
  – UDP Traffic (other than DNS) with no TCP 'control' session.
  – Existing TCP flows at time of activation.
  – Non TCP/UDP traffic (example: ICMP).

Type: Concept

Importance: High

Time: As Needed

Purpose: Explain that depending on the type of traffic the Guard will select one of the following mechanisms for authenticating the user traffic.

In the book: N/A

Misc:

14.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-14

The TCP 3 Way Handshake

Figure: sequence diagram of the handshake between SIP (Source IP) and the Zone; the message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: Review standard TCP 3-way handshake operations.

In the book: Detailed explanation of the steps in a TCP three-way handshake and possible vulnerabilities.

Misc:

15.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-15

Basic http authentication

Figure: sequence diagram between SIP (Source IP), the Guard and the Zone. The Guard computes Hash-function(SIP, port, t); the SIP is added to Verified connections once the exchange completes. Message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: To show how the Guard's Anti-spoofing operation handles http traffic.

In the book: Steps in the process.

Misc:

16.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-16

Basic other TCP authentication

Figure: sequence diagram between SIP (Source IP), the Guard and the Zone. The Guard computes Hash-function(SIP, port, t); the SIP is added to Verified connections once the exchange completes. Message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: To show how the Guard's Anti-spoofing operation handles standard non-http TCP based traffic.

In the book: Compare and contrast to standard http steps.

Misc:


17.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-17

DNS Authentication

Antispoofing only when under attack. Authenticate source on initial query. Subsequent queries verified.

Figure: sequence diagram between Client, Guard and Target. Labels: "Repeated IP - UDP", "Authenticated IP". Message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: To show how the Guard's Anti-spoofing operation handles DNS traffic.

In the book: DNS traffic can use either TCP or UDP.

Misc:

18.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-18

Basic safe reset TCP authentication

Figure: sequence diagram between SIP (Source IP), the Guard and the Zone. The Guard computes Hash-function(SIP, port, t); a "Retransmission Delay" is marked before the SIP is added to Verified connections. Message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: To explain the Guard's "safe reset" method of authentication.

In the book: Purpose is for applications that do not respond well to the RST command… like many SMTP applications.

Misc:
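The Basic-mode source verification sketched on slides 15, 16 and 18, modelled as an added example that is not part of the Cisco guide: the Guard answers a SYN with a SYN/ACK whose sequence number is Hash-function(SIP, port, t), so only a source that actually receives that SYN/ACK can return the matching ACK and become authenticated, while a spoofed source stays non-authenticated and its traffic is neither forwarded nor counted toward thresholds (slide 11). The HMAC construction, the secret, the time-slot width and the "cookie + 1" acknowledgement rule are assumptions; the safe-reset variant is not modelled.

```python
"""Added model (not Cisco's code) of hash-based TCP source authentication.

The cookie replaces per-connection state: the Guard keeps nothing for a
half-open connection, so a flood of SYNs from spoofed sources cannot fill a
connection table; only an ACK carrying cookie + 1 proves the source is real.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-example-secret-not-a-real-key"   # assumed per-device secret
SLOT_SECONDS = 64                                        # assumed time-slot width
MASK32 = 0xFFFFFFFF


def hash_function(sip: str, port: int, t: int) -> int:
    """Hash-function(SIP, port, t): 32-bit value used as the SYN/ACK sequence number."""
    msg = sip.encode() + struct.pack("!HQ", port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def time_slot(now: float) -> int:
    return int(now // SLOT_SECONDS)


class AntiSpoofGuard:
    """Basic-mode behaviour from the slides: a source is authenticated once and
    afterwards all of its traffic may flow to the zone; spoofed traffic is not
    forwarded and is not counted toward the zone's thresholds."""

    def __init__(self) -> None:
        self.verified = set()     # authenticated source IPs
        self.forwarded = 0        # packets counted toward thresholds
        self.dropped = 0          # packets treated as spoofed

    def on_syn(self, sip: str, port: int, now: float) -> int:
        """Answer a SYN: return the sequence number the SYN/ACK carries."""
        return hash_function(sip, port, time_slot(now))

    def on_ack(self, sip: str, port: int, ack: int, now: float) -> bool:
        """Authenticate the source if the ACK acknowledges our cookie (cookie + 1).
        The previous slot is also accepted so a handshake that straddles a slot
        boundary is not rejected."""
        slot = time_slot(now)
        for t in (slot, slot - 1):
            if (hash_function(sip, port, t) + 1) & MASK32 == ack:
                self.verified.add(sip)
                return True
        return False

    def on_data(self, sip: str) -> bool:
        """Forward (and count) traffic only from authenticated sources."""
        if sip in self.verified:
            self.forwarded += 1
            return True
        self.dropped += 1
        return False


def demo() -> tuple:
    """Constructed scenario: one real client and one spoofed source."""
    guard = AntiSpoofGuard()
    now = 1_700_000_000.0
    # Real client: receives the SYN/ACK and acknowledges cookie + 1.
    seq = guard.on_syn("198.51.100.10", 80, now)
    real_ok = guard.on_ack("198.51.100.10", 80, (seq + 1) & MASK32, now + 0.2)
    # Spoofed source: the SYN/ACK went to the real owner of the address,
    # so the attacker's ACK can only be a guess.
    spoof_ok = guard.on_ack("203.0.113.77", 80, 0x12345678, now + 0.2)
    guard.on_data("198.51.100.10")
    guard.on_data("203.0.113.77")
    return real_ok, spoof_ok, guard.forwarded, guard.dropped


if __name__ == "__main__":
    print(demo())    # (True, False, 1, 1)
```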

19.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-19

Strong TCP Authentication

Figure: sequence diagram between SIP (Source IP), the Guard and the Zone, with the Guard proxying the connection. Message labels did not survive extraction.

Type: Special

Importance: High

Time: As Needed

Purpose: To illustrate the traffic flow when the Guard acts as a proxy for traffic using "strong mode" filters.

In the book: Steps in the traffic flow. The Guard doesn't maintain connection states. While acting as a proxy, return traffic flows through the Guard as well.

Misc:

20.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-20

Types of Filters – Recap

Figure: filter types listed on the slide: Flex Filter, Bypass Filter, Analysis policies, Dynamic Filter, User Filters, Strong, Drop, Rate Limit.

Type: Concept

Importance: High

Time: As Needed

Purpose: Introduction of the types of filters available on the Guard.

In the book: A description of each of the filters.

Misc:


21.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-21

User Filters (static) vs. Dynamic Filters

• Dynamic filters are added for a limited time.

• User filters let the user apply the protection mechanism once moved from analysis (due to recognition).

• When a dynamic filter and a user filter apply to the same flow, the stronger action wins (basic/strong/drop).
  – You can tell which is in use by the counter statistic.

Type: Concept

Importance: High

Time: As Needed

Purpose: To contrast User and Dynamic filters.

In the book: User filters define how abnormal traffic is first handled in the Guard. User filters can be modified and configured. Dynamic filters are created based on the Guard's analysis of the traffic.

Misc:

22.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-22

What Are Zone Filters?

In the Cisco Guard:

• Zone filters direct the path of traffic flows within the Guard to the relevant protection modules.

• There are four types of filters: Flex, bypass, user, and dynamic filters.

In the Cisco Traffic Anomaly Detector:

• Zone filters direct the path of traffic flows within the Detector to the relevant detection modules and take action according to what anomalies are detected.

• There are three types of filters: Flex, bypass and dynamic filters.

Type: Concept

Importance: High

Time: As Needed

Purpose: Further definition of available filters and their purpose in the Guard and Detector.

In the book: Defines Flex, bypass, user and dynamic filters.

Misc:

23.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-23

Cisco Guard Filter System

Figure: block diagram of the Guard filter system. Labels in the order they appear on the slide: Diverted Traffic, Flex Filter, Bypass Filters, Dynamic Filters, Recognition and Statistics, Drop Module, Strong Module, Analysis Module, Basic Module, Comparator, Drop, To Zone, User Filters, Traffic Rate-Limiter, Sampler.

Type: Diagram

Importance: High

Time: As Needed

Purpose: To explain the filters available in the Guard and their actions. To mitigate against abnormal traffic.

In the book: Details of Flex, bypass, and user filters. If two filters are applicable to the same traffic flow, the stronger filter wins. Zones are created with a default set of user filters.

Misc:

24.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-24

Cisco Traffic Anomaly Detector Filter System

Figure: block diagram of the Detector filter system. Labels: Mirrored/Split Traffic, Flex Filter, Bypass Filters, Bypassed Traffic, Dynamic Filters, Analysis Module, Sampler, Recognition and Statistics, Analyzed Traffic is Discarded, Notification / Remote Guard Activation.

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: To explain the filters available in the Detector and their actions. To alert the Guard to move inline.

In the book: Only Flex and bypass filters are configurable on the Detector. User filters aren't, as they "act" on traffic. The Detector can't discard or rate limit traffic as it only sees a copy of it.

Misc:


25.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-25

The Flex Filter

• A single Berkeley Packet filter.

• Used to drop (Cisco Guard only) or count a desired packet flow.

• Easily tailored to very specific flows.

• Resource intensive—may affect performance.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Discuss the use for the Flex filter: count or drop specific traffic flows based on parameters such as fields in the IP and TCP headers, payload content, and Boolean expressions.

In the book: Their use is discouraged due to the performance hit taken by the box.

Misc: Often times a network IPS is better suited for this purpose.

26.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-26

Bypass Filters

Bypass filters on the Guard:

• Allow specified traffic to bypass the Dynamic filters, protection modules, and Rate-Limiter.

• Used for trusted traffic flows.

Bypass filters on the Detector:

• Used to prevent handling of specific flows.

• Mirrored copy of traffic is dropped.

Figure: the Cisco Guard and Cisco Traffic Anomaly Detector filter system diagrams (same block labels as slides 23 and 24), shown side by side.

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: Discuss the use for Bypass filters; to prevent the Guard from handling specific flows, and direct trusted traffic away from Guard protection features and prevent the Guard from analyzing it.

In the book: Done for known good flows of traffic.

Misc:

27.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-27

Configuring a Bypass Filter

admin@DEVICE-conf-zone-zone-name# bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]

• Configures a Bypass filter on the Guard or Detector.

admin@DETECTOR-conf-zone-scannet# bypass-filter 10 100.0.0.99 255.255.255.255 6 80

• Configures a Bypass filter on the Detector to bypass all TCP traffic from IP address 100.0.0.99 to destination port 80.

Type: Command

Importance: Medium

Time: As Needed

Purpose: Explain the methods for configuring a Bypass filter. The Guard forwards traffic matching bypass filters to the zone without applying the policies, dynamic or user filters, or rate limiting to it.

In the book: Table detailing parameters.

Misc:

28.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-28

Viewing the Bypass Filters

admin@GUARD-conf-zone-scannet# show bypass-filters
**** BYPASS FILTERS ****
Row  Source IP     Source Mask      Proto  Dport  Frg  Rx Rate(pps)
10   65.38.150.15  255.255.255.255  6      25     no   193
20   *             255.255.255.255  6      53     no   230

admin@DETECTOR-conf-zone-scannet# show bypass-filters
**** BYPASS FILTERS ****
Row  Source IP     Source Mask      Proto  Dport  Frg  Rx Rate(pps)
10   65.38.150.15  255.255.255.255  6      25     no   193
20   *             255.255.255.255  6      53     no   230

Type: Command

Importance: Medium

Time: As Needed

Purpose: Review the command for displaying the Bypass filters.

In the book: Table detailing various output fields.

Misc:


29.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-29

Removing a Bypass Filter

admin@DEVICE-conf-zone-zone-name# no bypass-filter {row-num | *}

• Removes a Bypass filter on the Cisco Guard or Traffic Anomaly Detector.

Type: Command

Importance: Medium

Time: As Needed

Purpose: Discuss the methods for removing a bypass filter.

In the book: Detailed examples.

Misc: Use of the "*" wildcard would remove all bypass filters.

30.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-30

User Filters

• Used to customize Cisco Guard protection.

• Can provide special rules for handling traffic during an attack.

• Can be configured during an attack.

Figure: the Cisco Guard filter system diagram (same block labels as slide 23): Diverted Traffic, Flex Filter, Bypass Filters, Dynamic Filters, Recognition and Statistics, Drop / Strong / Analysis / Basic Modules, Comparator, Drop, User Filters, Traffic Rate-Limiter, Sampler, To Zone.

Type: Diagram

Importance: High

Time: As Needed

Purpose: Discuss the use and purpose of User filters. Apply the required protection level to a specified traffic flow.

In the book: Lists two bullet point reasons why you want to create user filters. Then a specific example.

Misc:

31.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-31

Configuring a User Filter

admin@GUARD-conf-zone-zone-name# user-filter row-num filter-action src-ip [ip-mask] protocol dest-port [fragments-type] [rate-limit rate burst units]

• Configures a User filter on the Cisco Guard.

admin@GUARD-conf-zone-scannet# user-filter 10 permit * 6 25 rate-limit 600 400 pps

• Configures a User filter on the Cisco Guard to permit all TCP traffic flowing to destination port 25 (SMTP), and applies rate-limiting of 600 pps with a burst size of 400 packets.

Type: Command

Importance: High

Time: As Needed

Purpose: Discuss the methods used for configuring a User filter on the Guard. The defaults are anti-spoofing and rate limiting; user filters can be modified.

In the book: Detailed table of parameters.

Misc: Explanation applies to the CLI example. Screenshot shows fields for GUI configuration only.
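A simplified model, added here and not Cisco's implementation, of how the filters on slides 21, 23, 27 and 31 combine for one flow: it parses the bypass-filter and user-filter commands in the syntax the slides give, lets a matching bypass filter skip every protection module, and otherwise applies the stronger of the matching user and dynamic filters, with dynamic filters expiring after their lifetime and a dynamic drop filter's timer refreshed while traffic keeps hitting it (slide 9). The ranking of permit below basic, the "analysis" default when nothing matches, and the timer values are assumptions.

```python
"""Added model (not Cisco's code) of zone filter selection on the Guard."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Assumed ranking: the slides only say the stronger action wins (basic/strong/drop).
STRENGTH = {"permit": 0, "basic": 1, "strong": 2, "drop": 3}


@dataclass
class ZoneFilter:
    row: int
    src: Optional[IPv4Network]                 # None = '*' (any source)
    proto: Optional[int]                       # None = '*'
    dport: Optional[int]                       # None = '*'
    action: str                                # bypass/permit/basic/strong/drop
    rate_limit: Optional[Tuple[int, int, str]] = None   # (rate, burst, units)
    expires: Optional[float] = None            # dynamic filters only
    ttl: Optional[float] = None                # dynamic filters only

    def matches(self, sip: str, proto: int, dport: int) -> bool:
        return ((self.src is None or IPv4Address(sip) in self.src)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def _parse_match(tok: List[str]):
    """Consume 'src-ip [ip-mask] protocol dest-port [fragments-type]' from tok."""
    src = tok.pop(0)
    mask = tok.pop(0) if tok and "." in tok[0] else "255.255.255.255"
    net = None if src == "*" else IPv4Network((src, mask), strict=False)
    proto, dport = tok.pop(0), tok.pop(0)
    if tok and tok[0] != "rate-limit":
        tok.pop(0)                             # fragments-type: accepted, not modelled
    return (net, None if proto == "*" else int(proto),
            None if dport == "*" else int(dport))


def parse_bypass_filter(line: str) -> ZoneFilter:
    """bypass-filter row-num src-ip [ip-mask] protocol dest-port [fragments-type]"""
    tok = line.split()
    if tok[0] != "bypass-filter":
        raise ValueError(line)
    net, proto, dport = _parse_match(tok[2:])
    return ZoneFilter(int(tok[1]), net, proto, dport, "bypass")


def parse_user_filter(line: str) -> ZoneFilter:
    """user-filter row-num filter-action src-ip [ip-mask] protocol dest-port
    [fragments-type] [rate-limit rate burst units]"""
    tok = line.split()
    if tok[0] != "user-filter" or tok[2] not in STRENGTH:
        raise ValueError(line)
    rest = tok[3:]
    net, proto, dport = _parse_match(rest)
    limit = (int(rest[1]), int(rest[2]), rest[3]) if rest and rest[0] == "rate-limit" else None
    return ZoneFilter(int(tok[1]), net, proto, dport, tok[2], limit)


class Zone:
    def __init__(self) -> None:
        self.bypass: List[ZoneFilter] = []
        self.user: List[ZoneFilter] = []
        self.dynamic: List[ZoneFilter] = []

    def add_bypass(self, line: str) -> None:
        self.bypass.append(parse_bypass_filter(line))

    def add_user(self, line: str) -> None:
        self.user.append(parse_user_filter(line))

    def add_dynamic(self, action: str, src: str, proto: int, dport: int,
                    now: float, ttl: float) -> None:
        """Dynamic filters are inserted by the Guard itself for a limited time."""
        net = None if src == "*" else IPv4Network(src)
        self.dynamic.append(ZoneFilter(0, net, proto, dport, action,
                                       expires=now + ttl, ttl=ttl))

    def select(self, sip: str, proto: int, dport: int, now: float):
        """Return (action, rate_limit, origin) for one flow at time `now`."""
        if any(f.matches(sip, proto, dport) for f in self.bypass):
            return "bypass", None, "bypass"    # skips dynamic/user filters and the rate limiter
        self.dynamic = [f for f in self.dynamic if f.expires > now]   # age out
        best, origin = None, "none"
        for kind, flist in (("user", self.user), ("dynamic", self.dynamic)):
            for f in flist:
                if f.matches(sip, proto, dport) and (
                        best is None or STRENGTH[f.action] > STRENGTH[best.action]):
                    best, origin = f, kind
        if best is None:
            return "analysis", None, "none"    # assumed default: analysis policies only
        if origin == "dynamic" and best.action == "drop":
            best.expires = now + best.ttl      # slide 9: drop timers refresh while traffic hits them
        return best.action, best.rate_limit, origin


if __name__ == "__main__":
    # Constructed sample configuration using the commands from slides 27 and 31.
    zone = Zone()
    zone.add_bypass("bypass-filter 10 100.0.0.99 255.255.255.255 6 80")
    zone.add_user("user-filter 10 permit * 6 25 rate-limit 600 400 pps")
    zone.add_dynamic("drop", "203.0.113.5", 6, 25, now=0.0, ttl=30.0)
    print(zone.select("100.0.0.99", 6, 80, 0.0))    # ('bypass', None, 'bypass')
    print(zone.select("203.0.113.5", 6, 25, 10.0))  # ('drop', None, 'dynamic')
```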

32.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-32

Summary

• The MVP process integrates a purification process that consists of Filtering, Active verification, Anomaly recognition, Protocol analysis, and Rate limiting.

• There are four types of Protection modes: Analysis, Basic, Strong, and Drop.

• The Guard deploys its various protection modules based on violations of zone policies.

• Basic and Strong Modules use various Anti-Spoofing mechanisms to authenticate the source IP address of traffic traveling to the zone.

• The "stronger" action takes precedence when User and Dynamic filters are applied to the same zone traffic.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:


33.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-33

Summary

• The Cisco Guard and the Cisco Traffic Anomaly Detector provide the same types of filters, except for User filters, which are available only on the Guard.

• The Flex filter on the Guard and Detector provides extremely detailed filtering of packet contents that allows you to count or drop malicious traffic that carries a distinctive pattern. However, the Flex filter is resource-consuming and should be used cautiously.

• The Bypass filter on the Guard and Detector allows you to bypass protection measures for known good traffic.

• The User filters on the Guard allow you to define which protection policies to use for traffic using custom (non-default) services.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

34.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—6-34

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:

Lesson 7

1.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-1

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Understanding Cisco Guard and Traffic Anomaly Detector Reports

Type: Title

Importance: Medium

Time: As Needed

Purpose: High level overview of chapter.

In the book: N/A

Misc:

2.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-2

Outline

• Overview.

• Cisco Guard and Traffic Anomaly Detector Attack Reports.

• Interpreting Cisco Guard Attack Reports.

• Viewing Dropped Traffic Statistics.

• Summary.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-3

Cisco Guard and Traffic Anomaly Detector Attack Reports

Report sections shown on the slide: Attack Timing; Attack Statistics (Guard Only); Dropped/Replied Packets (Guard Only); Detected Anomalies; Mitigated Attacks. (Detector report only shows Received.)

Type: Special

Importance: High

Time: As Needed

Purpose: Review the format of the Detector Attack report. Define the terms attack timing, statistics, dropped/replied packets, detected anomalies, and mitigated attacks.

In the book: Explanation of the various fields in the report. Use of the "show zone reports details" and "show zombies" commands.

Misc:

4.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-4

Attack Timing Fields

Attack Start: Dec 30 2003 16:28:06
Attack End: Attack in progress
Attack Duration: 00:08:34

Type: Special

Importance: Medium

Time: As Needed

Purpose: This section gives information on the ID of the attack, attack start time and date, attack end time and date, and attack duration.

In the book: Table denoting fields. Straightforward.

Misc:


5.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-5

Attack Statistics

Attack Statistics Table

Guard Only

Type: Special

Importance: Medium

Time: As Needed

Purpose: Defines how traffic was handled during an attack. This is in PPS and percentages.

In the book: Table defining fields of report.

Misc:

6.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-6

Dropped/Replied Packets

Dropped/Replied Packets Table

Guard Only

Type: Special

Importance: Medium

Time: As Needed

Purpose: Details what mechanism handled what traffic amounts during an attack. This is in PPS and percentages.

In the book: Table defining fields of report.

Misc:

7.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-7

Detected Anomalies

Detected Anomalies Table
Guard & Detector

Type: Special

Importance: Medium

Time: As Needed

Purpose: Details the traffic anomalies that occurred during an attack.

In the book: A table denoting fields of the report.

Misc:

8.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-8

Detected Anomalies (Cont.)

Detected Anomaly Flow Fields

Protocol Number   Source IP        Source Port   Destination IP    Destination Port   Fragmentation
1                 192.168.200.91   *             192.168.200.254   *                  no fragments

Guard & Detector

Type: Special

Importance: Medium

Time: As Needed

Purpose: Explains some of the information provided by the report. This example is ICMP based, so there are "*" entries for the port numbers. Often the protocol field will be either 6 or 17, for TCP or UDP based attacks.

In the book: Description of report fields.

Misc:


9.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-9

Mitigated Attacks Table

Mitigated Attacks Table
Guard Only

Type: Special

Importance: Medium

Time: As Needed

Purpose: Details the steps the Guard took to protect the zone.

In the book: Only available on the Guard. Table that defines fields of the report.

Misc:

10.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-10

Mitigated Attacks Table (Cont.)

There are five types of mitigated attacks:
• Spoofed.
• Zombie.
• Client attack.
• User-defined.
• Malformed packets.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Review the types of mitigated attacks.

In the book: There are 5 classifications of attacks.

Misc:

11.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-11

Mitigated Attacks Table (Cont.)

Types of spoofed attacks:

• spoofed/dns_replies (basic)
• spoofed/tcp_outgoing (strong)
• spoofed/dns_queries (strong)
• spoofed/tcp_incoming (strong)
• spoofed/other_protocols_fragments
• spoofed/tcp_incoming (basic)
• spoofed/udp_fragments
• spoofed/tcp_syn_ack (strong)
• spoofed/tcp_fragments
• spoofed/tcp_syn_ack (basic)
• spoofed/other_protocols
• spoofed/tcp_syn (strong)
• spoofed/dns_replies (strong)
• spoofed/udp (basic)
• spoofed/udp (strong)
• spoofed/tcp_syn (basic)

Type: Concept

Importance: Medium

Time: As Needed

Purpose: List of the various spoofed attacks.

In the book: A table that defines each in more detail.

Misc:

12.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-12

Mitigated Attacks Table (Cont.)

Types of zombie attacks:
• zombie/http.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Characterize the HTTP Zombie attack.

In the book: A zombie/http attack is the only kind of zombie attack. This is a flood of HTTP traffic from many sources that are considered non-spoofed, yet have not been successfully authenticated.

Misc:


13.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-13

Mitigated Attacks Table (Cont.)

Types of client attacks:

• client_attack/dns (udp)
• client_attack/user
• client_attack/unauthenticated_tcp
• client_attack/fragments
• client_attack/tcp_outgoing
• client_attack/other_protocols
• client_attack/tcp_incoming
• client_attack/udp
• client_attack/http
• client_attack/dns (tcp)
• client_attack/tcp_connections

Type: Concept

Importance: Medium

Time: As Needed

Purpose: List the various client attacks.

In the book: A table that defines each in more detail.

Misc:

14.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-14

Mitigated Attacks Table (Cont.)

Types of user-defined attacks:
• user_defined/rate_limit.
• user_defined/user_drop_filters.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: List the user-defined attacks.

In the book: A table that defines each in more detail.

Misc: These attacks are classified as user-defined because they are based on violations of user-defined filters.

15.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-15

Mitigated Attacks Table (Cont.)

Types of malformed packets:
• malformed_packets/packets_to_proxy_ip
• malformed_packets/dns_anti_spoofing_algo
• malformed_packets/dns (queries)
• malformed_packets/dns (short_queries)
• malformed_packets/dns (replies)
• malformed_packets/src ip = dst ip
• malformed_packets/zero_header_field

Type: Concept

Importance: Medium

Time: As Needed

Purpose: List the types of malformed packet attacks.

In the book: A table that defines each in more detail.

Misc:
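The report fields introduced on slides 4 and 8 (attack timing, detected anomaly flows) and the mitigated-attack names listed on slides 10 to 15 follow a regular enough shape that an analyst can pull them into structured data for triage or for feeding a ticketing system. The Python below is an added example written for this guide; it is not code from the guide or from Cisco. The report text it parses is constructed here from the field names shown on the slides, and the exact line layout of real "show reports details" output is an assumption of the example; only the category/subtype (qualifier) naming of the mitigated attacks and the protocol numbers 1, 6 and 17 come from the slides.

```python
"""Parse a constructed Cisco Guard style attack report into structured data."""
import re
from datetime import datetime

# Constructed sample. Field names follow the slides; the line layout is assumed.
SAMPLE_REPORT = """\
Attack Timing
Attack Start    : Dec 30 2003 16:28:06
Attack End      : Attack in progress
Attack Duration : 00:08:34

Detected Anomalies
Protocol  Source IP        Source Port  Destination IP   Destination Port  Fragmentation
1         192.168.200.91   *            192.168.200.254  *                 no fragments
17        192.168.200.77   *            192.168.200.254  53                no fragments
6         192.168.200.12   44120        192.168.200.254  80                fragments

Mitigated Attacks
spoofed/tcp_syn (strong)
zombie/http
client_attack/dns (udp)
user_defined/rate_limit
malformed_packets/src ip = dst ip
"""

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# The five mitigated-attack categories named on slide 10.
MITIGATION_CATEGORIES = {"spoofed", "zombie", "client_attack", "user_defined", "malformed_packets"}
# category/subtype, optionally followed by a parenthesised qualifier such as
# (basic)/(strong) for spoofed attacks or (udp)/(tcp) for client_attack/dns.
MITIGATION_RE = re.compile(r"^(?P<category>[a-z_]+)/(?P<subtype>[^()]+?)\s*(?:\((?P<qualifier>[^)]+)\))?$")


def _sections(text):
    """Split the report into {section title: [lines]} on blank-line boundaries."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if current is None:
            current = line.strip()
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def parse_timing(lines):
    """Attack Start / Attack End / Attack Duration; 'Attack in progress' means no end time."""
    fields = {}
    for line in lines:
        key, _, value = line.partition(":")  # first colon only; timestamps contain more
        fields[key.strip()] = value.strip()
    start = datetime.strptime(fields["Attack Start"], "%b %d %Y %H:%M:%S")
    in_progress = fields["Attack End"].lower().startswith("attack in progress")
    hours, minutes, seconds = (int(x) for x in fields["Attack Duration"].split(":"))
    return {"start": start, "in_progress": in_progress,
            "duration_seconds": hours * 3600 + minutes * 60 + seconds}


def parse_flows(lines):
    """Detected anomaly flow rows; '*' ports (e.g. ICMP) become None."""
    flows = []
    for line in lines[1:]:  # first line is the column header
        proto, src_ip, src_port, dst_ip, dst_port, frag = re.split(r"\s{2,}", line.strip())
        proto = int(proto)
        flows.append({
            "protocol": proto,
            "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
            "src": (src_ip, None if src_port == "*" else int(src_port)),
            "dst": (dst_ip, None if dst_port == "*" else int(dst_port)),
            "fragments": frag.strip().lower() != "no fragments",
        })
    return flows


def parse_mitigation(name):
    """Split a mitigated-attack name into category, subtype and optional qualifier."""
    m = MITIGATION_RE.match(name.strip())
    if not m or m.group("category") not in MITIGATION_CATEGORIES:
        raise ValueError(f"unrecognised mitigated attack name: {name!r}")
    return {"category": m.group("category"), "subtype": m.group("subtype").strip(),
            "qualifier": m.group("qualifier")}


def parse_report(text=SAMPLE_REPORT):
    sections = _sections(text)
    return {
        "timing": parse_timing(sections["Attack Timing"]),
        "anomalies": parse_flows(sections["Detected Anomalies"]),
        "mitigated": [parse_mitigation(line) for line in sections["Mitigated Attacks"]],
    }


if __name__ == "__main__":
    report = parse_report()
    print("in progress:", report["timing"]["in_progress"], "after", report["timing"]["duration_seconds"], "s")
    for flow in report["anomalies"]:
        print(flow["protocol_name"], flow["src"], "->", flow["dst"], "fragments" if flow["fragments"] else "")
    for m in report["mitigated"]:
        print(m["category"], m["subtype"], m["qualifier"] or "")
```

The parser rejects any mitigated-attack name whose category is not one of the five on slide 10, so a typo or an unexpected report line surfaces as an error rather than silently landing in the wrong bucket.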

16.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-16

Interpreting Cisco Guard Attack Reports

admin@GUARD-conf-zone-scannet# show reports

Attack Report List
Guard & Detector

Type: Command

Importance: Medium

Time: As Needed

Purpose: To understand the "show reports" command.

In the book: A table that defines the syntax and additional arguments for use with the command.

Misc:


17.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-17

Current Attack Report

Guard Only

Type: Command

Importance: High

Time: As Needed

Purpose: To explain the use of the "show reports current" command.

In the book: It provides an explanation of the report example, defining the fields and applying them to the numbers in the report. The text "dissects" and explains this report.

Misc:

18.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-18

Detailed Attack Report

admin@GUARD-conf-zone-scannet# show reports details

Detailed Report—Detected Anomalies Section:

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: To explain the use of the "show reports details" command. This report provides additional information.

In the book: A table defining the different parameters of the report.

Misc:

19.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-19

Detailed Attack Report (Cont.)
Detailed Report—Mitigated Attacks Section:

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: Continued from the previous slide.

In the book: A table defining the different parameters of the report.

Misc:

20.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-20

Detailed Attack Report (Cont.)
Detailed Report—Zombies Section:

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: Continued from the previous slide. If an attack is zombie based, the "show reports details" command will provide information about the zombie IP addresses.

In the book: A table defining the report parameters.

Misc:


21.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-21

Cisco Guard Attack Report Example

Guard Only

Type: Command

Importance: High

Time: As Needed

Purpose: Another example explaining the report with the numbers in the example.

In the book: Bullets explain the report as a practical example.

Misc:

22.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-22

Viewing Dropped Traffic Statistics

admin@GUARD-conf-zone-scannet# show drop-statistics

Guard Only

Type: Command

Importance: Medium

Time: As Needed

Purpose: To understand the "show drop-statistics" command.

In the book: A table that defines the report parameters.

Misc:

23.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—7-23

Summary

• Guard and Detector attack reports include details of the attacks organized into sections, each of which describes different aspects of the traffic flow during an attack.

• Analyzing and interpreting the information in the Guard attack report enables you to fine-tune the Guard protection settings.

• You can view the distribution of packets dropped by the Guard protection modules for an ongoing attack.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

24.

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:


Lesson 8

1.

© 2007 Cisco Systems, Inc. All rights reserved.

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Multi-Device

Type: Title

Importance: Medium

Time: As Needed

Purpose: High level overview of chapter.

In the book: N/A

Misc:

2.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-2

Outline

• Overview.
– Consolidated information.
– Synchronization of Configuration.
• Overview of Main Screens.
• Software architecture.
• Communication channels.
• Installation.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-3

Product Overview

• The DDoS Multi Device Manager 1.0 (MDM) is a software product that enables monitoring, management and reporting of multiple Cisco Guards and Detectors in a customer network and provides a consolidated view of attack information in real-time and as detailed reports.

• The MDM 1.0 runs on a Linux Server and needs to be installed on a server owned and operated by the customer, and requires R5.1(5) on the Guard and Detector devices.

• The MDM GUI is based on the Web Based Management GUI that is currently available on the Guard and Detector devices and displays attack information on size and type across devices on a single screen.

• The MDM also supports the distribution of basic zone level configurations from a master device to a set of other devices (Guards, Detectors) on the network.

• Consolidation is done on counters, rates, graphs, attack reports, events log, and zone status across all devices.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: To provide an overview of functions available with the Multi Device Manager.

In the book: Mentions the RA (remote agent) which enables communication between the device and the MDM software.

Misc:

4.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-4

Product Overview: MDM Deployment Example

Sample MDM Deployment in a Network with Cisco Guards, Detectors

Type: Graphic

Importance: Medium

Time: As Needed

Purpose: Show the benefit of using the MDM to manage multiple Guard and Detector devices from a central point.

In the book: Communication between the MDM and the devices occurs via SSL.

Misc:


5.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-5

Consolidated Information

• The MDM gives the user the ability to monitor all DDoS detection and mitigation actions in its network from a WEB GUI: all zones that are under detection, all zones that are under attack, all mitigation actions.

• When a zone is being protected by several Guards, all information regarding the zone is consolidated to one view.

• Consolidated information includes:
– Aggregate zone state of all devices (e.g. indicates whether all Guards detected an attack as opposed to a subset.)
– Aggregation of all dynamic filters across all devices to one list.
– Aggregation of all log events from all devices to one log file sorted by time at device level and zone level.
– Aggregation of counters and rates from all Guards.
– Generation of attack reports that consolidate information from all Guards.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Detail the benefits of central administration for viewing status information.

In the book: Bullet point list of the things the MDM allows you to see from a central point.

Misc:

6.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-6

Synchronization of Configuration

• Synchronization is the process of distributing the master zone configuration to all devices by overwriting the devices' zone configuration.

• The synchronization can be triggered automatically by the following events:
– Before user-initiated protection.
– Each time learning results are accepted by the user.
– Configuration change (configuration through the MDM.)

• Synchronization can also be triggered manually from the menu.
• Synchronization is not done on an active zone.
• The user can choose to disable the automatic synchronization:
– To avoid overwriting Global thresholds in scenarios where different Guards protecting the same zone see different portions of the traffic.
– When multiple Detectors are used and the zone has on each Detector a different remote-guards list.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Detail the benefits of central administration for device configuration.

In the book: Zone configuration synchronization can only occur when the zone is active. Zones must have a "master" device in charge of that zone's configuration.

Misc:

7.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-7

Overview of Main Screens

• Network summary screen
• Device List Screen
• Create zone screen
• Zone home page
• Attack Report screen
• Conflict Resolution screen

Type: Outline

Importance: Medium

Time: As Needed

Purpose: List the main GUI tabs in the MDM.

In the book: N/A

Misc:

8.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-8

Network Summary Screen

• Displays all zones that are currently under attack in the entire network, sorted according to attack start time.

• The Network Summary Screen displays basic information such as number of dynamic filters and traffic statistics.

• Clicking on a zone line links you to the zone home page.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Network Summary Screen.

In the book: How to navigate to the screen in the MDM. This is the "home page" of the MDM, providing a network status overview.

Misc:


9.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-9

Device List Screen

• Displays all devices that reside on the MDM database.
• Displays utilization information on each device including: hostname, device type, status, zone information, and traffic statistics.
• Device type: Guard or Detector.
• Device States:
– Initializing – while initiating connection.
– Establish – Connection established with device.
– Disconnected – Fail to create session.
– Suspended – User disabled communication.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Device List screen.

In the book: A table that details information available on this screen.

Misc:

10.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-10

Create Zone Screen

• The user should choose on which devices the zone should be created.
• One of the devices must be chosen as a master device.
• If there is a Detector in the device list, the Detector must be the master.
• Choosing the devices for a zone depends on various parameters:
– The network architecture.
– The expected attack capacity (if attacks larger than 1G are expected then several Guards should be used.)
– Load sharing scheme (each Guard can protect concurrently on 30 zones.)

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Create Zone screen.

In the book: Information about synchronization options. A table that details information available on this screen.

Misc:

11.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-11

Zone Home Page

• The Zone Status Bar: This displays the current status of the zone.
• Dynamic filters are aggregated across all devices.
• Events are aggregated across all devices.
• The rate graphs contain three lines:
– The received traffic as seen in the master Detector (blue line).
– Legitimate traffic aggregated across all Guards (green line).
– Malicious traffic aggregated across all Guards (red line).

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Zone Home Page.

In the book: Subdivided into zone status bar, Traffic Rate table, Status table, recent event table. Detailed information about configuration options and status information available on this page.

Misc:

12.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-12

Attack Report Screen

• The attack report lists all Guards that participate in detection and mitigation of the zone attack.
• Attack counters/rates statistics are aggregated from all Guards.
• Mitigation actions are aggregated across all Guards.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Attack Report screen. Revisit the benefits of network-wide consolidated DDoS reporting.

In the book: Information available on this screen.

Misc:


13.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-13

Conflict Resolution Screen

• Displays configuration inconsistencies across the network and helps to resolve them.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Introduce the Conflict Resolution screen.

In the book: Used to alert the administrator and help to fix configuration or communication issues between devices and the MDM.

Misc:

14.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-14

Software Architecture

• Communication between back-end and devices is over SSL.
• Log events are sent via syslog from all devices to the MDM.
• The Agent or RA on the Device is part of the MDM (it can be upgraded by the MDM with no need for a version upgrade in the device). The Device image only contains an upgradeable agent stub.
• The MDM database is a "thin" database. It holds the list of known devices defined for each zone and the list of devices it was defined on.
• The MDM database does not hold zones' configuration.
• When displaying a zone configuration, the MDM displays the zone's configuration as defined by that zone's master device configuration.
• The zone configuration in the master device is distributed to the other devices in the zone's device list.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Provide information about the MDM product.

In the book: N/A

Misc:

15.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-15

MDM Communication Channels

• Open ports to the MDM:
– HTTPS (443/tcp) for WEB GUI clients.
– SSH (22/tcp) Key exchange with the devices.
– Syslog (514/udp) so the MDM can receive syslog from the network's multiple Guards and Detectors.

• Open ports from the MDM:
– Device Remote Agent (1334/tcp.)
– NTP (if installed.)
– TACACS (if installed.)

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Details communication and protocol requirements of the MDM.

In the book: N/A

Misc:
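The channel list above is also the allow-list a host firewall on the MDM server should be reduced to, which is worth checking after installation because the installation slide that follows asks for a "clean" machine. The Python below is an added example for this guide, not code from the guide or from the MDM product. It audits a simple policy model against the four fixed channels named on the slide and reports both required flows the policy blocks and listening sockets the policy exposes beyond that list. The policy model, the set of listening sockets, and the NTP (123/udp) and TACACS+ (49/tcp) port numbers are assumptions of the example; the slide itself gives no port for those two.

```python
"""Audit a host-firewall policy for the MDM host against the channels listed on the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = towards the MDM host, "out" = initiated by the MDM
    proto: str       # "tcp" or "udp"
    port: int
    purpose: str


# The four channels with fixed ports on the slide.
REQUIRED = (
    Flow("in", "tcp", 443, "HTTPS for WEB GUI clients"),
    Flow("in", "tcp", 22, "SSH key exchange with the devices"),
    Flow("in", "udp", 514, "syslog from the Guards and Detectors"),
    Flow("out", "tcp", 1334, "Device Remote Agent"),
)
# Optional channels; the port numbers are the standard assignments, not taken from the slide.
OPTIONAL = (
    Flow("out", "udp", 123, "NTP (if installed)"),
    Flow("out", "tcp", 49, "TACACS+ (if installed)"),
)

# Policy model (an assumption of this example): an ordered list of
# (direction, proto, port, action); first match wins, proto "any" and port None
# are wildcards, and anything unmatched is dropped (default deny).
PERMIT_ALL = [("in", "any", None, "accept"), ("out", "any", None, "accept")]

HARDENED = [(f.direction, f.proto, f.port, "accept") for f in REQUIRED + OPTIONAL]

# Constructed sample of what the MDM host is actually listening on: the three
# required services plus two leftovers (MySQL, Tomcat) from a non-clean install.
LISTENING = {("tcp", 443), ("tcp", 22), ("udp", 514), ("tcp", 3306), ("tcp", 8080)}


def decide(policy, direction, proto, port):
    """First-match evaluation of the policy model; default deny."""
    for d, p, prt, action in policy:
        if d == direction and p in ("any", proto) and prt in (None, port):
            return action
    return "drop"


def audit(policy, listening):
    """Return (required flows the policy blocks, listeners exposed beyond the required set)."""
    blocked = [f for f in REQUIRED if decide(policy, f.direction, f.proto, f.port) != "accept"]
    needed_in = {(f.proto, f.port) for f in REQUIRED if f.direction == "in"}
    exposed = sorted(
        (proto, port) for proto, port in listening
        if (proto, port) not in needed_in and decide(policy, "in", proto, port) == "accept"
    )
    return blocked, exposed


if __name__ == "__main__":
    for name, policy in (("permit-all", PERMIT_ALL), ("hardened", HARDENED)):
        blocked, exposed = audit(policy, LISTENING)
        print(name, "blocks:", [f.purpose for f in blocked], "exposes:", exposed)
```

A permit-all policy blocks nothing the MDM needs but leaves the stray MySQL and Tomcat listeners reachable; the hardened policy passes on both counts, and dropping any one of the required rules (say the 514/udp line) is reported as a blocked channel with its purpose, so the check doubles as documentation of why each rule exists.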

16.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-16

Installation

• HW requirements:
– Minimum: CPU 1 GHz, RAM 512 M, hard disk 2 G.
– Recommended: CPU 2 GHz, RAM 1 GB, hard disk 2 G.

• Server Software requirement:
– Red Hat Enterprise Linux version 3 and 4.
– "Clean" machine, no mySQL or tomcat installed.

• Device Software Requirements: R5.1(5) or later.
• Device should be configured in the MDM and for each device.
• The user must initiate a key exchange between the MDM and the device.

• Conflict resolution is required after installation to integrate already defined zones.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Hardware requirements for MDM installation.

In the book: A table with more detail about Server requirements.

Misc:


17.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-17

Summary

• The MDM consolidates management and reporting across multiple Guard and Detector devices.

• The MDM synchronizes zone configuration information across multiple Guard and Detector devices.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

18.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—8-18

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc:


Lesson 9

1.

© 2007 Cisco Systems, Inc. All rights reserved.

Mitigating DDoS Using Cisco Guard and Traffic Anomaly Detector

Cisco Guard and Traffic Anomaly Detector Modules

Type: Title

Importance: Medium

Time: As Needed

Purpose: High level overview of chapter.

In the book: N/A

Misc:

2.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—9-2

Outline

• DDoS Protection Service Modules.
• Deployment Options.
• Data Hijacking and Injection.
• Guard and Detector configuration Commands.
• Configuring SPAN Sessions.
• Configuration Examples.
• Summary.

Type: Outline

Importance: Medium

Time: As Needed

Purpose: Highlight the major points that will be discussed in the lesson.

In the book: N/A

Misc:

3.

© 2007 Cisco Systems, Inc. All rights reserved. DDoS v2.0—9-3

DDoS Protection Service Modules

• Cisco Traffic Anomaly Detector Module: Attack DETECTION to support on-demand scrubbing. Monitors a COPY OF TRAFFIC.

• Cisco Anomaly Guard Module: Attack ANALYSIS AND MITIGATION. Diverts traffic flows for ON-DEMAND SCRUBBING.

Type: Graphic

Importance: High

Time: As Needed

Purpose: Introduce the Guard and Detector Modules available for use in the 6500 and 7600 platforms.

In the book: An overview of the products. Information the students should already know.

Misc:

4. (DDoS v2.0—9-4)

DDoS Protection Service Module

• Guard/Detector MVP-OS Release 5.1: single-slot modules for the Cisco Catalyst 6500 Switch and Cisco 7600 Router product lines.
• Interfaces via backplane, no external ports.
• Requires Native Cisco IOS 12.2(18)SXD3 or later.
• Multiple Guards and Detectors per chassis providing protection for a single destination zone.
• CLI, Web GUI, and SNMP management.
• Version 6.x MVP OS will allow for a licensed upgrade to "turn up" processors, enabling even greater throughput.

Type: Concept

Importance: High

Time: As Needed

Purpose: Details OS requirements for 7600 and 6500s. Mentions additional processors can be "turned up" in the 6.0 version of code for a licensed upgrade.

In the book: N/A

Misc:


5. (DDoS v2.0—9-5)

Deployment Options

Integrated system:
• Fits existing switch/routing infrastructure with other services.
• Ideal for data center deployments of 1–3 modules.
• Intrachassis diversion.

Dedicated system:
• New chassis dedicated to DDoS.
• Supports large range of flexible I/O.
• Ideal for high-capacity deployments.
• External diversion via Cisco IOS supervisor routing.

Type: Concept

Importance: High

Time: As Needed

Purpose: To discuss the options of an integrated system vs. a dedicated chassis.

In the book: Integrated is better suited for enterprise. A dedicated chassis is better suited for a scrubbing center – service provider networks. A large enterprise may also have a scrubbing center.

Misc:

6. (DDoS v2.0—9-6)

Path Processing of Guard/Detector Module

Guard Module – BITW: Bump in the Wire. The module must be placed in the path for data to be processed. (Diagram: Data → Switch Engine → MODULE → Data.)

Detector Module – Parallel Processing: the module DOES NOT need to be placed in the data path; rather, a copy of the data is forwarded to the module. (Diagram: Data → Switch Engine → Data, with a copy sent to MODULE.)

Type: Concept

Importance: High

Time: As Needed

Purpose: The Guard module works inline on the traffic. The Detector module must receive a copy of the traffic.

In the book: Talks about RHI for creating diversion. Not limited to just BGP like with the appliances.

Misc:

7. (DDoS v2.0—9-7)

Diversion Process

Hijacking:
• Change to the bypassing route for the Zone on the Supervisor Engine when the Guard Module is enabled in protect mode.
  – Divert to the Data Port of the Guard Module from the critical path on the Supervisor.
  – Divert to the Guard Module through the Supervisor Engine from the critical path on the external router.
• Using the RHI (Remote Health Inject) protocol for internal route advertisement in the Cat6K.

Injection:
• Re-inject scrubbed traffic to the Next Hop Router or locally connected zone.

Type: Concept

Importance: Medium

Time: As Needed

Purpose: Review of traffic diversion and injection. Similar to appliances except RHI is available.

In the book: Do not inject traffic to the IP address on the supervisor engine.

Misc:

8. (DDoS v2.0—9-8)

Diversion Mechanism

• Diversion configuration is applied from Global Configuration Mode on the supervisor.
• Change the route in the Supervisor onboard routing table by injecting a static route via RHI.
• RHI always advertises 2 divided routes to the zone, achieving the longest prefix.

Diagram: Supervisor Main Routing Engine ↔ Guard Module.
  For Diversion: Receive-via-Vlan, Receive-via-IP.
  For Injection: Send-via-Vlan, Send-via-IP (L3) next hop IP, Send-via-IP (L2) next hop IP.

Type: Diagram

Importance: Medium

Time: As Needed

Purpose: Details about the diversion process.

In the book: Traffic is load balanced across the guard module's interfaces for 3-gigabit operation. In 1-gig operation all traffic flows across data port 2.

Misc:


9. (DDoS v2.0—9-9)

Guard Module Configuration (Guard Module Only)

    admin@GUARD-conf# diversion ?
    hijacking : Set global hijacking parameters.
    injection : Set Injection parameters.

    admin@GUARD-conf# diversion hijacking ?
    receive-via-ip   : IP address to receive traffic to.
    receive-via-vlan : VLAN to receive traffic on.
    weight           : Weight to advertise route with.

    admin@GUARD-conf# diversion hijacking weight ?
    <weight> : Weight to advertise route with.

Type: Command

Importance: Medium

Time: As Needed

Purpose: Introduce the commands necessary for diversion.

In the book: A table that details available parameters of the command.

Misc:

10. (DDoS v2.0—9-10)

Guard Module Configuration for Diversion (Supervisor Module)

• Assign the receive-via-vlan and receive-via-ip for traffic hijacking.
  – VLAN numbers must be assigned on the Supervisor module.
• If there are no statements, the Guard Module will use the smallest VLAN number assigned on a logical interface on the Data port (giga2).

    cat6k(config)# diversion hijacking receive-via-ip 192.168.100.1
    cat6k(config)# diversion hijacking receive-via-vlan 100

Type: Command

Importance: Medium

Time: As Needed

Purpose: Continued from the previous slide.

In the book: A table that details available parameters of the command.

Misc:

11. (DDoS v2.0—9-11)

Guard Module Configuration for Injection (Supervisor Module)

• Assign the Next-hop IP address for the scrubbed traffic.
  – IP Address on Supervisor (L3 Injection).
  – IP Address of Next-hop L3 Device (L2 Injection).

    admin@GUARD-conf# diversion injection 192.168.111.0 255.255.255.0 nexthop 64.0.0.1

• If there are no injection statements the process will fail:

    Message from syslogd@localhost at Mon Mar 7 20:29:28 2007 ....
    localhost cm: Customer, 0 diversion-failed: No injection path for routing subnet (192.168.111.0 255.255.255.0).

Type: Command

Importance: Medium

Time: As Needed

Purpose: Introduce the commands necessary for injection.

In the book: A table that details available parameters of the command.

Misc:
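Added example, not from the course materials: a Python check that reads Guard diversion statements in the syntax of the slides above and reports the condition behind the diversion-failed syslog message (no injection statement covering the zone) before protect mode is enabled. The two extra next-hop sanity checks (the next hop must not be the Guard's own receive-via-ip, and must sit on a giga2 data-port subnet) are assumptions of this example, not rules stated in the course; the configuration text is constructed.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed Guard configuration, in the statement syntax shown on the slides.
GUARD_CONFIG = """
diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
"""


def parse_guard_config(text: str) -> Dict[str, Any]:
    """Collect the receive-via-ip, every injection statement, and the subnets
    configured on the giga2 data-port subinterfaces."""
    cfg: Dict[str, Any] = {"receive_via_ip": None, "injections": [], "data_subnets": []}
    in_data_if = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"diversion hijacking receive-via-ip (\S+)$", line):
            cfg["receive_via_ip"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"diversion injection (\S+) (\S+) nexthop (\S+)$", line):
            subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            cfg["injections"].append((subnet, ipaddress.ip_address(m.group(3))))
        elif m := re.match(r"interface (\S+)$", line):
            in_data_if = m.group(1).startswith("giga2")
        elif in_data_if and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["data_subnets"].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return cfg


def check_injection_path(cfg: Dict[str, Any], zone: str) -> List[str]:
    """Problems that would make 'protect' fail or send scrubbed traffic in a loop."""
    zone_net = ipaddress.ip_network(zone)
    covering = [(s, h) for s, h in cfg["injections"] if zone_net.subnet_of(s)]
    if not covering:
        # Same condition the Guard reports in the syslog line on the slide.
        return [f"diversion-failed: No injection path for routing subnet "
                f"({zone_net.network_address} {zone_net.netmask})"]
    problems: List[str] = []
    for _subnet, hop in covering:
        # Assumed sanity checks (not course rules): a next hop equal to the Guard's
        # own diversion address, or off the data-port subnets, cannot carry traffic out.
        if hop == cfg["receive_via_ip"]:
            problems.append(f"injection next hop {hop} is the Guard's own receive-via-ip")
        if not any(hop in s for s in cfg["data_subnets"]):
            problems.append(f"injection next hop {hop} is not on any giga2 data-port subnet")
    return problems


if __name__ == "__main__":
    cfg = parse_guard_config(GUARD_CONFIG)
    print(check_injection_path(cfg, "192.168.1.0/24"))    # []
    print(check_injection_path(cfg, "192.168.111.0/24"))  # ['diversion-failed: ...']
```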

12. (DDoS v2.0—9-12)

Configuring the Guard Module's Data and Management Connections (Supervisor Module)

• Assign the VLAN numbers used between the Supervisor and Guard Module for Diversion (giga2) and Management (eth1).
• 2 VLANs are required for Hijacking/Injecting on Data Port 2.
  – Port 3 will be available in version 6.X of MVP OS.
• Management Port = 1.

    cat6k(config)# anomaly-guard module 2 port 1 allowed-vlan 10
    cat6k(config)# anomaly-guard module 2 port 1 native-vlan 10
    cat6k(config)# anomaly-guard module 2 port 2 allowed-vlan 100,200

Type: Command

Importance: Medium

Time: As Needed

Purpose: Introduce the commands to configure the Guard's Data and Management interface connections to the supervisor engine.

In the book: A table that details available parameters of the command.

Misc:


13. (DDoS v2.0—9-13)

Internal Monitoring via SPAN (Supervisor Configuration)

[Diagram labels: NOC; Internet; Routed (L3) Port .254/.253, 192.168.128.0/24; Gi1/1; Gi1/2; Zone 192.168.1.0/24; Port 1 (Management Port), 10.1.1.0/24 VLAN 10; Port 2 (Data Port) giga2; VLAN 200 192.168.200.0/24]

    anomaly-detector module 5 management-port access-vlan 11

    monitor session 2 source interface gi1/1 rx
    monitor session 2 source interface gi1/2 rx
    monitor session 2 destination anomaly-detector-module 5 data-port 1

Type: Command

Importance: Medium

Time: As Needed

Purpose: To show the necessary commands to enable a SPAN session to the Detector Module.

In the book: A table that details available parameters of the command.

Misc:

14. (DDoS v2.0—9-14)

L2 Hijacking / L2 Injection (Guard Module)

[Diagram labels: Zone 192.168.1.0/24; VLAN 100 192.168.100.0/24 (.1/.254); VLAN 200 192.168.200.0/24 (.1/.254); NOC; Internet .254/.253; VLAN interface .1; Port 2 (Data Port) giga2; Port 1 (Management Port), 10.1.1.0/24 VLAN 10; Gi1/1; Gi1/2]

    diversion hijacking receive-via-ip 192.168.100.1
    diversion hijacking receive-via-vlan 100
    diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253

    interface eth1
     ip address 10.1.1.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    interface giga2
     mtu 1500
     no shutdown
    exit
    interface giga2.100
     ip address 192.168.100.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    interface giga2.200
     ip address 192.168.200.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    proxy 192.168.200.100 (on Vlan200)

Type: Command

Importance: Medium

Time: As Needed

Purpose: Example of L2 Hijacking and Injection – Supervisor Module configuration.

In the book: N/A

Misc:

15. (DDoS v2.0—9-15)

L2 Hijacking / L2 Injection (cont) (Supervisor Configuration)

    anomaly-guard module 2 port 1 allowed-vlan 10
    anomaly-guard module 2 port 2 allowed-vlan 100,200
    anomaly-guard module 2 port 1 native-vlan 10

    interface GigabitEthernet1/1
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface GigabitEthernet1/2
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk

    interface Vlan100
     ip address 192.168.100.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp

    interface Vlan200
     ip address 192.168.200.254 255.255.255.0
     no ip redirects
     no ip unreachables

[Diagram labels: Port 1 (Management Port); Zone 192.168.1.0/24; VLAN 100 192.168.100.0/24 (.1/.254); VLAN 200 192.168.200.0/24 (.1/.254); NOC; Internet .254/.253; Port 2 (Data Port) giga2; VLAN interface .1; 10.1.1.0/24 VLAN 10; Gi1/1; Gi1/2]

Type: Command

Importance: Medium

Time: As Needed

Purpose: Example of L2 Hijacking and Injection – Guard Module configuration.

In the book: N/A

Misc:

16. (DDoS v2.0—9-16)

L3 Hijacking / L3 PBR Injection (Guard Module)

    diversion hijacking receive-via-ip 192.168.100.1
    diversion hijacking receive-via-vlan 100
    diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.254

    interface eth1
     ip address 10.1.1.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    interface giga2
     mtu 1500
     no shutdown
    exit
    interface giga2.100
     ip address 192.168.100.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    interface giga2.200
     ip address 192.168.200.1 255.255.255.0
     mtu 1500
     no shutdown
    exit
    proxy 192.168.200.100

[Diagram labels: VLAN 100 192.168.100.0/24 (.1/.254); VLAN 200 192.168.200.0/24 (.1/.254); NOC; Internet .254; Routed (L3) Port .254, 192.168.128.0/24; Port 2 (Data Port) giga2; Port 1 (Management Port), 10.1.1.0/24 VLAN 10; Zone 192.168.1.0/24 (.1); Gi1/2 64.0.0.0/24 Routed (L3) Port]

Type: Command

Importance: Medium

Time: As Needed

Purpose: Example of L3 Hijacking and Injection – Guard Module configuration.

In the book: N/A

Misc:


17. (DDoS v2.0—9-17)

L3 Hijacking / L3 PBR Injection (Supervisor Configuration)

    anomaly-guard module 2 port 1 allowed-vlan 10
    anomaly-guard module 2 port 2 allowed-vlan 100,200
    anomaly-guard module 2 port 1 native-vlan 10

    interface GigabitEthernet1/1
     ip address 192.168.128.254 255.255.255.0

    interface GigabitEthernet1/2
     ip address 64.0.0.254 255.255.255.0

    interface Vlan100
     ip address 192.168.100.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp

    interface Vlan200
     ip address 192.168.200.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip policy route-map PBR1

    access-list 100 permit ip any 192.168.1.0 0.0.0.255

    route-map PBR1 permit 10
     match ip address 100
     set ip next-hop 64.0.0.1

    router ospf 1
     network 192.168.200.0 0.0.0.255 area 0

[Diagram labels: VLAN 100 192.168.100.0/24 (.1/.254); VLAN 200 192.168.200.0/24 (.1/.254); NOC; Internet .254; Routed (L3) Port .254, 192.168.128.0/24; Port 2 (Data Port) giga2; Port 1 (Management Port), 10.1.1.0/24 VLAN 10; Zone 192.168.1.0/24 (.1); Gi1/2 64.0.0.0/24 Routed (L3) Port]

Type: Command

Importance: Medium

Time: As Needed

Purpose: Example of L3 Hijacking and Injection – Supervisor Module configuration.

In the book: N/A

Misc:
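Added example, not from the course materials, covering both the RHI mechanism from slide 8 and the PBR injection shown in the two slides above: a Python model of the supervisor's forwarding decision. It reads RHI's "two divided routes" as the two halves of the zone prefix (an assumption), installs them for the 192.168.1.0/24 zone, shows that they beat the zone's own /24 on longest-prefix match, and shows why "ip policy route-map PBR1" on Vlan200 is needed: without it, scrubbed traffic re-injected by the Guard would match the same /25s and be diverted again. The base routing table is constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (prefix, next hop or exit description)

ZONE = ipaddress.ip_network("192.168.1.0/24")
GUARD_RECEIVE_IP = "192.168.100.1"   # diversion hijacking receive-via-ip
PBR_NEXT_HOP = "64.0.0.1"            # route-map PBR1: set ip next-hop


def rhi_divided_routes(zone: Net) -> List[Net]:
    """The two routes RHI injects for a zone, read here (assumption) as the two
    halves of the zone prefix: one bit longer, so they beat the zone's own route."""
    if zone.prefixlen >= 32:
        raise ValueError("a host route cannot be divided")
    return list(zone.subnets(prefixlen_diff=1))


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Destination-based lookup: the most specific matching prefix wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, nexthop in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def pbr1_next_hop(ingress: str, dst: str) -> Optional[str]:
    """Models 'access-list 100 permit ip any 192.168.1.0 0.0.0.255' applied by
    'route-map PBR1 permit 10' through 'ip policy route-map PBR1' on Vlan200."""
    if ingress == "Vlan200" and ipaddress.ip_address(dst) in ZONE:
        return PBR_NEXT_HOP
    return None


def forward(table: List[Route], ingress: str, dst: str) -> str:
    """Policy routing on the ingress interface is applied before the table lookup."""
    hop = pbr1_next_hop(ingress, dst)
    if hop is not None:
        return hop
    match = longest_prefix_match(table, dst)
    return match[1] if match else "drop"


# Constructed supervisor table before diversion: the zone sits behind Gi1/2 (64.0.0.1).
BASE_TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "Internet via Gi1/1"),
    (ZONE, PBR_NEXT_HOP),
]


def diverted_table(zone: Net = ZONE, guard_ip: str = GUARD_RECEIVE_IP) -> List[Route]:
    """Table after the Guard enters protect mode and RHI adds its two routes."""
    return BASE_TABLE + [(half, guard_ip) for half in rhi_divided_routes(zone)]


if __name__ == "__main__":
    table = diverted_table()
    # Inbound traffic for the zone arriving on the routed port is diverted to the Guard.
    print(forward(table, "Gi1/1", "192.168.1.10"))         # 192.168.100.1
    # Scrubbed traffic the Guard re-injects onto Vlan200 is policy-routed onward...
    print(forward(table, "Vlan200", "192.168.1.10"))       # 64.0.0.1
    # ...because a plain table lookup would send it straight back to the Guard.
    print(longest_prefix_match(table, "192.168.1.10")[1])  # 192.168.100.1
```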

18. (DDoS v2.0—9-18)

Summary

• The Cisco Guard and Traffic Anomaly Detector modules are available for the Cisco Catalyst 6500 and 7600 Router lines.
• A single Cisco Guard Module offers Gigabit performance running 5.1 code and up to 3 Gigabit performance running 6.X code.
• After enabling communication both in-band and out of band for the Cisco Guard and Detector modules, they are configured using the same command syntax as the appliances.
• The Cisco Guard module can be configured to Hijack and Re-inject scrubbed traffic in a variety of ways.

Type: Summary

Importance: Medium

Time: As Needed

Purpose: Chapter Summary

In the book: N/A

Misc:

19. (DDoS v2.0—9-19)

Type: Last

Importance: Medium

Time: As Needed

Purpose: Lesson conclusion, and opportunity for breaks, questions and answers.

In the book: N/A

Misc: