Cisco Cisco Catalyst 6500 Cisco 7600 Router Anomaly Guard Module 디자인 가이드

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.

Page 9 of 12

Given that each zone can contain multiple destination IP addresses (each representing a server) that are either host destinations (/32 mask) or

subnetted destinations, multiple customers can be configured onto one zone. The most significant configuration constraint is that active zones

cannot have duplicate IP address space. Therefore, one can potentially configure DDoS detection (Traffic Anomaly Detector) and mitigation

(Anomaly Guard) for thousands of customers on each individual module. Apart from the active zone limit, total module bandwidth capacity, as

described above, is the other factor to consider when designing a hosting provider managed service deployment.

5. ISP MANAGED SERVICE DEPLOYMENT

Internet service providers (ISPs) can deploy DDoS protection for their subscribers as a managed service offering to complement their Internet

connectivity services. In an ISP-managed DDoS service, Anomaly Guard modules will always be deployed in the service provider network.

Traffic Anomaly Detector modules can be deployed on the subscriber premises or within the service provider network, depending on the type

of attack detection system being used.

Deployment Considerations

Centralized or Distributed Attack Mitigation

There are two options for deploying Anomaly Guard Modules—centralized or distributed deployment.

The centralized model is optimal for ubiquitous DDoS managed service deployments, where all subscribers and the service provider’s peering

ingress points are being protected by Anomaly Guard Modules. The distributed model is easier to deploy for service providers that are introducing

the managed service to a subset of customers over a staggered introduction process.

Centralized Model

In the centralized deployment model, Anomaly Guard clusters are installed in a single central location on the service provider backbone network or

in multiple regional locations (Figure 5). These Anomaly Guard “scrubbing centers” are engaged to clean traffic from any source to any destination

on the service provider backbone. The destinations are addresses (representing servers or network infrastructure that are potential attack targets)

of ubscribers who have signed up for the DDoS protection service.

Attack detection in the centralized deployment model can be accomplished using a different detection mechanism than the Traffic Anomaly

Detector odule. Given the broad mitigation coverage afforded by a centralized model (attacks destined for any subscriber destination throughout

the ervice provider network will be directed to a central location for cleaning), a broadly based attack detection mechanism would be best provided

by a NetFlow-based system, such as Arbor Networks’ Peakflow SP product.

In a centralized deployment, Anomaly Guard modules can be dedicated for individual subscribers, shared among all subscribers, or a combination

of edicated and shared. However, the centralized model is well suited for a ubiquitous managed service deployment, where all subscribers share

the entral Anomaly Guard cluster.

A variation of a single centralized cluster is the deployment of multiple regional clusters that would more efficiently process anomalous traffic in

a arge backbone network.

Design recommendations for the centralized model include:

•

Sufficient backbone network capacity (bandwidth) exists to transport the anomalous traffic (good and bad traffic destined for a target that

requires cleaning) from ingress points to the Anomaly Guard cluster.

•

Scalable traffic injection methods are configured for forwarding the cleaned (legitimate) traffic from the Anomaly Guard cluster to the

intended destinations (using MPLS-VRF rather than GRE tunnel’s more efficient router operation, for example).