Cisco Catalyst 6500 and Cisco 7600 Router Anomaly Guard Module Design Guide
All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 12
DESIGN GUIDE
CISCO TRAFFIC ANOMALY DETECTOR MODULE AND
CISCO ANOMALY GUARD MODULE
SUMMARY
This document provides some general design considerations and introductory design guidelines for deploying the Cisco® Traffic Anomaly Detector Module and the Cisco Anomaly Guard Module. These modules work together to detect and mitigate distributed denial of service (DDoS) attacks.
1. CISCO TRAFFIC ANOMALY DETECTOR MODULE
Role of the Cisco Traffic Anomaly Detector Module
The Cisco Traffic Anomaly Detector Module is a passive monitoring device that constantly looks for indications of a DDoS attack against a protected destination (referred to as a “zone”), such as a server, firewall interface, or router interface. The Traffic Anomaly Detector Module analyzes copies of all inbound traffic (via Switched Port Analyzer [SPAN] or passive network tap) destined for the protected zone or zones. This analysis consists of comparing the current traffic to a set of behavioral thresholds (a “zone policy”) to detect anomalous traffic behavior. If anomalous behavior is seen and is considered a possible attack, the Traffic Anomaly Detector Module will signal the Anomaly Guard Module (via an out-of-band Ethernet management network) to start mitigating the attack.
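The detection loop described above (per-zone counters over a SPAN copy of inbound traffic, compared against a zone policy, with a mitigation signal sent to the Guard when a threshold is exceeded for more than a momentary blip) can be sketched in a few dozen lines. The following is an added illustration written for this guide, not Cisco code and not the module's actual algorithm: the zone definitions, the policy metrics (`pps`, `syn_pps`, `udp_pps`), the `sustain` parameter and the packet summaries are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: each zone is one or more protected destination prefixes.
ZONES = {
    "web-farm": ["203.0.113.0/28"],
    "dns": ["198.51.100.53/32"],
}

# Constructed zone policies: behavioral thresholds, in packets per second.
ZONE_POLICY = {
    "web-farm": {"pps": 200, "syn_pps": 50},
    "dns": {"pps": 100, "udp_pps": 80},
}


@dataclass(frozen=True)
class PacketSummary:
    """What a SPAN/tap feed gives the detector: just headers, no payload."""
    ts: int          # whole second the packet was seen
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    syn: bool = False


def zone_for(dst):
    """Map a destination address to its zone, or None if unprotected."""
    addr = ip_address(dst)
    for zone, prefixes in ZONES.items():
        if any(addr in ip_network(p) for p in prefixes):
            return zone
    return None


def aggregate(packets):
    """Build per-(zone, second) counters; traffic to non-zones is ignored."""
    counters = defaultdict(lambda: {"pps": 0, "syn_pps": 0, "udp_pps": 0})
    for pkt in packets:
        zone = zone_for(pkt.dst)
        if zone is None:
            continue
        c = counters[(zone, pkt.ts)]
        c["pps"] += 1
        if pkt.proto == "tcp" and pkt.syn:
            c["syn_pps"] += 1
        if pkt.proto == "udp":
            c["udp_pps"] += 1
    return counters


def evaluate(counters, policy, sustain=2):
    """Return {zone: [(metric, first_second, threshold), ...]} for every metric
    that stayed above its threshold for `sustain` consecutive seconds."""
    alarms = {}
    for zone, thresholds in policy.items():
        seconds = sorted(ts for (z, ts) in counters if z == zone)
        for metric, limit in thresholds.items():
            run, prev = 0, None
            for ts in seconds:
                exceeded = counters[(zone, ts)][metric] > limit
                # a gap in observed seconds also breaks the run
                run = run + 1 if exceeded and prev == ts - 1 else int(exceeded)
                prev = ts
                if run == sustain:
                    alarms.setdefault(zone, []).append((metric, ts - sustain + 1, limit))
                    break
    return alarms


def detect(packets, policy=ZONE_POLICY, sustain=2):
    """Whole detector pass: aggregate, evaluate, and name zones to divert."""
    return evaluate(aggregate(packets), policy, sustain)


def guard_signal(alarms):
    """The out-of-band message to the Guard: which zones to divert."""
    return sorted(alarms)


def synth(ts, dst, count, proto="tcp", syn=False):
    return [PacketSummary(ts, dst, proto, syn) for _ in range(count)]


def sample_traffic():
    """Constructed six-second capture: steady traffic, a one-second SYN blip
    at t=1, then a sustained SYN flood on the web farm from t=3 onward."""
    pkts = []
    for ts in range(6):
        pkts += synth(ts, "198.51.100.53", 60, proto="udp")
        pkts += synth(ts, "203.0.113.10", 130)
        pkts += synth(ts, "203.0.113.10", 20, syn=True)
    pkts += synth(1, "203.0.113.10", 40, syn=True)          # blip, not sustained
    for ts in range(3, 6):
        pkts += synth(ts, "203.0.113.10", 300, syn=True)    # flood
    pkts += synth(4, "192.0.2.9", 500, syn=True)            # unprotected, ignored
    return pkts


if __name__ == "__main__":
    alarms = detect(sample_traffic())
    print(alarms)                 # {'web-farm': [('pps', 3, 200), ('syn_pps', 3, 50)]}
    print(guard_signal(alarms))   # ['web-farm']
```

The `sustain` requirement is the design point worth noticing: with `sustain=1` the 60 SYN/s blip at t=1 would already trigger diversion, so a threshold-only policy trades a faster reaction for more false diversions. The real module's policies are considerably richer than three counters, but the shape of the decision (observe a copy, compare to a per-zone baseline, signal the Guard out of band) is the same.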
Place in the Network
The Traffic Anomaly Detector Module is placed logically downstream from the Anomaly Guard Module, but upstream of any firewall. During non-attack periods, the Traffic Anomaly Detector Module will see all inbound traffic destined for the protected zone. During an attack where an Anomaly Guard has diverted traffic from the targeted zone for mitigation, the Traffic Anomaly Detector will only see the “cleaned” traffic leaving the Anomaly Guard destined for the zone.
Performance and Capacity Limits
Each individual Traffic Anomaly Detector Module is capable of:
• Analyzing up to 1 Gbps of inbound Ethernet traffic
• Containing a maximum of 500 configured zones
• Actively monitoring 90 zones (where each zone is one or more protected destination IP addresses) concurrently
Up to eight Traffic Anomaly Detector Modules can be deployed in a Catalyst 6500 chassis with a minimum Supervisor Engine 2 and SFM.