Cisco Traffic Anomaly Detector

The Cisco Traffic Anomaly Detector is the industry's standard solution for detecting the most complex and sophisticated DDoS attacks. The Cisco Traffic Anomaly Detector works in combination with the Cisco Guard DDoS Mitigation device.

Cisco Traffic Anomaly Detectors identify potential DDoS attacks and divert traffic destined for the targeted device to the Cisco Guard to scrub, identify, and block malicious traffic in real-time, without affecting the flow of legitimate traffic.

Cisco Traffic Anomaly Detection is based on sophisticated anomaly detection intelligence capabilities that compare current activity to profiles of known normal behavior, enabling the Traffic Anomaly Detector to identify any type of DDoS attacks including day-zero attacks. The detector has a built-in behavioral recognition engine that enables traffic pattern comparison, thus eliminating the need to manually update profiles. This also reduces the number of false alarms, in contrast to signature-based engines.

The Cisco Traffic Anomaly Detectors deliver high performance detection, diversion, and alerting capabilities for potential DDoS attacks, worms, and day-zero attacks. Without impacting legitimate flow, the Traffic Anomaly Detector triggers a mitigation service to remove malicious attack flows and blocks the attack before network resource availability is adversely affected.

The Cisco Traffic Anomaly Detector can monitor attack flows at full multigigabit line rates, by identifying more than 100,000 sources per device in a single attack, thereby providing robust protection for high-volume environments.

The Cisco Traffic Anomaly Detector is based on a unique, patented Multi-Verification Process (MVP) architecture developed by Cisco, as shown in Figure 22-5. MVP utilizes the latest behavioral analysis and attack recognition technology to proactively detect and identify all types of DDoS attacks.

Cisco Traffic Anomaly Detector products are available in two options:

• Cisco Traffic Anomaly Detector XT 5600 Series Appliance

• Cisco Traffic Anomaly Detector Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Cisco Traffic Anomaly Detector continuously monitors a mirrored copy of selected traffic destined for a protected host or group of hosts and compiles detailed profiles that indicate how individual hosts behave under normal operating conditions. When a traffic pattern deviation is detected, it is considered as the anomalous behavior of a potential attack, and the Detector responds based on user-configured preferences by

• Sending an operator alert to initiate a manual response

• Triggering an existing management system

• Launching the Cisco Guard XT DDoS Mitigation Appliance to immediately begin mitigation services

The Traffic Anomaly Detector performs the following tasks:

• Traffic learning: Classifies and categorizes the normal zone traffic pattern by using an algorithm-based process to establish a baseline. During the learning process, the Detector modifies the default zone traffic policies and policy thresholds to match the characteristics of normal zone traffic. The traffic policies and thresholds define the reference points that the Detector uses to determine when the zone traffic is normal or abnormal (indicating an attack on the zone).

• Traffic anomaly detection: Detects anomalies in protected zone traffic based on normal traffic characteristics.

Figure 22-4 illustrates the operation of the Cisco Traffic Anomaly Detector in which the Traffic Detector receives a mirrored copy (using SPAN/VACL) of the network traffic for analysis. If deviation is detected, it reroutes the traffic to the Cisco Guard Mitigation for analysis and mitigation services.

Figure 22-4. Cisco Traffic Anomaly Detection and Mitigation Operation

The Traffic Detector can operate as an independent DDoS detection and alarm component; however, it works optimally with the Cisco Guard to provide mitigation services completing the DDoS protection solution.

Cisco Traffic Detector device is capable of processing attack traffic at multigigabit line rates, and the recognition engine identifies the broadest range of DDoS attacks, including

• TCP-based attacks

• UDP-based attacks

• HTTP attacks

• DNS attacks

• SIP (VoIP) attacks

• Botnets and Zombie attacks

To provide the best possible implementation scenario, the Cisco Traffic Anomaly Detector can be deployed downstream, close to protected resources in the data center, or upstream adjacent to a Cisco Guard to provide more widespread coverage.

Combined with the Cisco Guard Mitigation, the Cisco Traffic Anomaly Detector provides industry's most comprehensive DDoS defense system.