Cisco Guard DDoS Mitigation is the industry's standard solution for defeating the most complex and sophisticated DDoS attacks. Cisco Guard DDoS Mitigation works in combination with the Cisco Traffic Anomaly Detector device.
The Cisco Guard Mitigation delivers multigigabit performance to protect the service provider and large-scale enterprise environments from DDoS attacks by performing granular per-flow-level analysis and identification, and it provides blocking capabilities to stop DDoS attack traffic in real-time while allowing legitimate traffic to flow seamlessly. The guard is capable of filtering attacks from hundreds of thousands of zombies simultaneously.
Cisco Guard DDoS Mitigation products are available in two options:
Cisco Guard DDoS Mitigation XT 5600 Series Appliance
Cisco Guard DDoS Mitigation Guard Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
One of the most important advantages of the Cisco Guard is that it is not an inline solution. It can therefore be deployed off the critical path at any point in the network and still be placed into the data path only when needed, by using its dynamic diversion capability. This also ensures that the failure of a Cisco Guard device does not impact the traffic flow.
As shown in Figure 22-4, the Cisco Guard device receives diverted suspect traffic from the Cisco Traffic Anomaly Detector for data scrubbing and cleaning services, using its advanced statistical profiling techniques and antispoofing technologies. During the traffic-cleaning process, the Cisco Guard identifies and drops the attack packets and forwards the legitimate packets to their targeted network destinations.
The Cisco Guard is based on a unique Multi-Verification Process (MVP) architecture developed by Cisco. The diverted traffic is subjected to the MVP architecture that employs the most advanced anomaly recognition, protocol analysis, source verification, and antispoofing technologies.
Cisco Guard provides robust protection against all types of attacks with the integrated dynamic filters and active verification technologies, driven by a sophisticated profile-based anomaly recognition engine. In addition, the protocol analysis and rate limiting features ensure that only valid traffic gets through without overwhelming other downstream devices.
Figure 22-5 illustrates the innovative MVP architecture that delivers multiple interactive layers of defense, which are designed to identify and block the specific packets and flows responsible for the attack.
The information in Figure 22-5 is compiled from the Cisco Networkers session presentation BRKSEC-2030 on "Deploying Network IPS."
The Cisco Guard Mitigation device is capable of processing attack traffic at multigigabit line rates, and the recognition engine identifies a broad range of DDoS attacks, including the following:
TCP-based attacks
UDP-based attacks
HTTP attacks
DNS attacks
SIP (VoIP) attacks
The Guard DDoS Mitigation performs the following tasks:
Traffic learning: Classify and categorize the normal zone traffic pattern using an algorithm-based process to establish a baseline. During the learning process, the Guard modifies the default zone traffic policies and policy thresholds to match the characteristics of normal zone traffic. The traffic policies and thresholds define the reference points that the Guard uses to determine when the zone traffic is normal or abnormal (indicating an attack on the zone).
Traffic protection: Distinguish between legitimate and malicious traffic and filter the malicious traffic so that only the legitimate traffic is allowed to pass on to the protected zone.
Traffic diversion: Divert the zone traffic from its normal network path to the Guard learning and protection processes and then return the legitimate zone traffic to the network.
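The following Python model makes the learning, diversion and protection cycle just listed concrete. It is an added example, not Cisco's code and not the MVP architecture: the Flow record, the (protocol, destination port) policy key, the mean-plus-three-standard-deviations threshold rule, the zone address 203.0.113.10 and the client and zombie addresses are all constructed, and "source seen during learning" stands in for the Guard's active source verification, whose mechanics the text does not describe. It goes slightly beyond the text by also showing what a baseline alone does to unfamiliar sources during an attack: they have to share whatever rate budget is left below the policy threshold, which is why the text puts so much weight on source verification and antispoofing rather than on thresholds alone.

```python
"""Toy model of the Cisco Guard's traffic learning / diversion / protection
cycle.  Added illustration only, not Cisco's MVP architecture or code.  The
Flow record, policy key, threshold rule and "seen while learning" stand-in for
source verification are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address; the protected zone when it matches ZoneGuard.zone
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    pps: int    # packets per second seen for this flow during one interval


def policy_key(flow):
    """Policy bucket = (protocol, destination port); a simplification of the
    Guard's per-zone traffic policies."""
    return (flow.proto, flow.dport)


class ZoneGuard:
    def __init__(self, zone, min_threshold=50):
        self.zone = zone
        self.min_threshold = min_threshold  # floor so quiet buckets are not hair-trigger
        self.samples = defaultdict(list)    # policy -> per-interval pps totals seen while learning
        self.known = defaultdict(set)       # policy -> sources seen while learning
        self.thresholds = {}
        self.diverted = False

    def _totals(self, flows):
        totals = defaultdict(int)
        for f in flows:
            if f.dst == self.zone:
                totals[policy_key(f)] += f.pps
        return totals

    # Traffic learning: record one interval of normal zone traffic per policy.
    def learn(self, flows):
        for key, total in self._totals(flows).items():
            self.samples[key].append(total)
        for f in flows:
            if f.dst == self.zone:
                self.known[policy_key(f)].add(f.src)

    def finalize_baseline(self):
        """Turn the learned samples into per-policy thresholds (mean + 3 sigma)."""
        for key, vals in self.samples.items():
            thr = mean(vals) + 3 * pstdev(vals)
            self.thresholds[key] = max(int(thr), self.min_threshold)
        return dict(self.thresholds)

    # Anomaly check: which policies exceed their learned threshold this interval?
    def check(self, flows):
        anomalous = {k: v for k, v in self._totals(flows).items()
                     if v > self.thresholds.get(k, self.min_threshold)}
        self.diverted = bool(anomalous)  # a real deployment would trigger diversion here
        return anomalous

    # Traffic protection: filter one interval of diverted traffic.
    def protect(self, flows):
        """Return (passed_pps, dropped_pps) for the interval."""
        anomalous = self.check(flows)
        passed = dropped = 0
        known_pps = defaultdict(int)
        unknown = defaultdict(list)
        for f in flows:
            key = policy_key(f)
            if f.dst != self.zone or key not in anomalous:
                passed += f.pps             # policy not under attack: forwarded untouched
            elif f.src in self.known[key]:
                passed += f.pps             # source seen in the baseline stands in for "verified"
                known_pps[key] += f.pps
            else:
                unknown[key].append(f)      # candidates for the dynamic filter
        for key, fl in unknown.items():
            # Budget left below the threshold is shared equally among unverified
            # sources; anything above that per-source cap is dropped.
            cap = max(0, self.thresholds[key] - known_pps[key]) // len(fl)
            for f in fl:
                passed += min(f.pps, cap)
                dropped += f.pps - min(f.pps, cap)
        return passed, dropped


ZONE = "203.0.113.10"  # constructed protected-zone address (TEST-NET-3)


def build_guard():
    """Learn a baseline from five constructed intervals of normal zone traffic."""
    g = ZoneGuard(ZONE)
    for a, b in [(60, 40), (70, 40), (50, 40), (65, 40), (55, 40)]:
        g.learn([Flow("198.51.100.1", ZONE, "tcp", 80, a),
                 Flow("198.51.100.2", ZONE, "tcp", 80, b),
                 Flow("198.51.100.3", ZONE, "udp", 53, 20)])
    g.finalize_baseline()  # tcp/80 -> 121 pps, udp/53 -> floor of 50 pps
    return g


def attack_interval():
    """One constructed interval: the usual clients plus twenty low-rate zombies."""
    legit = [Flow("198.51.100.1", ZONE, "tcp", 80, 40),
             Flow("198.51.100.2", ZONE, "tcp", 80, 30),
             Flow("198.51.100.3", ZONE, "udp", 53, 20)]
    zombies = [Flow(f"192.0.2.{i}", ZONE, "tcp", 80, 50) for i in range(1, 21)]
    return legit + zombies


if __name__ == "__main__":
    guard = build_guard()
    print("thresholds:", guard.thresholds)
    print("anomalous policies:", guard.check(attack_interval()))
    print("passed/dropped pps:", guard.protect(attack_interval()))
```

Running the module learns thresholds of 121 pps for tcp/80 and the 50 pps floor for udp/53, flags tcp/80 at 1070 pps as anomalous, and forwards 130 pps while dropping 960 pps. Note that the twenty zombies are each clipped to 2 pps only because the two known clients consume most of the budget; a new legitimate client arriving during the attack would be treated exactly like a zombie, which is the gap that active verification and antispoofing are meant to close.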
To provide the best possible implementation scenario, the Cisco Guard can be deployed in a distributed upstream configuration at the backbone level, close to the network edge or ISP connection.
Cisco Guard is typically deployed off the critical path at any point in the network, from enterprise access points to peering points off an ISP backbone.
Combined with the Cisco Traffic Anomaly Detector, the Cisco Guard Mitigation provides the industry's most comprehensive DDoS defense system.