Table Of Contents
Monitoring Zone and Device Operations
Using the MDM Global Diagnostic Tools
Viewing the Network Summary Screen
Displaying the Global Guard Counters
Clearing the Guard Global Counters
Displaying the Network Event Log
Displaying the Current Status of all Zones
Using the Zone Diagnostic Tools
Displaying the Zone Status Screen
Zone Status Bar
Zone Traffic Rate Statistics and Graph
Zone Status Table
Zone Recent Events Table
Displaying the Zone Counters
Using Zone Counters to Analyze Traffic Flow
Clearing the Zone Counters
Displaying the Device Status and Device-Specific Counter Information
Displaying the Zone Event Log
Displaying the Zone Attacks Summary Report
Displaying Details of an Attack Report
Displaying Report Details of a Past Attack
Displaying Details of a Current Attack
Displaying an IP Summarization Report (Guard-only Function)
Understanding Attack Report Details
General Attack Information
Attack Statistics
Dropped/Bounced Packets
Detected Anomalies
Displaying Details of Detected Anomalies
Mitigated Attacks
Displaying Mitigated Attack Details
Replied IP Summarizations (Guard-Only Function)
HTTP Detected Zombies
Exporting Zone Attack Reports
Using the Attack Summary Screen Method for Exporting Attack Reports
Using the Zone Menu Method for Exporting Attack Reports
Deleting Attack Reports
Displaying the HTTP Zombies List
Displaying the Drop Statistics Table
Monitoring Zone and Device Operations
This chapter describes how to monitor the status of the Cisco DDoS MultiDevice Manager (MDM) network. You can monitor the network on a global basis, looking at all zones and devices as a whole, or on a more detailed, per-zone basis. Using the MDM statistical tools, you can diagnose problems related to the zone traffic flow.
The MDM gathers statistical information from the devices that you define on the network device list. The MDM aggregates the information to provide you with several statistical and status reporting tools for analyzing your network's operation. The MDM's consolidated reporting system allows you to display the following information:
• Traffic counters and graphs—Aggregated counter information provides details on the rates associated with legitimate and malicious traffic.
• Zone operating status—Operation status of the zone devices, such as Under Detection, Protected, or Tuning Thresholds.
• Attack reports—The MDM highlights any current attacks and provides instant access to attack details.
• Events—Events reported by the zone Detectors and Guards.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Using the MDM Global Diagnostic Tools
• Using the Zone Diagnostic Tools
Note
When you delete a zone from the MDM, the MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone. This includes the cleanup of all zone-related files upon deletion of the zone from the MDM, such as logs and counters.
Using the MDM Global Diagnostic Tools
The MDM provides diagnostic information to assist you in monitoring and troubleshooting global events that occur within the MDM network. This section contains the following topics:
• Viewing the Network Summary Screen
• Displaying the Global Guard Counters
• Clearing the Guard Global Counters
• Displaying the Network Event Log
• Displaying the Current Status of all Zones
Note
When you delete a zone from the MDM, the MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone. This includes the cleanup of all zone-related files upon deletion of the zone from the MDM, such as logs and counters.
Viewing the Network Summary Screen
The MDM Network Summary screen (see Figure 11-1) provides a summary of the current network activity and is the first screen to appear when connecting to the MDM server. You can also access the Network Summary screen using the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right corner, click Home.
• From the Network Summary menu, choose Main > Network Summary.
Figure 11-1 Network Summary Screen
The Network Summary screen provides a list of the activated zones that are currently under attack, with the most recent attack appearing at the top. To view the details of a particular zone under attack, click in the table row to display the associated Zone Summary screen.
Table 11-1 describes the fields of the Network Summary table.
Table 11-1 Field Descriptions for Network Summary Table
Field | Description
Zone | Zone name. The zone name also provides a link to the zone status screen of the specified zone.
Attack Start Time | Date and time that the most recent attack on the zone was detected.
#DF | Number of dynamic filters that the zone Guards have created to mitigate the attack.
#PF | Number of pending dynamic filters. The display shows N/A (not applicable) if the zone is operating in automatic mode (not interactive mode). The devices automatically activate any dynamic filter that they produce as a result of the attack.
Legitimate Rate | Current rate of legitimate traffic (in bits per second) received by the devices. The zone Guards inject legitimate traffic back into the network.
Malicious Rate | Current rate of malicious traffic (in bits per second) received by the Guards and dropped.
Received Rate | Current rate of all traffic (in bits per second) received by the Guards. The received rate is equal to the legitimate rate plus the malicious rate.
Thumbnail of the zone traffic summary | Graph that displays a summary of the traffic (in bits per second) to the zone in the last half hour. The traffic rates are color-coded and display the following information:
    • Green—Legitimate traffic rate
    • Red—Malicious traffic rate
    • Azure—Master receive rate (this rate displays only when the master device is a Detector)
Displaying the Global Guard Counters
The Counters screen provides an in-depth analysis of the counter information that the MDM receives from all of the Guards that you have defined in the MDM device list. The Global Current Counter/Rates table within the Counters screen displays aggregated statistical information, such as the number of legitimate or malicious traffic packets, that the Guards have received. The Counters screen also provides a graphical representation of the counter statistical information.
To display the global Guard counters, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Diagnostics > Counters > Guards Counters. The Counters screen appears, which includes the Global Current Counters/Rates table (see Table 11-2).
Step 3
(Optional) Add or remove counters from the Guard Traffic Rate graph by checking the check box next to each counter that you want to display, or unchecking the check box next to each counter that you want to remove from the graph. Click Update Graph. The MDM updates the graph.
Step 4
(Optional) Modify the period of time that displays in the graph by choosing the period of time from the Graph Period drop-down list. Click Update Graph. The MDM updates the graph.
By default, the traffic rate graph displays counter information recorded in the last 2 hours.
Step 5
(Optional) Change the unit of measurement that the MDM uses in the traffic rate graph by choosing a unit of measurement from the Graph Type drop-down list. Click Update Graph. The MDM updates the graph.
The units of measurement options are as follows:
• pps—Packets per second
• bps—Bits per second (default setting)
Step 6
(Optional) Click Clear Counters to clear the Guard counters. The MDM clears the current counters and the traffic rates. Clear the Guard counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
Table 11-2 describes the fields in the Global Current Counters/Rates table.
Table 11-2 Field Descriptions for the Global Current Counters/Rates Table
Field | Description
Shown in Graph | Selected counter information that the Guard Traffic Rates graph displays.
Counter | Type of traffic packets that the counter tracks.
Legitimate | Legitimate traffic forwarded by the Guards to the zones.
Malicious | Malicious traffic that targets the zones. Malicious traffic is the sum of Dropped packets and Spoofed packets (including the Zombie packets).
Received | Packets received and handled by the Guards. Received packets are the sum of legitimate traffic and malicious traffic.
Dropped | Packets that were identified by the Guards as malicious and dropped.
Replied | Packets to which replies were sent to the initiating client as part of the antispoofing or antizombie functions in order to verify whether they are part of authentic traffic or part of an attack.
Spoofed | Packets that were identified by the Guards as Spoofed packets and not forwarded to the zones. Spoofed packets are Replied (bounced) packets to which no replies were received. Spoofed packets include Zombie packets.
Packets | Total number of packets since the last reload or clear counter of each Guard.
Bits | Total number of bits since the last reload or clear counter of each Guard.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
A legend that identifies the different counters appears below the graph. The minimum, maximum, and average rates for each counter display for the time period that you selected.
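The relationships that Table 11-2 states between the counters (Received is the sum of Legitimate and Malicious, Malicious is the sum of Dropped and Spoofed, and Spoofed packets are a subset of Replied packets) are useful for two practical checks: verifying that what a Guard reports is internally consistent, and turning two cumulative snapshots into the pps and bps rates that the graph shows. The following Python is an added example; it is not code from this guide or from Cisco, the MDM exposes no such API in this chapter, and every per-Guard counter value below is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class GuardCounters:
    """Cumulative counters one Guard reports since its last reload or Clear Counters.
    Names follow Table 11-2; every field is taken as reported, not derived."""
    legitimate: int   # packets forwarded to the zone
    malicious: int    # dropped + spoofed, as the Guard reports it
    received: int     # legitimate + malicious, as the Guard reports it
    dropped: int      # packets identified as malicious and dropped
    replied: int      # packets bounced back to the client (antispoofing/antizombie)
    spoofed: int      # replied packets that were never answered; includes zombie packets
    bits: int         # total bits received


def aggregate(samples: Iterable[GuardCounters]) -> GuardCounters:
    """Sum the counters of all Guards, the way the Global Current Counters/Rates table does."""
    samples = list(samples)
    return GuardCounters(
        legitimate=sum(s.legitimate for s in samples),
        malicious=sum(s.malicious for s in samples),
        received=sum(s.received for s in samples),
        dropped=sum(s.dropped for s in samples),
        replied=sum(s.replied for s in samples),
        spoofed=sum(s.spoofed for s in samples),
        bits=sum(s.bits for s in samples),
    )


def check_invariants(c: GuardCounters) -> List[str]:
    """Return the relationships from Table 11-2 that the snapshot violates (empty when consistent)."""
    problems = []
    if c.received != c.legitimate + c.malicious:
        problems.append("received != legitimate + malicious")
    if c.malicious != c.dropped + c.spoofed:
        problems.append("malicious != dropped + spoofed")
    if c.spoofed > c.replied:
        problems.append("spoofed > replied")
    return problems


def rates(before: GuardCounters, after: GuardCounters, seconds: float) -> Optional[dict]:
    """Derive pps and bps (the two Graph Type units) from two cumulative snapshots.
    Returns None when a counter went backwards, which means a Clear Counters or a
    device reload happened between the snapshots and the interval is not usable."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    if after.received < before.received or after.bits < before.bits:
        return None
    return {
        "legitimate_pps": (after.legitimate - before.legitimate) / seconds,
        "malicious_pps": (after.malicious - before.malicious) / seconds,
        "received_pps": (after.received - before.received) / seconds,
        "bps": (after.bits - before.bits) / seconds,
    }


# Constructed samples from two hypothetical Guards at time T0.
GUARD_A = GuardCounters(legitimate=800, malicious=200, received=1000,
                        dropped=150, replied=60, spoofed=50, bits=8_000_000)
GUARD_B = GuardCounters(legitimate=300, malicious=50, received=350,
                        dropped=40, replied=20, spoofed=10, bits=2_800_000)
SNAPSHOT_T0 = aggregate([GUARD_A, GUARD_B])

# Constructed aggregate ten seconds later.
SNAPSHOT_T1 = GuardCounters(legitimate=2100, malicious=750, received=2850,
                            dropped=590, replied=200, spoofed=160, bits=22_800_000)

# Constructed inconsistent report: received is not legitimate + malicious.
BAD_SAMPLE = GuardCounters(legitimate=800, malicious=150, received=1000,
                           dropped=100, replied=60, spoofed=50, bits=8_000_000)

if __name__ == "__main__":
    print("aggregate:", SNAPSHOT_T0)
    print("problems in BAD_SAMPLE:", check_invariants(BAD_SAMPLE))
    print("rates over 10 s:", rates(SNAPSHOT_T0, SNAPSHOT_T1, 10))
```

A snapshot that fails `check_invariants` is worth a closer look at the device itself before trusting the aggregated display, and a `None` from `rates` is the reason the guide recommends clearing counters only deliberately, before a test session, rather than in the middle of one.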
Clearing the Guard Global Counters
You can clear the counters information that the MDM displays if you are going to perform testing and want to be sure that the counters include information from the testing session only.
To clear the counters, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network summary menu, choose Diagnostics > Counters > Guards Counters. The Counters screen appears.
Step 3
Click Clear Counters. The MDM clears the current counters and the traffic rates.
Displaying the Network Event Log
The MDM automatically creates a log in which it aggregates the various events reported by all of the network devices, which includes the system activity related to the protected zones and to the operations of all the zone devices. The MDM sorts all log entries according to the time stamp that each device assigns to an event. You can display the MDM logs to review and track the activity that the MDM monitors and records.
Note
When you delete a zone from the MDM, the MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone. This includes the cleanup of all zone-related files upon deletion of the zone from the MDM, such as logs and counters.
Each event that the MDM records is assigned one of the severity levels described in Table 11-3.
Table 11-3 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To display the contents of the network event log, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Diagnostics > Event log. The Events screen appears. Use the navigation tool provided above the Events table to scroll through the events.
Step 3
(Optional) Control which events display in the Events table by choosing one of the following options and then clicking Filter Events. The MDM updates the Events table.
• Show all Events—Displays the events of each severity level.
• Show events with severity level—Displays only the events of the severity levels that you select. See Table 11-3 for a description of the various event severity levels.
Displaying the Current Status of all Zones
From the Network Summary screen, you can display a list of the zones currently configured on the device. The zone list includes the current operating status of each zone and whether it is operating in automatic or interactive mode.
To display the list of all the zones configured on the device, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Zones > Zone List. The Zones List screen appears.
Step 3
(Optional) Click Show Active Zones (located above the Zones List table) to display only the active zones. By default, the MDM displays a complete list of the zones configured on the device, whether they are active or inactive. To return to the complete list, click Show All Zones.
Step 4
(Optional) Click a zone name to display the detailed status screen for the selected zone.
From the Zones List screen, you can also add or delete zones. For more information on these functions, see the "Creating a Zone" and "Deleting a Zone" sections in Chapter 5, "Creating and Configuring Zones".
Using the Zone Diagnostic Tools
The MDM provides diagnostic information to assist you in monitoring and troubleshooting zone events.
Note
The rate values that the MDM displays in the maximum (max) and peak columns of the various zone attack reports represent the sum of the maximum rate values that the zone Guard devices experience during the report time period. Because the Guards may have experienced the maximum rates at different times, the displayed values do not necessarily represent the maximum rates experienced by the zone at any given point in time. If the Guards experience the maximum rates at different times, the actual maximum rate experienced by the zone at any point in time would be less than the value that the MDM displays.
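The note above describes an aggregation artifact that is easy to misread when sizing an attack: the max and peak columns add up each Guard's own maximum, so the displayed figure exceeds the real zone peak whenever the Guards peaked in different intervals. The following Python is an added illustration, not code from this guide or from Cisco; it compares the displayed figure with the true per-interval maximum over constructed per-Guard rate series, and the two-Guard zone and its sample values are assumptions for the example only.

```python
from typing import Dict, List


def sum_of_per_guard_max(series_by_guard: Dict[str, List[int]]) -> int:
    """The value the report displays: the sum of each Guard's own maximum rate."""
    return sum(max(series) for series in series_by_guard.values())


def true_zone_max(series_by_guard: Dict[str, List[int]]) -> int:
    """The maximum rate the zone actually experienced at any one point in time:
    the maximum over intervals of the sum of all Guards in that interval.
    The series are assumed to be sampled on the same clock, so they must be the same length."""
    lengths = {len(s) for s in series_by_guard.values()}
    if len(lengths) != 1:
        raise ValueError("per-Guard series must be aligned to the same sample intervals")
    n = lengths.pop()
    return max(sum(s[i] for s in series_by_guard.values()) for i in range(n))


def peak_overstatement(series_by_guard: Dict[str, List[int]]) -> int:
    """How far the displayed figure overstates the real peak; zero when all Guards peak together."""
    return sum_of_per_guard_max(series_by_guard) - true_zone_max(series_by_guard)


# Constructed malicious-rate samples in bps, one per interval, for two hypothetical Guards.
# guard-1 peaks in the second interval, guard-2 in the fourth.
MALICIOUS_BPS = {
    "guard-1": [200, 900, 300, 100, 50],
    "guard-2": [100, 100, 400, 800, 200],
}

# Constructed series in which both Guards peak in the same interval.
ALIGNED_PEAKS = {
    "guard-1": [100, 500, 200],
    "guard-2": [150, 600, 100],
}

if __name__ == "__main__":
    print("displayed max:", sum_of_per_guard_max(MALICIOUS_BPS))
    print("true zone max:", true_zone_max(MALICIOUS_BPS))
    print("overstatement:", peak_overstatement(MALICIOUS_BPS))
```

When the displayed peak is used as an input to capacity or threshold decisions, treat it as an upper bound; the true peak can only be recovered from per-Guard rate samples taken on a common clock, which is what `true_zone_max` assumes it is given.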
This section contains the following topics:
• Displaying the Zone Status Screen
• Displaying the Zone Counters
• Clearing the Zone Counters
• Displaying the Device Status and Device-Specific Counter Information
• Displaying the Zone Event Log
• Displaying the Zone Attacks Summary Report
• Displaying Details of an Attack Report
• Understanding Attack Report Details
• Exporting Zone Attack Reports
• Deleting Attack Reports
• Displaying the HTTP Zombies List
• Displaying the Drop Statistics Table
Displaying the Zone Status Screen
The Zone Status screen (see Figure 11-2) provides a summary of the zone operating status that you select. You can navigate to this screen using one of the following methods:
• From the Zones list in the navigation pane located on the left side of the window, click the zone name.
• From the Network Summary menu, choose Zones > Zone List and then click a zone name.
Figure 11-2 Zone Status Screen
The Zone Status screen is divided into four areas:
• Zone Status bar (see the "Zone Status Bar" section)
• Traffic Rate table (see the "Zone Traffic Rate Statistics and Graph" section)
• Zone Status table (see the "Zone Status Table" section)
• Recent Events table (see the "Zone Recent Events Table" section)
Above the Traffic Rate graph, the MDM displays one or more toggling function buttons. The buttons that display depend on the device types that you assign to the zone and the current activation state of each device type.
• Detect—Displays only when you associate Detectors with the zone and toggles between Detect and Deactivate. Click Detect to activate anomaly detection on all zone Detectors. Click Deactivate to stop anomaly detection.
• Protect—Displays only when you associate Guards with the zone and toggles between Protect and Deactivate. Click Protect to activate zone protection on all zone Guards. Click Deactivate to stop zone protection.
• Deactivate—Displays only when you activate Detect and Protect simultaneously. Click Deactivate to choose the activation state to stop: Detect, Protect, or both.
• Report—Displays only when the zone is active and under attack. Click Report to display the zone attack report.
Zone Status Bar
The zone status bar, which is across the top of the Zone Status screen, provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:
• Name of the zone.
• Manner in which the zone devices perform anomaly detection or zone protection—Indicates whether the devices are operating in automatic or interactive protect mode for the zone. See the "Automatic and Interactive Zone Operation Modes" and "Changing Zone Operation Modes" sections in Chapter 10, "Activating Anomaly Detection and Zone Protection" for information on zone operation mode settings.
• Zone operating state—Indicates the current operating state of the zone. The operating state is divided into two sections: the aggregated state of all Guards and the aggregated state of all Detectors. If only some of the devices of the same device type are in a certain state (for example, Protect), the MDM displays an (S) near the state to indicate a subset of the device type.
The status bar displays the following zone operating states:
    – Inactive—The zone devices are not performing anomaly detection (Detect) or zone protection (Protect).
    – Construct Policies—The zone device that you have selected to learn zone traffic is performing the policy construction phase of the learning process. For information on selecting the zone device to learn traffic, see the "Defining the Tuned State of the Zone and Setting Up Automatic Learning Parameters" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots".
    – Tuning Thresholds—The zone device you have selected to learn zone traffic is performing the threshold tuning phase of the learning process. You can enable this operation together with the Detect and Protect operations. For information on selecting the zone device to learn traffic, see the "Defining the Tuned State of the Zone and Setting Up Automatic Learning Parameters" section in Chapter 9, "Learning Zone Traffic and Taking Snapshots".
    – Under Detection—The zone Detectors are activated and performing anomaly detection.
    – Protected—The zone Guards are activated and performing zone protection.
    – Under Attack—The activated zone devices have detected a traffic anomaly.
• Zone Status icons—Depending on the operating state, one of the following status icons displays for each device type: Inactive, Protect, Detect, or Learning.
• Recommendation icon—Indicates that new dynamic filter recommendations are available. This indication displays only when the zone operation mode is set to interactive. You must respond to the dynamic filter recommendations that the device creates during an attack.
Zone Traffic Rate Statistics and Graph
The Traffic Rate table contains a graph that displays the aggregated traffic rate of all zone Guards over the last 2 hours, measured in bits per second (bps). Also included in the table is statistical information related to the following traffic counters:
• Legitimate rate—Valid, or clean, traffic that the Guards forwarded to the zone. This traffic displays in green in the graph.
• Malicious rate—Attack traffic that was targeting the zone and dropped by the Guards. This traffic displays in red in the graph.
• Master Receive rate—Traffic received by the master device. This field displays only when you have a Detector defined as the master device. This traffic displays in azure in the graph.
Table 11-4 describes the fields that appear below the zone traffic rate graph.
Table 11-4 Field Descriptions for Fields below Zone Traffic Rate Graph
Field | Description
Min | Minimum aggregated traffic rate measured over the last 2 hours in bps.
Max | Maximum aggregated traffic rate measured over the last 2 hours in bps.
Avg | Average aggregated traffic rate measured over the last 2 hours in bps.
Cur | Current aggregated traffic rate in bps.
Zone Status Table
The Zone Status table provides information about the current operation of the zone and contains the following information:
• Active Dynamic filters—Sum of the active dynamic filters created by all of the zone devices. The number of active dynamic filters is greater than 1 when the Guard identifies anomalies in the zone traffic.
Click Active Dynamic filters to view the dynamic filters screen. See the "Managing a Dynamic Filter" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information on dynamic filters.
• Pending Dynamic filters—Sum of the pending dynamic filters on all of the zone devices. The number of pending dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations.
Click Pending Dynamic filters to display the Recommendations screen. See the "Managing a Dynamic Filter" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information on dynamic filters. See the "Managing Device Recommendations for Dynamic Filters" section in Chapter 10, "Activating Anomaly Detection and Zone Protection" for more information on MDM recommendations.
• Proxy usage—(Guard only) Percentage of the proxy ports being used on a per-device port basis. The Guard module can operate at two different bandwidth performance levels: 1 Gigabit per second (Gbps) or 3 Gbps.
• Last attack time—Date and time that the last (and current) attack on the zone was first detected by a device.
• Activation time—Date and time that zone protection was activated.
Zone Recent Events Table
The recent events table displays the reported zone events with a minimum severity level of notify. The MDM also records the events in the zone event log and the Guard event log.
Displaying the Zone Counters
The zone counters enable you to analyze zone-specific traffic information in order to verify the zone status and determine whether or not zone protection is functioning properly. With the exception of the Master Received rate, all displayed counter rates are Guard counter rates (the MDM provides an aggregated display of the counter information that it receives from the various zone Guards). The Master Received rate displays only when you select a Detector as the master device.
You can adjust the period of time that is displayed in the zone counters graph view to see how zone protection is evolving.
Note
When you delete a zone from the MDM, the MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone. This includes the cleanup of all zone-related files upon deletion of the zone from the MDM, such as logs and counters.
To display the zone counter information, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The Zone Counters screen appears.
Step 3
(Optional) Modify the view of the traffic rates graph by checking the check box next to the counters that you want to include in the graph. Click Update Graph. The MDM updates the traffic rate graph.
The MDM can display the following types of traffic counters:
• Legitimate—Legitimate traffic forwarded by the Guards to the zones.
• Malicious—Malicious traffic identified by the Guards. The malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).
• Received—Total amount of traffic received and handled by the Guards. Received packets are the sum of the legitimate traffic and the malicious traffic.
• Dropped—Packets that were identified by the Guards as part of an attack and dropped.
• Replied—Packets to which replies were sent by the Guards to the initiating client as part of the antispoofing or antizombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.
• Spoofed—Packets that were identified by the Guards as Spoofed packets and were not forwarded to the zone. Spoofed packets are Replied (bounced) packets to which no replies were received. Spoofed packets include Zombie packets.
• Master Received—Traffic received by the Detector master device. The MDM displays this field only when the master device is a Detector.
Step 4
(Optional) Modify the period of time that displays in the graph by choosing a period of time from the Graph Period drop-down list. Click Update Graph. The MDM updates the graph.
By default, the Traffic Rates graph displays the legitimate and malicious traffic over the last 2 hours, measured in bits per second (bps). If the zone master device is a Detector, then the graph also displays the Master Receive traffic rate.
Step 5
(Optional) Change the unit of measurement that the MDM uses in the Traffic Rate graph by choosing a unit of measurement from the Graph Type drop-down list. Click Update Graph. The MDM updates the graph.
The units of measurement can be one of the following:
• pps—Packets per second
• bps—Bits per second (the default)
Step 6
(Optional) Click Clear Counters to clear the zone counters. The MDM clears the current counters and the traffic rates. Clear the zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only.
Table 11-5 describes the fields of the Zone Current Counters/Rates graph.
Table 11-5 Field Descriptions for the Zone Current Counters/Rates Graph
Field | Description
Shown in Graph | Status of whether the counter is displayed in the graph.
Counter | Type of available counters.
pps | Current traffic rate destined to the zone, measured in packets per second.
bps | Current traffic rate destined to the zone, measured in bits per second.
A legend that identifies the counters appears below the Traffic Rates graph. The minimum, maximum, and average rates for each counter display for the time period that you select.
Using Zone Counters to Analyze Traffic Flow
You should analyze the traffic flow to determine if traffic is flowing to an active zone and is being analyzed by the zone Detectors and Guards. Follow these guidelines to analyze traffic flow and recognize possible problems:
• The zone devices are active and processing traffic when the Received and Master Received counter rates are greater than zero. A Received rate greater than zero indicates that the zone Guards are processing traffic and performing zone protection. A Master Receive rate greater than zero indicates that the Detector master device is processing traffic and performing anomaly detection. The Master Receive rate displays only when the master device is a Detector.
• When the zone contains Guards, the zone is under attack when the Malicious counter rate is greater than zero. This counter rate is the aggregated count of the zone Guards that are mitigating the attack. To verify that the zone is under attack, display the zone summary screen to see if the Guards are producing dynamic filters to handle the attack (see the "Displaying the Zone Status Screen" section).
When the zone contains Detectors only and you want to verify that the Detectors are responding to an attack, you must display the zone summary screen to see if the Detectors are producing dynamic filters to handle the attack (see the "Displaying the Zone Status Screen" section).
The MDM also allows you to display individual device status and counter rate information to help isolate problems (see the "Displaying the Device Status and Device-Specific Counter Information" section).
Based on your experience and knowledge of the network traffic, you should follow these guidelines:
• If there are dropped packets, you should verify if a trusted source IP address is blocked by a dynamic filter created by the Guards. You can configure the traffic from that particular source IP address to bypass the Guard functions (see the "Managing a Bypass Filter" section in Chapter 6, "Managing Zone Filters"). You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
• If a policy has produced dynamic filters that drop too many IP flows, you should verify if filters are blocking flows from source IP addresses that seem legitimate but are sending traffic at rates above the thresholds. You can increase the policy threshold or prevent the policy from producing additional dynamic filters by deactivating the policy. See Chapter 8, "Managing Zone Policies," for information about configuring the zone policies. You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
• If you activate Protect and the Guards do not receive the packets destined to the zone (Received counter = 0), look for a traffic diversion problem that is preventing the Guards from receiving network traffic.
• If the Guards receive and block all of the zone traffic, the Guards may be dropping traffic because they falsely identified the traffic as malicious. Check if the Received rate is greater than zero and Legitimate is equal to zero over a period of time (see Figure 11-3).
Scan the dynamic filters that the Guards produced for a drop-action filter and do the following:
    – Delete the drop-action dynamic filter.
    – Deactivate the policy that produced the drop-action dynamic filter. If you do not take this action, the drop-action filter reappears when you delete the dynamic filter because the Guard continues to identify the traffic as malicious. See Chapter 8, "Managing Zone Policies," for information about configuring the zone policies. You must modify the zone configuration and synchronize the zone (if enabled) while the zone is inactive. Reactivate the zone after making the required modifications.
Figure 11-3 Problem Analysis for Received Traffic: Rcv >0, Legitimate = 0
Caution 
When you deactivate a policy, you may compromise zone protection because the Guards cannot apply the policy to the traffic flow.
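The guidelines in "Using Zone Counters to Analyze Traffic Flow" reduce to a handful of conditions on the Received, Legitimate, Malicious and Master Received rates, and they are easier to apply consistently (for instance against counter rates collected over several graph intervals) when written down as checks. The following Python is an added example, not code from this guide or from Cisco; the sample dicts, their key names and the `protect_active` flag are assumptions of the example, not MDM API names, and the rate samples are constructed. It goes slightly beyond the text by requiring the "Received > 0, Legitimate = 0" condition of Figure 11-3 to hold over several consecutive intervals, so that a single quiet interval does not trigger it.

```python
from typing import Dict, List, Optional

# One sample per graph interval: counter rates in pps as the Zone Counters screen shows them.
# master_received is None when the master device is a Guard (the MDM then shows no such rate).
ZoneSample = Dict[str, Optional[int]]


def zone_processing_traffic(sample: ZoneSample) -> Dict[str, bool]:
    """Received > 0 means the zone Guards are processing traffic and performing zone protection;
    Master Received > 0 means a Detector master is processing traffic and performing detection."""
    master = sample.get("master_received")
    return {
        "guards": sample["received"] > 0,
        "detector_master": master is not None and master > 0,
    }


def under_attack(sample: ZoneSample) -> bool:
    """When the zone contains Guards, Malicious > 0 means the Guards are mitigating an attack."""
    return sample["malicious"] > 0


def diversion_problem(sample: ZoneSample, protect_active: bool) -> bool:
    """Protect is active but Received = 0: the Guards are not receiving the zone's traffic."""
    return protect_active and sample["received"] == 0


def all_traffic_dropped(samples: List[ZoneSample], min_consecutive: int = 3) -> bool:
    """Received > 0 and Legitimate = 0 over a period of time (Figure 11-3): the Guards may be
    dropping traffic they falsely identified as malicious. The condition must hold for
    min_consecutive intervals in a row before it is reported."""
    streak = 0
    for s in samples:
        if s["received"] > 0 and s["legitimate"] == 0:
            streak += 1
            if streak >= min_consecutive:
                return True
        else:
            streak = 0
    return False


def analyze(samples: List[ZoneSample], protect_active: bool) -> List[str]:
    """Apply every guideline and return the findings, each pointing at the next screen to check."""
    latest = samples[-1]
    findings = []
    if diversion_problem(latest, protect_active):
        findings.append("no traffic received: check the traffic diversion to the Guards")
    elif under_attack(latest):
        findings.append("malicious rate > 0: zone under attack, check the dynamic filters on the Zone Status screen")
    if all_traffic_dropped(samples):
        findings.append("received > 0 and legitimate = 0: look for a drop-action dynamic filter and its policy")
    return findings


# Constructed samples: traffic keeps arriving but none is forwarded for three intervals.
SAMPLES_ALL_DROPPED: List[ZoneSample] = [
    {"received": 500, "legitimate": 500, "malicious": 0, "master_received": None},
    {"received": 520, "legitimate": 0, "malicious": 520, "master_received": None},
    {"received": 510, "legitimate": 0, "malicious": 510, "master_received": None},
    {"received": 530, "legitimate": 0, "malicious": 530, "master_received": None},
]

# Constructed sample: Protect is active but nothing reaches the Guards.
SAMPLES_DIVERSION: List[ZoneSample] = [
    {"received": 0, "legitimate": 0, "malicious": 0, "master_received": None},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLES_ALL_DROPPED, protect_active=True):
        print("-", finding)
```

The checks deliberately stop at pointing to the next MDM screen (dynamic filters, policies, the device list) rather than taking any action, since the guide's remedies, deleting a drop-action filter or deactivating its policy, reduce zone protection and are a decision for the operator.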
Clearing the Zone Counters
You can clear the zone counters if you are going to perform testing and want to be sure that the counter rates include information from the testing session only.
To clear the zone counters, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Counters > Zone Counters. The zone Counters screen appears.
Step 3
Click Clear Counters. The MDM clears the current zone counters display.
Displaying the Device Status and Device-Specific Counter Information
While the zone status page provides an aggregated view of the zone device counters, you can also view the detailed status and counter information for each individual zone device.
To display device-specific counter information, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Configuration > General. The General Configuration screen appears.
Step 3
Scroll down to the Device List table to display the status and counter information for each zone device (see Table 11-6).
Table 11-6 describes the fields of the Device List table.
Table 11-6 Field Descriptions for the Device List Table
Field | Description
Hostname | Hostname of the zone device.
Type | Type of the zone device.
State | Connection status between the MDM and the device. The connection status is one of the following states:
    • Connected—The MDM can communicate with the device.
    • Disconnected—The MDM cannot communicate with the device. This state may be caused by one of the following reasons:
        – You suspended communication with the device.
        – The MDM is currently initializing the device.
        – A communication failure exists in the network.
    To troubleshoot this problem, open the MDM device list (Main > Devices List) from the Network Summary menu to display more detailed connection status information (see the "Adding a Device to the MDM Device List" section in Chapter 3, "Managing Devices on the MDM Network").
#DF | Number of dynamic filters that the device created and are currently active. Because the device creates a dynamic filter only when it detects an anomaly, a #DF value greater than zero indicates that the device is currently handling an attack on the zone.
#PF | Number of pending dynamic filters that the device has queued and is waiting for your input. The number of pending dynamic filters is greater than 1 when the zone is operating in interactive protect mode and there are new recommendations.
Legitimate Rate | Current rate of legitimate traffic (in bps) forwarded by the device to the zones.
Malicious Rate | Current rate of malicious traffic (in bps) that the device is handling.
Displaying the Zone Event Log
The MDM automatically logs system activity and events that occur across all of the zone devices. You can display the MDM logs to review and track the zone activity.
Note
When you delete a zone from the MDM, the MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone. This includes the cleanup of all zone-related files upon deletion of the zone from the MDM, such as logs and counters.
Table 11-7 describes the zone event severity levels.
Table 11-7 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
To display the contents of the zone event log, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Event log. The zone Events screen appears.
Step 3
(Optional) Control which events display in the events table by using one of the following methods, and then click Filter Events:
• Show all Events—Displays the events of every severity level.
• Show events with severity level—Displays only the events of the severity levels that you choose (see Table 11-7).
The MDM updates the events table.
Displaying the Zone Attacks Summary Report
The MDM provides a high-level summary report of the attacks for each zone. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. When you request the attack summary report, the MDM creates the report from attack information that it gathers from the zone devices. The report provides information about the total number and intensity of the attacks with a short summary for each attack. The MDM also presents the attack data in a graph format.
To display the zone attacks summary report, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone main menu appears.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks summary screen appears. By default, the report displays attack information for the last month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then choose a date from the calendar popup.
The Attack Summary Report screen contains the following areas:
• Protection Graph—Provides a graphical summary of the attacks during the period of time that you defined (see Figure 11-4).
Figure 11-4 Zone Protection Summary Report—Protection Graph
The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate displays.
To display the attack details, click the attack bar in the graph to open the attack report (see the "Displaying Details of an Attack Report" section).
• Total Attacks Statistics table—Provides information about the number of attacks on the zone and the aggregated attack details during the period of time that you defined.
Table 11-8 describes the fields in the Total Attack Statistics table.
Table 11-8 Field Descriptions for Total Attack Statistics Table
Field | Description
Attacks Mitigated | Number of attacks mitigated.
Attacks Duration | Aggregated duration of the mitigated attacks.
Max. Traffic Rate | Estimated maximum rate of malicious traffic destined to the zone.
Total Rx | Total amount of traffic that the Guards received that was destined to the zone.
Total Blocked | Total amount of traffic destined to the zone that the Guards dropped.
Legitimate vs. Malicious Traffic | Pie chart display of the percentage of the malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total zone traffic.
• Per Attack Summary Table—Provides a table with a list of the DDoS attacks on the zone during the period of time that you defined. You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting Attack Reports" section) or export the contents of an attack report (see the "Exporting Zone Attack Reports" section).
To display attack details, click in any of the rows of the Per Attack Summary table (see the "Displaying Details of an Attack Report" section).
Table 11-9 describes the fields in the columns of the Per Attack Summary table.
Table 11-9 Field Descriptions for the Per Attack Summary Report
Field | Description
# | Identification number (ID) that the device assigns to the mitigated attack. The MDM displays a value of Curr for an ongoing attack.
Device Name | Name that you assigned to the device using the CLI.
Start time | Date and time of the mitigated attack.
Duration | Duration of the mitigated attack in hours, minutes, and seconds.
Type | Type of mitigated attack. Possible values are as follows:
• Client Attack—All nonspoofed traffic anomalies.
• Malformed Packets—All traffic anomalies identified as consisting of maliciously malformed packets.
• Spoofed—Traffic anomalies identified as a DDoS attack from a spoofed source.
• User Defined—All anomalies handled by the user filters. These user filters can be either the default filters or filters that you configure.
• Zombie—Traffic anomalies identified as having originated from zombies.
• Hybrid—An attack made up of several attacks with different characteristics.
• Traffic Anomaly—An anomaly that was only detected for a short period of time and did not require mitigation.
Peak (pps) | Estimated maximum attack rate measured in packets per second.
Received Pkts | Total number of packets destined to the zone that were handled by the Guards during the attack.
Legitimate vs. Malicious Traffic | Pie chart that displays the percentage of malicious traffic (displayed in red) and legitimate traffic (displayed in blue) in the total traffic during the attack.
• Subzone Reports—Provides a list of subzones. Subzones are zones that a Guard creates to protect a partial zone (a zone that does not include the complete IP address range of the source zone). To display the attack reports of the subzone, click the subzone name. For more information about subzones, see the "Understanding Subzones Created by the Guard" section in Activating Anomaly Detection and Zone Protection.
Note
The Guard deletes the subzone when protection for the subzone ends. The MDM saves the associated subzone syslogs in the parent zone's network event log (see the "Displaying the Zone Event Log" section) and saves the attack reports in the parent zone's attacks summary page.
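As an added example that is not part of this guide, the following Python code reconstructs the Total Attack Statistics fields of Table 11-8 from Per Attack Summary rows like those of Table 11-9, applying the Period from/to filter of the Attack Summary screen. The rule for counting an attack as mitigated, the dropped-packet column, and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AttackRecord:
    """One row of the Per Attack Summary table (Table 11-9); values are constructed."""
    attack_id: str       # device-assigned ID, or "Curr" for an attack still in progress
    device_name: str
    start_time: datetime
    duration: timedelta
    attack_type: str     # one of the Type values listed in Table 11-9
    peak_pps: int        # Peak (pps): estimated maximum attack rate
    received_pkts: int   # Received Pkts handled by the Guards during the attack
    dropped_pkts: int    # malicious share of received_pkts (assumed; not a Table 11-9 column)

def total_attack_statistics(records, period_from, period_to):
    """Aggregate per-attack rows into the Total Attack Statistics fields of Table 11-8.
    Assumed, not stated on the page: an attack is mitigated only once finished (ID is not
    "Curr") and not a short-lived Traffic Anomaly; Max. Traffic Rate is the largest
    Peak (pps) of any attack in the period, ongoing ones included."""
    # Period from/to filter of the Attack Summary screen, inclusive on both ends
    rows = [r for r in records if period_from <= r.start_time <= period_to]
    mitigated = [r for r in rows
                 if r.attack_id != "Curr" and r.attack_type != "Traffic Anomaly"]
    total_rx = sum(r.received_pkts for r in rows)
    total_blocked = sum(r.dropped_pkts for r in rows)
    malicious_pct = round(100.0 * total_blocked / total_rx, 1) if total_rx else 0.0
    return {
        "attacks_mitigated": len(mitigated),
        "attacks_duration": sum((r.duration for r in mitigated), timedelta()),
        "max_traffic_rate_pps": max((r.peak_pps for r in rows), default=0),
        "total_rx": total_rx,
        "total_blocked": total_blocked,
        "malicious_pct": malicious_pct,                     # red slice of the pie chart
        "legitimate_pct": round(100.0 - malicious_pct, 1),  # blue slice
        "ongoing": [r.device_name for r in rows if r.attack_id == "Curr"],
    }

# Constructed sample rows; device names and figures are invented for this example.
SAMPLE_RECORDS = [
    AttackRecord("1", "guard-a", datetime(2024, 3, 1, 10, 0), timedelta(minutes=30),
                 "Spoofed", 120_000, 50_000_000, 45_000_000),
    AttackRecord("2", "guard-b", datetime(2024, 3, 5, 14, 0), timedelta(hours=1, minutes=15),
                 "Zombie", 80_000, 20_000_000, 12_000_000),
    AttackRecord("3", "guard-a", datetime(2024, 3, 7, 9, 30), timedelta(minutes=2),
                 "Traffic Anomaly", 5_000, 1_000_000, 0),
    AttackRecord("Curr", "guard-b", datetime(2024, 3, 20, 8, 0), timedelta(minutes=10),
                 "Client Attack", 30_000, 4_000_000, 2_000_000),
    AttackRecord("4", "guard-a", datetime(2024, 1, 15, 0, 0), timedelta(minutes=5),
                 "Malformed Packets", 9_000, 2_000_000, 1_500_000),  # outside the period
]

def sample_statistics():
    """Aggregate the sample rows for a Period from/to of 1 to 31 March 2024."""
    return total_attack_statistics(SAMPLE_RECORDS, datetime(2024, 3, 1), datetime(2024, 3, 31))
```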
Displaying Details of an Attack Report
The MDM allows you to display details of an attack report. The MDM begins generating the attack report when there are indications of an attack, such as the existence of malicious traffic counter rates or the production of the first dynamic filters. The report ends when zone protection is terminated by a user decision or by the action of a timeout parameter.
The MDM gathers the attack information from the zone devices and organizes the data into categories. You can display the details of past and current attacks.
This section contains the following topics:
• Displaying Report Details of a Past Attack
• Displaying Details of a Current Attack
• Displaying an IP Summarization Report (Guard-only Function)
Displaying Report Details of a Past Attack
To display the report details of a past zone attack, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears, displaying attack information for the past month.
Step 3
(Optional) Change the period of time of the attack report by entering the period of time that you want to display in the Period from and to dates. Click Get Reports. You can enter the dates manually or click the calendar icon at the right of each date field and then choose a date from the calendar popup.
Step 4
Display details of the attack report by using one of the following methods:
• Click the attack bar in the Protection Graph.
• Click any of the fields for the attack listed in the Per Attack Summary table.
Displaying Details of a Current Attack
When an attack on a zone is in progress, the MDM displays a Report function button on the zone's status screen.
To view the current attack report of a zone, follow these steps:
Step 1
Choose a zone under attack from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Use one of the following methods to display the report of the current attack on the zone:
• On the zone status screen, click Report.
• Choose Diagnostics > Attack Reports > Attack Summary from the zone menu, and then click any of the fields of the attack in progress in the Per Attack Summary table. The MDM displays a value of Curr for the identification number (#) of an ongoing attack.
Displaying an IP Summarization Report (Guard-only Function)
The IP summarizations sections of the report provide lists of spoofed and non-spoofed source IP addresses obtained from the attack report from each zone Guard. The IP summarizations report consists of the following two sections:
• Replied IP Summarizations (attack start)
• Replied IP Summarizations (overall attack summary)
The Guard provides an attack report for every zone that provides zone status information and details of the attack, starting with the production of the first dynamic filter and ending with protection termination. If you do not have any Guards associated with the zone, this report will not display.
Note
The automatic packet-dump feature must be enabled on the zone Guards to view the IP summarizations report on the MDM.
You can review the two sections of the IP summarizations report in the MDM to determine if the source location of an attack in a specific zone changed during the attack time period, beginning from one location at the start of the attack and then shifting to other subnets during the attack.
The MDM receives the IP summarization information as part of the attack report that it retrieves from the different Guards, enabling you to determine the source of a spoofed attack. The MDM displays this information in the zone attack report under the heading Replied IP Summarization (see the "Replied IP Summarizations (Guard-Only Function)" section).
To ensure accurate replied IP summarization results, leave the packet dump capture function enabled for the full length of the attack on the zone (see Table 5-7 in the "Modifying the Zone General Configuration Attributes" section). The MDM displays the replied IP summarization information received from the Guard's attack report only when you have the automatic packet-dump feature enabled. If you disable the packet-dump capture function during the attack, the replied IP summarization information may not display, may be inaccurate, or may not exist. The Guard can display replied IP summarization information in the attack report only when you have the packet-dump automatic capture function enabled (no replied IP summarization information displays for manually activated packet-dump captures).
Note
The IP summarization process is resource consuming. When resources become low, the Guard suspends the process and issues a log message that appears in the zone log. The capture XML file will contain a status attribute stating that the capture file has no IP summarization information due to a failure.
When a zone is the victim of a large-scale spoofed attack, the subnets that the attacker uses will most likely appear in the IP summarization results. The results may also contain nonspoofed IP addresses because the Guard performs IP summarization on all traffic that passes through the anti-spoofing processes (replied traffic). Because the Guard performs only one authentication every few minutes for nonspoofed traffic but continuously attempts to authenticate spoofed traffic, spoofed IP addresses appear more frequently in the IP summarizations.
The Replied IP Summarizations sections are the only attack report sections received from the Guards that provide spoofed IP address information. The IP addresses of nonspoofed attacks, however, may also appear in the mitigation action section because these packets are dropped by dynamic filters.
To display the Replied IP Summarization sections, retrieved from each Guard, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
From the zone main menu, choose Diagnostics > Attack Reports > Attack Summary. The Attacks Summary screen appears, displaying attack information for the past month.
Step 3
Select the remote Guard from which you want to view the IP summarizations report on the MDM.
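The comparison described above, between the attack-start and overall-attack summarizations, as an added example that is not part of this guide: the Python code below collapses replied source addresses into /24 subnets, ranks them by how often they appear (the page notes that spoofed sources are re-authenticated continuously and so appear more often), and reports subnets that show up only later in the attack. The address lists are constructed from the RFC 5737 documentation ranges; the Guard's actual report format is not assumed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

def summarize_sources(addresses, prefixlen=24):
    """Collapse replied source addresses into subnets and count how often each appears.
    Spoofed sources are re-authenticated continuously, so a high count is a rough
    spoofed-versus-nonspoofed signal (see the text above)."""
    counts = Counter()
    for addr in addresses:
        counts[ip_network(f"{ip_address(addr)}/{prefixlen}", strict=False)] += 1
    return counts

def source_shift(start_addresses, overall_addresses, prefixlen=24):
    """Compare the attack-start summarization with the overall-attack summarization.
    Returns (subnets seen at the start, subnets that appear only later, overall subnets
    ranked by frequency); a non-empty second set means the attack source shifted."""
    start = summarize_sources(start_addresses, prefixlen)
    overall = summarize_sources(overall_addresses, prefixlen)
    shifted = {net for net in overall if net not in start}
    ranked = [str(net) for net, _ in overall.most_common()]
    return {str(n) for n in start}, {str(n) for n in shifted}, ranked

# Constructed sample lists (RFC 5737 documentation ranges); not real attack data.
ATTACK_START = ["203.0.113.10", "203.0.113.77", "203.0.113.10", "198.51.100.5"]
OVERALL = ATTACK_START + ["203.0.113.200", "192.0.2.15", "192.0.2.16", "192.0.2.15",
                          "192.0.2.99", "198.51.100.5"]

def sample_shift():
    """Run the comparison over the constructed lists."""
    return source_shift(ATTACK_START, OVERALL)
```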
Understanding Attack Report Details
This section contains the following topics:
• General Attack Information
• Attack Statistics
• Dropped/Bounced Packets
• Detected Anomalies
• Displaying Details of Detected Anomalies
• Mitigated Attacks
• Displaying Mitigated Attack Details
• Replied IP Summarizations (Guard-Only Function)
• HTTP Detected Zombies
General Attack Information
The first section of the attack report provides information about the timing of the attack, which includes when the attack started, when it ended, and how long it lasted.
To display additional report details, click i or Show details for all events.
All counters are integers except for the rate. You can select the statistics unit of measurement from the general attack information area of the screen.
To change the statistic unit of measurement, choose the desired units to use from the Statistics units drop-down list and then click Set units. The MDM updates the display.
Attack Statistics
The attack statistics table provides information about the following packet types:
• Received—Traffic received by the Guards destined to the zone.
• Forwarded—Legitimate traffic that the Guards forwarded to the zone.
• Replied—Traffic sent to the client as part of the Guards' antispoofing and antizombie features.
• Dropped—Total number of packets destined to the zone and dropped by the Guards.
Table 11-10 describes the information for each packet type.
Table 11-10 Attack Statistics
Field | Description
Total | Total number of packets in the category.
Estimated Max Rate | Estimated maximum packet rate that was measured by the devices.