
Alarm Category: DDoS

Use Case Abstract


Customer situation
In a distributed denial-of-service (DDoS) attack, multiple compromised computer systems attack a target, such as a server,
website, or other network resource by flooding it with incoming messages, connection requests, or malformed packets. This
increased traffic forces the system to slow down or even crash and shut down, thereby denying service to legitimate users
or systems.

Solution
The Cisco Stealthwatch® Security Insight Dashboard has two alarm categories dedicated to detecting DDoS attacks:

• High DDoS Source Index: Indicates a DDoS source has been identified.

• High DDoS Target Index: Indicates a DDoS target has been identified.

As Stealthwatch collects network telemetry, it gains visibility into all host-to-host communications across the network. It
then evaluates the collected data against security criteria and, when those criteria are met, triggers the security events
associated with these two DDoS alarms.

Minimum requirements
The Cisco Stealthwatch system configuration minimum requirements are:

• Visibility of all host-to-host traffic from the core/distribution

• Stealthwatch Release 6.8 or greater


Security Events and Alarm Categories


Specific types of security events contribute index points to a particular type of alarm. Some security events contribute to
multiple alarm categories. An alarm is generated based on the type of security event that occurs. Alarms are grouped into
one or more alarm categories based on type.

The tables list security events that are associated with the DDoS alarms and the number of default points that are assigned
to the alarm category when the security event occurs.

High DDoS Source Index

Name of security event      Number of points assigned by default
Half Open Attack            Based on observed flow
ICMP Flood                  Based on observed flow
Packet Flood                Based on observed flow
Slow Connection Flood       3000
SYN Flood                   Based on observed flow
UDP Flood                   Based on observed flow

High DDoS Target Index

Name of security event                       Number of points assigned by default
Connection From Bogon Address Attempted      100
Connection From Bogon Address Successful     1000
Half Open Attack                             3000
ICMP Received                                Based on observed flow
Max Flows Served                             Based on observed flow
New Flows Served                             Based on observed flow
Packet Flood                                 Based on observed flow
Slow Connection Flood                        3000
SYNs Received                                Based on observed flow
UDP Received                                 Based on observed flow

Here is a closer look at some of the key events for the DDoS alarm categories:

• Slow Connection Flood: A host initiates multiple connections to a target with a very low packet rate. The goal is to
keep connections open while using minimal bandwidth. Because this type of application denial-of-service (DoS)
attack can render a service unavailable with so little bandwidth, a vulnerable host is easier to attack and the attack is
often more difficult to detect.

• Packet Flood: The source host sends an excessive number of short packets to the target host. This security event
is typically the result of brute-force attacks, DoS attacks, or malfunctioning network applications.

• Half Open Attack: A half open attack can be an attempt to exhaust either bandwidth or connection handlers
because it opens connections but never completes them. This type of DoS attack forces the victim host to hold the
malicious connections open until they time out.
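The following is an added example, not Cisco's code or the Stealthwatch scoring algorithm. It accumulates index points per host for the two DDoS alarm categories using the default point values from the tables above, and illustrates how one event (for example Slow Connection Flood) contributes to both categories. Events listed as "Based on observed flow" have no fixed value in the tables, so this example assigns them an assumed per-flow weight; the alarm threshold that corresponds to an index of 100% is also an assumption, and the event records are constructed.

```python
"""Added example: per-host DDoS index accumulation from security events.

Point values with a number come from the tables in this document; None marks
"Based on observed flow".  FLOW_BASED_POINTS_PER_FLOW and ALARM_THRESHOLD are
assumptions made for this example only.
"""
from collections import defaultdict

SOURCE_INDEX_POINTS = {
    "Half Open Attack": None,
    "ICMP Flood": None,
    "Packet Flood": None,
    "Slow Connection Flood": 3000,
    "SYN Flood": None,
    "UDP Flood": None,
}

TARGET_INDEX_POINTS = {
    "Connection From Bogon Address Attempted": 100,
    "Connection From Bogon Address Successful": 1000,
    "Half Open Attack": 3000,
    "ICMP Received": None,
    "Max Flows Served": None,
    "New Flows Served": None,
    "Packet Flood": None,
    "Slow Connection Flood": 3000,
    "SYNs Received": None,
    "UDP Received": None,
}

FLOW_BASED_POINTS_PER_FLOW = 10   # assumed weight for "Based on observed flow" events
ALARM_THRESHOLD = 10000           # assumed: an index of 100% equals this many points


def event_points(table, event, flows=1):
    """Points an event adds to one category; flow-based events scale with flow count."""
    if event not in table:
        return 0                  # event does not feed this category at all
    fixed = table[event]
    return fixed if fixed is not None else FLOW_BASED_POINTS_PER_FLOW * flows


def build_indexes(events):
    """events: iterable of (source_ip, target_ip, event_name, flows).

    Returns ({source_ip: points}, {target_ip: points}).  An event is credited to
    the source host under the Source Index and to the target host under the
    Target Index, so events present in both tables raise both indexes.
    """
    source_index = defaultdict(int)
    target_index = defaultdict(int)
    for src, dst, name, flows in events:
        source_index[src] += event_points(SOURCE_INDEX_POINTS, name, flows)
        target_index[dst] += event_points(TARGET_INDEX_POINTS, name, flows)
    return dict(source_index), dict(target_index)


def index_percent(points):
    """Express accumulated points as a percentage of the (assumed) alarm threshold."""
    return round(100 * points / ALARM_THRESHOLD)


def alarms(events):
    """Hosts whose index reached the threshold, with their index percentage."""
    src, dst = build_indexes(events)
    return {
        "High DDoS Source Index": {h: index_percent(p) for h, p in src.items()
                                   if p >= ALARM_THRESHOLD},
        "High DDoS Target Index": {h: index_percent(p) for h, p in dst.items()
                                   if p >= ALARM_THRESHOLD},
    }


# Constructed sample: outside hosts sending SYNs to an internal DNS server,
# plus one internal host opening slow connections to another internal host.
SAMPLE_EVENTS = [
    ("203.0.113.7", "10.10.30.15", "SYNs Received", 600),
    ("203.0.113.8", "10.10.30.15", "SYNs Received", 500),
    ("198.51.100.4", "10.10.30.15", "Half Open Attack", 1),
    ("10.10.20.5", "10.10.30.40", "Slow Connection Flood", 1),
]

if __name__ == "__main__":
    for category, hosts in alarms(SAMPLE_EVENTS).items():
        print(category, hosts)
```

With the constructed events, only the DNS server 10.10.30.15 crosses the assumed threshold (14000 points, shown as 140%), while the Slow Connection Flood raises both the source and target index of the hosts involved by 3000 points each without triggering an alarm on its own.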


More information on alarm categories and the associated security events is in the Stealthwatch Help documentation from
the Stealthwatch Management Console (SMC) Desktop Client and the SMC Web User Interface (UI).


Investigating DDoS Activity


The SMC Web UI offers a comprehensive tool for investigating DDoS activity: the Security Insight Dashboard. This section
shows a typical investigation using the dashboard.

On the Security Insight Dashboard, you will see the alarm categories listed across the top. This view shows the number of
hosts that have generated events in each category. This figure shows that one host has generated a DDoS event.

Click the DDoS Target category to generate a report that shows the host that triggered the event and information such as
the host IP address and host group.

Note that this host has a DDoS target index value of 131%. Click the percentage to get more information.

The following widgets display:

• Application Traffic: Shows the applications that were used during this DDoS attack.

• Summary of Targets: Shows the target hosts.

• Alarm: Shows alarm information such as why the alarm was triggered, as displayed in the details.


Click the link in the Details column in the Alarm widget.

Information on the security event that triggered this alarm displays.

The Security Event Details widget shows that host 10.10.30.15 triggered the security event called SYNs Received. Click
View Flows to get information on the associated flows for this event.

A Flow Search window displays and shows all criteria automatically populated. Because SYN floods from internal hosts are
probably due to misconfiguration, editing the search to include the outside host group as the peer will yield only flows
coming from external sources.

Click Search to display the results.


The results show default information about the attack. We can see where multiple outside hosts are attempting to
communicate with the internal DNS server. To see more information, add columns to the results. Click Manage Columns
and select the additional fields as desired.

For this example, we selected the Connection TCP Connections column to show how many TCP connections were
completed. A zero indicates that no connection was established, meaning that these were probably SYN packets with no
response.


The Connection TCP Connections column shows all zeros, indicating that these were all SYN packets, and suggesting that
a SYN flood attack was attempted on the DNS server.
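The following is an added example, not Cisco's code or part of Stealthwatch. It reproduces the triage logic of the walkthrough above on constructed flow records: keep only flows toward the target whose peer is in the Outside Hosts group, count how many of them show zero completed TCP connections, and report the internal zero-connection flows separately, since the text treats those as likely misconfiguration. The record layout, the inside address range and the decision thresholds are assumptions made for this example.

```python
"""Added example: triage of Flow Search results for a suspected SYN flood.

Each record mirrors the columns used in the walkthrough (peer host, subject host,
port, Connection TCP Connections); the layout itself is an assumption.
"""
import ipaddress

# Assumed: the Inside Hosts group; anything else is treated as Outside Hosts.
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def host_group(ip):
    """Classify an address as Inside Hosts or Outside Hosts."""
    addr = ipaddress.ip_address(ip)
    return "Inside Hosts" if any(addr in net for net in INSIDE_NETWORKS) else "Outside Hosts"


def triage(flows, target, min_outside_peers=3, min_no_handshake_ratio=0.8):
    """Summarise flows toward `target` the way the walkthrough reads the search results.

    A SYN flood is suspected when most outside flows toward the target never
    completed a TCP connection and they come from several distinct outside peers.
    The two thresholds are assumptions for this example.
    """
    toward = [f for f in flows if f["subject"] == target]
    outside = [f for f in toward if host_group(f["peer"]) == "Outside Hosts"]
    inside = [f for f in toward if host_group(f["peer"]) == "Inside Hosts"]

    # "Connection TCP Connections" of zero: SYN seen, handshake never completed.
    no_handshake = [f for f in outside if f["tcp_connections"] == 0]
    distinct_peers = {f["peer"] for f in no_handshake}
    ratio = len(no_handshake) / len(outside) if outside else 0.0

    return {
        "outside_flows": len(outside),
        "outside_no_handshake": len(no_handshake),
        "distinct_outside_peers_no_handshake": len(distinct_peers),
        # Internal hosts with no handshake are reported but not scored: per the
        # walkthrough they are more likely misconfiguration than an attack.
        "inside_no_handshake": sum(1 for f in inside if f["tcp_connections"] == 0),
        "syn_flood_suspected": (ratio >= min_no_handshake_ratio
                                and len(distinct_peers) >= min_outside_peers),
    }


# Constructed sample flows toward the internal DNS server 10.10.30.15 (port 53)
# and one unrelated internal flow.
SAMPLE_FLOWS = [
    {"peer": "203.0.113.7",  "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "203.0.113.8",  "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "203.0.113.9",  "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "198.51.100.4", "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "198.51.100.4", "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "192.0.2.20",   "subject": "10.10.30.15", "port": 53,  "tcp_connections": 1},
    {"peer": "10.10.20.5",   "subject": "10.10.30.15", "port": 53,  "tcp_connections": 0},
    {"peer": "10.10.20.5",   "subject": "10.10.30.40", "port": 443, "tcp_connections": 3},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS, "10.10.30.15").items():
        print(f"{key}: {value}")
```

On the constructed records, five of the six outside flows toward the DNS server show zero completed connections from four distinct outside peers, which the example reports as a suspected SYN flood; the single internal zero-connection flow is listed separately for a configuration check rather than counted toward that verdict.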

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING
ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESSED, IMPLIED,
STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL
IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING
FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
