For feedback and comments:
documentation.feedback@alcatel-lucent.com

Table of Contents Previous Next PDF


Threat Management Service
In This Section
This section describes how to configure the Threat Management Service applications.
Topics include:
TMS Service Introduction
The ISA-TMS supports routed redirect mode on IOM3, which means that traffic based on destination IP address (under attack) is filtered (scrubbed) by a variety of DDoS filtering rules provided by 3rd party code from Arbor Networks.
When a DDoS attack is detected by the Arbor Networks CP (based on cflowd counters) a notification is send to the 7750 SR CPM. This is the trigger for the 7750 SR CPM to attract the traffic under attack via the advertisement of a route with prefix the destination IP address under attack and with next-hop the scrubber. This process is called off-ramping.
At that point all destination traffic to the IP address under attack is forwarded to the 7750 SR where:
Configuration Guidelines and Example
 
TMS Image Location
The TMS images should be stored in the same location as the other images (cpm.tim, iom.tim, etc). This is to where the BOF points.
The name of the file is peakflow-tms.tim
 
Configuration Example For TMS Interfaces on the SR OS
configure service vprn 1
tms-interface "mda-1-1" create
address 20.folk.43/32
description "tms-1-1"
port 1/1
password "password=arbor zone-secret=admin"
exit
exit
 
configure router
interface "itfToArborCP"
address 10.12.0.1/24
port 3/2/4
exit
exit
 
configure router policy-options
policy-statement "exporttmsgrt"
entry 1
from
protocol vpn-leak
exit
action accept
exit
exit
entry 2
from
protocol tms
exit
action accept
exit
exit
exit
exit
 
 
Follow the usage guidelines listed below:
Use mda-type isa-tms
         *A:Dut-C# show router route-table 20.12.0.43/32 
 
===============================================================================
Route Table (Router: Base)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
20.12.0.43/32 Remote Static 00h08m49s 5
vprn1:mda-1-1 1
-------------------------------------------------------------------------------
Use a TMS cluster which holds the relevant isa-tms’ Administration> Mitigation> TMS-ISA Clusters
Put the TMS cluster in a TMS group Administration> Mitigation> TMS Groups
Use the TMS Group in the mitigation rule (Mitigation> Threat Management>Add> TMS Appliances)
 
Dynamic Control of IP Filter Entries
The following requirement will enhance the performance and scale of DDoS protection via a tight integration between the Arbor TMS DDoS scrubbing application and the 7750 highly scalable IP filters.
The Arbor TMS application uses a wide variety of methods for identifying specific flows that are part of a network or application Denial of Service attack. These techniques include network and application behavior analysis as well as specific packet-based content detection.
Once a specific flow has been identified as part of the attack, one of the common methods of mitigation includes host-based (source-IP), IP blacklisting. Instead of continuing to analyze every packet of that flow up to Layer 7 analysis, based on the initial detection TMS will use IP host-based blacklisting to temporarily block traffic from that source toward the destination under attack.
This feature adds the ability to have the TMS application within the 7750 signal the 7750 through the ALU API controlling highly scalable IP filters for hardware-based, source-IP blacklisting in order to significantly enhance the scale and performance of the blacklisting function.
Note: R6.0p4 or later of Arbor TMS is required to support this feature on the 7750.
This feature exemplifies how Arbor Networks and ALU continue to improve the overall DDoS detection and mitigation function.