Cisco Service Control Service Security: Outgoing Spam Mitigation

CISCO SERVICE CONTROL SOLUTION GUIDE

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 3.5.5

1 Introduction and Scope
2 Functionality Overview
3 Mass-Mailing Based Threats
4 Obtaining Documentation and Submitting a Service Request

Revised: July 28, 2009, OL-18876-02

1 Introduction and Scope

The need for protection from attacks and malicious traffic that originate from the Internet has gained focus. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms, viruses, malicious HTTP content, and multiple types of intrusions are common. Deep Packet Inspection (DPI) platforms, and specifically the Cisco Service Control Engine (SCE), are deployed inline and are stateful and programmable. These properties position the SCE platform to detect malicious traffic and mitigate its effect on service providers and their customers.

The Service Control Application for Broadband (SCA BB) includes service security functionality comprising anomaly detection, spam and mass-mailing detection, and signature detection. These detection features allow the SCE platform to address threats that exist in current networks. The SCA BB solution provides insight into malicious activity in an operator network and mitigates large-scale eruptions of malicious activity that might compromise overall network performance and degrade the user experience.

This guide describes the specifics of detecting and mitigating outgoing spam and mass-mailing based threats. For a full description of the service security functionality and the relevant management modules, refer to the SCA BB user guides.

2 Functionality Overview

Overview

The Cisco SCE platform uses mass-mailing activity detection to detect and mitigate outgoing spam. Simple Mail Transfer Protocol (SMTP) is the protocol used for sending email. An excessive rate of SMTP sessions originating from an individual subscriber usually indicates malicious email-sending activity: either mail-based viruses or spam-zombie activity. The mechanism monitors SMTP session rates per subscriber. It uses the SCE platform's subscriber awareness and works in either subscriber-aware or anonymous-subscribers mode.
This detection approach provides operators with several possible courses of action, to be chosen according to their business needs:

Monitor: Inspect the network for malicious activity detected by this method, using reports based on the information collected about the detected activity.
Block: Automatically block malicious activity detected by the SCE platform, to avoid threat propagation and adverse effects on the network.
Notify: Notify subscribers that they have been detected as being involved in malicious activity, by redirecting their web sessions to a captive portal.

Operators have flexibility in customizing the detection methods and the actions to be taken based on their specific needs. The SCA BB Security Dashboard GUI application (Figure 1) provides a front end for configuring and monitoring security functionality.

Figure 1 SCA BB Security Dashboard

Mass-Mailing Detection Process

The following is an overview of the mass-mailing detection process after configuration is complete. The process is based on session quotas. A quota is a number of sessions allowed in a given time interval.

1. The time interval begins with the first session.
2. When a second session is sent, if the time is still within the first interval, the session is counted within the first interval. If the time is beyond the first interval, a second interval begins at that point, with that session as its first.
3. Once subscribers send the quota's number of sessions within the time interval (the sixth session in the example below), they have used up their quota and are marked as spammers. From that point on, all traffic sent from the subscriber is handled as spam, and the defined action (send Raw Data Record (RDR), block, notification, or mirror) is applied.
Note The action is applied only from that point on; it does not apply to sessions that are still open from before the subscriber was marked as a spammer.
4. The subscriber remains marked as a spammer until an interval elapses in which the sessions do not reach the configured quota.
5. For example, the quota is defined as 6 sessions in 10 seconds. The 10 seconds begin when the first session is sent. If 5 more sessions are sent within those 10 seconds, the subscriber is marked as a spammer from that point on and the defined action (RDR, block, notification, or mirror) is applied. If some of the 6 sessions are still open from before the subscriber was marked as a spammer, the action is not applied to those open sessions.

When the next session is sent, at 12 seconds for example, a new time interval begins at that point and the sessions are counted again from zero. If the subscriber sends fewer than 6 sessions in that 10-second interval, the subscriber is no longer considered a spammer and the specified action is removed. An RDR is sent to the Collection Manager indicating that the subscriber is no longer a spammer.

Related Topics: Configuring Outgoing Spam Detection Settings

3 Mass-Mailing Based Threats

The mass-mailing based threat detection module monitors SMTP session rates for individual subscribers. It uses the SCE platform's subscriber awareness and works in either subscriber-aware or anonymous-subscribers mode. SMTP is the protocol used for sending email; an excessive rate of SMTP sessions from an individual subscriber usually indicates malicious email-sending activity: either mail-based viruses or spam-zombie activity.

Configuring Mass-Mailing Detection

Mass-mailing detection is based on a subscriber breaching a predefined SMTP session quota. For the functionality to operate correctly, you must configure the system in subscriber-aware or anonymous-subscribers mode, so that the SCE platform can accurately count the number of SMTP sessions generated by each subscriber. Configuration consists of the following stages:

Configuring the service for detection. Configure the appropriate service, which should have been built before this stage, for mass-mailing detection. It is common to use a service that includes only the SMTP protocol. Refinements can narrow the scope of detection and potentially allow a lower detection threshold:

Outbound SMTP: Accounts only for SMTP sessions initiated by the subscriber. SMTP should not normally be seen as an inbound protocol, because a subscriber is not expected to run an SMTP server on their own premises; inbound SMTP connections may represent other kinds of malicious activity.
To build such a service, include the Subscriber-Initiated attribute in the service definition.
OffNet SMTP: SMTP that is not targeted at a subscriber's home SMTP server. Normal email clients send email through the home SMTP server, which then relays the email wherever needed. Limiting the service to OffNet avoids accounting for legitimate sessions, that is, sessions that subscribers conduct with the SMTP server of their ISP. One caveat: prominent non-ISP email providers offer an SMTP-based service, either for a fee or free of charge, so OffNet on its own is no longer a suitable differentiator between legitimate and non-legitimate activity. To build such a service, define a Zone of IP ranges and then define a service that associates the SMTP protocol with the defined Zone.
A combination of the two.

Defining the quota. Define the quota used to indicate anomalous email activity. The quota is defined as a number of sessions in a given period; the number of sessions and the period length are both configurable. Base the values for these fields on baseline monitoring of subscriber activity.

Defining the action. Define the action to be taken upon detecting mass-mailing activity. The action can be:

Send RDR: The SCE sends a Raw Data Record (RDR) to the Collection Manager, and sends a second RDR when the subscriber's spammer status is removed. The Collection Manager collects these RDRs in comma-separated value (CSV) files for logging purposes. Alternatively, you can implement your own RDR collectors to receive these RDRs and respond in real time.
Block: Block the spam SMTP traffic.
Notify: Redirect the subscriber's browsing sessions to a captive portal presenting a message from the operator. This is performed using subscriber notification.
Mirror: Divert spam SMTP traffic to an inline spam detection service.
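The service refinement (Outbound plus OffNet SMTP) and the quota and action semantics described above, worked through as an added example. This is not Cisco code: the SCE's own classifier and quota engine are not public, so the simulation below is an assumption-based model. It assumes that SMTP is recognised as TCP port 25, that the operator's home relays form the Zone 192.0.2.0/24, and that flow records look like the constructed ones in run_scenario(); the quota semantics follow the guide's worked example (6 sessions in 10 seconds, the interval starting with the first session, marking on the sixth session, clearing when an interval ends under quota). It also models the pair of RDRs sent when a subscriber is marked and later cleared, and goes slightly beyond the text by showing how inbound SMTP, home-relay SMTP and non-SMTP flows are excluded before counting.

```python
# Added example (not Cisco code): simulation of OffNet outbound SMTP service
# matching and the per-subscriber session quota described in this guide.
# Assumptions: SMTP = TCP/25, home relays = Zone 192.0.2.0/24, flows constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

HOME_SMTP_ZONE = (ip_network("192.0.2.0/24"),)  # assumed operator relay range


@dataclass(frozen=True)
class Flow:
    time: float
    subscriber: str
    subscriber_initiated: bool  # the Subscriber-Initiated service attribute
    dst_ip: str
    dst_port: int


def is_offnet_outbound_smtp(flow: Flow, zone=HOME_SMTP_ZONE) -> bool:
    """Service match: subscriber-initiated SMTP whose destination is outside the Zone."""
    if not flow.subscriber_initiated or flow.dst_port != 25:
        return False
    return not any(ip_address(flow.dst_ip) in net for net in zone)


@dataclass
class _State:
    window_start: Optional[float] = None  # time of the session that opened the interval
    count: int = 0                        # matching sessions in the open interval
    spammer: bool = False


@dataclass(frozen=True)
class Rdr:
    """Stand-in for the Raw Data Record the SCE sends to the Collection Manager."""
    time: float
    subscriber: str
    event: str  # "marked" or "cleared"


class MassMailingDetector:
    def __init__(self, quota: int, period: float, action: str = "block") -> None:
        if quota < 1 or period <= 0:
            raise ValueError("quota must be >= 1 and period > 0")
        self.quota, self.period, self.action = quota, period, action
        self.rdrs: List[Rdr] = []
        self._states: Dict[str, _State] = {}

    def _close_elapsed_interval(self, sub: str, st: _State, now: float) -> None:
        if st.window_start is None or now - st.window_start < self.period:
            return
        ended_at = st.window_start + self.period
        if st.spammer and st.count < self.quota:
            st.spammer = False               # an interval elapsed under the quota
            self.rdrs.append(Rdr(ended_at, sub, "cleared"))
        st.window_start, st.count = None, 0  # the next session opens a new interval

    def is_spammer(self, sub: str, now: float) -> bool:
        """Status consulted for other traffic, e.g. the HTTP captive-portal redirect."""
        st = self._states.setdefault(sub, _State())
        self._close_elapsed_interval(sub, st, now)
        return st.spammer

    def observe(self, flow: Flow) -> str:
        """Verdict for one flow: 'ignored' (outside the service), 'allow', or the action."""
        if not is_offnet_outbound_smtp(flow):
            return "ignored"
        st = self._states.setdefault(flow.subscriber, _State())
        self._close_elapsed_interval(flow.subscriber, st, flow.time)
        # The status before this session is counted decides its verdict, so the
        # session that reaches the quota is not itself acted upon (assumption).
        verdict = self.action if st.spammer else "allow"
        if st.window_start is None:
            st.window_start = flow.time
        st.count += 1
        if st.count >= self.quota and not st.spammer:
            st.spammer = True
            self.rdrs.append(Rdr(flow.time, flow.subscriber, "marked"))
        return verdict


def run_scenario(quota: int = 6, period: float = 10.0):
    """Replay constructed flows: sub-A behaves like a spam zombie, sub-B like a mail client."""
    flows = [Flow(t, "sub-A", True, "198.51.100.%d" % (10 + i), 25)
             for i, t in enumerate([0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 12.0, 15.0, 25.0])]
    flows += [
        Flow(0.5, "sub-B", True, "192.0.2.25", 25),      # to the home relay: not counted
        Flow(6.5, "sub-A", False, "198.51.100.99", 25),  # inbound SMTP: not counted
        Flow(15.5, "sub-B", True, "203.0.113.5", 80),    # not SMTP at all
    ]
    flows.sort(key=lambda f: f.time)
    det = MassMailingDetector(quota, period)
    verdicts = [(f.time, f.subscriber, det.observe(f)) for f in flows]
    return verdicts, det.rdrs
```

In the replayed trace, sub-A's sixth outbound OffNet session (at 5 s) produces the "marked" RDR, its later sessions get the configured action, the interval that opens at 12 s ends at 22 s with only two sessions, and that produces the "cleared" RDR, so the session at 25 s is allowed again. The is_spammer() method shows the point the guide makes about persistence: a subscriber stays marked until a new interval actually begins with a session and then elapses under quota, which matters when the configured action is the HTTP notification applied to non-SMTP traffic.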

Note For the Send RDR action, the SCE sends one RDR when the subscriber is marked as a spammer and a second RDR once the subscriber is no longer considered a spammer. The block, notify, and mirror actions begin when the subscriber is marked as a spammer and are maintained until the subscriber is no longer considered a spammer.

Configuring Outgoing Spam Detection Settings

Step 1 In the Service Security Dashboard, in the Spam Zombies and Email Viruses Detection pane, click Configure. The Spam Detection and Mitigation Settings window appears (Figure 2).

Figure 2 Spam Detection and Mitigation Settings Window

Step 2 From the Service to monitor for spam drop-down list, choose a service.
Note Leave the default value for the monitored service (SMTP) unless you have defined a more specific service, such as Outbound SMTP or OffNet SMTP.

Step 3 For each package, do the following:
a. Define the quota used to indicate anomalous email activity. The quota is defined as a number of sessions in a given period; the number of sessions and the period length are both configurable. We recommend that you base the values for these fields on baseline monitoring of subscriber activity. Click the Detection Threshold column. A More button appears. Click the More button. The Spam Detection Threshold window appears (Figure 3).

Figure 3 Spam Detection Threshold Window

Define the threshold email session rate for anomalous behavior, then click OK.
b. Define one or more actions to be taken upon detecting mass-mailing activity. Available actions are:
Send RDR: The SCE sends a Raw Data Record (RDR) to the Collection Manager when the subscriber is marked as a spammer, and a second RDR when the subscriber's spammer status is removed. The Collection Manager collects these RDRs in CSV files for logging purposes. Alternatively, you can implement your own RDR collectors to receive these RDRs and respond in real time.
Block SMTP Traffic: Block the spam SMTP traffic.
Notify Subscriber (HTTP): Redirect the subscriber's browsing sessions to a captive portal presenting a message from the operator. This is performed using subscriber notification.
Mirror SMTP traffic: Copy spam SMTP traffic to an inline spam detection service.
Note The block, notify, and mirror actions begin when the subscriber is marked as a spammer and are maintained until the subscriber is no longer considered a spammer.
Note Block SMTP Traffic and Mirror SMTP traffic cannot both be selected; selecting one disables the other.
To perform the Notify Subscriber (HTTP) action, choose or enter a notify subscriber (Figure 4).

Figure 4 Spam Detection and Mitigation Settings Window, Notify Subscriber

To perform the Mirror SMTP traffic action, choose a Server Group.
Step 4 Click Finish.
Step 5 Apply the service configuration to the SCE platform:
a. From the toolbar, click Apply Service Configuration to SCE Devices. A Password Management dialog box appears.
b. Enter the username and password for managing the SCE and click Apply. The service configuration is applied to the SCE platform.

Related Topics: Monitoring Mass Mailing Activity

Disabling Outgoing Spam Detection

Step 1 In the Service Security Dashboard, in the Spam Zombies and Email Viruses Detection pane, click Configure. The Spam Detection and Mitigation Settings dialog box appears.
Step 2 Uncheck the Enable Spam detection and mitigation check box. All other fields are disabled.
Step 3 Click Finish.

Disabling Outgoing Spam Detection per Package

Step 1 In the Service Security Dashboard, in the Spam Zombies and Email Viruses Detection pane, click Configure. The Spam Detection and Mitigation Settings dialog box appears.
Step 2 In the row of the package for which you want to disable outgoing spam detection, click inside the Detection Threshold column. A More button appears.
Step 3 Click the More button. The Spam Detection Threshold dialog box appears.
Step 4 Uncheck the Enable Spam detection for this package check box. All fields are disabled.
Step 5 Click OK.

Monitoring Mass Mailing Activity

Mass-mailing activity can be monitored based on information processed and stored in the Collection Manager database. The most suitable report for detecting mass-mailing activity by subscribers is the Top Subscribers report (Figure 5), generated by running the Top Subscribers report with Metric=Aggregated sessions for the service used for mass-mailing detection (SMTP, or a more granular service if one was defined). The report identifies the IDs of the subscribers most likely to be involved in mass-mailing activity.

Figure 5 Top Subscribers Report

Two other commonly used reports:
Global Daily Usage Sessions per Service Report: Shows the distribution of sessions among the different service usage counters defined in the system, grouped by day (Figure 6).
Global Hourly Usage Sessions per Service Report: Shows the distribution of sessions among the different service usage counters defined in the system, grouped by hour (Figure 7).

Figure 6 Global Daily Usage Sessions per Service Report

Figure 7 Global Hourly Usage Sessions per Service Report

Viewing a Service Security Mass Mailing Report

Step 1 In the Service Security Dashboard, in the Spam Zombies and Email Viruses Detection pane, click View Report. A Choose a report dialog box appears, displaying a tree of relevant reports.
Step 2 Choose a report from the report tree.
Step 3 Click OK. The Choose a report dialog box closes, and the Reporter tool opens in the Console and displays the requested report. For information about manipulating and saving the report, see the Getting Started chapter of the Cisco Service Control Application Reporter User Guide.

4 Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/us/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
© 2009 Cisco Systems, Inc. All rights reserved. OL-18876-02