These appliances (or Cat 6500 Modules) are based upon the patented Multi-Verification Process (MVP) architecture.
This MVP architecture enables the Cisco Guard and Cisco Traffic Anomaly Detector to leverage the latest analysis and attack recognition techniques to detect and remove network attack traffic while scrubbing and reinjecting valid network traffic to its proper destination.
The Traffic Anomaly Detector learns what is a normal traffic pattern for a protected network area, or zone. DDoS mitigation policies are constructed and thresholds are tuned in order to react to various DDoS attack scenarios.
This DDoS attack diversion is typically implemented by updating the Border Gateway Protocol (BGP) routing table or by other mechanisms including static routes (manual IP routes) and policy-based routes (specific traffic forwarding based upon parameters including application and packet size).
The Guard's ability to update routing tables in the event of an attack (or always run inline with the Cat6500 Modules) allows the Guard to automatically scrub the DDoS attack traffic, while still forwarding or tunneling valid network traffic to the destination zone.
So less about the Guard itself on this blog (more soon on network-response), but look out tomorrow for an example MARS custom parser for the Guard & Detector.