Attack Detection - Cisco SCE8000 Configuration Manual
Service control engine
Hide thumbs
Also See for SCE8000:
- Installation and configuration manual (248 pages) ,
- Installation manual (51 pages) ,
- Removal and replacement procedures (36 pages)
Table of Contents
Advertisement
Chapter 10
Identifying and Preventing Distributed-Denial-Of-Service Attacks
Specific IP filtering for selected attack types is enabled with the following parameters. These parameters
control which of the 32 attack types are being filtered for:
•
•
•
Attack Detection
Specific IP detections are identified with the following parameters:
•
•
•
•
•
The system can identify a maximum of 1000 independent, simultaneous attacks.
Once an attack is identified, the system can be instructed to perform any of the following actions:
•
•
•
•
Attack detection and handling are user-configurable. The remainder of this chapter explains how to
configure and monitor attack detection.
OL-16479-01
Protocol — TCP, UDP, ICMP, or Other
Attack direction — The direction of the attack may be identified by only one IP address or by two
IP addresses:
–
single side — The attack is identified by either the source IP address or the destination address
only.
The filter definition may specify the specific side, or may include any single side attack, regardless
of side (both).
dual side (TCP and UDP protocols only) — The attack is identified by both the source and
–
destination IP addresses. In other words, when a specific IP attacks a specific IP, this is detected
as one incident rather than as two separate incidents.
Destination port (TCP and UDP protocols only) — Defines whether specific IP detection is enabled
or disabled for port-based or port-less detections. Enable port-based detection for TCP/UDP attacks
that have a fixed destination port or ports.
The list of destination ports for port-based detection is configured separately. (See
Detectors, page
10-12.)
Specific IP address (or two IP addresses for dual-sided detections)
Protocol — TCP, UDP, ICMP or Other
Port — For TCP/UDP attacks that have a fixed destination port
Side — Interface (Subscriber/Network) from which attack packets are sent
Attack-direction — If a single IP address is specified, the IP address is an attack-source or an
attack-destination address.
Report — By default, the attack beginning and end are always reported.
Block — The system will block all attack traffic for the duration of the attack. (The traffic is from
or to the attack IP address, depending on whether the IP address is an attack-source or
attack-destination)
Notify — Subscriber notification. When the IP address identified is mapped to a particular
subscriber context, the system can be configured to notify the subscriber of the fact that he is under
an attack (or a machine in his network is generating such an attack), using HTTP
Redirect. Alarm — The system will generate an SNMP trap each time an attack starts and stops.
Attack Filtering and Attack Detection
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
Specific Attack
10-3
Advertisement
Table of Contents
