Subscriber Notification; Hardware Filtering - Cisco SCE8000 Configuration Manual

Chapter 10
Identifying and Preventing Distributed-Denial-Of-Service Attacks

Subscriber Notification

When an attack is identified, if the IP address is detected on the subscriber side and is mapped to a subscriber, the system notifies the application about the attack. This enables the application to notify the subscriber about the attack on-line by redirecting that subscriber's HTTP requests to a server that informs the subscriber of the attack.

In addition, when blocking TCP traffic, the system can be configured not to block a specified port, so that this redirection remains possible. This port is then considered to be unblockable.
Note
Subscriber notification can only function if it is supported by the Service Control Application currently loaded on the SCE platform, and the application is configured to activate this capability. To verify whether the application you are using supports attack subscriber notification, and for details about enabling attack subscriber notification in the application, refer to the documentation of the relevant Service Control Application.

Hardware Filtering

The SCE platform has two ways of handling an attack: by software or by hardware. Normally, attacks are handled by software. This enables the SCE platform to accurately measure the attack flows and to instantly detect that an attack has ended.

However, very strong attacks cannot be handled successfully by the software. If the software cannot adequately handle an attack, the resulting high CPU load will harm the service provided by the SCE platform (normal traffic classification and control). An attack that threatens to overwhelm the software will, therefore, be automatically filtered by the hardware.

When the hardware is used to filter the attack, the software has no knowledge of the attack packets, and therefore the following side effects occur:
Configuring sending an SNMP trap (alarm):
- Enabled — An SNMP trap is sent when the attack begins and when it ends. The SNMP trap contains the following information fields:
  - A specific IP address or
  - Protocol (TCP, UDP, ICMP or Other)
  - Interface (User/Network) behind which the detected IP address is found. This is referred to below as the attack 'side'.
  - Attack direction (whether the IP address is the attack source or the attack destination).
  - Type of threshold breached (open-flows / ddos-suspected-flows) ['attack-start' traps only]
  - Threshold value breached ['attack-start' traps only]
  - Action taken (report, block), indicating the action taken by the SCE platform in response to the detection
  - Number of attack flows blocked/reported, giving the total number of flows detected during the attack ['attack-stop' traps only]
- Disabled — No SNMP trap is sent.

OL-16479-01
Attack Filtering and Attack Detection
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
10-5
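As an added example, not code from the Cisco guide, the following Python correlator consumes the attack-start and attack-stop trap contents listed above: it checks that each trap carries only the fields its type should, pairs start and stop traps per attacked address to get duration and flow counts, and lists subscriber-side attacks that were only reported rather than blocked. The dictionary field names and the sample traps are assumptions constructed for this example; the guide names the fields but not their variable names.

```python
from typing import Dict, List, Tuple

# Field names are an assumption: the guide lists what each trap carries, not the
# variable names, so each trap is modelled as a flat dict keyed by those fields.
COMMON = {"event", "time", "ip", "protocol", "side", "direction", "action"}
START_ONLY = {"threshold_type", "threshold_value"}  # 'attack-start' traps only
STOP_ONLY = {"flows_handled"}                        # 'attack-stop' traps only

def validate(trap: dict) -> None:
    """Reject a trap whose fields do not match its event type."""
    event = trap.get("event")
    if event not in ("attack-start", "attack-stop"):
        raise ValueError(f"unknown event {event!r}")
    only, other = (START_ONLY, STOP_ONLY) if event == "attack-start" else (STOP_ONLY, START_ONLY)
    keys = set(trap)
    if not (COMMON | only) <= keys or keys & other:
        raise ValueError(f"malformed {event} trap: {sorted(keys)}")

def correlate(traps: List[dict]) -> Tuple[List[dict], List[dict], List[dict]]:
    """Pair start/stop traps on (ip, protocol, side, direction) in time order;
    returns (finished attacks, attacks still open, stop traps with no start)."""
    open_attacks: Dict[tuple, dict] = {}
    finished, orphans = [], []
    for t in sorted(traps, key=lambda t: t["time"]):
        validate(t)
        key = (t["ip"], t["protocol"], t["side"], t["direction"])
        if t["event"] == "attack-start":
            open_attacks[key] = dict(t, start=t["time"])  # a repeated start supersedes
        elif key in open_attacks:
            a = open_attacks.pop(key)
            a.update(stop=t["time"], duration=t["time"] - a["start"],
                     flows_handled=t["flows_handled"])
            finished.append(a)
        else:
            orphans.append(t)  # stop with no start: a lost or reordered trap
    return finished, list(open_attacks.values()), orphans

def report_only_subscriber_attacks(finished: List[dict]) -> List[str]:
    """IPs on the subscriber (User) side whose attacks were reported but not blocked."""
    return [a["ip"] for a in finished if a["side"] == "User" and a["action"] == "report"]

# Constructed sample traps; not captured from a real SCE platform.
SAMPLE_TRAPS = [
    {"event": "attack-start", "time": 100, "ip": "10.0.0.5", "protocol": "TCP", "side": "User",
     "direction": "source", "action": "block", "threshold_type": "open-flows", "threshold_value": 1000},
    {"event": "attack-start", "time": 120, "ip": "10.0.0.9", "protocol": "UDP", "side": "User",
     "direction": "source", "action": "report", "threshold_type": "ddos-suspected-flows", "threshold_value": 500},
    {"event": "attack-stop", "time": 160, "ip": "10.0.0.5", "protocol": "TCP", "side": "User",
     "direction": "source", "action": "block", "flows_handled": 48210},
    {"event": "attack-stop", "time": 170, "ip": "10.0.0.9", "protocol": "UDP", "side": "User",
     "direction": "source", "action": "report", "flows_handled": 9000},
    {"event": "attack-stop", "time": 180, "ip": "192.0.2.7", "protocol": "ICMP", "side": "Network",
     "direction": "destination", "action": "report", "flows_handled": 3},
]
```

Running `correlate(SAMPLE_TRAPS)` yields two finished attacks, no open ones, and one orphan stop trap for 192.0.2.7; the report-only list names 10.0.0.9, the subscriber whose UDP attack was detected but not blocked.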