Cisco SCE8000 Configuration Manual page 195

Chapter 10
Identifying and Preventing Distributed-Denial-Of-Service Attacks
The default attack detector should be configured with values that reflect the desired SCE platform
behavior for the majority of the traffic flows passing through it. However, it is not feasible to use the
same set of values for all the traffic that traverses the SCE platform, because some network entities
have normal traffic whose characteristics would be considered an attack if they were seen coming from
most other network elements. Here are two common examples:
• A DNS server is expected to be the target of many short DNS queries. These queries are typically
UDP flows, each flow consisting of two packets: the request and the response. Normally, the SCE
platform considers all UDP flows that are opened to the DNS server as DDoS-suspected flows, since
these flows contain fewer than 3 packets. A DNS server might serve hundreds of DNS requests per
second at peak times, so the system should be configured with a suitable threshold for
DDoS-suspected flows for protocol = UDP and direction = attack-destination. A threshold value of
1000 flows/second would probably be suitable for the DNS server. However, this threshold would
be unsuitable for almost all other network elements, since, for them, being the destination of such
a large rate of UDP flows would be considered an attack. Therefore, setting a threshold of 1000 for all
traffic is not a good solution.
• The subscriber side of the SCE platform might contain many residential subscribers, each having
several computers connected through an Internet connection, and each computer having a different
IP address. In addition, there might be a few business subscribers, each using a NAT that hides
hundreds of computers behind a single IP address. Clearly, the traffic seen for an IP address of a
business subscriber contains significantly more flows than the traffic of an IP address belonging to
a residential subscriber. The same threshold cannot be adequate in both cases.
To let the SCE platform treat such special cases differently, the user can configure non-default attack
detectors in the range of 1-99. Like the default attack detector, non-default attack detectors can be
configured with different sets of values of action and thresholds for every attack type. However, to be
effective, a non-default attack detector must be enabled and must be assigned an ACL (access control
list). The action and thresholds configured for such an attack detector are effective only for IP addresses
permitted by the ACL. Non-default attack detectors can be assigned a label describing their purpose,
such as 'DNS servers' or 'Server farm'.
Non-default attack detectors are effective only for attack types that have been specifically configured.
This eliminates the need to duplicate the default attack detector configuration into the configuration of
non-default attack detectors, and is best illustrated with an example: Suppose an HTTP server on the
subscriber side of the SCE platform is getting many requests, which requires the use of a non-default
attack detector for configuring high threshold values for incoming TCP flow rates. Assume attack
detector number 4 is used for this purpose; hence it is enabled, and assigned an ACL which permits the
IP address of the HTTP server. Also suppose that it is desirable to protect subscribers from UDP attacks,
so the default attack detector is configured to block UDP attacks coming from the network (the
default configuration is only to report attacks, not block them). If the HTTP server is attacked by a UDP
attack from the network, the configuration of the default attack detector will hold for this HTTP server
as well, since attack detector number 4 was not configured for UDP attacks.
For each of the non-default attack detectors, for each of the 32 attack types, there are four configurable
settings:
• Threshold
• Action
• Subscriber-notification
• Alarm
Each of these four settings can be either configured (with a value or set of values) or not configured. By
default, none of them is configured.
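The following is an added illustration, not the SCE platform's own code, of the resolution rules described above: a non-default detector overrides the default only for IP addresses its ACL permits, only for attack types it configures, and (per the four settings listed) only for the individual settings it has actually set, everything else falling back to the default detector. The addresses, the default thresholds and the detector contents are constructed for the example; the model simplifies the 32 real attack types to a (protocol, direction) key and assumes that, where several non-default detectors match an address, the lowest-numbered one is used.

```python
"""Model of SCE attack-detector resolution: default detector 0 plus non-default
detectors 1-99 that override it only for IP addresses their ACL permits and
only for the attack types (and individual settings) they actually configure.
Added illustration; not the SCE platform's code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Simplification: an attack type is keyed on (protocol, attack-direction) only.
# The real SCE platform distinguishes 32 attack types (protocol, port
# specificity, direction and side).
AttackType = Tuple[str, str]          # e.g. ("UDP", "attack-destination")

@dataclass
class Settings:
    """The four per-attack-type settings. None means 'not configured'."""
    threshold: Optional[int] = None          # suspected flows/second
    action: Optional[str] = None             # "report" or "block"
    subscriber_notification: Optional[bool] = None
    alarm: Optional[bool] = None

@dataclass
class AttackDetector:
    number: int                              # 0 = default, 1-99 = non-default
    label: str = ""
    enabled: bool = False
    acl: List = field(default_factory=list)  # permitted networks; empty = no ACL
    settings: Dict[AttackType, Settings] = field(default_factory=dict)

    def applies_to(self, addr) -> bool:
        # Effective only if enabled AND assigned an ACL that permits the address.
        return self.enabled and any(addr in net for net in self.acl)

def effective_settings(default: AttackDetector, detectors: List[AttackDetector],
                       ip: str, attack_type: AttackType) -> Settings:
    """Resolve the settings applied to `ip` for `attack_type`: start from the
    default detector, then let the lowest-numbered matching non-default detector
    (ordering assumed by this model) override each setting it has configured."""
    addr = ip_address(ip)
    resolved = Settings(**vars(default.settings.get(attack_type, Settings())))
    for det in sorted(detectors, key=lambda d: d.number):
        if not det.applies_to(addr) or attack_type not in det.settings:
            continue
        for name, value in vars(det.settings[attack_type]).items():
            if value is not None:            # unconfigured settings fall back
                setattr(resolved, name, value)
        break
    return resolved

def decide(default, detectors, ip, attack_type, suspected_flows_per_sec) -> str:
    """'none' while at or below threshold, otherwise the configured action
    ('report' when no detector configures one, the platform default)."""
    s = effective_settings(default, detectors, ip, attack_type)
    if s.threshold is None or suspected_flows_per_sec <= s.threshold:
        return "none"
    return s.action or "report"

UDP_DST = ("UDP", "attack-destination")
TCP_DST = ("TCP", "attack-destination")

# Constructed configuration mirroring the chapter's examples. Addresses and the
# default thresholds are invented; 1000 flows/second is the DNS figure from the text.
DEFAULT = AttackDetector(0, "default", enabled=True, settings={
    UDP_DST: Settings(threshold=50, action="block"),    # block UDP attacks from the network
    TCP_DST: Settings(threshold=100, action="report"),  # default is to report only
})
DETECTORS = [
    AttackDetector(4, "Server farm", enabled=True,
                   acl=[ip_network("10.1.1.0/24")],
                   settings={TCP_DST: Settings(threshold=5000)}),  # action left unconfigured
    AttackDetector(7, "DNS servers", enabled=True,
                   acl=[ip_network("10.1.2.53/32")],
                   settings={UDP_DST: Settings(threshold=1000, action="report")}),
]

def demo() -> Dict[str, str]:
    return {
        # HTTP server: 3000 TCP flows/s is below detector 4's 5000 threshold.
        "http_tcp_burst": decide(DEFAULT, DETECTORS, "10.1.1.10", TCP_DST, 3000),
        # Same server hit by UDP: detector 4 never configured UDP, so the default blocks.
        "http_udp_attack": decide(DEFAULT, DETECTORS, "10.1.1.10", UDP_DST, 200),
        # DNS server: 800 short UDP flows/s is legitimate under detector 7.
        "dns_udp_load": decide(DEFAULT, DETECTORS, "10.1.2.53", UDP_DST, 800),
        # Residential host at the same UDP rate: only the default detector applies.
        "residential_udp": decide(DEFAULT, DETECTORS, "10.2.0.5", UDP_DST, 800),
        # Detector 4 left 'action' unconfigured, so the default's 'report' applies
        # once detector 4's own threshold is exceeded.
        "http_tcp_flood": decide(DEFAULT, DETECTORS, "10.1.1.10", TCP_DST, 9000),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:18s} -> {action}")
```

The last two cases are the ones worth checking when you configure a real detector: a UDP attack against the HTTP server is still blocked by the default detector because detector 4 says nothing about UDP, and leaving a single setting (here the action) unconfigured in a non-default detector does not turn detection off for that attack type; it only inherits that one setting from the default.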
OL-16479-01
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
Configuring Attack Detectors
10-7