Attack Detection Thresholds - Cisco SCE2020-4XGBE-SM Configuration Manual

Software configuration guide
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Cisco SCE 2000 and SCE 1000 Software Configuration Guide, OL-7827-12, page 11-4

Attack Filtering and Attack Detection

Once an attack is identified, the system can be instructed to perform any of the following actions:

- Report — By default, the attack beginning and end are always reported.
- Block — The system will block all attack traffic for the duration of the attack. (The traffic is from or to the attack IP address, depending on whether the IP address is an attack-source or attack-destination.)
- Notify — Subscriber notification. When the IP address identified is mapped to a particular subscriber context, the system can be configured to notify the subscriber of the fact that he is under an attack (or a machine in his network is generating such an attack), using HTTP Redirect.
- Alarm — The system will generate an SNMP trap each time an attack starts and stops.

Attack detection and handling are user-configurable. The remainder of this chapter explains how to configure and monitor attack detection.

Attack Detection Thresholds

There are three thresholds that are used to define an attack. These thresholds are based on meters that are maintained by the SCE platform for each IP address or pair of addresses, protocol, interface and attack-direction.

- open flow rate — A flow for which some traffic was seen. Any packet seen for a new flow is enough to declare this flow an open flow. The rate is measured in new flows per second.
- suspected flow rate — A suspected flow is one that was opened, but did not become an established flow. The rate is measured in new flows per second.
- suspected flow ratio — The ratio of the suspected flow rate to the open flow rate.

As explained above, a specific-IP attack is declared if either of the following conditions is present:

- The open flows rate exceeds the threshold.
- The suspected flows rate exceeds the threshold and the suspected flows ratio exceeds the threshold.

The values for each attack type will have a separate configured default value.

In general, for a given protocol, the suspected flows rate threshold should be lower for a port-based detection than for a port-less detection. This is because flows with a given IP address and a common destination port are metered twice:

- By themselves — to detect a port-based attack
- Together with flows with the same IP address and different destination ports — to detect a port-less attack

If a port-based attack occurs, and the rate of flows is above both thresholds (the port-based thresholds and the port-less thresholds), it is desirable for the port-based attack to be detected before the port-less attack. Similarly, this threshold should be lower for dual-IP detections than for single-IP detections.

The user may define values for these thresholds that override the preset defaults. It is also possible to configure specific thresholds for certain IP addresses and ports (using access lists and port lists). This enables the user to set different detection criteria for different types of network entities, such as a server farm, DNS server, or large enterprise customer.
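The double metering and the two-condition rule described above, as an added Python model that is not Cisco's code: each constructed flow record feeds a per-(IP, destination port) meter for port-based detection and a per-IP meter for port-less detection, and the threshold values, window length and sample traffic are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Thresholds:
    open_rate: float        # open flows per second
    suspected_rate: float   # suspected flows per second
    suspected_ratio: float  # suspected flow rate / open flow rate

def attack_declared(open_rate, suspected_rate, thr):
    """Either condition from the guide declares an attack."""
    if open_rate > thr.open_rate:
        return True
    ratio = suspected_rate / open_rate if open_rate else 0.0
    return suspected_rate > thr.suspected_rate and ratio > thr.suspected_ratio

def classify(flows, window_s, port_thr, portless_thr):
    """flows: (ip, dst_port, established) records seen during window_s seconds.
    Every flow is metered twice: per (ip, dst_port) and per ip."""
    port_meter = defaultdict(lambda: [0, 0])   # [opened, suspected]
    ip_meter = defaultdict(lambda: [0, 0])
    for ip, port, established in flows:
        for m in (port_meter[(ip, port)], ip_meter[ip]):
            m[0] += 1
            if not established:           # opened but never established
                m[1] += 1
    found = []
    for (ip, port), (opened, suspected) in port_meter.items():
        if attack_declared(opened / window_s, suspected / window_s, port_thr):
            found.append(("port-based", ip, port))
    for ip, (opened, suspected) in ip_meter.items():
        if attack_declared(opened / window_s, suspected / window_s, portless_thr):
            found.append(("port-less", ip, None))
    return found

# Assumed thresholds: the port-based set is deliberately lower than the port-less set.
PORT_THR = Thresholds(open_rate=100, suspected_rate=50, suspected_ratio=0.5)
PORTLESS_THR = Thresholds(open_rate=200, suspected_rate=80, suspected_ratio=0.5)

def sample_flows():
    # Constructed host A: 60 flows to port 80 that never establish, plus 5 normal flows.
    flows = [("192.0.2.10", 80, False)] * 60
    flows += [("192.0.2.10", p, True) for p in (22, 25, 443, 993, 8080)]
    # Constructed host B: 10 ordinary, established flows to assorted ports.
    flows += [("192.0.2.20", 1000 + i, True) for i in range(10)]
    return flows

if __name__ == "__main__":
    print(classify(sample_flows(), 1.0, PORT_THR, PORTLESS_THR))
```

With the port-based suspected-rate threshold (50) below the port-less one (80), only the port-based attack on host A fires for this sample; passing the two threshold sets the other way round makes the port-less detection fire instead, which is the ordering the guide advises against.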