Attack Handling; Subscriber Notification - Cisco SCE2020-4XGBE-SM Configuration Manual

Software configuration guide
Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks

Attack Handling

Attack handling can be configured as follows:

Configuring the action:
Report — Attack packets are processed as usual, and the occurrence of the attack is reported.
Block — Attack packets are dropped by the SCE platform, and therefore do not reach their destination.
Regardless of which action is configured, two reports are generated for every attack: one when the start of an attack is detected, and one when the end of an attack is detected.

Configuring subscriber-notification (notify):
Enabled — If the subscriber IP address is detected to be attacked or attacking, the subscriber is notified about the attack.
Disabled — The subscriber is not notified about the attack.

Configuring sending an SNMP trap (alarm):
Enabled — An SNMP trap is sent when an attack begins and when it ends.
The SNMP trap contains the following information fields:
- A specific IP address or
- Protocol (TCP, UDP, ICMP or Other)
- Interface (User/Network) behind which the detected IP address is found. This is referred to below as the attack 'side'.
- Attack direction (whether the IP address is the attack source or the attack destination).
- Type of threshold breached (open-flows / ddos-suspected-flows) ['attack-start' traps only]
- Threshold value breached ['attack-start' traps only]
- Action taken (report, block), indicating the action taken by the SCE platform in response to the detection
- Amount of attack flows blocked/reported, giving the total number of flows detected during the attack ['attack-stop' traps only]
Disabled — No SNMP trap is sent.

Subscriber Notification

When an attack is identified, if the IP address is detected on the subscriber side and is mapped to a subscriber, the system notifies the application about the attack. This enables the application to notify the subscriber about the attack on-line by redirecting HTTP requests of this subscriber to a server that will notify it of the attack.
In addition, when blocking TCP traffic, the system can be configured not to block a specified port to make this redirection possible. This port is then considered to be un-blockable.
Note that subscriber-notification can only function if supported by the Service Control Application currently loaded to the SCE platform, and the application is configured to activate this capability. To verify whether the application you are using supports attack subscriber notification, and for details about enabling attack subscriber notification in the application, please refer to the documentation of the relevant Service Control Application.

OL-7827-12
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
Attack Filtering and Attack Detection
11-5
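The trap fields listed above are split between the two notifications: the threshold type and value arrive only in the 'attack-start' trap, the flow total only in the 'attack-stop' trap, so a collector has to join the pair to get one usable record per attack. The following is an added example (not code from the guide or from Cisco) of such a correlator; the dictionary field names and the sample traps are constructed assumptions standing in for the decoded varbinds, not the Cisco MIB objects.

```python
# Constructed sample notifications (assumption): field names mirror the list
# in the manual text above; they are NOT the Cisco MIB varbind names or OIDs.
SAMPLE_TRAPS = [
    {"event": "attack-start", "ip": "10.1.2.3", "protocol": "TCP", "side": "User",
     "direction": "source", "threshold": "open-flows", "threshold_value": 1000,
     "action": "block", "time": 100},
    {"event": "attack-start", "ip": "10.1.2.3", "protocol": "UDP", "side": "User",
     "direction": "source", "threshold": "ddos-suspected-flows",
     "threshold_value": 500, "action": "report", "time": 130},
    {"event": "attack-stop", "ip": "10.1.2.3", "protocol": "TCP", "side": "User",
     "direction": "source", "action": "block", "flows": 48213, "time": 400},
    {"event": "attack-stop", "ip": "192.0.2.9", "protocol": "ICMP", "side": "Network",
     "direction": "destination", "action": "report", "flows": 7, "time": 410},
]


def attack_key(trap):
    """One attack is identified by (address, protocol, side, direction)."""
    return (trap["ip"], trap["protocol"], trap["side"], trap["direction"])


def correlate(traps):
    """Pair each attack-start trap with its attack-stop trap.

    Returns (closed, still_open, orphan_stops). A closed record combines the
    threshold fields (start trap only) with the flow total (stop trap only)
    and the duration. Orphan stops have no matching start, for instance
    because the collector missed the start trap, and still deserve an alert.
    """
    open_attacks, closed, orphans = {}, [], []
    for trap in sorted(traps, key=lambda t: t["time"]):
        key = attack_key(trap)
        if trap["event"] == "attack-start":
            open_attacks[key] = trap
        elif trap["event"] == "attack-stop":
            start = open_attacks.pop(key, None)
            if start is None:
                orphans.append(trap)
                continue
            closed.append({
                "ip": trap["ip"], "protocol": trap["protocol"],
                "side": trap["side"], "direction": trap["direction"],
                "threshold": start["threshold"],
                "threshold_value": start["threshold_value"],
                "action": trap["action"], "flows": trap["flows"],
                "duration": trap["time"] - start["time"],
            })
    return closed, list(open_attacks.values()), orphans
```

Calling correlate(SAMPLE_TRAPS) yields one closed TCP attack (blocked, 48213 flows, 300 time units), one UDP attack still open, and one ICMP stop trap with no start.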
