Cisco SCE2020-4XGBE-SM Configuration Manual page 292

Software configuration guide
Configuring Attack Detectors
detector number 4 is used for this purpose; hence it is enabled and assigned an ACL that permits the
IP address of the HTTP server. Also suppose that it is desirable to protect subscribers from UDP attacks,
hence the default attack detector is configured to block UDP attacks coming from the network (the
default configuration only reports attacks; it does not block them). If the HTTP server is attacked by a UDP
attack from the network, the configuration of the default attack detector will hold for this HTTP server
as well, since attack detector number 4 was not configured for UDP attacks.
For each of the non-default attack detectors, for each of the 32 attack types, there are four configurable
settings:
Threshold
Action
Subscriber-notification
Alarm
Each of these four settings can be either configured (with a value or set of values) or not configured. The
default state for all of them is not configured.
For each attack type, the set of enabled attack detectors, together with the default attack detector, forms
a database used to determine the threshold and action to take when an attack is detected. When the
platform detects a possible attack, it uses the following algorithm to determine the thresholds for attack
detection.
Enabled attack detectors are scanned from low to high numbers.
If the IP address is permitted by the ACL specified by the attack detector, and a threshold is
configured for this attack type, then the threshold values specified by this attack detector are used.
If not, the scan continues to the next attack detector.
If no attack detector matches the IP address/protocol combination, then the values of the default
attack detector are used.
The same logic is applied when determining the values to use for the remaining settings: action,
subscriber-notification and alarm. The value that is used is the one specified by the lowest-numbered
enabled attack detector that has a configured value for the attack type. If none exists, the configuration
of the default attack detector is used.
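The scan described above resolves each of the four settings independently, so a single attack type can end up with its threshold from one detector, its alarm setting from another, and the rest from the default. The following Python model is an added illustration, not code from the guide or from the SCE platform: it encodes the lowest-number-wins scan and replays the HTTP-server scenario from the text. The attack-type key (protocol, direction, side), the IP addresses, the detector numbers other than 4, the threshold figures and the use of detector number 0 to stand for the default detector are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# The guide defines 32 attack types from protocol, direction and side; the
# keyword values used here are assumed for the example, not taken from the page.
TCP_FROM_NET = ("TCP", "attack-destination", "network")
UDP_FROM_NET = ("UDP", "attack-destination", "network")

SETTINGS = ("threshold", "action", "subscriber-notification", "alarm")


@dataclass
class Acl:
    """Minimal permit-only ACL: a list of networks the detector applies to."""
    permits: list

    def allows(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.permits)


@dataclass
class Detector:
    number: int                  # 0 is used here to stand for the default detector
    enabled: bool = True
    acl: Optional[Acl] = None    # None means "applies to any address"
    # settings[attack_type][setting] -> value; a missing key is "not configured"
    settings: dict = field(default_factory=dict)

    def configured(self, atype, setting):
        return self.settings.get(atype, {}).get(setting)


def resolve(detectors, default, ip, atype):
    """Return {setting: (source detector number or 'default', value)}.

    Enabled detectors are scanned from low to high number. A detector
    supplies a setting only if its ACL permits the IP and that setting is
    configured for the attack type; otherwise the default detector's value
    is used. Each of the four settings is resolved on its own."""
    ordered = sorted((d for d in detectors if d.enabled), key=lambda d: d.number)
    result = {}
    for setting in SETTINGS:
        chosen = None
        for d in ordered:
            if d.acl is not None and not d.acl.allows(ip):
                continue
            value = d.configured(atype, setting)
            if value is not None:
                chosen = (d.number, value)
                break
        if chosen is None:
            chosen = ("default", default.configured(atype, setting))
        result[setting] = chosen
    return result


# --- Constructed scenario mirroring the guide's HTTP-server example ---------
HTTP_SERVER = "198.51.100.10"   # constructed address of the protected server

DEFAULT = Detector(number=0, settings={
    TCP_FROM_NET: {"threshold": {"open-flows": 1000, "suspected-flows-rate": 100,
                                 "suspected-flows-ratio": 50},
                   "action": "report", "subscriber-notification": False, "alarm": False},
    # default detector changed to block UDP attacks from the network
    UDP_FROM_NET: {"threshold": {"open-flows": 1000, "suspected-flows-rate": 100,
                                 "suspected-flows-ratio": 50},
                   "action": "block", "subscriber-notification": False, "alarm": False},
})

DETECTORS = [
    # detector 2: whole server subnet, only the alarm setting is configured
    Detector(number=2, acl=Acl([ip_network("198.51.100.0/24")]),
             settings={TCP_FROM_NET: {"alarm": True}}),
    # detector 3: disabled, so it must never be consulted
    Detector(number=3, enabled=False,
             settings={TCP_FROM_NET: {"action": "block"}}),
    # detector 4: the HTTP server only, raised TCP thresholds, no UDP settings
    Detector(number=4, acl=Acl([ip_network("198.51.100.10/32")]),
             settings={TCP_FROM_NET: {"threshold": {"open-flows": 5000,
                                                    "suspected-flows-rate": 500,
                                                    "suspected-flows-ratio": 80},
                                      "action": "report"}}),
]


def http_server_tcp():
    return resolve(DETECTORS, DEFAULT, HTTP_SERVER, TCP_FROM_NET)


def http_server_udp():
    # no numbered detector covers UDP, so the default (block) applies to the server too
    return resolve(DETECTORS, DEFAULT, HTTP_SERVER, UDP_FROM_NET)


if __name__ == "__main__":
    for name, fn in (("TCP", http_server_tcp), ("UDP", http_server_udp)):
        print(name, fn())
```

Running the module shows the mixed result for a TCP attack on the server (threshold and action from detector 4, alarm from detector 2, subscriber notification from the default) and the all-default result for UDP, which is exactly the outcome the guide describes for a server whose dedicated detector was never configured for UDP.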
Use the following commands to configure and enable attack detection:
[no] attack-filter protocol protocol attack-direction direction
attack-detector (default|number) protocol protocol attack-direction direction side side action action [open-flows number suspected-flows-rate number suspected-flows-ratio number]
attack-detector (default|number) protocol protocol attack-direction direction side side (notify-subscriber|don't-notify-subscriber)
attack-detector (default|number) protocol protocol attack-direction direction side side (alarm|no-alarm)
default attack-detector (default|number) protocol protocol attack-direction direction side side
default attack-detector default
default attack-detector number
default attack-detector (all-numbered|all)
attack-detector number access-list comment
attack-detector number (TCP-dest-ports|UDP-dest-ports) (all|(port1 [port2 ...]))
[no] attack-filter subscriber-notification ports port1
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
11-8
Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks
OL-7827-12
