Sample Attack Detector Configuration - Cisco SCE2020-4XGBE-SM Configuration Manual

Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks

Sample Attack Detector Configuration

The following configuration changes the default user threshold values used for detecting ICMP attacks,
and configures an attack-detector with high thresholds for UDP attacks, preventing false detections of
two DNS servers (10.1.1.10 and 10.1.1.13) as being attacked.
Step 1
From the SCE(config)# prompt, type interface linecard 0 and press Enter.
Enters linecard interface configuration mode.

Step 2
From the SCE(config if)# prompt, type attack-detector default protocol ICMP attack-direction single-side-source action report open-flow-rate 1000 suspected-flows-rate 100 suspected-flows-ratio 10 and press Enter.
Configures the default ICMP threshold and action.

Step 3
From the SCE(config if)# prompt, type attack-detector 1 access-list 3 UDP-ports-list 53 comment "DNS servers" and press Enter.
Enables attack detector #1, assigns ACL #3 to it, and defines the list of UDP destination ports with one port, port 53.

Step 4
From the SCE(config if)# prompt, type attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination action report open-flow-rate 1000000 suspected-flows-rate 1000000 and press Enter.
Defines the thresholds and action for attack detector #1.

Step 5
From the SCE(config if)# prompt, type attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination side subscriber notify-subscriber and press Enter.
Enables subscriber notification for attack detector #1.

Step 6
From the SCE(config if)# prompt, type exit and press Enter.
Exits the linecard interface configuration mode.

Step 7
Configure ACL #3, which has been assigned to the attack detector.
SCE(config)# access-list 3 permit 10.1.1.10
SCE(config)# access-list 3 permit 10.1.1.13

Cisco SCE 2000 and SCE 1000 Software Configuration Guide, OL-7827-12, Configuring Attack Detectors
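
An added example, not part of the Cisco guide: a short Python check over the commands from Steps 2 through 7 that resolves which hosts and UDP ports attack detector #1 covers with its raised thresholds, and flags a detector whose access list is never defined (the ACL is only created in Step 7, after the detector already refers to it). CONFIG is constructed from the steps above, the function names are hypothetical, and the parser handles only the command forms shown on this page.

```python
import re

# Constructed input: the commands from Steps 2-7, one per line.
CONFIG = """\
attack-detector default protocol ICMP attack-direction single-side-source action report open-flow-rate 1000 suspected-flows-rate 100 suspected-flows-ratio 10
attack-detector 1 access-list 3 UDP-ports-list 53 comment "DNS servers"
attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination action report open-flow-rate 1000000 suspected-flows-rate 1000000
attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination side subscriber notify-subscriber
access-list 3 permit 10.1.1.10
access-list 3 permit 10.1.1.13
"""

THRESHOLD = re.compile(r"(open-flow-rate|suspected-flows-rate|suspected-flows-ratio) (\d+)")

def parse(config):
    """Return (detectors, acls) parsed from the command forms used on this page."""
    detectors, acls = {}, {}
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"access-list (\d+) permit (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"attack-detector (\S+) (.+)$", line)
        if not m:
            continue
        name, rest = m.groups()
        det = detectors.setdefault(name, {"acl": None, "udp_ports": [], "thresholds": {}})
        acl = re.match(r"access-list (\d+)", rest)
        if acl:
            det["acl"] = acl.group(1)
        ports = re.search(r"UDP-ports-list ((?:\d+ ?)+)", rest)
        if ports:
            det["udp_ports"] = [int(p) for p in ports.group(1).split()]
        det["thresholds"].update((k, int(v)) for k, v in THRESHOLD.findall(rest))
    return detectors, acls

def audit(config):
    """Describe each non-default detector's scope; flag a missing or undefined ACL."""
    detectors, acls = parse(config)
    report = []
    for name, det in detectors.items():
        if name == "default":
            continue
        hosts = acls.get(det["acl"])
        if hosts is None:
            report.append(f"detector {name}: access-list {det['acl']} is not defined")
        else:
            report.append(f"detector {name}: hosts {hosts} UDP ports {det['udp_ports']} thresholds {det['thresholds']}")
    return report
```

Calling audit(CONFIG) returns one line listing the two DNS servers, port 53 and the 1000000 thresholds, which is the full set of traffic this configuration treats differently from the default detection settings.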
