11-14
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
The following settings are configurable for each attack type in each attack detector. Each setting can
either be in a 'not configured' state (which is the default), or be configured with a specific value.
• action — action:
–
report (default) — Report beginning and end of the attack by writing to the attack-log.
–
block — Block all further flows that are part of this attack, the SCE platform drops the packets.
• Thresholds :
–
open-flows-rate — Default threshold for rate of open flows. suspected-flows-rate — Default
threshold for rate of suspected DDoS flows.
–
suspected-flows-ratio — Default threshold for ratio of suspected flow rate to open flow rate.
• Use the appropriate keyword to enable or disable subscriber notification by default:
–
notify-subscriber — Enable subscriber notification.
–
don't-notify-subscriber — Disable subscriber notification.
• Use the appropriate keyword to enable or disable sending an SNMP trap by default:
–
alarm — Enable sending an SNMP trap.
–
no-alarm — Disable sending an SNMP trap.
How to Enable a Specific Attack Detector and Assign it an ACL
Step 1 From the SCE(config if)# prompt, type attack-detector number access-list (aclnumber |none)
[comment
comment] and press Enter.
Enables the attack detector and assigns it the specified ACL.
How to Define the Action and Optionally the Thresholds for a Specific Attack Detector
Step 1 From the SCE(config if)# prompt, type attack-detector number protocol (((TCP|UDP) [dest-port
(specific|not- specific|both)])|ICMP|other|all) attack-direction
(single-side-source|single-side-destination|single-side-both|dual-sided|all) side
(subscriber|network|both) [action (report|block)] [open-flows-rate
number suspected-flows-rate
rate suspected-flows-ratio ratio] and press Enter.
Defines the action of the specified attack detector
To Next Page
Loading...
