11-29
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Monitoring Attack Filtering
How to display the list of ports selected for subscriber notification
Step 1 From the SCE> prompt, type show interface linecard 0 attack-filter subscriber-notification ports and
press Enter.
How to find out whether hardware attack filtering has been activated
Step 1 From the SCE> prompt, type show interface linecard 0 attack-filter current-attacks and press
Enter.
In the output from this command, look for the "HW-filter" field. If this field is "yes", the user must take
into account the probable inaccuracies in the attack reporting.
Note that this information also appears in the attack log file.
|---------------|-----------|------------|----------|------|------|------
|Source IP -> |Side / |Open rate / |Handled |Action|HW- |force-
| Dest IP|Protocol |Susp. rate | flows / | |filter|filter
| | | |Duration | | |
|---------------|-----------|------------|----------|------|------|------
|10.1.1.1 | Subscriber| 523| 4045|Report|No |No
| *|TCP | 0| 9| | |
|---------------|-----------|------------|----------|------|------|------
The Attack Log
• How to View the Attack Log, page 11-30
• How to Copy the Attack Log to a File, page 11-30
The attack-log contains a message for each specific-IP detection of attack beginning and attack end.
Messages are in CSV format.
The message for detecting attack beginning contains the following data:
• IP address (Pair of addresses, if detected)
• Protocol Port number (If detected)
• Attack-direction (Attack-source or Attack-destination)
• Interface of IP address (subscriber or network)
• Open-flows-rate, suspected-flows-rate and suspected-flows-ratio at the time of attack detection
• Threshold values for the detection
• Action taken
To Next Page
Loading...
