Cisco SCE8000 Configuration Guide

Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
OL-16479-01
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Attack Filtering and Attack Detection
Specific IP filtering for selected attack types is enabled with the following parameters. These parameters control which of the 32 attack types are filtered:
• Protocol — TCP, UDP, ICMP, or Other
• Attack direction — The direction of the attack may be identified by only one IP address or by two IP addresses:
  – single side — The attack is identified by either the source IP address or the destination address only. The filter definition may specify the specific side, or may include any single side attack, regardless of side (both).
  – dual side (TCP and UDP protocols only) — The attack is identified by both the source and destination IP addresses. In other words, when a specific IP attacks a specific IP, this is detected as one incident rather than as two separate incidents.
• Destination port (TCP and UDP protocols only) — Defines whether specific IP detection is enabled or disabled for port-based or port-less detections. Enable port-based detection for TCP/UDP attacks that have a fixed destination port or ports.
The list of destination ports for port-based detection is configured separately. (See Specific Attack Detectors, page 10-12.)
Attack Detection
Specific IP detections are identified with the following parameters:
• Specific IP address (or two IP addresses for dual-sided detections)
• Protocol — TCP, UDP, ICMP or Other
• Port — For TCP/UDP attacks that have a fixed destination port
• Side — Interface (Subscriber/Network) from which attack packets are sent
• Attack-direction — If a single IP address is specified, the IP address is an attack-source or an
attack-destination address.
The system can identify a maximum of 1000 independent, simultaneous attacks.
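The following sketch is an added example, not code from the Cisco guide or the SCE software. It models how the detection parameters listed above form one key per incident, and why dual-sided detection reports one incident where single-sided detection reports two. The flow records, the function names, and the behavior once the 1000-attack limit is reached (new keys are simply not tracked) are assumptions made for illustration.

```python
from collections import namedtuple

MAX_ATTACKS = 1000  # limit stated in the guide

# Constructed flow summary; "side" is the interface the packets arrived on.
Flow = namedtuple("Flow", "src dst proto dport side")

# Constructed sample: one host sending five TCP flows to one target on port 80.
SAMPLE_FLOWS = [Flow("192.0.2.10", "198.51.100.20", "TCP", 80, "subscriber")] * 5

def detection_keys(flow, dual_sided, port_based):
    """Return the detection key(s) that one flow contributes to."""
    # The port is part of the key only for port-based TCP/UDP detection.
    port = flow.dport if port_based and flow.proto in ("TCP", "UDP") else None
    if dual_sided:
        if flow.proto not in ("TCP", "UDP"):
            return []  # dual side applies to TCP and UDP only
        return [((flow.src, flow.dst), flow.proto, port, flow.side, "dual")]
    # Single side: the same flow can count against its source and its destination.
    return [
        ((flow.src,), flow.proto, port, flow.side, "attack-source"),
        ((flow.dst,), flow.proto, port, flow.side, "attack-destination"),
    ]

def group_incidents(flows, dual_sided, port_based, limit=MAX_ATTACKS):
    """Count flows per detection key, tracking at most `limit` keys.

    Assumption: keys seen after the limit is reached are counted as
    untracked; the guide does not say what the SCE does in that case.
    """
    incidents, untracked = {}, 0
    for flow in flows:
        for key in detection_keys(flow, dual_sided, port_based):
            if key not in incidents and len(incidents) >= limit:
                untracked += 1
                continue
            incidents[key] = incidents.get(key, 0) + 1
    return incidents, untracked

if __name__ == "__main__":
    for dual in (False, True):
        found, _ = group_incidents(SAMPLE_FLOWS, dual_sided=dual, port_based=True)
        print("dual-sided" if dual else "single-sided", len(found), "incident(s)")
```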
Once an attack is identified, the system can be instructed to perform any of the following actions:
• Report — By default, the attack beginning and end are always reported.
• Block — The system will block all attack traffic for the duration of the attack. (The traffic is from or to the attack IP address, depending on whether the IP address is an attack-source or attack-destination.)
• Notify — Subscriber notification. When the IP address identified is mapped to a particular subscriber context, the system can be configured to notify the subscriber of the fact that he is under an attack (or a machine in his network is generating such an attack), using HTTP Redirect.
• Alarm — The system will generate an SNMP trap each time an attack starts and stops.
Attack detection and handling are user-configurable. The remainder of this chapter explains how to
configure and monitor attack detection.
