10-8
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
OL-16479-01
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
For each attack type, the set of enabled attack detectors, together with the default attack detector, forms
a database used to determine the threshold and action to take when an attack is detected. When the
platform detects a possible attack, it uses the following algorithm to determine the thresholds for attack
detection.
• Enabled attack detectors are scanned from low to high numbers.
• If the IP address is permitted by the ACL specified by the attack detector, and a threshold is configured for this attack type, then the threshold values specified by this attack detector are used. If not, the scan continues to the next attack detector.
• If no attack detector matches the IP address/protocol combination, then the values of the default attack detector are used.
The same logic is applied when determining the values to use for the remaining settings: action,
subscriber-notification and alarm. The value that is used is the one specified by the lowest-numbered
enabled attack detector that has a configured value for the attack type. If none exists, the configuration
of the default attack detector is used.
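The resolution logic above, modelled as an added example (this is constructed illustration code, not SCE software); the detector numbers, prefixes, attack-type label and setting values are assumed for the sample and the ACL is simplified to a list of permitted prefixes:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AttackDetector:
    """One numbered attack detector (constructed model, not SCE code)."""
    number: int                                    # scan order is low to high
    enabled: bool = True
    acl: list = field(default_factory=list)        # permitted prefixes
    settings: dict = field(default_factory=dict)   # {attack_type: {setting: value}}

    def permits(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in self.acl)

SETTINGS = ("threshold", "action", "notify_subscriber", "alarm")

def resolve(detectors, default, attack_type, ip, setting):
    """First enabled detector (lowest number) whose ACL permits the IP and that
    configures this setting for this attack type wins; otherwise the default."""
    for det in sorted(detectors, key=lambda d: d.number):
        if not det.enabled or not det.permits(ip):
            continue
        value = det.settings.get(attack_type, {}).get(setting)
        if value is not None:
            return value
    return default.settings[attack_type][setting]

def resolve_all(detectors, default, attack_type, ip):
    # Each setting is resolved independently, so the threshold may come from
    # one detector and the action from another.
    return {s: resolve(detectors, default, attack_type, ip, s) for s in SETTINGS}

# Constructed sample configuration; the attack-type label is illustrative.
ATTACK = "tcp/attack-source/subscriber-side"
DEFAULT = AttackDetector(0, acl=["0.0.0.0/0"], settings={ATTACK: dict(
    threshold=1000, action="report", notify_subscriber=False, alarm=False)})
DETECTORS = [
    AttackDetector(1, acl=["10.0.0.0/8"],
                   settings={ATTACK: dict(threshold=200, alarm=True)}),
    AttackDetector(2, acl=["10.1.0.0/16"],
                   settings={ATTACK: dict(threshold=500, action="block")}),
    AttackDetector(3, enabled=False, acl=["0.0.0.0/0"],
                   settings={ATTACK: dict(threshold=1)}),   # disabled: skipped
]

if __name__ == "__main__":
    print(resolve_all(DETECTORS, DEFAULT, ATTACK, "10.1.2.3"))
    print(resolve_all(DETECTORS, DEFAULT, ATTACK, "192.0.2.5"))
```

For 10.1.2.3 the threshold and alarm come from detector 1, the action from detector 2, and subscriber notification from the default detector; an address no enabled detector permits falls through to the default for every setting.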
Use the following commands to configure and enable attack detection:
• [no] attack-filter protocol protocol attack-direction direction
• attack-detector (default| number) protocol protocol attack-direction direction side side action action [open-flows number suspected-flows-rate number suspected-flows-ratio number]
• attack-detector (default| number) protocol protocol attack-direction direction side side (notify-subscriber|don't-notify-subscriber)
• attack-detector (default| number) protocol protocol attack-direction direction side side (alarm|no-alarm)
• default attack-detector (default| number) protocol protocol attack-direction direction side side
• default attack-detector default
• default attack-detector number
• default attack-detector (all-numbered|all)
• attack-detector number access-list comment
• attack-detector number (TCP-dest-ports|UDP-dest-ports) (all|(port1 [port2 …]))
• [no] attack-filter subscriber-notification ports port1
Enabling Specific-IP Detection
• Options, page 10-9
• How to Enable Specific-IP Detection, page 10-9
• How to Enable Specific-IP Detection for the TCP Protocol Only for all Attack Directions, page 10-9
• How to Enable Specific-IP Detection for the TCP Protocol for Port-based Detections Only for Dual-sided Attacks, page 10-9
• How to Disable Specific-IP Detection for Protocols Other than TCP, UDP, and ICMP for all Attack Directions, page 10-10
• How to Disable Specific-IP Detection for ICMP for Single-sided Attacks Defined by the Source IP, page 10-10