10-21
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
OL-16479-01
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Monitoring Attack Filtering
The format of the attack-information string sent when an attack begins is:
• If attack was detected in the traffic:
Attack detected: Attack 'IP-info> from 'side> side, protocol 'protocol>. 'rate1>open
flows per second detected, 'rate2' Ddos-suspected flows per second detected. Action
is: 'action'.
• If attack was declared as a result of a force-filter command:
Attack Filter: Forced 'forced-action' 'IP-info' from 'side' side, protocol 'protocol'.
Attack forced using a force-filter command.
The format of the attack-information string sent when an attack ends is:
• If attack was detected in the traffic:
End-of-attack detected: Attack 'IP-info' from 'side' side, protocol 'protocol'. Action
is: 'action' Duration 'duration' seconds, 'total-flows' 'hw-filter'
• If the end of the attack was declared as a result of a no force-filter command or a new don't-filter
command:
Attack Filter: Forced to end 'action2' 'IP-info' from 'side' side, protocol
'protocol'. Attack end forced using a 'no force-filter' or a 'don't-filter' command.
The format of the reason string sent when an attack begins is:
• If attack end was detected in the traffic:
Detected attack end
• If the end of the attack was declared as a result of a no force-filter command or a new don't-filter
command:
Forced attack end
Following are the possible values that may appear in the fields indicated in the information strings (''):
• 'action'
–
Report
–
Block
• 'forced-action' is one of the following values, depending on the configured force-filter action.
–
block of flows
–
report
• 'IP-info' is in one of the following formats, depending on the direction of the attack, and whether
one or two IP addresses were detected
–
from IP address A.B.C.D
–
on IP address A.B.C.D
–
from IP address A.B.C.D to IP address A.B.C.D
• 'side'
–
subscriber
–
network
To Next Page
Loading...
