Cisco SCE8000

10-28
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
OL-16479-01
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Monitoring Attack Filtering
How to find out whether hardware attack filtering has been activated
Step 1 From the SCE> prompt, type show interface linecard 0 attack-filter current-attacks and press Enter.
In the output from this command, look for the "HW-filter" field. If this field is "yes", the user must take
into account the probable inaccuracies in the attack reporting.
Note This information also appears in the attack log file.
---|---------------|-----------|------------|----------|------|------|------
   |Source IP -----|Side /     |Open rate / |Handled   |Action|HW-   |force-
   |        Dest IP|Protocol   |Susp. rate  | flows /  |      |filter|filter
   |               |           |            |Duration  |      |      |
---|---------------|-----------|------------|----------|------|------|------
   |10.1.1.1       |Subscriber |         523|      4045|Report|No    |No
   |              *|TCP        |           0|         9|      |      |
---|---------------|-----------|------------|----------|------|------|------
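
An added example (not from the Cisco guide): a Python parser for output in the layout shown above, which pairs the two lines of each entry and picks out the entries whose HW-filter field is yes. The function names and the second sample entry are assumptions made for illustration.

```python
import re

# Constructed sample in the layout shown above. The second entry (HW-filter
# "Yes") is invented for illustration and does not come from the manual.
SAMPLE = """\
---|---------------|-----------|------------|----------|------|------|------
   |Source IP -----|Side /     |Open rate / |Handled   |Action|HW-   |force-
   |        Dest IP|Protocol   |Susp. rate  | flows /  |      |filter|filter
   |               |           |            |Duration  |      |      |
---|---------------|-----------|------------|----------|------|------|------
   |10.1.1.1       |Subscriber |         523|      4045|Report|No    |No
   |              *|TCP        |           0|         9|      |      |
   |192.0.2.7      |Network    |        1800|     90211|Block |Yes   |No
   |       10.2.2.2|UDP        |         950|        42|      |      |
---|---------------|-----------|------------|----------|------|------|------
"""

SEPARATOR = re.compile(r"^-+\|[-|]+$")  # rule lines made only of '-' and '|'

def cells(line):
    """Split one table line on '|' and drop the leading index column."""
    return [c.strip() for c in line.split("|")[1:]]

def parse_current_attacks(text):
    """Return one dict per attack entry; each entry spans two output lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    seps = [i for i, l in enumerate(lines) if SEPARATOR.match(l.strip())]
    if len(seps) < 2:
        return []  # no header block found, nothing to parse
    end = seps[2] if len(seps) > 2 else len(lines)
    body = lines[seps[1] + 1:end]  # rows between the 2nd and 3rd rule lines
    entries = []
    for first, second in zip(body[0::2], body[1::2]):
        a, b = cells(first), cells(second)
        entries.append({
            "source_ip": a[0], "dest_ip": b[0],
            "side": a[1], "protocol": b[1],
            "open_rate": int(a[2]), "susp_rate": int(b[2]),
            "handled_flows": int(a[3]), "duration": int(b[3]),
            "action": a[4],
            "hw_filter": a[5].lower() == "yes",
            "force_filter": a[6].lower() == "yes",
        })
    return entries

def hw_filtered(entries):
    """Entries whose attack reporting may be inaccurate (HW-filter is yes)."""
    return [e for e in entries if e["hw_filter"]]
```
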
Viewing the Attack Log
The Attack Log, page 10-28
How to View the Attack Log, page 10-29
How to Copy the Attack Log to a File, page 10-29
The Attack Log
The attack log contains a message for each specific-IP detection of the beginning of an attack and of the end of an attack.
Messages are in CSV format.
The message for detecting attack beginning contains the following data:
IP address (Pair of addresses, if detected)
Protocol Port number (If detected)
Attack-direction (Attack-source or Attack-destination)
Interface of IP address (subscriber or network)
Open-flows-rate, suspected-flows-rate and suspected-flows-ratio at the time of attack detection
Threshold values for the detection
Action taken
The message for detecting attack end contains the following data:
IP address (Pair of addresses, if detected)
Protocol Port number (If detected)
Attack-direction (Attack-source or Attack-destination)
Interface of IP address
Number of attack flows reported/blocked