Attack Handling - Cisco SCE 8000 10GBE Software Configuration Manual

Chapter 12
Identifying and Preventing Distributed Denial-of-Service Attacks
In general, for a given protocol, the suspected flows rate threshold should be lower for a port-based detection than for a port-less detection. This is because flows with a given IP address and a common destination port are metered twice:

By themselves—To detect a port-based attack
Together with flows with the same IP address and different destination ports—To detect a port-less attack

If a port-based attack occurs, and the rate of flows is above both thresholds (the port-based threshold and the port-less threshold), it is desirable for the port-based attack to be detected before the port-less attack. Similarly, this threshold should be lower for dual-IP detections than for single-IP detections.

The user may define values for these thresholds that override the preset defaults. It is also possible to configure specific thresholds for certain IP addresses and ports (using access lists and port lists). This enables the user to set different detection criteria for different types of network entities, such as a server farm, DNS server, or large enterprise customer.

Attack Handling

Attack handling can be configured as follows:
Configuring the action:

Report—Attack packets are processed as usual, and the occurrence of the attack is reported.
Block—Attack packets are dropped by the Cisco SCE platform, and therefore do not reach their destination.

Regardless of which action is configured, two reports are generated for every attack: one when the start of an attack is detected, and one when the end of an attack is detected.

Configuring subscriber-notification (notify):

Enabled—If the subscriber IP address is detected to be attacked or attacking, the subscriber is notified about the attack.
Disabled—The subscriber is not notified about the attack.

Configuring sending an SNMP trap (alarm):

Enabled—An SNMP trap is sent when an attack begins and when it ends. The SNMP trap contains the following information fields:

A specific IP address or
Protocol (TCP, UDP, ICMP or Other)
Interface (User/Network) behind which the detected IP address is found. This is referred to below as the attack 'side'.
Attack direction (whether the IP address is the attack source or the attack destination).
Type of threshold breached (open-flows / ddos-suspected-flows) ['attack-start' traps only]
Threshold value breached ['attack-start' traps only]
Action taken (report, block), indicating the action taken by the Cisco SCE platform in response to the detection
Number of attack flows blocked/reported, giving the total number of flows detected during the attack ['attack-stop' traps only]

Disabled—No SNMP trap is sent.
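The following simulation is an added example, not code from Cisco or from the SCE platform. It models the two passages above in one place: flows are metered twice (per IP and destination port for the port-based detector, per IP alone for the port-less detector) against a constructed ddos-suspected-flows rate threshold, with the port-based threshold lower so that a single-port flood is detected there first; and every detected attack produces an attack-start and an attack-stop report carrying the trap fields listed above (IP, protocol, side, direction, threshold type and value, action, total flows). Only single-IP detection of an attacked destination is modelled, the "User" side, the threshold values, the addresses and the traffic are all constructed, and the `report`/`block`/`notify`/`alarm` settings are the example's own parameters, not the device's CLI syntax.

```python
"""Simulation of SCE-style DDoS threshold detection and attack reports.
Added example; thresholds, addresses and traffic are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    protocol: str   # TCP, UDP, ICMP or Other
    dst_port: int


@dataclass
class Report:
    event: str            # 'attack-start' or 'attack-stop'
    ip: str
    protocol: str
    side: str             # interface behind which the IP is found (User/Network)
    direction: str        # 'destination': the IP is the attack destination here
    detection: str        # 'port-based' or 'port-less' (example's own field)
    threshold_type: str   # 'ddos-suspected-flows', attack-start only
    threshold_value: int  # attack-start only
    action: str           # 'report' or 'block'
    flows: int            # total attack flows, attack-stop only


class DdosDetector:
    def __init__(self, port_based, port_less, action="report",
                 notify=False, alarm=False, side="User"):
        if port_based >= port_less:
            raise ValueError("port-based threshold must be lower than port-less")
        self.port_based, self.port_less = port_based, port_less
        self.action, self.notify, self.alarm, self.side = action, notify, alarm, side
        self.active: Dict[Tuple, int] = {}   # detection key -> attack flows so far
        self.reports: List[Report] = []      # always generated, whatever the action
        self.traps: List[Report] = []        # only when alarm is enabled
        self.notifications: List[str] = []   # only when notify is enabled

    def process_interval(self, flows):
        """Meter one second of new flows; return those the platform forwards."""
        # Each flow is counted twice: by itself (IP+port) and with the other
        # destination ports of the same IP (port-less).
        counts = Counter(("port-based", f.dst_ip, f.protocol, f.dst_port) for f in flows)
        counts.update(Counter(("port-less", f.dst_ip, f.protocol) for f in flows))
        for key in list(self.active):     # an active attack with no flows has ended
            counts.setdefault(key, 0)
        # Port-based keys first: their lower threshold is what makes a
        # single-port flood trip port-based detection before port-less.
        for key in sorted(counts, key=lambda k: k[0] != "port-based"):
            self._update(key, counts[key])
        if self.action != "block":        # report: packets are processed as usual
            return list(flows)
        return [f for f in flows if not self._under_attack(f)]

    def _update(self, key, n):
        threshold = self.port_based if key[0] == "port-based" else self.port_less
        if key not in self.active and n > threshold:
            self.active[key] = n
            self._emit("attack-start", key, threshold, 0)
        elif key in self.active and n > threshold:
            self.active[key] += n
        elif key in self.active:
            self._emit("attack-stop", key, threshold, self.active.pop(key))

    def _emit(self, event, key, threshold, total):
        start = event == "attack-start"
        r = Report(event, key[1], key[2], self.side, "destination", key[0],
                   "ddos-suspected-flows" if start else "", threshold if start else 0,
                   self.action, 0 if start else total)
        self.reports.append(r)
        if self.alarm:
            self.traps.append(r)
        if self.notify:
            self.notifications.append(f"{r.ip}: {event}")

    def _under_attack(self, f):
        return (("port-based", f.dst_ip, f.protocol, f.dst_port) in self.active
                or ("port-less", f.dst_ip, f.protocol) in self.active)


def run_demo():
    victim = "203.0.113.10"   # constructed address (TEST-NET-3)
    det = DdosDetector(port_based=100, port_less=200, action="block",
                       notify=True, alarm=True)
    single_port = [Flow(victim, "TCP", 80)] * 150                  # 150 flows/s, one port
    spread = [Flow(victim, "UDP", 10000 + i) for i in range(250)]  # 1 flow/s per port
    forwarded = [len(det.process_interval(t)) for t in (
        single_port,                     # 150 > 100 on TCP/80: port-based attack-start
        single_port,                     # attack continues, flows blocked and counted
        [Flow(victim, "TCP", 80)] * 5,   # back under threshold: attack-stop
        spread,                          # no port > 100, but IP 250 > 200: port-less start
        [],                              # silence: attack-stop
    )]
    report_only = DdosDetector(port_based=100, port_less=200, action="report")
    return {
        "reports": det.reports,
        "traps": len(det.traps),
        "notifications": len(det.notifications),
        "forwarded": forwarded,
        "report_mode_forwarded": len(report_only.process_interval(single_port)),
    }
```

Running `run_demo()` shows the ordering the text asks for: the 150 flows/s flood to one port trips only the port-based detector (its port-less count of 150 stays under 200), while the same address receiving 250 flows/s spread over 250 ports trips only the port-less detector. In `block` mode every flow belonging to an active attack is dropped; in `report` mode all 150 are forwarded, but both modes still produce the attack-start and attack-stop reports.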
Attack Filtering and Attack Detection
Cisco SCE 8000 10GBE Software Configuration Guide, OL-30621-02
12-5
