Configuring Attack Detectors - Cisco SCE 8000 10GBE Software Configuration Manual


Configuring Attack Detectors

The Cisco attack detection mechanism is controlled by defining and configuring special entities called Attack Detectors.

Enabling Specific-IP Detection, page 12-10
Configuring the Default Attack Detector, page 12-11
Specific Attack Detectors, page 12-14
Sample Attack Detector Configuration, page 12-18

There is one attack detector called 'default', which is always enabled, and 99 attack detectors (numbered 1-99), which are disabled by default. Each detector (both the default and detectors 1-99) can be configured with a separate action and threshold values for all 32 possible attack types.

When detectors 1-99 are disabled, the default attack detector configuration determines the thresholds used for detecting an attack, and the action taken by the Cisco SCE platform when an attack is detected. For each attack type, a different set of thresholds and a different action can be set. In addition, subscriber notification and SNMP traps (alarms) can be enabled or disabled at the same granularity.

The default attack detector should be configured with values that reflect the desired Cisco SCE platform behavior for the majority of the traffic flows passing through it. However, it is not feasible to use the same set of values for all the traffic that traverses the Cisco SCE platform, since there might be some network entities whose normal traffic has characteristics that would be considered an attack if they came from most other network elements. Here are two common examples:

A DNS server is expected to be the target of many short DNS queries. These queries are typically UDP flows, each flow consisting of two packets: the request and the response. Normally, the Cisco SCE platform considers all UDP flows that are opened to the DNS server as DDoS-suspected flows, since these flows include fewer than 3 packets. A DNS server might serve hundreds of DNS requests per second at peak times, so the system should be configured with a suitable threshold for DDoS-suspected flows for protocol = UDP and direction = attack-destination. A threshold value of 1000 flows/second would probably be suitable for the DNS server. However, this threshold would be unsuitable for almost all other network elements, since, for them, being the destination of such a large rate of UDP flows would be considered an attack. Therefore, setting a threshold of 1000 for all traffic is not a good solution.

The subscriber side of the Cisco SCE platform might contain many residential subscribers, each having several computers connected through an Internet connection, and each computer having a different IP address. In addition, there might be a few business subscribers, each using a NAT that hides hundreds of computers behind a single IP address. Clearly, the traffic seen for an IP address of a business subscriber contains significantly more flows than the traffic of an IP address belonging to a residential subscriber. The same threshold cannot be adequate in both cases.

To let the Cisco SCE platform treat such special cases differently, the user can configure non-default attack detectors in the range of 1-99. Like the default attack detector, non-default attack detectors can be configured with different sets of action and threshold values for every attack type. However, to be effective, a non-default attack detector must be enabled and must be assigned an ACL (access control list). The action and thresholds configured for such an attack detector are effective only for IP addresses permitted by the ACL. Non-default attack detectors can be assigned a label describing their purpose, such as 'DNS servers' or 'Server farm'.

Non-default attack detectors are effective only for attack types that have been specifically configured. This eliminates the need to duplicate the default attack detector configuration into the configuration of non-default attack detectors, and is best illustrated with an example: Suppose an HTTP server on the subscriber side of the Cisco SCE platform is getting many requests, which requires the use of a non-default attack detector for configuring high threshold values for incoming TCP flow rates. Assume

Cisco SCE 8000 10GBE Software Configuration Guide, Chapter 12, Identifying and Preventing Distributed Denial-of-Service Attacks, page 12-8, OL-30621-02
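The selection rules described above (a default detector that always applies, non-default detectors that apply only when enabled, assigned an ACL that permits the IP, and explicitly configured for the attack type in question) can be modelled to check that a planned configuration behaves as intended before it is applied. The following Python model is an added example, not Cisco code and not the SCE CLI; the detector numbering convention, the action names, the default thresholds, the ACL, and the rule that the lowest-numbered matching non-default detector wins are all assumptions made for the illustration. The 1000 flows/second DNS threshold and the UDP attack-destination attack type are taken from the text.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the attack-detector selection rules; not Cisco code.
# An attack type is identified here by (protocol, direction),
# e.g. ("udp", "attack-destination"), following the wording of the text.


@dataclass
class Rule:
    threshold: int   # flows/second at or above which traffic counts as an attack (">=" is assumed)
    action: str      # constructed action names; the real action set is not on this page


@dataclass
class AttackDetector:
    name: str
    number: int                                # 0 = default (constructed convention), 1-99 = non-default
    enabled: bool = False
    acl: list = field(default_factory=list)    # permitted networks; empty means no ACL assigned
    rules: dict = field(default_factory=dict)  # (protocol, direction) -> Rule

    def is_effective_for(self, ip, attack_key):
        """A non-default detector governs ip only if it is enabled, has an ACL that
        permits ip, and has been explicitly configured for this attack type."""
        if not self.enabled or not self.acl or attack_key not in self.rules:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl)


def resolve_rule(default_det, detectors, ip, attack_key):
    """Pick the rule governing ip for attack_key. Assumption: the lowest-numbered
    effective non-default detector wins; otherwise the always-enabled default applies."""
    for det in sorted(detectors, key=lambda d: d.number):
        if det.is_effective_for(ip, attack_key):
            return det.rules[attack_key], det.name
    return default_det.rules[attack_key], default_det.name


def evaluate(default_det, detectors, ip, attack_key, observed_flows_per_sec):
    """Report which detector applied, its threshold, and whether the observed rate is an attack."""
    rule, source = resolve_rule(default_det, detectors, ip, attack_key)
    attack = observed_flows_per_sec >= rule.threshold
    return {
        "detector": source,
        "threshold": rule.threshold,
        "attack": attack,
        "action": rule.action if attack else None,
    }


def build_sample_config():
    """Constructed configuration mirroring the DNS-server example in the text."""
    default = AttackDetector(name="default", number=0, enabled=True, rules={
        ("udp", "attack-destination"): Rule(threshold=100, action="report"),  # constructed value
        ("tcp", "attack-destination"): Rule(threshold=200, action="block"),   # constructed value
    })
    dns_servers = AttackDetector(
        name="DNS servers", number=1, enabled=True,
        acl=[ipaddress.ip_network("10.0.0.0/24")],  # constructed ACL for the DNS server subnet
        rules={("udp", "attack-destination"): Rule(threshold=1000, action="report")},  # from text
    )
    return default, [dns_servers]


if __name__ == "__main__":
    default, others = build_sample_config()
    cases = [
        ("10.0.0.53", ("udp", "attack-destination"), 600),   # DNS server: detector 1 applies
        ("192.0.2.10", ("udp", "attack-destination"), 600),  # not in ACL: default applies
        ("10.0.0.53", ("tcp", "attack-destination"), 600),   # type not configured on detector 1
    ]
    for ip, key, rate in cases:
        print(ip, key, rate, evaluate(default, others, ip, key, rate))
```

Running the model shows the three behaviours the text describes: the DNS server at 600 UDP flows/second is judged against the 1000 threshold of detector 1, an address outside the ACL at the same rate is judged against the default, and a TCP attack-destination event on the DNS server falls back to the default because detector 1 never configured that attack type. Disabling detector 1 (or removing its ACL) makes the DNS server fall back to the default for every attack type.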
