Configuring Attack Detectors
The following settings are configurable for each attack type in each attack detector. Each setting can
either be in a 'not configured' state (which is the default), or be configured with a specific value.
•
•
•
•
How to Enable a Specific Attack Detector and Assign it an ACL
From the SCE(config if)# prompt, type attack-detector number access-list (aclnumber |none)
Step 1
[comment comment] and press Enter.
Enables the attack detector and assigns it the specified ACL.
How to Define the Action and Optionally the Thresholds for a Specific Attack Detector
From the SCE(config if)# prompt, type attack-detector number protocol (((TCP|UDP) [dest-port
Step 1
(specific|not- specific|both)])|ICMP|other|all) attack-direction
(single-side-source|single-side-destination|single-side-both|dual-sided|all) side
(subscriber|network|both) [action (report|block)] [open-flows-rate number suspected-flows-rate
rate suspected-flows-ratio ratio
Defines the action of the specified attack detector
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
11-14
action — action:
report (default) — Report beginning and end of the attack by writing to the attack-log.
–
block — Block all further flows that are part of this attack, the SCE platform drops the packets.
–
Thresholds :
open-flows-rate — Default threshold for rate of open flows. suspected-flows-rate — Default
–
threshold for rate of suspected DDoS flows.
suspected-flows-ratio — Default threshold for ratio of suspected flow rate to open flow rate.
–
Use the appropriate keyword to enable or disable subscriber notification by default:
notify-subscriber — Enable subscriber notification.
–
don't-notify-subscriber — Disable subscriber notification.
–
Use the appropriate keyword to enable or disable sending an SNMP trap by default:
alarm — Enable sending an SNMP trap.
–
no-alarm — Disable sending an SNMP trap.
–
Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks
and press Enter.
]
OL-7827-12