Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks
How to display the list of ports selected for subscriber notification
From the SCE> prompt, type show interface linecard 0 attack-filter subscriber-notification ports and
Step 1
press Enter.
How to find out whether hardware attack filtering has been activated
From the SCE> prompt, type
Step 1
Enter.
In the output from this command, look for the "HW-filter" field. If this field is "yes", the user must take
into account the probable inaccuracies in the attack reporting.
Note that this information also appears in the attack log file.
|---------------|-----------|------------|----------|------|------|------
|Source IP ->
|
|
|---------------|-----------|------------|----------|------|------|------
|10.1.1.1
|
|---------------|-----------|------------|----------|------|------|------
The Attack Log
•
•
The attack-log contains a message for each specific-IP detection of attack beginning and attack end.
Messages are in CSV format.
The message for detecting attack beginning contains the following data:
•
•
•
•
•
•
•
OL-7827-12
show interface linecard 0 attack-filter current-attacks
|Side /
Dest IP|Protocol
|
| Subscriber|
*|TCP
How to View the Attack Log, page 11-30
How to Copy the Attack Log to a File, page 11-30
IP address (Pair of addresses, if detected)
Protocol Port number (If detected)
Attack-direction (Attack-source or Attack-destination)
Interface of IP address (subscriber or network)
Open-flows-rate, suspected-flows-rate and suspected-flows-ratio at the time of attack detection
Threshold values for the detection
Action taken
|Open rate / |Handled
|Susp. rate
|
flows / |
|
|Duration
523|
4045|Report|No
|
0|
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
Monitoring Attack Filtering
|Action|HW-
|force-
|filter|filter
|
|
|
|No
9|
|
|
and press
11-29