Specific Attack Filtering; C H A P T E R 10 Identifying And Preventing Distributed-Denial-Of-Service Attacks - Cisco SCE8000 Configuration Manual

Attack Filtering and Attack Detection
There are 32 different attack types:
•
•
•
•
•
•
•
•
•

Specific Attack Filtering

When the specific IP attack filter is enabled for a certain attack type, two rates are measured per defined
entity:
•
•
Separate rate meters are maintained both for each IP address separately (single side) and for IP address
pairs (the source and destination of a given flow), so when a specific IP is attacking a specific IP, this
pair of IP addresses defines a single incident (dual-sided).
Based on these two metrics, a specific-IP attack is declared if either of the following conditions is
present:
•
•
When the rates stop satisfying this criterion, the end of that attack is declared.
Specific attack filtering is configured in two steps:
Note
•
•
In addition, the user can manually override the configured attack detectors to either force or prevent
attack filtering in a particular situation.
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
10-2
1 — TCP flows from a specific IP address on the subscriber side, regardless of destination port
2 — TCP flows to a specific IP address on the subscriber side, regardless of destination port
3-4 — Same as 1 and 2, but for the opposite direction (subscriber network)
5 — TCP flows from a specific IP address on the subscriber side to a specific IP address on the
network side
6 — Same as 5, but for the opposite direction (from the network side to the subscriber side)
7-12 — Same as 1-6 but with a specific destination port common to all flows of the attack (1-6 are
port-less attack types, 7-12 are port-based attack types)
13-24 — Same as 1-12 but for UDP instead of TCP
25-28 — Same as 1-4 but for ICMP instead of TCP
29-32 — Same as 1-4 but for Other protocols instead of TCP
Rate of new flows
Rate of suspected flows (In general, suspected flows are flows for which the SCOS did not see
proper establishment (TCP) or saw only a single packet (all other protocols)).
The new flows rate exceeds a certain threshold
The suspected flows rate exceeds a configured threshold and the ratio of suspected flows rate to total
new flow rate exceeds a configured threshold.
Enabling specific IP filtering for the particular attack type.
Configuring an attack detector for the relevant attack type. Each attack detector specifies the
thresholds that define an attack and the action to be taken when an attack is detected.
In addition to specific attack detectors, a default detector exists that can be configured with
user-defined thresholds and action, or system defaults may be retained.
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
OL-16479-01