Attack Detection Thresholds; Attack Handling - Cisco SCE8000 Configuration Manual

Attack Filtering and Attack Detection

Attack Detection Thresholds

There are three thresholds that are used to define an attack. These thresholds are based on meters that are maintained by the SCE platform for each IP address or pair of addresses, protocol, interface and attack-direction:

- open flow rate — A flow for which some traffic was seen. Any packet seen for a new flow is enough to declare this flow an open flow. The rate is measured in new flows per second.
- suspected flow rate — A suspected flow is one that was opened, but did not become an established flow. The rate is measured in new flows per second.
- suspected flow ratio — The ratio of the suspected flow rate to the open flow rate.

As explained above, a specific-IP attack is declared if either of the following conditions is present:

- The open flows rate exceeds the threshold.
- The suspected flows rate exceeds the threshold and the suspected flows ratio exceeds the threshold.

The values for each attack type will have a separate configured default value.

In general, for a given protocol, the suspected flows rate threshold should be lower for a port-based detection than for a port-less detection. This is because flows with a given IP address and a common destination port are metered twice:

- By themselves — to detect a port-based attack
- Together with flows with the same IP address and different destination ports — to detect a port-less attack

If a port-based attack occurs, and the rate of flows is above both thresholds (the port-based thresholds and the port-less thresholds), it is desirable for the port-based attack to be detected before the port-less attack. Similarly, this threshold should be lower for dual-IP detections than for single-IP detections.

The user may define values for these thresholds that override the preset defaults. It is also possible to configure specific thresholds for certain IP addresses and ports (using access lists and port lists). This enables the user to set different detection criteria for different types of network entities, such as a server farm, DNS server, or large enterprise customer.

Attack Handling

Attack handling can be configured as follows:

- Configuring the action:
  - Report — Attack packets are processed as usual, and the occurrence of the attack is reported.
  - Block — Attack packets are dropped by the SCE platform, and therefore do not reach their destination.
  Regardless of which action is configured, two reports are generated for every attack: one when the start of an attack is detected, and one when the end of an attack is detected.
- Configuring subscriber-notification (notify):
  - Enabled — If the subscriber IP address is detected to be attacked or attacking, the subscriber is notified about the attack.
  - Disabled — The subscriber is not notified about the attack.

Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S, OL-16479-01
Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks, page 10-4
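The following is an added example, not code from the Cisco guide or the SCE platform: it models the two detection conditions above (open flow rate, or suspected flow rate together with suspected flow ratio) and the double metering of a flow under its (IP, port) key and under the IP alone, for single-IP detection only. The threshold values and the traffic sample are constructed for illustration and are not Cisco defaults.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    open_rate: float        # open flows per second
    suspected_rate: float   # suspected flows per second
    suspected_ratio: float  # suspected flow rate / open flow rate


def attack_declared(open_flows, suspected_flows, seconds, t):
    """Either condition declares the attack: open rate over threshold,
    or suspected rate AND suspected ratio both over threshold."""
    open_rate = open_flows / seconds
    suspected_rate = suspected_flows / seconds
    ratio = suspected_rate / open_rate if open_rate else 0.0
    if open_rate > t.open_rate:
        return True
    return suspected_rate > t.suspected_rate and ratio > t.suspected_ratio


def evaluate(flows, seconds, port_based, port_less):
    """flows: iterable of (src_ip, dst_port, established).
    Each flow is metered twice: under (ip, port) for port-based
    detection and under (ip, None) for port-less detection."""
    opened, suspected = Counter(), Counter()
    for ip, port, established in flows:
        for key in ((ip, port), (ip, None)):
            opened[key] += 1
            if not established:
                suspected[key] += 1
    result = {}
    for key, n_open in opened.items():
        t = port_less if key[1] is None else port_based
        result[key] = attack_declared(n_open, suspected[key], seconds, t)
    return result


# Constructed thresholds: port-based lower than port-less, as the text advises.
PORT_BASED = Thresholds(open_rate=200, suspected_rate=50, suspected_ratio=0.5)
PORT_LESS = Thresholds(open_rate=300, suspected_rate=120, suspected_ratio=0.5)


def sample_flows():
    """Constructed one-second sample: 100 flows to port 80 (95 never
    established) plus 20 flows to assorted ports (5 never established)."""
    burst = [("10.0.0.5", 80, i < 5) for i in range(100)]
    other = [("10.0.0.5", 8000 + i, i < 15) for i in range(20)]
    return burst + other


if __name__ == "__main__":
    hits = evaluate(sample_flows(), 1.0, PORT_BASED, PORT_LESS)
    print("port-based attack on port 80:", hits[("10.0.0.5", 80)])  # True
    print("port-less attack:", hits[("10.0.0.5", None)])            # False
```

With the lower port-based threshold, the burst on port 80 is declared an attack while the port-less meter for the same IP, which sees the same flows plus the others, stays below its threshold, which is the ordering the text asks for.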
