Enabling Specific-IP Detection - Cisco SCE8000 Configuration Manual

Chapter 10: Identifying and Preventing Distributed-Denial-Of-Service Attacks
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S (OL-16479-01), page 10-8

Configuring Attack Detectors

For each attack type (protocol, attack direction and side), the set of enabled attack detectors, together with the default attack detector, forms a database used to determine the thresholds and the action to take when an attack is detected. When the platform detects a possible attack, it uses the following algorithm to determine the thresholds for attack detection:

Enabled attack detectors are scanned from low to high numbers.
If the IP address is permitted by the ACL specified by the attack detector, and a threshold is configured for this attack type, then the threshold values specified by this attack detector are used.
If not, the scan continues to the next attack detector.
If no attack detector matches the IP address/protocol combination, then the values of the default attack detector are used.

The same logic is applied when determining the values to use for the remaining settings: action, subscriber-notification and alarm. The value that is used is the one specified by the lowest-numbered enabled attack detector whose ACL permits the IP address and that has a configured value for the attack type. If none exists, the configuration of the default attack detector is used. Because each setting is resolved separately, a lower-numbered attack detector that permits the IP address but has no value configured for a setting does not shadow a higher-numbered one for that setting, so the thresholds, action, notification and alarm applied to one attack can come from different attack detectors.

Use the following commands to configure and enable attack detection:

[no] attack-filter protocol protocol attack-direction direction
attack-detector (default|number) protocol protocol attack-direction direction side side action action [open-flows number suspected-flows-rate number suspected-flows-ratio number]
attack-detector (default|number) protocol protocol attack-direction direction side side (notify-subscriber|don't-notify-subscriber)
attack-detector (default|number) protocol protocol attack-direction direction side side (alarm|no-alarm)
default attack-detector (default|number) protocol protocol attack-direction direction side side
default attack-detector default
default attack-detector number
default attack-detector (all-numbered|all)
attack-detector number access-list comment
attack-detector number (TCP-dest-ports|UDP-dest-ports) (all|(port1 [port2 ...]))
[no] attack-filter subscriber-notification ports port1

Enabling Specific-IP Detection

Options, page 10-9
How to Enable Specific-IP Detection, page 10-9
How to Enable Specific-IP Detection for the TCP Protocol Only for all Attack Directions, page 10-9
How to Enable Specific-IP Detection for the TCP Protocol for Port-based Detections Only for Dual-sided Attacks, page 10-9
How to Disable Specific-IP Detection for Protocols Other than TCP, UDP, and ICMP for all Attack Directions, page 10-10
How to Disable Specific-IP Detection for ICMP for Single-sided Attacks Defined by the Source IP, page 10-10
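The attack-detector lookup described under Configuring Attack Detectors, as an added example (this is not Cisco code and not the SCE's implementation): a Python model that parses the attack-detector command forms listed above into a small database and then resolves the thresholds, action, subscriber notification and alarm for one attack type, setting by setting, the way the guide describes. The ACL numbers, the keyword values (attack-source, subscriber, block, report), the sample configuration and the rule that a numbered detector counts as enabled once an access-list has been assigned to it are all assumptions of the model, not taken from the guide.

```python
"""Model of the SCE8000 attack-detector lookup (added example, not Cisco code).

Enabled numbered detectors are scanned from low to high; the first one whose
ACL permits the IP and that has the setting configured for this attack type
wins, otherwise the default detector is used.  Each setting is resolved alone.
"""
import ipaddress

# Constructed access-lists (hypothetical numbers): ACL -> permitted prefixes.
ACLS = {
    10: ["10.0.0.0/8"],
    20: ["10.0.0.0/8", "192.0.2.0/24"],
}
THRESHOLD_KEYS = ("open-flows", "suspected-flows-rate", "suspected-flows-ratio")


class AttackDetector:
    def __init__(self, ident):
        self.ident = ident      # "default" or the detector number
        self.acl = None         # set by "attack-detector N access-list ACL"
        self.comment = ""
        self.config = {}        # (protocol, direction, side) -> {setting: value}

    @property
    def enabled(self):
        # Model assumption: a numbered detector is enabled once an access-list
        # is assigned to it; the default detector is always enabled.
        return self.ident == "default" or self.acl is not None

    def permits(self, ip):
        """True if this detector's ACL permits ip (the default has no ACL)."""
        if self.ident == "default":
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in ACLS[self.acl])


def parse_config(lines):
    """Build the detector database from 'attack-detector ...' command lines."""
    detectors = {}
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "attack-detector":
            continue
        ident = "default" if tok[1] == "default" else int(tok[1])
        det = detectors.setdefault(ident, AttackDetector(ident))
        if tok[2] == "access-list":
            det.acl = int(tok[3])
            if len(tok) > 4 and tok[4] == "comment":
                det.comment = line.split("comment", 1)[1].strip().strip('"')
            continue
        if tok[2] != "protocol":
            continue                        # TCP-dest-ports etc. not modelled
        key = (tok[3], tok[5], tok[7])      # protocol, attack-direction, side
        entry = det.config.setdefault(key, {})
        rest = tok[8:]
        if rest[0] == "action":             # action with optional thresholds
            entry["action"] = rest[1]
            kv = dict(zip(rest[2::2], rest[3::2]))
            if all(k in kv for k in THRESHOLD_KEYS):
                entry["thresholds"] = {k: int(kv[k]) for k in THRESHOLD_KEYS}
        elif rest[0] in ("notify-subscriber", "don't-notify-subscriber"):
            entry["notify"] = rest[0] == "notify-subscriber"
        elif rest[0] in ("alarm", "no-alarm"):
            entry["alarm"] = rest[0] == "alarm"
    return detectors


def resolve(detectors, ip, protocol, direction, side):
    """Return {setting: (value, source detector)} for one attack type and IP."""
    key = (protocol, direction, side)
    numbered = sorted(n for n in detectors if n != "default")
    result = {}
    for setting in ("thresholds", "action", "notify", "alarm"):
        chosen = None
        for n in numbered:                  # scan from low to high numbers
            det = detectors[n]
            if det.enabled and det.permits(ip) and setting in det.config.get(key, {}):
                chosen = (det.config[key][setting], n)
                break                       # first match wins for this setting
        if chosen is None:                  # nothing matched: default detector
            chosen = (detectors["default"].config.get(key, {}).get(setting), "default")
        result[setting] = chosen
    return result


# Constructed sample configuration; keyword values are assumed for illustration.
SAMPLE_CONFIG = """
attack-detector default protocol TCP attack-direction attack-source side subscriber action report open-flows 5000 suspected-flows-rate 200 suspected-flows-ratio 50
attack-detector default protocol TCP attack-direction attack-source side subscriber don't-notify-subscriber
attack-detector default protocol TCP attack-direction attack-source side subscriber no-alarm
attack-detector 1 access-list 10 comment "lab hosts"
attack-detector 1 protocol TCP attack-direction attack-source side subscriber action block open-flows 1000 suspected-flows-rate 50 suspected-flows-ratio 10
attack-detector 1 protocol TCP attack-direction attack-source side subscriber notify-subscriber
attack-detector 2 access-list 20
attack-detector 2 protocol TCP attack-direction attack-source side subscriber alarm
attack-detector 3 protocol TCP attack-direction attack-source side subscriber action block
""".strip().splitlines()

DETECTORS = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip in ("10.1.1.1", "192.0.2.7", "203.0.113.5"):
        print(ip, resolve(DETECTORS, ip, "TCP", "attack-source", "subscriber"))
```

Running it shows three cases worth keeping in mind when you write detectors: a host permitted by detector 1's ACL takes thresholds, action and notification from detector 1 but its alarm setting from detector 2, because detector 1 configures no alarm for that attack type; a host matched only by detector 2 gets everything except the alarm from the default detector; and detector 3, which has an action configured but no access-list, is never consulted at all.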
