Cisco SCE8000 Configuration Manual page 201

Chapter 10
Identifying and Preventing Distributed-Denial-Of-Service Attacks
Options
A specific attack detector may be configured for each possible combination of protocol, attack direction, and side. The SCE platform supports a maximum of 100 attack detectors. Each attack detector is identified by a number (1-100). Each detector can be either disabled (default) or enabled. An enabled attack detector must be configured with the following parameters:

• access-list — The number of the Access-Control List (ACL) associated with the specified attack detector. The ACL identifies the IP addresses selected by this detector. (See Access Control Lists.) For dual-ip detections, the destination IP address is used for matching with the ACL.
  Use the "none" keyword to indicate that all IP addresses are permitted by this attack-detector. This option is useful when using the command to define a port list, and the desired configuration should be set for all IP addresses.
• comment — For documentation purposes.
• TCP-port-list/UDP-port-list — Destination port list for the specified protocol. TCP and UDP protocols may be configured for specified ports only. This is the list of specified destination ports per protocol. Up to 15 different TCP port numbers and 15 different UDP port numbers can be specified.
  Configuring a TCP/UDP port list for a given attack detector affects only attack types that have the same protocol (TCP/UDP) and are port-based (i.e. detect a specific destination port). Settings for other attack types are not affected by the configured port list(s).

In addition, an enabled attack detector may contain the following settings. These settings are configurable for each attack type in each attack detector. Each setting can either be in a 'not configured' state (which is the default), or be configured with a specific value.

• action — The action taken when an attack is detected:
  – report (default) — Report the beginning and end of the attack by writing to the attack-log.
  – block — Block all further flows that are part of this attack; the SCE platform drops the packets.
• Thresholds:
  – open-flows-rate — Default threshold for the rate of open flows.
  – suspected-flows-rate — Default threshold for the rate of suspected DDoS flows.
  – suspected-flows-ratio — Default threshold for the ratio of suspected flow rate to open flow rate.
• Use the appropriate keyword to enable or disable subscriber notification by default:
  – notify-subscriber — Enable subscriber notification.
  – don't-notify-subscriber — Disable subscriber notification.
• Use the appropriate keyword to enable or disable sending an SNMP trap by default:
  – alarm — Enable sending an SNMP trap.
  – no-alarm — Disable sending an SNMP trap.

Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
OL-16479-01
Configuring Attack Detectors
10-13
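How the 'not configured' settings above resolve against the default detector, and how an ACL and port list scope a detector to traffic, as a constructed Python model added here (not Cisco's code, and not the SCE platform's internal logic; the direction and side labels, the ACL represented as CIDR networks, and the default-detector threshold values are assumptions):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Settings:  # per-attack-type settings; None means 'not configured' (the default)
    action: Optional[str] = None               # "report" or "block"
    open_flows_rate: Optional[int] = None
    suspected_flows_rate: Optional[int] = None
    suspected_flows_ratio: Optional[int] = None
    notify_subscriber: Optional[bool] = None   # notify-subscriber / don't-notify-subscriber
    alarm: Optional[bool] = None               # alarm / no-alarm

# Assumed values for the default attack detector (illustrative, not taken from the guide)
DEFAULT_SETTINGS = Settings("report", 1000, 500, 50, False, False)

def effective(specific: Settings, default: Settings = DEFAULT_SETTINGS) -> Settings:
    """Each 'not configured' field inherits the default detector's value."""
    return Settings(**{k: v if v is not None else getattr(default, k)
                       for k, v in vars(specific).items()})

@dataclass
class Detector:
    number: int                  # 1-100
    protocol: str                # e.g. "TCP", "UDP"
    direction: str               # attack direction; label is an assumption
    side: str                    # subscriber/network side; label is an assumption
    acl: Optional[list] = None   # CIDR strings; None models the "none" keyword (all IPs)
    tcp_ports: list = field(default_factory=list)
    udp_ports: list = field(default_factory=list)
    settings: Settings = field(default_factory=Settings)

    def __post_init__(self):
        if not 1 <= self.number <= 100:
            raise ValueError("attack detector number must be 1-100")
        if len(self.tcp_ports) > 15 or len(self.udp_ports) > 15:
            raise ValueError("at most 15 TCP and 15 UDP ports per detector")

def applies(det: Detector, protocol: str, direction: str, side: str,
            dst_ip: str, dst_port: int = 0, port_based: bool = False) -> bool:
    """Does this detector select the traffic? The ACL is matched on the destination IP;
    the port list matters only for port-based attack types of the same protocol."""
    if (det.protocol, det.direction, det.side) != (protocol, direction, side):
        return False
    if det.acl is not None and not any(ip_address(dst_ip) in ip_network(n) for n in det.acl):
        return False
    if port_based and protocol in ("TCP", "UDP"):
        ports = det.tcp_ports if protocol == "TCP" else det.udp_ports
        return dst_port in ports
    return True
```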