Cisco SCE8000 Configuration Manual page 209

Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks
The format of the attack-information string sent when an attack begins is:
If attack was detected in the traffic:
•
Attack detected: Attack 'IP-info> from 'side> side, protocol 'protocol>. 'rate1>open
flows per second detected, 'rate2' Ddos-suspected flows per second detected. Action
is: 'action'.
If attack was declared as a result of a force-filter command:
•
Attack Filter: Forced 'forced-action' 'IP-info' from 'side' side, protocol 'protocol'.
Attack forced using a force-filter command.
The format of the attack-information string sent when an attack ends is:
If attack was detected in the traffic:
•
End-of-attack detected: Attack 'IP-info' from 'side' side, protocol 'protocol'. Action
is: 'action' Duration 'duration' seconds, 'total-flows' 'hw-filter'
If the end of the attack was declared as a result of a no force-filter command or a new don't-filter
•
command:
Attack Filter: Forced to end 'action2' 'IP-info' from 'side' side, protocol
'protocol'. Attack end forced using a 'no force-filter' or a 'don't-filter' command.
The format of the reason string sent when an attack begins is:
If attack end was detected in the traffic:
•
Detected attack end
If the end of the attack was declared as a result of a no force-filter command or a new don't-filter
•
command:
Forced attack end
Following are the possible values that may appear in the fields indicated in the information strings (''):
'action'
•
–
–
• 'forced-action' is one of the following values, depending on the configured force-filter action.
–
–
'IP-info' is in one of the following formats, depending on the direction of the attack, and whether
•
one or two IP addresses were detected
–
–
–
'side'
•
–
–
OL-16479-01
Report
Block
block of flows
report
from IP address A.B.C.D
on IP address A.B.C.D
from IP address A.B.C.D to IP address A.B.C.D
subscriber
network
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
Monitoring Attack Filtering
10-21