Cisco SCE 8000 10GBE Software Configuration Manual page 339

Chapter 12
Identifying and Preventing Distributed Denial-of-Service Attacks
Separate rate meters are maintained both for each IP address separately (single side) and for IP address
pairs (the source and destination of a given flow), so when a specific IP is attacking a specific IP, this
pair of IP addresses defines a single incident (dual-sided).
Based on these two metrics, a specific-IP attack is declared if either of the following conditions is present:
- The new flows rate exceeds a certain threshold.
- The suspected flows rate exceeds a configured threshold and the ratio of suspected flows rate to total new flow rate exceeds a configured threshold.
When the rates stop satisfying this criterion, the end of that attack is declared.
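The two-condition criterion and the single-side/dual-side rate meters described above, as an added Python sketch that is not Cisco's code or the SCE implementation. It assumes each flow record already carries a suspected flag from an upstream classifier, folds flows that a dual-sided incident already explains out of the two endpoints' single-side meters so that one attacker/victim pair yields one incident, and uses constructed thresholds and traffic; the names Flow, Thresholds, meter, is_attack and detect are my own.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:
    new_flows: float        # new-flow rate (flows/s) above which an attack is declared outright
    suspected_flows: float  # suspected-flow rate (flows/s) that must be exceeded ...
    suspected_ratio: float  # ... together with a suspected/new ratio above this value

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    suspected: bool  # assumption: an upstream classifier flags unanswered flows as suspected

def is_attack(new_rate, susp_rate, t):
    if new_rate > t.new_flows:  # condition 1: absolute new-flow rate
        return True
    # condition 2: suspected rate plus suspected/new ratio
    return susp_rate > t.suspected_flows and new_rate > 0 and susp_rate / new_rate > t.suspected_ratio

def meter(flows, window_s):
    """Single-side (source, destination) and dual-side (pair) rate meters over one window."""
    new, susp = Counter(), Counter()
    for f in flows:
        for key in (("source", f.src), ("destination", f.dst), ("dual", (f.src, f.dst))):
            new[key] += 1
            susp[key] += f.suspected
    return {k: (new[k] / window_s, susp[k] / window_s) for k in new}

def detect(flows, window_s, t):
    """Return {incident_key: (new_rate, susp_rate)}; a pair attack is one dual-sided incident."""
    rates = meter(flows, window_s)
    incidents = {k: r for k, r in rates.items() if k[0] == "dual" and is_attack(*r, t)}
    # Assumption: flows already explained by a dual-sided incident are not counted again
    # against either endpoint's single-side meters, so one attacker/victim pair yields one incident.
    covered_new, covered_susp = Counter(), Counter()
    for (_, (src, dst)), (nr, sr) in incidents.items():
        for key in (("source", src), ("destination", dst)):
            covered_new[key] += nr; covered_susp[key] += sr
    for k, (nr, sr) in rates.items():
        if k[0] != "dual" and is_attack(nr - covered_new[k], sr - covered_susp[k], t):
            incidents[k] = (nr, sr)
    return incidents

# Constructed sample window (10 s): one-to-one unanswered-flow attack, a 40-source flood, benign traffic.
SAMPLE = [Flow("10.0.0.1", "192.0.2.10", True)] * 600
SAMPLE += [Flow(f"198.51.100.{i}", "192.0.2.20", j < 8) for i in range(40) for j in range(10)]
SAMPLE += [Flow("203.0.113.5", "192.0.2.30", False)] * 100
DEFAULT = Thresholds(new_flows=50, suspected_flows=20, suspected_ratio=0.5)
```

Running detect(SAMPLE, 10, DEFAULT) reports one dual-sided incident for the 10.0.0.1 to 192.0.2.10 pair (its endpoints are not reported again single-sided) and one destination-side incident for 192.0.2.20, which trips only the suspected-rate-plus-ratio condition.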
Note that specific attack filtering is configured in two steps:
1. Enabling specific IP filtering for the particular attack type.
2. Configuring an attack detector for the relevant attack type. Each attack detector specifies the thresholds that define an attack and the action to be taken when an attack is detected.
In addition to specific attack detectors, a default detector exists that can be configured with
user-defined thresholds and action, or system defaults may be retained.
In addition, the user can manually override the configured attack detectors to either force or prevent
attack filtering in a particular situation.
Specific IP filtering for selected attack types is enabled with the following parameters. These parameters control which of the 32 attack types are being filtered for:
- Protocol—TCP, UDP, ICMP, or Other
- Attack direction—The direction of the attack may be identified by only one IP address or by two IP addresses:
  - single side—The attack is identified by either the source IP address or the destination address only.
  - dual side (TCP and UDP protocols only)—The attack is identified by both the source and destination IP addresses. In other words, when a specific IP attacks a specific IP, this is detected as one incident rather than as two separate incidents.
  The filter definition may specify the specific side, or may include any single side attack, regardless of side (both).
- Destination port (TCP and UDP protocols only)—Defines whether specific IP detection is enabled or disabled for port-based or port-less detections. Enable port-based detection for TCP/UDP attacks that have a fixed destination port or ports.
  The list of destination ports for port-based detection is configured separately. (See the "Specific Attack Detectors" section on page 12-14.)