C H A P T E R 11 Identifying And Preventing Distributed-Denial-Of-Service Attacks; Attack Filtering; Specific Attack Filtering - Cisco SCE2020-4XGBE-SM Configuration Manual

Software configuration guide

Attack Filtering and Attack Detection

Attack Filtering

The SCE platform includes extensive capabilities for identifying DDoS attacks and protecting against them.

Attack filtering is performed using specific-IP attack detectors. A specific-IP attack detector tracks the rate of flows (total open and total suspected) in the SCE platform for each combination of IP address (or pair of IP addresses), protocol (TCP/UDP/ICMP/Other), destination port (for TCP/UDP), interface and direction. When the rates satisfy user-configured criteria, it is considered an attack, and a configured action can take place (report/block, notify subscriber, send SNMP trap).

This mechanism is enabled by default, and can be disabled and enabled for each attack type independently.

There are 32 different attack types:

1 — TCP flows from a specific IP address on the subscriber side, regardless of destination port
2 — TCP flows to a specific IP address on the subscriber side, regardless of destination port
3-4 — Same as 1 and 2, but for the opposite direction (subscriber network)
5 — TCP flows from a specific IP address on the subscriber side to a specific IP address on the network side
6 — Same as 5, but for the opposite direction (from the network side to the subscriber side)
7-12 — Same as 1-6 but with a specific destination port common to all flows of the attack (1-6 are port-less attack types, 7-12 are port-based attack types)
13-24 — Same as 1-12 but for UDP instead of TCP
25-28 — Same as 1-4 but for ICMP instead of TCP
29-32 — Same as 1-4 but for Other protocols instead of TCP

Specific Attack Filtering

When the specific IP attack filter is enabled for a certain attack type, two rates are measured per defined entity:

- Rate of new flows
- Rate of suspected flows (in general, suspected flows are flows for which the SCOS did not see proper establishment (TCP) or saw only a single packet (all other protocols))

Separate rate meters are maintained both for each IP address separately (single side) and for IP address pairs (the source and destination of a given flow), so when a specific IP is attacking a specific IP, this pair of IP addresses defines a single incident (dual-sided).

Based on these two metrics, a specific-IP attack is declared if either of the following conditions is present:

- The new flows rate exceeds a configured threshold
- The suspected flows rate exceeds a configured threshold and the ratio of suspected flows rate to total new flows rate exceeds a configured threshold

When the rates stop satisfying this criterion, the end of that attack is declared.

Cisco SCE 2000 and SCE 1000 Software Configuration Guide, OL-7827-12, Chapter 11: Identifying and Preventing Distributed-Denial-Of-Service Attacks, page 11-2
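The detection rule described above (per-entity meters for new and suspected flows, an attack declared when either the new-flow rate or the suspected-flow rate plus suspected/new ratio crosses a configured threshold, and the attack ended when the rates drop back) can be modelled as a small simulation. The following Python is an added illustrative model, not Cisco SCE code: the entity keys, the direction labels "sub->net"/"net->sub", the `Thresholds` values and the sample flows are all constructed here, and rates are approximated as counts per fixed evaluation interval.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One new flow as the detector would see it (constructed sample input)."""
    src_ip: str
    dst_ip: str
    protocol: str            # "TCP", "UDP", "ICMP" or "Other"
    dst_port: Optional[int]  # meaningful for TCP/UDP only
    direction: str           # assumed labels: "sub->net" or "net->sub"
    suspected: bool          # no proper TCP establishment, or a single packet (other protocols)


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical per-attack-type thresholds; real values are operator-configured."""
    new_flows: int           # condition 1: new-flow rate above this value
    suspected_flows: int     # condition 2: suspected-flow rate above this value ...
    suspected_ratio: float   # ... and suspected/new ratio above this value


Entity = Tuple[str, object, str, Optional[int], str]


class SpecificIpDetector:
    """Per-interval rate meters keyed by (single IP or IP pair, protocol, port, direction)."""

    def __init__(self, thresholds: Thresholds) -> None:
        self.t = thresholds
        self.new_flows = defaultdict(int)        # new-flow count per entity this interval
        self.suspected_flows = defaultdict(int)  # suspected-flow count per entity this interval
        self.active = set()                      # entities currently declared under attack

    @staticmethod
    def entities(flow: Flow) -> Iterator[Entity]:
        """Meter keys a flow feeds: single-sided (from src, to dst) and dual-sided (pair),
        each as a port-less type and, for TCP/UDP, also as a port-based type."""
        ports = [None, flow.dst_port] if flow.protocol in ("TCP", "UDP") else [None]
        for port in ports:
            yield ("from", flow.src_ip, flow.protocol, port, flow.direction)
            yield ("to", flow.dst_ip, flow.protocol, port, flow.direction)
            yield ("pair", (flow.src_ip, flow.dst_ip), flow.protocol, port, flow.direction)

    def observe(self, flow: Flow) -> None:
        for key in self.entities(flow):
            self.new_flows[key] += 1
            if flow.suspected:
                self.suspected_flows[key] += 1

    def is_attack(self, key: Entity) -> bool:
        """Either condition from the text: new-flow rate over threshold, or suspected-flow
        rate over threshold together with a high suspected/new ratio."""
        new = self.new_flows.get(key, 0)
        suspected = self.suspected_flows.get(key, 0)
        if new > self.t.new_flows:
            return True
        if suspected > self.t.suspected_flows and new > 0:
            return suspected / new > self.t.suspected_ratio
        return False

    def end_of_interval(self):
        """Declare attack start/end per entity for the interval just finished, then reset."""
        started, ended = [], []
        for key in set(self.new_flows) | self.active:
            attacking = self.is_attack(key)
            if attacking and key not in self.active:
                self.active.add(key)
                started.append(key)
            elif not attacking and key in self.active:
                self.active.discard(key)
                ended.append(key)
        self.new_flows.clear()
        self.suspected_flows.clear()
        return started, ended


def run_demo():
    """Constructed scenario: a burst of TCP flows with no proper establishment from one
    subscriber-side host, beside normal traffic, followed by a quiet interval."""
    det = SpecificIpDetector(Thresholds(new_flows=100, suspected_flows=20, suspected_ratio=0.5))
    for _ in range(50):   # 50 unestablished flows to one server port
        det.observe(Flow("10.0.0.5", "192.0.2.10", "TCP", 80, "sub->net", suspected=True))
    for _ in range(10):   # benign, properly established flows from another host
        det.observe(Flow("10.0.0.7", "192.0.2.20", "TCP", 443, "sub->net", suspected=False))
    started, _ = det.end_of_interval()
    _, ended = det.end_of_interval()   # quiet interval: rates no longer satisfy the criteria
    return started, ended


if __name__ == "__main__":
    started, ended = run_demo()
    print("attack started on:", sorted(map(str, started)))
    print("attack ended on:", sorted(map(str, ended)))
```

In the demo the 50 unestablished flows never reach the new-flow threshold of 100, so it is the second condition (suspected rate over 20 with a suspected/new ratio of 1.0) that declares the attack, and it does so on six entities at once: the port-less and port-based variants of the single-sided "from", the single-sided "to" and the dual-sided pair meter. The benign host stays below both thresholds, and the following quiet interval triggers the end-of-attack declaration for all six.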
