Configuring Attack Detectors - Cisco SCE2020-4XGBE-SM Configuration Manual

Software configuration guide
Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks

Configuring Attack Detectors

How to Enable Specific-IP Detection, page 11-9
How to Configure the Default Attack Detector, page 11-10
Specific Attack Detectors, page 11-13
Sample Attack Detector Configuration, page 11-17

The Cisco attack detection mechanism is controlled by defining and configuring special entities called
Attack Detectors.

There is one attack detector called 'default', which is always enabled, and 99 attack detectors (numbered
1-99), which are disabled by default. Each detector (both the default and detectors 1-99) can be
configured with a separate action and separate threshold values for each of the 32 possible attack types.

When detectors 1-99 are disabled, the default attack detector configuration determines the thresholds
used for detecting an attack, and the action taken by the SCE platform when an attack is detected. For
each attack type, a different set of thresholds and a different action can be set. In addition, subscriber
notification and SNMP traps (alarms) can be enabled or disabled at the same granularity.

The default attack detector should be configured with values that reflect the desired SCE platform
behavior for the majority of the traffic flows passing through it. However, it is not feasible to use the
same set of values for all the traffic that traverses the SCE platform, because some network entities
generate normal traffic whose characteristics would be considered an attack if it came from most other
network elements. Here are two common examples:

A DNS server is expected to be the target of many short DNS queries. These queries are typically
UDP flows, each flow consisting of two packets: the request and the response. Normally, the SCE
platform considers all UDP flows that are opened to the DNS server as DDoS-suspected flows, since
these flows include fewer than 3 packets. A DNS server might serve hundreds of DNS requests per
second at peak times, so the system should be configured with a suitable threshold for
DDoS-suspected flows for protocol = UDP and direction = attack-destination. A threshold value of
1000 flows/second would probably be suitable for the DNS server. However, this threshold would
be unsuitable for almost all other network elements, since, for them, being the destination of such
a large rate of UDP flows would be considered an attack. Therefore, setting a threshold of 1000 for all
traffic is not a good solution.

The subscriber side of the SCE platform might contain many residential subscribers, each having
several computers connected through an Internet connection, and each computer having a different
IP address. In addition, there might be a few business subscribers, each using a NAT that hides
hundreds of computers behind a single IP address. Clearly, the traffic seen for an IP address of a
business subscriber contains significantly more flows than the traffic of an IP address belonging to
a residential subscriber. The same threshold cannot be adequate in both cases.

To let the SCE platform treat such special cases differently, the user can configure non-default attack
detectors in the range of 1-99. Like the default attack detector, non-default attack detectors can be
configured with different sets of action and threshold values for every attack type. However, to be
effective, a non-default attack detector must be enabled and must be assigned an ACL (access control
list). The action and thresholds configured for such an attack detector are effective only for IP addresses
permitted by the ACL. Non-default attack detectors can be assigned a label describing their purpose,
such as 'DNS servers' or 'Server farm'.

Non-default attack detectors are effective only for attack types that have been specifically configured.
This eliminates the need to duplicate the default attack detector configuration into the configuration of
non-default attack detectors, and is best illustrated with an example: Suppose an HTTP server on the
subscriber side of the SCE platform is getting many requests, which requires the use of a non-default
attack detector for configuring high threshold values for incoming TCP flow rates. Assume attack

OL-7827-12
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
Configuring Attack Detectors
11-7
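To make the selection rules above concrete (the default detector always applies; a non-default detector overrides it only when it is enabled, its ACL permits the IP address, and it has an entry for that attack type), here is an added Python model. It is illustrative code written for this page, not Cisco's SCE implementation or CLI. The default detector's thresholds, the action names "report" and "block", the CIDR-based ACL, and the rule that the lowest-numbered matching detector wins are all assumptions; the 1000 flows/second DNS threshold is the value the text suggests.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# An attack type is identified here by (protocol, direction), e.g. ("UDP", "attack-destination").
AttackType = Tuple[str, str]


@dataclass
class AttackTypeConfig:
    """Per-attack-type settings: a suspected-flow-rate threshold (flows/second) and an action."""
    threshold_fps: int
    action: str  # assumed action labels ("report", "block"); the excerpt names none


@dataclass
class AttackDetector:
    """Model of one attack detector. A non-default detector is effective only when enabled,
    only for IPs permitted by its ACL, and only for attack types it explicitly configures."""
    name: str
    enabled: bool
    acl: Tuple[str, ...] = ()  # hypothetical ACL: permitted CIDR prefixes (empty permits nothing)
    label: str = ""
    attack_types: Dict[AttackType, AttackTypeConfig] = field(default_factory=dict)

    def permits(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(prefix) for prefix in self.acl)


# Constructed sample configuration. 1000 flows/s for the DNS server follows the text;
# the default detector's 100 and 200 flows/s are assumed values for illustration.
UDP_DST: AttackType = ("UDP", "attack-destination")
TCP_DST: AttackType = ("TCP", "attack-destination")

DEFAULT = AttackDetector(
    name="default", enabled=True,
    attack_types={
        UDP_DST: AttackTypeConfig(threshold_fps=100, action="report"),
        TCP_DST: AttackTypeConfig(threshold_fps=200, action="report"),
    },
)

DETECTORS: Dict[int, AttackDetector] = {
    1: AttackDetector(
        name="detector-1", enabled=True, acl=("192.0.2.53/32",), label="DNS servers",
        attack_types={UDP_DST: AttackTypeConfig(threshold_fps=1000, action="report")},
    ),
    # Configured but left disabled (the default state for detectors 1-99): it must never apply.
    2: AttackDetector(
        name="detector-2", enabled=False, acl=("0.0.0.0/0",), label="disabled catch-all",
        attack_types={UDP_DST: AttackTypeConfig(threshold_fps=10, action="block")},
    ),
}


def select_detector(ip: str, attack_type: AttackType,
                    default: AttackDetector = DEFAULT,
                    detectors: Dict[int, AttackDetector] = DETECTORS) -> Tuple[str, AttackTypeConfig]:
    """Pick the detector whose threshold/action governs this IP and attack type.

    Assumption (not stated in the excerpt): when several enabled detectors match,
    the lowest-numbered one wins. Anything not matched falls back to 'default'."""
    for number in sorted(detectors):
        det = detectors[number]
        if not det.enabled:
            continue
        if attack_type not in det.attack_types:  # unconfigured type: no override for it
            continue
        if det.permits(ip):
            return det.name, det.attack_types[attack_type]
    return default.name, default.attack_types[attack_type]


def evaluate(ip: str, attack_type: AttackType, observed_fps: int) -> Tuple[str, Optional[str]]:
    """Return (governing detector name, action); action is None when no attack is declared."""
    name, cfg = select_detector(ip, attack_type)
    if observed_fps > cfg.threshold_fps:
        return name, cfg.action
    return name, None


if __name__ == "__main__":
    samples = [
        ("192.0.2.53", UDP_DST, 600),    # DNS server: below its own 1000 flows/s threshold
        ("203.0.113.10", UDP_DST, 600),  # residential host: above the default 100 flows/s
        ("192.0.2.53", TCP_DST, 300),    # DNS server, TCP: detector-1 has no TCP entry, default applies
    ]
    for ip, atype, fps in samples:
        print(ip, atype, fps, "->", evaluate(ip, atype, fps))
```

The third sample is the point the section makes about selective configuration: detector-1 overrides only the UDP attack-destination type for the DNS server, so its TCP traffic is still judged by the default detector without any duplicated configuration.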