Chapter 11
Identifying and Preventing Distributed-Denial-Of-Service Attacks
Options
The following options are available:
•
•
•
•
•
•
•
•
•
How to Define the Default Action and Optionally the Default Thresholds
Defaults
The default values for the default attack detector are:
•
•
•
•
OL-7827-12
attack-detector — The attack detector being configured; in this case, the default attack detector.
protocol — Defines the protocol to which the default attack detector applies.
attack-direction — Defines whether the default attack detector applies to single sided or dual sided
attacks.
destination port {TCP and UDP protocols only) — Defines whether the default attack detector
applies to port-based or port-less detections.
side — Defines whether the default attack detector applies to attacks originating at the subscriber
or network side.
action — Default action:
report (default) — Report beginning and end of the attack by writing to the attack-log.
–
block — Block all further flows that are part of this attack, the SCE platform drops the packets.
–
Thresholds :
open-flows-rate — Default threshold for rate of open flows. suspected-flows-rate — Default
–
threshold for rate of suspected DDoS flows.
suspected-flows-ratio — Default threshold for ratio of suspected flow rate to open flow rate.
–
Use the appropriate keyword to enable or disable subscriber notification by default:
notify-subscriber — Enable subscriber notification.
–
–
don't-notify-subscriber — Disable subscriber notification.
Use the appropriate keyword to enable or disable sending an SNMP trap by default:
–
alarm — Enable sending an SNMP trap.
–
no-alarm — Disable sending an SNMP trap.
Action — Report
Thresholds — Varies according to the attack type
Subscriber notification — Disabled
Sending an SNMP trap — Disabled
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
Configuring Attack Detectors
11-11