Monitoring Attack Filtering
The format of the attack-information string sent when an attack begins is:
• If attack was detected in the traffic:
  Attack detected: Attack 'IP-info' from 'side' side, protocol 'protocol'. 'rate1' open flows per second detected, 'rate2' Ddos-suspected flows per second detected. Action is: 'action'.
• If attack was declared as a result of a force-filter command:
  Attack Filter: Forced 'forced-action' 'IP-info' from 'side' side, protocol 'protocol'. Attack forced using a force-filter command.
The format of the attack-information string sent when an attack ends is:
• If attack was detected in the traffic:
  End-of-attack detected: Attack 'IP-info' from 'side' side, protocol 'protocol'. Action is: 'action' Duration 'duration' seconds, 'total-flows' 'hw-filter'
• If the end of the attack was declared as a result of a no force-filter command or a new don't-filter command:
  Attack Filter: Forced to end 'action2' 'IP-info' from 'side' side, protocol 'protocol'. Attack end forced using a 'no force-filter' or a 'don't-filter' command.
The format of the reason string sent when an attack ends is:
• If attack end was detected in the traffic:
  Detected attack end
• If the end of the attack was declared as a result of a no force-filter command or a new don't-filter command:
  Forced attack end
Following are the possible values that may appear in the fields indicated in the information strings (''):
• 'action'
  – Report
  – Block
• 'forced-action' is one of the following values, depending on the configured force-filter action.
  – block of flows
  – report
• 'IP-info' is in one of the following formats, depending on the direction of the attack, and whether one or two IP addresses were detected
  – from IP address A.B.C.D
  – on IP address A.B.C.D
  – from IP address A.B.C.D to IP address A.B.C.D
• 'side'
  – subscriber
  – network
Cisco SCE 2000 and SCE 1000 Software Configuration Guide, Chapter 11, Identifying and Preventing Distributed-Denial-Of-Service Attacks, OL-7827-12, page 11-22
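The four attack-information string formats above are what an operator receives when the SCE starts or stops filtering, so a collector that feeds a SIEM needs to turn them into fields. The parser below is an added example, not Cisco's code: it matches each of the four documented formats with one regular expression, extracts the 'IP-info', 'side', 'protocol', rate, action and duration fields, and flags attacks whose action was Report (seen but not blocked). The dotted-quad rendering of A.B.C.D, the protocol token, the 'action2' values and the contents of the 'total-flows' 'hw-filter' trailer are not defined on the page and are treated as assumptions; the sample lines are constructed.

```python
import re
from typing import Optional

# Shared fragment for 'IP-info' from 'side' side, protocol 'protocol'.
# The three IP-info forms and the two side values come from the guide; the
# IPv4 pattern and the protocol token shape are assumptions.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_COMMON = (
    r"(?P<direction>from|on) IP address (?P<ip1>" + _IPV4 + r")"
    r"(?: to IP address (?P<ip2>" + _IPV4 + r"))?"
    r" from (?P<side>subscriber|network) side, protocol (?P<protocol>[^.]+)\."
)

# One pattern per documented message format, keyed by an event kind of our own.
_PATTERNS = {
    "attack_start": re.compile(
        r"^Attack detected: Attack " + _COMMON +
        r" (?P<rate1>\d+) open flows per second detected, "
        r"(?P<rate2>\d+) Ddos-suspected flows per second detected\. "
        r"Action is: (?P<action>Report|Block)\.$"
    ),
    "attack_start_forced": re.compile(
        r"^Attack Filter: Forced (?P<forced_action>block of flows|report) " + _COMMON +
        r" Attack forced using a force-filter command\.$"
    ),
    "attack_end": re.compile(
        r"^End-of-attack detected: Attack " + _COMMON +
        r" Action is: (?P<action>Report|Block) Duration (?P<duration>\d+) seconds, "
        r"(?P<trailer>.*)$"   # 'total-flows' 'hw-filter' layout is undefined: kept verbatim
    ),
    "attack_end_forced": re.compile(
        # 'action2' values are not listed on the page, so accept any short phrase.
        r"^Attack Filter: Forced to end (?P<action2>.+?) " + _COMMON +
        r" Attack end forced using a 'no force-filter' or a 'don't-filter' command\.$"
    ),
}


def parse_attack_event(line: str) -> Optional[dict]:
    """Parse one attack-information string into a dict of fields.

    Returns None when the line matches none of the four documented formats,
    so callers can run it over a mixed log stream.
    """
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(line.strip())
        if m:
            event = {"kind": kind}
            event.update(m.groupdict())
            for field in ("rate1", "rate2", "duration"):
                if event.get(field) is not None:
                    event[field] = int(event[field])
            return event
    return None


def reported_only(lines) -> list:
    """Attack-start events whose action is Report: the SCE detected the
    attack but, per its configuration, did not block it. These are the
    events an analyst reviews to decide whether the filter policy is too lax."""
    events = (parse_attack_event(line) for line in lines)
    return [e for e in events
            if e and e["kind"] == "attack_start" and e["action"] == "Report"]


# Constructed sample lines following the four formats in the guide.
SAMPLE_LINES = [
    "Attack detected: Attack from IP address 10.1.2.3 from subscriber side, protocol TCP. "
    "1200 open flows per second detected, 950 Ddos-suspected flows per second detected. "
    "Action is: Block.",
    "Attack detected: Attack on IP address 192.0.2.7 from network side, protocol UDP. "
    "300 open flows per second detected, 280 Ddos-suspected flows per second detected. "
    "Action is: Report.",
    "Attack Filter: Forced block of flows from IP address 10.1.2.3 to IP address 192.0.2.7 "
    "from subscriber side, protocol TCP. Attack forced using a force-filter command.",
    "End-of-attack detected: Attack from IP address 10.1.2.3 from subscriber side, "
    "protocol TCP. Action is: Block Duration 42 seconds, 5100 flows hw-filter",
    "Attack Filter: Forced to end block of flows from IP address 10.1.2.3 to IP address "
    "192.0.2.7 from subscriber side, protocol TCP. Attack end forced using a "
    "'no force-filter' or a 'don't-filter' command.",
    "Some unrelated log line that the parser must ignore",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_attack_event(line))
    print("reported but not blocked:", [e["ip1"] for e in reported_only(SAMPLE_LINES)])
```

Because every field is a named group, adding a fifth message format later means adding one more entry to `_PATTERNS` rather than touching the parse loop; the `trailer` group keeps the undocumented tail of the end-of-attack string intact so nothing is silently dropped from the record.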