Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Attack Filtering and Attack Detection
Attack Filtering
The SCE platform includes extensive capabilities for identifying DDoS attacks and protecting against them.
Attack filtering is performed using specific-IP attack detectors. A specific-IP attack detector tracks the
rate of flows (total open and total suspected) in the SCE platform for each combination of IP address (or
pair of IP addresses), protocol (TCP/UDP/ICMP/Other), destination port (for TCP/UDP), interface and
direction. When the rates satisfy user-configured criteria, it is considered an attack, and a configured
action can take place (report/block, notify subscriber, send SNMP trap).
This mechanism is enabled by default, and can be disabled and enabled for each attack type
independently.
There are 32 different attack types:
• 1 — TCP flows from a specific IP address on the subscriber side, regardless of destination port
• 2 — TCP flows to a specific IP address on the subscriber side, regardless of destination port
• 3-4 — Same as 1 and 2, but for the opposite direction (subscriber network)
• 5 — TCP flows from a specific IP address on the subscriber side to a specific IP address on the network side
• 6 — Same as 5, but for the opposite direction (from the network side to the subscriber side)
• 7-12 — Same as 1-6 but with a specific destination port common to all flows of the attack (1-6 are port-less attack types, 7-12 are port-based attack types)
• 13-24 — Same as 1-12 but for UDP instead of TCP
• 25-28 — Same as 1-4 but for ICMP instead of TCP
• 29-32 — Same as 1-4 but for Other protocols instead of TCP
Specific Attack Filtering
When the specific IP attack filter is enabled for a certain attack type, two rates are measured per defined entity:
• Rate of new flows
• Rate of suspected flows (in general, suspected flows are flows for which the SCOS did not see proper establishment (TCP) or saw only a single packet (all other protocols))
Separate rate meters are maintained both for each IP address separately (single side) and for IP address
pairs (the source and destination of a given flow), so when a specific IP is attacking a specific IP, this
pair of IP addresses defines a single incident (dual-sided).
Based on these two metrics, a specific-IP attack is declared if either of the following conditions is present:
• The new flows rate exceeds a configured threshold
• The suspected flows rate exceeds a configured threshold and the ratio of suspected flows rate to total new flows rate exceeds a configured threshold
When the rates stop satisfying these criteria, the end of that attack is declared.
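The following is an added example, not SCE software or code from this guide, that models the detection logic described above: per-entity rate meters for new and suspected flows, single-side and dual-sided (pair) keys, port-less and port-based variants, the two declaration conditions, and end-of-attack declaration when a meter's rates drop back under the criteria. The thresholds, the key layout (the interface is omitted), the direction labels and the sample flows are all constructed for illustration and are not the SCE's defaults or data format.

```python
"""Toy specific-IP attack detector (added example; not SCE software)."""
from collections import defaultdict

# Constructed illustrative thresholds; on the SCE these are user-configured.
NEW_FLOW_RATE_THRESHOLD = 100.0      # new flows per second
SUSPECTED_RATE_THRESHOLD = 50.0      # suspected flows per second
SUSPECTED_RATIO_THRESHOLD = 0.5      # suspected-flow rate / new-flow rate


def meter_keys(flow):
    """Return every rate-meter key a single new flow contributes to.

    Each flow feeds a 'from' meter (source IP), a 'to' meter (destination IP)
    and a 'pair' meter (source, destination) to mirror the guide's single-side
    and dual-sided incidents. For TCP/UDP each of those exists twice: a
    port-less variant (port None) and a port-based variant keyed on the
    destination port. Protocol and direction are part of every key.
    """
    ports = [None]
    if flow["proto"] in ("TCP", "UDP"):
        ports.append(flow["dst_port"])
    keys = []
    for port in ports:
        common = (flow["proto"], port, flow["direction"])
        keys += [
            ("from", flow["src_ip"]) + common,
            ("to", flow["dst_ip"]) + common,
            ("pair", flow["src_ip"], flow["dst_ip"]) + common,
        ]
    return keys


def measure_rates(flows, window_seconds):
    """Count new and suspected flows per key over one window; return rates."""
    counts = defaultdict(lambda: [0, 0])  # key -> [new flows, suspected flows]
    for flow in flows:
        for key in meter_keys(flow):
            counts[key][0] += 1
            if flow["suspected"]:
                counts[key][1] += 1
    return {k: (n / window_seconds, s / window_seconds) for k, (n, s) in counts.items()}


def is_attack(new_rate, suspected_rate):
    """Apply the guide's two declaration conditions to one meter."""
    if new_rate > NEW_FLOW_RATE_THRESHOLD:
        return True
    if suspected_rate > SUSPECTED_RATE_THRESHOLD and new_rate > 0:
        return suspected_rate / new_rate > SUSPECTED_RATIO_THRESHOLD
    return False


def detect(flows, window_seconds=1.0):
    """Return the set of meter keys whose rates currently satisfy the criteria."""
    rates = measure_rates(flows, window_seconds)
    return {k for k, (n, s) in rates.items() if is_attack(n, s)}


def step(active, flows, window_seconds=1.0):
    """Advance one window: return (started, ended, now_active).

    `active` is the set of keys under attack after the previous window. Keys
    whose rates no longer satisfy the criteria have their attack end declared.
    """
    now = detect(flows, window_seconds)
    return now - active, active - now, now


def sample_flows():
    """Constructed one-second sample traffic (not captured data)."""
    up = "subscriber-to-network"
    flows = []
    # 10.0.0.5: 120 TCP flows to many hosts/ports, none properly established
    # -> trips the port-less 'from' meter on the new-flow-rate condition.
    for i in range(120):
        flows.append(dict(src_ip="10.0.0.5", dst_ip=f"198.51.100.{i % 50}", proto="TCP",
                          dst_port=1000 + i, direction=up, suspected=True))
    # 10.0.0.7: 80 TCP flows to one web server on port 80, 60 never complete
    # the handshake -> below the new-flow threshold, but trips the
    # suspected-rate-plus-ratio condition on the port-based meters.
    for i in range(80):
        flows.append(dict(src_ip="10.0.0.7", dst_ip="198.51.100.200", proto="TCP",
                          dst_port=80, direction=up, suspected=(i < 60)))
    # 10.0.0.9: 40 ordinary UDP DNS lookups -> no meter reaches a threshold.
    for _ in range(40):
        flows.append(dict(src_ip="10.0.0.9", dst_ip="198.51.100.53", proto="UDP",
                          dst_port=53, direction=up, suspected=False))
    return flows


if __name__ == "__main__":
    started, ended, active = step(set(), sample_flows())
    for key in sorted(started, key=str):
        print("attack started:", key)
    # Next window carries no traffic, so every active incident is ended.
    _, ended, _ = step(active, [])
    print("attacks ended:", len(ended))
```

The two conditions are deliberately kept in `is_attack` so that each can be reasoned about separately: the first catches plain volume, the second catches a lower-volume burst whose flows mostly fail to establish, which is what distinguishes half-open floods from a merely busy host.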