Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Preventing and Forcing Attack Detection
• Options, page 11-19
• Preventing Attack Filtering, page 11-20
• Forcing Attack Filtering, page 11-20
After the attack detectors have been configured, the SCE platform detects attacks automatically and handles them according to that configuration. There are, however, scenarios in which manual intervention is desirable, either for debugging or because reconfiguring the attack detectors correctly is not trivial and cannot be done on the spot. For example:
• The SCE platform has detected an attack, but the user knows it to be a false alarm. The correct long-term fix is to configure higher thresholds (for the whole IP range, or for specific IP addresses or ports). That takes time to plan, and if the configured attack handling is 'Block', the user may want to stop the block action for this specific attack immediately and leave the threshold changes for later, when they can be planned properly. Use the dont-filter command described below for this type of case.
• An ISP is informed that one of its subscribers is being attacked by a UDP attack from the network side. The ISP wants to protect the subscriber by blocking all UDP traffic to that subscriber, but the SCE platform did not recognize the attack (or recognized it, but the configured action was 'report' rather than 'block'). Use the force-filter command described below for this type of case.
The CLI attack filtering commands let the user do the following:
• Configure a dont-filter command to prevent or stop filtering of an attack related to a specified IP address
• Configure a force-filter command to force filtering (with a specific action) of an attack related to a specified IP address
Use the following commands to either force or prevent attack filtering:
• [no] attack-filter dont-filter
• [no] attack-filter force-filter
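The two scenarios above, shown as an added example of the commands as they would be entered at the SCE CLI (this example is not from the original guide). The commands are assumed to be entered in the linecard interface configuration mode, the keyword order beyond the options named on this page (protocol, side, action) is assumed from the general attack-filter syntax, and the IP addresses are constructed; verify the exact syntax against the command reference for your SCE software release before use.

```text
! Added example, not from the original guide. Keyword order and addresses are assumed.
SCE2000# configure
SCE2000(config)# interface linecard 0

! Scenario 1 (false alarm): the SCE is blocking a TCP attack reported towards
! subscriber 10.1.2.3, which is known to be legitimate traffic. Stop the block for
! this address only; the detector thresholds stay unchanged for now.
SCE2000(config if)# attack-filter dont-filter protocol TCP attack-direction single-side-destination ip 10.1.2.3 side subscriber

! Scenario 2 (undetected or report-only attack): force blocking of UDP traffic
! towards subscriber 10.1.2.4, which is being attacked from the network side.
SCE2000(config if)# attack-filter force-filter protocol UDP attack-direction single-side-destination ip 10.1.2.4 side subscriber action block

! A dual-sided attack-direction needs both the source and the destination address.
SCE2000(config if)# attack-filter force-filter protocol UDP attack-direction dual-sided source-ip 192.0.2.10 dest-ip 10.1.2.4 side subscriber action block

! Remove the manual entries once the thresholds have been corrected or the attack is over.
SCE2000(config if)# no attack-filter dont-filter protocol TCP attack-direction single-side-destination ip 10.1.2.3 side subscriber
SCE2000(config if)# no attack-filter force-filter protocol UDP attack-direction single-side-destination ip 10.1.2.4 side subscriber
SCE2000(config if)# no attack-filter force-filter protocol UDP attack-direction dual-sided source-ip 192.0.2.10 dest-ip 10.1.2.4 side subscriber
```

Note that a force-filter entry with action block drops all traffic matching the protocol and address it names, not only the attack traffic, so it is a blunt instrument: use it for the duration of the incident, then remove it with the no form and fix the attack-detector thresholds so the platform handles the next occurrence automatically.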
Options
In addition to the attack detector options described above, the following options are available:
• ip-address — the IP address for which to prevent (or force) attack filtering. If attack-direction is dual-sided, an IP address must be configured for both the source (source-ip-address) and the destination (dest-ip-address) sides.