11-3
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Attack Filtering and Attack Detection
Note that specific attack filtering is configured in two steps:
•
Enabling specific IP filtering for the particular attack type.
•
Configuring an attack detector for the relevant attack type. Each attack detector specifies the
thresholds that define an attack and the action to be taken when an attack is detected.
In addition to specific attack detectors, a default detector exists that can be configured with
user-defined thresholds and action, or system defaults may be retained.
In addition, the user can manually override the configured attack detectors to either force or prevent
attack filtering in a particular situation.
Specific IP filtering for selected attack types is enabled with the following parameters. These parameters
control which of the 32 attack types are being filtered for:
•
Protocol
— TCP, UDP, ICMP, or Other
•
Attack direction
— The direction of the attack may be identified by only one IP address or by two
IP addresses:
–
single side
— The attack is identified by either the source IP address or the destination address
only.
The filter definition may specify the specific side, or may include any single side attack, regardless
of side (both).
–
dual side
(TCP and UDP protocols only) — The attack is identified by both the source and
destination IP addresses. In other words, when a specific IP attacks a specific IP, this is detected
as one incident rather than as two separate incidents.
•
Destination port
(TCP and UDP protocols only) — Defines whether specific IP detection is enabled
or disabled for port-based or port-less detections. Enable port-based detection for TCP/UDP attacks
that have a fixed destination port or ports.
The list of destination ports for port-based detection is configured separately. (See
Specific Attack
Detectors, page 11-13
.)
Attack Detection
Specific IP detections are identified with the following parameters:
•
Specific IP address (or two IP addresses for dual-sided detections)
•
Protocol — TCP, UDP, ICMP or Other
•
Port — For TCP/UDP attacks that have a fixed destination port
•
Side — Interface (Subscriber/Network) from which attack packets are sent
•
Attack-direction — If a single IP address is specified, the IP address is an attack-source or an
attack-destination address.
The system can identify a maximum of 1000 independent, simultaneous attacks.