Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
Options
The following options are available:
• attack-detector — The attack detector being configured; in this case, the default attack detector.
• protocol — Defines the protocol to which the default attack detector applies.
• attack-direction — Defines whether the default attack detector applies to single-sided or dual-sided attacks.
• destination port (TCP and UDP protocols only) — Defines whether the default attack detector applies to port-based or port-less detections.
• side — Defines whether the default attack detector applies to attacks originating at the subscriber or network side.
• action — Default action:
  – report (default) — Report the beginning and end of the attack by writing to the attack-log.
  – block — Block all further flows that are part of this attack; the SCE platform drops the packets.
• Thresholds:
  – open-flows-rate — Default threshold for rate of open flows.
  – suspected-flows-rate — Default threshold for rate of suspected DDoS flows.
  – suspected-flows-ratio — Default threshold for ratio of suspected flow rate to open flow rate.
• Use the appropriate keyword to enable or disable subscriber notification by default:
  – notify-subscriber — Enable subscriber notification.
  – don't-notify-subscriber — Disable subscriber notification.
• Use the appropriate keyword to enable or disable sending an SNMP trap by default:
  – alarm — Enable sending an SNMP trap.
  – no-alarm — Disable sending an SNMP trap.
How to Define the Default Action and Optionally the Default Thresholds
Defaults
The default values for the default attack detector are:
• Action — Report
• Thresholds — Varies according to the attack type
• Subscriber notification — Disabled
• Sending an SNMP trap — Disabled