Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
The following settings are configurable for each attack type in each attack detector. Each setting can
either be in a 'not configured' state (which is the default), or be configured with a specific value.
• action — Action:
  – report (default) — Report the beginning and end of the attack by writing to the attack-log.
  – block — Block all further flows that are part of this attack; the SCE platform drops the packets.
• Thresholds:
  – open-flows-rate — Default threshold for rate of open flows.
  – suspected-flows-rate — Default threshold for rate of suspected DDoS flows.
  – suspected-flows-ratio — Default threshold for ratio of suspected flow rate to open flow rate.
• Use the appropriate keyword to enable or disable subscriber notification by default:
  – notify-subscriber — Enable subscriber notification.
  – don't-notify-subscriber — Disable subscriber notification.
• Use the appropriate keyword to enable or disable sending an SNMP trap by default:
  – alarm — Enable sending an SNMP trap.
  – no-alarm — Disable sending an SNMP trap.
How to Enable a Specific Attack Detector and Assign it an ACL
Step 1  From the SCE(config if)# prompt, type attack-detector number access-list (aclnumber|none) [comment comment] and press Enter.
Enables the attack detector and assigns it the specified ACL.
How to Define the Action and Optionally the Thresholds for a Specific Attack Detector
Step 1  From the SCE(config if)# prompt, type attack-detector number protocol (((TCP|UDP) [dest-port (specific|not-specific|both)])|ICMP|other|all) attack-direction (single-side-source|single-side-destination|single-side-both|dual-sided|all) side (subscriber|network|both) [action (report|block)] [open-flows-rate number suspected-flows-rate rate suspected-flows-ratio ratio] and press Enter.
Defines the action of the specified attack detector
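
The command syntax printed in the step above, encoded as a lint check for attack-detector lines before they are pushed to a device. This is an added example, not part of the Cisco guide or Cisco code. The sample lines are constructed; the integer-only thresholds, the helper names and the review rule for block are assumptions.

```python
import re

# Syntax transcribed from the command printed in the step above; keywords are
# matched exactly as printed. Integer thresholds, the helper names and the
# "block without thresholds" review rule are assumptions of this example.
PATTERN = re.compile(
    r"attack-detector (?P<number>\d+)"
    r" protocol (?P<protocol>TCP|UDP|ICMP|other|all)"
    r"(?: dest-port (?P<dest_port>specific|not-specific|both))?"
    r" attack-direction (?P<direction>single-side-source|single-side-destination"
    r"|single-side-both|dual-sided|all)"
    r" side (?P<side>subscriber|network|both)"
    r"(?: action (?P<action>report|block))?"
    # The three thresholds are printed inside one bracket: all or none.
    r"(?: open-flows-rate (?P<open_flows_rate>\d+)"
    r" suspected-flows-rate (?P<suspected_flows_rate>\d+)"
    r" suspected-flows-ratio (?P<suspected_flows_ratio>\d+))?"
)

def lint(line):
    """Return (fields, problems) for one attack-detector command line."""
    m = PATTERN.fullmatch(" ".join(line.split()))
    if m is None:
        return None, ["does not match the printed syntax"]
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    problems = []
    # dest-port sits inside the (TCP|UDP) branch of the printed syntax.
    if "dest_port" in fields and fields["protocol"] not in ("TCP", "UDP"):
        problems.append("dest-port applies only to TCP or UDP")
    # Assumed review rule: flag drops that rely on unconfigured thresholds.
    if fields.get("action") == "block" and "open_flows_rate" not in fields:
        problems.append("action block set while thresholds are left not configured")
    return fields, problems

SAMPLES = [  # constructed sample lines, not taken from a real device
    "attack-detector 1 protocol TCP dest-port specific attack-direction "
    "single-side-destination side both action report open-flows-rate 500 "
    "suspected-flows-rate 250 suspected-flows-ratio 50",
    "attack-detector 1 protocol ICMP dest-port both attack-direction all "
    "side network action report",
    "attack-detector 2 protocol UDP attack-direction dual-sided side "
    "subscriber action block open-flows-rate 500",
    "attack-detector 2 protocol all attack-direction all side both action block",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(lint(sample)[1] or "ok", "<-", sample)
```
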