Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
Sample Attack Detector Configuration
The following configuration changes the default user threshold values used for detecting ICMP attacks,
and configures an attack-detector with high thresholds for UDP attacks, preventing false detections of
two DNS servers (10.1.1.10 and 10.1.1.13) as being attacked.
Step 1
From the SCE(config)# prompt, type
interface linecard 0
and press Enter.
Enters linecard interface configuration mode.
Step 2
From the SCE(config if)# prompt, type
attack-detector default protocol ICMP attack-direction single-side-source action report open-flow-rate 1000 suspected-flows-rate 100 suspected-flows-ratio 10
and press Enter.
Configures the default ICMP threshold and action.
Step 3
From the SCE(config if)# prompt, type
attack-detector 1 access-list 3 UDP-ports-list 53 comment "DNS servers"
and press Enter.
Enables attack detector #1, assigns ACL #3 to it, and defines the list of UDP destination ports with one
port, port 53.
Step 4
From the SCE(config if)# prompt, type
attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination action report open-flow-rate 1000000 suspected-flows-rate 1000000
and press Enter.
Defines the thresholds and action for attack detector #1.
Step 5
From the SCE(config if)# prompt, type
attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination side subscriber notify-subscriber
and press Enter.
Enables subscriber notification for attack detector #1.
Step 6
From the SCE(config if)# prompt, type
exit
and press Enter.
Exits the linecard interface configuration mode.
Step 7
Configure ACL #3, which has been assigned to the attack detector.
SCE(config)# access-list 3 permit 10.1.1.10
SCE(config)# access-list 3 permit 10.1.1.13
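
Step 3 assigns ACL #3 to the attack detector before Step 7 defines it, so a session that stops early leaves the detector pointing at an ACL with no entries. The following check is an added example, not part of the Cisco guide: a Python script that reads the commands of Steps 1-7 as text and reports which hosts each attack detector covers. The function name, the finding messages, and the treatment of a detector with thresholds but no ACL as a finding are assumptions of this example.

```python
import re

# Constructed sample: the commands from Steps 1-7, in the order they are typed.
SAMPLE_CONFIG = """\
interface linecard 0
 attack-detector default protocol ICMP attack-direction single-side-source action report open-flow-rate 1000 suspected-flows-rate 100 suspected-flows-ratio 10
 attack-detector 1 access-list 3 UDP-ports-list 53 comment "DNS servers"
 attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination action report open-flow-rate 1000000 suspected-flows-rate 1000000
 attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination side subscriber notify-subscriber
exit
access-list 3 permit 10.1.1.10
access-list 3 permit 10.1.1.13
"""

DETECTOR_ACL = re.compile(r"^attack-detector (\d+) access-list (\d+)\b")
DETECTOR_RULE = re.compile(r"^attack-detector (\d+) protocol\b")
ACL_PERMIT = re.compile(r"^access-list (\d+) permit (\S+)")

def audit_attack_detectors(config_text):
    """Return (hosts covered per detector number, list of findings)."""
    detector_acl, detectors_with_rules, acl_hosts = {}, set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := DETECTOR_ACL.match(line):
            detector_acl[m.group(1)] = m.group(2)
        elif m := DETECTOR_RULE.match(line):   # "default" has no number: skipped
            detectors_with_rules.add(m.group(1))
        elif m := ACL_PERMIT.match(line):
            acl_hosts.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    # Assumption: thresholds on a detector with no ACL assigned are a mistake.
    for det in sorted(detectors_with_rules - set(detector_acl)):
        findings.append(f"detector {det}: thresholds set but no access-list assigned")
    coverage = {}
    for det, acl in sorted(detector_acl.items()):
        coverage[det] = acl_hosts.get(acl, [])
        if not coverage[det]:
            findings.append(f"detector {det}: access-list {acl} has no permit entries")
    return coverage, findings

if __name__ == "__main__":
    hosts, problems = audit_attack_detectors(SAMPLE_CONFIG)
    print(hosts, problems)
```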