11-29
Cisco SCE 2000 and SCE 1000 Software Configuration Guide
OL-7827-12
Chapter 11 Identifying and Preventing Distributed-Denial-Of-Service Attacks
Monitoring Attack Filtering
How to display the list of ports selected for subscriber notification
Step 1
From the SCE> prompt, type
show interface linecard 0 attack-filter subscriber-notification ports
and
press
Enter
.
How to find out whether hardware attack filtering has been activated
Step 1
From the SCE> prompt, type
show interface linecard 0 attack-filter current-attacks
and press
Enter
.
In the output from this command, look for the "HW-filter" field. If this field is "yes", the user must take
into account the probable inaccuracies in the attack reporting.
Note that this information also appears in the attack log file.
|---------------|-----------|------------|----------|------|------|------
|Source IP -> |Side / |Open rate / |Handled |Action|HW- |force-
| Dest IP|Protocol |Susp. rate | flows / | |filter|filter
| | | |Duration | | |
|---------------|-----------|------------|----------|------|------|------
|10.1.1.1
| Subscriber| 523| 4045|Report|No |No
| *|TCP | 0| 9| | |
|---------------|-----------|------------|----------|------|------|------
The Attack Log
•
How to View the Attack Log, page 11-30
•
How to Copy the Attack Log to a File, page 11-30
The attack-log contains a message for each specific-IP detection of attack beginning and attack end.
Messages are in CSV format.
The message for detecting attack beginning contains the following data:
•
IP address (Pair of addresses, if detected)
•
Protocol Port number (If detected)
•
Attack-direction (Attack-source or Attack-destination)
•
Interface of IP address (subscriber or network)
•
Open-flows-rate, suspected-flows-rate and suspected-flows-ratio at the time of attack detection
•
Threshold values for the detection
•
Action taken