12-32
Cisco SCE 8000 10GBE Software Configuration Guide
OL-30621-02
Chapter 12 Identifying and Preventing Distributed Denial-of-Service Attacks
Monitoring Attack Filtering
How to Find out Whether Hardware Attack Filtering has been Activated
Step 1  From the SCE> prompt, type show interface linecard 0 attack-filter current-attacks and press Enter.
In the output from this command, look for the "HW-filter" field. If this field is "yes", the user must take
into account the probable inaccuracies in the attack reporting.
Note that this information also appears in the attack log file.
---|---------------|-----------|------------|----------|------|------|------
---|Source IP -----|Side /     |Open rate / |Handled   |Action|HW-   |force-
---|        Dest IP|Protocol   |Susp. rate  | flows /  |      |filter|filter
---|               |           |            |Duration  |      |      |
---|---------------|-----------|------------|----------|------|------|------
   |10.1.1.1       |Subscriber |         523|      4045|Report|No    |No
   |              *|TCP        |           0|         9|      |      |
---|---------------|-----------|------------|----------|------|------|------
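One way to automate the HW-filter check from Step 1, as an added example that is not part of the Cisco guide: it parses captured output of the command and returns the entries whose HW-filter field is yes. The second sample entry and the function names are constructed for illustration, and the counters are assumed to be integers.

```python
# Constructed capture: the first entry is the one shown in the guide; the
# second entry (10.1.1.2, HW-filter "Yes") is made up for this example.
SAMPLE = """\
---|---------------|-----------|------------|----------|------|------|------
---|Source IP -----|Side /     |Open rate / |Handled   |Action|HW-   |force-
---|        Dest IP|Protocol   |Susp. rate  | flows /  |      |filter|filter
---|               |           |            |Duration  |      |      |
---|---------------|-----------|------------|----------|------|------|------
   |10.1.1.1       |Subscriber |         523|      4045|Report|No    |No
   |              *|TCP        |           0|         9|      |      |
   |10.1.1.2       |Network    |        9000|    120000|Block |Yes   |No
   |              *|UDP        |        8500|        42|      |      |
---|---------------|-----------|------------|----------|------|------|------
"""

def parse_current_attacks(text):
    """Return one dict per attack entry (each entry spans two table rows)."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Separator and header rows start with '---'; data rows start blank.
        if len(cells) < 8 or cells[0].startswith("-"):
            continue
        rows.append(cells[1:8])
    entries = []
    for top, bottom in zip(rows[0::2], rows[1::2]):
        entries.append({
            "source_ip": top[0], "dest_ip": bottom[0],
            "side": top[1], "protocol": bottom[1],
            "open_rate": int(top[2]), "susp_rate": int(bottom[2]),
            "handled_flows": int(top[3]), "duration": int(bottom[3]),
            "action": top[4],
            "hw_filter": top[5].lower() == "yes",
            "force_filter": top[6].lower() == "yes",
        })
    return entries

def hw_filtered(entries):
    """Entries whose reporting may be inaccurate because HW-filter is yes."""
    return [e for e in entries if e["hw_filter"]]

if __name__ == "__main__":
    for e in hw_filtered(parse_current_attacks(SAMPLE)):
        print(f"{e['source_ip']} -> {e['dest_ip']} ({e['protocol']}): "
              "HW filter active, treat reported figures as approximate")
```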
Viewing the Attack Log
• How to View the Attack Log, page 12-33
• How to Copy the Attack Log to a File, page 12-33
The Attack Log
The attack-log contains a message for each specific-IP detection of attack beginning and attack end.
Messages are in CSV format.
The message for detecting attack beginning contains the following data:
• IP address (Pair of addresses, if detected)
• Protocol Port number (If detected)
• Attack-direction (Attack-source or Attack-destination)
• Interface of IP address (subscriber or network)
• Open-flows-rate, suspected-flows-rate and suspected-flows-ratio at the time of attack detection
• Threshold values for the detection
• Action taken
The message for detecting attack end contains the following data:
• IP address (Pair of addresses, if detected)
• Protocol Port number (If detected)
• Attack-direction (Attack-source or Attack-destination)
• Interface of IP address
• Number of attack flows reported/blocked
• Action taken