SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 9-1
This chapter describes the ability of the SCE 1000 to identify and prevent DoS and DDoS attacks,
and the various procedures for configuring and monitoring the Attack Filter Module.
This chapter contains the following sections:
• Attack Filtering 9-1
• Attack Detection 9-2
• Attack Detection Thresholds 9-3
• Attack Handling 9-3
• Configuring Attack Detectors 9-5
• Configuring Subscriber Notifications 9-11
• Managing Attack Filtering 9-12
• Monitoring Attack Filtering 9-14
Attack Filtering
The SCE 1000 includes enhanced capabilities for identifying DoS and DDoS attacks and
protecting against them. Previous versions of the SEos provided a means to monitor the entire link
and identify a global increase in the flow-open rate, which is indicative of a DoS attack.
The new SEos that runs on the SCE 1000 extends this concept by improving the detection
mechanism, adding individual IP address granularity, and providing a set of actions to report
the attack to the operator, block it, and notify the subscriber.
The system tracks the following two metrics to identify an abnormal increase in flows/connections:
• open-flows: Total number of flows (TCP, UDP, ICMP, other) that are concurrently open
• ddos-suspected-flows: Total number of flows that are possible suspects of being part of a
denial-of-service attack because they are unestablished (in TCP the 3-way handshake is
incomplete; in UDP/ICMP/OTHER, fewer than 3 packets have been transmitted on the flow).
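The following is an added example (not Cisco's code or part of this guide) that computes the two counters exactly as they are defined above, with the per-IP granularity the text mentions: a flow is open once its first packet is seen, and it stays "ddos-suspected" until the TCP 3-way handshake completes or, for UDP/ICMP/other, until 3 packets have been seen. The packet records, addresses and the flag-string convention are constructed for the example.

```python
# Added example (not from the SCE 1000 guide): open-flows and
# ddos-suspected-flows counters per initiating IP, using the definitions
# in the text. All packet records below are constructed sample data.

NON_TCP_ESTABLISH_PKTS = 3  # UDP/ICMP/other: fewer than 3 packets => unestablished


class FlowTracker:
    def __init__(self):
        self.flows = {}  # canonical 5-tuple -> flow state

    def packet(self, proto, src, dst, sport=0, dport=0, flags=""):
        """Feed one packet; flags is a string of TCP flag letters ('S', 'SA', 'A')."""
        # sort the endpoints so both directions of a flow share one key
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        f = self.flows.setdefault(key, {"initiator": src, "pkts": 0,
                                        "syn": False, "synack": False, "est": False})
        f["pkts"] += 1
        if proto == "TCP":
            # established only once SYN, SYN/ACK and the final ACK have all been seen
            if flags == "S":
                f["syn"] = True
            elif flags == "SA":
                f["synack"] = True
            elif "A" in flags and f["syn"] and f["synack"]:
                f["est"] = True
        else:
            f["est"] = f["pkts"] >= NON_TCP_ESTABLISH_PKTS

    def metrics(self, initiator=None):
        """Return (open_flows, ddos_suspected_flows), optionally for one source IP."""
        sel = [f for f in self.flows.values()
               if initiator is None or f["initiator"] == initiator]
        return len(sel), sum(1 for f in sel if not f["est"])


def sample_tracker():
    t = FlowTracker()
    # legitimate client: complete TCP handshake plus a 3-packet UDP exchange
    t.packet("TCP", "10.0.0.5", "192.0.2.1", 40000, 80, "S")
    t.packet("TCP", "192.0.2.1", "10.0.0.5", 80, 40000, "SA")
    t.packet("TCP", "10.0.0.5", "192.0.2.1", 40000, 80, "A")
    for _ in range(3):
        t.packet("UDP", "10.0.0.5", "192.0.2.53", 50000, 53)
    # suspect host: five half-open TCP flows (SYN only) and a one-packet UDP flow
    for port in range(50100, 50105):
        t.packet("TCP", "10.0.0.9", "192.0.2.1", port, 80, "S")
    t.packet("UDP", "10.0.0.9", "192.0.2.1", 50200, 53)
    return t


if __name__ == "__main__":
    t = sample_tracker()
    print("link:", t.metrics(), "10.0.0.9:", t.metrics("10.0.0.9"))
```

Comparing the per-IP pair against the link-wide pair is what lets the detector attribute the increase to a single source rather than only to the link as a whole.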
CHAPTER 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks