Cisco SCE 1000 2xGBE User's Guide Page 234

Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Attack Detection
SCE 1000 2xGBE Release 2.0.10 User Guide
9-2 OL-7117-02
The above two metrics are maintained for each IP address, and the system tracks their values against pre-defined (and user-configurable) thresholds; an attack is declared for an IP address when one of its thresholds is breached.
Note that the system distinguishes between an Attack-Source and an Attack-Destination. Each attack is associated with an IP address, and that IP address is classified as either the attack source (i.e. it is generating the attack traffic) or the attack destination (i.e. it is being attacked). This parameter is reported later and can also be used when creating filtering and action rules for the DoS mechanism.
Once an attack is identified, the system can be instructed to perform any of the following actions:
• Report: The system will generate an SNMP trap each time an attack 'starts' and 'stops'. The SNMP trap contains the following information fields:
  - A specific IP address
  - Protocol (TCP, UDP, ICMP or Other)
  - Interface (User/Network) behind which the detected IP address is found. This is referred to below as the attack 'side'.
  - Attack direction (whether the IP address is the attack source or the attack destination).
  - Type of threshold breached (open-flows / ddos-suspected-flows) ['attack-start' traps only]
  - Threshold value breached ['attack-start' traps only]
  - Action taken (report, block), indicating the action taken by the SCE 1000 in response to the detection
  - Amount of attack flows blocked/reported, giving the total number of flows blocked or reported by the protection mechanism during the attack ['attack-stop' traps only]
• Block: The system will block all suspected traffic from/to the attack IP address (depending on whether the IP address is an Attack-Source or an Attack-Destination).
• Subscriber notification: When the identified IP address is mapped to a particular subscriber context, the system can be configured to notify the subscriber, using HTTP Redirect, that he is under attack (or that a machine in his network is generating such an attack).
Attack Detection
The attack interface, protocol and specific IP address are detected. When one specific IP address is attacking a different specific IP address, two separate attack detections should be identified, one for the attacking host and one for the attacked host. The system can identify a maximum of 1000 independent, simultaneous attacks.
Attack detections are identified using the following parameters:
• A specific IP address
• Protocol (TCP, UDP, ICMP or Other)
• Interface (User/Network) behind which the detected IP address is found. This is referred to below as the attack side.
• Attack direction (whether the IP address is the attack source or the attack destination address).
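The following Python model is an added illustration of the detection logic described above (per-IP metric tracked against a threshold, a separate detection for the attacking and the attacked host keyed by IP address, protocol, side and direction, attack-start/attack-stop trap records carrying the listed fields, the report versus block action, and the 1000-simultaneous-attack limit). It is not Cisco's implementation or configuration syntax; the threshold value, the flow records and the field names of the trap records are constructed for the example, and only the open-flows metric is modelled (the ddos-suspected-flows metric is treated the same way in the text but is omitted here).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of the per-IP attack detection described on this page.
# Not the SCE 1000's code; field names and thresholds are assumptions.

MAX_SIMULTANEOUS_ATTACKS = 1000   # limit stated in the manual text


@dataclass(frozen=True)
class AttackKey:
    """One detection: an IP address seen as attack source or destination."""
    ip: str
    protocol: str    # "TCP", "UDP", "ICMP" or "Other"
    side: str        # "User" or "Network": interface behind which ip is found
    direction: str   # "source" or "destination"


@dataclass
class Detector:
    open_flow_threshold: int               # attack starts when open flows exceed this
    action: str = "report"                 # "report" or "block"
    max_attacks: int = MAX_SIMULTANEOUS_ATTACKS
    open_flows: dict = field(default_factory=lambda: defaultdict(int))
    active: dict = field(default_factory=dict)   # AttackKey -> flows counted during attack
    traps: list = field(default_factory=list)    # emitted trap-like records

    @staticmethod
    def keys_for(flow):
        # every flow is attributed to two entities, so one host attacking
        # another yields two independent detections (source and destination)
        return (
            AttackKey(flow["src"], flow["proto"], flow["src_side"], "source"),
            AttackKey(flow["dst"], flow["proto"], flow["dst_side"], "destination"),
        )

    def _trap(self, event, key, **extra):
        trap = {"event": event, "ip": key.ip, "protocol": key.protocol,
                "side": key.side, "direction": key.direction, "action": self.action}
        trap.update(extra)
        self.traps.append(trap)

    def flow_opened(self, flow):
        """Process a new flow; returns 'pass', 'report' or 'block'."""
        keys = self.keys_for(flow)
        under_attack = [k for k in keys if k in self.active]
        for k in under_attack:
            self.active[k] += 1            # counted for the attack-stop trap
        if under_attack and self.action == "block":
            return "block"                 # dropped: never becomes an open flow
        verdict = self.action if under_attack else "pass"
        for key in keys:
            self.open_flows[key] += 1
            if (key not in self.active
                    and self.open_flows[key] > self.open_flow_threshold
                    and len(self.active) < self.max_attacks):
                self.active[key] = 1       # the breaching flow is the first counted
                self._trap("attack-start", key, threshold_type="open-flows",
                           threshold_value=self.open_flow_threshold)
                verdict = self.action
        return verdict

    def flow_closed(self, flow):
        """Retire an accepted flow; the attack ends once the metric is back at threshold."""
        for key in self.keys_for(flow):
            self.open_flows[key] = max(0, self.open_flows[key] - 1)
            if key in self.active and self.open_flows[key] <= self.open_flow_threshold:
                handled = self.active.pop(key)
                self._trap("attack-stop", key, flows_handled=handled)


def simulate(action="report", threshold=3):
    """Constructed scenario: one User-side host opens flows to six Network-side hosts."""
    det = Detector(open_flow_threshold=threshold, action=action)
    flows = [{"src": "10.0.0.9", "src_side": "User", "proto": "TCP",
              "dst": f"198.51.100.{i}", "dst_side": "Network"} for i in range(1, 7)]
    verdicts = [det.flow_opened(f) for f in flows]
    for f in flows[:3]:                    # the first three were accepted in both modes
        det.flow_closed(f)
    return verdicts, det.traps


if __name__ == "__main__":
    for mode in ("report", "block"):
        verdicts, traps = simulate(mode)
        print(mode, verdicts)
        for t in traps:
            print("  ", t)
```

In report mode every flow is accepted, so the open-flow count keeps rising and three flows must close before the attack-stop record is emitted; in block mode flows arriving during the attack are dropped and never counted as open, so one close is enough. The `max_attacks` field exists only so the 1000-detection cap can be exercised with a small number.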