Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Attack Handling
SCE 1000 2xGBE Release 2.0.10 User Guide
9-4 OL-7117-02
• Attack end: Reported when both the number of concurrent open-flows and the number of
DDoS-suspected flows are below the threshold value for at least 3 seconds.
• Configuring subscriber-notification:
  • Enabled: If the subscriber IP address is detected to be attacked or attacking, the subscriber
    is notified about the attack.
  • Disabled: The subscriber is not notified about the attack.
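The attack-end rule above is a hold-down timer: any sample at or above a threshold restarts the 3-second wait. The sketch below is an added example, not code from the SCE platform or this guide. The class and function names, the use of a separate threshold per counter, the threshold values and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

HOLD_SECONDS = 3.0  # from the guide: below threshold "for at least 3 seconds"

@dataclass
class AttackEndTracker:
    # Assumption: one threshold per counter; the guide only says "the threshold value".
    open_flows_threshold: int
    suspected_flows_threshold: int
    hold_seconds: float = HOLD_SECONDS
    _below_since: Optional[float] = field(default=None, init=False, repr=False)

    def update(self, ts: float, open_flows: int, suspected_flows: int) -> bool:
        """Feed one counter sample; return True once attack end can be reported."""
        quiet = (open_flows < self.open_flows_threshold
                 and suspected_flows < self.suspected_flows_threshold)
        if not quiet:
            self._below_since = None      # any excursion restarts the hold timer
            return False
        if self._below_since is None:
            self._below_since = ts        # first sample with both counters below
        return ts - self._below_since >= self.hold_seconds

Sample = Tuple[float, int, int]  # (timestamp in seconds, open flows, suspected flows)

def attack_end_time(samples: Iterable[Sample], open_thr: int, susp_thr: int) -> Optional[float]:
    """Return the timestamp at which attack end would be reported, or None."""
    tracker = AttackEndTracker(open_thr, susp_thr)
    for ts, open_flows, suspected in samples:
        if tracker.update(ts, open_flows, suspected):
            return ts
    return None

# Constructed samples for an attack that tapers off with one late spike.
SAMPLES = [
    (0, 1500, 900),
    (1, 900, 400),   # open flows below, suspected flows still above
    (2, 800, 150),   # both below: hold timer starts
    (3, 700, 120),
    (4, 1200, 100),  # open flows spike again: timer is reset
    (5, 600, 90),    # hold timer restarts here
    (6, 500, 80),
    (7, 450, 60),
    (8, 400, 50),    # 3 seconds of quiet reached
    (9, 300, 40),
]

if __name__ == "__main__":
    print("attack end reported at t =", attack_end_time(SAMPLES, 1000, 200))
```

Requiring both counters to stay below threshold for the full hold period keeps a short lull in the middle of an attack from producing a premature attack-end report.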
Subscriber Notification
When an attack is identified, if the IP address is detected on the subscriber side and is mapped to a
subscriber, the system notifies the application about the attack. This enables the application to
notify the subscriber about the attack online by redirecting HTTP requests of this subscriber to a
server that will notify the subscriber of the attack.
In addition, when blocking TCP traffic, the system can be configured to not block certain ports in
order to make this redirection possible. A list of up to three port numbers can be configured to be
un-blockable.
Note that subscriber-notification can only function if it is supported by the Service Control
Application currently loaded to the SCE Platform, and if the application is configured to activate
this capability. To verify whether the application you are using supports attack subscriber
notification, and for details about enabling attack subscriber notification in the application, please
refer to the documentation of the relevant Service Control Application.