Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 9-5
Configuring Attack Detectors
The Cisco attack detection mechanism is controlled by defining and configuring special entities
called Attack Detectors.
There is one attack detector called ‘default’, which is always enabled, and 99 attack detectors
(numbered 1-99), which are disabled by default. Each detector (both the default and detectors 1-99)
can be configured with a separate action and threshold values for all possible combinations of
protocol, direction and side.
When detectors 1-99 are disabled, the default attack detector configuration determines the
thresholds used for detecting an attack, and the action taken by the SCE Platform when an attack
is detected. For each combination of protocol (TCP/UDP/ICMP/Other), attack-direction
(source/destination) and side (Network/Subscriber), a different set of thresholds and a different
action can be set. In addition, subscriber notification can be enabled or disabled at the same
granularity.
The default attack detector should be configured with values that reflect the desired SCE Platform
behavior for the majority of the traffic flows passing through it. However, it is not feasible to use
the same set of values for all the traffic that traverses the SCE 1000, since some network entities
have normal traffic whose characteristics would be considered an attack if it came from most
other network elements. Here are two common examples:
• A DNS server is expected to be the target of many short DNS queries. These queries are
typically UDP flows, each flow consisting of two packets: the request and the response.
Normally, the SCE considers all UDP flows that are opened to the DNS server as
DDoS-suspected flows, since these flows include fewer than 3 packets. A DNS server might serve
hundreds of DNS requests at peak times, so the system should be configured with a
suitable threshold for DDoS-suspected flows for protocol = UDP and direction =
attack-destination. A threshold value of 1000 would probably be suitable for the DNS server.
However, this threshold would be unsuitable for almost all other network elements, since, for
them, being the destination of such a large number of UDP flows would be considered an
attack. Therefore, setting a threshold of 1000 for all traffic is not a good solution.
• The subscriber side of the SCE 1000 might contain many residential subscribers, each having
several computers connected through an Internet connection, and each computer having a
different IP address. In addition, there might be a few business subscribers, each using a NAT
that hides hundreds of computers behind a single IP address. Clearly, the traffic seen for an IP
address of a business subscriber contains significantly more flows than the traffic of an IP
address belonging to a residential subscriber. The same threshold cannot be adequate in both
cases.
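The following added example (not Cisco's code or the SCE's own implementation) models the threshold lookup the two examples above describe: every detector holds a (threshold, action) pair for each protocol/direction/side combination, the ‘default’ detector is always enabled, and a numbered detector can override it for a DNS server with the 1000-flow UDP attack-destination threshold from the first example. The page does not say how a numbered detector is bound to particular addresses, so the `scope` address list is an assumption made here for illustration; the flow records, the default threshold of 100 and the action name "report" are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The combinations the guide enumerates: protocol, attack-direction and side.
PROTOCOLS = ("TCP", "UDP", "ICMP", "Other")
DIRECTIONS = ("attack-source", "attack-destination")
SIDES = ("network", "subscriber")

# A flow with fewer than this many packets counts as DDoS-suspected (from the DNS example).
SUSPECTED_MAX_PACKETS = 3


def uniform_rules(threshold, action):
    """Same (threshold, action) for every protocol/direction/side combination."""
    return {(p, d, s): (threshold, action) for p in PROTOCOLS for d in DIRECTIONS for s in SIDES}


@dataclass
class AttackDetector:
    name: str
    enabled: bool
    rules: dict                                  # (protocol, direction, side) -> (threshold, action)
    scope: list = field(default_factory=list)    # ASSUMPTION: address ranges this detector covers

    def lookup(self, protocol, direction, side):
        return self.rules[(protocol, direction, side)]


def select_detector(detectors, default, ip):
    """First enabled numbered detector whose scope covers ip; otherwise the default detector."""
    addr = ip_address(ip)
    for det in detectors:
        if det.enabled and any(addr in ip_network(net) for net in det.scope):
            return det
    return default


def suspected_flow_counts(flows, protocol):
    """Count DDoS-suspected flows (fewer than 3 packets) per destination address and side."""
    counts = Counter()
    for flow in flows:
        if flow["proto"] == protocol and flow["packets"] < SUSPECTED_MAX_PACKETS:
            counts[(flow["dst"], flow["dst_side"])] += 1
    return counts


def evaluate(flows, detectors, default, protocol="UDP"):
    """Compare each destination's suspected-flow count with its detector's attack-destination threshold."""
    results = {}
    for (dst, side), count in suspected_flow_counts(flows, protocol).items():
        det = select_detector(detectors, default, dst)
        threshold, action = det.lookup(protocol, "attack-destination", side)
        attack = count >= threshold
        results[dst] = {
            "detector": det.name,
            "suspected_flows": count,
            "threshold": threshold,
            "attack": attack,
            "action": action if attack else None,
        }
    return results


def make_flows(dst, side, count, proto="UDP", packets=2):
    """Constructed sample flow records: `count` flows of `packets` packets each towards dst."""
    return [
        {"proto": proto, "src": f"192.0.2.{i % 250 + 1}", "dst": dst, "dst_side": side, "packets": packets}
        for i in range(count)
    ]


# Constructed traffic: a busy DNS server and a residential host on the subscriber side.
FLOWS = (
    make_flows("10.0.0.53", "subscriber", 800)                 # DNS queries, 2 packets each
    + make_flows("10.0.1.7", "subscriber", 120)                # short UDP flows to a residential host
    + make_flows("10.0.1.7", "subscriber", 5, packets=10)      # longer flows, not suspected
)

# Constructed default: threshold 100 suspected flows, action "report" (placeholder action name).
DEFAULT = AttackDetector("default", True, uniform_rules(100, "report"))
# Detector 1 raises the UDP attack-destination threshold to 1000 for the DNS server only.
DNS_DETECTOR = AttackDetector("1", True, uniform_rules(100, "report"), scope=["10.0.0.53/32"])
DNS_DETECTOR.rules[("UDP", "attack-destination", "subscriber")] = (1000, "report")


if __name__ == "__main__":
    for dst, info in evaluate(FLOWS, [DNS_DETECTOR], DEFAULT).items():
        print(dst, info)
    print("with detector 1 disabled:", evaluate(FLOWS, [], DEFAULT)["10.0.0.53"])
```

Running it shows the point of the first example: with detector 1 enabled, the DNS server's 800 short UDP flows stay under its 1000 threshold while the residential host's 120 flows exceed the default of 100; with detector 1 disabled, the DNS server falls back to the default detector and is flagged as under attack.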