Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
SCE 1000 2xGBE Release 2.0.10 User Guide
9-10 OL-7117-02
Use the following command to set the subscriber notification setting for a given attack detector
and a given combination of protocol, direction and side.
To define the subscriber notification setting for a specific attack detector:
Step 1 From the SCE 1000(config if)# prompt, type attack-detector <number> protocol (TCP|UDP|ICMP|other) attack-direction (attack-source|attack-destination|both) side (subscriber|network|both) (notify-subscriber|dont-notify-subscriber) and press Enter.
Use the following command to remove settings of action, thresholds and subscriber notification
for a specific attack detector and combination of protocol, direction and side.
Use the following command to remove the specific user-defined default values for this attack
detector and reinstate the default values.
To delete user-defined values for a specific situation:
Step 1 From the SCE 1000(config if)# prompt, type default attack-detector <number> protocol (TCP|UDP|ICMP|other) attack-direction (attack-source|attack-destination|both) side (subscriber|network|both) (notify-subscriber|dont-notify-subscriber) and press Enter.
Sample Attack Detector Configuration
The following configuration changes the default user threshold values used for detecting ICMP
attacks, and configures an attack detector with high thresholds for UDP attacks, which prevents
two DNS servers (10.1.1.10 and 10.1.1.13) from being falsely detected as under attack.
(First enter the linecard interface configuration mode.)
SCE 1000(config)# interface linecard 0
(Configure the default ICMP threshold and action.)
SCE 1000(config if)# attack-detector default protocol ICMP attack-direction attack-source action report open-flows 100 ddos-suspected-flows 100
(Enable attack detector #1 and assign ACL #3 to it.)
SCE 1000(config if)# attack-detector 1 access-list 3 comment "DNS servers"
(Define the thresholds and action for attack detector #1.)
SCE 1000(config if)# attack-detector 1 protocol UDP attack-direction attack-destination action report open-flows 1000000 ddos-suspected-flows 1000000
(Enable subscriber notification for attack detector #1.)
SCE 1000(config if)# attack-detector 1 protocol UDP attack-direction attack-destination side subscriber notify-subscriber
(Exit the linecard interface configuration mode.)
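
The script below is an added example, not part of the Cisco guide: it parses attack-detector commands against the option values listed above and flags two things to review in a saved configuration: detectors that carry settings but were never assigned an access list, and thresholds high enough to suppress detection for the covered hosts (as the sample does on purpose for the DNS servers). The names parse_command and audit, the high_threshold cutoff, and the prompt-free input format are assumptions of this example.

```python
import shlex

ALLOWED = {  # option values exactly as listed in the command syntax above
    "protocol": {"TCP", "UDP", "ICMP", "other"},
    "attack-direction": {"attack-source", "attack-destination", "both"},
    "side": {"subscriber", "network", "both"},
}
VALUE_KEYS = set(ALLOWED) | {"access-list", "comment", "action",
                             "open-flows", "ddos-suspected-flows"}
FLAGS = {"notify-subscriber": True, "dont-notify-subscriber": False}

# Constructed input: the sample configuration's commands, prompts removed.
SAMPLE = """\
attack-detector default protocol ICMP attack-direction attack-source action report open-flows 100 ddos-suspected-flows 100
attack-detector 1 access-list 3 comment "DNS servers"
attack-detector 1 protocol UDP attack-direction attack-destination action report open-flows 1000000 ddos-suspected-flows 1000000
attack-detector 1 protocol UDP attack-direction attack-destination side subscriber notify-subscriber
"""

def parse_command(line):
    """Parse one attack-detector command into a dict; ValueError on bad syntax."""
    tok = shlex.split(line)
    if len(tok) < 3 or tok[0] != "attack-detector":
        raise ValueError(f"not an attack-detector command: {line!r}")
    if tok[1] != "default" and not tok[1].isdigit():
        raise ValueError(f"bad detector id {tok[1]!r}")
    rec, i = {"detector": tok[1]}, 2
    while i < len(tok):
        key = tok[i]
        if key in FLAGS:                      # bare keyword, takes no value
            rec["notify"], i = FLAGS[key], i + 1
        elif key in VALUE_KEYS and i + 1 < len(tok):
            if key in ALLOWED and tok[i + 1] not in ALLOWED[key]:
                raise ValueError(f"bad {key} value {tok[i + 1]!r}")
            rec[key], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {key!r} in {line!r}")
    return rec

def audit(config, high_threshold=100000):  # high_threshold: reviewer's assumption
    """Return (detector, finding) pairs worth a manual review."""
    recs = [parse_command(l) for l in config.splitlines() if l.strip()]
    with_acl = {r["detector"] for r in recs if "access-list" in r}
    findings = [(d, "settings defined but no access-list assigned")
                for d in sorted({r["detector"] for r in recs} - with_acl - {"default"})]
    for r in recs:
        for key in ("open-flows", "ddos-suspected-flows"):
            if key in r and int(r[key]) >= high_threshold:
                findings.append((r["detector"], f"{key} {r[key]} for {r.get('protocol')}"))
    return findings
```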