Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Managing Attack Filtering
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02
After the attack detectors are configured, the SCE Platform automatically detects attacks and handles
them according to the configuration. However, there are scenarios in which manual intervention
is desired, either for debugging purposes or because it is not trivial to reconfigure the SCE attack
detectors properly. For example:
• The SCE Platform has detected an attack, but the user knows this to be a false alarm. The
proper action that should be taken by the user is to configure the system with higher
thresholds (for the whole IP range, or maybe for specific IP addresses). However, this might
take time, and, if attack handling is specified as ‘Block’, the user may wish to stop the block
action for this specific attack quickly, leaving the configuration changes for a future time
when there is time to plan the needed changes properly.
Use the dont-filter command described below for this type of case.
• An ISP is informed that one of its subscribers is the target of a UDP attack from the
network side. The ISP wants to protect the subscriber from this attack by blocking all UDP
traffic to the subscriber, but unfortunately the SCE Platform did not recognize the attack.
(Alternatively, it could be that the attack was recognized, but the configured action was
‘report’ and not ‘block’.)
Use the force-filter command described below for this type of case.
The user can use the CLI attack filtering commands to do the following:
• Prevent/stop filtering of an attack related to a specified IP address
• Force filtering of an attack related to a specified IP address
Use the following commands to either force or prevent attack filtering:
• attack-filter slot 0 dont-filter
• attack-filter slot 0 force-filter
• no attack-filter slot 0 dont-filter all
• no attack-filter slot 0 force-filter all
Note
All the above CLI commands are privileged exec commands. If you are in line interface configuration mode,
you must exit to the privileged exec mode and see the SCE 1000# prompt displayed.