Cisco SCE 1000 2xGBE User's Guide Page 409
Appendix B
SCE Events: pcubeSeEvents
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 B-15
Source of the attack is detected (at the subscriber side, IP address = 10.1.4.134, attacking the network side using UDP, number of open flows = 10000, configured action is ‘report’):
Attack detected: Attack from IP address 10.1.4.134, from subscriber side, protocol UDP. 10000 concurrent open flows detected, 57 concurrent Ddos-suspected flows detected. Action is: Report.
Target of the attack is detected (at the network side, IP address = 10.1.4.135, being attacked from the subscriber side using ICMP, number of ddos-suspected flows = 500, configured action is ‘block’):
Attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol ICMP. 745 concurrent open flows detected, 500 concurrent Ddos-suspected flows detected. Action is: Block.
Forced filtering using the ‘force-filter’ command:
Action is ‘block’, attack-direction is attack-source, side is subscriber, IP address = 10.1.1.1, and protocol is TCP:
Attack filter: Forced block of flows from IP address 10.1.1.1, from subscriber side, protocol TCP. Attack forced using a force-filter command.
Action is ‘report’, attack-direction is attack-destination, side is subscriber, IP address = 10.1.1.1, and protocol is Other:
Attack filter: Forced report to IP address 10.1.1.1, from network side, protocol Other. Attack forced using a force-filter command.
moduleAttackFilterDeactivatedTrap (pcubeSeEvents 26)
The attack filter module has removed a filter that was previously activated.
Attack filter type: in pcubeSeEventGenericString1 (refer to corresponding
moduleAttackFilterActivatedTrap)
Reason for deactivating the filter: in pcubeSeEventGenericString2
Following are several examples of pcubeSeEventGenericString1 for various scenarios:
Attack end detected automatically (the number of open flows or ddos-suspected flows drops below the minimum value configured for the attack detector):
End-of-attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol UDP. Action is: Report. Duration 20 seconds, attack comprised of 11736 flows.
End-of-attack detected: Attack from IP address 10.1.4.134, from subscriber side, protocol ICMP. Action is: Block. Duration 10 seconds, attack comprised of 2093 flows.
Attack end forced by a ‘dont-filter’ command, or a previous ‘force-filter’ command is removed:
Attack filter: Forced to end block of flows from IP address 10.1.1.1, from subscriber side, protocol TCP. Attack end forced using a 'no force-filter' or a 'dont-filter' command. Duration 6 seconds, 1 flows blocked.
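The strings carried in pcubeSeEventGenericString1 are free text inside an SNMP trap, so a SOC that wants to alert on them has to parse them. The following parser is an added example and is not part of the Cisco guide: it covers the attack-detected, force-filter and end-of-attack formats shown in this appendix (both the activated and the deactivated trap) and lists detected attacks whose configured action was only ‘report’, meaning the SCE did not block them. The sample strings are constructed from the examples on this page.

```python
import re

# Constructed sample traps in the pcubeSeEventGenericString1 format this appendix documents.
SAMPLE_TRAPS = [
    "Attack detected: Attack from IP address 10.1.4.134, from subscriber side, protocol UDP. "
    "10000 concurrent open flows detected, 57 concurrent Ddos-suspected flows detected. Action is: Report.",
    "Attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol ICMP. "
    "745 concurrent open flows detected, 500 concurrent Ddos-suspected flows detected. Action is: Block.",
    "Attack filter: Forced block of flows from IP address 10.1.1.1, from subscriber side, "
    "protocol TCP. Attack forced using a force-filter command.",
    "End-of-attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol UDP. "
    "Action is: Report. Duration 20 seconds, attack comprised of 11736 flows.",
]

# Shared clause: 'from' = attacking host (attack-source), 'on' = attacked host (attack-destination).
_HEAD = (r"Attack (?P<dir>from|on) IP address (?P<ip>[\d.]+), from (?P<side>subscriber|network) side, "
         r"protocol (?P<proto>\w+)\.")
_PATTERNS = {
    "attack_start": re.compile(r"^Attack detected: " + _HEAD + r" (?P<open>\d+) concurrent open flows "
                               r"detected, (?P<ddos>\d+) concurrent Ddos-suspected flows detected\. "
                               r"Action is: (?P<action>\w+)\.$"),
    "attack_end": re.compile(r"^End-of-attack detected: " + _HEAD + r" Action is: (?P<action>\w+)\. "
                             r"Duration (?P<dur>\d+) seconds, attack comprised of (?P<flows>\d+) flows\.$"),
    "forced_filter": re.compile(r"^Attack filter: Forced (?P<action>block|report) (?P<how>of flows from|to) "
                                r"IP address (?P<ip>[\d.]+), from (?P<side>subscriber|network) side, "
                                r"protocol (?P<proto>\w+)\. Attack forced using a force-filter command\.$"),
}

def parse_trap(text: str):
    """Return the structured fields of one trap string, or None if it matches no known format."""
    for kind, pat in _PATTERNS.items():
        m = pat.match(text)
        if not m:
            continue
        f = m.groupdict()
        # Direction: detection traps say 'from'/'on'; forced-filter traps say 'of flows from'/'to'.
        source = f.get("dir") == "from" or f.get("how") == "of flows from"
        out = {"kind": kind, "ip": f["ip"], "side": f["side"], "protocol": f["proto"],
               "action": f["action"].lower(), "direction": "source" if source else "destination"}
        for key, name in (("open", "open_flows"), ("ddos", "ddos_suspected_flows"),
                          ("dur", "duration_seconds"), ("flows", "total_flows")):
            if key in f:
                out[name] = int(f[key])
        return out
    return None

def unmitigated_attacks(traps) -> list:
    """IPs whose detected attack was only reported: the SCE did not block it, so the SOC must act."""
    return [e["ip"] for e in map(parse_trap, traps)
            if e and e["kind"] == "attack_start" and e["action"] == "report"]
```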