Appendix B
SCE Events: pcubeSeEvents
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 B-15
• Source of the attack is detected (at the subscriber side, IP address = 10.1.4.134,
attacking the network side using UDP, number of open flows = 10000, configured action
is ‘report’):
Attack detected: Attack from IP address 10.1.4.134, from
subscriber side, protocol UDP. 10000 concurrent open flows
detected, 57 concurrent Ddos-suspected flows detected.
Action is: Report.
• Target of the attack is detected (at the network side, IP address = 10.1.4.135, being
attacked from the subscriber side using ICMP, number of ddos-suspected flows = 500,
configured action is ‘block’):
Attack detected: Attack on IP address 10.1.4.135, from
subscriber side, protocol ICMP. 745 concurrent open flows
detected, 500 concurrent Ddos-suspected flows detected.
Action is: Block.
• Forced filtering using the ‘force-filter’ command:
• Action is ‘block’, attack-direction is attack-source, side is subscriber, IP address =
10.1.1.1, and protocol is TCP:
Attack filter: Forced block of flows from IP address
10.1.1.1, from subscriber side, protocol TCP. Attack forced
using a force-filter command.
• Action is ‘report’, attack-direction is attack-destination, side is subscriber, IP
address = 10.1.1.1, and protocol is Other (the target is on the subscriber side, so the
filter applies to flows arriving from the network side):
Attack filter: Forced report to IP address 10.1.1.1, from
network side, protocol Other. Attack forced using a force-filter command.
moduleAttackFilterDeactivatedTrap (pcubeSeEvents 26)
The attack filter module has removed a filter that was previously activated.
• Attack filter type: in pcubeSeEventGenericString1 (refer to corresponding
moduleAttackFilterActivatedTrap)
• Reason for deactivating the filter: in pcubeSeEventGenericString2
Following are several examples of pcubeSeEventGenericString1 for various scenarios:
• Attack end detected automatically (the number of open flows or ddos-suspected flows drops
below the minimum value configured for the attack detector):
End-of-attack detected: Attack on IP address 10.1.4.135, from subscriber side, protocol UDP.
Action is: Report. Duration 20 seconds, attack comprised of 11736 flows.
End-of-attack detected: Attack from IP address 10.1.4.134, from subscriber side, protocol
ICMP. Action is: Block. Duration 10 seconds, attack comprised of 2093 flows.
• Attack end forced by a ‘dont-filter’ command, or by removing a previous ‘force-filter’ command (‘no force-filter’):
Attack filter: Forced to end block of flows from IP address 10.1.1.1, from subscriber side,
protocol TCP. Attack end forced using a 'no force-filter' or a 'dont-filter' command. Duration 6
seconds, 1 flows blocked.
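The strings above are free text in pcubeSeEventGenericString1, so a trap receiver or SIEM has to parse them to get the attacked IP, side, protocol, action and flow counts into structured fields, and to pair each activated trap with the deactivated trap that closes it. The following is an added example, not code from the user guide or from Cisco: a parser for the activated and deactivated trap strings shown in this appendix and a correlator that replays them to find filters that are still active. The sample payloads are copied from the examples above (wrapped exactly as printed, since a real trap carries each as one line); the field names, the kind/direction labels and the function names are my own assumptions.

```python
"""Parse SCE attack-filter trap payloads (pcubeSeEventGenericString1).

Added example, not Cisco code. Field names, kind/direction labels and the
correlation logic are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample payloads copied from the examples in this appendix.  A real trap
# carries each one as a single line; parse_trap() collapses the wrapping.
SAMPLE_TRAPS = [
    "Attack detected: Attack from IP address 10.1.4.134, from\nsubscriber side, "
    "protocol UDP. 10000 concurrent open flows\ndetected, 57 concurrent "
    "Ddos-suspected flows detected.\nAction is: Report.",
    "Attack detected: Attack on IP address 10.1.4.135, from subscriber side, "
    "protocol ICMP. 745 concurrent open flows detected, 500 concurrent "
    "Ddos-suspected flows detected. Action is: Block.",
    "Attack filter: Forced block of flows from IP address 10.1.1.1, from "
    "subscriber side, protocol TCP. Attack forced using a force-filter command.",
    "Attack filter: Forced report to IP address 10.1.1.1, from network side, "
    "protocol Other. Attack forced using a force-filter command.",
    "End-of-attack detected: Attack on IP address 10.1.4.135, from subscriber "
    "side, protocol UDP. Action is: Report. Duration 20 seconds, attack "
    "comprised of 11736 flows.",
    "End-of-attack detected: Attack from IP address 10.1.4.134, from subscriber "
    "side, protocol ICMP. Action is: Block. Duration 10 seconds, attack "
    "comprised of 2093 flows.",
    "Attack filter: Forced to end block of flows from IP address 10.1.1.1, from "
    "subscriber side, protocol TCP. Attack end forced using a 'no force-filter' "
    "or a 'dont-filter' command. Duration 6 seconds, 1 flows blocked.",
]

# Leading part shared by all variants: event kind, optional "Forced [to end] block|report",
# "from|on|to IP address", the side the attack comes from, and the protocol.
_HEAD = re.compile(
    r"^(?P<kind>Attack detected|End-of-attack detected|Attack filter): "
    r"(?:Attack |Forced (?P<ended>to end )?(?P<faction>block|report) (?:of flows )?)"
    r"(?P<dir>from|on|to) IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"from (?P<side>subscriber|network) side, protocol (?P<proto>\w+)\."
)
_FLOWS = re.compile(r"(?P<open>\d+) concurrent open flows detected, "
                    r"(?P<ddos>\d+) concurrent Ddos-suspected flows detected\.")
_ACTION = re.compile(r"Action is: (?P<action>Report|Block)\.")
_DURATION = re.compile(r"Duration (?P<dur>\d+) seconds, "
                       r"(?:attack comprised of (?P<n>\d+) flows|(?P<n2>\d+) flows blocked)\.")


@dataclass(frozen=True)
class AttackEvent:
    kind: str        # attack_start | attack_end | forced_start | forced_end (labels are mine)
    direction: str   # attack-source (IP is the attacker) | attack-destination (IP is the target)
    ip: str
    side: str        # subscriber | network: the side the attack traffic comes FROM
    protocol: str
    action: str      # Report | Block
    open_flows: Optional[int] = None
    ddos_flows: Optional[int] = None
    duration_s: Optional[int] = None
    flows: Optional[int] = None

    @property
    def key(self) -> Tuple[str, str, str, str]:
        """Filter identity: the same tuple appears in the activated and deactivated trap."""
        return (self.ip, self.side, self.protocol, self.direction)


def parse_trap(text: str) -> AttackEvent:
    """Parse one pcubeSeEventGenericString1 payload; raise ValueError if not recognised."""
    s = " ".join(text.split())          # undo line wrapping / repeated spaces
    m = _HEAD.match(s)
    if not m:
        raise ValueError(f"unrecognised attack-filter trap string: {s!r}")
    if m["kind"] == "Attack detected":
        kind = "attack_start"
    elif m["kind"] == "End-of-attack detected":
        kind = "attack_end"
    else:
        kind = "forced_end" if m["ended"] else "forced_start"
    # "from IP address" names the attacker; "on"/"to IP address" names the victim.
    direction = "attack-source" if m["dir"] == "from" else "attack-destination"
    a, f, d = _ACTION.search(s), _FLOWS.search(s), _DURATION.search(s)
    action = a["action"] if a else (m["faction"] or "").capitalize()
    return AttackEvent(
        kind=kind, direction=direction, ip=m["ip"], side=m["side"],
        protocol=m["proto"], action=action,
        open_flows=int(f["open"]) if f else None,
        ddos_flows=int(f["ddos"]) if f else None,
        duration_s=int(d["dur"]) if d else None,
        flows=int(d["n"] or d["n2"]) if d else None,
    )


def active_filters(events: List[AttackEvent]) -> Tuple[Dict[tuple, AttackEvent], List[AttackEvent]]:
    """Replay traps in order: return filters still active, plus end traps with no matching start.

    An end trap whose start was never seen (lost trap, SCE reload, receiver restart)
    is returned instead of being dropped, so the operator can reconcile it.
    """
    active: Dict[tuple, AttackEvent] = {}
    orphans: List[AttackEvent] = []
    for ev in events:
        if ev.kind.endswith("_start"):
            active[ev.key] = ev
        elif ev.key in active:
            del active[ev.key]
        else:
            orphans.append(ev)
    return active, orphans


if __name__ == "__main__":
    evs = [parse_trap(t) for t in SAMPLE_TRAPS]
    still_on, orphans = active_filters(evs)
    for k in still_on:
        print("active filter:", k)
    for o in orphans:
        print("end-of-attack without matching start:", o.key)
```

Run against the appendix's own examples, the correlator leaves three filters active (10.1.4.134 UDP, 10.1.4.135 ICMP, and the forced report for 10.1.1.1 from the network side) and reports two unmatched end traps: the two End-of-attack examples above name different protocols than the Attack detected examples, which is exactly the situation a receiver must surface rather than hide.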