User guide
Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
SCE 1000 2xGBE Release 2.0.10 User Guide
OL-7117-02 9-3
Attack detection and handling are user-configurable. The remainder of this chapter explains how
to configure and monitor attack detection.
Attack Detection Thresholds
There are two counters that are used for attack detection. These counters are maintained by the
SCE Platform for each IP address, protocol, interface and attack-direction.
• Concurrently open flows: The number of flows that have been opened and have not yet been closed by TCP FIN or by aging.
• DDoS-suspected open flows: The definition of a DDoS-suspected open flow varies according to the protocol:
  • TCP flows: A flow for which the first payload packet has not been detected. (Also called un-established.)
  • All other flows: A flow for which fewer than three packets have been detected.
Note that every flow begins life in the SCE 1000 as a DDoS-suspected flow, and stops being
DDoS-suspected when the system determines that it is carrying a real TCP connection or that
its length identifies it as a normal flow. When observing traffic related to a specific IP address, it
is expected that under normal conditions there will not be many DDoS-suspected flows, even
though there might be a lot of concurrently open flows.
The system has a separate default threshold for the number of concurrently open flows and
DDoS-suspected open flows. If either threshold is crossed for a particular IP address/interface
combination, an attack is declared for that IP address. When the number of flows decreases and
the threshold is crossed in the opposite direction for more than three seconds, the system declares
that the attack has ended.
The user may define values for these thresholds that override the preset defaults. It is also possible
to configure specific thresholds for certain conditions (per IP range, protocol, interface and attack
direction). This enables the user to set different detection criteria for different types of network
entities, such as a server farm, DNS server, or large enterprise customer.
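The following Python model is an added example written for this page; it is not code from the guide or from the SCE platform. It implements the two per-entity counters (concurrently open flows and DDoS-suspected open flows, keyed by IP address, protocol, interface and direction), the protocol-dependent definition of a DDoS-suspected flow, the attack-start rule (either threshold crossed) and the attack-end rule (below threshold for more than three seconds), plus a per-IP-range threshold override of the kind described above. The numeric thresholds, the addresses, the interface name `gbe0`, the `ThresholdOverride` class and the flow stream are all constructed assumptions, since this excerpt does not state the platform's default values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str, str]  # (ip, protocol, interface, direction)

# Constructed defaults for this example; the guide's real default values are not in this excerpt.
DEFAULT_OPEN_FLOWS = 1000
DEFAULT_SUSPECTED_FLOWS = 100
END_HOLD_SECONDS = 3.0  # guide: threshold re-crossed downward for more than three seconds


@dataclass
class Flow:
    key: Key
    packets: int = 0
    payload_seen: bool = False  # TCP: first payload packet observed (flow is "established")
    closed: bool = False        # closed by TCP FIN or by aging

    def ddos_suspected(self) -> bool:
        if self.key[1] == "tcp":
            return not self.payload_seen   # un-established TCP flow
        return self.packets < 3            # any other protocol: fewer than three packets


@dataclass
class ThresholdOverride:
    """Assumed shape of a per-condition override: IP range plus optional protocol/interface/direction."""
    ip_range: ipaddress.IPv4Network
    protocol: Optional[str]
    interface: Optional[str]
    direction: Optional[str]
    open_flows: int
    suspected_flows: int

    def matches(self, key: Key) -> bool:
        ip, proto, iface, direction = key
        return (ipaddress.ip_address(ip) in self.ip_range
                and self.protocol in (None, proto)
                and self.interface in (None, iface)
                and self.direction in (None, direction))


class AttackDetector:
    def __init__(self, overrides=()):
        self.overrides = list(overrides)
        self.flows: Dict[str, Flow] = {}
        self.state: Dict[Key, dict] = {}     # per entity: attacking flag and below-threshold timer
        self.events: List[tuple] = []        # attack-start / attack-end reports

    def thresholds(self, key: Key) -> Tuple[int, int]:
        for ov in self.overrides:            # first matching specific override wins
            if ov.matches(key):
                return ov.open_flows, ov.suspected_flows
        return DEFAULT_OPEN_FLOWS, DEFAULT_SUSPECTED_FLOWS

    def counters(self, key: Key) -> Tuple[int, int]:
        live = [f for f in self.flows.values() if f.key == key and not f.closed]
        return len(live), sum(f.ddos_suspected() for f in live)

    def open_flow(self, flow_id: str, key: Key) -> None:
        self.flows[flow_id] = Flow(key)      # every flow starts out DDoS-suspected

    def packet(self, flow_id: str, payload: bool = False) -> None:
        f = self.flows[flow_id]
        f.packets += 1
        f.payload_seen = f.payload_seen or payload

    def close_flow(self, flow_id: str) -> None:
        self.flows[flow_id].closed = True    # FIN or aging

    def evaluate(self, key: Key, now: float) -> bool:
        open_cnt, susp_cnt = self.counters(key)
        open_thr, susp_thr = self.thresholds(key)
        over = open_cnt > open_thr or susp_cnt > susp_thr
        st = self.state.setdefault(key, {"attacking": False, "below_since": None})
        if not st["attacking"]:
            if over:                          # either threshold crossed: declare attack
                st["attacking"] = True
                self.events.append(("attack-start", key, now, open_cnt, susp_cnt))
        elif over:
            st["below_since"] = None          # still over threshold: reset the end timer
        elif st["below_since"] is None:
            st["below_since"] = now           # dropped below threshold: start the end timer
        elif now - st["below_since"] > END_HOLD_SECONDS:
            st["attacking"] = False
            st["below_since"] = None
            self.events.append(("attack-end", key, now, open_cnt, susp_cnt))
        return st["attacking"]


def simulate() -> List[tuple]:
    # Constructed scenario: a DNS server range gets a more permissive UDP-suspected threshold.
    dns_override = ThresholdOverride(ipaddress.ip_network("10.0.1.0/24"), "udp", None, "in", 1000, 500)
    det = AttackDetector([dns_override])
    web = ("10.0.0.5", "tcp", "gbe0", "in")
    dns = ("10.0.1.53", "udp", "gbe0", "in")
    for i in range(20):                       # 20 legitimate, established TCP flows
        det.open_flow(f"web-ok-{i}", web)
        det.packet(f"web-ok-{i}", payload=True)
    for i in range(150):                      # 150 SYN-only TCP flows: never established
        det.open_flow(f"web-{i}", web)
        det.packet(f"web-{i}")
    for i in range(150):                      # 150 single-packet UDP flows to the DNS server
        det.open_flow(f"dns-{i}", dns)
        det.packet(f"dns-{i}")
    det.evaluate(web, now=0.0)                # 150 suspected > 100: attack-start
    det.evaluate(dns, now=0.0)                # 150 suspected <= 500 override: no attack
    for i in range(150):                      # the SYN-only flows age out
        det.close_flow(f"web-{i}")
    det.evaluate(web, now=10.0)               # below threshold, end timer starts
    det.evaluate(web, now=12.0)               # only 2 s below, still in attack
    det.evaluate(web, now=14.0)               # more than 3 s below: attack-end
    return det.events
```

Running `simulate()` yields one attack-start report for the web server at t=0 (170 open flows, 150 of them DDoS-suspected) and one attack-end report at t=14 (20 open, 0 suspected); the DNS server never crosses its overridden threshold. The two counters are evaluated separately, which is why the 20 established flows keep the open-flow count non-zero without prolonging the attack.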
Attack Handling
Attack handling can be configured as follows:
• Configuring the action:
  • Report: Attack packets are processed as usual, and the occurrence of the attack is reported.
  • Block: Attack packets are dropped by the SE200, and therefore do not reach their destination.
Regardless of which action is configured, two reports are generated for every attack: one
when the start of an attack is detected, and one when the end of an attack is detected.
Attack start and end are defined as follows:
• Attack start: Reported as soon as the threshold value for concurrent open-flows or DDoS-suspected flows is exceeded.