User guide
Chapter 9 Identifying And Preventing Distributed-Denial-Of-Service Attacks
Configuring Attack Detectors
SCE 1000 2xGBE Release 2.0.10 User Guide
9-6 OL-7117-02
To let the SCE Platform treat such special cases differently, the user can configure non-default attack detectors in the range of 1-99. Like the default attack detector, non-default attack detectors can be configured with different sets of values of action and thresholds for every combination of protocol, attack direction and side. However, in order to be effective, a non-default attack detector must be enabled and must be assigned an ACL (access control list). The action and thresholds configured for such an attack detector are effective only for IP addresses permitted by the ACL. Non-default attack detectors can be assigned a label describing their purpose, such as 'DNS servers' or 'Server farm'.
Non-default attack detectors are effective only for the combinations of protocol, attack direction and side that have been specifically configured. This eliminates the need to duplicate the default attack detector configuration into the configuration of non-default attack detectors, and is best illustrated with an example: Suppose an HTTP server on the subscriber side of the SCE 1000 is getting many requests, which requires the use of a non-default attack detector for configuring high threshold values for incoming TCP flows. Assume attack detector number 4 is used for this purpose; hence it is enabled and assigned an ACL which permits the IP address of the HTTP server. Also suppose that it is desirable to protect subscribers from UDP attacks, hence the default attack detector is configured to block UDP attacks coming from the network (the default configuration is only to report attacks, not block them). If the HTTP server is attacked by a UDP attack from the network, the configuration of the default attack detector will hold for this HTTP server as well, since attack detector number 4 was not configured for UDP attacks.
For each possible combination of protocol, attack direction, and side, the set of enabled attack detectors, together with the default attack detector, forms a database used to determine the threshold and action to take when an attack is detected. When the platform detects a possible attack, it uses the following algorithm to determine the thresholds for attack detection.
• Enabled attack detectors are scanned from low to high numbers.
• If the IP address is permitted by the ACL specified by the attack detector, and a threshold is configured for this combination of protocol, direction and side, then the threshold value specified by this attack detector is used. If not, the scan continues to the next attack detector.
• If no attack detector matches the IP address/protocol combination, then the values of the default attack detector are used.
The same logic is applied when deciding what action the platform should take in handling the attack. The action used is the one specified by the lowest-numbered enabled attack detector that has a specific action setting for the attack protocol, direction and side. If none exists, the configuration of the default attack detector is used.
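The lookup described above, worked through in code as an added example (not part of the guide): the HTTP server scenario with detector 4 supplying only a TCP threshold, so the UDP action and the TCP action both fall through to the default detector. Detector numbers, ACL prefixes, threshold values and the direction/side labels are constructed for illustration.

```python
"""Resolve threshold and action for a detected attack the way the guide's scan
describes: enabled detectors from low to high number; the first whose ACL
permits the IP *and* that configures this (protocol, direction, side) wins;
otherwise the default detector. All values below are constructed examples."""
from ipaddress import ip_address, ip_network

# Key: (protocol, direction, side). Direction/side labels are illustrative only.
# Each detector may set "open_flows" and/or "action" for a combination.
DEFAULT_DETECTOR = {
    ("TCP", "incoming", "subscriber"): {"open_flows": 1000, "action": "report"},
    ("UDP", "incoming", "subscriber"): {"open_flows": 500, "action": "block"},
}

# number -> enabled flag, ACL (permitted prefixes) and per-combination settings
DETECTORS = {
    # Detector 4: HTTP server on the subscriber side needs a high TCP threshold.
    4: {"enabled": True, "acl": ["10.1.1.10/32"],
        "settings": {("TCP", "incoming", "subscriber"): {"open_flows": 20000}}},
    # Detector 7 would match the HTTP server, but is disabled and so is skipped.
    7: {"enabled": False, "acl": ["10.1.1.0/24"],
        "settings": {("UDP", "incoming", "subscriber"): {"action": "report"}}},
    # Detector 12: a DNS farm whose ACL does not permit the HTTP server.
    12: {"enabled": True, "acl": ["10.1.2.0/24"],
         "settings": {("UDP", "incoming", "subscriber"):
                      {"open_flows": 4000, "action": "block"}}},
}

def acl_permits(acl, ip):
    addr = ip_address(ip)
    return any(addr in ip_network(prefix) for prefix in acl)

def resolve(ip, protocol, direction, side, attribute):
    """Return (detector_id, value) for one attribute ('open_flows' or 'action').
    detector_id is 'default' when no non-default detector supplies the value."""
    combo = (protocol, direction, side)
    for num in sorted(DETECTORS):  # scan from low to high numbers
        det = DETECTORS[num]
        if not det["enabled"] or not acl_permits(det["acl"], ip):
            continue
        value = det["settings"].get(combo, {}).get(attribute)
        if value is not None:  # this detector configured this combination
            return num, value
    return "default", DEFAULT_DETECTOR.get(combo, {}).get(attribute)

if __name__ == "__main__":
    # TCP toward the HTTP server: detector 4 supplies the threshold ...
    print(resolve("10.1.1.10", "TCP", "incoming", "subscriber", "open_flows"))
    # ... but set no action, so the default detector's action applies.
    print(resolve("10.1.1.10", "TCP", "incoming", "subscriber", "action"))
    # UDP toward the HTTP server: detector 4 has no UDP settings, default blocks.
    print(resolve("10.1.1.10", "UDP", "incoming", "subscriber", "action"))
```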
Use the following commands to configure and enable attack detection:
• [no] attack-filter
• attack-detector (default|<number>) protocol <protocol> attack-direction <direction> side <side> action <action> [open-flows <number> ddos-suspected-flows <number>]
• attack-detector (default|<number>) protocol <protocol> attack-direction <direction> side <side> (notify-subscriber|dont-notify-subscriber)
• default attack-detector (default|<number>) protocol <protocol> attack-direction <direction> side <side>
• attack-detector <number> access-list comment