Cisco FireSIGHT System User Guide, Chapter 28: Detecting Specific Threats (page 28-12)

Preventing Rate-Based Attacks
For example, you could configure a setting to allow a maximum of 10 SYN packets from any one IP address, and block further connections from that IP address for 60 seconds.

Enabling this option also activates rule 135:1. Manually activating this rule has no effect. The rule state is always displayed as Disabled, and never changes. The rule generates events when this option is enabled and a defined rate condition is exceeded.
Controlling Simultaneous Connections

License: Protection
You can limit TCP/IP connections to or from hosts on your network to prevent denial of service (DoS) attacks or excessive activity by users. When the system detects the configured number of successful connections to or from a specified IP address or range of addresses, it generates events on additional connections. The rate-based event generation continues until the timeout period elapses without the rate condition occurring. In an inline deployment you can choose to drop packets until the rate condition times out.

For example, you could configure a setting to allow a maximum of 10 successful simultaneous connections from any one IP address, and block further connections from that IP address for 60 seconds.

Enabling this option also activates rule 135:2. Manually activating this rule has no effect. The rule state is always displayed as Disabled, and never changes. The rule generates events when this option is enabled and a defined rate condition is exceeded.
Rate-Based Attack Prevention and Other Filters

License: Protection

The detection_filter keyword and the thresholding and suppression features provide other ways to filter either the traffic itself or the events that the system generates. You can use rate-based attack prevention alone or in any combination with thresholding, suppression, or the detection_filter keyword.
See the following examples for more information:
Rate-Based Attack Prevention and Detection Filtering

License: Protection

The detection_filter keyword prevents a rule from triggering until a threshold number of rule matches occur within a specified time. When a rule includes the detection_filter keyword, the system tracks the number of incoming packets matching the pattern in the rule per timeout period. The system can count hits for that rule from particular source or destination IP addresses. After the rate exceeds the rate in the rule, event notification for that rule begins.
The following example shows an attacker attempting a brute-force login. Repeated attempts to find a password trigger a rule that also includes the detection_filter keyword, with a count set to 5. This rule has rate-based attack prevention configured. The rate-based settings change the rule attribute to Drop and Generate Events for 20 seconds when there are five hits on the rule in a 10-second span.
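The interaction described above, modelled as an added example (this is not Cisco's code and not how the FireSIGHT engine is implemented): a detection_filter layer that stays silent until its count is exceeded inside its window, and a rate-based layer that counts the resulting hits and switches the rule to Drop and Generate Events for the timeout, re-arming that timeout whenever the rate condition recurs. Assumptions: both layers track by source address, a threshold counts as exceeded once more than `count` occurrences fall within `seconds`, and the source addresses and attempt timings are constructed sample data.

```python
from collections import defaultdict, deque

class SlidingCounter:
    """Per-address count of occurrences inside a trailing window of `seconds`."""
    def __init__(self, seconds):
        self.seconds = seconds
        self.times = defaultdict(deque)   # addr -> timestamps still inside the window

    def add(self, addr, now):
        """Record an occurrence from addr at `now`; return how many fall in the window."""
        q = self.times[addr]
        q.append(now)
        while now - q[0] > self.seconds:  # q is never empty here: we just appended
            q.popleft()
        return len(q)

class RateBasedRule:
    """Model (assumption, not Cisco's implementation) of a rule that carries a
    detection_filter and has rate-based attack prevention configured on it.
    Both filters track by source; a threshold is 'exceeded' once MORE than `count`
    occurrences fall in `seconds`; the drop timeout restarts each time the rate
    condition recurs, so it lapses only after `timeout` quiet seconds."""
    def __init__(self, df_count, df_seconds, rb_count, rb_seconds, rb_timeout):
        self.df_count, self.matches = df_count, SlidingCounter(df_seconds)
        self.rb_count, self.hits = rb_count, SlidingCounter(rb_seconds)
        self.rb_timeout = rb_timeout
        self.drop_until = {}  # addr -> time at which Drop and Generate Events lapses

    def match(self, src, now):
        """A packet from src matched the rule's pattern at `now`; return the action."""
        if self.matches.add(src, now) <= self.df_count:
            return "pass"                       # detection_filter not exceeded: no event
        # The rule fires: this is a 'hit' that rate-based prevention counts.
        if self.hits.add(src, now) > self.rb_count:
            self.drop_until[src] = now + self.rb_timeout   # rate condition: (re)arm timeout
        if now < self.drop_until.get(src, now):
            return "drop"                       # Drop and Generate Events
        return "alert"                          # Generate Events only

def simulate(events, rule):
    """Feed constructed (src, time) match events to the rule; return the action per event."""
    return [(src, t, rule.match(src, t)) for src, t in events]

if __name__ == "__main__":
    # Constructed sample: 203.0.113.5 retries a login once a second for 15 s; 198.51.100.7 twice.
    attempts = [("203.0.113.5", t) for t in range(15)] + [("198.51.100.7", 3), ("198.51.100.7", 40)]
    rule = RateBasedRule(df_count=5, df_seconds=10, rb_count=5, rb_seconds=10, rb_timeout=20)
    for src, t, action in simulate(sorted(attempts, key=lambda e: e[1]), rule):
        print(f"t={t:>2}s {src:<14} {action}")
```

With the page's settings (count 5, 10-second window, 20-second drop) the attacker's first five attempts produce no event, the next five generate events, and from the eleventh attempt onward packets are dropped while events continue.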