Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 28      Detecting Specific Threats
Preventing Rate-Based Attacks
License: Protection
Rate-based attacks depend on the frequency of connections or on repeated attempts to carry out the attack. You can use rate-based detection criteria to detect such an attack as it occurs, respond to it while it is happening, and then return to normal detection settings after it stops.
Understanding Rate-Based Attack Prevention
License: Protection
Table 28-6 Portscan Packet View (continued)

| Information | Description |
|---|---|
| Priority Count | The number of negative responses (for example, TCP RSTs and ICMP unreachables) from the scanned host. The higher the number of negative responses, the higher the priority count. |
| Connection Count | The number of active connections on the hosts. This value is more accurate for connection-based scans such as TCP and IP. |
| IP Count | The number of times that the IP address contacting the scanned host changes. For example, if the first IP address is 10.1.1.1, the second IP is 10.1.1.2, and the third IP is 10.1.1.1, then the IP count is 3. This number is less accurate for active hosts such as proxies and DNS servers. |
| Scanner/Scanned IP Range | The range of IP addresses for the scanned hosts or the scanning hosts, depending on the type of scan. For portsweeps, this field shows the IP range of scanned hosts. For portscans, this field shows the IP range of the scanning hosts. |
| Port/Proto Count | For TCP and UDP portscans, the number of times that the port being scanned changes. For example, if the first port scanned is 80, the second port scanned is 8080, and the third port scanned is again 80, then the port count is 3. For IP protocol portscans, the number of times that the protocol being used to connect to the scanned host changes. |
| Port/Proto Range | For TCP and UDP portscans, the range of the ports that were scanned. For IP protocol portscans, the range of IP protocol numbers that were used to attempt to connect to the scanned host. |
| Open Ports | The TCP ports that were open on the scanned host. This field appears only when the portscan detects one or more open ports. |
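
The following added example (not part of the Cisco guide, and not the product's implementation) models how the count fields in Table 28-6 read when triaging a portscan event: IP Count and Port/Proto Count tally changes between consecutive observations, so they can exceed the number of distinct addresses or ports. The Probe record, the response labels, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    src_ip: str    # address that contacted the scanned host
    dst_port: int  # port being probed
    response: str  # assumed labels: "rst", "icmp_unreach", "synack", "none"

# Negative responses named in the table: TCP RSTs and ICMP unreachables.
NEGATIVE = {"rst", "icmp_unreach"}

def change_count(values):
    """Count the first value plus every later value that differs from the one before it."""
    count, last = 0, None
    for value in values:
        if value != last:
            count += 1
            last = value
    return count

def summarize(probes):
    """Derive the Table 28-6 style fields from an ordered list of probes."""
    if not probes:
        raise ValueError("no probes to summarize")
    ports = [p.dst_port for p in probes]
    return {
        "priority_count": sum(p.response in NEGATIVE for p in probes),
        "ip_count": change_count(p.src_ip for p in probes),
        "port_count": change_count(ports),
        "port_range": (min(ports), max(ports)),
        # Assumption: a SYN/ACK reply marks the TCP port as open.
        "open_ports": sorted({p.dst_port for p in probes if p.response == "synack"}),
        "distinct_ips": len({p.src_ip for p in probes}),
        "distinct_ports": len(set(ports)),
    }

# Constructed sample: the first three probes mirror the guide's 10.1.1.1 / 10.1.1.2 / 10.1.1.1
# and 80 / 8080 / 80 examples; the last two add a closed port.
SAMPLE = [
    Probe("10.1.1.1", 80, "synack"),
    Probe("10.1.1.2", 8080, "rst"),
    Probe("10.1.1.1", 80, "synack"),
    Probe("10.1.1.1", 23, "rst"),
    Probe("10.1.1.1", 23, "icmp_unreach"),
]

if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print(f"{field}: {value}")
```

Comparing ip_count with distinct_ips shows why the guide calls IP Count less accurate for busy hosts such as proxies and DNS servers: many legitimate clients alternating against one host inflate the change count without any scan taking place.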