FireSIGHT System User Guide, page 28-11
Chapter 28: Detecting Specific Threats
Preventing Rate-Based Attacks
Note: Rate-based actions cannot enable disabled rules or drop traffic that matches disabled rules. However, if you set a rate-based filter at the policy level, you can generate events on, or generate events on and drop, traffic that contains an excessive number of SYN packets or SYN/ACK interactions within a designated time period.
You can define multiple rate-based filters on the same rule. The first filter listed in the intrusion policy 
has the highest priority. Note that when two rate-based filter actions conflict, the system implements the 
action of the first rate-based filter. Similarly, policy-wide rate-based filters override rate-based filters set 
on individual rules if the filters conflict. 
The following diagram shows an example where an attacker is attempting to access a host. Repeated 
attempts to find a password trigger a rule which has rate-based attack prevention configured. The 
rate-based settings change the rule attribute to Drop and Generate Events after rule matches occur five 
times in a 10-second span. The new rule attribute times out after 15 seconds. 
After the timeout, note that packets are still dropped in the rate-based sampling period that follows. If 
the sampled rate is above the threshold in the current or previous sampling period, the new action 
continues. The new action reverts to generating events only after a sampling period completes where the 
sampled rate is below the threshold rate.
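The timing rules in the two paragraphs above (threshold, timeout, and the carry-over into the next sampling period), as a constructed model written for this page rather than Cisco's own implementation; fixed-window sampling periods, the class and function names, and the trace timestamps are assumptions:

```python
"""Model of the rate-based filter behaviour described above (constructed example)."""
import math
from collections import defaultdict

GENERATE = "Generate Events"
DROP = "Drop and Generate Events"


class RateBasedFilter:
    """Counts rule matches per sampling period and selects the rule action.

    Defaults mirror the text: five matches within a 10-second sampling period
    switch the rule to Drop and Generate Events for a 15-second timeout.
    Sampling periods are modelled as fixed windows of `seconds` (assumption).
    """

    def __init__(self, count=5, seconds=10.0, timeout=15.0):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self._hits = defaultdict(int)   # sampling period index -> matches seen
        self._active_until = None       # end of the new-action timeout, if armed

    def match(self, t):
        """Record a rule match at time t (seconds) and return the action applied."""
        period = math.floor(t / self.seconds)
        self._hits[period] += 1
        over = self._hits[period] >= self.count          # current period over threshold
        prev_over = self._hits[period - 1] >= self.count  # previous period over threshold

        if self._active_until is None and over:
            # Threshold crossed: arm the new action for `timeout` seconds.
            self._active_until = t + self.timeout
            return DROP
        if self._active_until is not None and t < self._active_until:
            return DROP                 # inside the timeout: drop regardless of rate
        if over or prev_over:
            return DROP                 # timeout elapsed, but the sampled rate is still high
        self._active_until = None       # a below-threshold period completed: revert
        return GENERATE


def simulate(times, **kwargs):
    """Feed match timestamps through one filter; return (time, action) pairs."""
    f = RateBasedFilter(**kwargs)
    return [(t, f.match(t)) for t in times]


if __name__ == "__main__":
    # Constructed trace: one password guess per second for 17 s, then two late retries.
    for t, action in simulate([float(s) for s in range(17)] + [21.0, 31.0]):
        print(f"t={t:5.1f}s  {action}")
```

In the trace, the retry at 21 s is still dropped although the 15-second timeout ended at 19 s, because the previous sampling period (10 to 19 s) was over threshold; the retry at 31 s reverts to generating events only.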
Preventing SYN Attacks
License: Protection
The SYN attack prevention option helps you protect your network hosts against SYN floods. You can 
protect individual hosts or whole networks based on the number of packets seen over a period of time. 
If your device is deployed passively, you can generate events. If your device is placed inline, you can 
also drop the malicious packets. After the timeout period elapses, if the rate condition has stopped, the 
event generation and packet dropping stops.