Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 28-14
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
You can use thresholding and suppression to reduce excessive events by limiting the number of event
notifications for a rule or by suppressing notifications altogether for that rule. For more information on
the available options for thresholding and suppression, see
and
If you apply suppression to a rule, the system suppresses event notifications for that rule for all
applicable IP addresses even if a rate-based action change occurs. However, the interaction between
thresholding and rate-based criteria is more complex.
The following example shows an attacker attempting a brute-force login. Repeated attempts to find a
password trigger a rule that has rate-based attack prevention configured. The rate-based settings change
the rule attribute to Drop and Generate Events for 15 seconds when there are five hits on the rule in 10
seconds. In addition, a limit threshold limits the number of events the rule can generate to 10 events in
23 seconds.
As shown in the diagram, the rule generates events for the first five matching packets. After five packets,
the rate-based criteria trigger the new action of Drop and Generate Events, and for the next five packets
the rule generates events and the system drops the packet. After the tenth packet, the limit threshold has
been reached, so for the remaining packets the system does not generate events but does drop the packets.
After the timeout, note that packets are still dropped in the rate-based sampling period that follows. If
the sampled rate is above the threshold rate in the current or previous sampling period, the new action
continues. The new action reverts to Generate Events only after a sampling period completes where the
sampled rate is below the threshold rate.
Note that although it is not shown in this example, if a new action triggers because of rate-based criteria
after a threshold has been reached, the system generates a single event to indicate the change in action.
So, for example, when the limit threshold of 10 is reached and the system stops generating events and
the action changes from Generate Events to Drop and Generate Events on the 14th packet, the system
generates an eleventh event to indicate the change in action.
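The interaction described above (rate-based action change, limit threshold, and the single extra event on an action change after the threshold is reached) can be traced with a small simulation. This is an added example written for this page, not Cisco's code: it uses the guide's numbers (5 hits in 10 s, Drop for 15 s, limit of 10 events in 23 s) and simplifies the revert check to "no sampling period, current or previous, is above the threshold rate" at the first packet after the timeout.

```python
from dataclasses import dataclass
from typing import Optional

# Settings taken from the guide's example; the rule itself is hypothetical.
RATE_COUNT, RATE_PERIOD, RATE_TIMEOUT = 5, 10.0, 15.0  # 5 hits in 10 s -> Drop for 15 s
LIMIT_COUNT, LIMIT_PERIOD = 10, 23.0                   # limit threshold: 10 events per 23 s

@dataclass
class RuleState:
    period_start: float = 0.0          # start of the current rate-based sampling period
    hits_cur: int = 0                  # matches seen in the current sampling period
    hits_prev: int = 0                 # matches seen in the previous sampling period
    action: str = "generate"           # "generate" or "drop" (Drop and Generate Events)
    drop_until: float = 0.0            # when the current rate-based timeout expires
    limit_start: Optional[float] = None  # start of the current threshold period
    events: int = 0                    # events already generated in this threshold period

def process(s, t):
    """Handle one matching packet at time t; return (dropped, event_generated)."""
    # Roll the sampling period forward; an empty period leaves hits_prev at 0.
    while t >= s.period_start + RATE_PERIOD:
        s.period_start += RATE_PERIOD
        s.hits_prev, s.hits_cur = s.hits_cur, 0
    # Rate is judged on hits counted before this packet, so the 5th hit is not yet dropped.
    rate_high = s.hits_cur >= RATE_COUNT or s.hits_prev >= RATE_COUNT
    changed = False
    if s.action == "drop" and t >= s.drop_until:
        if rate_high:                  # still above threshold: the new action continues
            s.drop_until = t + RATE_TIMEOUT
        else:                          # rate fell below threshold: revert to Generate Events
            s.action = "generate"
    if s.action == "generate" and rate_high:
        s.action, s.drop_until, changed = "drop", t + RATE_TIMEOUT, True
    s.hits_cur += 1
    # Limit threshold: only the first LIMIT_COUNT events in each LIMIT_PERIOD are generated...
    if s.limit_start is None or t >= s.limit_start + LIMIT_PERIOD:
        s.limit_start, s.events = t, 0
    if s.events < LIMIT_COUNT:
        event = True
    else:
        event = changed                # ...plus one extra event announcing an action change
    if event:
        s.events += 1
    return s.action == "drop", event

def simulate(times):
    """Run a sequence of constructed packet timestamps (seconds) through a fresh rule."""
    s = RuleState()
    return [process(s, t) for t in times]
```

`simulate(range(20))` (one login attempt per second) reproduces the diagram: 5 events, then 5 dropped-and-logged packets, then drops only; the 14-packet sequence in the test reproduces the eleventh event on the 14th packet.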