Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 28-18
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
The Policy Information page appears.
Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether Rate-Based Attack Prevention under Specific Threat Detection is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The Rate-Based Attack Prevention page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5 You have two options:
• To prevent incomplete connections intended to flood a host, click Add under SYN Attack Prevention. The SYN Attack Prevention dialog box appears.
• To prevent excessive numbers of connections, click Add under Control Simultaneous Connections. The Control Simultaneous Connections dialog box appears.
Step 6 Select how you want to track traffic:
• To track all traffic from a specific source or range of sources, select Source from the Track By drop-down list and type a single IP address or address block in the Network field.
• To track all traffic to a specific destination or range of destinations, select Destination from the Track By drop-down list and type an IP address or address block in the Network field.
Note that the system tracks traffic separately for each IP address included in the Network field. Traffic from an IP address that exceeds the configured rate results in generated events only for that IP address. As an example, you might set a source CIDR block of 10.1.0.0/16 for the network setting and configure the system to generate events when there are ten simultaneous connections open. If eight connections are open from 10.1.4.21 and six from 10.1.5.10, the system does not generate events, because neither source has the triggering number of connections open. However, if eleven simultaneous connections are open from 10.1.4.21, the system generates events only for the connections from 10.1.4.21.
For information on using CIDR notation and prefix lengths in the FireSIGHT System, see .
Step 7 Indicate the triggering rate for the rate tracking setting:
• For SYN attack configuration, indicate the number of SYN packets per number of seconds in the Rate fields.
• For simultaneous connection configuration, indicate the number of connections in the Count field.
Step 8 To drop packets matching the rate-based attack prevention settings, select Drop.
Step 9 In the Timeout field, indicate the time period after which to stop generating events, and if applicable, dropping, for traffic with the matching pattern of SYNs or simultaneous connections.
Caution Timeout values can be integers from 1 to 1,000,000. However, setting a high timeout value may entirely block connection to a host in an inline deployment.
Step 10 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
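To make the per-address semantics of the Control Simultaneous Connections settings concrete (Track By, Network, Count, Drop and Timeout from Steps 6 through 9), the following is an added Python model written for this page; it is not FireSIGHT code and does not reproduce the appliance's internal implementation. It assumes that once an address reaches Count the system generates events for it until Timeout seconds have passed, after which tracking re-arms; the IP addresses and thresholds are the ones from the note above or constructed for illustration.

```python
import ipaddress
from collections import Counter

class SimultaneousConnectionTracker:
    """Each address inside Network is tracked on its own; an event fires only for the
    address whose open-connection count reaches Count, and stops Timeout seconds later."""

    def __init__(self, network, track_by="source", count=10, timeout=60, drop=False):
        self.network = ipaddress.ip_network(network)   # the Network field (address or block)
        self.track_by = track_by      # the Track By setting: "source" or "destination"
        self.count = count            # the Count field
        self.timeout = timeout        # the Timeout field, in seconds
        self.drop = drop              # the Drop check box
        self.open = Counter()         # open connections per tracked address
        self.triggered = {}           # tracked address -> time the count was first reached

    def _tracked_address(self, src, dst):
        addr = ipaddress.ip_address(src if self.track_by == "source" else dst)
        return addr if addr in self.network else None

    def open_connections(self, address):
        return self.open[ipaddress.ip_address(address)]

    def connection_opened(self, src, dst, now):
        """Register a new connection; returns (event_generated, packet_dropped)."""
        addr = self._tracked_address(src, dst)
        if addr is None:              # not inside the Network block: never tracked
            return False, False
        self.open[addr] += 1
        start = self.triggered.get(addr)
        if start is not None and now - start >= self.timeout:
            del self.triggered[addr]  # Timeout elapsed: stop generating events
            start = None
        if start is None and self.open[addr] >= self.count:
            self.triggered[addr] = start = now   # assumption: re-arms after Timeout
        if start is None:
            return False, False
        return True, self.drop

    def connection_closed(self, src, dst):
        addr = self._tracked_address(src, dst)
        if addr is not None and self.open[addr] > 0:
            self.open[addr] -= 1
```

Replaying the note's scenario (eight connections from 10.1.4.21 and six from 10.1.5.10, then three more from 10.1.4.21) shows events only for 10.1.4.21 from its tenth connection on, and nothing for 10.1.5.10.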