Cisco Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
Note
Rate-based actions cannot enable disabled rules or drop traffic that matches disabled rules. However, if
you set a rate-based filter at the policy level, you can generate events on (or generate events on and drop)
traffic that contains an excessive number of SYN packets or SYN/ACK interactions within a designated
time period.
You can define multiple rate-based filters on the same rule. The first filter listed in the intrusion policy
has the highest priority. Note that when two rate-based filter actions conflict, the system implements the
action of the first rate-based filter. Similarly, policy-wide rate-based filters override rate-based filters set
on individual rules if the filters conflict.
The following diagram shows an example where an attacker is attempting to access a host. Repeated
attempts to find a password trigger a rule which has rate-based attack prevention configured. The
rate-based settings change the rule attribute to Drop and Generate Events after rule matches occur five
times in a 10-second span. The new rule attribute times out after 15 seconds.
Note that after the timeout, packets are still dropped in the rate-based sampling period that follows. If
the sampled rate is above the threshold in the current or previous sampling period, the new action
continues. The new action reverts to generating events only after a sampling period completes in which
the sampled rate is below the threshold rate.
Preventing SYN Attacks
License:
Protection
The SYN attack prevention option helps you protect your network hosts against SYN floods. You can
protect individual hosts or whole networks based on the number of packets seen over a period of time.
If your device is deployed passively, you can generate events. If your device is placed inline, you can
also drop the malicious packets. After the timeout period elapses, if the rate condition has stopped, the
event generation and packet dropping stops.
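The following Python model is an added illustration of the rate-based filter behavior described in the "Preventing Rate-Based Attacks" section (five matches in a 10-second span switch the rule to Drop and Generate Events, the new action times out after 15 seconds, and reverts only after a sampling period completes below the threshold) and of the passive-versus-inline distinction in SYN attack prevention. It is not Cisco code and is not the FireSIGHT implementation. Two modeling assumptions are made that the guide does not spell out: sampling periods are fixed-length and back to back, and reaching the threshold again while the new action is in force re-arms the timeout. The class and function names are the example's own.

```python
"""Illustrative model of a rate-based filter (added example, not Cisco code).

Modelled from the user-guide text:
  * when matches in the current sampling period reach `count`, the rule's
    action switches to `new_action` for `timeout` seconds;
  * after the timeout the new action stays in force until a full sampling
    period that started after the timeout expiry completes with fewer than
    `count` matches;
  * a passively deployed device can only generate events, so a drop action
    is downgraded to the base (generate-only) action.
Assumptions not stated in the guide: fixed-length, back-to-back sampling
periods, and re-arming of the timeout whenever the threshold is reached.
"""
from dataclasses import dataclass


@dataclass
class RateFilterConfig:
    count: int = 5                       # matches that trigger the new action
    seconds: float = 10.0                # length of one sampling period
    timeout: float = 15.0                # guaranteed duration of the new action
    new_action: str = "drop_and_generate"
    base_action: str = "generate"
    inline: bool = True                  # passive sensors cannot drop


class RateBasedFilter:
    def __init__(self, cfg: RateFilterConfig):
        self.cfg = cfg
        self.period_start = None         # start time of the current sampling period
        self.period_count = 0            # matches seen in the current sampling period
        self.active_until = None         # None = base action; else timeout expiry time

    def _close_period(self) -> None:
        # Revert only when a period that began after the timeout expired
        # finishes with a sampled rate below the threshold.
        if (self.active_until is not None
                and self.period_start >= self.active_until
                and self.period_count < self.cfg.count):
            self.active_until = None

    def _roll_periods(self, now: float) -> None:
        """Close every sampling period that ended before `now`."""
        if self.period_start is None:
            self.period_start = now
        while now - self.period_start >= self.cfg.seconds:
            self._close_period()
            self.period_start += self.cfg.seconds
            self.period_count = 0

    def on_match(self, now: float) -> str:
        """Record a rule match at time `now` and return the action applied to it."""
        self._roll_periods(now)
        self.period_count += 1
        if self.period_count >= self.cfg.count:
            # Threshold reached in this sampling period: (re)arm the new action.
            self.active_until = now + self.cfg.timeout
        if self.active_until is None:
            return self.cfg.base_action
        action = self.cfg.new_action
        if not self.cfg.inline and action.startswith("drop"):
            action = self.cfg.base_action  # passive deployment: events only
        return action


def simulate(match_times, cfg: RateFilterConfig = None):
    """Run a sequence of rule-match timestamps through one filter instance."""
    flt = RateBasedFilter(cfg or RateFilterConfig())
    return [(t, flt.on_match(t)) for t in match_times]


if __name__ == "__main__":
    # Constructed scenario: five guesses within 10 s, then sporadic retries.
    for t, action in simulate([0, 1, 2, 3, 4, 12, 21, 31]):
        print(f"t={t:>3}s  {action}")
```

In the constructed scenario the fifth match at t=4 switches the rule to drop and generate; the timeout expires at t=19, yet the match at t=21 is still dropped because the sampling period that began at t=20 has not completed; the match at t=31 is only logged, since that period (20 s to 30 s) ended with one match, below the threshold. Running the same timestamps with `inline=False` yields events only.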