Cisco FirePOWER Appliance 7020
28-15
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
Policy-Wide Rate-Based Detection and Thresholding or Suppression
License: Protection
You can use thresholding and suppression to reduce excessive events by limiting the number of event
notifications for a source or destination or by suppressing notifications altogether for that rule. For more
information on the available options for thresholding and suppression, see
If suppression is applied to a rule, event notifications for that rule for all applicable IP addresses are
suppressed even if a rate-based action change occurs because of a policy-wide or rule-specific rate-based
setting. However, the interaction between thresholding and rate-based criteria is more complex.
The following example shows an attacker attempting denial of service (DoS) attacks on hosts in your
network. Many simultaneous connections to hosts from the same sources trigger a policy-wide Control
Simultaneous Connections setting. The setting generates events and drops malicious traffic when there
are five connections from one source in 10 seconds. In addition, a global limit threshold limits the
number of events any rule or setting can generate to 10 events in 20 seconds.
As shown in the diagram, the policy-wide setting generates events for the first ten matching packets and
drops the traffic. After the tenth packet, the limit threshold is reached, so for the remaining packets no
events are generated but the packets are dropped.
After the timeout, note that packets are still dropped in the rate-based sampling period that follows. If
the sampled rate is above the threshold rate in the current or previous sampling period, the rate-based
action of generating events and dropping traffic continues. The rate-based action stops only after a
sampling period completes where the sampled rate is below the threshold rate.
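The interaction described above (a policy-wide rate-based setting of five connections per source in 10 seconds, a limit threshold of 10 events in 20 seconds, and optional suppression) is easier to reason about with a small simulation. The following is an added example, not code from the FireSIGHT System or from Cisco. It models the rate-based action as active for a source while the sampled count in the current or the previous sampling period is at or above the threshold rate, which is an assumption made to match the text's description rather than the product's actual algorithm; the traffic, addresses and helper names (`simulate`, `summarize`, `Config`) are constructed for the example.

```python
"""Simulate rate-based detection interacting with a limit threshold and
suppression. Constructed model: it follows the text's description, not the
product's implementation."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Config:
    rate_count: int = 5       # connections from one source ...
    rate_period: int = 10     # ... within this many seconds (sampling period)
    limit_count: int = 10     # limit threshold: at most this many events ...
    limit_window: int = 20    # ... per this many seconds
    suppress: bool = False    # suppression applied to the rule: no events at all


@dataclass
class Result:
    passed: list = field(default_factory=list)             # (t, src) allowed through
    dropped: list = field(default_factory=list)            # (t, src) dropped
    events: list = field(default_factory=list)             # (t, src) event generated
    suppressed_events: list = field(default_factory=list)  # dropped, but no event


def simulate(packets, cfg):
    """packets: iterable of (t_seconds, source_ip), sorted by time."""
    counts = defaultdict(lambda: defaultdict(int))  # source -> period -> count
    window_start = None   # start of the current limit-threshold window
    window_events = 0     # events already generated in that window
    res = Result()
    for t, src in packets:
        period = t // cfg.rate_period
        counts[src][period] += 1
        # Rate-based action: active once the current period reaches the
        # threshold rate, and it keeps running through the following period
        # ("current or previous sampling period"). It stops only after a
        # period completes with the sampled rate below the threshold.
        active = (counts[src][period] >= cfg.rate_count
                  or counts[src][period - 1] >= cfg.rate_count)
        if not active:
            res.passed.append((t, src))
            continue
        res.dropped.append((t, src))       # the drop happens regardless of events
        if cfg.suppress:                    # suppression: never an event
            res.suppressed_events.append((t, src))
            continue
        if window_start is None or t - window_start >= cfg.limit_window:
            window_start, window_events = t, 0   # new limit-threshold window
        if window_events < cfg.limit_count:      # "limit": first N events only
            window_events += 1
            res.events.append((t, src))
        else:
            res.suppressed_events.append((t, src))
    return res


# Constructed traffic: one source connects once per second for 23 seconds,
# then twice more in the sampling period after it stopped; a benign host
# connects twice. Addresses are constructed example values.
ATTACKER = "10.0.0.5"
BENIGN = "192.0.2.10"
TRAFFIC = sorted(
    [(t, ATTACKER) for t in range(0, 23)]
    + [(31, ATTACKER), (35, ATTACKER)]
    + [(3, BENIGN), (25, BENIGN)]
)


def summarize(cfg=None):
    """Return counts and a few key timestamps for TRAFFIC under cfg."""
    cfg = cfg or Config()
    res = simulate(TRAFFIC, cfg)
    return {
        "passed": len(res.passed),
        "dropped": len(res.dropped),
        "events": len(res.events),
        "suppressed_events": len(res.suppressed_events),
        "first_drop": res.dropped[0][0],
        "last_drop": res.dropped[-1][0],
        "last_event": res.events[-1][0] if res.events else None,
        "first_suppressed": res.suppressed_events[0][0],
    }


if __name__ == "__main__":
    print("limit threshold:", summarize())
    print("suppression:   ", summarize(Config(suppress=True)))
```

With the default configuration the fifth connection at t=4 starts the rate-based action: packets from t=4 through t=22 are dropped, events are generated only for the first ten of them (t=4 to t=13) because the limit threshold is then reached, and the three connections at t=20 to t=22 are still dropped although that sampling period alone is below the threshold rate, because the previous period was above it. The two connections at t=31 and t=35 pass, since the period t=20 to t=29 completed below the threshold rate. With `suppress=True` the drops are identical but no events are generated at all.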