Cisco FirePOWER Appliance 7020
28-10
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Preventing Rate-Based Attacks
You can configure your intrusion policy to include rate-based filters that detect excessive activity
directed at hosts on your network. You can use this feature on managed devices deployed in inline mode
to block rate-based attacks for a specified time, after which the system reverts to generating events
only and no longer drops the traffic.
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of
that traffic on legitimate requests. Rate-based attacks usually have one of the following characteristics:
• any traffic containing excessive incomplete connections to hosts on the network, indicating a SYN flood attack
To configure SYN attack detection, see
• any traffic containing excessive complete connections to hosts on the network, indicating a TCP/IP connection flood attack
To configure simultaneous connection detection, see
• excessive rule matches in traffic going to a particular destination IP address or addresses, or coming from a particular source IP address or addresses
To configure source or destination-based dynamic rule states, see
• excessive matches for a particular rule across all traffic
To configure rule-based dynamic rule states, see
In an intrusion policy, you can either configure SYN flood or TCP/IP connection flood detection for the
entire policy, or set rate-based filters for individual intrusion or preprocessor rules. Note that manually
adding a rate-based filter to rules 135:1 and 135:2 has no effect. Rules with GID:135 use the client as
the source value and the server as the destination value. See
and
for more information.
Each rate-based filter contains several components:
• for policy-wide or rule-based source or destination settings, the network address designation
• the rule matching rate, which you configure as a count of rule matches within a specific number of seconds
• a new action to be taken when the rate is exceeded
When you set a rate-based setting for the entire policy, the system generates events when it detects
a rate-based attack, and optionally can drop the traffic in an inline deployment. When setting
rate-based actions for individual rules, you have three available actions: Generate Events, Drop and
Generate Events, and Disable.
• the duration of the action, which you configure as a timeout value
Note that when started, the new action occurs until the timeout is reached, even if the rate falls below
the configured rate during that time period. When the timeout period expires, if the rate has fallen below
the threshold, the action for the rule reverts to the action initially configured for the rule. For policy-wide
settings, the action reverts to the action of each rule the traffic matches or stops if it does not match any
rules.
You can configure rate-based attack prevention in an inline deployment to block attacks, either
temporarily or permanently. Without rate-based configuration, rules set to Generate Events create
events, but the system does not drop packets for those rules. However, if the attack traffic matches rules
that have rate-based criteria configured, the rate action may cause packet dropping to occur for the period
of time that the rate action is active, even if those rules are not initially set to Drop and Generate Events.
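The filter behaviour described above (a count of rule matches within a window of seconds, a new action held for the full timeout even if the rate falls, and a revert only if the rate is below the threshold when the timeout lapses) as an added Python model. This is example code written for this page, not FireSIGHT or Snort code; the class and function names, the tracked-address scheme and the sample match timestamps are all constructed for the illustration. It covers source, destination and rule-based tracking, and shows the case the last paragraph warns about: a rule configured for Generate Events drops packets while its rate action is active.

```python
"""Model of a per-rule rate-based filter (illustrative, not vendor code)."""
from collections import deque

GENERATE_EVENTS = "Generate Events"
DROP_AND_GENERATE = "Drop and Generate Events"
DISABLE = "Disable"


class RateFilter:
    """Rate-based filter attached to one intrusion rule (names are assumptions)."""

    def __init__(self, rule_action, track_by, count, seconds, new_action, timeout):
        self.rule_action = rule_action  # action initially configured for the rule
        self.track_by = track_by        # "source", "destination" or "rule"
        self.count = count              # this many rule matches ...
        self.seconds = seconds          # ... within this many seconds trips the filter
        self.new_action = new_action    # action applied while the rate action is active
        self.timeout = timeout          # seconds the new action stays in force
        self._hits = {}                 # tracked key -> deque of match timestamps
        self._expires = {}              # tracked key -> time the rate action lapses

    def _key(self, src, dst):
        # Source/destination tracking keeps one counter per address;
        # rule-based tracking keeps a single counter across all traffic.
        if self.track_by == "source":
            return src
        if self.track_by == "destination":
            return dst
        return "rule"

    def _window_count(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.seconds:
            hits.popleft()  # drop matches that have aged out of the window
        return len(hits)

    def match(self, now, src, dst):
        """Record a rule match at time `now` (seconds) and return the action
        the system applies to this packet."""
        key = self._key(src, dst)
        self._hits.setdefault(key, deque()).append(now)
        n = self._window_count(key, now)
        expires = self._expires.get(key)

        if expires is not None and now < expires:
            # Timeout still running: the rate action holds even if the rate
            # has since fallen below the configured threshold.
            return self.new_action
        if n >= self.count:
            # Threshold reached, or still exceeded when the timeout lapsed:
            # start (or restart) the rate action for `timeout` seconds.
            self._expires[key] = now + self.timeout
            return self.new_action
        # Below threshold with no rate action running: revert to the
        # action initially configured for the rule.
        self._expires.pop(key, None)
        return self.rule_action


def simulate(filt, events):
    """Feed (time, src, dst) rule matches through the filter; return the action per match."""
    return [filt.match(t, s, d) for t, s, d in events]


def demo():
    # Constructed sample: the rule itself is set to Generate Events; the filter
    # tracks by source and turns 3 matches in 2 s into Drop and Generate Events
    # for 5 s. Addresses and timestamps are made up for this example.
    filt = RateFilter(GENERATE_EVENTS, "source", count=3, seconds=2,
                      new_action=DROP_AND_GENERATE, timeout=5)
    events = [
        (0.0, "10.0.0.5", "10.0.0.80"),  # 1st match from 10.0.0.5
        (0.5, "10.0.0.5", "10.0.0.80"),  # 2nd match
        (1.0, "10.0.0.5", "10.0.0.80"),  # 3rd match in 2 s: drop starts, lapses at 6.0
        (1.2, "10.0.0.9", "10.0.0.80"),  # other source has its own counter: events only
        (4.0, "10.0.0.5", "10.0.0.80"),  # rate has fallen, but the timeout still holds
        (6.5, "10.0.0.5", "10.0.0.80"),  # timeout over, rate below threshold: revert
    ]
    return simulate(filt, events)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Setting `new_action=DISABLE` in the same model silences the rule for the timeout instead of dropping; the revert logic is identical. The re-arm branch is the behaviour a sustained flood produces: when the timeout lapses with the window still over the count, the rate action restarts rather than reverting.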