Cisco Packet Data Gateway (PDG)
PSF Changes in Release 16
PSF Enhancements for 16.0
Release Change Reference, StarOS Release 16
CSCue70886 - src-ip based flood attack detection
Applicable Products: GGSN, HA, IPSG, PDSN, P-GW
Feature Changes
Source-IP based Flood Attack Detection
The Source-IP based flood attack detection feature is implemented to limit the number of new flows originating from a
source IP per unit time to various destinations in both uplink and downlink directions. Limiting the number of
connections from a single source IP to different destinations will be applied only per SMGR instance.
CLI support is added for enabling and disabling uplink/downlink IP Sweep protection. Statistics support is added to
show details of packets dropped due to IP Sweep protection and the list of internet hosts doing a flood attack.
Command Changes
firewall dos-protection ip-sweep
The ip-sweep keyword is new and is configured to detect Source IP-based flooding in the uplink direction.
configure
  active-charging service acs_name
    firewall dos-protection ip-sweep { { icmp | tcp-syn | udp } protect-servers { all | host-pool hostpool_name } packet limit packet_limit | downlink-server-limit server_limit | inactivity-timeout timeout | sample-interval interval }
    default firewall dos-protection ip-sweep { downlink-server-limit | icmp | inactivity-timeout | sample-interval | tcp-syn | udp }
    no firewall dos-protection ip-sweep { icmp | tcp-syn | udp }
    end
Notes:
This command is used to enable or disable IP Sweep Protection in the uplink direction for mobile subscribers and internet hosts on a per-protocol basis.
Detection of IP Sweep attacks in the downlink direction is configured using the firewall dos-protection ip-sweep command in the FW-and-NAT Policy Configuration mode.
The configuration values of packet limit and sampling interval are common for both uplink and downlink.
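The following Python model, added here as an illustration and not StarOS code, shows the control loop those parameters describe: new flows from one source IP to distinct destinations are counted per sampling interval, a source that exceeds the packet limit is marked as a flooder and its further new flows are dropped, and idle state expires after the inactivity timeout. The flow records, IP addresses and the exact counting rule are constructed assumptions; downlink-server-limit is not modelled.

```python
from collections import defaultdict


class IpSweepDetector:
    """Per-source-IP fan-out counter with a sampling window and idle expiry."""

    def __init__(self, packet_limit, sample_interval, inactivity_timeout):
        self.packet_limit = packet_limit              # distinct destinations allowed per window
        self.sample_interval = sample_interval        # seconds per counting window
        self.inactivity_timeout = inactivity_timeout  # seconds before idle state is dropped
        self.state = {}                               # src -> window_start, dests, last_seen, flagged
        self.dropped = defaultdict(int)               # src -> flows dropped (the page's statistic)

    def observe(self, ts, src, dst):
        """Return 'forward' or 'drop' for the first packet of a new flow src -> dst at time ts."""
        s = self.state.get(src)
        # idle sources are forgotten after the inactivity timeout, clearing any flooder mark
        if s is None or ts - s["last_seen"] > self.inactivity_timeout:
            s = {"window_start": ts, "dests": set(), "last_seen": ts, "flagged": False}
            self.state[src] = s
        # a new sampling window restarts the count
        if ts - s["window_start"] >= self.sample_interval:
            s.update(window_start=ts, dests=set(), flagged=False)
        s["last_seen"] = ts
        s["dests"].add(dst)
        if len(s["dests"]) > self.packet_limit:
            s["flagged"] = True
        if s["flagged"]:
            self.dropped[src] += 1
            return "drop"
        return "forward"

    def flooders(self):
        """Sources currently marked as sweeping (the page's list of hosts doing a flood attack)."""
        return sorted(src for src, s in self.state.items() if s["flagged"])


def run_demo():
    det = IpSweepDetector(packet_limit=10, sample_interval=5, inactivity_timeout=30)
    # constructed flow records (timestamp, source, destination): one host fans out to 12
    # destinations within 1.2 s, a second host opens two ordinary flows
    flows = [(0.1 * i, "10.1.1.1", f"198.51.100.{i}") for i in range(1, 13)]
    flows += [(1.0, "10.1.1.2", "198.51.100.1"), (1.5, "10.1.1.2", "198.51.100.2")]
    verdicts = [det.observe(ts, src, dst) for ts, src, dst in flows]
    flooders = det.flooders()
    # 40 s of silence exceeds the inactivity timeout, so the flooder mark expires
    late = det.observe(41.2, "10.1.1.1", "198.51.100.50")
    return verdicts, flooders, dict(det.dropped), late
```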
firewall dos-protection
The ip-sweep keyword is new and is configured to detect Source IP-based flooding in the downlink direction.