Understanding IDS on an MS-MPC
Intrusion Detection Services
Intrusion detection services (IDS) rules on an MS-MPC give you a way to identify and drop traffic that is part of a network attack.
IDS rules provide a more granular level of filtering than firewall filters and policers, which can stop illegal TCP flags and other bad flag combinations, and can enforce general rate limiting (see the Routing Policies, Firewall Filters, and Traffic Policers User Guide). You can use firewall filters and policers along with IDS to reduce the traffic that needs to be processed by an IDS rule.
In an IDS rule, you can specify:
Limits on the sessions that originate from individual sources or that terminate at individual destinations. This protects against network probing and flooding attacks.
Types of suspicious packets to drop.
To protect against header anomaly attacks, a header integrity check is automatically performed if you configure an IDS rule, a stateful firewall rule, or a NAT rule and apply it to the service set. You can also explicitly configure a header integrity check for the service set if you do not assign the service set an IDS rule, a stateful firewall rule, or a NAT rule.
IDS provides protection against several types of network attacks.
You can use IDS rules to set session limits for traffic from an individual source or to an individual destination. This protects against network probing and flooding attacks. Traffic that exceeds the session limits is dropped. You can specify session limits either for traffic with a particular IP protocol, such as ICMP, or for traffic in general.
You decide whether the limits apply to individual addresses or to an aggregation of traffic from individual subnets of a particular prefix length. For example, if you aggregate limits for IPv4 subnets with a prefix length of 24, traffic from 192.0.2.2 and 192.0.2.3 is counted against the limits for the 192.0.2.0/24 subnet.
Some common network probing and flooding attacks that session limits protect against include:
Session limits for traffic from a source or to a destination include:
maximum number of concurrent sessions
maximum number of packets per second
maximum number of connections per second
IDS also installs a dynamic filter on the PFEs of line cards for suspicious activity when the following conditions occur:
Either the packets per second or the number of connections per second for an individual source or destination address (not for a subnet) exceeds four times the session limit in the IDS rule. This session limit is the general source or destination limit for the IDS rule, not the limit specified for a particular protocol.
The services card CPU utilization percentage exceeds a configured value (default value is 90 percent).
The dynamic filter drops the suspicious traffic at the PFE, and the traffic is not sent to the MS-MPC to be processed by the IDS rule. When the packet or connection rate no longer exceeds four times the limit in the IDS rule, the dynamic filter is removed.
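As an added illustration (not Juniper code and not a model of the real implementation), the following Python models the by-source packet-rate limit, the prefix aggregation, the protocol-specific limit, and the PFE dynamic filter that the text describes. The limits, addresses, and CPU figures are constructed, and it assumes that both listed dynamic-filter conditions (rate above four times the general limit, and CPU above the threshold) must hold for the filter to be installed.

```python
import ipaddress
from collections import Counter

class IdsSessionLimiter:
    """Models an IDS by-source packets-per-second limit, optional prefix
    aggregation, and the PFE dynamic filter described above (constructed model)."""
    FILTER_MULTIPLIER = 4   # "four times the session limit in the IDS rule"

    def __init__(self, max_pps, aggregate_prefix=None, per_protocol=None, cpu_threshold=90):
        self.max_pps = max_pps                    # general by-source limit (packets/second)
        self.aggregate_prefix = aggregate_prefix  # e.g. 24: count per /24; None: per address
        self.per_protocol = per_protocol or {}    # e.g. {"icmp": 5}: protocol-specific limits
        self.cpu_threshold = cpu_threshold        # services card CPU %, default 90 per the text
        self.dynamic_filter = set()               # addresses currently dropped at the PFE

    def counting_key(self, src):
        """Individual address, or the subnet it aggregates into."""
        if self.aggregate_prefix is None:
            return src
        return str(ipaddress.ip_network(f"{src}/{self.aggregate_prefix}", strict=False))

    def process_second(self, packets, cpu_percent):
        """packets: list of (source_ip, protocol) seen in one second.
        Returns a Counter of verdicts: 'pfe-drop', 'ids-drop', 'pass'."""
        verdicts, general, by_proto, per_address = Counter(), Counter(), Counter(), Counter()
        for src, proto in packets:
            per_address[src] += 1                 # true per-address rate, as seen at the PFE
            if src in self.dynamic_filter:
                verdicts["pfe-drop"] += 1         # dropped at the PFE, never reaches the MS-MPC
                continue
            key = self.counting_key(src)
            general[key] += 1
            by_proto[(key, proto)] += 1
            proto_limit = self.per_protocol.get(proto)
            if proto_limit is not None and by_proto[(key, proto)] > proto_limit:
                verdicts["ids-drop"] += 1         # protocol-specific limit exceeded
            elif general[key] > self.max_pps:
                verdicts["ids-drop"] += 1         # general limit exceeded
            else:
                verdicts["pass"] += 1
        # Dynamic filter: individual addresses only (not subnets), general limit only.
        threshold = self.FILTER_MULTIPLIER * self.max_pps
        for src, rate in per_address.items():
            if rate > threshold and self.aggregate_prefix is None and cpu_percent > self.cpu_threshold:
                self.dynamic_filter.add(src)      # assumption: both listed conditions must hold
            elif rate <= threshold:
                self.dynamic_filter.discard(src)  # rate fell back under 4x: filter removed
        return verdicts
```

Running successive seconds through one limiter shows the filter being installed after a burst, dropping the next second's traffic at the PFE, and being removed once the rate falls back.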
Suspicious Packet Patterns
You can use IDS rules to identify and drop traffic with a suspicious packet pattern. This protects against attackers that craft unusual packets to launch denial-of-service attacks.
Suspicious packet patterns and attacks that you can specify in an IDS rule are:
Header Anomaly Attacks
To protect against header anomaly attacks, a header integrity check is automatically performed if you configure an IDS rule, a stateful firewall rule, or a NAT rule and apply it to the service set. You can also explicitly configure a header integrity check for the service set if you do not assign the service set an IDS rule, a stateful firewall rule, or a NAT rule.
The header integrity check provides protection against the following header anomaly attacks: