Understanding IDS Screens for Network Attack Protection
Intrusion Detection Services
Intrusion detection services (IDS) screens give you a way to identify and drop traffic that is part of a network attack.
In an IDS screen, you can specify:
The limits on the number of sessions that originate from individual sources or that terminate at individual destinations
The types of suspicious packets
You can also choose to log an alarm when an IDS screen identifies a packet, rather than drop the packet.
In addition to IDS screens, you can use firewall filters and policers to stop illegal TCP flags and other bad flag combinations, and to specify general rate limiting (see the Routing Policies, Firewall Filters, and Traffic Policers User Guide). IDS screens add a more granular level of filtering.
Use firewall filters and stateful firewall filters to filter out traffic that does not need to be processed by an IDS screen.
IDS screen session limits provide protection against several types of network attacks.
You can use IDS screens to set session limits for traffic from an individual source or to an individual destination. This protects against network probing and flooding attacks. Traffic that exceeds the session limits is dropped. You can specify session limits either for traffic with a particular IP protocol, such as ICMP, or for traffic in general.
You decide whether the limits apply to individual addresses or to an aggregation of traffic from individual subnets of a particular prefix length. For example, if you aggregate limits for IPv4 subnets with a prefix length of 24, traffic from 192.0.2.2 and 192.0.2.3 is counted against the limits for the 192.0.2.0/24 subnet.
Some common network probing and flooding attacks that session limits protect against include:
Session limits for traffic from a source or to a destination include:
maximum number of concurrent sessions
maximum number of packets per second
maximum number of connections per second
IDS screens also install a dynamic filter on the PFEs of line cards for suspicious activity when the following conditions occur:
Either the packets per second or the number of connections per second for an individual source or destination address exceeds four times the session limit in the IDS screen. (Dynamic filters are not created from IDS screens that use subnet aggregation.)
The services card CPU utilization percentage exceeds a configured value (default value is 90 percent).
The dynamic filter drops the suspicious traffic at the PFE, without the traffic being processed by the IDS screen. When the packet or connection rate no longer exceeds four times the limit in the IDS screen, the dynamic filter is removed.
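The following model, added here as an illustration and not Junos code, puts the session-limit and dynamic-filter behaviour described above into runnable form: per-source counting with optional subnet aggregation by prefix length, the three limit types (concurrent sessions, packets per second, connections per second), the choice between dropping and logging an alarm, and the PFE dynamic filter that is installed only when a per-address rate exceeds four times the screen limit while services-card CPU is above the threshold (default 90 percent), and removed once the rate falls back under four times the limit. The class and method names, limit values and addresses are constructed for the example; the class counts packets at the "PFE" even while a dynamic filter is active so that filter removal can be evaluated from the source's real rate.

```python
"""Model of IDS-screen session limits and the PFE dynamic-filter trigger.
Illustration only: names, limits and traffic below are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DYNAMIC_MULTIPLIER = 4  # dynamic filter triggers at four times the screen limit


@dataclass
class ScreenLimits:
    max_sessions: int                 # maximum concurrent sessions per source key
    max_pps: int                      # maximum packets per second per source key
    max_cps: int                      # maximum new connections per second per source key
    prefix_len: Optional[int] = None  # aggregate by prefix length; None = per address
    cpu_threshold: int = 90           # services-card CPU % above which dynamic filters install
    alarm_only: bool = False          # log an alarm instead of dropping


class BySourceScreen:
    """Session limits keyed by source address (or by aggregated source subnet)."""

    def __init__(self, limits: ScreenLimits):
        self.limits = limits
        self.sessions = defaultdict(int)  # concurrent sessions per key
        self.pps = defaultdict(int)       # packets seen this second per key
        self.cps = defaultdict(int)       # new connections this second per key
        self.dynamic_filters = set()      # per-address keys currently dropped at the PFE
        self.alarms = []                  # keys that triggered an alarm in alarm-only mode

    def key(self, src: str) -> str:
        """Per-address key, or the enclosing subnet when aggregation is configured."""
        addr = ipaddress.ip_address(src)
        if self.limits.prefix_len is None:
            return str(addr)
        return str(ipaddress.ip_network((addr, self.limits.prefix_len), strict=False))

    def packet(self, src: str, new_connection: bool = False) -> str:
        """Returns 'pfe-drop', 'drop', 'alarm' or 'pass' for one packet."""
        k = self.key(src)
        self.pps[k] += 1                  # counted at the PFE even when filtered
        if new_connection:
            self.cps[k] += 1
        if k in self.dynamic_filters:
            return "pfe-drop"             # dropped at the PFE, never reaches the screen
        over = (self.pps[k] > self.limits.max_pps
                or self.cps[k] > self.limits.max_cps
                or (new_connection and self.sessions[k] + 1 > self.limits.max_sessions))
        if over:
            if not self.limits.alarm_only:
                return "drop"
            self.alarms.append(k)         # alarm-only mode: log, then let the packet through
            verdict = "alarm"
        else:
            verdict = "pass"
        if new_connection:
            self.sessions[k] += 1
        return verdict

    def session_closed(self, src: str) -> None:
        k = self.key(src)
        if self.sessions[k] > 0:
            self.sessions[k] -= 1

    def end_of_second(self, cpu_percent: int) -> set:
        """Re-evaluates dynamic filters from the rates of the second just ended,
        clears the per-second counters and returns the active filter set."""
        limit_pps = DYNAMIC_MULTIPLIER * self.limits.max_pps
        limit_cps = DYNAMIC_MULTIPLIER * self.limits.max_cps
        for k in set(self.pps) | set(self.cps) | set(self.dynamic_filters):
            exceeding = self.pps[k] > limit_pps or self.cps[k] > limit_cps
            # Install only for per-address screens (not subnet aggregation) and only
            # when the services card is above its CPU threshold.
            if (exceeding and self.limits.prefix_len is None
                    and cpu_percent > self.limits.cpu_threshold):
                self.dynamic_filters.add(k)
            elif not exceeding:
                self.dynamic_filters.discard(k)   # rate back under 4x: filter removed
        self.pps.clear()
        self.cps.clear()
        return set(self.dynamic_filters)


def demo():
    """Constructed flood from one source: 45 packets against a 10 pps limit."""
    screen = BySourceScreen(ScreenLimits(max_sessions=3, max_pps=10, max_cps=5))
    verdicts = [screen.packet("192.0.2.2") for _ in range(45)]
    filters = screen.end_of_second(cpu_percent=95)   # 45 > 4*10 and CPU above 90
    next_second = screen.packet("192.0.2.2")          # now dropped at the PFE
    return verdicts.count("pass"), verdicts.count("drop"), filters, next_second


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two stages the text describes: the screen itself passes the first 10 packets and drops the remaining 35, and once the source's rate is observed above four times the limit with CPU over the threshold, the next packet is dropped at the PFE without reaching the screen. Switching the limits to `prefix_len=24` makes 192.0.2.2 and 192.0.2.3 share one counter and, as the text states, disables dynamic-filter creation.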
Suspicious Packet Patterns
You can use IDS screens to identify and drop traffic with a suspicious packet pattern. This protects against attackers that craft unusual packets to launch denial-of-service attacks.
Suspicious packet patterns and attacks that you can specify in an IDS screen are: