AT-DOS-MIB

File: AT-DOS-MIB.mib (11589 bytes)

Imported modules

AT-SMI-MIB SNMPv2-SMI SNMPv2-TC

Imported symbols

modules IpAddress Counter32
OBJECT-TYPE MODULE-IDENTITY NOTIFICATION-TYPE
TruthValue

Defined Types

DosDefenseEntry  
SEQUENCE    
  dosDefensePort INTEGER
  dosDefenseAttackType INTEGER
  dosDefenseDefenseStatus INTEGER
  dosDefenseThreshold INTEGER
  dosDefenseBlockTime INTEGER
  dosDefenseMirroring TruthValue
  dosDefensePortType INTEGER
  dosDefenseSubnetAddress IpAddress
  dosDefenseSubnetMask IpAddress
  dosDefenseAttackState INTEGER
  dosDefenseAttackCount Counter32
  dosDefenseRemainingBlockTime INTEGER

Defined Values

dosDefense 1.3.6.1.4.1.207.8.4.4.4.143
The Denial of Service defense MIB for managing defenses against denial of service attacks.
MODULE-IDENTITY    

dosDefenseStatus 1.3.6.1.4.1.207.8.4.4.4.143.1
Whether or not the DoS defense module is currently enabled
OBJECT-TYPE    
  INTEGER enabled(1), disabled(2)  

dosDefenseDebugMode 1.3.6.1.4.1.207.8.4.4.4.143.2
The debugging options enabled for DoS defense. Output goes to the asynchronous port or telnet session that enabled debugging. The bit 'None(0)' indicates that no debugging is enabled. The bit 'Attack(1)' indicates that information about the start and finish of attacks is displayed. The bit 'Packet(2)' indicates that a hexadecimal dump of the IP header of all suspect packets is displayed. The bit 'Diagnostics(3)' indicates that additional debugging and diagnostic messages may be displayed.
OBJECT-TYPE    
  BITS none(0), packet(1), attack(2), packet-attack(3), diagnostics(4), packet-diagnostics(5), attack-diagnostics(6), packet-attack-diagnostics(7)  

dosDefenseNumDebugPackets 1.3.6.1.4.1.207.8.4.4.4.143.3
When packet debugging is enabled, this is the maximum number of packets that will be displayed before debugging is automatically disabled. A value of 0 means no limit (i.e. continuous).
OBJECT-TYPE    
  INTEGER continuous(0)  

dosDefenseTable 1.3.6.1.4.1.207.8.4.4.4.143.4
A table of configuration and status information for each defense configured on a port.
OBJECT-TYPE    
  SEQUENCE OF  
    DosDefenseEntry

dosDefenseEntry 1.3.6.1.4.1.207.8.4.4.4.143.4.1
The configuration and status of the defense against a single attack type on a single port.
OBJECT-TYPE    
  DosDefenseEntry  

dosDefensePort 1.3.6.1.4.1.207.8.4.4.4.143.4.1.1
The port index on which the defense is configured.
OBJECT-TYPE    
  INTEGER 1..1023  

dosDefenseAttackType 1.3.6.1.4.1.207.8.4.4.4.143.4.1.2
The type of attack this defense protects against.
OBJECT-TYPE    
  INTEGER synFlood(1), pingOfDeath(2), smurf(3), ipOptions(4), land(5), teardrop(6), none(7)  

dosDefenseDefenseStatus 1.3.6.1.4.1.207.8.4.4.4.143.4.1.3
Whether or not this attack is currently enabled on this port.
OBJECT-TYPE    
  INTEGER enabled(1), disabled(2), set(3)  

dosDefenseThreshold 1.3.6.1.4.1.207.8.4.4.4.143.4.1.4
The threshold, in packets per second, at which an attack is deemed to be in progress. If dosDefenseAttackType is SYNFlood(1), a value of 0 means no threshold has been set and the default thresholds apply. An attack is suspected when the SYN:ACK ratio exceeds 2:1 above 20 packets per second, in any one-second interval. An attack is in progress when the SYN:ACK ratio exceeds 3:1 above 20 packets per second, in any one-second interval, or an attack is suspected more than once within a dosDefenseBlockTime interval. If dosDefenseAttackType is Smurf(3), a value of 0 means the filter will block all broadcast ICMP requests. A threshold greater than 0 will block after that number of ICMP requests are received in a 1 second interval.
OBJECT-TYPE    
  INTEGER 0..1023  

dosDefenseBlockTime 1.3.6.1.4.1.207.8.4.4.4.143.4.1.5
The time, in seconds, that must elapse after the last malicious packet is seen, before an attack is deemed to have finished and the port stops blocking traffic. If dosDefenseAttackType is SYNFlood(1), it is also the maximum time an attack is suspected before it returns to a state of no attack.
OBJECT-TYPE    
  INTEGER 1..65535  

dosDefenseMirroring 1.3.6.1.4.1.207.8.4.4.4.143.4.1.6
Whether or not suspect traffic received by this port is copied to the pre-configured mirror port.
OBJECT-TYPE    
  TruthValue  

dosDefensePortType 1.3.6.1.4.1.207.8.4.4.4.143.4.1.7
If dosDefenseAttackType is Land(6), the type of port. For other values of dosDefenseAttackType, this object returns notapplicable(0). A device connected to a client(1) port should have an IP address in the local subnet, and be the original source or ultimate destination of packets transiting the network. Incoming packets should have a source address in the local subnet. Outgoing packets should have a destination address in the local subnet. A gateway(2) port is connected directly to a gateway device attached to external networks. Apart from a small number of packets from the gateway device itself, all packets arriving at the gateway port should be from other subnets. Incoming packets should have a source address not in the local subnet. Outgoing packets should have a destination address not in the local subnet.
OBJECT-TYPE    
  INTEGER notApplicable(0), client(1), gateway(2)  

dosDefenseSubnetAddress 1.3.6.1.4.1.207.8.4.4.4.143.4.1.8
If dosDefenseAttackType is Smurf(3), the subnet address is used to determine the local broadcast address. If dosDefenseAttackType is Land(6), the subnet address used to determine which addresses are local or remote. For other values of dosDefenseAttackType, this object returns 0.0.0.0.
OBJECT-TYPE    
  IpAddress  

dosDefenseSubnetMask 1.3.6.1.4.1.207.8.4.4.4.143.4.1.9
If dosDefenseAttackType is Smurf(3), the subnet mask is used to determine the local broadcast address. If dosDefenseAttackType is Land(6), the subnet mask used to determine which addresses are local or remote. For other values of dosDefenseAttackType, this object returns 0.0.0.0.
OBJECT-TYPE    
  IpAddress  

dosDefenseAttackState 1.3.6.1.4.1.207.8.4.4.4.143.4.1.10
Whether or not an attack is currently in progress on the port. None(0) means no attack is in progress. If dosDefenseAttackType is SYNFlood(1), Suspected(1) means a SYN Flood attack is suspected. A threshold has not been set, and the default threshold of a SYN:ACK ratio of 2:1 above 20 packets per second has been reached. If dosDefenseAttackType is PingOfDeath(2), Teardrop(5) or Land(6), Suspected means that some suspect packets have been received but have not yet been analysed to determine if an attack exists. InProgress(2) means an attack is in progress.
OBJECT-TYPE    
  INTEGER none(0), suspected(1), inProgress(2)  

dosDefenseAttackCount 1.3.6.1.4.1.207.8.4.4.4.143.4.1.11
The number of attacks (attacked seconds) detected on this port.
OBJECT-TYPE    
  Counter32  

dosDefenseRemainingBlockTime 1.3.6.1.4.1.207.8.4.4.4.143.4.1.12
The time remaining
OBJECT-TYPE    
  INTEGER 0..65535  

dosDefenseTraps 1.3.6.1.4.1.207.8.4.4.4.143.5
OBJECT IDENTIFIER    

dosDefenseAttackStart 1.3.6.1.4.1.207.8.4.4.4.143.5.1
Triggered when an attack is detected on a port.
NOTIFICATION-TYPE    

dosDefenseAttackEnd 1.3.6.1.4.1.207.8.4.4.4.143.5.2
Triggered when an attack is finished on a port. This occurs after an attack packet has not been seen for a complete BlockTime period.
NOTIFICATION-TYPE