CISCO-SERVICE-CONTROL-ATTACK-MIB

File: CISCO-SERVICE-CONTROL-ATTACK-MIB.mib (24731 bytes)

Imported modules

SNMPv2-SMI SNMPv2-CONF ENTITY-MIB
INET-ADDRESS-MIB SNMPv2-TC CISCO-SMI

Imported symbols

MODULE-IDENTITY OBJECT-TYPE Counter32
NOTIFICATION-TYPE Gauge32 Counter64
Integer32 Unsigned32 OBJECT-IDENTITY
MODULE-COMPLIANCE NOTIFICATION-GROUP OBJECT-GROUP
entPhysicalIndex entPhysicalName InetAddressType
InetAddress InetPortNumber TruthValue
TimeStamp TimeInterval TEXTUAL-CONVENTION
AutonomousType ciscoMgmt

Defined Types

CscaAttackType  
TEXTUAL-CONVENTION    
  current Integer32

CscaTypeEntry  
SEQUENCE    
  cscaTypeIndex CscaAttackType
  cscaTypeCurrentNumAttacks Gauge32
  cscaTypeTotalNumAttacks Counter32
  cscaTypeTotalNumFlows Counter64
  cscaTypeTotalNumSeconds Counter32
  cscaTypeOriginatedByNetworkSide TruthValue
  cscaTypeProtocol Integer32
  cscaTypeIsPortSpecific TruthValue
  cscaTypeIPsDetected Integer32

CscaInfoEntry  
SEQUENCE    
  cscaInfoUpStreamAttackFilteringTime Counter32
  cscaInfoUpStreamLastAttackFilteringTime TimeInterval
  cscaInfoDownStreamAttackFilteringTime Counter32
  cscaInfoDownStreamLastAttackFilteringTime TimeInterval

Defined Values

ciscoServiceControlAttackMIB 1.3.6.1.4.1.9.9.693
This MIB provides data related to different types of attacks detected by a service control entity. A service control entity is a network device which monitors and controls traffic. The service control entity is used as a platform for different service control applications which may perform monitoring operations beyond packet counting and delve deeper into the contents of network traffic. It provides programmable stateful inspection of bidirectional traffic flows and maps these flows with user/subscriber ownership. An attack is a malicious network activity with certain traffic characteristics which is targeted at a certain network entity. An attack can be identified by its type, direction, source address, destination address and ports. Once an attack is detected, an attack filter is activated based on the type of the attack and corresponding actions are taken in the monitored network - this is referred to as attack start. For example, the attack filter can drop the attacking traffic. When the attack detector identifies that the attack characteristics no longer exist, it ends the mitigation action - this is referred to as attack end. The attack mitigation action is also referred to as attack filtering in this MIB. The time duration of attack filtering between attack start and attack end, along with the direction (upstream, downstream), is also maintained by the service control entity. Attack filtering can be applied from the subscriber side to the network side, in the upstream direction. The downstream attack filtering is done from the network side to the subscriber side. This MIB also defines notifications generated by the service control entity when an attack is detected on a monitored network.
MODULE-IDENTITY    

ciscoServiceControlAttackMIBNotifs 1.3.6.1.4.1.9.9.693.0
OBJECT IDENTIFIER    

ciscoServiceControlAttackMIBObjects 1.3.6.1.4.1.9.9.693.1
OBJECT IDENTIFIER    

ciscoServiceControlAttackMIBConform 1.3.6.1.4.1.9.9.693.2
OBJECT IDENTIFIER    

cscaFilterMIBObjects 1.3.6.1.4.1.9.9.693.1.1
OBJECT IDENTIFIER    

cscaTypeTable 1.3.6.1.4.1.9.9.693.1.2
This table lists the aggregated statistics for each detected attack in a network controlled by a service control entity.
OBJECT-TYPE    
  SEQUENCE OF  
    CscaTypeEntry

cscaTypeEntry 1.3.6.1.4.1.9.9.693.1.2.1
This entry contains information for an attack detected by the service control entity. The service control entity can report a number of attack types. The cscaTypeTable is created during the initialization of the service control entity and is valid while the service control entity is operational.
OBJECT-TYPE    
  CscaTypeEntry  

cscaTypeIndex 1.3.6.1.4.1.9.9.693.1.2.1.1
This object uniquely identifies the attack type.
OBJECT-TYPE    
  CscaAttackType 1..64  

cscaTypeCurrentNumAttacks 1.3.6.1.4.1.9.9.693.1.2.1.2
This object indicates the current number of ongoing attacks of this type that the service control entity has detected in the network.
OBJECT-TYPE    
  Gauge32  

cscaTypeTotalNumAttacks 1.3.6.1.4.1.9.9.693.1.2.1.3
This object indicates the total number of attacks of this type since the last discontinuity.
OBJECT-TYPE    
  Counter32  

cscaTypeTotalNumFlows 1.3.6.1.4.1.9.9.693.1.2.1.4
This object indicates the total number of IP flows on which this type of attack has been detected, since the last discontinuity.
OBJECT-TYPE    
  Counter64  

cscaTypeTotalNumSeconds 1.3.6.1.4.1.9.9.693.1.2.1.5
This object indicates the accumulated duration in seconds belonging to this attack type, since the last discontinuity.
OBJECT-TYPE    
  Counter32  

cscaTypeOriginatedByNetworkSide 1.3.6.1.4.1.9.9.693.1.2.1.6
This object indicates whether this attack type is originated from the Network side or from the Subscriber side.
OBJECT-TYPE    
  TruthValue  

cscaTypeProtocol 1.3.6.1.4.1.9.9.693.1.2.1.7
This enumerated object indicates the protocol type for this type of attack (TCP/UDP/ICMP/etc). The values for this object are: (1) TCP (2) UDP (3) ICMP (4) Other
OBJECT-TYPE    
  Integer32  

cscaTypeIsPortSpecific 1.3.6.1.4.1.9.9.693.1.2.1.8
This object indicates whether the attack type is port-specific or not.
OBJECT-TYPE    
  TruthValue  

cscaTypeIPsDetected 1.3.6.1.4.1.9.9.693.1.2.1.9
This object indicates which IPs are detected in this type of attack. The enumerated values are: (1) Originating Side IP is detected. (2) Attacked Side IP is detected. (3) Both side IPs are detected.
OBJECT-TYPE    
  Integer32  

cscaInfoTable 1.3.6.1.4.1.9.9.693.1.3
This table lists information for attack mitigation, also referred to as attack filtering, done by a service control entity in the monitored network.
OBJECT-TYPE    
  SEQUENCE OF  
    CscaInfoEntry

cscaInfoEntry 1.3.6.1.4.1.9.9.693.1.3.1
This entry contains information about attack mitigation done by a physical service control entity, for attacks which it has detected.
OBJECT-TYPE    
  CscaInfoEntry  

cscaInfoUpStreamAttackFilteringTime 1.3.6.1.4.1.9.9.693.1.3.1.1
This object indicates the cumulative time during which attacks in the up-stream direction were filtered.
OBJECT-TYPE    
  Counter32  

cscaInfoUpStreamLastAttackFilteringTime 1.3.6.1.4.1.9.9.693.1.3.1.2
This object indicates the time elapsed since the previous attack in the upstream direction ended. Attack end is reached when the service control entity attack detector identifies that the attack characteristics (like high flow rate) no longer exist, and the attack is suppressed in the up-stream traffic.
OBJECT-TYPE    
  TimeInterval  

cscaInfoDownStreamAttackFilteringTime 1.3.6.1.4.1.9.9.693.1.3.1.3
This object indicates the cumulative time during which attacks in the down-stream direction were filtered.
OBJECT-TYPE    
  Counter32  

cscaInfoDownStreamLastAttackFilteringTime 1.3.6.1.4.1.9.9.693.1.3.1.4
This object indicates the time elapsed since the previous attack in the downstream direction ended. Attack end is reached when the service control entity attack detector identifies that the attack characteristics (like high flow rate) no longer exist, and the attack is suppressed in the down-stream traffic.
OBJECT-TYPE    
  TimeInterval  

cscaType 1.3.6.1.4.1.9.9.693.1.1.1
This object indicates the type of an attack detected and reported by the service control entity. There are numerous attack types, based on the service control entity's definition. The service control entity monitors and mitigates a predefined set of attack types. The value of this object should be used as an index into the table cscaTypeTable in order to query for information regarding this attack type, such as its name and other statistics.
OBJECT-TYPE    
  CscaAttackType  

cscaSourceAddressType 1.3.6.1.4.1.9.9.693.1.1.2
This object indicates the address type for cscaSourceAddress.
OBJECT-TYPE    
  InetAddressType  

cscaSourceAddress 1.3.6.1.4.1.9.9.693.1.1.3
This object indicates the network address that is the source end point of this attack.
OBJECT-TYPE    
  InetAddress  

cscaDestinationAddressType 1.3.6.1.4.1.9.9.693.1.1.4
This object indicates the address type for cscaDestinationAddress.
OBJECT-TYPE    
  InetAddressType  

cscaDestinationAddress 1.3.6.1.4.1.9.9.693.1.1.5
This object indicates the network address that is the destination end point of this attack.
OBJECT-TYPE    
  InetAddress  

cscaAttackedPort 1.3.6.1.4.1.9.9.693.1.1.6
This object indicates the port on which this attack occurs, if relevant for this type of attack.
OBJECT-TYPE    
  InetPortNumber  

cscaFilterStatus 1.3.6.1.4.1.9.9.693.1.1.7
This object indicates the status of the filter for this attack. The values for this object are '1' (activated) and '2' (de-activated).
OBJECT-TYPE    
  INTEGER activated(1), deactivated(2)  

cscaNotifsEnabled 1.3.6.1.4.1.9.9.693.1.1.8
This object specifies whether the system generates the cscaFilterChange notification.
OBJECT-TYPE    
  TruthValue  

cscaLastDiscontinuityTimeStamp 1.3.6.1.4.1.9.9.693.1.1.9
This object indicates the value of sysUpTime when the last discontinuity occurred.
OBJECT-TYPE    
  TimeStamp  

cscaGlobalAttackType 1.3.6.1.4.1.9.9.693.1.1.10
This object indicates the type of a global attack detected and reported by the service control entity. The global attack types are: ICMP attack (1), UDP attack (2), UDP fragment attack (3), TCP SYN attack (4), TCP RST attack (5), TCP fragment attack (6), TCP NON-SYN attack (7).
OBJECT-TYPE    
  INTEGER icmpAttack(1), udpAttack(2), udpFragmentAttack(3), tcpSynAttack(4), tcpRstAttack(5), tcpFragmentAttack(6), tcpNonSynAttack(7)  

cscaGlobalAttackNotifsEnabled 1.3.6.1.4.1.9.9.693.1.1.11
This object specifies whether the system generates the cscaGlobalAttackFilterChange notification. Setting this object value to 'true' will enable generation of cscaGlobalAttackFilterChange notification. Setting this object value to 'false' will disable generation of cscaGlobalAttackFilterChange notification.
OBJECT-TYPE    
  TruthValue  

cscaFilterChange 1.3.6.1.4.1.9.9.693.0.1
The system generates this notification to indicate that the cscaFilterStatus of the attack filter for cscaType has changed due to the reason determined by cscaDescription. The system limits the generation of this notification for the same cscaType to a five-second interval.
NOTIFICATION-TYPE    

cscaGlobalAttackFilterChange 1.3.6.1.4.1.9.9.693.0.2
The notification is generated when a start or end of a global attack is detected in the system. The following fields are sent with the trap: entPhysicalName indicates the name of the originating physical entity. cscaGlobalAttackType indicates the type of the global attack. cscaFilterStatus indicates whether the global attack has started or ended, i.e. whether the attack filter status is activated or deactivated. cscaTypeOriginatedByNetworkSide indicates the origin/source of the attack, whether it originated from the network side or the subscriber side.
NOTIFICATION-TYPE    
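
Added example (not part of the MIB or of any Cisco code): a Python decoder that turns the four varbinds of cscaGlobalAttackFilterChange into an alert record, using the OIDs and enumerations listed on this page. The input shape (a list of (OID, value) pairs from a trap receiver), the instance suffixes and the sample values are assumptions constructed for illustration.

```python
# OIDs and enumerations come from the listing on this page; the sample
# varbinds, instance suffixes and device name are constructed.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"            # SNMPv2-MIB snmpTrapOID.0
GLOBAL_FILTER_CHANGE = "1.3.6.1.4.1.9.9.693.0.2"   # cscaGlobalAttackFilterChange
ENT_PHYSICAL_NAME = "1.3.6.1.2.1.47.1.1.1.1.7"     # ENTITY-MIB entPhysicalName
GLOBAL_ATTACK_TYPE = "1.3.6.1.4.1.9.9.693.1.1.10"  # cscaGlobalAttackType
FILTER_STATUS = "1.3.6.1.4.1.9.9.693.1.1.7"        # cscaFilterStatus
ORIGIN_NETWORK = "1.3.6.1.4.1.9.9.693.1.2.1.6"     # cscaTypeOriginatedByNetworkSide

ATTACK_TYPES = {1: "icmpAttack", 2: "udpAttack", 3: "udpFragmentAttack",
                4: "tcpSynAttack", 5: "tcpRstAttack", 6: "tcpFragmentAttack",
                7: "tcpNonSynAttack"}
FILTER_EVENTS = {1: "attack start", 2: "attack end"}  # activated / deactivated
TRUTH_VALUE = {1: True, 2: False}                     # SNMPv2-TC TruthValue

def _under(oid, base):
    # Match on an arc boundary so ...1.1.7 never matches ...1.1.70.
    return oid == base or oid.startswith(base + ".")

def decode_global_attack_trap(varbinds):
    """Return an alert dict, or None if this is not cscaGlobalAttackFilterChange."""
    binds = [(str(oid).lstrip("."), val) for oid, val in varbinds]
    trap_oid = str(dict(binds).get(SNMP_TRAP_OID, "")).lstrip(".")
    if trap_oid != GLOBAL_FILTER_CHANGE:
        return None

    def pick(base):
        for oid, val in binds:
            if _under(oid, base):
                return val
        raise ValueError(f"missing varbind under {base}")

    attack, status = int(pick(GLOBAL_ATTACK_TYPE)), int(pick(FILTER_STATUS))
    origin = int(pick(ORIGIN_NETWORK))
    if (attack not in ATTACK_TYPES or status not in FILTER_EVENTS
            or origin not in TRUTH_VALUE):
        raise ValueError("enumeration value outside the range the MIB defines")
    return {"device": str(pick(ENT_PHYSICAL_NAME)),
            "attack": ATTACK_TYPES[attack],
            "event": FILTER_EVENTS[status],
            "origin": "network" if TRUTH_VALUE[origin] else "subscriber"}

SAMPLE_TRAP = [  # constructed varbind list
    ("1.3.6.1.2.1.1.3.0", 123456), (SNMP_TRAP_OID, GLOBAL_FILTER_CHANGE),
    (ENT_PHYSICAL_NAME + ".1", "sce-lab-1"), (GLOBAL_ATTACK_TYPE + ".0", 4),
    (FILTER_STATUS + ".0", 1), (ORIGIN_NETWORK + ".1.4", 2)]

if __name__ == "__main__":
    print(decode_global_attack_trap(SAMPLE_TRAP))
```

Rejecting out-of-range enumeration values instead of passing them through keeps a malformed or spoofed trap from producing a misleading alert downstream.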

cscaMIBCompliances 1.3.6.1.4.1.9.9.693.2.1
OBJECT IDENTIFIER    

cscaMIBGroups 1.3.6.1.4.1.9.9.693.2.2
OBJECT IDENTIFIER    

cscaMIBCompliance 1.3.6.1.4.1.9.9.693.2.1.1
The compliance statement for SNMP Agents which implement this MIB.
MODULE-COMPLIANCE    

cscaMIBComplianceRev1 1.3.6.1.4.1.9.9.693.2.1.2
The compliance statement for SNMP Agents which implement this generic filter (both Specific IP and global attack) MIB.
MODULE-COMPLIANCE    

cscaMIBAttackTypeObjectGroup 1.3.6.1.4.1.9.9.693.2.2.1
A collection of objects which provides attack information.
OBJECT-GROUP    

cscaMIBAttackInfoObjectGroup 1.3.6.1.4.1.9.9.693.2.2.2
A collection of objects which provides attack filtering times for upstream and downstream attacks.
OBJECT-GROUP    

cscaMIBNotificationGroup 1.3.6.1.4.1.9.9.693.2.2.3
A collection of notifications which provide status change information for attack filters. cscaMIBNotificationGroup object is superseded by cscaMIBNotificationGroupRev1.
NOTIFICATION-GROUP    

cscaFilterObjectGroup 1.3.6.1.4.1.9.9.693.2.2.4
A collection of objects which define each attack filter and its status. cscaFilterObjectGroup object is superseded by cscaFilterObjectGroupRev1.
OBJECT-GROUP    

cscaMIBNotifControlGroup 1.3.6.1.4.1.9.9.693.2.2.5
A collection of object(s) to control the enable/disable state of notification generation. cscaMIBNotifControlGroup object is superseded by cscaMIBNotifControlGroupRev1.
OBJECT-GROUP    

cscaMIBNotificationGroupRev1 1.3.6.1.4.1.9.9.693.2.2.6
A collection of notifications which provide status change information for both specific IP and global attack filters.
NOTIFICATION-GROUP    

cscaFilterObjectGroupRev1 1.3.6.1.4.1.9.9.693.2.2.7
A collection of objects which define each attack filter and its status.
OBJECT-GROUP    

cscaMIBNotifControlGroupRev1 1.3.6.1.4.1.9.9.693.2.2.8
A collection of object(s) to control the enable/disable state of notification generation.
OBJECT-GROUP