-- *****************************************************************
-- CISCO-SERVICE-CONTROL-ATTACK-MIB.my
--
-- MIB file for Service Control entity Attack Detecting Mechanism.
-- May 2009, Or Dubnov-Raz.
--
-- Copyright (c) 2007-2009 by Cisco Systems Inc.
-- All rights reserved.
--
-- ***************************************************************
--
-- Module layout (all OIDs hang off ciscoMgmt 693):
--   .0  ciscoServiceControlAttackMIBNotifs   - cscaFilterChange
--   .1  ciscoServiceControlAttackMIBObjects  - cscaFilterMIBObjects (.1),
--                                              cscaTypeTable (.2), cscaInfoTable (.3)
--   .2  ciscoServiceControlAttackMIBConform  - compliance and groups
--
-- The only read-write object in this module is cscaNotifsEnabled; every
-- other object is read-only, not-accessible or accessible-for-notify.

CISCO-SERVICE-CONTROL-ATTACK-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Counter32,
    NOTIFICATION-TYPE,
    Gauge32,
    Counter64,
    Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    entPhysicalIndex,
    entPhysicalName
        FROM ENTITY-MIB
    InetAddressType,
    InetAddress,
    InetPortNumber
        FROM INET-ADDRESS-MIB
    TruthValue,
    TimeStamp,
    TimeInterval,
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoServiceControlAttackMIB MODULE-IDENTITY
    LAST-UPDATED "200905050000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO "Cisco Systems Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS E-mail: cs-excelsior-dev@cisco.com"
    -- NOTE(review): the DESCRIPTION below contains "are no longer exist"
    -- (should read "no longer exist"); the string is left unchanged here.
    DESCRIPTION "This MIB provides data related to different types of attacks detected by a service control entity. A service control entity is a network device which monitors and controls traffic. The service control entity is used as a platform for different service control applications which may perform monitoring operations beyond packet counting and delve deeper into the contents of network traffic. It provides programmable stateful inspection of bidirectional traffic flows and maps these flows with user/subscriber ownership. An attack is a malicious network activity with certain traffic characteristics and which is targeted on a certain network entity. An attack can be identified by its type, direction, source address, destination address and ports. 
Once an attack is detected, an attack filter is activated based on the type of the attack and corresponding actions are taken in the monitored network - this is referred to as attack start. For example the attack filter can drop the attacking traffic. When the attack detector identifies that the attack characteristics are no longer exist, it ends the mitigation action - what is referred to as attack end. The attack mitigation action is also referred to as attack filtering in this MIB. The time duration of attack filtering between attack start to attack end along with the direction (upstream, downstream) is also maintained by the service control entity. Attack filtering can be applied from the subscriber side to the network side, in the upstream direction. The downstream attack filtering is done from the network side to the subscriber side. This MIB also defines notifications generated by the service control entity when an attack is detected on a monitored network."
    REVISION "200905050000Z"
    DESCRIPTION "Initial version of this MIB module."
    ::= { ciscoMgmt 693 }

-- Attack-type identifier. The TC itself is an unconstrained Integer32;
-- the (1..64) range is applied only where cscaTypeIndex uses it, not on
-- the notification object cscaType (see note there).
CscaAttackType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "d"
    STATUS current
    DESCRIPTION "A value which identifies the various attack types which may be detected by the service control entity."
    SYNTAX Integer32

ciscoServiceControlAttackMIBNotifs OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIB 0 }

ciscoServiceControlAttackMIBObjects OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIB 1 }

ciscoServiceControlAttackMIBConform OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIB 2 }

-- Scalars that describe a single attack filter; most are
-- accessible-for-notify and are carried by cscaFilterChange.
cscaFilterMIBObjects OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIBObjects 1 }

-- Per-attack-type statistics, indexed by the physical entity and the
-- attack type. Rows are created by the agent (no row-creation objects
-- exist in this table).
cscaTypeTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CscaTypeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This table lists the aggregated statistics for each detected attack in a network controlled by a service control entity."
    ::= { ciscoServiceControlAttackMIBObjects 2 }

cscaTypeEntry OBJECT-TYPE
    SYNTAX CscaTypeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This entry contains information for an attack detected by the service control entity. The service control entity can report a number of attack types, the cscaTypeTable is created during the initialization of the service control entity and is valid while the service control entity is operational."
    INDEX { entPhysicalIndex, cscaTypeIndex }
    ::= { cscaTypeTable 1 }

CscaTypeEntry ::= SEQUENCE {
    cscaTypeIndex                   CscaAttackType,
    cscaTypeCurrentNumAttacks       Gauge32,
    cscaTypeTotalNumAttacks         Counter32,
    cscaTypeTotalNumFlows           Counter64,
    cscaTypeTotalNumSeconds         Counter32,
    cscaTypeOriginatedByNetworkSide TruthValue,
    cscaTypeProtocol                Integer32,
    cscaTypeIsPortSpecific          TruthValue,
    cscaTypeIPsDetected             Integer32
}

-- Index column; the only place the (1..64) range is enforced.
cscaTypeIndex OBJECT-TYPE
    SYNTAX CscaAttackType (1..64)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This object uniquely identifies the attack type."
    ::= { cscaTypeEntry 1 }

-- Gauge: rises and falls with the number of currently active attacks
-- of this type, unlike the Counter32/Counter64 totals below.
cscaTypeCurrentNumAttacks OBJECT-TYPE
    SYNTAX Gauge32
    UNITS "attacks"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the current number of ongoing attacks of this type, that the service control entity has detected in the network."
    ::= { cscaTypeEntry 2 }

-- "last discontinuity" for the three totals below is presumably the
-- event recorded in cscaLastDiscontinuityTimeStamp; the text does not
-- name it explicitly, so confirm against the agent.
cscaTypeTotalNumAttacks OBJECT-TYPE
    SYNTAX Counter32
    UNITS "attacks"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the total number of attacks of this type since the last discontinuity."
    ::= { cscaTypeEntry 3 }

cscaTypeTotalNumFlows OBJECT-TYPE
    SYNTAX Counter64
    UNITS "IP flows"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the total number of IP flows on which this type of attack has been detected, since the last discontinuity."
    ::= { cscaTypeEntry 4 }

cscaTypeTotalNumSeconds OBJECT-TYPE
    SYNTAX Counter32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the accumulated duration in seconds belonging to this attack type, since the last discontinuity."
    ::= { cscaTypeEntry 5 }

cscaTypeOriginatedByNetworkSide OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates whether this attack type is originated from the Network side or from the Subscriber side."
    ::= { cscaTypeEntry 6 }

-- NOTE(review): the SYNTAX is plain Integer32; the 1..4 enumeration
-- (TCP/UDP/ICMP/Other) lives only in the DESCRIPTION, so nothing at the
-- SMI level rejects other values. Consumers should handle values
-- outside 1..4 defensively rather than assume the enumeration.
cscaTypeProtocol OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This enumerated object indicates the protocol type for this type of attack (TCP/UDP/ICMP/etc). The values for this object are: (1) TCP (2) UDP (3) ICMP (4) Other"
    ::= { cscaTypeEntry 7 }

cscaTypeIsPortSpecific OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates whether the attack type is port-specific or not."
    ::= { cscaTypeEntry 8 }

-- Same pattern as cscaTypeProtocol: enumeration (1..3) is documented
-- in the DESCRIPTION only, with an unconstrained Integer32 SYNTAX.
cscaTypeIPsDetected OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates which IPs are detected in this type of attack. The enumerated values are: (1) Originating Side IP is detected. (2) Attacked Side IP is detected. (3) Both side IPs are detected."
    ::= { cscaTypeEntry 9 }

-- Per-entity filtering-time summary (one row per entPhysicalIndex).
cscaInfoTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CscaInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This table lists information for attack mitigation, also referred to as attack filtering, done by a service control entity in the monitored network."
    ::= { ciscoServiceControlAttackMIBObjects 3 }

cscaInfoEntry OBJECT-TYPE
    SYNTAX CscaInfoEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This entry contains information about attack mitigation done by a physical service control entity, for attacks which it has detected."
    INDEX { entPhysicalIndex }
    ::= { cscaInfoTable 1 }

-- Units differ within each pair: the cumulative *AttackFilteringTime
-- objects are Counter32 with UNITS "seconds", while the *LastAttack-
-- FilteringTime objects are SNMPv2-TC TimeInterval (hundredths of a
-- second). Do not compare them without converting.
CscaInfoEntry ::= SEQUENCE {
    cscaInfoUpStreamAttackFilteringTime       Counter32,
    cscaInfoUpStreamLastAttackFilteringTime   TimeInterval,
    cscaInfoDownStreamAttackFilteringTime     Counter32,
    cscaInfoDownStreamLastAttackFilteringTime TimeInterval
}

cscaInfoUpStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX Counter32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the cumulative time during which attacks in the up-stream direction were filtered."
    ::= { cscaInfoEntry 1 }

cscaInfoUpStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the time since the previous attack in the upstream direction has ended. Attack end is reached when the service control entity attack detector identifies that the attack characteristics (like high flow rate) no longer exist, and the attack is suppressed in the up-stream traffic."
    ::= { cscaInfoEntry 2 }

cscaInfoDownStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX Counter32
    UNITS "seconds"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the cumulative time during which attacks in the down-stream direction were filtered."
    ::= { cscaInfoEntry 3 }

cscaInfoDownStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX TimeInterval
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the time since the previous attack in the downstream direction has ended. Attack end is reached when the service control entity attack detector identifies that the attack characteristics (like high flow rate) no longer exist, and the attack is suppressed in the down-stream traffic."
    ::= { cscaInfoEntry 4 }

-- NOTE(review): cscaType has no (1..64) range, whereas the table index
-- cscaTypeIndex it is meant to look up does. A receiver that uses this
-- value as an index into cscaTypeTable should check it falls inside the
-- table's index range before trusting the lookup. The DESCRIPTION also
-- mentions "its name", but cscaTypeTable defines no name column, and
-- "set of attack type" should read "set of attack types"; the string is
-- left unchanged here.
cscaType OBJECT-TYPE
    SYNTAX CscaAttackType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the type of an attack detected and reported by the service control entity. There are numerous attack types, based on the service control entity's definition. 
The service control entity monitors and mitigates a predefined set of attack type. The value of this object should be used as index to table cscaTypeTable in order to query for information regarding this attack type, such as its name and other statistics."
    ::= { cscaFilterMIBObjects 1 }

-- Address type/address pairs follow the INET-ADDRESS-MIB convention:
-- the InetAddress octets are only interpretable together with the
-- matching InetAddressType object.
cscaSourceAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the address type for cscaSourceAddress."
    ::= { cscaFilterMIBObjects 2 }

cscaSourceAddress OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the network address that is the source end point of this attack."
    ::= { cscaFilterMIBObjects 3 }

cscaDestinationAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the address type for cscaDestinationAddress."
    ::= { cscaFilterMIBObjects 4 }

cscaDestinationAddress OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the network address that is the destination end point of this attack."
    ::= { cscaFilterMIBObjects 5 }

-- Only meaningful when cscaTypeIsPortSpecific is true for the attack
-- type; the DESCRIPTION does not say what value is reported otherwise.
cscaAttackedPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the port on which this attack occurs, if relevant for this type of attack."
    ::= { cscaFilterMIBObjects 6 }

-- activated(1) = filter (mitigation) is in effect, deactivated(2) = it
-- has been lifted. This is the object whose change triggers
-- cscaFilterChange.
cscaFilterStatus OBJECT-TYPE
    SYNTAX INTEGER { activated(1), deactivated(2) }
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION "This object indicates the status of the filter for this attack. The values for this object are '1' (activated) and '2' (de-activated)."
    ::= { cscaFilterMIBObjects 7 }

-- The single read-write object in the module. Setting it to false
-- silences cscaFilterChange entirely, so SNMP write access to it should
-- be restricted and sets of it should be logged/alerted on; a collector
-- may also poll it to detect that notifications have been disabled.
cscaNotifsEnabled OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION "This object specifies whether the system generates the cscaFilterChange notification."
    ::= { cscaFilterMIBObjects 8 }

-- sysUpTime at the last counter discontinuity; use it to detect resets
-- of the "since the last discontinuity" totals in cscaTypeTable.
cscaLastDiscontinuityTimeStamp OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "This object indicates the value of sysUpTime when the last discontinuity occurred."
    ::= { cscaFilterMIBObjects 9 }

-- NOTE(review): the DESCRIPTION refers to cscaDescription, which is
-- neither defined in this module nor imported, so the "reason" for the
-- change is not actually carried by this notification as defined. The
-- reporting entity is identified by entPhysicalName, not
-- entPhysicalIndex. Per the DESCRIPTION, notifications for the same
-- cscaType are limited to one per five seconds, so a collector that
-- relies on this trap alone may not see every filter transition;
-- polling cscaTypeCurrentNumAttacks and cscaInfoTable can reconcile.
-- "this notifications" should read "these notifications".
cscaFilterChange NOTIFICATION-TYPE
    OBJECTS {
        entPhysicalName,
        cscaType,
        cscaSourceAddressType,
        cscaSourceAddress,
        cscaDestinationAddressType,
        cscaDestinationAddress,
        cscaAttackedPort,
        cscaFilterStatus
    }
    STATUS current
    DESCRIPTION "The system generates this notification to indicate that the cscaFilterStatus of the attack filter for cscaType has changed due to the reason determined by cscaDescription. The system limits the generation of this notifications for the same cscaType to a five-second interval."
    ::= { ciscoServiceControlAttackMIBNotifs 1 }

-- Conformance

cscaMIBCompliances OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIBConform 1 }

cscaMIBGroups OBJECT IDENTIFIER ::= { ciscoServiceControlAttackMIBConform 2 }

-- All five groups are mandatory; there are no optional groups or
-- refinements (e.g. no MIN-ACCESS relaxation for cscaNotifsEnabled).
cscaMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION "The compliance statement for SNMP Agents which implement this MIB."
    MODULE -- this module
        MANDATORY-GROUPS {
            cscaMIBAttackTypeObjectGroup,
            cscaMIBNotificationGroup,
            cscaMIBAttackInfoObjectGroup,
            cscaFilterObjectGroup,
            cscaMIBNotifControlGroup
        }
    ::= { cscaMIBCompliances 1 }

-- Units of Conformance

cscaMIBAttackTypeObjectGroup OBJECT-GROUP
    OBJECTS {
        cscaTypeCurrentNumAttacks,
        cscaTypeTotalNumAttacks,
        cscaTypeTotalNumFlows,
        cscaTypeTotalNumSeconds,
        cscaTypeOriginatedByNetworkSide,
        cscaTypeProtocol,
        cscaTypeIsPortSpecific,
        cscaTypeIPsDetected
    }
    STATUS current
    DESCRIPTION "A collection of objects which provides attack information."
    ::= { cscaMIBGroups 1 }

cscaMIBAttackInfoObjectGroup OBJECT-GROUP
    OBJECTS {
        cscaInfoUpStreamAttackFilteringTime,
        cscaInfoUpStreamLastAttackFilteringTime,
        cscaInfoDownStreamAttackFilteringTime,
        cscaInfoDownStreamLastAttackFilteringTime
    }
    STATUS current
    DESCRIPTION "A collection of objects which provides attack filtering times for upstream and down stream attacks."
    ::= { cscaMIBGroups 2 }

-- NOTE(review): "collection of notification" should read
-- "collection of notifications"; string left unchanged.
cscaMIBNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { cscaFilterChange }
    STATUS current
    DESCRIPTION "A collection of notification which provides status change information for attack filters."
    ::= { cscaMIBGroups 3 }

-- Groups the accessible-for-notify filter objects together with the
-- read-only discontinuity timestamp.
cscaFilterObjectGroup OBJECT-GROUP
    OBJECTS {
        cscaType,
        cscaSourceAddressType,
        cscaSourceAddress,
        cscaDestinationAddressType,
        cscaDestinationAddress,
        cscaAttackedPort,
        cscaFilterStatus,
        cscaLastDiscontinuityTimeStamp
    }
    STATUS current
    DESCRIPTION "A collection of objects which define each attack filter and its status."
    ::= { cscaMIBGroups 4 }

cscaMIBNotifControlGroup OBJECT-GROUP
    OBJECTS { cscaNotifsEnabled }
    STATUS current
    DESCRIPTION "A collection of object(s) to control the enable/disable state of notification generation."
    ::= { cscaMIBGroups 5 }

END