-- -- at-dos.mib -- MIB generated by MG-SOFT Visual MIB Builder Version 3.0 Build 285 -- Wednesday, May 07, 2008 at 15:39:48 -- AT-DOS-MIB DEFINITIONS ::= BEGIN IMPORTS modules FROM AT-SMI-MIB IpAddress, Counter32, BITS, OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE FROM SNMPv2-SMI TruthValue FROM SNMPv2-TC; -- ============================================================================ -- AT-DOS.MIB, Allied Telesis enterprise MIB: Denial of Service defense -- -- Copyright (c) 2008 by Allied Telesis, Inc. -- All rights reserved. -- -- ============================================================================ -- 1.3.6.1.4.1.207.8.4.4.4.143 dosDefense MODULE-IDENTITY LAST-UPDATED "200804291125Z" -- April 29, 2008 at 11:25 GMT ORGANIZATION "Allied Telesis, Inc" CONTACT-INFO "http://www.alliedtelesis.com" DESCRIPTION "The Denial of Service defense MIB for managing defenses against denial of service attacks. " ::= { modules 143 } -- -- -- -- ----------------------------------- -- -- Global Settings -- -- ----------------------------------- -- -- Node definitions -- -- 1.3.6.1.4.1.207.8.4.4.4.143.1 dosDefenseStatus OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "Whether or not the DoS defense module is currently enabled" ::= { dosDefense 1 } -- 1.3.6.1.4.1.207.8.4.4.4.143.2 dosDefenseDebugMode OBJECT-TYPE SYNTAX BITS { none(0), packet(1), attack(2), packet/attack(3), diagnostics(4), packet/diagnostics(5), attack/diagnostics(6), packet/attack/diagnostics(7) } MAX-ACCESS read-only STATUS current DESCRIPTION "The debugging options enabled for DoS defense. Output goes to the asynchronous port or telnet session that enabled debugging. The bit 'None(0)' indicates that no debugging is enabled. The bit 'Attack(1)' indicates that information about the start and finish of attacks is displayed. The bit 'Packet(2)' indicates that a hexadecimal dump of the IP header of all suspect packets is displayed. The bit 'Diagnostics(3)' indicates that additional debugging and diagnostic messages may be displayed." ::= { dosDefense 2 } -- 1.3.6.1.4.1.207.8.4.4.4.143.3 dosDefenseNumDebugPackets OBJECT-TYPE SYNTAX INTEGER { continuous(0) } MAX-ACCESS read-only STATUS current DESCRIPTION "When packet debugging is enabled, this is the maximum number of packets that will be displayed before debugging is automatically disabled. A value of 0 means no limit (i.e. continuous)." ::= { dosDefense 3 } -- ---------------------------------------------------------- -- The DoS Defense Table -- -- Each row of the table contains the configuration for the -- defense against one attack type on one port. -- ---------------------------------------------------------- -- 1.3.6.1.4.1.207.8.4.4.4.143.4 dosDefenseTable OBJECT-TYPE SYNTAX SEQUENCE OF DosDefenseEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of configuration and status information for each defense configured on a port." ::= { dosDefense 4 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1 dosDefenseEntry OBJECT-TYPE SYNTAX DosDefenseEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The configuration and status of the defense against a single attack type on a single port." INDEX { dosDefensePort, dosDefenseAttackType } ::= { dosDefenseTable 1 } DosDefenseEntry ::= SEQUENCE { dosDefensePort INTEGER, dosDefenseAttackType INTEGER, dosDefenseDefenseStatus INTEGER, dosDefenseThreshold INTEGER, dosDefenseBlockTime INTEGER, dosDefenseMirroring TruthValue, dosDefensePortType INTEGER, dosDefenseSubnetAddress IpAddress, dosDefenseSubnetMask IpAddress, dosDefenseAttackState INTEGER, dosDefenseAttackCount Counter32, dosDefenseRemainingBlockTime INTEGER } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.1 dosDefensePort OBJECT-TYPE SYNTAX INTEGER (1..1023) MAX-ACCESS read-only STATUS current DESCRIPTION "The port index on which the defense is configured." ::= { dosDefenseEntry 1 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.2 dosDefenseAttackType OBJECT-TYPE SYNTAX INTEGER { synFlood(1), pingOfDeath(2), smurf(3), ipOptions(4), land(5), teardrop(6), none(7) } MAX-ACCESS read-only STATUS current DESCRIPTION "The type of attack this defense protects against." ::= { dosDefenseEntry 2 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.3 dosDefenseDefenseStatus OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2), set(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "Whether or not this attack is currently enabled on this port." ::= { dosDefenseEntry 3 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.4 dosDefenseThreshold OBJECT-TYPE SYNTAX INTEGER (0..1023) MAX-ACCESS read-only STATUS current DESCRIPTION "The threshold, in packets per second, at which an attack is deemed to be in progress. If dosDefenseAttackType is SYNFlood(1), a value of 0 means no threshold has been set and the default thresholds apply. An attack is suspected when the SYN:ACK ratio exceeds 2:1 above 20 packets per second, in any one-second interval. An attack is in progress when the SYN:ACK ratio exceeds 3:1 above 20 packets per second, in any one-second interval, or an attack is suspected more than once within a dosDefenseBlockTime interval. If dosDefenseAttackType is Smurf(3), a value of 0 means the filter will block all broadcast ICMP requests. A threshold greater than 0 will block after that number of ICMP requests are received in a 1 second interval." ::= { dosDefenseEntry 4 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.5 dosDefenseBlockTime OBJECT-TYPE SYNTAX INTEGER (1..65535) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The time, in seconds, that must elapse after the last malicious packet is seen, before an attack is deemed to have finished and the port stops blocking traffic. If dosDefenseAttackType is SYNFlood(1), it is also the maximum time an attack is suspected before it returns to a state of no attack." ::= { dosDefenseEntry 5 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.6 dosDefenseMirroring OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "Whether or not suspect traffic received by this port is copied to the pre-configured mirror port." ::= { dosDefenseEntry 6 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.7 dosDefensePortType OBJECT-TYPE SYNTAX INTEGER { notApplicable(0), client(1), gateway(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "If dosDefenseAttackType is Land(6), the type of port. For other values of dosDefenseAttackType, this object returns notapplicable(0). A device connected to a client(1) port should have an IP address in the local subnet, and be the original source or ultimate destination of packets transiting the network. Incoming packets should have a source address in the local subnet. Outgoing packets should have a destination address in the local subnet. A gateway(2) port is connected directly to a gateway device attached to external networks. Apart from a small number of packets from the gateway device itself, all packets arriving at the gateway port should be from other subnets. Incoming packets should have a source address not in the local subnet. Outgoing packets should have a destination address not in the local subnet." ::= { dosDefenseEntry 7 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.8 dosDefenseSubnetAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "If dosDefenseAttackType is Smurf(3), the subnet address is used to determine the local broadcast address. If dosDefenseAttackType is Land(6), the subnet address used to determine which addresses are local or remote. For other values of dosDefenseAttackType, this object returns 0.0.0.0." ::= { dosDefenseEntry 8 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.9 dosDefenseSubnetMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "If dosDefenseAttackType is Smurf(3), the subnet mask is used to determine the local broadcast address. If dosDefenseAttackType is Land(6), the subnet mask used to determine which addresses are local or remote. For other values of dosDefenseAttackType, this object returns 0.0.0.0." ::= { dosDefenseEntry 9 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.10 dosDefenseAttackState OBJECT-TYPE SYNTAX INTEGER { none(0), suspected(1), inProgress(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "Whether or not an attack is currently in progress on the port. None(0) means no attack is in progress. If dosDefenseAttackType is SYNFlood(1), Suspected(1) means a SYN Flood attack is suspected. A threshold has not been set, and the default threshold of a SYN:ACK ratio of 2:1 above 20 packets per second has been reached. If dosDefenseAttackType is PingOfDeath(2), Teardrop(5) or Land(6), Suspected means that some suspect packets have been received but have not yet been analysed to determine if an attack exists. InProgress(2) means an attack is in progress." ::= { dosDefenseEntry 10 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.11 dosDefenseAttackCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of attacks (attacked seconds) detected on this port." ::= { dosDefenseEntry 11 } -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.12 dosDefenseRemainingBlockTime OBJECT-TYPE SYNTAX INTEGER (0..65535) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "The time remaining" ::= { dosDefenseEntry 12 } -- ------------------------------------------- -- DoS Attack Start and End traps -- ------------------------------------------- -- -- 1.3.6.1.4.1.207.8.4.4.4.143.5 dosDefenseTraps OBJECT IDENTIFIER::= { dosDefense 5 } -- 1.3.6.1.4.1.207.8.4.4.4.143.5.1 dosDefenseAttackStart NOTIFICATION-TYPE OBJECTS { dosDefensePort, dosDefenseAttackType } STATUS current DESCRIPTION "Triggered when an attack is detected on a port." ::= { dosDefenseTraps 1 } -- 1.3.6.1.4.1.207.8.4.4.4.143.5.2 dosDefenseAttackEnd NOTIFICATION-TYPE OBJECTS { dosDefensePort, dosDefenseAttackType } STATUS current DESCRIPTION "Triggered when an attack is finished on a port. This occurs after an attack packet has not been seen for a complete BlockTime period." ::= { dosDefenseTraps 2 } END -- -- at-dos.mib --