-- *****************************************************************
-- CISCO-SERVICE-CONTROL-ATTACK-MIB.my
--   
-- MIB file for Service Control entity Attack Detecting Mechanism.
-- May 2009, Or Dubnov-Raz.
--   
-- Copyright (c) 2007-2009, 2013 by Cisco Systems Inc.
-- All rights reserved.
--   
-- ***************************************************************

CISCO-SERVICE-CONTROL-ATTACK-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Counter32,
    NOTIFICATION-TYPE,
    Gauge32,
    Counter64,
    Integer32,
    Unsigned32,
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    entPhysicalIndex,
    entPhysicalName
        FROM ENTITY-MIB
    InetAddressType,
    InetAddress,
    InetPortNumber
        FROM INET-ADDRESS-MIB
    TruthValue,
    TimeStamp,
    TimeInterval,
    TEXTUAL-CONVENTION,
    AutonomousType
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;


ciscoServiceControlAttackMIB MODULE-IDENTITY
    LAST-UPDATED    "201308160000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA

            Tel: +1 800 553-NETS

            E-mail: cs-excelsior-dev@cisco.com"
    DESCRIPTION
        "This MIB provides data related to different types of
        attacks detected by a service control entity.

        A service control entity is a network device which monitors and
        controls traffic.  The service control entity is used as a
        platform for different service control applications which may
        perform monitoring operations beyond packet counting and delve
        deeper into the contents of network traffic.  It provides
        programmable stateful inspection of bidirectional
        traffic flows and maps these flows to user/subscriber
        ownership.

        An attack is a malicious network activity with certain traffic
        characteristics and which is targeted on a certain network
        entity.  An attack can be identified by its type, direction,
        source address, destination address and ports.

        Once an attack is detected, an attack filter is activated based
        on the type of the attack and corresponding actions are taken
        in the monitored network - this is referred to as attack start.
        For example, the attack filter can drop the attacking traffic.
        When the attack detector identifies that the attack
        characteristics no longer exist, it ends the mitigation
        action - this is referred to as attack end.  The attack
        mitigation action is also referred to as attack filtering in
        this MIB.

        The duration of attack filtering, from attack start to
        attack end, along with the direction (upstream, downstream), is
        also maintained by the service control entity.  Upstream attack
        filtering is applied from the subscriber side to the network
        side.  Downstream attack filtering is applied from the network
        side to the subscriber side.

        This MIB also defines notifications generated by the service
        control entity when an attack is detected on a monitored
        network."
    REVISION        "201308160000Z"
    DESCRIPTION
        "Updates to support traps for global attacks:
        1. A new trap is introduced: cscaGlobalAttackFilterChange.
        2. A new object is introduced: cscaGlobalAttackType, to describe
        the type of global attack.
        3. Three groups are introduced:
                a. cscaMIBNotificationGroupRev1, deprecating
        cscaMIBNotificationGroup.
                b. cscaFilterObjectGroupRev1, deprecating
        cscaFilterObjectGroup.
                c. cscaMIBNotifControlGroupRev1, deprecating
        cscaMIBNotifControlGroup.
        4. A new compliance is introduced:
        cscaMIBComplianceRev1, deprecating cscaMIBCompliance."
    REVISION        "200905050000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 693 }



-- Numeric attack-type identifier.  It is the syntax of the cscaTypeTable
-- index (cscaTypeIndex, restricted there to 1..64) and of the cscaType
-- notification object.  This module assigns no names to the individual
-- values, so an attack type cannot be decoded from the MIB alone.
-- NOTE(review): the value-to-name mapping presumably comes from the device
-- documentation; confirm before keying alert rules on specific numbers.
CscaAttackType ::= TEXTUAL-CONVENTION
    DISPLAY-HINT    "d"
    STATUS          current
    DESCRIPTION
        "A value which identifies the various attack types which may be
        detected by the service control entity."
    SYNTAX          Integer32
ciscoServiceControlAttackMIBNotifs  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 0 }

ciscoServiceControlAttackMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 1 }

ciscoServiceControlAttackMIBConform  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIB 2 }

cscaFilterMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBObjects 1 }


cscaTypeTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CscaTypeEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists the aggregated statistics for each detected
        attack in a network controlled by a service control entity."
    ::= { ciscoServiceControlAttackMIBObjects 2 }

cscaTypeEntry OBJECT-TYPE
    SYNTAX          CscaTypeEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry contains information for an attack detected by the
        service control entity.

        The service control entity can report a number of attack types,
        the cscaTypeTable is created during the initialization of the
        service control entity and is valid while the service control
        entity is operational."
    INDEX           {
                        entPhysicalIndex,
                        cscaTypeIndex
                    } 
    ::= { cscaTypeTable 1 }

CscaTypeEntry ::= SEQUENCE {
        cscaTypeIndex                   CscaAttackType,
        cscaTypeCurrentNumAttacks       Gauge32,
        cscaTypeTotalNumAttacks         Counter32,
        cscaTypeTotalNumFlows           Counter64,
        cscaTypeTotalNumSeconds         Counter32,
        cscaTypeOriginatedByNetworkSide TruthValue,
        cscaTypeProtocol                Integer32,
        cscaTypeIsPortSpecific          TruthValue,
        cscaTypeIPsDetected             Integer32
}

cscaTypeIndex OBJECT-TYPE
    SYNTAX          CscaAttackType (1..64)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This object uniquely identifies the attack type." 
    ::= { cscaTypeEntry 1 }

cscaTypeCurrentNumAttacks OBJECT-TYPE
    SYNTAX          Gauge32
    UNITS           "attacks"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the current number of ongoing attacks of
        this type, that the service control entity has detected in the
        network." 
    ::= { cscaTypeEntry 2 }

cscaTypeTotalNumAttacks OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "attacks"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the total number of attacks of this type
        since the last discontinuity." 
    ::= { cscaTypeEntry 3 }

cscaTypeTotalNumFlows OBJECT-TYPE
    SYNTAX          Counter64
    UNITS           "IP flows"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the total number of IP flows on which
        this type of attack has been detected, since the last
        discontinuity." 
    ::= { cscaTypeEntry 4 }

cscaTypeTotalNumSeconds OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the accumulated duration in seconds
        belonging to this attack type, since the last discontinuity." 
    ::= { cscaTypeEntry 5 }

cscaTypeOriginatedByNetworkSide OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether this attack type is originated
        from the Network side or from the Subscriber side." 
    ::= { cscaTypeEntry 6 }

-- Protocol of the attack type in this row.  The four values are listed
-- only in the DESCRIPTION text; the SYNTAX is a plain Integer32 with no
-- named numbers or range, so MIB-aware tools will show the raw integer
-- and will not reject values outside 1..4.  Collectors have to carry the
-- 1=TCP, 2=UDP, 3=ICMP, 4=Other mapping themselves.
cscaTypeProtocol OBJECT-TYPE
    SYNTAX          Integer32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This enumerated object indicates the protocol type for this
        type of attack (TCP/UDP/ICMP/etc).  The values for this object
        are:

        (1) TCP
        (2) UDP
        (3) ICMP
        (4) Other" 
    ::= { cscaTypeEntry 7 }

cscaTypeIsPortSpecific OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates whether the attack type is port-specific
        or not." 
    ::= { cscaTypeEntry 8 }

-- States which end-point addresses the detector identifies for this attack
-- type: originating side, attacked side, or both.  As with
-- cscaTypeProtocol, the values exist only in the DESCRIPTION text and the
-- SYNTAX is an unconstrained Integer32.
-- NOTE(review): this presumably determines which of cscaSourceAddress and
-- cscaDestinationAddress is meaningful in a cscaFilterChange notification
-- for the same attack type; confirm against device behaviour.
cscaTypeIPsDetected OBJECT-TYPE
    SYNTAX          Integer32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates which IPs are detected in this type of
        attack. The enumerated values are:
        (1) Originating Side IP is detected.
        (2) Attacked Side IP is detected.
        (3) Both side IPs are detected." 
    ::= { cscaTypeEntry 9 }
 


cscaInfoTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CscaInfoEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists information for attack mitigation, also
        referred to as attack filtering, done by a service control
        entity in the monitored network."
    ::= { ciscoServiceControlAttackMIBObjects 3 }

cscaInfoEntry OBJECT-TYPE
    SYNTAX          CscaInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This entry contains information about attack mitigation done by
        a physical service control entity, for attacks which it has
        detected."
    INDEX           { entPhysicalIndex } 
    ::= { cscaInfoTable 1 }

CscaInfoEntry ::= SEQUENCE {
        cscaInfoUpStreamAttackFilteringTime       Counter32,
        cscaInfoUpStreamLastAttackFilteringTime   TimeInterval,
        cscaInfoDownStreamAttackFilteringTime     Counter32,
        cscaInfoDownStreamLastAttackFilteringTime TimeInterval
}

cscaInfoUpStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the cumulative time during which attacks
        in the up-stream direction were filtered." 
    ::= { cscaInfoEntry 1 }

-- Elapsed time since the most recent upstream attack ended.
-- There is no UNITS clause: TimeInterval (SNMPv2-TC) is measured in
-- hundredths of a second, whereas the sibling Counter32 object
-- cscaInfoUpStreamAttackFilteringTime is in seconds.  Convert before
-- comparing the two.
-- NOTE(review): the value reported before any upstream attack has been
-- seen, or while one is still in progress, is not specified here; confirm.
cscaInfoUpStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX          TimeInterval
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time since the previous attack in the
        upstream direction has ended.  Attack end is reached when the
        service control entity attack detector identifies that the
        attack characteristics (like high flow rate) no longer exist,
        and the attack is suppressed in the up-stream traffic." 
    ::= { cscaInfoEntry 2 }

cscaInfoDownStreamAttackFilteringTime OBJECT-TYPE
    SYNTAX          Counter32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the cumulative time during which attacks
        in the down-stream direction were filtered." 
    ::= { cscaInfoEntry 3 }

-- Elapsed time since the most recent downstream attack ended.
-- There is no UNITS clause: TimeInterval (SNMPv2-TC) is measured in
-- hundredths of a second, whereas the sibling Counter32 object
-- cscaInfoDownStreamAttackFilteringTime is in seconds.  Convert before
-- comparing the two.
-- NOTE(review): the value reported before any downstream attack has been
-- seen, or while one is still in progress, is not specified here; confirm.
cscaInfoDownStreamLastAttackFilteringTime OBJECT-TYPE
    SYNTAX          TimeInterval
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the time since the previous attack in the
        downstream direction has ended.  Attack end is reached when the
        service control entity attack detector identifies that the
        attack characteristics (like high flow rate) no longer exist,
        and the attack is suppressed in the down-stream traffic." 
    ::= { cscaInfoEntry 4 }
 


cscaType OBJECT-TYPE
    SYNTAX          CscaAttackType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the type of an attack detected and
        reported by the service control entity.

        There are numerous attack types, based on the service control
        entity's definition.  The service control entity monitors and
        mitigates a predefined set of attack types.  The value of this
        object should be used as an index into cscaTypeTable in order
        to query for information regarding this attack type, such as
        its name and other statistics." 
    ::= { cscaFilterMIBObjects 1 }

cscaSourceAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the address type for cscaSourceAddress." 
    ::= { cscaFilterMIBObjects 2 }

-- Source end point of the attack, sent only in notifications
-- (accessible-for-notify).  An InetAddress value has no meaning on its
-- own: decode it using the cscaSourceAddressType varbind carried in the
-- same notification.
-- NOTE(review): what is sent when the attack type detects only the
-- attacked side (see cscaTypeIPsDetected) is not specified here;
-- presumably an unknown type with a zero-length address.  Confirm, and
-- have the trap receiver tolerate an empty value.
cscaSourceAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the network address that is the source
        end point of this attack." 
    ::= { cscaFilterMIBObjects 3 }

cscaDestinationAddressType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the address type for
        cscaDestinationAddress." 
    ::= { cscaFilterMIBObjects 4 }

-- Destination end point of the attack, sent only in notifications
-- (accessible-for-notify).  An InetAddress value has no meaning on its
-- own: decode it using the cscaDestinationAddressType varbind carried in
-- the same notification.
-- NOTE(review): what is sent when the attack type detects only the
-- originating side (see cscaTypeIPsDetected) is not specified here;
-- presumably an unknown type with a zero-length address.  Confirm, and
-- have the trap receiver tolerate an empty value.
cscaDestinationAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the network address that is the
        destination end point of this attack." 
    ::= { cscaFilterMIBObjects 5 }

-- Port under attack, sent only in notifications.  It is meaningful only
-- for port-specific attack types; cscaTypeIsPortSpecific in the
-- cscaTypeTable row for the reported cscaType says whether that applies.
-- NOTE(review): the value sent for attack types that are not
-- port-specific is not specified here (possibly 0); confirm before
-- treating the port as an indicator.
cscaAttackedPort OBJECT-TYPE
    SYNTAX          InetPortNumber
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the port on which this attack occurs, if
        relevant for this type of attack." 
    ::= { cscaFilterMIBObjects 6 }

cscaFilterStatus OBJECT-TYPE
    SYNTAX          INTEGER  {
                        activated(1),
                        deactivated(2)
                    }
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "This object indicates the status of the filter for this attack.
        The values for this object are '1' (activated) and '2'
        (de-activated)." 
    ::= { cscaFilterMIBObjects 7 }

-- Writable on/off switch for the cscaFilterChange notification.
-- Security note: MAX-ACCESS is read-write, so any SNMP principal that is
-- granted write access to this object can silence attack-filter
-- notifications.  Keep it out of the write view of community-based
-- (SNMPv1/v2c) access, allow writes only to authenticated SNMPv3 users
-- through a restricted VACM view, and poll the value so that an
-- unexpected change to 'false' is itself alerted on.
-- No DEFVAL is given, so this module does not say whether the
-- notification is enabled by default.
cscaNotifsEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the system generates the
        cscaFilterChange notification." 
    ::= { cscaFilterMIBObjects 8 }

-- sysUpTime at the most recent discontinuity.
-- The cscaTypeTable counters (cscaTypeTotalNumAttacks,
-- cscaTypeTotalNumFlows, cscaTypeTotalNumSeconds) describe their totals as
-- "since the last discontinuity"; this scalar is presumably their
-- reference point (confirm).  A poller should read it together with those
-- counters and discard the delta for any interval in which it changed.
-- NOTE(review): the cscaInfoTable Counter32 objects do not mention a
-- discontinuity; whether this timestamp covers them too is not stated.
cscaLastDiscontinuityTimeStamp OBJECT-TYPE
    SYNTAX          TimeStamp
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the value of sysUpTime when the last
        discontinuity occurred." 
    ::= { cscaFilterMIBObjects 9 }

-- Type of a global attack, carried in cscaGlobalAttackFilterChange.
-- Unlike cscaTypeProtocol, the values are proper named numbers, so
-- MIB-aware receivers can decode them without a private mapping.
-- The other notification payload objects in this subtree are
-- accessible-for-notify; this one is read-only, so it can also be read
-- with a GET.
-- NOTE(review): the DESCRIPTION does not say what a GET returns when no
-- global attack is active, or when several are active at once; confirm on
-- the device before polling it as a status indicator.
cscaGlobalAttackType OBJECT-TYPE
    SYNTAX          INTEGER {
                        icmpAttack(1),
                        udpAttack(2),
                        udpFragmentAttack(3),
                        tcpSynAttack(4),
                        tcpRstAttack(5),
                        tcpFragmentAttack(6),
                        tcpNonSynAttack(7)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the type of a global attack detected and
        reported by the service control entity.

        The list of the various global attack are:
          ICMP attack(1)
          UDP attack(2)
          UDP fragment attack(3)
          TCP SYN Attack(4)
          TCP RST Attack(5)
          TCP fragment Attack(6)
          TCP NON-SYN Attack(7)" 
    ::= { cscaFilterMIBObjects 10 }

-- Writable on/off switch for the cscaGlobalAttackFilterChange
-- notification.
-- Security note: MAX-ACCESS is read-write, so any SNMP principal that is
-- granted write access to this object can silence global-attack
-- notifications.  Keep it out of the write view of community-based
-- (SNMPv1/v2c) access, allow writes only to authenticated SNMPv3 users
-- through a restricted VACM view, and poll the value so that an
-- unexpected change to 'false' is itself alerted on.
-- No DEFVAL is given, so this module does not say whether the
-- notification is enabled by default.
cscaGlobalAttackNotifsEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the system generates the
        cscaGlobalAttackFilterChange notification.

        Setting this object value to 'true' will enable generation of
        cscaGlobalAttackFilterChange notification.

        Setting this object value to 'false' will disable generation of
        cscaGlobalAttackFilterChange notification." 
    ::= { cscaFilterMIBObjects 11 }

-- Notification sent when the filter for a specific-IP attack changes
-- state.  The varbinds name the device (entPhysicalName), the attack type,
-- both end-point addresses with their address types, the attacked port and
-- the new filter status.
-- NOTE(review): the DESCRIPTION cites "cscaDescription", but no object of
-- that name is defined in this module or listed in OBJECTS, so a receiver
-- gets no reason for the change.
-- Generation for the same cscaType is limited to a five-second interval,
-- so a receiver presumably does not see every filter change during a
-- burst.  Reconcile traps against polled cscaTypeTable values
-- (cscaTypeCurrentNumAttacks, cscaTypeTotalNumAttacks) rather than
-- counting notifications.
cscaFilterChange NOTIFICATION-TYPE
    OBJECTS         {
                        entPhysicalName,
                        cscaType,
                        cscaSourceAddressType,
                        cscaSourceAddress,
                        cscaDestinationAddressType,
                        cscaDestinationAddress,
                        cscaAttackedPort,
                        cscaFilterStatus
                    }
    STATUS          current
    DESCRIPTION
        "The system generates this notification to indicate that the
        cscaFilterStatus of the attack filter for cscaType has changed
        due to the reason determined by cscaDescription.  The system
        limits the generation of this notifications for the same
        cscaType to a five-second interval."
   ::= { ciscoServiceControlAttackMIBNotifs 1 }

-- The current MIB supports SIP (specific IP) attacks well, but
-- describing global attacks needs a few modifications.
--   
-- The Cisco SCE8000 monitors characteristics such as the ratio of
-- "TCP SYN packets / Total TCP packets" or
-- "ICMP FIF packets / Total ICMP packets"; if a ratio goes beyond a
-- configured threshold value, the device infers a TCP SYN attack or an
-- ICMP attack respectively, which are types of global attack.  Here we
-- don't have a specific IP related to the attack, so the main attributes
-- of a global attack are the protocol (TCP/UDP/ICMP etc.), the attack
-- type (TCP SYN attack, ICMP attack, UDP attack etc.), and the interface
-- or direction from which the attack originates.

-- Notification sent at the start or end of a global attack.  It carries
-- no addresses or port: only the device name, the global attack type, the
-- filter status and the side the attack originated from.
-- cscaTypeOriginatedByNetworkSide is a column of cscaTypeTable (indexed by
-- entPhysicalIndex and cscaTypeIndex), so its varbind instance identifier
-- carries a CscaAttackType index even though the attack itself is
-- described by cscaGlobalAttackType.
-- NOTE(review): how that index relates to cscaGlobalAttackType is not
-- stated in this module; confirm before using it to look up a
-- cscaTypeTable row.
-- Unlike cscaFilterChange, no rate limit is documented for this
-- notification.
cscaGlobalAttackFilterChange NOTIFICATION-TYPE
    OBJECTS         {
                        entPhysicalName,
                        cscaGlobalAttackType,
                        cscaFilterStatus,
                        cscaTypeOriginatedByNetworkSide
                    }
    STATUS          current
    DESCRIPTION
        "The notification is generated when a start or end of a global
        attack is detected in the system. 

        Below fields are sent with the trap:
        entPhysicalName indicates the name of the 
        originating physical entity.
        cscaGlobalAttackType indicates the type of the global
        attack.
        cscaFilterStatus indicates whether the global attack is
        started or ended ie. the attack filter status is activated or
        deactivated.
        cscaTypeOriginatedByNetworkSide indicates the origin/source
        of the attack, whether it originated from network or subscriber
        side."
   ::= { ciscoServiceControlAttackMIBNotifs 2 }
-- Conformance

cscaMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBConform 1 }

cscaMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoServiceControlAttackMIBConform 2 }


cscaMIBCompliance MODULE-COMPLIANCE
    STATUS          deprecated
    DESCRIPTION
        "The compliance statement for SNMP Agents which implement this
        MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cscaMIBAttackTypeObjectGroup,
                        cscaMIBNotificationGroup,
                        cscaMIBAttackInfoObjectGroup,
                        cscaFilterObjectGroup,
                        cscaMIBNotifControlGroup
                    }
    ::= { cscaMIBCompliances 1 }

cscaMIBComplianceRev1 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for SNMP Agents which implement this
        generic filter (both Specific IP and global attack) MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cscaMIBAttackTypeObjectGroup,
                        cscaMIBNotificationGroupRev1,
                        cscaMIBAttackInfoObjectGroup,
                        cscaFilterObjectGroupRev1,
                        cscaMIBNotifControlGroupRev1
                    }
    ::= { cscaMIBCompliances 2 }

-- Units of Conformance

cscaMIBAttackTypeObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaTypeCurrentNumAttacks,
                        cscaTypeTotalNumAttacks,
                        cscaTypeTotalNumFlows,
                        cscaTypeTotalNumSeconds,
                        cscaTypeOriginatedByNetworkSide,
                        cscaTypeProtocol,
                        cscaTypeIsPortSpecific,
                        cscaTypeIPsDetected
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides attack information."
    ::= { cscaMIBGroups 1 }

cscaMIBAttackInfoObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaInfoUpStreamAttackFilteringTime,
                        cscaInfoUpStreamLastAttackFilteringTime,
                        cscaInfoDownStreamAttackFilteringTime,
                        cscaInfoDownStreamLastAttackFilteringTime
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which provides attack filtering times
        for upstream and down stream attacks."
    ::= { cscaMIBGroups 2 }

cscaMIBNotificationGroup NOTIFICATION-GROUP
   NOTIFICATIONS    { cscaFilterChange }
    STATUS          deprecated
    DESCRIPTION
        "A collection of notification which provides status change
        information for attack filters.
        cscaMIBNotificationGroup object is superseded by
        cscaMIBNotificationGroupRev1."
    ::= { cscaMIBGroups 3 }

cscaFilterObjectGroup OBJECT-GROUP
    OBJECTS         {
                        cscaType,
                        cscaSourceAddressType,
                        cscaSourceAddress,
                        cscaDestinationAddressType,
                        cscaDestinationAddress,
                        cscaAttackedPort,
                        cscaFilterStatus,
                        cscaLastDiscontinuityTimeStamp
                    }
    STATUS          deprecated
    DESCRIPTION
        "A collection of objects which define each attack filter and
        its status.
        cscaFilterObjectGroup object is superseded by
        cscaFilterObjectGroupRev1."
    ::= { cscaMIBGroups 4 }

cscaMIBNotifControlGroup OBJECT-GROUP
    OBJECTS         { cscaNotifsEnabled }
    STATUS          deprecated
    DESCRIPTION
        "A collection of object(s) to control the enable/disable
        state of notification generation.
        cscaMIBNotifControlGroup object is superseded by
        cscaMIBNotifControlGroupRev1."
    ::= { cscaMIBGroups 5 }

cscaMIBNotificationGroupRev1 NOTIFICATION-GROUP
   NOTIFICATIONS    {
                        cscaFilterChange,
                        cscaGlobalAttackFilterChange
                    }
    STATUS          current
    DESCRIPTION
        "A collection of notification which provides status change
        information for both specific IP and global attack filters."
    ::= { cscaMIBGroups 6 }

cscaFilterObjectGroupRev1 OBJECT-GROUP
    OBJECTS         {
                        cscaType,
                        cscaSourceAddressType,
                        cscaSourceAddress,
                        cscaDestinationAddressType,
                        cscaDestinationAddress,
                        cscaAttackedPort,
                        cscaFilterStatus,
                        cscaLastDiscontinuityTimeStamp,
                        cscaGlobalAttackType
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects which define each attack filter and
        its status."
    ::= { cscaMIBGroups 7 }

cscaMIBNotifControlGroupRev1 OBJECT-GROUP
    OBJECTS         {
                        cscaNotifsEnabled,
                        cscaGlobalAttackNotifsEnabled
                    }
    STATUS          current
    DESCRIPTION
        "A collection of object(s) to control the enable/disable
        state of notification generation."
    ::= { cscaMIBGroups 8 }

END


























































































































