Diffstat (limited to 'MIBS/allied/AT-DOS-MIB')
-rw-r--r--MIBS/allied/AT-DOS-MIB419
1 files changed, 419 insertions, 0 deletions
diff --git a/MIBS/allied/AT-DOS-MIB b/MIBS/allied/AT-DOS-MIB
new file mode 100644
index 0000000..1d20cae
--- /dev/null
+++ b/MIBS/allied/AT-DOS-MIB
@@ -0,0 +1,419 @@
+--
+-- at-dos.mib
+-- MIB generated by MG-SOFT Visual MIB Builder Version 3.0 Build 285
+-- Wednesday, May 07, 2008 at 15:39:48
+--
+
+ AT-DOS-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ modules
+ FROM AT-SMI-MIB
+ IpAddress, Counter32, BITS, OBJECT-TYPE, MODULE-IDENTITY,
+ NOTIFICATION-TYPE
+ FROM SNMPv2-SMI
+ TruthValue
+ FROM SNMPv2-TC;
+
+
+-- ============================================================================
+-- AT-DOS.MIB, Allied Telesis enterprise MIB: Denial of Service defense
+--
+-- Copyright (c) 2008 by Allied Telesis, Inc.
+-- All rights reserved.
+--
+-- ============================================================================
+ -- 1.3.6.1.4.1.207.8.4.4.4.143
+ dosDefense MODULE-IDENTITY
+ LAST-UPDATED "200804291125Z" -- April 29, 2008 at 11:25 GMT
+ ORGANIZATION
+ "Allied Telesis, Inc"
+ CONTACT-INFO
+ "http://www.alliedtelesis.com"
+ DESCRIPTION
+ "The Denial of Service defense MIB for managing
+ defenses against denial of service attacks.
+ "
+ ::= { modules 143 }
+--
+--
+-- -- -----------------------------------
+-- -- Global Settings
+-- -- -----------------------------------
+
+
+
+--
+-- Node definitions
+--
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.1
+ dosDefenseStatus OBJECT-TYPE
+ SYNTAX INTEGER
+ {
+ enabled(1),
+ disabled(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether or not the DoS defense module is
+ currently enabled"
+ ::= { dosDefense 1 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.2
+ dosDefenseDebugMode OBJECT-TYPE
+ SYNTAX BITS
+ {
+ none(0),
+ packet(1),
+ attack(2),
+ packet/attack(3),
+ diagnostics(4),
+ packet/diagnostics(5),
+ attack/diagnostics(6),
+ packet/attack/diagnostics(7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The debugging options enabled for DoS defense. Output goes
+ to the asynchronous port or telnet session that enabled
+ debugging.
+
+ The bit 'None(0)' indicates that no debugging is enabled.
+
+ The bit 'Attack(1)' indicates that information about the
+ start and finish of attacks is displayed.
+
+ The bit 'Packet(2)' indicates that a hexadecimal dump of
+ the IP header of all suspect packets is displayed.
+
+ The bit 'Diagnostics(3)' indicates that additional
+ debugging and diagnostic messages may be displayed."
+ ::= { dosDefense 2 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.3
+ dosDefenseNumDebugPackets OBJECT-TYPE
+ SYNTAX INTEGER { continuous(0) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "When packet debugging is enabled, this is the maximum
+ number of packets that will be displayed before debugging
+ is automatically disabled. A value of 0 means no limit
+ (i.e. continuous)."
+ ::= { dosDefense 3 }
+
+
+-- ----------------------------------------------------------
+-- The DoS Defense Table
+--
+-- Each row of the table contains the configuration for the
+-- defense against one attack type on one port.
+-- ----------------------------------------------------------
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4
+ dosDefenseTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DosDefenseEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of configuration and status information for
+ each defense configured on a port."
+ ::= { dosDefense 4 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1
+ dosDefenseEntry OBJECT-TYPE
+ SYNTAX DosDefenseEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The configuration and status of the defense against
+ a single attack type on a single port."
+ INDEX { dosDefensePort, dosDefenseAttackType }
+ ::= { dosDefenseTable 1 }
+
+
+ DosDefenseEntry ::=
+ SEQUENCE {
+ dosDefensePort
+ INTEGER,
+ dosDefenseAttackType
+ INTEGER,
+ dosDefenseDefenseStatus
+ INTEGER,
+ dosDefenseThreshold
+ INTEGER,
+ dosDefenseBlockTime
+ INTEGER,
+ dosDefenseMirroring
+ TruthValue,
+ dosDefensePortType
+ INTEGER,
+ dosDefenseSubnetAddress
+ IpAddress,
+ dosDefenseSubnetMask
+ IpAddress,
+ dosDefenseAttackState
+ INTEGER,
+ dosDefenseAttackCount
+ Counter32,
+ dosDefenseRemainingBlockTime
+ INTEGER
+ }
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.1
+ dosDefensePort OBJECT-TYPE
+ SYNTAX INTEGER (1..1023)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The port index on which the defense is configured."
+ ::= { dosDefenseEntry 1 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.2
+ dosDefenseAttackType OBJECT-TYPE
+ SYNTAX INTEGER
+ {
+ synFlood(1),
+ pingOfDeath(2),
+ smurf(3),
+ ipOptions(4),
+ land(5),
+ teardrop(6),
+ none(7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of attack this defense protects against."
+ ::= { dosDefenseEntry 2 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.3
+ dosDefenseDefenseStatus OBJECT-TYPE
+ SYNTAX INTEGER
+ {
+ enabled(1),
+ disabled(2),
+ set(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether or not this attack is currently enabled
+ on this port."
+ ::= { dosDefenseEntry 3 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.4
+ dosDefenseThreshold OBJECT-TYPE
+ SYNTAX INTEGER (0..1023)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The threshold, in packets per second, at which an
+ attack is deemed to be in progress.
+
+ If dosDefenseAttackType is SYNFlood(1), a value of 0 means
+ no threshold has been set and the default thresholds apply.
+ An attack is suspected when the SYN:ACK ratio exceeds 2:1
+ above 20 packets per second, in any one-second interval.
+ An attack is in progress when the SYN:ACK ratio exceeds 3:1
+ above 20 packets per second, in any one-second interval, or
+ an attack is suspected more than once within a
+ dosDefenseBlockTime interval.
+
+ If dosDefenseAttackType is Smurf(3), a value of 0 means
+ the filter will block all broadcast ICMP requests.
+ A threshold greater than 0 will block after that number of
+ ICMP requests are received in a 1 second interval."
+ ::= { dosDefenseEntry 4 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.5
+ dosDefenseBlockTime OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time, in seconds, that must elapse after the last
+ malicious packet is seen, before an attack is deemed
+ to have finished and the port stops blocking traffic.
+
+ If dosDefenseAttackType is SYNFlood(1), it is also
+ the maximum time an attack is suspected before it
+ returns to a state of no attack."
+ ::= { dosDefenseEntry 5 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.6
+ dosDefenseMirroring OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether or not suspect traffic received by this port
+ is copied to the pre-configured mirror port."
+ ::= { dosDefenseEntry 6 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.7
+ dosDefensePortType OBJECT-TYPE
+ SYNTAX INTEGER
+ {
+ notApplicable(0),
+ client(1),
+ gateway(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If dosDefenseAttackType is Land(6), the type of port.
+ For other values of dosDefenseAttackType, this object
+ returns notapplicable(0).
+
+ A device connected to a client(1) port should have an IP
+ address in the local subnet, and be the original source or
+ ultimate destination of packets transiting the network.
+ Incoming packets should have a source address in the local
+ subnet. Outgoing packets should have a destination address
+ in the local subnet.
+
+ A gateway(2) port is connected directly to a gateway device
+ attached to external networks. Apart from a small number of
+ packets from the gateway device itself, all packets arriving
+ at the gateway port should be from other subnets. Incoming
+ packets should have a source address not in the local
+ subnet. Outgoing packets should have a destination address
+ not in the local subnet."
+ ::= { dosDefenseEntry 7 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.8
+ dosDefenseSubnetAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If dosDefenseAttackType is Smurf(3), the subnet address
+ is used to determine the local broadcast address.
+
+ If dosDefenseAttackType is Land(6), the subnet address
+ used to determine which addresses are local or remote.
+
+ For other values of dosDefenseAttackType, this object
+ returns 0.0.0.0."
+ ::= { dosDefenseEntry 8 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.9
+ dosDefenseSubnetMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If dosDefenseAttackType is Smurf(3), the subnet mask
+ is used to determine the local broadcast address.
+
+ If dosDefenseAttackType is Land(6), the subnet mask
+ used to determine which addresses are local or remote.
+
+ For other values of dosDefenseAttackType, this object
+ returns 0.0.0.0."
+ ::= { dosDefenseEntry 9 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.10
+ dosDefenseAttackState OBJECT-TYPE
+ SYNTAX INTEGER
+ {
+ none(0),
+ suspected(1),
+ inProgress(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether or not an attack is currently in progress on the
+ port.
+
+ None(0) means no attack is in progress.
+
+ If dosDefenseAttackType is SYNFlood(1), Suspected(1)
+ means a SYN Flood attack is suspected. A threshold has
+ not been set, and the default threshold of a SYN:ACK
+ ratio of 2:1 above 20 packets per second has been
+ reached.
+
+ If dosDefenseAttackType is PingOfDeath(2), Teardrop(5)
+ or Land(6), Suspected means that some suspect packets
+ have been received but have not yet been analysed to
+ determine if an attack exists.
+
+ InProgress(2) means an attack is in progress."
+ ::= { dosDefenseEntry 10 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.11
+ dosDefenseAttackCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of attacks (attacked seconds) detected
+ on this port."
+ ::= { dosDefenseEntry 11 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.4.1.12
+ dosDefenseRemainingBlockTime OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time remaining"
+ ::= { dosDefenseEntry 12 }
+
+
+-- -------------------------------------------
+-- DoS Attack Start and End traps
+-- -------------------------------------------
+--
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.5
+ dosDefenseTraps OBJECT IDENTIFIER::= { dosDefense 5 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.5.1
+ dosDefenseAttackStart NOTIFICATION-TYPE
+ OBJECTS { dosDefensePort, dosDefenseAttackType }
+ STATUS current
+ DESCRIPTION
+ "Triggered when an attack is detected on a port."
+ ::= { dosDefenseTraps 1 }
+
+
+ -- 1.3.6.1.4.1.207.8.4.4.4.143.5.2
+ dosDefenseAttackEnd NOTIFICATION-TYPE
+ OBJECTS { dosDefensePort, dosDefenseAttackType }
+ STATUS current
+ DESCRIPTION
+ "Triggered when an attack is finished on a port.
+
+ This occurs after an attack packet has not been
+ seen for a complete BlockTime period."
+ ::= { dosDefenseTraps 2 }
+
+
+
+ END
+
+--
+-- at-dos.mib
+--
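Review bot: The dosDefenseAttackType enumeration defines `land(5)` and `teardrop(6)`, but the DESCRIPTION clauses of dosDefensePortType, dosDefenseSubnetAddress, dosDefenseSubnetMask and dosDefenseAttackState refer to Land(6) and Teardrop(5). One of the two numberings is wrong, so a manager that decodes dosDefenseAttackStart/dosDefenseAttackEnd varbinds from the SYNTAX labels may report the wrong attack type. dosDefenseDebugMode has the same kind of mismatch (`packet(1), attack(2)` in SYNTAX, Attack(1) and Packet(2) in the text), and its labels containing `/`, such as `packet/attack(3)`, are not valid SMI identifiers, so a strict MIB parser may reject the module. As this appears to be a vendor-supplied file, I would not renumber it here but add a comment above dosDefenseAttackType, e.g. `-- NOTE: DESCRIPTION text in this module uses Land(6)/Teardrop(5); confirm against device output before alerting on attack type`.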