ATIC detected that the traffic was anomalous and diverted it, but the traffic state did not change from abnormal to attacked.
Checking the cleaning device configuration and the ATIC server showed that the ATIC IP address had been modified. As a result, the log-server-ip configured on the cleaning device no longer corresponded to the actual ATIC IP address, ATIC did not receive the cleaning device's logs, and the traffic state could not change from abnormal to attacked.
When abnormal traffic does not change to the attacked state, there are generally two possible reasons.
(1) The traffic only exceeds the threshold and is not an attack.
(2) The cleaning device cannot communicate with ATIC. This is not caused by a link or route interruption, so it is more subtle: although the cleaning device is online, the IP address and port used for reporting attacks are unreachable, which is easily overlooked.
Similarly, if the log-server-ip configuration on the cleaning device has been modified, a similar failure occurs. Although the network element management state is online, the system uses different protocols for detection, so an online management state does not show that data is being reported to ATIC normally.