No injected traffic and service interruption after traffic diversion

Publication Date: 2013-12-10
Issue Description
In bypass mode, all services are interrupted after traffic diversion, and no traffic is injected back.

Alarm Information
The following log information is displayed on the terminal:

%2013-09-12 16:56:09 Clean %%01SEC/4/ATCKDF(l): AttackType="IP spoof attack", slot="0", receive interface="GigabitEthernet0/0/1 ", proto="TCP", src="1.1.2.106:10059 1.1.2.107:10060 1.1.2.108:10061 1.1.2.109:10062 1.1.2.110:10063 1.1.2.111:10064 1.1.2.112:10065 1.1.2.113:10066 1.1.2.114:10067 1.1.2.115:10068 1.1.2.116:10069 1.1.2.117:10070 ", dst="210.5.156.2:80 ", begin time="2013-09-12 16:55:39", end time="2013-09-12 16:56:09", total packets="265803", max speed="0".
Handling Process
Run ‘undo firewall defend ip-spoofing enable’. Services then return to normal.
Root Cause
The log indicates that the system detected an IP spoofing attack and discarded all the packets. Checking the configuration shows that the address spoofing check (‘defend ip-spoofing enable’) is enabled on the firewall. When it is enabled, the device performs reverse route inspection. Reverse route inspection is not suitable for bypass mode, so the address spoofing attack defense needs to be disabled.
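Added example, not part of the original case or of the vendor's tooling: Python that parses the ATCKDF line shown under Alarm Information and reports the average rate of discarded packets, so the same symptom can be recognised in collected logs. The header layout (timestamp, system name, module/severity/brief) and the names parse_atckdf and triage are assumptions of this example; the src list in the sample is shortened.

```python
import re
from datetime import datetime

# Log line from the Alarm Information section; src list shortened to three entries.
SAMPLE = ('%2013-09-12 16:56:09 Clean %%01SEC/4/ATCKDF(l): AttackType="IP spoof attack", '
          'slot="0", receive interface="GigabitEthernet0/0/1 ", proto="TCP", '
          'src="1.1.2.106:10059 1.1.2.107:10060 1.1.2.108:10061 ", dst="210.5.156.2:80 ", '
          'begin time="2013-09-12 16:55:39", end time="2013-09-12 16:56:09", '
          'total packets="265803", max speed="0".')

# Assumed header layout: %<date> <time> <sysname> %%<ver><module>/<severity>/<brief>(l): <body>
HEADER = re.compile(r'^%(\S+ \S+) (\S+) %%\d+(\w+)/(\d+)/(\w+)\(\w\): (.*)$')
FIELD = re.compile(r'([A-Za-z][A-Za-z ]*?)="([^"]*)"')   # key="value" pairs in the body
TS = "%Y-%m-%d %H:%M:%S"

def parse_atckdf(line):
    """Return a dict for one SEC/ATCKDF line, or None if the line is anything else."""
    m = HEADER.match(line.strip())
    if not m or (m.group(3), m.group(5)) != ("SEC", "ATCKDF"):
        return None
    f = {k.strip(): v.strip() for k, v in FIELD.findall(m.group(6))}
    try:
        begin = datetime.strptime(f["begin time"], TS)
        end = datetime.strptime(f["end time"], TS)
        packets = int(f["total packets"])
        seconds = (end - begin).total_seconds()
        return {
            "host": m.group(2),
            "severity": int(m.group(4)),
            "attack": f["AttackType"],
            "interface": f["receive interface"],
            "sources": f["src"].split(),
            "targets": f["dst"].split(),
            "packets": packets,
            # Average discarded packets per second over the reporting window.
            "avg_pps": round(packets / seconds) if seconds > 0 else None,
        }
    except (KeyError, ValueError):
        return None  # truncated or malformed ATCKDF line

def triage(event, bypass_mode):
    """Hint for the case on this page; bypass_mode is supplied by the operator."""
    if event and event["attack"] == "IP spoof attack" and bypass_mode:
        return ("bypass deployment: reverse route inspection discards diverted "
                "traffic; review 'firewall defend ip-spoofing enable'")
    return "no hint"

if __name__ == "__main__":
    ev = parse_atckdf(SAMPLE)
    print(ev)
    print(triage(ev, bypass_mode=True))
```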
Suggestions
NA

END