No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

FAQ-How to quickly find ARP attack source on S9300?

Publication Date:  2012-09-18 Views:  64 Downloads:  0
Issue Description
Q: How to quickly find ARP attack source on S9300?
Alarm Information
None.
Handling Process
A:
1、Check the CPCAR statistics of S9306 firstly, do the next operation when the corresponding list of dropped packets counting is growing rapidly.
        display cpcar arp-request statistics slot X
        display cpcar arp-replay statistics slot X
For example:
[S9306-HZ]display cpcar arp-request statistics slot 2
CPCAR on slot 2
-------------------------------------------------------------------------------
Packet Type       Passed(Bytes) Dropped(Bytes) Passed(Packets) Dropped(Packets)
arp-request           107470700     5335105720         1582397         78459312
-------------------------------------------------------------------------------
2、Check statistics of the message sending CPU
[S9306-HZ]_h   //access to hidden mode
[S9306-HZ-hidecmd]catch receive statistic src-mac  //Enable the counting of source MAC sending CPU
[S9306-HZ-hidecmd]display catch receive statistic   //Check the counting of MAC sending CPU
[GS9306-HZ-hidecmd]
The packet statistic direction to display is RECEIVE!
Packet from all slot, all port !
Source mac address information list here!
Mac = 0004-6796-db8f ---- num = 1
Mac = 0004-6796-dc7b ---- num = 1
Mac = 0004-6796-dc8b ---- num = 1
Mac = 0004-6797-9d40 ---- num = 1
Mac = 0007-95ba-caba ---- num = 714
[S9306-HZ-hidecmd]catch stop    //After the view must run this command to stop system counting!
3、According to the MAC searching attack source
[S9306-HZ]display mac-address 0007-95ba-caba
MAC address table on slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/      
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
0007-95ba-caba 168         -      -      Eth2/0/3        dynamic   -               //can see that the attack source is on the ETH2/0/3 interface, the business VLAN is 168
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 1
4、According to the MAC find out the poisoning host, and then do virus killing
Root Cause
None.
Suggestions
This function is convenient for us to deal with the S9300 hang users from ARP attack, hope that through this way to improve everybody’s fault handing ability.

END