FAQ - How to quickly locate an attack source on the S9300 switch with the ip source-trail function

Publication Date:  2012-09-13
Issue Description
Q: Can the S9300 switch quickly identify the source IP address of an attack through its flow statistics function?
Alarm Information
None.
Handling Process
A:
The S9300 switch provides the ip source-trail command, which enables source IP tracking for the configured address: every flow whose destination is that address is counted per source IP address and inbound interface. The system supports up to 32 tracked addresses. For example, if traffic towards 222.223.127.174 looks abnormal, configure on the S9300:
[S9300]ip source-trail ip-address  222.223.127.174
Then display the flow statistics for that destination, broken down by source IP address:
[S9300]disp ip source-trail 222.223.127.174 
Destination Address: 222.223.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   59.52.230.229   GE3/0/23   85.971M    60.234K    1.356M     121      
   123.165.60.190  GE3/0/23   15.462M    10.852K    203.984K   17       
   120.82.49.76    GE3/0/23   14.785M    10.577K    204.601K   18       
   59.55.58.215    GE3/0/23   3.432M     6.557K     118.164K   28       
   118.73.22.19    GE3/0/23   2.541M     4.600K     34.257K    7        
   124.116.166.35  GE3/0/23   244.030K   4.438K     3.101K     7        
   61.185.250.58   GE3/0/23   2.597M     4.253K     34.000K    6        
   114.104.47.28   GE3/0/23   4.061M     4.196K     69.617K    8      
From the statistics above we can quickly see which source IP addresses are sending the most traffic and so identify the likely attack source. Note that Bytes and Pkts are totals since tracking was enabled, while Bits/s and Pkts/s are current rates; for an ongoing attack the rate columns are the ones to sort on (here 59.52.230.229 stands out at 1.356 Mbit/s and 121 pkt/s, roughly an order of magnitude above every other source). We can then block the traffic from that source IP address to 222.223.127.174 by configuring an access control list on the S9300 and applying it on the inbound interface (GE3/0/23 in this output). Keep in mind that DDoS sources are often spoofed, so a single dominant source is a strong signal, but a flat distribution across many sources points to a flood that an ACL on individual addresses will not stop.
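As an added example (not from the original page and not Huawei's own tooling), the Python script below parses the display ip source-trail output shown above, flags sources whose current rate is far above the others, and drafts the ACL lines needed to block them. The sample output is the FAQ's own table embedded as a constructed string; the acl / rule / traffic-filter syntax is assumed from Huawei VRP advanced-ACL conventions and must be checked against the S9300 software release in use before it is pasted into a live switch.

```python
"""Parse `display ip source-trail` output and draft a blocking ACL.

Added example, not Huawei code. The sample text below is the FAQ's own
table; the generated ACL syntax is an assumption (verify on your release).
"""
import re

# Constructed sample: the FAQ's display output for 222.223.127.174.
SAMPLE_OUTPUT = """\
Destination Address: 222.223.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   59.52.230.229   GE3/0/23   85.971M    60.234K    1.356M     121
   123.165.60.190  GE3/0/23   15.462M    10.852K    203.984K   17
   120.82.49.76    GE3/0/23   14.785M    10.577K    204.601K   18
   59.55.58.215    GE3/0/23   3.432M     6.557K     118.164K   28
   118.73.22.19    GE3/0/23   2.541M     4.600K     34.257K    7
   124.116.166.35  GE3/0/23   244.030K   4.438K     3.101K     7
   61.185.250.58   GE3/0/23   2.597M     4.253K     34.000K    6
   114.104.47.28   GE3/0/23   4.061M     4.196K     69.617K    8
"""

_UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_DST = re.compile(r"^\s*Destination Address:\s*" + _IP)
_ROW = re.compile(r"^\s*" + _IP + r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_value(text):
    """Convert a counter with an optional K/M/G suffix: '85.971M' -> 85971000.0."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unparseable counter: {text!r}")
    return float(m.group(1)) * _UNIT[m.group(2)]


def parse_source_trail(output):
    """Return (destination address, list of per-source dicts) from the CLI text."""
    dst, rows = None, []
    for line in output.splitlines():
        d = _DST.match(line)
        if d:
            dst = d.group(1)
            continue
        r = _ROW.match(line)
        if r:  # header and dashed separator lines do not match the IP pattern
            rows.append({
                "src": r.group(1), "iface": r.group(2),
                "bytes": parse_value(r.group(3)), "pkts": parse_value(r.group(4)),
                "bps": parse_value(r.group(5)), "pps": parse_value(r.group(6)),
            })
    return dst, rows


def suspicious_sources(rows, key="bps", factor=5.0):
    """Sources whose current rate exceeds `factor` x the median rate, busiest first.

    Comparing against the median rather than the maximum keeps one dominant
    source from hiding a second, smaller attacker.
    """
    if not rows:
        return []
    values = sorted(r[key] for r in rows)
    mid = len(values) // 2
    median = values[mid] if len(values) % 2 else (values[mid - 1] + values[mid]) / 2
    ranked = sorted(rows, key=lambda r: r[key], reverse=True)
    return [r["src"] for r in ranked if r[key] > factor * median]


def blocking_acl(dst, rows, sources, acl_number=3000):
    """Draft Huawei VRP advanced-ACL lines blocking `sources` -> `dst`.

    Syntax is assumed from VRP conventions (acl number / rule deny ip /
    traffic-filter inbound); confirm it on the target release. The ACL is
    applied inbound on every interface the flagged sources arrived on.
    """
    lines = [f"acl number {acl_number}"]
    for n, src in enumerate(sources, start=1):
        lines.append(f" rule {n * 5} deny ip source {src} 0 destination {dst} 0")
    # Interface names in the output are abbreviated (GE3/0/23); expand for config.
    ifaces = sorted({r["iface"] for r in rows if r["src"] in sources})
    for iface in ifaces:
        lines.append(f"interface {iface.replace('GE', 'GigabitEthernet', 1)}")
        lines.append(f" traffic-filter inbound acl {acl_number}")
    return lines


if __name__ == "__main__":
    dst, rows = parse_source_trail(SAMPLE_OUTPUT)
    bad = suspicious_sources(rows)
    print("\n".join(blocking_acl(dst, rows, bad)))
```

Run against the FAQ's table, the median rate is about 94 kbit/s, so with the default factor of 5 only 59.52.230.229 is flagged and a single deny rule plus the traffic-filter on GigabitEthernet3/0/23 is drafted. Lower the factor, or switch key="pps", when the attack is a small-packet flood that shows up in packet rate rather than bit rate.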

Root Cause
None.
Suggestions
This function is convenient for handling the scenario in which users attached to the S9300 are hit by a DDoS attack. We hope this approach helps improve everyone's fault-handling ability.

END