FAQ - How to quickly find an attack source on the S9300 switch using the ip source-trail function

Publication Date: 2012-09-13
Issue Description
Q: Can the S9300 switch quickly find the source IP address of an attack by using its flow statistics function?
Alarm Information
Handling Process
The S9300 switch provides the ip source-trail command, which enables source IP tracking for the configured address. Flow statistics are recorded for traffic whose destination address is this address, and the system supports source tracking for a maximum of 32 addresses. A configuration example follows. If the traffic to an IP address is abnormal, we can configure tracking for it on the S9300 switch:
[S9300]ip source-trail ip-address
Then we can view the flow statistics broken down by source IP:
[S9300]disp ip source-trail 
Destination Address:
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
                   GE3/0/23   85.971M    60.234K    1.356M     121
                   GE3/0/23   15.462M    10.852K    203.984K   17
                   GE3/0/23   14.785M    10.577K    204.601K   18
                   GE3/0/23   3.432M     6.557K     118.164K   28
                   GE3/0/23   2.541M     4.600K     34.257K    7
                   GE3/0/23   244.030K   4.438K     3.101K     7
                   GE3/0/23   2.597M     4.253K     34.000K    6
                   GE3/0/23   4.061M     4.196K     69.617K    8
From the flow statistics above, we can quickly see which source IP address is sending a very large volume of traffic, and so quickly identify the attack source IP. We can then block the attack traffic from that source IP by configuring an access control list on the S9300 switch.
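
As an added example (not Huawei's code and not part of the original FAQ), the following Python script parses output in the column layout shown above and lists the sources that carry at least a given share of the current bit rate toward the tracked destination. The source addresses in the sample are constructed documentation-range placeholders, and treating K/M/G as decimal multipliers is an assumption.

```python
import re

# Constructed sample in the column layout shown above. Source addresses are
# documentation-range placeholders; the page's output omits the SrcAddr values.
SAMPLE = """\
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   192.0.2.10      GE3/0/23   85.971M    60.234K    1.356M     121
   192.0.2.11      GE3/0/23   15.462M    10.852K    203.984K   17
   198.51.100.7    GE3/0/23   14.785M    10.577K    204.601K   18
   198.51.100.8    GE3/0/23   244.030K   4.438K     3.101K     7
"""

# Assumption: K/M/G suffixes are decimal multipliers.
UNITS = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def to_number(text):
    """Convert a counter such as '85.971M' or '121' to a float."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised counter: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_source_trail(output):
    """Return one dict per source row; header, rule and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            src, intf, *counters = m.groups()
            keys = ("bytes", "pkts", "bps", "pps")
            rows.append({"src": src, "intf": intf,
                         **{k: to_number(v) for k, v in zip(keys, counters)}})
    return rows

def top_talkers(rows, share=0.5):
    """Sources whose current bit rate is at least `share` of the total, largest first."""
    total = sum(r["bps"] for r in rows)
    if total == 0:
        return []
    hits = [(r["src"], r["bps"] / total) for r in rows if r["bps"] / total >= share]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for src, frac in top_talkers(parse_source_trail(SAMPLE)):
        print(f"{src} carries {frac:.0%} of traffic to the tracked destination")
```

Ranking on Bits/s reflects the current rate; ranking on the Bytes column instead shows which source has sent the most since tracking was enabled.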

Root Cause
This function is convenient for handling scenarios in which users attached to the S9300 are hit by a DDoS attack. We hope this method helps improve everyone's fault-handling ability.