FAQ: How does the S9300 switch quickly find an attack source with the IP source-trail function

Publication Date:  2012-10-30 Views:  135 Downloads:  0
Issue Description
Q:
Can the S9300 switch quickly find the source IP address of an attack by a quick traffic count?
Alarm Information
NULL
Handling Process
A:
The S9300 switch provides the ip source-trail command. It enables the IP source-trail function for a configured address: the traffic statistics of all packets that carry this address as their destination address are recorded, per source. The system supports source-trail for at most 32 addresses. The configuration example below assumes that the traffic toward the IP address 222.223.127.174, which is connected to the S9300, is abnormal; configure the following on the S9300 switch:
[S9300]ip source-trail ip-address  222.223.127.174

Then display the traffic statistics toward that address, counted per source IP address:
[S9300]disp ip source-trail 222.223.127.174 
Destination Address: 222.223.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   59.52.230.229   GE3/0/23   85.971M    60.234K    1.356M     121      
   123.165.60.190  GE3/0/23   15.462M    10.852K    203.984K   17       
   120.82.49.76    GE3/0/23   14.785M    10.577K    204.601K   18       
   59.55.58.215    GE3/0/23   3.432M     6.557K     118.164K   28       
   118.73.22.19    GE3/0/23   2.541M     4.600K     34.257K    7        
   124.116.166.35  GE3/0/23   244.030K   4.438K     3.101K     7        
   61.185.250.58   GE3/0/23   2.597M     4.253K     34.000K    6        
   114.104.47.28   GE3/0/23   4.061M     4.196K     69.617K    8      

From these statistics we can see which source IP address is sending the most traffic and so identify the attack source quickly. Then configure an access control list (ACL) on the S9300 to block the attack traffic from the source IP 222.223.127.174.
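The triage step described above, automated as an added example (not Huawei's code): it parses output in the format of the display command shown, ranks the sources by current bit rate and flags those carrying a dominant share of the traffic toward the traced address. The sample text is constructed from the table above, and the 50 % share threshold is an assumption.

```python
import re

# Constructed sample in the format of "display ip source-trail" shown above
SAMPLE = """\
Destination Address: 222.223.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
   59.52.230.229   GE3/0/23   85.971M    60.234K    1.356M     121
   123.165.60.190  GE3/0/23   15.462M    10.852K    203.984K   17
   124.116.166.35  GE3/0/23   244.030K   4.438K     3.101K     7
"""

SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")

def parse_count(token):
    """'85.971M' -> 85971000.0, '121' -> 121.0 (K/M/G suffixes as the CLI prints them)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError("unexpected counter: %r" % token)
    return float(m.group(1)) * SUFFIX[m.group(2)]

def parse_source_trail(text):
    """Return (destination, rows) from the display output; each row is a dict."""
    dest, rows = None, []
    for line in text.splitlines():
        if line.startswith("Destination Address:"):
            dest = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) != 6 or not IPV4.match(parts[0]):
            continue  # header, separator or blank line
        rows.append({"src": parts[0], "iface": parts[1],
                     "bytes": parse_count(parts[2]), "pkts": parse_count(parts[3]),
                     "bps": parse_count(parts[4]), "pps": parse_count(parts[5])})
    return dest, rows

def rank_sources(rows):
    """Sources ordered by current bit rate, with each one's share of the total."""
    total = sum(r["bps"] for r in rows) or 1.0
    ranked = sorted(rows, key=lambda r: r["bps"], reverse=True)
    return [(r["src"], r["iface"], round(r["bps"] / total, 3)) for r in ranked]

def suspects(rows, min_share=0.5):
    """Sources carrying at least min_share of the traffic toward the destination."""
    return [src for src, _, share in rank_sources(rows) if share >= min_share]
```

Feed the captured display output to parse_source_trail and the returned rows to suspects; with the constructed sample only 59.52.230.229 is flagged, and the interface column tells you where to apply the ACL.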
Root Cause
NULL
Suggestions
This function is convenient for handling the case where a user connected to the S9300 is under a DDoS attack.
