FAQ-How does the S9300 switch find the attack source quickly with the IP source-trail function

Publication Date: 2012-10-30
Issue Description
Can the S9300 switch quickly find the attack source IP address through traffic statistics?
Alarm Information
Handling Process
The S9300 switch provides the ip source-trail command, which enables the IP source-trail function for a configured address. Once enabled, the switch records traffic statistics for packets whose destination address is the configured address. The system supports source-trail for at most 32 addresses. A configuration example follows. It assumes that traffic to an IP address connected to the S9300 is abnormal. Configure the following on the S9300 switch:
[S9300]ip source-trail ip-address

Display the traffic statistics, broken down by source IP address:
[S9300]disp ip source-trail 
Destination Address:
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
                   GE3/0/23   85.971M    60.234K    1.356M     121
                   GE3/0/23   15.462M    10.852K    203.984K   17
                   GE3/0/23   14.785M    10.577K    204.601K   18
                   GE3/0/23   3.432M     6.557K     118.164K   28
                   GE3/0/23   2.541M     4.600K     34.257K    7
                   GE3/0/23   244.030K   4.438K     3.101K     7
                   GE3/0/23   2.597M     4.253K     34.000K    6
                   GE3/0/23   4.061M     4.196K     69.617K    8

The traffic statistics show which source IP address is sending the most traffic, so the attack source IP can be found quickly. Then configure an access control list (ACL) on the S9300 to block the attack traffic from that source IP.
Root Cause
This function is convenient for handling scenarios in which a user connected to the S9300 is under a DDoS attack.