S9306 port attack defense alarm, but the attack source cannot be viewed

Published: 2017-03-16  Views: 1220  Downloads: 0
Problem description
Security defense is configured globally on an S9306. The device reports port attack alarms, but the attack source cannot be viewed. The configuration is as follows:

cpu-defend policy source-attack
 auto-defend enable
 auto-defend trace-type source-mac source-ip source-portvlan
 auto-defend protocol arp tcp telnet
#

cpu-defend-policy source-attack
cpu-defend-policy source-attack global

The device keeps printing the port attack alarm:

Mar 13 2017 13:37:51 JY-S9300-ChengJiang-1 %%01SECE/4/PORT_ATTACK_OCCUR(l)[4]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet6/0/14, AttackProtocol=ARP-REQUEST)

The query result is 0:

[JY-S9300-ChengJiang-1]display auto-defend attack-source slot 1
  Attack Source User Table (LPU1):
  -----------------------------------------------------------------------------
  MacAddress       InterfaceName               Vlan:Outer/Inner    TotalPackets
  -----------------------------------------------------------------------------
  -----------------------------------------------------------------------------
  Total: 0

  Attack Source Port Table (LPU1):
  ------------------------------------------------------------
  InterfaceName               Vlan:Outer/Inner    TotalPackets
  ------------------------------------------------------------
  ------------------------------------------------------------
  Total: 0

  Attack Source IP Table (LPU1):
  -----------------------------
  IPAddress        TotalPackets
  -----------------------------
  -----------------------------
  Total: 0


Alarm information
Mar 13 2017 13:37:51 JY-S9300-ChengJiang-1 %%01SECE/4/PORT_ATTACK_OCCUR(l)[4]:Auto port-defend started.(SourceAttackInterface=GigabitEthernet6/0/14, AttackProtocol=ARP-REQUEST)

Handling process
1. The log records port attack defense: by default, when packets of a given protocol sent to the CPU from that physical port exceed 30 pps, they are treated as a possible attack;
2. To find the attack source, attack source tracing (auto-defend) must be configured. Its default threshold is 128 pps, so traffic is only treated as a possible attack above 128 pps. Here only the interface threshold was triggered, not the attack source tracing threshold. Adjust the attack source tracing configuration, apply it on both the interface board (LPU) and the main control board (MPU), then monitor again:
cpu-defend policy source-attack
   auto-defend enable
   auto-defend attack-packet sample 5
   auto-defend threshold 20
   auto-defend trace-type source-mac source-ip source-portvlan
   auto-defend protocol arp tcp telnet
cpu-defend-policy source-attack global
cpu-defend-policy source-attack
After adjusting the configuration, the attack source can be viewed:

[JY-S9300-ChengJiang-1]display auto-defend attack-source history
  S : start time
  E : end time

  Attack History User Table (MPU):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  S:2017-03-15 10:03:03 286e-d495-3d8f GE6/0/14       1030      TELNET      350
  E:2017-03-15 10:32:59
  ------------------------------------------------------------------------------
  Total: 1
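As an added example (not part of the original case), a small Python helper that parses the PORT_ATTACK_OCCUR alarm and the display auto-defend attack-source history output shown above, and checks a per-port protocol rate against the two thresholds described in the handling process (30 pps port defense, 128 pps attack source tracing by default). The sample text is constructed from this page; the strict "exceeds the threshold" comparison is an assumption.

```python
import re

# Constructed sample: the PORT_ATTACK_OCCUR alarm as printed by the switch on this page.
ALARM = ('Mar 13 2017 13:37:51 JY-S9300-ChengJiang-1 %%01SECE/4/PORT_ATTACK_OCCUR(l)[4]:'
         'Auto port-defend started.(SourceAttackInterface=GigabitEthernet6/0/14, AttackProtocol=ARP-REQUEST)')

# Constructed sample of 'display auto-defend attack-source history' output after the fix.
HISTORY = """\
  S : start time
  E : end time
  Attack History User Table (MPU):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  S:2017-03-15 10:03:03 286e-d495-3d8f GE6/0/14       1030      TELNET      350
  E:2017-03-15 10:32:59
  ------------------------------------------------------------------------------
  Total: 1
"""

ALARM_RE = re.compile(
    r'%%01SECE/4/PORT_ATTACK_OCCUR\(l\)\[\d+\]:.*?'
    r'SourceAttackInterface=(?P<iface>[^,\s)]+),\s*AttackProtocol=(?P<proto>[^)\s]+)')

def parse_port_attack_alarm(line):
    """Return (interface, protocol) from a PORT_ATTACK_OCCUR log line, or None if it is not one."""
    m = ALARM_RE.search(line)
    return (m.group('iface'), m.group('proto')) if m else None

HIST_RE = re.compile(
    r'^\s*S:(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<mac>\S+)\s+(?P<iface>\S+)\s+'
    r'(?P<vlan>\S+)\s+(?P<proto>\S+)\s+(?P<pps>\d+)\s*$')

def parse_attack_history(text):
    """Return one dict per 'S:' row of the attack-source history table (the 'E:' rows carry only end time)."""
    rows = []
    for line in text.splitlines():
        m = HIST_RE.match(line)
        if m:
            d = m.groupdict()
            d['pps'] = int(d['pps'])
            rows.append(d)
    return rows

def defend_stages(pps, port_defend_pps=30, auto_defend_pps=128):
    """Which CPU-defend stages a per-port protocol rate triggers; defaults are the page's thresholds (assumed strict)."""
    return {'port_defend': pps > port_defend_pps, 'auto_defend_trace': pps > auto_defend_pps}
```

A rate between 30 and 128 pps yields `port_defend` True and `auto_defend_trace` False, which is exactly the state in this case: an alarm on the port but an empty attack-source table.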


Root cause

Configuration problem: the port attack defense threshold was triggered, but the attack source tracing threshold was not.

Solution
Lower the attack source tracing threshold.

END