The diverted flow's state could not change from abnormal to attacked

Publication Date: 2013-12-10
Issue Description
ATIC detected that the traffic was anomalous and diverted it, but the traffic state did not change from abnormal to attacked.

Alarm Information
NA
Handling Process
A check of the cleaning device configuration and the ATIC server system found that the ATIC IP had been modified. As a result, the log-server-ip configured on the cleaning device no longer corresponded to the actual ATIC IP, ATIC did not receive the cleaning device's logs, and the flow state could not change from abnormal to attacked.
Root Cause
When an abnormal flow does not change to attacked, there are generally two possible reasons.
(1) The flow has only exceeded the threshold and is not an attack.
(2) The cleaning device cannot communicate with ATIC. This is not caused by a link or route interruption, so it is more subtle: although the cleaning device is online, the IP and port used for reporting attacks are unreachable, which is easily overlooked.

Suggestions
Similarly, if the log-server-ip configuration on the cleaning device has been modified, a similar failure occurs. Although the network element management state is online, the system uses different protocols for detection, so an online management state does not show that data is being reported to ATIC normally.
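
The check suggested above can be automated by auditing the log path separately from the management state. The following is an added example, not code from the original case or from the vendor: the record fields, device names, addresses and the 10-minute silence limit are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

@dataclass
class CleaningDevice:
    name: str
    mgmt_online: bool                  # management state shown for the network element
    log_server_ip: str                 # log-server-ip value configured on the device
    last_log_seen: Optional[datetime]  # last log the ATIC server received from it

def audit(devices, atic_ip, now, max_silence=timedelta(minutes=10)):
    """Return {device name: [findings]} for devices whose log path is suspect.

    The management state is deliberately not trusted: it is detected over a
    different protocol than log reporting, so both signals are checked.
    """
    atic = ip_address(atic_ip)
    findings = {}
    for d in devices:
        issues = []
        # Case from this page: ATIC IP changed, device still logs to the old one.
        if ip_address(d.log_server_ip) != atic:
            issues.append(f"log-server-ip {d.log_server_ip} != ATIC IP {atic_ip}")
        # Covers an unreachable reporting IP/port even when the config matches.
        if d.last_log_seen is None or now - d.last_log_seen > max_silence:
            state = "online" if d.mgmt_online else "offline"
            issues.append(f"no logs within {max_silence} while management state is {state}")
        if issues:
            findings[d.name] = issues
    return findings

# Constructed sample data (documentation address range, hypothetical names).
NOW = datetime(2013, 12, 10, 12, 0, 0)
ATIC_IP = "192.0.2.20"  # current ATIC address after the change
DEVICES = [
    CleaningDevice("cleaner-a", True, "192.0.2.20", NOW - timedelta(minutes=2)),
    CleaningDevice("cleaner-b", True, "192.0.2.10", None),  # stale log-server-ip
    CleaningDevice("cleaner-c", True, "192.0.2.20", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    for name, issues in audit(DEVICES, ATIC_IP, NOW).items():
        for issue in issues:
            print(f"{name}: {issue}")
```
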
