eSight V300R009C00 Operation Guide 10

Typical Configuration Examples

This section describes typical configuration examples in typical application scenarios, helping users complete various operations based on the actual scenarios.

Example for Using NTA to Quickly Locate the Source Host That Sends Attack Packets

This section describes how to use the traffic analysis function provided by the NTA component to quickly locate the source host that sends attack packets, and restore normal network operations.

Applicable Products and Versions

V200R005C00 or later versions

Networking Requirements

Devices on the campus network of a company have been added to eSight. The network administrator Thomas finds that the user number and network scale remain stable in the recent two years. However, access speed to the email server becomes slow. Thomas also receives an alarm from eSight, indicating that the interface usage of the access device connected to the email server is high. Thomas needs to locate the fault based on the detailed alarm information.

Figure 12-24 Networking of the company

Configuration Roadmap
  1. Switch from the topology view to the NTA traffic analysis page to view detailed traffic data of the access switch connected to the email server.
  2. Create a traffic forensics task to view detailed information about original flows.
  3. Execute the traffic forensics task.
  4. View detailed data in the task execution result and save it to a local device so that network security specialists can review it.
Prerequisites
  • You have the operator user rights or higher.
  • Communication has been established between eSight and the devices, and eSight can manage and maintain the devices. For details, see Example for Configuring Automatic Device Discovery Using SNMPv2c.
  • eSight NTA can normally monitor the devices, and you have received NTA traffic alarms from eSight.
Procedure
  1. Click the icon indicating critical alarms on the eSight home page to display the current alarm list.

  2. Click the icon next to the desired traffic alarm to display the topology page.
  3. Switch from the topology view to the NTA traffic analysis page to view detailed traffic data of the access switch connected to the email server.

    1. In the topology view, right-click the link that reports an alarm and choose View Interface Traffic > Last 15 minutes from the shortcut menu.

    2. On the displayed NTA interface traffic analysis page, you can view top N source hosts with high interface traffic volume in TOP N Host - From. Click the link of the host name with the highest interface traffic volume to display the traffic analysis page of the source host.

    3. In TOP N Conversation, you can find that the percentage of traffic from the source host to the access switch connected to the email server is 100%, indicating that the source host is consuming email server resources.

    4. Click Conversation to view detailed conversation information. You can find that the traffic and packet number of all the records are the same, indicating that attacks may exist.

  4. Create a traffic forensics task to view detailed information about original flows. Attacks do not exist if the original flows are of a specific protocol, with specific source and destination host ports, and have fixed flow size and packet number.

    1. In the navigation tree on the left, choose Traffic Monitor > Flow Forensic.
    2. Click Create. The page for creating a traffic forensics task is displayed.

    3. Set Name, Description, and Time Range.
    4. Set Interface and click Add Interface to specify an interface filter criterion. You can specify multiple interface filter criteria simultaneously.
    5. Set Filter and click Add to add an interface filter criterion to the list below. You can add multiple filter criteria simultaneously.
    6. Set Data Save Days. The value of the parameter ranges from 1 to 30 days, and the default value is 7 days.
    7. Click OK. A traffic forensics task is created.

  5. Click the corresponding icon in the traffic forensics task list to run the traffic forensics task manually.
  6. On the Flow Forensic page, click the icon in the Operation column to view detailed traffic data.
  7. On the Traffic Forensics page, click Export Data to export the data to a local device so that network security specialists can review it.

Verification
  • Check the port number and TCP flag to determine whether the host initiates TCP Flood attacks to the email server.
  • After the fault is rectified, check whether the alarm is cleared and link traffic returns to normal.
Summary and Suggestions
  • Typical characteristics of virus-infected packets: The packets are of a specific protocol, with specific source and destination host ports, and have fixed flow size and packet number.
  • Attack characteristics: The attacker initiates a large number of SMTP connections (generally, TCP connections) to the server from different source ports, and sends packets of fixed length at a fixed rate.
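The characteristics listed above (many TCP conversations from different source ports, identical flow size and packet count, fixed sending rate) and the port and TCP flag check from Verification can be applied programmatically to an exported forensics result once it has been saved locally. The following script is an added example for this document; it is not eSight's own code and does not reflect the actual layout of an eSight export. The CSV column names, the addresses, ports, flags, sizes and timestamps are all constructed assumptions used to illustrate the heuristic.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of an exported traffic-forensics result (column layout is an
# assumption, not eSight's real export format).
# 10.1.1.50 opens an SMTP connection to the mail server 10.1.2.25 from a new source
# port every 2 s, each flow with the same size and packet count and only SYN set.
# 10.1.1.70 is an ordinary mail client included for comparison.
SAMPLE_EXPORT = """\
src_ip,src_port,dst_ip,dst_port,protocol,tcp_flags,bytes,packets,start_time
10.1.1.50,40001,10.1.2.25,25,TCP,S,1200,20,0
10.1.1.50,40002,10.1.2.25,25,TCP,S,1200,20,2
10.1.1.50,40003,10.1.2.25,25,TCP,S,1200,20,4
10.1.1.50,40004,10.1.2.25,25,TCP,S,1200,20,6
10.1.1.50,40005,10.1.2.25,25,TCP,S,1200,20,8
10.1.1.50,40006,10.1.2.25,25,TCP,S,1200,20,10
10.1.1.70,51000,10.1.2.25,25,TCP,SPAF,5300,41,1
10.1.1.70,51004,10.1.2.25,25,TCP,SPAF,98120,312,7
10.1.1.70,51009,10.1.2.25,25,TCP,SPAF,2210,18,30
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        row["start_time"] = float(row["start_time"])
        rows.append(row)
    return rows


def find_flood_sources(flows, dst_port=25, min_flows=5, rate_tolerance=0.1):
    """Return {src_ip: summary} for sources whose TCP flows to dst_port show the
    flood characteristics: at least min_flows conversations from distinct source
    ports, a single (bytes, packets) shape, and near-constant start intervals
    (coefficient of variation of the gaps <= rate_tolerance)."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["protocol"].upper() == "TCP" and f["dst_port"] == dst_port:
            by_pair[(f["src_ip"], f["dst_ip"])].append(f)

    findings = {}
    for (src, dst), group in by_pair.items():
        if len(group) < min_flows:
            continue
        ports = {f["src_port"] for f in group}
        shapes = {(f["bytes"], f["packets"]) for f in group}
        starts = sorted(f["start_time"] for f in group)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        fixed_rate = (
            bool(gaps) and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= rate_tolerance
        )
        if len(ports) >= min_flows and len(shapes) == 1 and fixed_rate:
            flow_bytes, flow_packets = next(iter(shapes))
            findings[src] = {
                "dst_ip": dst,
                "conversations": len(group),
                "flow_bytes": flow_bytes,
                "flow_packets": flow_packets,
                "interval_s": round(mean(gaps), 3),
                # Flags seen on the suspect flows, for the Verification step.
                "tcp_flags": sorted({f["tcp_flags"] for f in group}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_flood_sources(parse_export(SAMPLE_EXPORT)).items():
        print(f"{src}: {info}")
```

The thresholds (`min_flows`, `rate_tolerance`) are starting points that should be tuned to the real traffic baseline; a legitimate mail relay also opens many SMTP connections, but its flow sizes and intervals vary, which is what the shape and rate checks separate out.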
Updated: 2019-08-10

Document ID: EDOC1100011877
