FAQ - How to quickly find an attack source on an S9300 switch with the ip source-trail function

Publication Date: 2019-07-11

Issue Description

Q: Can the S9300 switch quickly find the source IP address of an attack through its flow statistics function?

Alarm Information

None.

Handling Process

A:
The S9300 switch provides the ip source-trail command, which enables source IP tracking for the configured address. Flow statistics for traffic whose destination address is this address are saved, and the system supports source tracking for a maximum of 32 addresses. A configuration example follows. If the traffic of IP address X.X.127.174 is abnormal, configure the following on the S9300 switch:
[S9300]ip source-trail ip-address X.X.127.174
Then view the flow statistics, listed by source IP address:
[S9300]disp ip source-trail X.X.127.174
Destination Address: X.X.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
    X.X.230.229   GE3/0/23   85.971M    60.234K    1.356M     121
    X.X.60.190    GE3/0/23   15.462M    10.852K    203.984K   17
    X.X.49.76     GE3/0/23   14.785M    10.577K    204.601K   18
    X.X.58.215    GE3/0/23   3.432M     6.557K     118.164K   28
    X.X.22.19     GE3/0/23   2.541M     4.600K     34.257K    7
    X.X.166.35    GE3/0/23   244.030K   4.438K     3.101K     7
    X.X.250.58    GE3/0/23   2.597M     4.253K     34.000K    6
    X.X.47.28     GE3/0/23   4.061M     4.196K     69.617K    8
The flow statistics above quickly show which source IP address is sending a very large amount of traffic, so the attack source IP address can be found quickly. The attack traffic from that source IP address to X.X.127.174 can then be blocked by configuring an access control list on the S9300 switch.
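
When the source-trail output is captured to a text file or a ticket, the ranking can be done offline. The following Python parser is an added example, not Huawei code: it reads the table format shown above, converts the suffixed counters, and ranks sources by byte share toward the tracked address. The function names are hypothetical, and treating K/M/G as decimal multipliers is an assumption, since the page does not define them.

```python
import re

# Constructed sample input: the masked command output shown on this page.
SAMPLE = """\
Destination Address: X.X.127.174
   SrcAddr         SrcIF      Bytes      Pkts       Bits/s     Pkts/s
   ----------------------------------------------------------------------
    X.X.230.229   GE3/0/23   85.971M    60.234K    1.356M     121
    X.X.60.190    GE3/0/23   15.462M    10.852K    203.984K   17
    X.X.49.76     GE3/0/23   14.785M    10.577K    204.601K   18
    X.X.58.215    GE3/0/23   3.432M     6.557K     118.164K   28
    X.X.22.19     GE3/0/23   2.541M     4.600K     34.257K    7
    X.X.166.35    GE3/0/23   244.030K   4.438K     3.101K     7
    X.X.250.58    GE3/0/23   2.597M     4.253K     34.000K    6
    X.X.47.28     GE3/0/23   4.061M     4.196K     69.617K    8
"""

# Assumption: K/M/G suffixes are decimal multipliers; the page does not say.
MULT = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
NUM = re.compile(r"^(\d+(?:\.\d+)?)([KMG]?)$")

def to_number(field):
    """Convert a counter such as '85.971M' or '121' to a float."""
    m = NUM.match(field)
    if not m:
        raise ValueError(f"not a counter: {field!r}")
    return float(m.group(1)) * MULT[m.group(2)]

def parse_source_trail(text):
    """Return one dict per source row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not all(NUM.match(p) for p in parts[2:]):
            continue
        row = {"src": parts[0], "iface": parts[1]}
        row.update(zip(("bytes", "pkts", "bits_s", "pkts_s"), map(to_number, parts[2:])))
        rows.append(row)
    return rows

def rank_by_bytes(rows):
    """Sort by byte count and attach each source's share of the total bytes."""
    total = sum(r["bytes"] for r in rows) or 1.0
    ranked = sorted(rows, key=lambda r: r["bytes"], reverse=True)
    return [dict(r, share=r["bytes"] / total) for r in ranked]

def dominant_sources(rows, min_share=0.5):
    """Sources whose byte share toward the tracked address is >= min_share."""
    return [r["src"] for r in rank_by_bytes(rows) if r["share"] >= min_share]
```

The rows in the sample appear in descending Pkts order, so ranking by Bytes reorders the lower entries; on this data a single source accounts for about two thirds of the bytes sent to X.X.127.174.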

Root Cause

None.

Suggestions

This function is convenient for handling scenarios in which users connected under the S9300 are attacked by DDoS. We hope this method helps improve everybody's fault handling ability.
