Configuration Guide NFPP Configuration
Host-based rate-limit and attack detection
Host-based attack detection falls into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each type, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, a warning message is logged and a TRAP message is sent.
ARP-guard also detects ARP scans; by default the scan window is 10s and the scan threshold is 15 packets. If 15 or more ARP packets are received within 10s, and either the link-layer source MAC address stays fixed while the source IP address changes, or the source MAC address and source IP address stay fixed while the destination IP address changes, an ARP scan is detected, recorded in the syslog, and TRAP messages are sent.
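The following is an added example, not code from the configuration guide or from the device firmware. It is a small software model of the host-based behaviour described above: per source MAC/VID/port, it counts ARP packets in a one-second sliding window against an assumed rate-limit threshold and warning threshold (the sample values 4 and 8 packets per second are assumptions, not device defaults), and applies the ARP-scan heuristic with the guide's defaults of 15 packets in 10s. It runs over constructed sample traffic and is useful for reasoning about which traffic pattern triggers a drop, a DoS warning, or a scan alert.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float       # arrival time in seconds
    port: str
    vid: int
    src_mac: str
    src_ip: str
    dst_ip: str


class ArpGuardModel:
    """Per-host (source MAC/VID/port) rate-limit, warning and ARP-scan detection.

    rate_limit and warn_threshold are packets per second (assumed sample values);
    scan_window and scan_threshold mirror the guide's defaults of 10s and 15 packets.
    """

    def __init__(self, rate_limit=4, warn_threshold=8, scan_window=10.0, scan_threshold=15):
        self.rate_limit = rate_limit
        self.warn_threshold = warn_threshold
        self.scan_window = scan_window
        self.scan_threshold = scan_threshold
        self._recent = defaultdict(deque)   # host key -> packets within scan_window
        self._scan_flagged = set()          # hosts already reported as scanning

    @staticmethod
    def host_key(pkt):
        # Source MAC address/VID/port-based classification.
        return (pkt.src_mac, pkt.vid, pkt.port)

    def observe(self, pkt):
        """Feed one ARP packet; return the list of actions/alerts it triggers."""
        events = []
        key = self.host_key(pkt)
        window = self._recent[key]
        window.append(pkt)
        # Expire packets that fell out of the scan window.
        while window and pkt.ts - window[0].ts > self.scan_window:
            window.popleft()

        # Packets per second from this host: one-second sliding sub-window.
        per_sec = sum(1 for p in window if pkt.ts - p.ts < 1.0)
        if per_sec > self.rate_limit:
            events.append("DROP")            # above the rate-limit threshold
        if per_sec > self.warn_threshold:
            events.append("DOS_DETECTED")    # above the warning threshold: syslog + TRAP

        # Scan heuristic: at least scan_threshold packets in the window and either
        # fixed MAC with a changing source IP, or fixed MAC and source IP with a
        # changing destination IP. Report each scanning host once.
        if len(window) >= self.scan_threshold and key not in self._scan_flagged:
            src_ips = {p.src_ip for p in window}
            dst_ips = {p.dst_ip for p in window}
            if len(src_ips) > 1 or (len(src_ips) == 1 and len(dst_ips) > 1):
                self._scan_flagged.add(key)
                events.append("SCAN_DETECTED")
        return events


def run_sample():
    """Run the model over constructed traffic and return a count of events."""
    guard = ArpGuardModel()
    # Constructed: one host probing 16 different destination IPs, one every 0.5s.
    scan = [ArpPacket(0.5 * i, "Gi4/1", 1, "0000.0000.0004", "10.0.0.4", f"10.0.0.{100 + i}")
            for i in range(16)]
    # Constructed: a burst of 10 ARP requests within one second from a second host.
    burst = [ArpPacket(20.0 + 0.05 * i, "Gi4/2", 1, "0000.0000.0005", "10.0.0.5", "10.0.0.1")
             for i in range(10)]
    summary = defaultdict(int)
    for pkt in scan + burst:
        for event in guard.observe(pkt):
            summary[event] += 1
    return dict(summary)


if __name__ == "__main__":
    print(run_sample())  # {'SCAN_DETECTED': 1, 'DROP': 6, 'DOS_DETECTED': 2}
```

The slow scan never exceeds the per-second thresholds, so it is caught only by the scan heuristic, while the burst host is rate-limited after the fourth packet in a second and generates a DoS warning after the eighth; this is the distinction between the two mechanisms that the text describes.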
The following message is logged when an ARP DoS attack is detected:
%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)
The content in parentheses is the attack detection time.
The following example shows the description carried in the TRAP message that is sent:
ARP DoS attack from host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.
If the administrator has not set the isolation time to 0, the following message is logged when hardware isolation succeeds:
%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)
The following example shows the description carried in the TRAP message that is sent:
Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated.
When hardware isolation fails because memory or hardware resources are exhausted, the following message is logged:
%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)
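The three syslog formats above are worth parsing into structured fields, because an ISOLATE_FAILED message means the detected host is still on the wire and needs operator attention. The following is an added example, not part of the configuration guide: a parser for the NFPP_ARP_GUARD message layout shown above (facility, severity, mnemonic, the IP/MAC/port/VLAN tuple with N/A handled, and the trailing timestamp), applied to constructed copies of the three sample lines, plus a helper that lists hosts whose hardware isolation failed.

```python
import re
from datetime import datetime

# Constructed sample lines, in the format shown in the guide.
SAMPLE_LOGS = [
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>"
    " was detected.(2009-07-01 13:00:00)",
    "%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>"
    " was isolated. (2009-07-01 13:00:00)",
    "%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host"
    " <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)",
]

# Matches "%FACILITY-SEVERITY-MNEMONIC: ... <IP=..,MAC=..,port=..,VLAN=..> ... (YYYY-MM-DD HH:MM:SS)".
LOG_RE = re.compile(
    r"%(?P<facility>NFPP_\w+)-(?P<severity>\d)-(?P<mnemonic>\w+):\s*"
    r".*?<IP=(?P<ip>[^,>]+),MAC=(?P<mac>[0-9A-Fa-f.]+),port=(?P<port>[^,>]+),VLAN=(?P<vlan>\d+)>"
    r".*?\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
)


def parse_nfpp_log(line):
    """Parse one NFPP ARP-guard syslog line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "facility": d["facility"],
        "severity": int(d["severity"]),
        "mnemonic": d["mnemonic"],
        # IP=N/A is emitted for the MAC-based detection type; normalise it to None.
        "ip": None if d["ip"] == "N/A" else d["ip"],
        "mac": d["mac"],
        "port": d["port"],
        "vlan": int(d["vlan"]),
        "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
    }


def hosts_needing_manual_isolation(lines):
    """Return (mac, port, vlan) for every host whose hardware isolation failed.

    These hosts were detected but are not blocked in hardware, so they need
    operator follow-up (for example freeing resources or shutting the port).
    """
    failed = []
    for line in lines:
        rec = parse_nfpp_log(line)
        if rec and rec["mnemonic"] == "ISOLATE_FAILED":
            failed.append((rec["mac"], rec["port"], rec["vlan"]))
    return failed


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_nfpp_log(line))
    print(hosts_needing_manual_isolation(SAMPLE_LOGS))
```

The regex tolerates the inconsistent spacing between the three formats (`Host<`, `Host <`, `host <`, and the space before the timestamp) by anchoring on the `<IP=...>` tuple and the trailing parenthesised timestamp rather than on the surrounding words.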