Query of the attack source IP address on the USG6000 series


Run the display anti-ddos source-ip [ ipv4 ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address ] command on the USG6000 to view the DDoS traffic source IP address monitoring table.

Other related questions:
Query of session entries with specified IP addresses
You can view session entries with specified source or destination IP addresses on the web UI or CLI.

For the USG6000 series, on the web UI, choose Monitor > Session Table to view the session table. Then, click Advanced Search and enter the specified IP address in Source Address or Destination Address.

For the USG2000&5000 series, on the web UI, choose Firewall > Monitor > Session Table to view the session table. Then, click Advanced Search, select Source or Destination from the IP Address drop-down list, and enter the specified IP address.

For the USG2000&5000 and USG6000 series, you can run the display firewall session table source [ verbose ] { inside ip-address | global ip-address } or display firewall session table destination { inside ip-address | global ip-address } command to view session information about the specified source or destination IP address.

Enabling IP spoofing attack defense on the USG6000 series
The USG6000 looks up the routing table for the outgoing interfaces of reverse traffic destined to the source. If the incoming interface of the traffic and the outgoing interface of the reverse traffic are different, the packets are considered IP spoofing packets and discarded. Run the firewall defend ip-spoofing enable command to enable IP spoofing attack defense.

Use the IP source trail function on S series switches to quickly locate attack sources
S series fixed switches do not support this function. S series modular switches provide the ip source-trail command, which enables the source IP address tracing function for the specified IP addresses. After this command is executed on a switch, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command.

For example, traffic on the host with IP address 10.0.0.1 is detected to be abnormal. You can enable the source IP address tracing function for 10.0.0.1, then check statistics on the traffic destined for the host, and quickly locate the attack source. The configuration is as follows:

    [HUAWEI] ip source-trail ip-address 10.0.0.1
    [HUAWEI] display ip source-trail ip-address 10.0.0.1
    Destination Address: 10.0.0.1
    SrcAddr     SrcIF      Bytes     Pkts      Bits/s     Pkts/s
    -----------------------------------------------------------------------------------
    10.1.0.2    GE3/0/23   85.971M   60.234K   1.356M     121
    10.1.0.3    GE3/0/23   15.462M   10.852K   203.984K   17
    10.1.0.4    GE3/0/23   14.785M   10.577K   204.601K   18
    10.1.0.5    GE3/0/23   3.432M    6.557K    118.164K   28
    10.1.0.6    GE3/0/23   2.541M    4.600K    34.257K    7

The statistics on the traffic destined for the host with IP address 10.0.0.1 show that the source IP address 10.1.0.2 has sent heavy traffic to the host, so the host with IP address 10.1.0.2 is located as the attack source. You can then configure an ACL on the switch to block the traffic from 10.1.0.2 to 10.0.0.1.
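When the source-trail table is longer than a handful of rows, ranking it by hand is error-prone. The following is an added example, not Huawei code: a small parser for the display ip source-trail output shown above that ranks sources by byte count and reports each source's share of the traffic. It assumes the K/M/G suffixes are decimal multipliers (the page does not say), and the 50% threshold is an illustrative value.

```python
import re

# Constructed sample: the display ip source-trail output quoted on this page.
SAMPLE = """\
Destination Address: 10.0.0.1
SrcAddr     SrcIF      Bytes     Pkts      Bits/s     Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2    GE3/0/23   85.971M   60.234K   1.356M     121
10.1.0.3    GE3/0/23   15.462M   10.852K   203.984K   17
10.1.0.4    GE3/0/23   14.785M   10.577K   204.601K   18
10.1.0.5    GE3/0/23   3.432M    6.557K    118.164K   28
10.1.0.6    GE3/0/23   2.541M    4.600K    34.257K    7
"""

# Assumption: suffixes are decimal multipliers; adjust if the device uses 1024.
UNITS = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def to_number(field):
    """Convert a counter such as '85.971M' or '121' to a float."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", field)
    if not m:
        raise ValueError(f"unrecognised counter: {field!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_source_trail(text):
    """Return one dict per source row, sorted by bytes, with its traffic share."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, prompt or blank line
        src, iface, *counters = m.groups()
        b, p, bps, pps = map(to_number, counters)
        rows.append({"src": src, "iface": iface, "bytes": b, "pkts": p, "bps": bps, "pps": pps})
    total = sum(r["bytes"] for r in rows) or 1.0
    for r in rows:
        r["share"] = r["bytes"] / total
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)

def dominant_sources(rows, min_share=0.5):
    """Sources that account for at least min_share of the bytes (hypothetical threshold)."""
    return [r["src"] for r in rows if r["share"] >= min_share]

if __name__ == "__main__":
    for r in parse_source_trail(SAMPLE):
        print(f'{r["src"]:<10} {r["iface"]:<9} {r["bytes"]:>12.0f} B  {r["share"]:6.1%}')
```

On the sample, 10.1.0.2 accounts for roughly 70% of the bytes sent to 10.0.0.1, which matches the conclusion drawn from the table.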

Query of IPS logs on the USG6000 series
By checking threat logs, you can view detection and defense records for network threats such as viruses, learn historical and ongoing threat events, and adjust security policies or implement active defense in a timely manner. You can view IPS logs only when the current device model supports hard disks and has hard disks installed.

For the USG6000 series, you can view IPS log details on the web UI.
1. Choose Monitor > Log > Threat Log to view threat logs such as IPS logs.
2. Choose Customize and select/deselect conditions for threat log display. The following items can be customized: time, threat type, threat ID, threat name, source zone, destination zone, attacker, target, source address:source port, destination address:destination port, application, protocol, action, security policy, profile, source region, destination region, and virtual system.
