Use the IP source trail function on S series switches to quickly locate attack sources


S series fixed switches do not support this function. S series modular switches provide the ip source-trail command that enables the source IP address tracing function for the specified IP addresses. After this command is executed on a switch, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command.
For example, traffic on the host with IP address is detected to be abnormal. You can enable the source IP address tracing function for, then check statistics on the traffic destined for the host, and quickly locate the attack source. The configuration is as follows:
[HUAWEI] ip source-trail ip-address
[HUAWEI] display ip source-trail ip-address
Destination Address:
SrcAddr SrcIF Bytes Pkts Bits/s Pkts/s
-----------------------------------------------------------------------------------
GE3/0/23 85.971M 60.234K 1.356M 121
GE3/0/23 15.462M 10.852K 203.984K 17
GE3/0/23 14.785M 10.577K 204.601K 18
GE3/0/23 3.432M 6.557K 118.164K 28
GE3/0/23 2.541M 4.600K 34.257K 7
Based on statistics on the traffic destined for the host with IP address The source IP address has sent heavy traffic to the host, so attack source the host with IP address is located. You can then configure an ACL on the switch to block the traffic from to
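An added example, not part of the original page or any Huawei tooling: a Python parser for saved display ip source-trail output that converts the K/M suffixes and ranks sources by their share of bytes toward the traced destination. The addresses in the sample are constructed documentation-range values, the traffic figures are the ones shown above, and reading K/M as decimal multipliers is an assumption.

```python
import re

# Suffixes as printed in the output above. Treating them as decimal
# multipliers (K=10^3, M=10^6, G=10^9) is an assumption.
UNITS = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
NUM = r"[\d.]+[KMG]?"
# Columns follow the header on the page: SrcAddr SrcIF Bytes Pkts Bits/s Pkts/s
ROW = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<intf>\S+)\s+"
    + r"\s+".join(f"(?P<{k}>{NUM})" for k in ("bytes", "pkts", "bps", "pps"))
    + r"\s*$"
)

def to_number(text):
    """Convert a counter such as '85.971M' or '121' to a float."""
    value, suffix = re.fullmatch(r"([\d.]+)([KMG]?)", text).groups()
    return float(value) * UNITS[suffix]

def parse_source_trail(output):
    """Return one dict per data row; prompt, header and separator are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            row = {k: to_number(m[k]) for k in ("bytes", "pkts", "bps", "pps")}
            rows.append({"src": m["src"], "intf": m["intf"], **row})
    return rows

def rank_sources(rows):
    """Sort sources by bytes, heaviest first, with each one's share of the total."""
    total = sum(r["bytes"] for r in rows) or 1.0
    ranked = sorted(rows, key=lambda r: r["bytes"], reverse=True)
    return [(r["src"], r["intf"], r["bytes"], r["bytes"] / total) for r in ranked]

# Constructed sample: addresses are RFC 5737 placeholders, rows deliberately unordered.
SAMPLE = """\
[HUAWEI] display ip source-trail ip-address 198.51.100.10
Destination Address: 198.51.100.10
SrcAddr       SrcIF     Bytes    Pkts     Bits/s    Pkts/s
----------------------------------------------------------
192.0.2.14    GE3/0/23  15.462M  10.852K  203.984K  17
192.0.2.7     GE3/0/23  85.971M  60.234K  1.356M    121
192.0.2.33    GE3/0/23  2.541M   4.600K   34.257K   7
192.0.2.21    GE3/0/23  14.785M  10.577K  204.601K  18
192.0.2.52    GE3/0/23  3.432M   6.557K   118.164K  28
"""

if __name__ == "__main__":
    for src, intf, nbytes, share in rank_sources(parse_source_trail(SAMPLE)):
        print(f"{src:<14}{intf:<10}{nbytes:>14,.0f} B  {share:6.1%}")
```

The top-ranked source and its ingress interface are the inputs for the blocking ACL mentioned above; a source holding most of the byte count is the one to investigate first.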

Other related questions:
Query of the attack source IP address on the USG6000 series
Run the display anti-ddos source-ip [ ipv4 ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address ] command on the USG6000 to view the DDoS traffic source IP address monitoring table.

For S series switches, what ARP attack defense methods can be used on packets with the same source IP address
For S series switches: If excessive protocol packets are sent to the CPU, the CPU may be overloaded. Therefore, the switch limits the rate of ARP packets sent to the CPU and has default attack defense policies configured. To view ARP attack defense methods, run the display arp anti-attack configuration all command.

What functions on S series switches can analyze source and destination IP addresses in data packets
NetStream and sFlow supported by S series switches (except S1700 switches) can analyze information about network flows, such as source and destination IP addresses, port numbers, and interfaces in data packets.
