Use the IP source trail function on S series switches to quickly locate attack sources


S series fixed switches do not support this function. S series modular switches provide the ip source-trail command that enables the source IP address tracing function for the specified IP addresses. After this command is executed on a switch, the switch records statistics on the traffic destined for the specified addresses. A maximum of 32 IP addresses can be configured in the command.
For example, suppose abnormal traffic is detected on the host with IP address 10.0.0.1. You can enable the source IP address tracing function for 10.0.0.1, check the statistics on traffic destined for the host, and quickly locate the attack source. The configuration is as follows:
[HUAWEI] ip source-trail ip-address 10.0.0.1
[HUAWEI] display ip source-trail ip-address 10.0.0.1
Destination Address: 10.0.0.1
SrcAddr      SrcIF       Bytes      Pkts       Bits/s      Pkts/s
-----------------------------------------------------------------------------------
10.1.0.2     GE3/0/23    85.971M    60.234K    1.356M      121
10.1.0.3     GE3/0/23    15.462M    10.852K    203.984K    17
10.1.0.4     GE3/0/23    14.785M    10.577K    204.601K    18
10.1.0.5     GE3/0/23    3.432M     6.557K     118.164K    28
10.1.0.6     GE3/0/23    2.541M     4.600K     34.257K     7
The statistics on traffic destined for the host with IP address 10.0.0.1 show that the source IP address 10.1.0.2 has sent heavy traffic to the host, so the host with IP address 10.1.0.2 is located as the attack source. You can then configure an ACL on the switch to block the traffic from 10.1.0.2 to 10.0.0.1.

Other related questions:
Query of the attack source IP address on the USG6000 series
Run the display anti-ddos source-ip [ ipv4 ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address ] command on the USG6000 to view the DDoS traffic source IP address monitoring table.

For S series switches, what ARP attack defense methods can be used on packets with the same source IP address
For S series switches: If excessive protocol packets are sent to the CPU, the CPU may be overloaded. Therefore, the switch limits the rate of ARP packets sent to the CPU and has default attack defense policies configured. To view ARP attack defense methods, run the display arp anti-attack configuration all command.

What functions on S series switches can analyze source and destination IP addresses in data packets
NetStream and sFlow supported by S series switches (except S1700 switches) can analyze information about network flows, such as source and destination IP addresses, port numbers, and interfaces in data packets.
