Binding the filter to an interface, Clearing dos attack statistics, Clearing all ddos filter & attack counters – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53-1002440-03

DDoS protection

Binding the filter to an interface

To take effect, a filter must be bound to an interface. Once bound, it is applied globally to all
interfaces on the ServerIron ADX. To bind a filter to an interface, use the following command:

ServerIronADX(config-if-e1000-1/2)# security apply-filter filter1

Syntax: security apply-filter <filter-name>

The <filter-name> variable specifies the filter that you want to apply on the ServerIron ADX. A maximum
of 10 filters can be bound to a single interface.

Clearing DOS attack statistics

Use clear statistics dos-attack to reset counters for ICMP and TCP SYN packet burst thresholds.

Syntax: clear statistics dos-attack

Clearing all DDOS Filter & Attack Counters

Use security clear all-dos-filter-counters to reset all DDOS Filter and Attack Counters.

Syntax: security clear all-dos-filter-counters

Logging for DoS attacks

Use the show log command to display the logging information and notice the attack type hits:

For each log event that occurs for software rules, the ServerIron ADX sends a syslog message and
an SNMP trap. The system logs once per 1-second period, and each entry records only the difference
for that period (not cumulative totals). For example, assume 5 packets are dropped within 1 second.
The system logs 5. Then, 2 packets are dropped during the next second. The system logs 2 (not 7).

Use show security hold:

Use show security net-scan-sessions:

BP # show sec net-scan-sessions <number to be skipped>
IP address                  Attack Type      Number Scanned
10.10.1.101->10.10.1.151    port-scan        1

The Number Scanned value indicates the number of ports that client 10.10.1.101 has accessed on IP
10.10.1.151 (which is the VIP in the example).

Similarly for address-sweep:

BP #show sec net-scan-sessions 0
IP address                  Attack Type      Number Scanned
10.10.1.101                 address-sweep    2

The above example tells you that client 10.10.1.101 has accessed 2 destination IPs in the past 1
monitoring interval.
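
The following is an added example, not taken from the Brocade manual: a Python parser for the two row forms of show sec net-scan-sessions output shown above (source->VIP for port-scan, source only for address-sweep), which also groups rows by source when Number Scanned reaches a review limit. The function names, the limits and the 10.10.1.77 row are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

class ScanSession(NamedTuple):
    source: str
    target: Optional[str]   # VIP for port-scan rows; None for address-sweep rows
    attack_type: str
    number_scanned: int

# Row forms shown on the page:
#   10.10.1.101->10.10.1.151 port-scan 1
#   10.10.1.101 address-sweep 2
ROW = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s+(?P<type>port-scan|address-sweep)\s+(?P<count>\d+)\s*$"
)

def parse_net_scan_sessions(text):
    """Return one ScanSession per data row; prompt, header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sessions.append(ScanSession(m["src"], m["dst"], m["type"], int(m["count"])))
    return sessions

def sources_over_threshold(sessions, port_limit, sweep_limit):
    """Map each source IP to its rows whose count reaches the (assumed) review limit."""
    limits = {"port-scan": port_limit, "address-sweep": sweep_limit}
    flagged = defaultdict(list)
    for s in sessions:
        if s.number_scanned >= limits[s.attack_type]:
            flagged[s.source].append(s)
    return dict(flagged)

# Constructed sample: the two rows from the page plus one invented row (10.10.1.77).
SAMPLE = """\
BP #show sec net-scan-sessions 0
IP address                  Attack Type      Number Scanned
10.10.1.101->10.10.1.151    port-scan        1
10.10.1.101                 address-sweep    2
10.10.1.77->10.10.1.151     port-scan        40
"""

if __name__ == "__main__":
    flagged = sources_over_threshold(parse_net_scan_sessions(SAMPLE), 20, 2)
    for src, rows in flagged.items():
        print(src, [(r.attack_type, r.target, r.number_scanned) for r in rows])
```
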
