Updated on 2024-01-25 GMT+08:00

ALM-3276800092 Port attack occurred

Description

SECE/4/STRACKPORT: OID [OID] An attack occurred. (Interface=[OCTET], InnerVlan=[INTEGER], OuterVlan=[INTEGER], EndTime=[OCTET], TotalPackets=[INTEGER])

The system detects an attack on an interface.

Attribute

Alarm ID

Alarm Severity

Alarm Type

3276800092

Warning

securityServiceOrMechanismViolation(10)

Parameters

Name

Meaning

OID

Indicates the MIB object ID of the alarm.

Interface

Indicates the access interface of the attacker.

InnerVlan

Indicates the inner VLAN ID of the attacker.

OuterVlan

Indicates the outer VLAN ID of packets sent from the attacker.

EndTime

Indicates the end time of the attack.

TotalPackets

Indicates the number of packets received from the attacker.

Impact on the System

The CPU is busy processing attack packets. As a result, normal service packets cannot be processed in time or even discarded.

Possible Causes

The rate of packets with the specified interface and VLAN ID sent to the CPU exceeds the alarm threshold specified by the auto-defend threshold command. By default, the alarm threshold is 60 pps.

Procedure

  1. Run the display auto-defend attack-source detail command to check the possible attack source on an interface and check whether the interface is normal according to the packet increase rate in entries.
  2. If an attack is initiated by a user and the user is the only one connected to the interface, you can shut down the interface and check whether the interface is normal.
  3. If the interface is connected to multiple users and some users initiate attacks, you can configure attack source tracing and set the action taken on attack packets to deny, or configure a traffic policy to discard attack packets.
  4. If only entries exist on the interface or entries cannot be determined, collect device configurations, alarms, and logs, and then contact technical support personnel.
  5. End.

Related Information

None