Packet filtering on attack detection needs to be disabled.
UPD: Solved. The filters are disabled via sanity-checks.
Software version 3.6.0.
"Anomaly detection" and "Spam zombies" are disabled in the SCA BB Console settings.
#> show interface linecard 0 attack-detector all
Default detector:
Protocol|Side|Direction ||Action| Thresholds |Sub- |Alarm
| | || |Open flows|Ddos-Suspected flows|notif|
| | || |rate |rate |ratio | |
--------|----|-----------||------|----------|------------|-------|-----|-----
TCP |net.|source-only||Report| 1000| 250|50 |No |No
TCP |net.|dest-only ||Report| 1000| 250|50 |No |No
TCP |sub.|source-only||Report| 1000| 250|50 |No |No
TCP |sub.|dest-only ||Report| 1000| 250|50 |No |No
TCP |net.|source+dest||Report| 100| 50|50 |No |No
TCP |sub.|source+dest||Report| 100| 50|50 |No |No
TCP+port|net.|source-only||Report| 1000| 250|50 |No |No
TCP+port|net.|dest-only ||Report| 1000| 250|50 |No |No
TCP+port|sub.|source-only||Report| 1000| 250|50 |No |No
TCP+port|sub.|dest-only ||Report| 1000| 250|50 |No |No
TCP+port|net.|source+dest||Report| 100| 50|50 |No |No
TCP+port|sub.|source+dest||Report| 100| 50|50 |No |No
UDP |net.|source-only||Report| 1000| 250|50 |No |No
UDP |net.|dest-only ||Report| 1000| 250|50 |No |No
UDP |sub.|source-only||Report| 1000| 250|50 |No |No
UDP |sub.|dest-only ||Report| 1000| 250|50 |No |No
UDP |net.|source+dest||Report| 100| 50|50 |No |No
UDP |sub.|source+dest||Report| 100| 50|50 |No |No
UDP+port|net.|source-only||Report| 1000| 250|50 |No |No
UDP+port|net.|dest-only ||Report| 1000| 250|50 |No |No
UDP+port|sub.|source-only||Report| 1000| 250|50 |No |No
UDP+port|sub.|dest-only ||Report| 1000| 250|50 |No |No
UDP+port|net.|source+dest||Report| 100| 50|50 |No |No
UDP+port|sub.|source+dest||Report| 100| 50|50 |No |No
ICMP |net.|source-only||Report| 500| 125|50 |No |No
ICMP |net.|dest-only ||Report| 500| 125|50 |No |No
ICMP |sub.|source-only||Report| 500| 125|50 |No |No
ICMP |sub.|dest-only ||Report| 500| 125|50 |No |No
other |net.|source-only||Report| 500| 125|50 |No |No
other |net.|dest-only ||Report| 500| 125|50 |No |No
other |sub.|source-only||Report| 500| 125|50 |No |No
other |sub.|dest-only ||Report| 500| 125|50 |No |No
Detector #1 is disabled.
Detector #2 is disabled.
Detector #3 is disabled.
Detector #4 is disabled.
Detector #5 is disabled.
Detector #6 is disabled.
Detector #7 is disabled.
Detector #8 is disabled.
Detector #9 is disabled.
Detector #10 is disabled.
Detector #11 is disabled.
Detector #12 is disabled.
Detector #13 is disabled.
Detector #14 is disabled.
Detector #15 is disabled.
Detector #16 is disabled.
Detector #17 is disabled.
Detector #18 is disabled.
Detector #19 is disabled.
Detector #20 is disabled.
Detector #21 is disabled.
Detector #22 is disabled.
Detector #23 is disabled.
Detector #24 is disabled.
Detector #25 is disabled.
Detector #26 is disabled.
Detector #27 is disabled.
Detector #28 is disabled.
Detector #29 is disabled.
Detector #30 is disabled.
Detector #31 is disabled.
Detector #32 is disabled.
Detector #33 is disabled.
Detector #34 is disabled.
Detector #35 is disabled.
Detector #36 is disabled.
Detector #37 is disabled.
Detector #38 is disabled.
Detector #39 is disabled.
Detector #40 is disabled.
Detector #41 is disabled.
Detector #42 is disabled.
Detector #43 is disabled.
Detector #44 is disabled.
Detector #45 is disabled.
Detector #46 is disabled.
Detector #47 is disabled.
Detector #48 is disabled.
Detector #49 is disabled.
Detector #50 is disabled.
Detector #51 is disabled.
Detector #52 is disabled.
Detector #53 is disabled.
Detector #54 is disabled.
Detector #55 is disabled.
Detector #56 is disabled.
Detector #57 is disabled.
Detector #58 is disabled.
Detector #59 is disabled.
Detector #60 is disabled.
Detector #61 is disabled.
Detector #62 is disabled.
Detector #63 is disabled.
Detector #64 is disabled.
Detector #65 is disabled.
Detector #66 is disabled.
Detector #67 is disabled.
Detector #68 is disabled.
Detector #69 is disabled.
Detector #70 is disabled.
Detector #71 is disabled.
Detector #72 is disabled.
Detector #73 is disabled.
Detector #74 is disabled.
Detector #75 is disabled.
Detector #76 is disabled.
Detector #77 is disabled.
Detector #78 is disabled.
Detector #79 is disabled.
Detector #80 is disabled.
Detector #81 is disabled.
Detector #82 is disabled.
Detector #83 is disabled.
Detector #84 is disabled.
Detector #85 is disabled.
Detector #86 is disabled.
Detector #87 is disabled.
Detector #88 is disabled.
Detector #89 is disabled.
Detector #90 is disabled.
Detector #91 is disabled.
Detector #92 is disabled.
Detector #93 is disabled.
Detector #94 is disabled.
Detector #95 is disabled.
Detector #96 is disabled.
Detector #97 is disabled.
Detector #98 is disabled.
Detector #99 is disabled.
Detector #100 is disabled.
#>do show interface linecard 0 attack-filter
Enabled state :
------------------
Protocol |Direction |State
----------|------------|------------
TCP |source-only |disabled
TCP |dest-only |disabled
TCP |dest+source |disabled
TCP+port |source-only |disabled
TCP+port |dest-only |disabled
TCP+port |dest+source |disabled
UDP |source-only |disabled
UDP |dest-only |disabled
UDP |dest+source |disabled
UDP+port |source-only |disabled
UDP+port |dest-only |disabled
UDP+port |dest+source |disabled
ICMP |source-only |disabled
ICMP |dest-only |disabled
other |source-only |disabled
other |dest-only |disabled
Nevertheless, the SCE logs report filters being enabled when attacks are detected.
Log:
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:04:08 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Started filtering due to attack detection
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
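
Added example, not part of the original post: a small Python parser for log lines in the format quoted above. It groups filter start events by the `Reason:` text the device writes, which separates filtering started by attack detection from filtering started by shortage events. The function names and the category labels are assumptions made for this illustration, and the sample lines are constructed in the same format as the log above.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the SCE log quoted in the post.
_P = ("2011-03-09 {} | INFO | CPU #000 | {} filtering packets of type '{}' "
      "received on interface # {}. module # 1. Reason: {}")
_SHORT = "Resumed filtering following an administrative pause that contained shortage events"
_PAUSE = "Stopped filtering for an administrative pause"
SAMPLE_LOG = "\n".join([
    _P.format("21:25:09", "Started", "UDP", "0 (subscriber)", _SHORT),
    _P.format("21:25:09", "Started", "TCP SYN", "1 (network)", _SHORT),
    _P.format("22:04:08", "Started", "UDP Fragments", "1 (network)",
              "Started filtering due to attack detection"),
    _P.format("22:27:17", "Stopped", "UDP", "0 (subscriber)", _PAUSE),
    _P.format("22:27:17", "Stopped", "TCP SYN", "1 (network)", _PAUSE),
])

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| \w+ \| CPU #\d+ \| (?P<action>Started|Stopped) "
    r"filtering packets of type '(?P<ptype>[^']+)' received on interface "
    r"# (?P<port>\d+) \((?P<side>\w+)\)\. module # \d+\. Reason: (?P<reason>.+)$")

def parse(log_text):
    """Return one dict per filter start/stop line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def trigger(reason):
    """Map the free-text Reason field to a coarse label (labels are assumptions)."""
    r = reason.lower()
    if "attack detection" in r:
        return "attack-detection"
    if "shortage" in r:  # checked before "administrative pause": resume lines name both
        return "shortage"
    if "administrative pause" in r:
        return "admin-pause"
    return "other"

def start_triggers(events):
    """Count what caused each 'Started filtering' event."""
    return Counter(trigger(e["reason"]) for e in events if e["action"] == "Started")

def still_filtering(events):
    """Replay the events; return {(packet type, side): trigger} for filters left on."""
    active = {}
    for e in events:
        key = (e["ptype"], e["side"])
        if e["action"] == "Started":
            active[key] = trigger(e["reason"])
        else:
            active.pop(key, None)  # the log can repeat a stop; ignore duplicates
    return active
```
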