d3m1gd Posted March 10, 2011 (edited)

I need to disable packet filtering on attack detection.

UPD: Solved. The filters are disabled via sanity-checks.

Software version 3.6.0. "Anomaly detection" and "Spam zombies" are disabled in the SCA BB Console settings.

#> show interface linecard 0 attack-detector all
Default detector:
Protocol|Side|Direction  ||Action|      Thresholds               |Sub- |Alarm
        |    |           ||      |Open flows|Ddos-Suspected flows|notif|
        |    |           ||      |rate      |rate        |ratio  |     |
--------|----|-----------||------|----------|------------|-------|-----|-----
TCP     |net.|source-only||Report|      1000|         250|50     |No   |No
TCP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No
TCP     |sub.|source-only||Report|      1000|         250|50     |No   |No
TCP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No
TCP     |net.|source+dest||Report|       100|          50|50     |No   |No
TCP     |sub.|source+dest||Report|       100|          50|50     |No   |No
TCP+port|net.|source-only||Report|      1000|         250|50     |No   |No
TCP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No
TCP+port|sub.|source-only||Report|      1000|         250|50     |No   |No
TCP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No
TCP+port|net.|source+dest||Report|       100|          50|50     |No   |No
TCP+port|sub.|source+dest||Report|       100|          50|50     |No   |No
UDP     |net.|source-only||Report|      1000|         250|50     |No   |No
UDP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No
UDP     |sub.|source-only||Report|      1000|         250|50     |No   |No
UDP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No
UDP     |net.|source+dest||Report|       100|          50|50     |No   |No
UDP     |sub.|source+dest||Report|       100|          50|50     |No   |No
UDP+port|net.|source-only||Report|      1000|         250|50     |No   |No
UDP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No
UDP+port|sub.|source-only||Report|      1000|         250|50     |No   |No
UDP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No
UDP+port|net.|source+dest||Report|       100|          50|50     |No   |No
UDP+port|sub.|source+dest||Report|       100|          50|50     |No   |No
ICMP    |net.|source-only||Report|       500|         125|50     |No   |No
ICMP    |net.|dest-only  ||Report|       500|         125|50     |No   |No
ICMP    |sub.|source-only||Report|       500|         125|50     |No   |No
ICMP    |sub.|dest-only  ||Report|       500|         125|50     |No   |No
other   |net.|source-only||Report|       500|         125|50     |No   |No
other   |net.|dest-only  ||Report|       500|         125|50     |No   |No
other   |sub.|source-only||Report|       500|         125|50     |No   |No
other   |sub.|dest-only  ||Report|       500|         125|50     |No   |No
Detector #1 is disabled.
Detector #2 is disabled.
Detector #3 is disabled.
Detector #4 is disabled.
Detector #5 is disabled.
Detector #6 is disabled.
Detector #7 is disabled.
Detector #8 is disabled.
Detector #9 is disabled.
Detector #10 is disabled.
Detector #11 is disabled.
Detector #12 is disabled.
Detector #13 is disabled.
Detector #14 is disabled.
Detector #15 is disabled.
Detector #16 is disabled.
Detector #17 is disabled.
Detector #18 is disabled.
Detector #19 is disabled.
Detector #20 is disabled.
Detector #21 is disabled.
Detector #22 is disabled.
Detector #23 is disabled.
Detector #24 is disabled.
Detector #25 is disabled.
Detector #26 is disabled.
Detector #27 is disabled.
Detector #28 is disabled.
Detector #29 is disabled.
Detector #30 is disabled.
Detector #31 is disabled.
Detector #32 is disabled.
Detector #33 is disabled.
Detector #34 is disabled.
Detector #35 is disabled.
Detector #36 is disabled.
Detector #37 is disabled.
Detector #38 is disabled.
Detector #39 is disabled.
Detector #40 is disabled.
Detector #41 is disabled.
Detector #42 is disabled.
Detector #43 is disabled.
Detector #44 is disabled.
Detector #45 is disabled.
Detector #46 is disabled.
Detector #47 is disabled.
Detector #48 is disabled.
Detector #49 is disabled.
Detector #50 is disabled.
Detector #51 is disabled.
Detector #52 is disabled.
Detector #53 is disabled.
Detector #54 is disabled.
Detector #55 is disabled.
Detector #56 is disabled.
Detector #57 is disabled.
Detector #58 is disabled.
Detector #59 is disabled.
Detector #60 is disabled.
Detector #61 is disabled.
Detector #62 is disabled.
Detector #63 is disabled.
Detector #64 is disabled.
Detector #65 is disabled.
Detector #66 is disabled.
Detector #67 is disabled.
Detector #68 is disabled.
Detector #69 is disabled.
Detector #70 is disabled.
Detector #71 is disabled.
Detector #72 is disabled.
Detector #73 is disabled.
Detector #74 is disabled.
Detector #75 is disabled.
Detector #76 is disabled.
Detector #77 is disabled.
Detector #78 is disabled.
Detector #79 is disabled.
Detector #80 is disabled.
Detector #81 is disabled.
Detector #82 is disabled.
Detector #83 is disabled.
Detector #84 is disabled.
Detector #85 is disabled.
Detector #86 is disabled.
Detector #87 is disabled.
Detector #88 is disabled.
Detector #89 is disabled.
Detector #90 is disabled.
Detector #91 is disabled.
Detector #92 is disabled.
Detector #93 is disabled.
Detector #94 is disabled.
Detector #95 is disabled.
Detector #96 is disabled.
Detector #97 is disabled.
Detector #98 is disabled.
Detector #99 is disabled.
Detector #100 is disabled.

#>do show interface linecard 0 attack-filter
Enabled state :
------------------
Protocol  |Direction   |State
----------|------------|------------
TCP       |source-only |disabled
TCP       |dest-only   |disabled
TCP       |dest+source |disabled
TCP+port  |source-only |disabled
TCP+port  |dest-only   |disabled
TCP+port  |dest+source |disabled
UDP       |source-only |disabled
UDP       |dest-only   |disabled
UDP       |dest+source |disabled
UDP+port  |source-only |disabled
UDP+port  |dest-only   |disabled
UDP+port  |dest+source |disabled
ICMP      |source-only |disabled
ICMP      |dest-only   |disabled
other     |source-only |disabled
other     |dest-only   |disabled

Nevertheless, the SCE logs report filters being enabled when attacks are detected.

Log:
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:04:08 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Started filtering due to attack detection
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events

Edited March 11, 2011 by d3m1gd