
Question about Cisco SCE 2000. Disabling filters.

I need to disable packet filtering when attacks are detected.

UPD: Solved. The filters are disabled via sanity-checks.

Software version 3.6.0.

"Anomaly detection" and "Spam zombies" are disabled in the SCA BB Console settings.

 

#> show interface linecard 0 attack-detector all
Default detector:                                                      

Protocol|Side|Direction  ||Action|     Thresholds                |Sub- |Alarm
       |    |           ||      |Open flows|Ddos-Suspected flows|notif|     
       |    |           ||      |rate      |rate        |ratio  |     |     
--------|----|-----------||------|----------|------------|-------|-----|-----
TCP     |net.|source-only||Report|      1000|         250|50     |No   |No   
TCP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP     |sub.|source-only||Report|      1000|         250|50     |No   |No   
TCP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP     |net.|source+dest||Report|       100|          50|50     |No   |No   
TCP     |sub.|source+dest||Report|       100|          50|50     |No   |No   
TCP+port|net.|source-only||Report|      1000|         250|50     |No   |No   
TCP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP+port|sub.|source-only||Report|      1000|         250|50     |No   |No   
TCP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP+port|net.|source+dest||Report|       100|          50|50     |No   |No   
TCP+port|sub.|source+dest||Report|       100|          50|50     |No   |No   
UDP     |net.|source-only||Report|      1000|         250|50     |No   |No   
UDP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP     |sub.|source-only||Report|      1000|         250|50     |No   |No   
UDP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP     |net.|source+dest||Report|       100|          50|50     |No   |No   
UDP     |sub.|source+dest||Report|       100|          50|50     |No   |No   
UDP+port|net.|source-only||Report|      1000|         250|50     |No   |No   
UDP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP+port|sub.|source-only||Report|      1000|         250|50     |No   |No   
UDP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP+port|net.|source+dest||Report|       100|          50|50     |No   |No   
UDP+port|sub.|source+dest||Report|       100|          50|50     |No   |No   
ICMP    |net.|source-only||Report|       500|         125|50     |No   |No   
ICMP    |net.|dest-only  ||Report|       500|         125|50     |No   |No   
ICMP    |sub.|source-only||Report|       500|         125|50     |No   |No   
ICMP    |sub.|dest-only  ||Report|       500|         125|50     |No   |No   
other   |net.|source-only||Report|       500|         125|50     |No   |No   
other   |net.|dest-only  ||Report|       500|         125|50     |No   |No   
other   |sub.|source-only||Report|       500|         125|50     |No   |No   
other   |sub.|dest-only  ||Report|       500|         125|50     |No   |No   

Detector #1 is disabled.
Detector #2 is disabled.
Detector #3 is disabled.
Detector #4 is disabled.
Detector #5 is disabled.
Detector #6 is disabled.
Detector #7 is disabled.
Detector #8 is disabled.
Detector #9 is disabled.
Detector #10 is disabled.
Detector #11 is disabled.
Detector #12 is disabled.
Detector #13 is disabled.
Detector #14 is disabled.
Detector #15 is disabled.
Detector #16 is disabled.
Detector #17 is disabled.
Detector #18 is disabled.
Detector #19 is disabled.
Detector #20 is disabled.
Detector #21 is disabled.
Detector #22 is disabled.
Detector #23 is disabled.
Detector #24 is disabled.
Detector #25 is disabled.
Detector #26 is disabled.
Detector #27 is disabled.
Detector #28 is disabled.
Detector #29 is disabled.
Detector #30 is disabled.
Detector #31 is disabled.
Detector #32 is disabled.
Detector #33 is disabled.
Detector #34 is disabled.
Detector #35 is disabled.
Detector #36 is disabled.
Detector #37 is disabled.
Detector #38 is disabled.
Detector #39 is disabled.
Detector #40 is disabled.
Detector #41 is disabled.
Detector #42 is disabled.
Detector #43 is disabled.
Detector #44 is disabled.
Detector #45 is disabled.
Detector #46 is disabled.
Detector #47 is disabled.
Detector #48 is disabled.
Detector #49 is disabled.
Detector #50 is disabled.
Detector #51 is disabled.
Detector #52 is disabled.
Detector #53 is disabled.
Detector #54 is disabled.
Detector #55 is disabled.
Detector #56 is disabled.
Detector #57 is disabled.
Detector #58 is disabled.
Detector #59 is disabled.
Detector #60 is disabled.
Detector #61 is disabled.
Detector #62 is disabled.
Detector #63 is disabled.
Detector #64 is disabled.
Detector #65 is disabled.
Detector #66 is disabled.
Detector #67 is disabled.
Detector #68 is disabled.
Detector #69 is disabled.
Detector #70 is disabled.
Detector #71 is disabled.
Detector #72 is disabled.
Detector #73 is disabled.
Detector #74 is disabled.
Detector #75 is disabled.
Detector #76 is disabled.
Detector #77 is disabled.
Detector #78 is disabled.
Detector #79 is disabled.
Detector #80 is disabled.
Detector #81 is disabled.
Detector #82 is disabled.
Detector #83 is disabled.
Detector #84 is disabled.
Detector #85 is disabled.
Detector #86 is disabled.
Detector #87 is disabled.
Detector #88 is disabled.
Detector #89 is disabled.
Detector #90 is disabled.
Detector #91 is disabled.
Detector #92 is disabled.
Detector #93 is disabled.
Detector #94 is disabled.
Detector #95 is disabled.
Detector #96 is disabled.
Detector #97 is disabled.
Detector #98 is disabled.
Detector #99 is disabled.
Detector #100 is disabled.

 

#>do show interface linecard 0 attack-filter

Enabled state :                                  
------------------

Protocol  |Direction   |State       
----------|------------|------------
TCP       |source-only |disabled    
TCP       |dest-only   |disabled    
TCP       |dest+source |disabled    
TCP+port  |source-only |disabled    
TCP+port  |dest-only   |disabled    
TCP+port  |dest+source |disabled    
UDP       |source-only |disabled    
UDP       |dest-only   |disabled    
UDP       |dest+source |disabled    
UDP+port  |source-only |disabled    
UDP+port  |dest-only   |disabled    
UDP+port  |dest+source |disabled    
ICMP      |source-only |disabled    
ICMP      |dest-only   |disabled    
other     |source-only |disabled    
other     |dest-only   |disabled 

Nevertheless, the SCE logs report filters being enabled when attacks are detected.

Log:

2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:04:08 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Started filtering due to attack detection
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events

Edited by d3m1gd
