
Question about Cisco SCE 2000. Disabling filters.

I need to disable packet filtering when attacks are detected.

 

UPD: Solved. The filters are disabled via sanity-checks.

 

Software version 3.6.0.

"Anomaly detection" and "Spam zombies" are disabled in the SCA BB Console settings.

 

#> show interface linecard 0 attack-detector all
Default detector:                                                      

Protocol|Side|Direction  ||Action|     Thresholds                |Sub- |Alarm
       |    |           ||      |Open flows|Ddos-Suspected flows|notif|     
       |    |           ||      |rate      |rate        |ratio  |     |     
--------|----|-----------||------|----------|------------|-------|-----|-----
TCP     |net.|source-only||Report|      1000|         250|50     |No   |No   
TCP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP     |sub.|source-only||Report|      1000|         250|50     |No   |No   
TCP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP     |net.|source+dest||Report|       100|          50|50     |No   |No   
TCP     |sub.|source+dest||Report|       100|          50|50     |No   |No   
TCP+port|net.|source-only||Report|      1000|         250|50     |No   |No   
TCP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP+port|sub.|source-only||Report|      1000|         250|50     |No   |No   
TCP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
TCP+port|net.|source+dest||Report|       100|          50|50     |No   |No   
TCP+port|sub.|source+dest||Report|       100|          50|50     |No   |No   
UDP     |net.|source-only||Report|      1000|         250|50     |No   |No   
UDP     |net.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP     |sub.|source-only||Report|      1000|         250|50     |No   |No   
UDP     |sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP     |net.|source+dest||Report|       100|          50|50     |No   |No   
UDP     |sub.|source+dest||Report|       100|          50|50     |No   |No   
UDP+port|net.|source-only||Report|      1000|         250|50     |No   |No   
UDP+port|net.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP+port|sub.|source-only||Report|      1000|         250|50     |No   |No   
UDP+port|sub.|dest-only  ||Report|      1000|         250|50     |No   |No   
UDP+port|net.|source+dest||Report|       100|          50|50     |No   |No   
UDP+port|sub.|source+dest||Report|       100|          50|50     |No   |No   
ICMP    |net.|source-only||Report|       500|         125|50     |No   |No   
ICMP    |net.|dest-only  ||Report|       500|         125|50     |No   |No   
ICMP    |sub.|source-only||Report|       500|         125|50     |No   |No   
ICMP    |sub.|dest-only  ||Report|       500|         125|50     |No   |No   
other   |net.|source-only||Report|       500|         125|50     |No   |No   
other   |net.|dest-only  ||Report|       500|         125|50     |No   |No   
other   |sub.|source-only||Report|       500|         125|50     |No   |No   
other   |sub.|dest-only  ||Report|       500|         125|50     |No   |No   

Detector #1 is disabled.
Detector #2 is disabled.
Detector #3 is disabled.
Detector #4 is disabled.
Detector #5 is disabled.
Detector #6 is disabled.
Detector #7 is disabled.
Detector #8 is disabled.
Detector #9 is disabled.
Detector #10 is disabled.
Detector #11 is disabled.
Detector #12 is disabled.
Detector #13 is disabled.
Detector #14 is disabled.
Detector #15 is disabled.
Detector #16 is disabled.
Detector #17 is disabled.
Detector #18 is disabled.
Detector #19 is disabled.
Detector #20 is disabled.
Detector #21 is disabled.
Detector #22 is disabled.
Detector #23 is disabled.
Detector #24 is disabled.
Detector #25 is disabled.
Detector #26 is disabled.
Detector #27 is disabled.
Detector #28 is disabled.
Detector #29 is disabled.
Detector #30 is disabled.
Detector #31 is disabled.
Detector #32 is disabled.
Detector #33 is disabled.
Detector #34 is disabled.
Detector #35 is disabled.
Detector #36 is disabled.
Detector #37 is disabled.
Detector #38 is disabled.
Detector #39 is disabled.
Detector #40 is disabled.
Detector #41 is disabled.
Detector #42 is disabled.
Detector #43 is disabled.
Detector #44 is disabled.
Detector #45 is disabled.
Detector #46 is disabled.
Detector #47 is disabled.
Detector #48 is disabled.
Detector #49 is disabled.
Detector #50 is disabled.
Detector #51 is disabled.
Detector #52 is disabled.
Detector #53 is disabled.
Detector #54 is disabled.
Detector #55 is disabled.
Detector #56 is disabled.
Detector #57 is disabled.
Detector #58 is disabled.
Detector #59 is disabled.
Detector #60 is disabled.
Detector #61 is disabled.
Detector #62 is disabled.
Detector #63 is disabled.
Detector #64 is disabled.
Detector #65 is disabled.
Detector #66 is disabled.
Detector #67 is disabled.
Detector #68 is disabled.
Detector #69 is disabled.
Detector #70 is disabled.
Detector #71 is disabled.
Detector #72 is disabled.
Detector #73 is disabled.
Detector #74 is disabled.
Detector #75 is disabled.
Detector #76 is disabled.
Detector #77 is disabled.
Detector #78 is disabled.
Detector #79 is disabled.
Detector #80 is disabled.
Detector #81 is disabled.
Detector #82 is disabled.
Detector #83 is disabled.
Detector #84 is disabled.
Detector #85 is disabled.
Detector #86 is disabled.
Detector #87 is disabled.
Detector #88 is disabled.
Detector #89 is disabled.
Detector #90 is disabled.
Detector #91 is disabled.
Detector #92 is disabled.
Detector #93 is disabled.
Detector #94 is disabled.
Detector #95 is disabled.
Detector #96 is disabled.
Detector #97 is disabled.
Detector #98 is disabled.
Detector #99 is disabled.
Detector #100 is disabled.

 

#>do show interface linecard 0 attack-filter

Enabled state :                                  
------------------

Protocol  |Direction   |State       
----------|------------|------------
TCP       |source-only |disabled    
TCP       |dest-only   |disabled    
TCP       |dest+source |disabled    
TCP+port  |source-only |disabled    
TCP+port  |dest-only   |disabled    
TCP+port  |dest+source |disabled    
UDP       |source-only |disabled    
UDP       |dest-only   |disabled    
UDP       |dest+source |disabled    
UDP+port  |source-only |disabled    
UDP+port  |dest-only   |disabled    
UDP+port  |dest+source |disabled    
ICMP      |source-only |disabled    
ICMP      |dest-only   |disabled    
other     |source-only |disabled    
other     |dest-only   |disabled 

Nevertheless, the SCE logs report filters being enabled when attacks are detected.

Log:

2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:04:08 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Started filtering due to attack detection
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:28:19 | INFO  | CPU #000 | Started filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:30:26 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Stopped filtering for an administrative pause
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0 (subscriber). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP SYN' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events
2011-03-09 23:31:03 | INFO  | CPU #000 | Stopped filtering packets of type 'TCP Fragment' received on interface # 1 (network). module # 1. Reason: Back to normal, no shortage events

Edited by d3m1gd
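A way to read a log like the one in the post, as an added example that is not part of the original post: it parses the "Started/Stopped filtering" lines, counts events per stated reason, and tracks which packet types are still being filtered at the end of the log. The function names and the sample lines are constructed for illustration, and the line layout is assumed to match the log quoted above.

```python
import re
from collections import Counter

# Line layout taken from the log quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| \w+\s*\| CPU #\d+ \| "
    r"(?P<action>Started|Stopped) filtering packets of type '(?P<ptype>[^']+)' "
    r"received on interface # (?P<port>\d+) \((?P<side>\w+)\)\. module # \d+\. "
    r"Reason: (?P<reason>.+?)\s*$"
)

def parse(lines):
    """Yield one dict per filtering event; skip lines in any other format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(lines):
    """Return (start/stop counts per reason, filters still active at the end)."""
    reasons = Counter()
    active = {}  # (side, packet type) -> (timestamp, reason) of the last start
    for ev in parse(lines):
        reasons[(ev["action"], ev["reason"])] += 1
        key = (ev["side"], ev["ptype"])
        if ev["action"] == "Started":
            active[key] = (ev["ts"], ev["reason"])
        else:
            active.pop(key, None)  # a stop without a prior start is ignored
    return reasons, active

# Constructed sample in the same format as the log above.
SAMPLE = """\
2011-03-09 21:25:09 | INFO  | CPU #000 | Started filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Resumed filtering following an administrative pause that contained shortage events
2011-03-09 22:04:08 | INFO  | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface # 1 (network). module # 1. Reason: Started filtering due to attack detection
2011-03-09 22:27:17 | INFO  | CPU #000 | Stopped filtering packets of type 'UDP' received on interface # 0 (subscriber). module # 1. Reason: Stopped filtering for an administrative pause
""".splitlines()

if __name__ == "__main__":
    reasons, active = summarize(SAMPLE)
    for (action, reason), n in sorted(reasons.items()):
        print(f"{n:3d}  {action:7s}  {reason}")
    for (side, ptype), (ts, reason) in active.items():
        print(f"still filtering {ptype!r} on {side} since {ts}: {reason}")
```

Grouping by the "Reason:" field separates filter starts attributed to attack detection from those attributed to shortage events and administrative pauses.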
