12-06-2010 01:16 AM - edited 03-01-2019 02:22 PM
Hi All
I went through the support files and found log messages like the ones below during peak hours:
2010-07-11 11:55:47 | INFO | CPU #000 | Started filtering packets of type 'TCP Non-SYN' received on interface # 0. Reason: Started filtering due to attack detection
2010-07-11 12:00:35 | INFO | CPU #000 | Started filtering packets of type 'TCP No-SYN + RST' received on interface # 0. Reason: Started filtering due to attack detection
2010-07-11 13:07:25 | INFO | CPU #000 | Stopped filtering packets of type 'TCP No-SYN + RST' received on interface # 0. Reason: Stopped filtering for an administrative pause
Basically, those logs mean that the SCE detects attacks and then, in order to protect itself, puts the attack traffic in a filter. One hour later, the SCE removes the flows from the filter and checks again; if the attack persists, the SCE puts the attack traffic in the filter again.
Could we decrease the time for filtering traffic? Like 10 minutes?
12-06-2010 06:20 AM
configure
interface LineCard 0
sanity-checks attack-filter times filtering-cycle <seconds> max-attack-time <seconds>
To verify:
sh interface LineCard 0 attack-filter current-attacks
Regards
Shelley.
12-06-2010 07:28 PM
Thanks a lot!
Could you explain what max-attack-time is?
12-08-2010 02:09 PM
Example
SCE#>show interface LineCard 0 sanity-checks attack-filter times
Filtering cycle: 3600 seconds.
Max attack time: 86400 seconds.
When such an attack is detected and the system is in some kind of shortage, it will start filtering that specific type for "Filtering cycle" seconds. After this time it will stop for a certain amount of time in order to test whether the attack is still on and whether we are still in shortage. If both conditions still stand, it will start filtering again for another "Filtering cycle" seconds.
Assuming the attack and the shortage condition still stand cycle after cycle after cycle, we will stop filtering upon "Max Attack Time" seconds even if the attack and the shortage are still there.
Regards
Shelley
Please mark complete and rate if question has been answered.
12-08-2010 05:56 PM
Thanks!
Will the system start filtering all traffic, or only traffic on a specific CPU, when only one CPU is in shortage?
What will it do if the system is in some kind of shortage and no attack is detected?
Does the shortage include CPU, memory and the others? Is the threshold 80%, 90% or something else?
Regards
Jack
12-08-2010 06:13 PM
The SCE will monitor all resources, memory or CPU, and any resource when taxed will trigger the sanity-check attack filter.
Shelley.