DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12.3.6 Host-based rate-limit and attack detection
Host-based attack detection is classified into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each type, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, a warning message is logged and a TRAP message is sent.
ARP-guard also detects ARP scans; by default the detection window is 10 s and the threshold is 15 packets. If 15 or more ARP packets are received within 10 s and either the link-layer source MAC address is fixed while the source IP address keeps changing, or the source MAC address and source IP address are fixed while the destination IP address keeps changing, an ARP scan is detected, recorded in the syslog, and TRAP messages are sent.
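The scan heuristic just described can be modelled directly, which is useful for checking what a given traffic pattern would trigger before it reaches the switch. The Python below is an added illustration, not part of the vendor's guide or firmware. It applies the stated defaults (15 packets within 10 s) to a constructed set of ARP records; the `ArpPacket` record type, the sliding-window bookkeeping, and the reading of "changing" as "every packet in the window carries a different address" are assumptions of this example, not details the guide states.

```python
"""Model of the ARP-scan heuristic described in the guide.

Added example, not vendor code.  The 10 s window and the 15-packet threshold
come from the guide; the packet record type, the sliding-window logic and the
sample traffic are constructed here.
"""
from collections import deque
from dataclasses import dataclass

SCAN_WINDOW_S = 10      # detection window, default from the guide
SCAN_THRESHOLD = 15     # packets within the window, default from the guide


@dataclass(frozen=True)
class ArpPacket:
    ts: float           # seconds since capture start (constructed field)
    src_mac: str        # link-layer sender address
    src_ip: str
    dst_ip: str


def detect_arp_scan(packets, window=SCAN_WINDOW_S, threshold=SCAN_THRESHOLD):
    """Return a list of (src_mac, pattern, ts) scan detections.

    pattern is "src-ip-sweep" when the source MAC is fixed and the source IP
    changes with every packet, or "dst-ip-sweep" when source MAC and source IP
    are fixed while the destination IP changes with every packet.  Packets are
    grouped per source MAC and examined over a sliding window of `window`
    seconds; a detection fires once the window holds `threshold` packets that
    fit one of the two patterns.  A burst of identical requests (same source,
    same target) never matches: that case is the job of the rate-limit and
    warning thresholds, not of scan detection.
    """
    per_mac = {}
    detections = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        q = per_mac.setdefault(pkt.src_mac, deque())
        q.append(pkt)
        # Drop packets that have fallen out of the window.
        while q and pkt.ts - q[0].ts > window:
            q.popleft()
        if len(q) < threshold:
            continue
        src_ips = {p.src_ip for p in q}
        dst_ips = {p.dst_ip for p in q}
        if len(src_ips) == len(q):
            detections.append((pkt.src_mac, "src-ip-sweep", pkt.ts))
            q.clear()   # report once, then start a fresh window
        elif len(src_ips) == 1 and len(dst_ips) == len(q):
            detections.append((pkt.src_mac, "dst-ip-sweep", pkt.ts))
            q.clear()
    return detections


def sample_traffic():
    """Constructed sample: one host probing 20 destination IPs in 5 s, one host
    claiming 16 different source IPs in 8 s, and one benign host asking for the
    same gateway every 2 s.  Addresses are made up."""
    dst_sweep = [ArpPacket(i / 4, "0000.0000.0004", "10.0.0.4", f"10.0.0.{100 + i}")
                 for i in range(20)]
    src_sweep = [ArpPacket(i / 2, "0000.0000.0006", f"10.0.0.{50 + i}", "10.0.0.1")
                 for i in range(16)]
    benign = [ArpPacket(2.0 * i, "0000.0000.0005", "10.0.0.5", "10.0.0.1")
              for i in range(20)]
    return dst_sweep + src_sweep + benign


if __name__ == "__main__":
    for mac, pattern, ts in detect_arp_scan(sample_traffic()):
        print(f"ARP scan ({pattern}) from MAC {mac} at t={ts:.1f}s")
```

The benign host never fires because at most six of its requests fall inside any 10 s window; the two probing hosts fire exactly once each, on their 15th packet, after which the window restarts.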
The following message is logged when an ARP DoS attack is detected:
%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)
The time in parentheses is the attack detection time.
The TRAP message carries the following description:
ARP DoS attack from host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.
If the administrator has not set the isolation time to 0, the following message is logged when hardware isolation succeeds:
%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)
The TRAP message carries the following description:
Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated.
When hardware isolation fails because of insufficient memory or hardware resources, the following message is logged:
%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)
The TRAP message carries the following description:
Failed to isolate host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>.
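A syslog collector has to turn these three messages into structured events, and an ISOLATE_FAILED event deserves more attention than the others because the offending host keeps sending after detection. The parser below is an added example, not the vendor's code; the field layout follows the three message formats quoted above, and the sample lines are constructed from them (the second host, its port and the later timestamps are made up for the sample).

```python
"""Parser for the NFPP ARP-guard syslog messages quoted in this section.

Added example, not vendor code.  The regular expression follows the three
message formats shown in the guide; SAMPLE_LOG is constructed from them.
"""
import re
from collections import Counter
from datetime import datetime

# "%NFPP_ARP_GUARD-<sev>-<MNEMONIC>: ... <IP=..,MAC=..,port=..,VLAN=..> ... (YYYY-MM-DD HH:MM:SS)"
# The guide shows "Host<", "Host <" and "host <" variants, so the text before
# the angle bracket is matched loosely.
ARP_GUARD_RE = re.compile(
    r"%NFPP_ARP_GUARD-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<lead>.*?)<IP=(?P<ip>[^,>]+),MAC=(?P<mac>[^,>]+),"
    r"port=(?P<port>[^,>]+),VLAN=(?P<vlan>\d+)>"
    r".*?\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)\s*$"
)

# Constructed sample log built from the quoted message formats; the host
# 0000.0000.0007 on Gi4/2 and the 13:00:05 timestamps are invented.
SAMPLE_LOG = [
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)",
    "%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)",
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0007,port=Gi4/2,VLAN=1> was detected.(2009-07-01 13:00:05)",
    "%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0007,port=Gi4/2,VLAN=1>. (2009-07-01 13:00:05)",
    "%SYS-5-CONFIG_I: Configured from console",   # unrelated line, must be ignored
]


def parse_arp_guard(line):
    """Return a structured event dict for an NFPP ARP-guard line, or None."""
    m = ARP_GUARD_RE.search(line)
    if not m:
        return None
    return {
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        # The guide prints IP=N/A when the detection is MAC-based.
        "ip": None if m["ip"] == "N/A" else m["ip"],
        "mac": m["mac"],
        "port": m["port"],
        "vlan": int(m["vlan"]),
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
    }


def summarize(lines):
    """Count events per mnemonic and list hosts whose hardware isolation
    failed.  Those hosts were detected but not blocked, so they need
    administrator follow-up (the guide attributes the failure to a lack of
    memory or hardware resources)."""
    counts = Counter()
    unisolated = []
    for line in lines:
        ev = parse_arp_guard(line)
        if ev is None:
            continue
        counts[ev["mnemonic"]] += 1
        if ev["mnemonic"] == "ISOLATE_FAILED":
            unisolated.append((ev["mac"], ev["port"], ev["vlan"]))
    return counts, unisolated


if __name__ == "__main__":
    counts, unisolated = summarize(SAMPLE_LOG)
    print(dict(counts))
    for mac, port, vlan in unisolated:
        print(f"follow-up needed: {mac} on {port} VLAN {vlan} was detected but not isolated")
```

Pairing DOS_DETECTED with a later ISOLATED or ISOLATE_FAILED for the same MAC, port and VLAN is what distinguishes an attack the switch has already contained from one that still needs a human.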