DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12.9.1.7 Host-based rate-limit and attack detection
The host detection method is determined by the guard policy: host detection based on source IP/VID/Port (per-src-ip) and host detection based on source MAC/VID/Port (per-src-mac). The two methods can be enabled together or independently. To enable host detection, the user must configure the rate-limiting threshold and the attack threshold for the chosen method. Each host has a rate-limiting threshold and an attack threshold (also called the alert threshold), and the rate-limiting threshold must be lower than the attack threshold. When the data rate of the defined type of packets from a single host exceeds the rate-limiting threshold, the excess packets are discarded. If the data rate of the defined type of packets from a single host exceeds the attack threshold, the host is isolated and logged, and a Trap is sent as well.
When an attack is detected, the following log information is displayed:
%NFPP_DEFINE_GUARD-4-DOS_DETECTED: Host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> was detected by name (name of defined guard). (2009-07-01 13:00:00)
The Traps sent will include the following descriptive information:
Name (guard name) DoS attack from host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> was detected.
If the administrator sets the isolation period to a non-zero value, the following log information is displayed when hardware isolation succeeds:
%NFPP_DEFINE_GUARD-4-ISOLATED: Host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> was isolated by name (name of defined guard). (2009-07-01 13:00:00)
The Traps sent will include the following descriptive information:
Host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> was isolated by name (name of defined guard).
If hardware isolation fails (generally due to insufficient memory or insufficient hardware resources), the following log information is displayed:
%NFPP_DEFINE_GUARD-4-ISOLATE_FAILED: Failed to isolate host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> by name (name of defined guard). (2009-07-01 13:00:00)
The Traps sent will include the following descriptive information:
Failed to isolate host<IP=1.1.1.1,MAC=N/A,port=Gi4/1,VLAN=1> by name (name of defined guard).
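The following is an added Python model of the per-host rate-limit and attack-threshold behaviour described above, emitting messages in the log format shown; it is example code, not DES-7200 firmware or CLI, and the guard name, thresholds, packet records and the per-second counting window are constructed assumptions.

```python
from collections import defaultdict

class DefinedGuard:
    def __init__(self, name, method, rate_limit, attack_threshold, isolate_period=0):
        # The guide requires the rate-limiting threshold to be below the attack threshold
        if rate_limit >= attack_threshold:
            raise ValueError("rate-limit threshold must be lower than attack threshold")
        if method not in ("per-src-ip", "per-src-mac"):
            raise ValueError("method must be per-src-ip or per-src-mac")
        self.name, self.method = name, method
        self.rate_limit, self.attack_threshold = rate_limit, attack_threshold
        self.isolate_period = isolate_period  # 0 means log and trap only, no isolation
        self.isolated = set()  # host keys currently isolated in this model
        self.logs = []         # messages in the guide's log format (timestamp omitted)

    def _key(self, pkt):
        # Host identity is IP/VID/Port (per-src-ip) or MAC/VID/Port (per-src-mac)
        ident = pkt["ip"] if self.method == "per-src-ip" else pkt["mac"]
        return (ident, pkt["vlan"], pkt["port"])

    def _host(self, key):
        ident, vlan, port = key
        ip, mac = (ident, "N/A") if self.method == "per-src-ip" else ("N/A", ident)
        return f"Host<IP={ip},MAC={mac},port={port},VLAN={vlan}>"

    def process_second(self, packets):
        """Apply one second of traffic; return {host_key: (forwarded, dropped)}."""
        seen = defaultdict(int)
        result = defaultdict(lambda: [0, 0])
        for pkt in packets:
            k = self._key(pkt)
            seen[k] += 1
            # Isolated hosts and packets beyond the rate limit are discarded
            if k in self.isolated or seen[k] > self.rate_limit:
                result[k][1] += 1
            else:
                result[k][0] += 1
        for k, n in seen.items():
            if n > self.attack_threshold and k not in self.isolated:
                self.logs.append(f"%NFPP_DEFINE_GUARD-4-DOS_DETECTED: {self._host(k)} "
                                 f"was detected by {self.name}.")
                if self.isolate_period > 0:
                    self.isolated.add(k)
                    self.logs.append(f"%NFPP_DEFINE_GUARD-4-ISOLATED: {self._host(k)} "
                                     f"was isolated by {self.name}.")
        return {k: tuple(v) for k, v in result.items()}

def sample_traffic(count, ip, mac, port="Gi4/1", vlan=1):
    """Constructed packets from one host (not captured device data)."""
    return [{"ip": ip, "mac": mac, "port": port, "vlan": vlan} for _ in range(count)]
```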
The administrator can configure in NFPP defined guard configuration mode and interface