Using clear-flow to log when there is malicious traffic to a destination server coming into the switch

Objective
  • If unwanted traffic to a particular server (connected to an EXOS switch) arrives at random times, we need a mechanism to identify the port on which that traffic enters the EXOS switch.
  • This article uses an ACL with CLEAR-Flow to log a message naming the incoming port whenever traffic to that destination exceeds an alarming rate.
Environment
  • EXOS all
  • Summit and Blackdiamond series
Procedure
Step 1: Create the ACL policy file as below.
Policy to be used (POLICY-NAME: test1_clearflow):

entry traffic_in {
    if match all {
        protocol tcp;
        destination-address 198.51.100.1/32;
    }
    then {
        count traffic_in;
        meter test;
    }
}
entry log_notify {
    if match all {
        # true when more than 2000 packets per second for this destination enter the switch ports
        delta traffic_in > 2000;
        period 1;
    }
    then {
        syslog traffic_to_5_exceeded_the_rate_in_port$port info;
    }
}
Refer to the link below for additional help in creating a policy file and applying the ACL.
How to create and apply an ACL in EXOS

Step 2: Apply the policy file on all the ports of the switch and enable clear-flow.
configure access-list test1_clearflow ports <port-list> ingress
enable clear-flow
Once applied, whenever the rate to this destination exceeds 2000 packets per second on any port, a log message like the one below is generated:
X670V-48x.19 # sh log
10/30/2015 22:05:35.28 <Info:ACL.CLEARFlow.Info> traffic_to_5_exceeded_the_rate_in_port3
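The log message above is only useful if someone reads it, so the next step in practice is to pull the port out of the `show log` output and see which ports keep tripping the rule. The Python below is an added example written for this article, not Extreme's code or part of the policy: it parses lines in the `<date> <time> <Severity:Component> <message>` layout shown above, keeps only the CLEAR-Flow messages, extracts the `$port` value the policy appends to the message, and counts events per port. The log lines are a constructed sample (the real switch output in the article is one line; the extra lines, including a stacked `1:12` port and one unrelated VLAN message, are made up to exercise the filter), and the function names are ours.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of "show log" output, modelled on the message format the
# policy above produces: port 3 fires twice, stacked port 1:12 once, plus one
# unrelated log line that the CLEAR-Flow filter must ignore.
SAMPLE_LOG = """\
10/30/2015 22:05:35.28 <Info:ACL.CLEARFlow.Info> traffic_to_5_exceeded_the_rate_in_port3
10/30/2015 22:05:36.30 <Info:ACL.CLEARFlow.Info> traffic_to_5_exceeded_the_rate_in_port3
10/30/2015 22:06:01.02 <Info:ACL.CLEARFlow.Info> traffic_to_5_exceeded_the_rate_in_port1:12
10/30/2015 22:06:05.11 <Info:vlan.msgs.portLinkStateUp> Port 7 link UP at speed 1 Gbps and full-duplex
"""

# "<date> <time> <Severity:Component.Subcomponent.Condition> <message>"
LOG_LINE = re.compile(r"^(\S+ \S+) <(\w+):([\w.]+)> (.*)$")
# The policy substitutes $port at the end of the message; on a stack the port
# renders as slot:port, so allow an optional ":<n>" after the number.
PORT_SUFFIX = re.compile(r"port(\d+(?::\d+)?)$")


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split one EXOS log line into timestamp, severity, component and message.
    Returns None for lines that do not match the expected layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, severity, component, message = m.groups()
    return {
        "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
        "severity": severity,
        "component": component,
        "message": message,
    }


def clearflow_port_events(log_text: str) -> List[Dict[str, object]]:
    """Keep only CLEAR-Flow messages and attach the ingress port parsed from
    the '...in_port$port' suffix written by the policy's syslog action."""
    events = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not str(rec["component"]).startswith("ACL.CLEARFlow"):
            continue
        m = PORT_SUFFIX.search(str(rec["message"]))
        if m is None:
            continue
        rec["port"] = m.group(1)
        events.append(rec)
    return events


def events_per_port(log_text: str) -> Dict[str, int]:
    """Count how often each ingress port tripped the rate rule."""
    return dict(Counter(str(e["port"]) for e in clearflow_port_events(log_text)))


def noisy_ports(log_text: str, min_events: int = 2) -> List[str]:
    """Ports that tripped the rule at least min_events times, busiest first."""
    counts = events_per_port(log_text)
    return sorted((p for p, n in counts.items() if n >= min_events),
                  key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    for port, n in events_per_port(SAMPLE_LOG).items():
        print(f"port {port}: rate exceeded {n} time(s)")
    print("ports to investigate:", noisy_ports(SAMPLE_LOG))
```

Feed it the output of `show log` saved to a file (or collected by a syslog server) and `noisy_ports` gives the short list of ingress ports worth looking at first; the `ACL.CLEARFlow` component prefix is the filter, so messages from other EXOS subsystems never reach the port counter.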

TCP SYN Flood CLEAR-Flow rule example:

entry tcpSynFloodacl {
    if {
        protocol TCP;
        tcp-flags SYN;
    }
    then {
        count tcpsyncounter;
    }
}
# TCP SYN Flood CLEAR-Flow rules.
entry tcpSynFloodflowMAX {
    if {
        delta tcpsyncounter > 100000;
        period 2;
        hysteresis 99000;
    }
    then {
        syslog "TCP SYN FLOOD traffic exceeded Maximum Threshold, clearFlow rule $ruleName, applying rate limit for $policyName on VLAN $vlanName" WARN;
        qosprofile tcpSynFloodacl QP3;
    }
    else {
        syslog "TCP SYN FLOOD traffic dropped below Maximum Threshold, clearFlow rule $ruleName, removing rate limit for $policyName on VLAN $vlanName" WARN;
        qosprofile tcpSynFloodacl QP1;
    }
}
entry tcpSynFloodflowMin {
    if {
        delta tcpsyncounter > 1000;
        period 2;
        hysteresis 900;
    }
    then {
        syslog "TCP SYN FLOOD traffic exceeded Minimum Threshold, clearFlow rule $ruleName, mirroring traffic for $policyName on VLAN $vlanName" WARN;
        mirror add tcpSynFloodacl;
    }
    else {
        syslog "TCP SYN FLOOD traffic dropped below Minimum Threshold, clearFlow rule $ruleName, removing mirror from $policyName on VLAN $vlanName" WARN;
        mirror delete tcpSynFloodacl;
    }
}
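The `hysteresis` values in the two rules above are what stop the mirror and QoS actions from toggling on every 2-second period once a flood tapers off. The Python below is an added illustration written for this article, not Extreme's code and not a policy file: it models a `delta <counter> > <threshold>` rule with `period` and `hysteresis` under our reading of the EXOS CLEAR-Flow documentation, which is that the rule becomes true when the per-period delta exceeds the threshold, stays true until the delta falls below threshold minus hysteresis, and runs its `then` or `else` actions only on that state change. The cumulative `tcpsyncounter` readings, the `ClearFlowRule` and `simulate` names, and the comparison run with hysteresis set to zero are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Tuple

Event = Tuple[int, str, str, int]  # (time_s, rule name, branch taken, delta)


@dataclass
class ClearFlowRule:
    """One rule of the form
       if { delta <counter> > <threshold>; period <p>; hysteresis <h>; }
    Assumed semantics (our reading of the EXOS CLEAR-Flow documentation): the
    rule becomes true when the per-period delta exceeds `threshold`, and once
    true it stays true until the delta falls below (threshold - hysteresis).
    The then/else actions are assumed to run only on a state change."""
    name: str
    threshold: int
    hysteresis: int = 0
    triggered: bool = False

    @property
    def release_level(self) -> int:
        return self.threshold - self.hysteresis

    def evaluate(self, delta: int) -> str:
        """Feed one period's delta; return 'then' or 'else' on a transition,
        or '' when the rule state is unchanged."""
        if not self.triggered and delta > self.threshold:
            self.triggered = True
            return "then"
        if self.triggered and delta < self.release_level:
            self.triggered = False
            return "else"
        return ""


def syn_flood_rules(with_hysteresis: bool = True) -> List[ClearFlowRule]:
    """The two rules from the SYN flood policy above; hysteresis can be
    switched off so its effect on flapping can be compared."""
    h_max, h_min = (99000, 900) if with_hysteresis else (0, 0)
    return [
        ClearFlowRule("tcpSynFloodflowMAX", threshold=100000, hysteresis=h_max),
        ClearFlowRule("tcpSynFloodflowMin", threshold=1000, hysteresis=h_min),
    ]


# Constructed cumulative readings of tcpsyncounter, one per 2-second period:
# a SYN burst that ramps up, peaks, then tails off unevenly (deltas of
# 500, 1000, 2500, 146000, 150000, 5000, 500, 5000, 500, 50).
SYN_COUNTER_SAMPLES = [0, 500, 1500, 4000, 150000, 300000,
                       305000, 305500, 310500, 311000, 311050]
PERIOD = 2


def simulate(samples: List[int], rules: List[ClearFlowRule],
             period: int = PERIOD) -> List[Event]:
    """Replay cumulative counter readings through the rules and collect every
    then/else transition as (time, rule name, branch, delta)."""
    events: List[Event] = []
    for i in range(1, len(samples)):
        delta = samples[i] - samples[i - 1]   # what 'delta' sees this period
        t = i * period
        for rule in rules:
            branch = rule.evaluate(delta)
            if branch:
                events.append((t, rule.name, branch, delta))
    return events


if __name__ == "__main__":
    for label, flag in (("with hysteresis", True), ("without hysteresis", False)):
        print(label)
        for t, name, branch, delta in simulate(SYN_COUNTER_SAMPLES, syn_flood_rules(flag)):
            print(f"  t={t:>2}s delta={delta:>6}  {name} -> {branch}")
```

Run it and compare the two traces: with the article's hysteresis values the Min rule mirrors traffic once at t=6 s and stops once at t=20 s, whereas with hysteresis removed the uneven tail (5000, 500, 5000, 500) adds and deletes the mirror twice more, which is exactly the churn the keyword exists to prevent. Note also that the comparison is strict, so a delta of exactly 1000 at t=4 s does not trigger `delta tcpsyncounter > 1000`.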
Additional notes
Clear-flow is available only on BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules, E4G-200 and E4G-400 switches, and Summit X440, X460, X480, X670, and X770 series switches.
