Article

DOS-PROTECT dynamic ACL is not cleared after a DOS attack

Symptoms
TCP/UDP traffic to a specific destination is blocked by the switch after a DoS attack.

The log contains messages of this kind:
01/21/2015 09:20:25.93 <Warn:ACL.Policy.IntAppConfFail> MSM-A: Failed to install dynmic acl DOSrule1 for internal applicaton Dos on vlan * port 7:1 .Error: Rule rule has already been applied to inst.


The following dynamic rule is seen on the switch (the destination address and protocol number are placeholders):
sh access-list dynamic rule "DOSrule1"

entry DOSrule1 {
if match all {
    destination-address xx.xx.xx.xx/xxx.xxx.xxx.xxx ;
    protocol <Protocol No> ;
} then {
    deny ;
} }
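As an added example that is not part of this article or the vendor's software, a small Python check that parses the IntAppConfFail messages shown above and flags a dynamic DoS ACL that keeps failing to re-install on the same port, which is the stuck-rule condition this article describes. The log text inside it is constructed after the messages above, not captured from a real switch.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the messages in this article
# (not a capture from a real switch). The third line is a different
# ACL/port that fails only once, the fourth is unrelated noise.
SAMPLE_LOG = """\
01/21/2015 09:20:25.93 <Warn:ACL.Policy.IntAppConfFail> MSM-A: Failed to install dynmic acl DOSrule1 for internal applicaton Dos on vlan * port 7:1 .Error: Rule rule has already been applied to inst.
01/21/2015 09:21:25.93 <Warn:ACL.Policy.IntAppConfFail> MSM-A: Failed to install dynmic acl DOSrule1 for internal applicaton Dos on vlan * port 7:1 .Error: Rule rule has already been applied to inst.
01/21/2015 09:30:02.11 <Info:ACL.Policy.IntAppConfFail> MSM-A: Failed to install dynmic acl DOSrule2 for internal applicaton Dos on vlan * port 3:4 .Error: Rule rule has already been applied to inst.
01/21/2015 09:31:00.00 <Info:System.Boot> MSM-A: unrelated message
"""

# The switch's own spelling ("dynmic", "applicaton") is matched as-is,
# because that is the exact text the log carries.
_PATTERN = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"<(?P<sev>\w+):ACL\.Policy\.IntAppConfFail> (?P<slot>\S+): "
    r"Failed to install dynmic acl (?P<acl>\S+) for internal applicaton "
    r"(?P<app>\S+) on vlan (?P<vlan>\S+) port (?P<port>\S+) \.Error: "
    r"Rule rule has already been applied to inst\.?$"
)


def parse_install_failures(log_text):
    """Return one dict per 'already applied' IntAppConfFail message."""
    events = []
    for line in log_text.splitlines():
        m = _PATTERN.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
            events.append(ev)
    return events


def stuck_dos_acls(log_text, min_repeats=2):
    """Count failures per (acl, port) for the Dos application. A rule that
    repeatedly fails to re-install on the same port is the dynamic ACL
    that was never removed, which is what this article describes."""
    counts = {}
    for ev in parse_install_failures(log_text):
        if ev["app"].lower() != "dos":
            continue
        key = (ev["acl"], ev["port"])
        counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= min_repeats}
```

A hit from stuck_dos_acls() on an affected EXOS release is the cue to schedule the upgrade or reboot described in the Resolution section.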

 
Environment
  • BlackDiamond series
  • EXOS 15.3.3.5 patch 1-3
  • DOS-Protect enabled
Cause
  • When a DoS attack is detected, the switch identifies the traffic pattern and installs a dynamic ACL (for a configured time) to block the identified traffic.
  • In this case, the applied ACL was never removed, even after the DoS attack had ended. This behavior is a software bug.
Resolution
This is a known software issue tracked under CR xos0059789. Upgrade the firmware to one of the following releases:

15.3.4.6-patch1-14
15.5.3.4-patch1-6
15.7.2.1
15.6.2.12-patch1-1

Workaround:
The dynamic ACL entry created by the system cannot be removed through the CLI. Rebooting the switch clears it and serves as the workaround.

