attack-trace reason

Function

The attack-trace reason command configures the threshold for determining the cause of an attack event.

The undo attack-trace reason command deletes the configured threshold for determining the cause of an attack event.

The default value of each threshold is given in the parameter description.

Format

attack-trace reason { broadcast-flood percentage percentage-value1 | change-source-packet percentage percentage-value2 | app-packet percentage percentage-value3 }

undo attack-trace reason { broadcast-flood percentage [ percentage-value1 ] | change-source-packet percentage [ percentage-value2 ] | app-packet percentage [ percentage-value3 ] }

Parameters

| Parameter | Description | Value |
|---|---|---|
| broadcast-flood | Accumulated number of broadcast packets. | - |
| percentage percentage-value2 | Specifies the threshold for the percentage of packets with varied source addresses to the total number of sampled packets. If the percentage is less than the threshold, the attack event is caused by packets with varied source addresses. | The value is an integer that ranges from 2 to 10. The default value is 5. |
| percentage percentage-value3 | Specifies the threshold for the percentage of the specified protocol packets to the total number of sampled packets. If the percentage is greater than or equal to the threshold, the attack event is caused by the specified protocol packets. | The value is an integer that ranges from 20 to 80. The default value is 50. |
| percentage percentage-value1 | Specifies the threshold for the percentage of broadcast packets to the total number of sampled packets. If the percentage is greater than or equal to the threshold, the attack event is caused by broadcast packets. | The value is an integer that ranges from 30 to 80. The default value is 50. |
| change-source-packet | Top 1 change-source-address packet percentage. | - |
| app-packet | Application packet percentage. | - |

Views

SOC view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| soc | write |

Usage Guidelines

Usage Scenario

If the threshold for determining the cause of an attack event does not suit the existing network conditions, and attack event reports contain incorrect or missing decisions on attack events, run the attack-trace reason command to adjust the threshold based on actual conditions so that attack source tracing works accurately.

NOTE:

The app-packet, broadcast-flood, and change-source-packet parameters can be configured separately in different command instances, and the configurations do not override each other.
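The following Python sketch is an added example, not Huawei code or device output: it checks a list of attack-trace reason commands against the documented ranges and then applies the documented comparisons to a constructed sample, so a threshold change can be reviewed before it is entered. The helper names, treating undo as a return to the default value, and reporting every matching cause without precedence are assumptions.

```python
import re

# Ranges, defaults and comparison directions from the parameter table.
REASONS = {
    "broadcast-flood":      {"min": 30, "max": 80, "default": 50, "op": ">="},
    "change-source-packet": {"min": 2,  "max": 10, "default": 5,  "op": "<"},
    "app-packet":           {"min": 20, "max": 80, "default": 50, "op": ">="},
}
CMD = re.compile(r"^(undo\s+)?attack-trace\s+reason\s+(\S+)\s+percentage(?:\s+(\d+))?$")
# Constructed sample: each reason's measured percentage of the sampled packets.
SAMPLE = {"broadcast-flood": 60, "change-source-packet": 8, "app-packet": 30}


def apply_commands(lines):
    """Return the effective thresholds after applying command lines in order."""
    cfg = {name: spec["default"] for name, spec in REASONS.items()}
    for line in lines:
        m = CMD.match(line.strip())
        if not m or m.group(2) not in REASONS:
            raise ValueError(f"not an attack-trace reason command: {line!r}")
        undo, name, value = m.group(1), m.group(2), m.group(3)
        spec = REASONS[name]
        if undo:
            cfg[name] = spec["default"]  # assumption: undo restores the default
            continue
        if value is None:
            raise ValueError(f"missing percentage value: {line!r}")
        if not spec["min"] <= int(value) <= spec["max"]:
            raise ValueError(f"{name}: {value} outside {spec['min']}-{spec['max']}")
        cfg[name] = int(value)  # the other reasons keep their own settings
    return cfg


def causes(sample, cfg):
    """List every reason whose documented comparison matches the sample."""
    hits = []
    for name, spec in REASONS.items():
        pct = sample[name]
        if (pct >= cfg[name]) if spec["op"] == ">=" else (pct < cfg[name]):
            hits.append(name)
    return hits
```

With the constructed sample, the default thresholds report broadcast-flood; raising broadcast-flood to 70 and change-source-packet to 10 changes the reported cause to change-source-packet.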

Configuration Impact

Inappropriate attack source tracing thresholds may cause incorrect or missing decisions on attack events.

Precautions

It is recommended that you run this command with assistance from Huawei engineers.

In VS mode, this command is supported only by the admin VS.

Example

# Configure the threshold for the percentage of broadcast packets to the total number of sampled packets as 70, and the attack event is caused by broadcast packets if the percentage is greater than or equal to 70.
<HUAWEI> system-view
[~HUAWEI] soc
[*HUAWEI-soc] attack-trace reason broadcast-flood percentage 70
Copyright © Huawei Technologies Co., Ltd.