display soc attack-detect statistics application

Function

The display soc attack-detect statistics application command displays statistics about invalid packets and sessions collected by SOC-monitored protocol modules.

Format

display soc attack-detect statistics application slot slot-id [ protocol protocol-name history { 15-minutes | 60-minutes | 72-hours } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| protocol protocol-name | Specifies the protocol type. | The supported protocols can be queried using a question mark (?). |
| history | History statistics information. | - |
| 15-minutes | Displays statistics within the last 15 minutes. | - |
| 60-minutes | Displays statistics within the last 1 hour. | - |
| 72-hours | Displays statistics within the last 72 hours. | - |
| slot slot-id | Specifies the slot ID of a board. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

| Task Name | Operations |
|---|---|
| soc | read |

Usage Guidelines

Usage Scenario

The SOC determines the health status of services running on a device by monitoring data such as the rate of invalid packets or sessions and the percentage of invalid packets or sessions among all packets or sessions. Maintenance personnel can use the SOC to view statistics about service security. Based on these statistics, they can identify the protocol module with the poorest service availability, determine the causes and types of service unavailability, and locate attack sources.

NOTE:

Each protocol module checks the validity of received packets and sessions. After detecting an invalid packet or session, the protocol module records information about the invalid packet or session.

A packet is generally considered invalid when any of the following conditions is met:

  • A semantic error occurs. For example, the protocol type field in the packet does not comply with protocols.
  • A syntax error occurs. For example, a message in the packet does not comply with protocol specifications, or the order of sending messages does not comply with protocol stack specifications.
  • The packet's behavior is abnormal. For example, in normal cases a user sends at most one ARP packet per second on average. If a user sends 100 or more ARP packets per second on average, the behavior of these packets is considered abnormal.

A session is generally considered invalid when any of the following conditions is met:

  • The session fails to be established because malicious attacks exhaust socket resources or the session request is deliberately constructed.
  • The session fails to be processed. For example, interaction messages for the session are not authorized or are deliberately constructed or interrupted.
  • The session fails to be closed. For example, the session is deliberately constructed and partially closed, or the session is not released.

Implementation Procedure

To analyze system security events, perform the following operations:

  • Run the display soc attack-detect statistics application slot <slot-id> command to check statistics about the protocol packets and sessions on the board in the specified slot. Identify the protocol module with the largest percentage of invalid packets or sessions among all packets or sessions. This protocol module can be considered to have the poorest security.
  • Run the display soc attack-detect statistics application slot <slot-id> protocol <protocol-name> history { 15-minutes | 60-minutes | 72-hours } command to check statistics about invalid packets and sessions collected by the protocol module within the last 15 minutes, 1 hour, or 72 hours, as well as the CPU usage within this period. If the CPU usage is high and the percentage of invalid packets or sessions is also high, attacks on the protocol module are causing the CPU overload. If you cannot identify the problem from the average CPU usage, run the following command to check detailed information about the CPU usage within the specified period.
  • (Optional) Run the display soc attack-detect cpu-usage slot <slot-id> history { 15-minutes | 60-minutes | 72-hours } command to check detailed information about the CPU usage within a specified period.

In VS mode, this command is supported only by the admin VS.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display summary statistics about all application modules monitored by the SOC.
[HUAWEI] display soc attack-detect statistics application  slot 1
  ------------------------------------------------------------------------------ 
                     |       Packet  Statistics  |  Session Statistics           
  Protocol           |Total       Illegal     PCT|Total       Illegal     PCT    
  arp                 0           0           0   0           0           0      
  icmp                0           0           0   0           0           0      
  dhcp                0           0           0   0           0           0      
  pppoe               0           0           0   0           0           0      
  ftp-server          0           0           0   0           0           0      
  ssh-server          0           0           0   0           0           0      
  snmp                0           0           0   0           0           0      
  telnet-server       0           0           0   0           0           0      
  tftp                0           0           0   0           0           0      
  bgp                 0           0           0   0           0           0      
  ldp                 0           0           0   0           0           0      
  rsvp                0           0           0   0           0           0      
  ospfv2              0           0           0   0           0           0      
  rip                 0           0           0   0           0           0      
  ripng               0           0           0   0           0           0      
  ospfv3              0           0           0   0           0           0      
  msdp                0           0           0   0           0           0      
  pim_mc              0           0           0   0           0           0      
  igmp                0           0           0   0           0           0      
  mld                 0           0           0   0           0           0      
  isis                0           0           0   0           0           0      
  pimv6               0           0           0   0           0           0      
  sftp-server         0           0           0   0           0           0      
  ftp-client          0           0           0   0           0           0      
  telnet-client       0           0           0   0           0           0      
  ssh-client          0           0           0   0           0           0      
  sftp-client         0           0           0   0           0           0      
  ntp                 0           0           0   0           0           0      
  radius              0           0           0   0           0           0      
  hwtacacs            0           0           0   0           0           0      
  lspping             0           0           0   0           0           0      
  vgmp                0           0           0   0           0           0      
  vrrp                0           0           0   0           0           0      
  bfd                 0           0           0   0           0           0      
  nqa-udp-client      0           0           0   0           0           0      
  nqa-udp-server      0           0           0   0           0           0      
  nqa-tcp-client      0           0           0   0           0           0      
  nqa-tcp-server      0           0           0   0           0           0      
  dns-client          0           0           0   0           0           0      
  telnetv6-server     0           0           0   0           0           0      
  telnetv6-client     0           0           0   0           0           0      
  tftpv6-client       0           0           0   0           0           0      
  icmpv6              0           0           0   0           0           0      
  dnsv6               0           0           0   0           0           0      
  sshv6-server        0           0           0   0           0           0      
  sshv6-client        0           0           0   0           0           0      
  mpls-oam            0           0           0   0           0           0      
  rrpp                0           0           0   0           0           0      
  802.1ag             0           0           0   0           0           0      
  802.3ah             0           0           0   0           0           0      
  lacp                0           0           0   0           0           0      
  http-client         0           0           0   0           0           0      
  http-server         0           0           0   0           0           0      
  acr                 0           0           0   0           0           0      
  unknown             0           0           0   0           0           0      
  hgmp                0           0           0   0           0           0      
  bgpv6               0           0           0   0           0           0      
  ftpv6-client        0           0           0   0           0           0      
  ftpv6-server        0           0           0   0           0           0      
  ipfpm               0           0           0   0           0           0      
  snmpv6              0           0           0   0           0           0      
  multicast            0           0           0   0           0           0      
  multicastv6          0           0           0   0           0           0      
  ip                  0           0           0   0           0           0      
  ipv6                0           0           0   0           0           0      
  tcp                 0           0           0   0           0           0      
  udp                 0           0           0   0           0           0      
  eapol               0           0           0   0           0           0      
  portal              0           0           0   0           0           0      
  web                 0           0           0   0           0           0      
  l2tp                0           0           0   0           0           0      
  dhcpv6              0           0           0   0           0           0      
  nd                  0           0           0   0           0           0      
  fibmiss             0           0           0   0           0           0      
  fibmissv6           0           0           0   0           0           0      
  ttlexpired          0           0           0   0           0           0      
  ttlexpiredv6        0           0           0   0           0           0      
  ospfv6              0           0           0   0           0           0      
  lldp                0           0           0   0           0           0      
  bfdv6               0           0           0   0           0           0      
  arpmiss             0           0           0   0           0           0      
  pim                 0           0           0   0           0           0      
  openflow            0           0           0   0           0           0      
  ra                  0           0           0   0           0           0      
  rs                  0           0           0   0           0           0      
  na                  0           0           0   0           0           0      
  ns                  0           0           0   0           0           0      
  web_auth_server     0           0           0   0           0           0      
  diameter            0           0           0   0           0           0      
  http-redirect-chast 0           0           0   0           0           0      
  atm-inarp           0           0           0   0           0           0      
  unicast-vrrp        0           0           0   0           0           0      
  dlp-bgp             0           0           0   0           0           0      
  dlp-ldp             0           0           0   0           0           0      
  dlp-ospf            0           0           0   0           0           0      
  tcp-65410           0           0           0   0           0           0      
  padi                0           0           0   0           0           0      
  mka                 0           0           0   0           0           0      
  icmp-broadcast-addr 0           0           0   0           0           0      
  dlp-rsvp            0           0           0   0           0           0      
  dlp-isis            0           0           0   0           0           0      
  dlp-radius          0           0           0   0           0           0      
  dlp-ipv6-bgp        0           0           0   0           0           0      
  dlp-ipv6-ospf       0           0           0   0           0           0      
  dcn-pkt-fin         0           0           0   0           0           0      
  pcep                0           0           0   0           0           0      
  vrrpv6              0           0           0   0           0           0      
  radiusv6            0           0           0   0           0           0      
  hwtacacsv6          0           0           0   0           0           0      
  lsppingv6           0           0           0   0           0           0      
  syslogv6            0           0           0   0           0           0      
  web-auth-serverv6   0           0           0   0           0           0      
  ipv6-ndh-miss       0           0           0   0           0           0      
 ------------------------------------------------------------------------------
# Display statistics about invalid packets and sessions collected by the ICMP module on the board in slot 1 within the last 1 hour.
<HUAWEI> display soc attack-detect statistics application slot 1 protocol icmp history 60-minutes
icmp in 1 hour(every 5 minutes)                                               
  ------------------------------------------------------------------------------

      | Packet Statistics         |   Session  Statistics     |CPU              
  Time|Total       Illegal     PCT|Total       Illegal     PCT|CPU              
  1    0           0           0   0           0           0   25               
  2    4           0           0   4           0           0   25               
  3    0           0           0   0           0           0   25               
  4    0           0           0   0           0           0   25               
  5    0           0           0   0           0           0   25               
  6    0           0           0   0           0           0   25               
  7    0           0           0   0           0           0   24               
  8    1           0           0   1           0           0   21               
  9    0           0           0   0           0           0   21               
  10   0           0           0   0           0           0   21               
  11   0           0           0   0           0           0   21               
  12   0           0           0   0           0           0   21               
  ------------------------------------------------------------------------------
# Display statistics about invalid packets and sessions collected by SOC-monitored protocol modules on the board in slot 1.
<HUAWEI> display soc attack-detect statistics application slot 1
   -----------------------------------------------------------------------------------                                               
                             |       Packet  Statistics  |  Session Statistics                                                      
  Protocol                   |Total       Illegal     PCT|Total       Illegal     PCT                                               
  arp                         541         0           0   0           0           0                                                 
  icmp                        0           0           0   0           0           0                                                 
  dhcp                        0           0           0   0           0           0                                                 
  pppoe                       0           0           0   0           0           0                                                 
  ftp-server                  0           0           0   0           0           0                                                 
  ssh-server                  0           0           0   0           0           0                                                 
  snmp                        0           0           0   0           0           0                                                 
  telnet-server               0           0           0   0           0           0                                                 
  tftp                        0           0           0   0           0           0                                                 
  bgp                         0           0           0   0           0           0                                                 
  ldp                         0           0           0   0           0           0                                                 
  rsvp                        0           0           0   0           0           0                                                 
  ospfv2                      0           0           0   0           0           0                                                 
  rip                         0           0           0   0           0           0                                                 
  ospfv3                      0           0           0   0           0           0                                                 
  msdp                        0           0           0   0           0           0                                                 
  pim                         0           0           0   0           0           0                                                 
  igmp                        0           0           0   0           0           0                                                 
  mld                         0           0           0   0           0           0                                                 
  isis                        0           0           0   0           0           0                                                 
  pimv6                       0           0           0   0           0           0                                                 
  ftp-client                  0           0           0   0           0           0                                                 
  telnet-client               0           0           0   0           0           0                                                 
  ssh-client                  0           0           0   0           0           0                                                 
  ntp                         0           0           0   0           0           0                                                 
  radius                      0           0           0   0           0           0                                                 
  hwtacacs                    0           0           0   0           0           0                                                 
  lspping                     0           0           0   0           0           0                                                 
  vrrp                        0           0           0   0           0           0                                                 
  bfd                         0           0           0   0           0           0                                                 
  dns-client                  0           0           0   0           0           0                                                 
  telnetv6-server             0           0           0   0           0           0                                                 
  telnetv6-client             0           0           0   0           0           0                                                 
  tftpv6-client               0           0           0   0           0           0                                                 
  icmpv6                      0           0           0   0           0           0                                                 
  dnsv6                       0           0           0   0           0           0                                                 
  sshv6-server                0           0           0   0           0           0                                                 
  rrpp                        0           0           0   0           0           0                                                 
  802.1ag                     0           0           0   0           0           0                                                 
  lacp                        0           0           0   0           0           0                                                 
  unknown                     0           0           0   0           0           0                                                 
  white-list                  0           0           0   0           0           0                                                 
  hgmp                        0           0           0   0           0           0                                                 
  bgpv6                       0           0           0   0           0           0                                                 
  ftpv6-client                0           0           0   0           0           0                                                 
  ftpv6-server                0           0           0   0           0           0                                                 
  ipfpm                       0           0           0   0           0           0                                                 
  snmpv6                      0           0           0   0           0           0                                                 
  multicastv6                 0           0           0   0           0           0                                                 
  ipv6                        0           0           0   0           0           0                                                 
  tcp                         0           0           0   0           0           0                                                 
  udp                         0           0           0   0           0           0                                                 
  eapol                       0           0           0   0           0           0                                                 
  portal                      0           0           0   0           0           0                                                 
  web                         0           0           0   0           0           0                                                 
  l2tp                        0           0           0   0           0           0                                                 
  dhcpv6                      0           0           0   0           0           0                                                 
  nd                          0           0           0   0           0           0                                                 
  fibmiss                     0           0           0   0           0           0                                                 
  fibmissv6                   0           0           0   0           0           0                                                 
  ttlexpired                  0           0           0   0           0           0                                                 
  ttlexpiredv6                0           0           0   0           0           0                                                 
  lldp                        0           0           0   0           0           0                                                 
  arpmiss                     0           0           0   0           0           0                                                 
  pim_mc                      0           0           0   0           0           0                                                 
  openflow                    0           0           0   0           0           0                                                 
  ra                          0           0           0   0           0           0                                                 
  rs                          0           0           0   0           0           0                                                 
  na                          0           0           0   0           0           0                                                 
  ns                          0           0           0   0           0           0                                                 
  web_auth_server             0           0           0   0           0           0                                                 
  diameter                    0           0           0   0           0           0                                                 
  http-redirect-chasten       0           0           0   0           0           0                                                 
  atm-inarp                   0           0           0   0           0           0                                                 
  unicast-vrrp                0           0           0   0           0           0                                                 
  dlp-bgp                     0           0           0   0           0           0                                                 
  dlp-ldp                     0           0           0   0           0           0                                                 
  dlp-ospf                    0           0           0   0           0           0                                                 
  tcp-65410                   0           0           0   0           0           0                                                 
  padi                        0           0           0   0           0           0                                                 
  mka                         0           0           0   0           0           0                                                 
  icmp-broadcast-address-echo 0           0           0   0           0           0                                                 
  dlp-rsvp                    0           0           0   0           0           0                                                 
  dlp-isis                    0           0           0   0           0           0                                                 
  dlp-radius                  0           0           0   0           0           0                                                 
  dlp-ipv6-bgp                0           0           0   0           0           0                                                 
  dlp-ipv6-ospf               0           0           0   0           0           0                                                 
  dcn-pkt-fin                 0           0           0   0           0           0                                                 
  pcep                        0           0           0   0           0           0                                                 
  vrrpv6                      0           0           0   0           0           0                                                 
  radiusv6                    0           0           0   0           0           0                                                 
  hwtacacsv6                  0           0           0   0           0           0                                                 
  lsppingv6                   0           0           0   0           0           0                                                 
  syslogv6                    0           0           0   0           0           0                                                 
  web-auth-serverv6           0           0           0   0           0           0                                                 
  ipv6-ndh-miss               0           0           0   0           0           0                                                 
 ------------------------------------------------------------------------------
Table 1 Description of the display soc attack-detect statistics application command output

| Item | Description |
|---|---|
| Protocol | Protocol module. |
| Total | Total number of received packets or sessions. |
| Illegal | Total number of received invalid packets or sessions. |
| PCT | Percentage of the number of invalid packets or sessions to the total number of packets or sessions. |
| CPU | Average CPU usage within 5 minutes. |
| Time | Time sequence number. |

In this example, the system collects statistics about invalid packets and sessions every 5 minutes. The smaller the time sequence number, the closer the interval is to the current time. For example, time sequence number 3 indicates the third 5-minute interval back from the current time.
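The Implementation Procedure above, applied offline to captured command output, as an added example that is not part of the original page or of Huawei's tooling: it parses the two output layouts shown in the Example section, recomputes the invalid percentage from Total and Illegal, and separates high-CPU intervals that coincide with a high invalid percentage from those that do not. The sample text is constructed, and the function names and the CPU_HIGH and PCT_HIGH thresholds are assumptions (the page does not define "high").

```python
"""Offline triage of `display soc attack-detect statistics application` output."""

# Constructed sample in the summary layout shown on this page; the counts are invented.
SUMMARY_SAMPLE = """\
  ------------------------------------------------------------------------------
                     |       Packet  Statistics  |  Session Statistics
  Protocol           |Total       Illegal     PCT|Total       Illegal     PCT
  arp                 54100       21640       40  0           0           0
  icmp                1200        60          5   0           0           0
  ssh-server          300         3           1   40          30          75
  bgp                 900         0           0   12          0           0
  ------------------------------------------------------------------------------
"""

# Constructed sample in the per-protocol history layout; the counts are invented.
HISTORY_SAMPLE = """\
arp in 1 hour(every 5 minutes)
  ------------------------------------------------------------------------------

      | Packet Statistics         |   Session  Statistics     |CPU
  Time|Total       Illegal     PCT|Total       Illegal     PCT|CPU
  1    9000        7200        80  0           0           0   91
  2    8800        6160        70  0           0           0   88
  3    500         5           1   0           0           0   24
  4    480         0           0   0           0           0   86
  ------------------------------------------------------------------------------
"""

# Assumed thresholds for this example; tune them to the device's normal baseline.
CPU_HIGH = 80
PCT_HIGH = 50


def parse_rows(text):
    """Return the data rows; titles, headers, separators and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Summary rows: name + 6 counters. History rows: time + 6 counters + CPU.
        if len(fields) not in (7, 8) or not all(f.isdecimal() for f in fields[1:]):
            continue
        n = [int(f) for f in fields[1:]]
        rows.append({
            "key": fields[0],              # protocol name or time sequence number
            "packet": (n[0], n[1]),        # (Total, Illegal)
            "session": (n[3], n[4]),       # (Total, Illegal)
            "cpu": n[6] if len(n) == 7 else None,
        })
    return rows


def invalid_pct(total, illegal):
    """Recompute Illegal/Total as a percentage; an idle module (Total 0) scores 0."""
    return 100.0 * illegal / total if total else 0.0


def worst_protocol(summary_text):
    """First step: (protocol, kind, pct) with the largest invalid percentage."""
    candidates = [
        (invalid_pct(*row[kind]), row["key"], kind)
        for row in parse_rows(summary_text)
        for kind in ("packet", "session")
    ]
    if not candidates:
        return None
    pct, proto, kind = max(candidates)
    return proto, kind, pct


def classify_history(history_text, cpu_high=CPU_HIGH, pct_high=PCT_HIGH):
    """Second step: split high-CPU intervals by whether invalid traffic was also high.

    Returns (correlated, cpu_only) lists of time sequence numbers. Intervals in
    cpu_only are the ones to follow up with the cpu-usage history command.
    """
    correlated, cpu_only = [], []
    for row in parse_rows(history_text):
        if row["cpu"] is None or row["cpu"] < cpu_high:
            continue
        pct = max(invalid_pct(*row["packet"]), invalid_pct(*row["session"]))
        (correlated if pct >= pct_high else cpu_only).append(int(row["key"]))
    return correlated, cpu_only


if __name__ == "__main__":
    print(worst_protocol(SUMMARY_SAMPLE))
    print(classify_history(HISTORY_SAMPLE))
```

Recomputing the percentage from the raw counters avoids relying on the rounded PCT column, and time sequence numbers in the result follow the page's convention that smaller numbers are closer to the current time.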

Copyright © Huawei Technologies Co., Ltd.