Usage Scenario
When a device does not function properly because the CPU is overloaded, users go offline, routes are interrupted, or an NMS connection to the device responds slowly, you are advised to use the display soc attack-event command to view information about attack events and identify attack sources and causes.
The display soc attack-event command is a key command for determining attack events. It displays the time, location, probability, and cause of an attack event. Based on this information, you can isolate and rectify faults.

Implementation Procedure
In VS mode, this command is supported only by the admin VS.
The actual command output varies according to the device. The command output here is only an example.
```
<HUAWEI> display soc attack-event slot 1 event-number 65794
65794# security event report
Start Time  : 2017-08-22 14:33
End Time    : 2017-08-22 16:02
Probability : Determined
Location    : GigabitEthernet0/1/2
Reasons     : Access-user attack
------------------------------------------------------------------------------
Interface                    PCT
GigabitEthernet0/1/2.1       100%
------------------------------------------------------------------------------
QinQ(PeVlan/CeVlan)          PCT
1/1                          100%
------------------------------------------------------------------------------
Source MAC                   PCT
00E0-FC12-3456               100%
------------------------------------------------------------------------------
Source IPv6                  PCT
fe80::7e00:5ff:fe60:2f08     100%
------------------------------------------------------------------------------
Agent Circuit ID             PCT
2011                         100%
------------------------------------------------------------------------------
```

```
<HUAWEI> display soc attack-event slot 1 verbose
CPU overload key reason analysis:protocol and application bandwidth abuse
list: ARP,ICMP,DHCP,PPPOE
attack events and CPU usage trend analysis
------------------------------------------------------------------------------
[CPU usage trend chart: y-axis CPU(%) from 10 to 100, x-axis time(h) from 1 to 72]
------------------------------------------------------------------------------
CPU% per hour (last 72 hours)
- = Maximum CPU%   * = Average CPU%
------------------------------------------------------------------------------
1# security event report
Start time : 2013-05-07 13:59
End time   : 2013-05-07 15:00
Location   : GE0/1/1 ; GE0/1/1.1
Probability: Determined
Reasons    : unknownFlood
Vlan       : 100
------------------------------------------------------------------------------
```

```
<HUAWEI> display soc attack-event event-number 1
1# security event report
Start Time  : 2013-05-07 13:59
End Time    : 2013-05-07 15:00
Probability : Determined
Location    : GigabitEthernet0/1/1
Reasons     : unknownFlood
------------------------------------------------------------------------------
Interface                    PCT
GigabitEthernet0/1/1.1       100%
------------------------------------------------------------------------------
Vlan                         PCT
100                          100%
------------------------------------------------------------------------------
Vni                          PCT
100                          100%
------------------------------------------------------------------------------
Source MAC                   PCT
00E0-FC12-3456               100%
------------------------------------------------------------------------------
Source IP                    PCT
1.1.1.2                      100%
------------------------------------------------------------------------------
Application                  PCT
unknown                      100%
------------------------------------------------------------------------------
```

```
<HUAWEI> display soc attack-event
security attack events summary
------------------------------------------------------------------------------
Seq.  Time              Interface  Probability  Reason
1     2013-05-07 15:00  GE0/1/1.1  Determined   Flood
------------------------------------------------------------------------------
```

Item | Description |
---|---|
CPU overload key reason analysis | Analysis of the key cause for the CPU overload. |
attack events and CPU usage trend analysis | Diagram for the attack events and CPU usage trend. |
- = Maximum CPU% | "-" indicates the highest CPU usage within a period on the x-coordinate. The rightmost column always displays the highest CPU usage but not the average CPU usage. |
* = Average CPU% | "*" indicates the average CPU usage within a period on the x-coordinate. If only "*" is displayed for a column, the average CPU usage and highest CPU usage are the same. |
CPU% per hour (last 72 hours) | CPU usage per hour within the last 72 hours. The CPU usage curve is presented in time order from right to left. For example, "72" on the x-coordinate indicates the highest and average CPU usage within the most recent hour of the last 72 hours, and "54" on the x-coordinate indicates the highest and average CPU usage within the 19th most recent hour. |
Start time | Time when the attack event starts. |
End time | Time when the attack event ends. |
Location | The physical interface where the attack event occurs. |
Reasons | Indicates the reasons. |
Vlan | VLAN ID of the attack event. |
Time | Time when the attack event occurs. |
Probability | Probability that the attack event occurs. |
Interface | Name of the attacked logical interface. |
QinQ(PeVlan/CeVlan) | Double VLAN IDs (inner VLAN ID/outer VLAN ID). |
Source MAC | MAC address of the attack source. |
Source IPv6 | IPv6 address of the attack source. |
Agent Circuit ID | Agent circuit ID. |
Application | Protocol module. |
Seq. | Sequence number of the attack event. |
Reason | Cause for the attack event. |
list | List. |
fe80 | Link-local address. |
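
The following is an added example, not part of the original documentation: a Python parser that turns one event report into a structured record, so the Source MAC, Source IP and Source IPv6 entries can be passed to a filtering or ticketing workflow. The line layout of the sample, the function names and the 50% threshold are assumptions made for illustration.

```python
import re

# Constructed sample: the "event-number 1" report shown on this page, trimmed.
# The line layout is an assumption; real output varies by device.
SAMPLE = """\
1# security event report
Start Time  : 2013-05-07 13:59
End Time    : 2013-05-07 15:00
Probability : Determined
Location    : GigabitEthernet0/1/1
Reasons     : unknownFlood
------------------------------------------------------------------------------
Interface                    PCT
GigabitEthernet0/1/1.1       100%
------------------------------------------------------------------------------
Source MAC                   PCT
00E0-FC12-3456               100%
------------------------------------------------------------------------------
Source IP                    PCT
1.1.1.2                      100%
"""

TITLE = re.compile(r"^(\d+)# security event report$")
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")   # "Start Time : 2013-..."
PCT_HEAD = re.compile(r"^(.+?)\s+PCT$")             # "Source MAC    PCT"
PCT_ROW = re.compile(r"^(\S+)\s+(\d{1,3})%$")       # "1.1.1.2      100%"

def parse_event_report(text):
    """Parse one event report into header fields and per-dimension PCT rows."""
    event = {"number": None, "fields": {}, "breakdown": {}}
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line or set(line) == {"-"}:          # blank line or separator
            continue
        if m := TITLE.match(line):
            event["number"] = int(m.group(1))
        elif m := PCT_HEAD.match(line):
            section = event["breakdown"].setdefault(m.group(1), [])
        elif section is not None and (m := PCT_ROW.match(line)):
            section.append((m.group(1), int(m.group(2))))   # checked before FIELD: IPv6 has ":"
        elif m := FIELD.match(line):
            # Lower-case keys: the page shows both "Start Time" and "Start time".
            event["fields"][m.group(1).strip().lower()] = m.group(2)
    return event

def attack_sources(event, min_pct=50):
    """Source MAC/IP/IPv6 values contributing at least min_pct of the event."""
    return {dim: [v for v, pct in rows if pct >= min_pct]
            for dim, rows in event["breakdown"].items() if dim.startswith("Source")}
```

Calling `attack_sources(parse_event_report(SAMPLE))` returns the Source MAC and Source IP entries and leaves out the Interface row, which identifies where the attack arrived rather than who sent it.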