attack-detect drop-rate
Function
The hostcar attack-detect drop-rate command configures the attack detection threshold for the rate at which packets are dropped by Host-CAR. After the threshold is exceeded, attack detection is started.
The undo hostcar attack-detect drop-rate command restores the default attack detection threshold for the rate at which packets are dropped by Host-CAR.
The http-hostcar attack-detect drop-rate command configures the threshold for the rate at which packets are dropped by HTTP-Host-CAR.
The undo http-hostcar attack-detect drop-rate command restores the default threshold for the rate at which packets are dropped by HTTP-Host-CAR.
The vlan-host-car attack-detect drop-rate command configures the threshold for the rate at which packets are dropped by VLAN-Host-CAR.
The undo vlan-host-car attack-detect drop-rate command restores the default threshold for the rate at which packets are dropped by VLAN-Host-CAR.
By default, the attack detection threshold for the rate at which packets are dropped by Host-CAR, HTTP-Host-CAR, VLAN-Host-CAR is 1 pps.
This command is supported only on the NetEngine 8000 F1A.
Parameters
| Parameter | Description | Value |
|---|---|---|
| hostcar |
Configure the attack detection threshold for the rate at which packets are dropped by Host-CAR. |
- |
| http-hostcar |
Configure the threshold for the rate at which packets are dropped by HTTP-Host-CAR. |
- |
| vlan-host-car |
Configure the threshold for the rate at which packets are dropped by VLAN-Host-CAR. |
- |
| drop-rate rate-value |
Specifies the threshold for the rate at which packets are dropped. If the packet dropping rate is lower than the configured threshold, no deadly attacks exist, or no attack source tracing is performed. |
The value is an integer ranging from 1 to 400, in pps. The default value is 1. |
Usage Guidelines
Usage Scenario
The security Operating Center (SOC) determines whether the system security is being attacked based on the statistics analysis. To correctly obtain these statistics on a live network, you must set proper alarm thresholds for security attack events. For different networkings in different scenarios, the traffic statistics modules, however, vary from one another.
- On small-scale networks where the traffic rate is low, router bandwidth is low, and number of users is small, setting a small rate-value is recommended.
- On large-scale networks where the traffic rate is high, router bandwidth is high, and number of users is great, setting a high rate-value is recommended. You can adjust rate-value based on the traps.
- If a large number of unexpected attack traps are generated (some reported attacks are actually not attacks), setting a higher rate-value is recommended.
- If some attacks are not reported (attacks are detected by other detection systems but not reported in the SOC), setting a lower rate-value is recommended.
Precautions
In VS mode, this command is supported only by the admin VS.
If the packet dropping rate is lower than the configured rate-value, no deadly attacks exist, or no attack source tracing is performed. Setting a proper rate-value helps accurately locate attack events.- When the threshold is set too high, some not severe attacks are ignored and not reported.
- When the threshold is set too low, some events that cause high traffic rates may be mistaken for attacks. Therefore, choose a proper threshold based on the live network situation. For example, if a router has two physical interfaces, the attack source tracing threshold must be set to 50% or higher. Otherwise, attack locating is fruitless. In most cases, this command does not require manual configuration. If this command is required, run this command with assistance from Huawei engineers.
Example
<HUAWEI> system-view [~HUAWEI] slot 1 [*HUAWEI-slot-1] vlan-host-car attack-detect drop-rate 123
<HUAWEI> system-view [~HUAWEI] slot 1 [*HUAWEI-slot-1] http-hostcar attack-detect drop-rate 123
<HUAWEI> system-view [~HUAWEI] slot 1 [*HUAWEI-slot-1] hostcar attack-detect drop-rate 123