Attack Source Tracing

The attack source tracing module functions as a log processing center: it records information about the attack packets detected by the other functional modules.

Prerequisites

Each functional module can detect potential attack packets and send them to the attack source tracing module for information recording. The attack source tracing module is responsible for recording information, rather than detecting attack packets.

Implementation

Upon receiving a packet, the attack source tracing module records the packet according to the configured sampling ratio and packet length. The module can arrange attack packets according to timestamp. The module maintains a large cache. When an interface board resets, the information will not be lost. Attack source tracing supports both exact query and fuzzy query. You can save information about attack packets to the CF card on the main control board in a standard Wireshark file format.

Application Scope

Attack source tracing can record attack packets detected by modules such as application layer association, management and service layer protection, and CPCAR.

Processing Procedure

  • Upon receiving a packet, the attack source tracing module checks the sampling ratio.

    • If the sampling ratio does not reach the threshold, no action is taken.
    • If the sampling ratio reaches the threshold, the packet is kept in memory.
  • To view the packets kept in memory, you need to resolve them. Both the data in memory and the data saved to a file can be displayed. The information kept in the attack source tracing module can be displayed in any of three modes: detailed display, summarized display, and original information display.
    • Detailed display refers to selecting information according to any of 10 conditions or a combination of these conditions.
    • Summarized display refers to selecting information according to any of seven conditions or a combination of these conditions.
    • Original information display refers to displaying the data as it is in the memory without making a selection.
  • Using commands, you can save the attack packet information in memory to a file on the CF card.
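
An added example, not Huawei code: a Python model of the record path described under Implementation and Processing Procedure (sample, truncate, order by timestamp, save). It assumes the sampling ratio means one packet kept per `ratio` packets received, that the packet length is a truncation limit, and that the "standard Wireshark file format" is classic pcap; `TraceRecorder`, `read_records` and `demo` are hypothetical names.

```python
import io
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, captured length, original length
LINKTYPE_ETHERNET = 1


class TraceRecorder:
    """Model of the recorder: keep 1 packet in every `ratio`, cut to `max_len` bytes."""

    def __init__(self, ratio, max_len):
        self.ratio, self.max_len = ratio, max_len
        self.seen = 0
        self.cache = []  # (timestamp, original length, stored bytes)

    def receive(self, ts, packet):
        self.seen += 1
        if self.seen % self.ratio:  # counter has not reached the threshold: no action
            return False
        self.cache.append((ts, len(packet), packet[:self.max_len]))
        return True

    def save(self, out):
        """Write the cache, ordered by timestamp, as a classic pcap stream."""
        out.write(PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, self.max_len, LINKTYPE_ETHERNET))
        for ts, orig_len, data in sorted(self.cache, key=lambda r: r[0]):
            sec = int(ts)
            usec = int((ts - sec) * 1_000_000)
            out.write(PCAP_RECORD.pack(sec, usec, len(data), orig_len))
            out.write(data)


def read_records(blob):
    """Parse pcap bytes back into (ts_sec, captured_len, original_len) tuples."""
    records, offset = [], PCAP_GLOBAL.size
    while offset < len(blob):
        sec, _usec, incl, orig = PCAP_RECORD.unpack_from(blob, offset)
        records.append((sec, incl, orig))
        offset += PCAP_RECORD.size + incl
    return records


def demo():
    # Constructed sample: six 200-byte dummy frames arriving out of timestamp order.
    rec = TraceRecorder(ratio=2, max_len=64)
    for ts in (1005.0, 1003.0, 1004.0, 1001.0, 1006.0, 1002.0):
        rec.receive(ts, bytes(200))
    buf = io.BytesIO()
    rec.save(buf)
    return read_records(buf.getvalue())
```

In the saved records the captured length (64) is smaller than the original length (200), which is how a truncated packet appears when the file is opened in Wireshark.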

Copyright © Huawei Technologies Co., Ltd.