Instrumentation Monitor - HP ProCurve J8766A Release Note

For the ProCurve Series 4200vl switches

Enhancements
Release L.10.20 Enhancements
Enabling/Disabling Stacking
To enable/disable stacking, use the following command.
Syntax: [no] stack
Enables stacking (SNMP) on the switch. (Default: disabled)
Note
The stack command exists in previous software versions. In this implementation, however, both
stacking and SNMP must be enabled to open the port on the switch. If either feature is disabled, the
port will remain closed.

Instrumentation Monitor

The 3400cl switches have instrumentation to monitor many operating parameters at pre-determined
intervals. Beginning with software release L.10.20, this capability can be used to detect anomalies
caused by security attacks or other irregular operations on the switch. The following table shows the
parameters that can be monitored, and the possible security attacks that may trigger an alert:
Parameter Name: Description

pkts-to-closed-ports: The count of packets per minute sent to closed TCP/UDP ports. An excessive amount of packets could indicate a port scan, in which an attacker is attempting to expose a vulnerability in the switch.

arp-requests: The count of ARP requests processed per minute. A large amount of ARP request packets could indicate a host infected with a virus that is trying to spread itself.

ip-address-count: The number of destination IP addresses learned in the IP forwarding table. Some attacks fill the IP forwarding table causing legitimate traffic to be dropped.

system-resource-usage (Denial of Service logging): The percentage of system resources in use. Some Denial-of-Service (DoS) attacks will cause excessive system resource usage, resulting in insufficient resources for legitimate traffic.

login-failures/min: The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.

port-auth-failures/min: The count of times a client has been unsuccessful logging into the network.

system-delay: The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features. A delay of several seconds indicates a problem.

mac-address-count: The number of MAC addresses learned in the forwarding table. Some attacks fill the forwarding table so that new conversations are flooded to all parts of the network.
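
The kind of check the table describes can be reproduced off-switch by a collector that polls these statistics. The following is an added example, not HP's implementation or code from the release note: it assumes the per-minute parameters arrive as cumulative counters and the others as instantaneous values, and every limit and sample value in it is constructed for illustration.

```python
# Added example: evaluate two polls of switch statistics against alert limits.
# Limits and sample polls are constructed; they are not HP default thresholds.

RATE = "rate"    # assumed cumulative counter: alert on increase per minute
GAUGE = "gauge"  # instantaneous value: alert on the value itself

# parameter name from the table -> (kind, assumed limit)
LIMITS = {
    "pkts-to-closed-ports":   (RATE, 100),
    "arp-requests":           (RATE, 1000),
    "login-failures/min":     (RATE, 10),
    "port-auth-failures/min": (RATE, 10),
    "ip-address-count":       (GAUGE, 1000),
    "mac-address-count":      (GAUGE, 1000),
    "system-resource-usage":  (GAUGE, 50),  # percent
    "system-delay":           (GAUGE, 3),   # seconds
}

def evaluate(prev, curr, limits=LIMITS):
    """Return sorted (parameter, observed, limit) tuples that exceed their limit.
    prev and curr are dicts holding 'time' (seconds) plus parameter values."""
    minutes = (curr["time"] - prev["time"]) / 60.0
    if minutes <= 0:
        raise ValueError("polls must be in increasing time order")
    alerts = []
    for name, (kind, limit) in limits.items():
        if name not in curr:
            continue
        if kind == RATE:
            if name not in prev:
                continue
            delta = curr[name] - prev[name]
            if delta < 0:  # counter went backwards (e.g. reboot): skip interval
                continue
            observed = delta / minutes
        else:
            observed = curr[name]
        if observed > limit:
            alerts.append((name, observed, limit))
    return sorted(alerts)

# Constructed polls taken 120 seconds apart.
POLL_1 = {"time": 0, "pkts-to-closed-ports": 40, "arp-requests": 5000,
          "login-failures/min": 2, "mac-address-count": 310, "system-delay": 0}
POLL_2 = {"time": 120, "pkts-to-closed-ports": 640, "arp-requests": 5400,
          "login-failures/min": 8, "mac-address-count": 2500, "system-delay": 1}

if __name__ == "__main__":
    for name, observed, limit in evaluate(POLL_1, POLL_2):
        print(f"ALERT {name}: observed {observed} exceeds limit {limit}")
```

With the constructed polls, the closed-port packet rate (300 per minute) and the MAC table size (2500 entries) are flagged, while the ARP and login-failure rates stay under their assumed limits.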

This manual is also suitable for:

Procurve 4200vlL.11.09