Using Alarms To Monitor Potential Security Issues - Extreme Networks EPICenter Guide Manual

Concepts and solutions guide

Using Alarms to Monitor Potential Security Issues

The EPICenter Alarm Manager allows you to create custom alarm conditions on any supported MIB
object known to EPICenter. Using the Alarm Manager, you can set up alarms for alerting you to critical
security problems within your network. An example of this would be creating an alarm to notify you of
a potential Denial of Service (DoS) attack.
A DoS attack occurs when a critical network or computing resource is overwhelmed so that legitimate
requests for service cannot succeed. In its simplest form, a DoS attack is indistinguishable from normal
heavy traffic. Extreme Networks switches are not vulnerable to this simple attack because they are
designed to process packets in hardware at wire speed. However, there are some operations in any
switch or router that are more costly than others, and although normal traffic is not a problem,
exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
Learning new traffic
Routing and control protocols including ICMP, BGP and OSPF
Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may become too busy to service other functions
and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm
the CPU with packets requiring costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When a flood of
packets is received by the switch, DoS Protection will count these packets. When the packet count
nears the alert threshold, packet headers are saved. If the threshold is reached, then these headers are
analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the
CPU. With the ACL in place, the CPU will have the cycles to process legitimate traffic and continue
other services.
Once DoS Protection is set up on the switches, you could define an Alarm for the traps "DOS Threshold
cleared" and "DOS Threshold reached", and have it take an action such as an Email notification or
sending a page to a network administrator.
Refer to the ExtremeWare Software User Guide for information on configuring DoS Protection on your
Extreme switches.
Another example would be to detect a TCP SYN flood as indicating a potential DoS attack. A SYN flood
occurs when a malicious entity sends a flood of TCP SYN packets to a host. For each of these SYN
requests, the host reserves system resources for the potential TCP connection. If many of these SYN
packets are received, the victim host runs out of resources, effectively denying service to any legitimate
TCP connection.
Using the Alarm Manager, you can detect a potential SYN flood by defining a threshold alarm, using a
delta rising threshold rule on the TCP-MIB object tcpPassiveOpens. If this MIB object rises quickly in a
short delta period, the system may be under a DoS attack.
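The delta rising threshold rule just described, worked through as an added example (not EPICenter code): it takes successive tcpPassiveOpens samples, computes the per-poll delta with Counter32 wraparound handled, raises an event when the delta crosses the rising threshold, and assumes an RMON-style falling threshold that re-arms the alarm once the rate subsides. The sample readings are constructed; in a real deployment the counter would be read from the switch over SNMP at each poll.

```python
"""Delta rising-threshold check on TCP-MIB tcpPassiveOpens, modelled on the
EPICenter alarm rule described above (added example, not EPICenter code)."""
from dataclasses import dataclass
from typing import List, Optional

TCP_PASSIVE_OPENS_OID = "1.3.6.1.2.1.6.5.0"  # TCP-MIB tcpPassiveOpens (Counter32)
COUNTER32_MODULUS = 2 ** 32


def counter_delta(previous: int, current: int) -> int:
    """Difference between two Counter32 samples, tolerating a single wrap."""
    return (current - previous) % COUNTER32_MODULUS


@dataclass
class DeltaRisingAlarm:
    rising: int           # per-poll delta that raises the alarm
    falling: int          # per-poll delta that clears it (assumed hysteresis)
    armed: bool = True    # fires once, then re-arms only after a falling event
    last: Optional[int] = None

    def observe(self, sample: int) -> Optional[str]:
        """Feed one counter sample; return 'RISING', 'FALLING' or None."""
        if self.last is None:          # first poll establishes the baseline
            self.last = sample
            return None
        delta = counter_delta(self.last, sample)
        self.last = sample
        if self.armed and delta >= self.rising:
            self.armed = False
            return "RISING"
        if not self.armed and delta <= self.falling:
            self.armed = True
            return "FALLING"
        return None


def evaluate(samples: List[int], rising: int, falling: int) -> List[Optional[str]]:
    """Run the rule over a series of polled samples, returning the event per poll."""
    alarm = DeltaRisingAlarm(rising=rising, falling=falling)
    return [alarm.observe(s) for s in samples]


# Constructed readings polled every 30 s: ~20 passive opens per poll under normal
# load (counter near its 2^32 wrap), thousands per poll during a SYN flood, then recovery.
SAMPLE_READINGS = [4294967200, 4294967220, 4294967240, 2000, 6500, 11000, 11020, 11040]

if __name__ == "__main__":
    for reading, event in zip(SAMPLE_READINGS, evaluate(SAMPLE_READINGS, 1000, 50)):
        print(f"{TCP_PASSIVE_OPENS_OID} = {reading:>10}  {event or ''}")
```

The fourth sample crosses the counter wrap, so a naive subtraction would report a huge negative delta and miss the flood; the modular delta still reports 2056 and raises the alarm.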
See "Using the EPICenter Alarm System" on page 42 for more information about creating alarms such
as these.

EPICenter Concepts and Solutions Guide 117
