Device Syslog History - Extreme Networks Ridgeline Guide Manual

Concepts and solutions guide

Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may become too busy to service other functions
and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm
the CPU with packets requiring costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When a flood of
packets is received by the switch, DoS Protection counts these packets. When the packet count
nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are
analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the
CPU. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue
other services.
Once DoS Protection is set up on the switches, you can define an Alarm for the traps "DOS Threshold
cleared" and "DOS Threshold reached", and have it take an action such as sending an email notification or
a page to a network administrator.
Refer to the ExtremeWare Software User Guide for information on configuring DoS Protection on your
Extreme switches.
Another example would be to detect a TCP SYN flood as indicating a potential DoS attack. A SYN flood
occurs when a malicious entity sends a flood of TCP SYN packets to a host. For each of these SYN
requests, the host reserves system resources for the potential TCP connection. If many of these SYN
packets are received, the victim host runs out of resources, effectively denying service to any legitimate
TCP connection.
Using the Alarm Manager, you can detect a potential SYN flood by defining a threshold alarm, using a
delta rising threshold rule on the TCP-MIB object tcpPassiveOpens. If this MIB object rises quickly in a
short delta period, the system may be under a DoS attack.
See the Ridgeline Reference Guide for more information about creating alarms such as these.
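The delta rising-threshold rule described above, as an added Python example (not Ridgeline's or ExtremeWare's own code): it polls constructed tcpPassiveOpens samples, raises a single alarm when the per-interval delta crosses the rising threshold, re-arms only after a falling threshold so one burst does not alarm on every poll, and tolerates Counter32 wrap. The class name, thresholds and sample values are assumptions.

```python
# Added example: RMON-style delta rising/falling threshold alarm over a
# polled SNMP counter such as TCP-MIB tcpPassiveOpens. Not Ridgeline code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32  # tcpPassiveOpens is a Counter32 and wraps modulo 2^32


@dataclass
class DeltaRisingAlarm:
    """Fire once when (current - previous) crosses `rising`; re-arm only
    after a sample whose delta is at or below `falling` (hysteresis)."""
    rising: int
    falling: int
    last_value: Optional[int] = None
    armed: bool = True
    events: List[Tuple[int, str, int]] = field(default_factory=list)

    def poll(self, value: int, ts: int) -> Optional[str]:
        if self.last_value is None:          # first sample only seeds the baseline
            self.last_value = value
            return None
        delta = (value - self.last_value) % COUNTER32_MAX  # correct across a wrap
        self.last_value = value
        if self.armed and delta >= self.rising:
            self.armed = False               # suppress repeats until traffic subsides
            self.events.append((ts, "rising", delta))
            return "rising"
        if not self.armed and delta <= self.falling:
            self.armed = True                # burst over: re-arm the alarm
            self.events.append((ts, "falling", delta))
            return "falling"
        return None


# Constructed samples (timestamp seconds, tcpPassiveOpens): ~30-40 passive
# opens per minute, then a burst of ~2500/min, then back to normal.
SAMPLES = [(0, 1000), (60, 1040), (120, 1070), (180, 3500), (240, 6000), (300, 6020)]


def run_samples(samples=SAMPLES, rising: int = 500, falling: int = 50):
    """Return the (ts, kind, delta) events raised while replaying the samples."""
    alarm = DeltaRisingAlarm(rising=rising, falling=falling)
    for ts, value in samples:
        alarm.poll(value, ts)
    return alarm.events


if __name__ == "__main__":
    for ts, kind, delta in run_samples():
        print(f"t={ts}s {kind} threshold: delta={delta} passive opens per interval")
```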

Device Syslog History

Syslog messages report important information about events in your network. Each Extreme Networks
product acts as a syslog client, sending syslog messages to configured syslog servers. These messages
include information that reveals the security status of your network. Using syslog messages, you can
track events in your network that may affect security.
Ridgeline creates a dynamic log of syslog messages in the Reports feature. Use this log to scan for
critical security events such as:
Table 6: Security-based Syslog Messages

Error Message: <CRIT:IPHS> Possible spoofing attack

Explanation: You have a duplicate IP address on the network (same as an address on a local interface).
or
The IP source address equals a local interface on the router and the packet needs to go up the IP
stack, i.e., multicast/broadcast. In the BlackDiamond, if a multicast packet is looped back from the
switch fabric, this message appears.

This manual is also suitable for:

Ridgeline 3.0