DOS protect log message

  • Question
  • Updated 2 years ago
  • Answered
Hi, I have a problem... I see these messages in the log



I read the Extreme documents but it's not clear to me. In the ExtremeXOS 16.1 EMS Message Catalog I read that these messages are only informative, and in the DOS protect log message article it says that "Once the threshold is exceeded, it will stop the packets from reaching the CPU".
So my question is:

Is there a locking action in the SW, or is it definitely only information?
Daniel Valera

Posted 2 years ago
Hernandez, Joshua, Employee
Hello Daniel,

Dos-protect is a simulated process that will send packets to the CPU for examination based on the amount specified in the configuration (show configuration dosprotect).  Once the configured amount is exceeded it will inform with log messages.  Dos-protect checks a specified amount of packets for patterns.  If none are found it will also notify of this in the log. 

What type of locking action are you referring to?  It will help if you can provide the output of "show config dosprotect".
Daniel Valera
Thanks for your comments... I'm referring to blocking the LAN services completely for about 5 sec.


EtherMAN, Embassador
An important key to understanding how the DDOS to CPU protection works is knowing which packets are sent to the CPU versus switched in hardware.  You can run this in active mode, which will create the ACL on the fly and block the packets it is targeting in the ACL from the CPU, or you can run in simulated mode (we do this), where you get the same traps but no ACL is created.  If you are lucky you get the MAC address or IP address in the info.  This does not stop a flood on your interfaces; it only protects the CPU from being overrun...
EtherMAN, Embassador
Maybe this will help... here is a snip of log messages from a core IPTV switch that had an EAPS ring event, and there was a flood of mcast joins when the ring failed over, which is processed by the CPU.  You see the port affected and the IP address that was generating the traffic.  In our case this did not affect network traffic as this was only mcast joins.... If this were a flood or broadcast storm where the links would be overrun then it would still create an ACL, but it would not stop the traffic on the interface; it only protects the CPU from being overwhelmed by the traffic...

02/17/2016 14:36:41.77 <Info:DOSProt.DelACLOK> MSM-A: Removed ACL from port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:37.12 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:36.15 <Info:DOSProt.AddACLOK> MSM-A: Added an ACL to port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:36.05 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:35.06 <Info:DOSProt.PtrnNotFnd> MSM-A: No traffic pattern found
02/17/2016 14:36:34.97 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached

If this were a bcast storm the destination address would be the bcast address for the subnet and not 0.0.0.0 ...
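The two EtherMAN posts above explain what to look for in these messages: whether an ACL was actually added (active mode) or only announced (simulated mode), which port and source generated the CPU-bound traffic, how long the ACL stayed in place, and whether the destIP points at a broadcast storm or at something else. The script below is an added example, not code from the original thread or from Extreme Networks, that runs that reading over the log lines quoted in the post. It assumes only the message formats visible above (PktCntExcd, PtrnNotFnd, AddACLOK, DelACLOK); the two extra lines with a 10.9.8.255 destination and the 10.9.8.0/24 subnet are constructed to show the broadcast case and are not from the page.

```python
"""Parse ExtremeXOS EMS DOSProt log lines and summarise what dos-protect did.

Added example, not from the original post or from Extreme Networks. The regexes
only cover the four DOSProt messages shown in the thread above.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log. Lines 1-6 are the EMS lines quoted in the post above,
# reordered oldest-first (the post lists them newest-first). Lines 7-8 are
# constructed to show a subnet-broadcast destination; they are not from the page.
SAMPLE_LOG = """\
02/17/2016 14:36:34.97 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:35.06 <Info:DOSProt.PtrnNotFnd> MSM-A: No traffic pattern found
02/17/2016 14:36:36.05 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:36.15 <Info:DOSProt.AddACLOK> MSM-A: Added an ACL to port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 14:36:37.12 <Info:DOSProt.PktCntExcd> MSM-A: Notify-threshold for L3 Protect packet count of 3500 reached
02/17/2016 14:36:41.77 <Info:DOSProt.DelACLOK> MSM-A: Removed ACL from port 2:2, srcIP 172.16.150.60 to destIP 0.0.0.0, protocol udp
02/17/2016 15:02:10.00 <Info:DOSProt.AddACLOK> MSM-A: Added an ACL to port 1:7, srcIP 10.9.8.77 to destIP 10.9.8.255, protocol udp
02/17/2016 15:02:15.03 <Info:DOSProt.DelACLOK> MSM-A: Removed ACL from port 1:7, srcIP 10.9.8.77 to destIP 10.9.8.255, protocol udp
"""

# Assumed local subnet, used only to recognise a subnet broadcast address.
LOCAL_SUBNETS = [ip_network("10.9.8.0/24")]

EMS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<(?P<sev>\w+):DOSProt\.(?P<event>\w+)> (?P<slot>\S+): (?P<msg>.*)$"
)
ACL_RE = re.compile(
    r"port (?P<port>\S+), srcIP (?P<src>\S+) to destIP (?P<dst>\S+), protocol (?P<proto>\w+)"
)
THRESH_RE = re.compile(r"packet count of (?P<count>\d+) reached")


def parse_log(text):
    """Return one dict per DOSProt line; lines from other EMS components are ignored."""
    events = []
    for line in text.splitlines():
        m = EMS_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
        if ev["event"] in ("AddACLOK", "DelACLOK"):
            a = ACL_RE.search(ev["msg"])
            if a:
                ev.update(a.groupdict())  # port, src, dst, proto
        elif ev["event"] == "PktCntExcd":
            t = THRESH_RE.search(ev["msg"])
            if t:
                ev["count"] = int(t.group("count"))
        events.append(ev)
    return events


def classify_target(dst, subnets=LOCAL_SUBNETS):
    """Rule of thumb from the post: a broadcast storm shows the subnet's broadcast
    address as destIP, while 0.0.0.0 means the ACL matched any destination."""
    addr = ip_address(dst)
    if addr == ip_address("0.0.0.0"):
        return "any-destination"
    if addr == ip_address("255.255.255.255") or any(addr == n.broadcast_address for n in subnets):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def acl_sessions(events):
    """Pair each AddACLOK with the next DelACLOK for the same port/src/dst/proto.

    duration_s is how long dos-protect kept that flow away from the CPU; an Add
    with no matching Del (still installed, or log truncated) gets duration None.
    """
    open_acls, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "port" not in ev:
            continue
        key = (ev["port"], ev["src"], ev["dst"], ev["proto"])
        if ev["event"] == "AddACLOK":
            open_acls[key] = ev["ts"]
        elif ev["event"] == "DelACLOK" and key in open_acls:
            start = open_acls.pop(key)
            sessions.append({"port": key[0], "src": key[1], "dst": key[2], "proto": key[3],
                             "duration_s": (ev["ts"] - start).total_seconds(),
                             "target": classify_target(key[2])})
    for key, start in open_acls.items():
        sessions.append({"port": key[0], "src": key[1], "dst": key[2], "proto": key[3],
                         "duration_s": None, "target": classify_target(key[2])})
    return sessions


def threshold_hits(events):
    """Count PktCntExcd messages, i.e. how often the notify-threshold was reached."""
    return sum(1 for e in events if e["event"] == "PktCntExcd")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} DOSProt events, notify-threshold reached {threshold_hits(evs)} times")
    for s in acl_sessions(evs):
        print(s)
```

On the quoted lines this reports the threshold being reached three times, one ACL on port 2:2 for source 172.16.150.60 that stayed in place for about 5.6 seconds, and an "any-destination" target (destIP 0.0.0.0), which is the signature of the mcast-join case rather than a broadcast storm. Seeing only PktCntExcd/PtrnNotFnd lines and no AddACLOK at all is what simulated mode produces, so the presence or absence of AddACLOK pairs is the quickest way to tell from a log whether the switch is blocking anything.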