DOS attack detected

myat
Member
Posts: 10
Joined: 14 Feb 2024 01:24

DOS attack detected

Post by myat »

Hi all,

I found the logs "swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>" in our core switch (OS6860E). Does it mean it is already affected by a DoS attack, or did it just log the DoS attack with no impact on the switch? How do I investigate further? Please advise; I appreciate your kind help in advance.

Best regards,
Myat
silvio
Alcatel Unleashed Certified Guru
Posts: 1894
Joined: 01 Jul 2008 10:51
Location: Germany

Re: DOS attack detected

Post by silvio »

The switch has detected packets with a wrong source IP (not the same as in the VLAN used).
So you have to find out what device is using the wrong address and solve the problem there.
BR Silvio
myat
Member
Posts: 10
Joined: 14 Feb 2024 01:24

Re: DOS attack detected

Post by myat »

Hi
myat
Member
Posts: 10
Joined: 14 Feb 2024 01:24

Re: DOS attack detected

Post by myat »

Hi Silvio, please see the logs below. I realized that every day at 7am we get an alert for DoS attack detection. How do I find out which device is using the wrong address? There is no clue in the logs at all.
2024 Feb 20 06:49:19.035 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 falling below receive threshold.
2024 Feb 20 06:49:29.040 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 rising above receive threshold.
2024 Feb 20 06:50:39.080 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 falling below receive threshold.
2024 Feb 20 06:50:59.090 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 rising above receive threshold.
2024 Feb 20 06:51:09.097 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 falling below receive threshold.
2024 Feb 20 07:00:01.797 C swlogd ipv4 dos EVENT: CUSTLOG CMM Denial of Service attack detected: <invalid ip>
2024 Feb 20 07:30:30.474 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 rising above receive threshold.
2024 Feb 20 07:33:20.591 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 falling below receive threshold.
2024 Feb 20 07:33:40.598 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 rising above receive threshold.
2024 Feb 20 07:33:50.605 C swlogd healthCmm main EVENT: CUSTLOG CMM Port 2/1/1 falling below receive threshold.
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: DOS attack detected

Post by Gleylancer »

You need a sniffer like Wireshark to analyze stuff like this. The switch is capable of capturing packets, but the payload is cut off, so it might be better to capture traffic with a real sniffer.
myat
Member
Posts: 10
Joined: 14 Feb 2024 01:24

Re: DOS attack detected

Post by myat »

Hi Gley,

Thank you so much for your kind help. Do I just need to put in the switch IP, or how do I sniff the traffic with Wireshark? Can you please guide me, as I am not that familiar with Wireshark? I appreciate your kind assistance.

Best regards,
Myat
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: DOS attack detected

Post by Gleylancer »

Sorry, but I'm not gonna write a Wireshark guide here, there's plenty of those on the internet already.
myat
Member
Posts: 10
Joined: 14 Feb 2024 01:24

Re: DOS attack detected

Post by myat »

Hi Gley,

It's okay. I will find it out. Thanks for your information.

Best regards,
Myat