Configuring Advanced Threat Protection
Using the Instrumentation Monitor
Using the Instrumentation Monitor
The instrumentation monitor can be used to detect anomalies caused by
security attacks or other irregular operations on the switch. The following
table shows the operating parameters that can be monitored at pre-deter
mined intervals, and the possible security attacks that may trigger an alert:
Parameter Name
Description
pkts-to-closed-ports
The count of packets per minute sent to closed TCP/UDP ports.
An excessive amount of packets could indicate a port scan, in
which an attacker is attempting to expose a vulnerability in the
switch.
arp-requests
The count of ARP requests processed per minute. A large
amount of ARP request packets could indicate an host infected
with a virus that is trying to spread itself.
ip-address-count
The number of destination IP addresses learned in the IP
forwarding table. Some attacks fill the IP forwarding table
causing legitimate traffic to be dropped.
system-resource-usage
The percentage of system resources in use. Some Denial-of-
Service (DoS) attacks will cause excessive system resource
usage, resulting in insufficient resources for legitimate traffic.
login-failures/min
The count of failed CLI login attempts or SNMP management
authentication failures. This indicates an attempt has been
made to manage the switch with an invalid login or password.
Also, it might indicate a network management station has not
been configured with the correct SNMP authentication param
eters for the switch.
port-auth-failures/min
The count of times a client has been unsuccessful logging into
the network
system-delay
The response time, in seconds, of the CPU to new network
events such as BPDU packets or packets for other network
protocols. Some DoS attacks can cause the CPU to take too
long to respond to new network events, which can lead to a
breakdown of Spanning Tree or other features. A delay of
several seconds indicates a problem.
mac-address-count
The number of MAC addresses learned in the forwarding table.
Some attacks fill the forwarding table so that new conversa
tions are flooded to all parts of the network.
mac-moves/min
The average number of MAC address moves from one port to
another per minute. This usually indicates a network loop, but
can also be caused by DoS attacks.
learn-discards/min
Number of MAC address learn events per minute discarded to
help free CPU resources when busy.
10-23
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......