On my CSS 11506, the logs are full of this kind of error message:
"NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every second, flooding our syslogd and trapd server.
The first information one would obviously require is which IP address, and on which interface, is causing this error message.
I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events, I can't see any of these events; I only see a few SYN Attacks detailed events.
So does anyone know where I can get the details for these "Illegal Src Attacks" events?
Many thanks for any help,
As the log clearly says, this message appears due to many packets that try to get across the CSS with illegal source addresses; most of the time these are illegal broadcasts. The details about source and destination addresses should appear with "show DoS" unless the SYN attacks are overriding the illegal src logs.
Try to clean the DoS counters (#zero dos statistics) and monitor the CSS for a while using Show DoS; you should be able to get the details for the illegal src attack.
I have had experience with these messages, and in most cases these logs appear when one of two things happens:
1- If there is any kind of loop where a broadcast packet emitted by the CSS arrives at the same CSS but on a different interface.
2- Some firewalls generate heartbeat packets addressed to 0.0.0.0; if this heartbeat gets to the CSS, it will be logged as an attack. Since in your case the logs appear very often, you may consider looking for any firewall over there.
If you keep having issues finding the source of these attacks, I would advise you to run some sniffer captures on the interfaces of the CSS and look for any strange broadcast or multicast packets.
Let me know if you have any other information we can use to find the source of these logs.
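
For the sniffer-capture step suggested in the reply above, here is an added example (not from either poster, and not Cisco code) that triages a classic pcap file and counts source/destination pairs whose source is not a unicast address or whose destination is 0.0.0.0. The address classes treated as suspicious, the function names and the sample capture are assumptions made for illustration; the CSS's own "Illegal Src" rules may differ.

```python
import ipaddress
import struct
from collections import Counter

def classify(addr):
    """Reason an IPv4 address is not a usable unicast host address, else None."""
    ip = ipaddress.IPv4Address(addr)
    checks = (("unspecified", ip.is_unspecified), ("broadcast", int(ip) == 0xFFFFFFFF),
              ("multicast", ip.is_multicast), ("loopback", ip.is_loopback))
    return next((name for name, bad in checks if bad), None)

def suspicious_flows(pcap):
    """Count (src, dst, reason) over Ethernet II / IPv4 frames in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (non-pcapng) capture file")
    hits, off = Counter(), 24                      # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not Ethernet II + IPv4
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        reason = classify(src)
        if reason:
            hits[(src, dst, "src " + reason)] += 1
        elif classify(dst) == "unspecified":       # e.g. heartbeat sent to 0.0.0.0
            hits[(src, dst, "dst unspecified")] += 1
    return hits

def _frame(src, dst):
    """Constructed test frame: Ethernet II header + minimal 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\xff" * 6 + b"\x02" + b"\x00" * 5 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture (made-up addresses), not traffic from the thread."""
    pairs = [("0.0.0.0", "10.0.0.255"), ("10.0.0.5", "10.0.0.9"), ("10.0.0.7", "0.0.0.0"),
             ("255.255.255.255", "10.0.0.1"), ("0.0.0.0", "10.0.0.255")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        f = _frame(src, dst)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A source of 0.0.0.0 is normal for DHCP clients, so check the destination before treating a hit as the cause. Subnet-directed broadcast sources depend on the interface netmask and are not detected here.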