Product guide
Configuring Advanced Threat Protection
Using the Instrumentation Monitor
The instrumentation monitor can be used to detect anomalies caused by
security attacks or other irregular operations on the switch. The following
table shows the operating parameters that can be monitored at pre-determined
intervals, and the possible security attacks that may trigger an alert:
ProCurve(config)# debug arp protect
1. ARP request is valid
"DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan "
2. ARP request detected with an invalid binding
"DARPP: Deny ARP request 000000-000003,10.0.0.1 port A1, vlan 1"
3. ARP response with a valid binding
"DARPP: Allow ARP reply 000000-000002,10.0.0.2 port A2, vlan 1"
4. ARP response detected with an invalid binding
"DARPP: Deny ARP reply 000000-000003,10.0.0.2 port A2, vlan 1"
Parameter Name          Description
pkts-to-closed-ports    The count of packets per minute sent to closed TCP/UDP
                        ports. An excessive number of packets could indicate a
                        port scan, in which an attacker is attempting to expose
                        a vulnerability in the switch.
arp-requests            The count of ARP requests processed per minute. A large
                        number of ARP request packets could indicate a host
                        infected with a virus that is trying to spread itself.
ip-address-count        The number of destination IP addresses learned in the
                        IP forwarding table. Some attacks fill the IP forwarding
                        table, causing legitimate traffic to be dropped.
system-resource-usage   The percentage of system resources in use. Some
                        Denial-of-Service (DoS) attacks will cause excessive
                        system resource usage, resulting in insufficient
                        resources for legitimate traffic.
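
The DARPP debug messages shown on this page can be tallied by a script to see which ports and MAC addresses are being denied. The Python below is an added example, not part of the product guide: the message layout is inferred from the four samples above, and the function names and the unrelated fifth log line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Message layout inferred from the four debug samples on this page (assumption).
DARPP_RE = re.compile(
    r"DARPP: (?P<verdict>Allow|Deny) ARP (?P<kind>request|reply) "
    r"(?P<mac>[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}),(?P<sender_ip>\d+(?:\.\d+){3})"
    r"(?: for (?P<target_ip>\d+(?:\.\d+){3}))? "
    r"port (?P<port>[^\s,]+), vlan ?(?P<vlan>\d*)"
)

def parse_darpp(line):
    """Return the fields of one DARPP debug message, or None if it is not one."""
    m = DARPP_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["vlan"] = event["vlan"] or None  # the VLAN ID may be missing from a line
    return event

def summarize_denies(lines):
    """Count denies per (port, MAC) and list the sender IPs each denied MAC claimed."""
    per_source = Counter()
    claimed_ips = defaultdict(set)
    for line in lines:
        event = parse_darpp(line)
        if event is None or event["verdict"] != "Deny":
            continue
        per_source[(event["port"], event["mac"])] += 1
        claimed_ips[event["mac"]].add(event["sender_ip"])
    # A MAC denied while claiming several sender IPs deserves a closer look.
    multi_ip = {mac: sorted(ips) for mac, ips in claimed_ips.items() if len(ips) > 1}
    return per_source, multi_ip

# The four sample messages from this page, plus one unrelated line (constructed).
SAMPLE_LOG = [
    "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan ",
    "DARPP: Deny ARP request 000000-000003,10.0.0.1 port A1, vlan 1",
    "DARPP: Allow ARP reply 000000-000002,10.0.0.2 port A2, vlan 1",
    "DARPP: Deny ARP reply 000000-000003,10.0.0.2 port A2, vlan 1",
    "unrelated message that is not a DARPP event",
]

if __name__ == "__main__":
    denies, multi_ip = summarize_denies(SAMPLE_LOG)
    for (port, mac), count in sorted(denies.items()):
        print(f"port {port} mac {mac}: {count} denied")
    for mac, ips in multi_ip.items():
        print(f"{mac} was denied while claiming {', '.join(ips)}")
```

On the page's own samples, the two Deny messages come from the same MAC address on two different ports, each time with a different sender IP, which the second result makes visible.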