Dec 15, 2011

"Blocking DOS attack" shown on LTM LED: how to track the attack source?

An alert "Blocking DOS attack" showed on the LTM LED.



And the Local Traffic log only has two entries that look related.




"sweeper_update: aggressive mode activated. 372313/438016 pages sweeper_update: aggressive mode activated. 372313/438016 pages"




"sweeper_update: aggressive mode deactivated. 371799/438016 pages sweeper_update: aggressive mode deactivated. 371799/438016 pages"



The system performance and connections looked normal at that time.




I want to track the attack source. What should I do?



  • Hi Roger,



    I don't think LTM logs any info on source IP address(es) when it goes into sweeper mode. These alerts are triggered when LTM runs low on memory. Here are a few related solutions:



    sol4611: Overview of adaptive reaping




    sol7301: Protecting the BIG-IP LTM against denial of service attacks
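
An added example, not part of the original thread or F5's code: since the sweeper entries carry a used/total memory-page count rather than a source address, this parser turns them into utilisation percentages and activation windows that can be correlated with traffic captures or connection-table data from the same period. The message bodies are the two entries quoted in the question; the timestamp, hostname and process prefix are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the message bodies are the two entries quoted in the
# question; the timestamp/host/process prefix is an assumed syslog-style
# layout, not copied from a real log file.
SAMPLE_LOG = """\
Dec 15 10:02:11 ltm1 tmm[4321]: sweeper_update: aggressive mode activated. 372313/438016 pages
Dec 15 10:02:49 ltm1 tmm[4321]: sweeper_update: aggressive mode deactivated. 371799/438016 pages
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?"
    r"sweeper_update: aggressive mode (?P<state>activated|deactivated)\.\s*"
    r"\(?(?P<used>\d+)/(?P<total>\d+) pages\)?"
)

def parse_events(text, year=2011):
    """Return (timestamp, state, used_pages, total_pages) per sweeper line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["state"], int(m["used"]), int(m["total"])))
    return events

def aggressive_windows(events):
    """Pair each 'activated' with the next 'deactivated' into a time window."""
    windows, start = [], None
    for ts, state, used, total in events:
        pct = round(100.0 * used / total, 2)  # memory pages in use, percent
        if state == "activated":
            start = (ts, pct)
        elif start is not None:
            windows.append({"start": start[0], "end": ts,
                            "seconds": (ts - start[0]).total_seconds(),
                            "pct_on": start[1], "pct_off": pct})
            start = None
    if start is not None:  # log ends while aggressive mode is still active
        windows.append({"start": start[0], "end": None, "seconds": None,
                        "pct_on": start[1], "pct_off": None})
    return windows

if __name__ == "__main__":
    for w in aggressive_windows(parse_events(SAMPLE_LOG)):
        print(w)
```

On the question's values, aggressive mode switched on at 85.0% page use and off at 84.88%, figures to compare against the adaptive reaper water marks configured on the unit.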