How does CA Spectrum protect against Trap Storms

Document ID : KB000020955
Last Modified Date : 14/02/2018

Description:

The current Spectrum 9.2.3 documentation, in the Modeling and Managing your IT Infrastructure Guide, describes trap storm handling as follows:

Trap Storm Rate

Defines the number of traps received per second that will disable trap handling, if the rate is sustained for the amount of time specified by the Trap Storm Length attribute.

Storms for unmanaged traps are determined on the combined number of traps received from all unmodeled devices, whereas storms for modeled devices are determined on a model-by-model basis.

Default: 20

Solution:

CA Spectrum no longer functions this way. From Spectrum 9.2 up to and including the current release, Spectrum 9.2.3, trap storm protection works as follows:

We use a PIM table (a reverse lookup from IP address to model handle), and each entry has its own object performing storm detection for that IP. Every known IP address of a model results in a PIM entry, and each unknown trap source address is also added as a separate PIM entry (you can see this by dumping the PIM table via the 0x10248 action). These unknown addresses are all mapped to the VNM model, but because each is a separate entry in the table, storm detection is performed only per address. If one unknown address exceeds the rate, traps from that source are blocked, but other unknown sources are unaffected. Likewise, if the sum of the rates of all unknown sources is above the threshold but each individual rate is below it, nothing happens. So, in theory, you can end up with an unlimited volume of unknown SNMP device events if enough devices send them at just the right rate.
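To make the per-address behaviour concrete, here is a small added simulation (not CA's code; the 20 traps/s threshold comes from the article, while the 3-second storm length and the IP addresses are constructed assumptions). Each source gets its own counter, so one source exceeding the rate is blocked, while ten unknown sources that each stay below it are all handled even though their combined rate is far above the threshold.

```python
from collections import defaultdict

# Trap Storm Rate 20 traps/s is the page's default; a Trap Storm Length of
# 3 s is a constructed assumption (the page does not state its default).
TRAP_STORM_RATE = 20
TRAP_STORM_LENGTH = 3


class PerSourceStormDetector:
    """One counter per source address (a PIM entry). A source is blocked only
    when its OWN rate reaches the threshold for `length` consecutive seconds;
    the combined rate of all sources is never compared to the threshold."""

    def __init__(self, rate=TRAP_STORM_RATE, length=TRAP_STORM_LENGTH):
        self.rate, self.length = rate, length
        self.counts = defaultdict(lambda: defaultdict(int))  # ip -> {sec: n}
        self.blocked = set()

    def receive(self, source_ip, ts):
        """Record one trap; True if handled, False if dropped as a storm."""
        if source_ip in self.blocked:
            return False
        bucket = int(ts)
        self.counts[source_ip][bucket] += 1
        if self._sustained_storm(source_ip, bucket):
            self.blocked.add(source_ip)
        return True

    def _sustained_storm(self, ip, bucket):
        # Storm if the last `length` one-second buckets all reach the rate.
        per_sec = self.counts[ip]
        return all(per_sec.get(bucket - i, 0) >= self.rate for i in range(self.length))

    def aggregate_rate(self, bucket):
        """Traps/s across all sources in one second (for reporting only)."""
        return sum(per_sec.get(bucket, 0) for per_sec in self.counts.values())


def simulate(sources, traps_per_second, seconds):
    """Constructed scenario: every source sends `traps_per_second` evenly
    spaced traps for `seconds` seconds. Returns (blocked set, peak aggregate)."""
    det = PerSourceStormDetector()
    for s in range(seconds):
        for ip in sources:
            for k in range(traps_per_second):
                det.receive(ip, s + k / traps_per_second)
    peak = max(det.aggregate_rate(s) for s in range(seconds))
    return det.blocked, peak
```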

The Modeling and Managing your IT Infrastructure Guide will be updated in a future release or service pack.