Attack Detection is triggered for a client on a CacheFlow what can I do?
Article ID: 165362

Products

CF-5000 CF-500

Issue/Introduction

Attack Detection for a client can be triggered two different ways:

1. A client exceeds the connection limit
2. A client exceeds the failure limit and receives the configured number of warnings

The default limits are shown below.
Warning: In a service provider environment the default limits may be unacceptably low.

Default client limits:
 Client connection limit: 100
 Client failure limit: 50
 Client warning limit: 10
 Blocked client action: Drop
 Client connection unblock time: unlimited

If a client exceeds the configured number of connections, any additional connections will be blocked and the following syslog message will be recorded. The client remains blocked until its number of connections drops below the configured limit.

#show syslog entries start "2013-08-30 16:00:00" regex ".*connection limit.*"

2013-08-30 16:13:34-04:00EDT  "Connection denied for 10.167.0.144 due to connection limit"  0 30212:96 event_logger.cpp:34
2013-08-30 16:13:34-04:00EDT  "Connection denied for 10.167.0.144 due to connection limit"  0 30212:96 event_logger.cpp:34

If a client exceeds the number of failures and receives the configured number of warnings, any additional connections will be blocked and the following syslog message will be recorded. The client remains blocked for the configured amount of time (the client connection unblock time).

#show syslog entries start "2013-08-30 16:00:00" regex ".*failure limit.*"

2013-08-30 16:26:08-04:00EDT  "Blocking client IP address 10.167.0.144, exceeded request failure limit "  0 450000:1E logging.cpp:52

Once it has been determined which clients have been blocked, the next step is to take a packet capture. Based on the destination IP address(es) the client is contacting, it may be possible to determine whether the client is infected or is trying to launch an attack. Either way, the client is consuming resources on the CacheFlow and performance may be degraded. The client should be blocked at the source, or the intended destination should be diverted away from the CacheFlow.

#pcap filter expr "host 10.167.0.144"
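As an added example (not part of the article or of the CacheFlow software), the following Python parses `show syslog entries` output in the format shown above, separates connection-limit denials from failure-limit blocks, and produces the `pcap filter expr` command for each blocked client. The sample entries are constructed; 10.167.0.201 is an assumed second client added for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog output in the format shown by `show syslog entries`
# on this page. 10.167.0.144 is the address from the article; 10.167.0.201
# and the unrelated last entry are constructed for the example.
SAMPLE_SYSLOG = """\
2013-08-30 16:13:34-04:00EDT  "Connection denied for 10.167.0.144 due to connection limit"  0 30212:96 event_logger.cpp:34
2013-08-30 16:13:34-04:00EDT  "Connection denied for 10.167.0.144 due to connection limit"  0 30212:96 event_logger.cpp:34
2013-08-30 16:26:08-04:00EDT  "Blocking client IP address 10.167.0.144, exceeded request failure limit "  0 450000:1E logging.cpp:52
2013-08-30 16:27:41-04:00EDT  "Connection denied for 10.167.0.201 due to connection limit"  0 30212:96 event_logger.cpp:34
2013-08-30 16:30:00-04:00EDT  "Some unrelated message"  0 12345:01 other.cpp:10
"""

# A syslog entry starts with a timestamp, then the quoted message text.
ENTRY_RE = re.compile(r'^(?P<ts>\S+ \S+)\s+"(?P<msg>[^"]*)"')
# The two attack-detection messages quoted in the article.
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
CONN_RE = re.compile(rf"Connection denied for {IPV4} due to connection limit")
FAIL_RE = re.compile(rf"Blocking client IP address {IPV4}, exceeded request failure limit")

@dataclass(frozen=True)
class BlockEvent:
    timestamp: str
    client_ip: str
    reason: str  # "connection_limit" or "failure_limit"

def parse_block_events(syslog_text):
    """Extract attack-detection block events, skipping unrelated entries."""
    events = []
    for line in syslog_text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        msg = entry.group("msg")
        if (m := CONN_RE.search(msg)):
            events.append(BlockEvent(entry.group("ts"), m.group("ip"), "connection_limit"))
        elif (m := FAIL_RE.search(msg)):
            events.append(BlockEvent(entry.group("ts"), m.group("ip"), "failure_limit"))
    return events

def summarize(events):
    """Count events per (client, reason) so blocked clients can be triaged."""
    return Counter((e.client_ip, e.reason) for e in events)

def pcap_filters(events):
    """One `pcap filter expr` command per blocked client, for the capture step."""
    return [f'pcap filter expr "host {ip}"' for ip in sorted({e.client_ip for e in events})]
```

Run `summarize(parse_block_events(SAMPLE_SYSLOG))` to see which clients hit which limit, then feed the addresses from `pcap_filters` into the capture step described above.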