ONTAP Discussions

How do ARP snapshot options work?

Leiz23

In ONTAP ARP, the maximum number of snapshot copies is 8.

What happens if arw.surge.snap.interval.days is set to 100 days?

And if there are multiple attacks, let's say 100 attacks on the same volume, how many ARP snapshots will be retained?

If it is 8, then arw.surge.snap.interval.days is meaningless.


https://docs.netapp.com/us-en/ontap/anti-ransomware/modify-automatic-snapshot-options-task.html

1 ACCEPTED SOLUTION

Ashun

Hi,

The situation is exactly as you said, but each has its own advantages.

If the attacks are frequent, the system may always generate new snapshots, causing the number of snapshots to exceed eight. In this case, the eight-snapshot limit becomes more important, and the 100-day time window is not very useful.

If the attacks are infrequent and the system does not frequently reach the 8-snapshot limit, then the 100-day retention window takes effect, ensuring that snapshots are not deleted during this time.


Leiz23

Hi Ashun,

Thanks for the reply.

Is there any reason that we set a hard limit of 8?

My point is that we don't have to hard limit it; let users decide the number of snapshots to keep.

If the attack is frequent, and ARP finds it immediately and takes snapshots, the first few snapshots are clean.

But they are deleted after more attacks, and then the snapshots taken later are not usable or partially unusable.

If the attacker knows how these options work, they can just attack more frequently and let ONTAP delete the good snapshots for them.

I highly recommend changing this behavior and keeping the snapshots when the user sets the retention period.

br

Lei
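
To make the trade-off discussed in this thread concrete, the following is an added example (not part of the thread and not NetApp code) that compares a count cap with oldest-first deletion against a time-window-only policy. The eviction order, the one-snapshot-per-detection rule, the 4-hour spacing and the 12-hour clean cutoff are assumptions made for illustration, not documented ONTAP behaviour.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_COUNT = 8        # snapshot cap quoted in the thread
WINDOW_DAYS = 100    # retention value proposed in the question
T0 = datetime(2024, 1, 1)  # constructed start of the first detection


def retained(triggers, max_count=None, window_days=None):
    """Creation times still kept after the last trigger (assumed model)."""
    kept = deque()
    for t in triggers:
        if window_days is not None:
            # Assumption: snapshots older than the window expire.
            while kept and t - kept[0] > timedelta(days=window_days):
                kept.popleft()
        kept.append(t)  # Assumption: one snapshot per detection.
        if max_count is not None:
            # Assumption: the oldest snapshot is deleted first at the cap.
            while len(kept) > max_count:
                kept.popleft()
    return list(kept)


def clean(kept, tainted_from):
    """Snapshots taken before the data is assumed to be damaged."""
    return [t for t in kept if t < tainted_from]


def scenario():
    # Constructed input: 100 detections, one every 4 hours; data is assumed
    # intact in snapshots taken during the first 12 hours.
    triggers = [T0 + timedelta(hours=4 * i) for i in range(100)]
    tainted_from = T0 + timedelta(hours=12)
    capped = retained(triggers, MAX_COUNT, WINDOW_DAYS)
    window_only = retained(triggers, None, WINDOW_DAYS)
    return {
        "capped_kept": len(capped),
        "capped_oldest_age_h": (triggers[-1] - capped[0]) / timedelta(hours=1),
        "capped_clean": len(clean(capped, tainted_from)),
        "window_kept": len(window_only),
        "window_clean": len(clean(window_only, tainted_from)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Under these assumptions the capped policy's oldest recovery point is only 28 hours old when the last detection fires, which is the figure to compare against your own detection-to-response time when reviewing retention settings.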

Ashun

Lei bro,

I'm sorry for the late reply.

I think what you said is very reasonable. As for the 8 snapshots set by NetApp, it may be meant to prevent a surge of snapshots that would cause more system resources to be occupied.

The way I understand it, if all the rule settings are defaults:

Case:
An ARP snapshot is created at the beginning of the attack; this ARP snapshot is S1. If the attack continues, no ARP snapshot is created. After more than 4 hours, an ARP snapshot is created, and this snapshot is S2.
Six snapshots, S1-S6, are created. 24 hours have passed. I believe that 24 hours to respond to attackers and recover data is more than enough.

If it is not fixed, the attack continues. The rule gradually changes to create ARP snapshots at an eight-hour interval. Each ARP snapshot is retained for 48 hours, and snapshots are taken every five days for five days. If we get to that point, it's been a long time since the attack started, and if we can't fix it in the meantime, I think we can replace it with a better security team.
