Example for Configuring Attack Source Tracing

Networking Requirements

As shown in Figure 1, users on different network segments access the Internet through SwitchA. Because there are a large number of access users, SwitchA often processes a large number of ARP packets, leading to a high CPU usage and hence affecting services. The administrator requires that the device analyze the ARP packets sent to the CPU, identify the packets whose rate exceeds the threshold as attack packets, find out the attack source user or source interface, and send logs and alarms to notify the administrator so that the administrator can take security measures to protect the CPU. Users on Net2 are fixed authorized users, so the administrator needs to ensure that ARP packets of these users can be sent to the CPU.

Figure 1 Networking diagram of attack source tracing

Configuration Roadmap

Configure the attack source tracing function, threshold, and type of the packets to be defended against, and enable the device to trace and analyze the ARP packets whose rate exceeds the threshold.
Configure the attack source tracing mode based on the source IP address and source MAC address.
Configure the attack source tracing alarm function so that the device can send an alarm to the administrator when detecting an attack source. Configure the attack source tracing punishment function and specify the punishment action to discard attack packets.
Add users on Net2 to the whitelist to exclude them from attack source tracing analysis and punishment.

Procedure

Configure an attack defense policy.

# Create an attack defense policy.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] cpu-defend policy policy1

# Configure attack source tracing.

[SwitchA-cpu-defend-policy-policy1] auto-defend enable

# Configure the attack source tracing threshold.

[SwitchA-cpu-defend-policy-policy1] auto-defend threshold 60

# Configure the type of packets to which attack source tracing is applied.

[SwitchA-cpu-defend-policy-policy1] auto-defend protocol arp

# Configure the attack source tracing mode.

[SwitchA-cpu-defend-policy-policy1] auto-defend trace-type source-ip source-mac

# Enable the alarm function for attack source tracing.

[SwitchA-cpu-defend-policy-policy1] auto-defend alarm enable

# Enable the punishment function for attack source tracing.

Before configuring the punishment action, ensure that the device is under attack; otherwise, the device may discard a lot of valid protocol packets according to the configured punishment action.

[SwitchA-cpu-defend-policy-policy1] auto-defend action deny timer 300
[SwitchA-cpu-defend-policy-policy1] quit

# Configure a whitelist for attack source tracing.

You are advised to add the IP addresses of valid servers, interconnected interfaces, and IP address of the network management device to the whitelist.

[SwitchA] acl number 2001
[SwitchA-acl-basic-2001] rule permit source 10.2.2.0 0.0.0.255
[SwitchA-acl-basic-2001] quit
[SwitchA] cpu-defend policy policy1
[SwitchA-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2001
[SwitchA-cpu-defend-policy-policy1] quit

Apply the attack defense policy globally.

[SwitchA] cpu-defend-policy policy1 global
[SwitchA] quit

Verify the configuration.

# Display the configuration of attack source tracing.

<SwitchA> display auto-defend configuration
 ----------------------------------------------------------------------------   
 Name  : policy1
 Related slot : <0>
 auto-defend                      : enable
 auto-defend attack-packet sample : 5
 auto-defend threshold            : 60 (pps)
 auto-defend alarm                : enable
 auto-defend trace-type           : source-mac source-ip 
 auto-defend protocol             : arp   
 auto-defend action               : deny (Expired time : 300 s)
 auto-defend whitelist 1          : acl number 2001
 ----------------------------------------------------------------------------

# Display information about the attack source after a period of time.

<SwitchA> display auto-defend attack-source
  Attack Source User Table (slot 0):
  -----------------------------------------------------------------------------
  MacAddress       InterfaceName               Vlan:Outer/Inner    TotalPackets
  -----------------------------------------------------------------------------
  0000-c103-0102   GigabitEthernet0/0/1        10                  1395
  -----------------------------------------------------------------------------
  Total: 1

  Attack Source Port Table (slot 0):
  ------------------------------------------------------------
  InterfaceName               Vlan:Outer/Inner    TotalPackets
  ------------------------------------------------------------
  GigabitEthernet0/0/1        10                  605
  ------------------------------------------------------------
  Total: 1

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
acl number 2001
 rule 5 permit source 10.2.2.0 0.0.0.255
#
cpu-defend policy policy1                                
 auto-defend alarm enable
 auto-defend protocol arp
 auto-defend action deny     
 auto-defend whitelist 1 acl 2001
#
cpu-defend-policy policy1 global
# 
return

Example for Configuring Attack Source Tracing

Networking Requirements

Configuration Roadmap

Procedure

Configuration Files

Related Content