
Local Attack Defense

Attack Behavior

A large number of packets, including malicious attack packets targeted at Central Processing Units (CPUs) and valid packets sent to CPUs, are transmitted on networks. The malicious attack packets overwhelm the CPUs, affecting services and causing a system breakdown. In addition, excessive valid packets can also lead to high CPU usage, which degrades the CPU's performance and interrupts services.

Security Policy

To ensure that CPUs process services properly, the switches provide the local attack defense function. When a switch is undergoing an attack, this function ensures uninterrupted service transmission and minimizes the impact on network services.

Local attack defense comprises four functions: CPU attack defense, attack source tracing, port attack defense, and user-level rate limiting.

  • CPU attack defense

    A switch can limit the rate of all packets sent to the CPU to protect the CPU.

    The core of CPU attack defense is the Control Plane Committed Access Rate (CPCAR) function. CPCAR limits the rate of protocol packets sent to the control plane to ensure control plane security.

  • Attack source tracing

    Attack source tracing defends against DoS attacks. A switch enabled with attack source tracing analyzes packets sent to the CPU, collects statistics about the packets, and specifies a threshold for the packets. The switch considers excess packets as attack packets, locates the attack source user or interface by analyzing the attack packets, and generates logs or alarms. Accordingly, the network administrator can take measures to defend against attacks or configure the switch to discard packets from the attack source.

  • Port attack defense

    Port attack defense is an anti-DoS method. If a port receives a large number of protocol packets, the protocol packets occupy bandwidth and the protocol packets received by other ports cannot be sent to the CPU. The port attack defense function prevents attacks based on ports.

    By default, a switch is enabled with port attack defense for common protocol packets, such as Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Dynamic Host Configuration Protocol (DHCP), and Internet Group Management Protocol (IGMP) packets. When an attack occurs, the switch isolates attack impact within the port that receives attack packets, reducing attack impact on other ports.

  • User-level rate limiting

    User-level rate limiting identifies users based on MAC address and limits the rates of specified protocol packets, such as ARP, Neighbor Discovery (ND), DHCP Request, DHCPv6 Request, IGMP, 802.1x, and HTTPS-SYN packets. If a user suffers a DoS attack, other users are not affected. The core of user-level rate limiting is Host Committed Access Rate (CAR). By default, user-level rate limiting is enabled.

Configuration Method

  • Modify the CPCAR value of protocol packets.

    Improper CPCAR settings will affect services. If you need to adjust CPCAR settings, contact technical support personnel.

    Decrease the CPCAR value of protocol packets or set the CPCAR action to deny to prevent packets that have low priorities or do not need to be processed from being sent to the CPU, ensuring proper system running.

    Set the rate at which ICMP packets are sent to the CPU to 64 kbit/s and configure the switch to discard TTL-expired packets.

    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy 1
    [HUAWEI-cpu-defend-policy-1] car packet-type icmp cir 64
    [HUAWEI-cpu-defend-policy-1] deny packet-type ttl-expired
    [HUAWEI-cpu-defend-policy-1] quit
    [HUAWEI] cpu-defend-policy 1 global
    [HUAWEI] cpu-defend-policy 1
  • Configure a blacklist to disable the switch from sending protocol packets from specified users to the CPU.

    If the packet count of a protocol in the CPCAR statistics increases unexpectedly, a user may be sending a large number of packets of that protocol to the switch. If analysis of these packets shows heavy-traffic characteristics, such as a fixed source IP or MAC address, configure a blacklist so that the switch does not send these protocol packets to the CPU.

    Disable the switch from sending ARP packets with fixed source MAC addresses to the CPU.

    <HUAWEI> system-view
    [HUAWEI] acl number 4000
    [HUAWEI-acl-L2-4000] rule 10 permit l2-protocol 0x0806 0xffff source-mac 0000-0000-00db ffff-ffff-ffff
    [HUAWEI-acl-L2-4000] quit
    [HUAWEI] cpu-defend policy 1
    [HUAWEI-cpu-defend-policy-1] blacklist 1 acl 4000
    [HUAWEI-cpu-defend-policy-1] quit
    [HUAWEI] cpu-defend-policy 1 global
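
The following Python simulation is an added example, not Huawei code, and it models the three actions the two procedures above configure: a blacklist ACL match on EtherType and source MAC, an unconditional deny for a packet type, and a CPCAR token bucket per packet type. The pipeline order (blacklist, then deny, then CPCAR), the burst size (one second of CIR), and all packet values are assumptions or constructed data; the real switch enforces these checks in hardware per slot.

```python
"""Simulation of a CPU-defend policy with the three actions used above:
blacklist (ACL match), deny per packet type, and CPCAR (per-type token bucket).
Added example, not Huawei code. The pipeline order, the burst size (one second
of CIR) and all packet values are assumptions / constructed data."""
from dataclasses import dataclass


@dataclass
class Packet:
    ptype: str          # classified packet type: "icmp", "arp", "ttl-expired", ...
    ethertype: int      # 0x0806 for ARP, 0x0800 for IPv4
    src_mac: str        # Huawei notation, e.g. "0000-0000-00db"
    size: int = 64      # bytes; CPCAR is configured in kbit/s


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", ""), 16)


@dataclass
class L2AclRule:
    """Equivalent of: rule permit l2-protocol <type> <mask> source-mac <mac> <mask>."""
    ethertype: int
    ethertype_mask: int
    src_mac: str
    src_mac_mask: str

    def matches(self, pkt: Packet) -> bool:
        if (pkt.ethertype & self.ethertype_mask) != (self.ethertype & self.ethertype_mask):
            return False
        mask = mac_to_int(self.src_mac_mask)
        return (mac_to_int(pkt.src_mac) & mask) == (mac_to_int(self.src_mac) & mask)


class TokenBucket:
    """CIR in kbit/s; the bucket holds one second of CIR (assumed burst size)."""
    def __init__(self, cir_kbps: int):
        self.rate_bps = cir_kbps * 1000
        self.tokens = float(self.rate_bps)
        self.last = 0.0

    def allow(self, now: float, size_bytes: int) -> bool:
        self.tokens = min(self.rate_bps, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        need = size_bytes * 8
        if self.tokens >= need:
            self.tokens -= need
            return True
        return False


class CpuDefendPolicy:
    def __init__(self):
        self.blacklist = []     # L2AclRule entries: matching packets never reach the CPU
        self.deny = set()       # packet types dropped unconditionally
        self.car = {}           # packet type -> TokenBucket
        self.stats = {"pass": 0, "blacklist_drop": 0, "deny_drop": 0, "car_drop": 0}

    def process(self, pkt: Packet, now: float) -> str:
        """Return the verdict for one packet headed to the CPU and update counters."""
        if any(rule.matches(pkt) for rule in self.blacklist):
            verdict = "blacklist_drop"
        elif pkt.ptype in self.deny:
            verdict = "deny_drop"
        elif pkt.ptype in self.car and not self.car[pkt.ptype].allow(now, pkt.size):
            verdict = "car_drop"
        else:
            verdict = "pass"
        self.stats[verdict] += 1
        return verdict


def run_demo():
    """Replays constructed traffic through the policy configured in the text above."""
    policy = CpuDefendPolicy()
    policy.car["icmp"] = TokenBucket(64)                # car packet-type icmp cir 64
    policy.deny.add("ttl-expired")                      # deny packet-type ttl-expired
    policy.blacklist.append(                            # blacklist 1 acl 4000
        L2AclRule(0x0806, 0xFFFF, "0000-0000-00db", "ffff-ffff-ffff"))
    # 100 ICMP packets of 1000 bytes in one burst at t=0: 64 kbit admits 8 of them
    for _ in range(100):
        policy.process(Packet("icmp", 0x0800, "0000-0000-0001", 1000), 0.0)
    for _ in range(5):
        policy.process(Packet("ttl-expired", 0x0800, "0000-0000-0002"), 0.0)
    for _ in range(3):
        policy.process(Packet("arp", 0x0806, "0000-0000-00db"), 0.0)   # blacklisted MAC
    policy.process(Packet("arp", 0x0806, "0000-0000-0001"), 0.0)       # other MAC passes
    # one second later the bucket has refilled and ICMP is admitted again
    policy.process(Packet("icmp", 0x0800, "0000-0000-0001", 1000), 1.0)
    return policy.stats


if __name__ == "__main__":
    print(run_demo())
```

Running it shows why the ordering matters: blacklisted ARP and denied TTL-expired packets never consume CPCAR tokens, and a burst of ICMP that exceeds the 64 kbit/s CIR is cut to the bucket size rather than reaching the CPU, which is exactly the effect the two procedures above are meant to have.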
  • Configure attack source tracing to enable switches to automatically detect attack sources and defend against attack traffic.

    Attack source tracing allows switches to automatically detect the attack source and defend against attack traffic, improving network running security. When an attack occurs, the attack source can be isolated to reduce impact on services. In V200R009 and later versions, attack source tracing is enabled by default.

    Configure a switch to consider ARP packets with a rate higher than 50 pps as attack packets and automatically punish users sending the packets.

    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy 1
    [HUAWEI-cpu-defend-policy-1] auto-defend enable
    [HUAWEI-cpu-defend-policy-1] auto-defend attack-packet sample 5
    [HUAWEI-cpu-defend-policy-1] auto-defend threshold 50
    [HUAWEI-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
    [HUAWEI-cpu-defend-policy-1] auto-defend protocol arp
    [HUAWEI-cpu-defend-policy-1] auto-defend action deny timer 300
    [HUAWEI-cpu-defend-policy-1] auto-defend whitelist 1 interface gigabitethernet 1/0/0
    [HUAWEI-cpu-defend-policy-1] quit
    [HUAWEI] cpu-defend-policy 1 global
    [HUAWEI] cpu-defend-policy 1 
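
The simulation below is an added example, not Huawei code, of how the auto-defend configuration above can be read: one in every "sample" packets to the CPU is inspected, the sampled packets are counted per trace key (source IP, source MAC, port+VLAN) in a one-second window, the sampled count is scaled back up to an estimated per-source rate, and a source above the threshold is denied for the timer period while whitelisted interfaces are never traced. The sampling scheme, the window handling, and the rate estimation are assumptions about the mechanism; the addresses and interface names are constructed.

```python
"""Simulation of attack source tracing (auto-defend). Added example, not Huawei
code. Sampling, windowing and rate estimation are assumptions about how the
feature works; all addresses and interface names are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    protocol: str    # "arp", "icmp", ...
    src_ip: str
    src_mac: str
    interface: str   # e.g. "GE1/0/2"
    vlan: int


class AutoDefend:
    def __init__(self, sample=5, threshold_pps=50, protocols=("arp",),
                 trace_types=("source-ip", "source-mac", "source-portvlan"),
                 deny_timer=300, whitelist_ifaces=(), interval=1.0):
        self.sample = sample                 # auto-defend attack-packet sample 5
        self.threshold = threshold_pps       # auto-defend threshold 50
        self.protocols = set(protocols)      # auto-defend protocol arp
        self.trace_types = set(trace_types)  # auto-defend trace-type ...
        self.deny_timer = deny_timer         # auto-defend action deny timer 300
        self.whitelist = set(whitelist_ifaces)
        self.interval = interval
        self.window_start = 0.0
        self.counts = defaultdict(int)       # trace key -> sampled packets in window
        self.denied = {}                     # trace key -> deny expiry time
        self.events = []                     # (time, key, estimated pps): log/alarm records
        self.seen = 0                        # packets subject to sampling

    def trace_key(self, pkt):
        parts = []
        if "source-ip" in self.trace_types:
            parts.append(("ip", pkt.src_ip))
        if "source-mac" in self.trace_types:
            parts.append(("mac", pkt.src_mac))
        if "source-portvlan" in self.trace_types:
            parts.append(("portvlan", (pkt.interface, pkt.vlan)))
        return tuple(parts)

    def _close_window(self, now):
        """At the end of a window, turn sampled counts into per-source verdicts."""
        if now < self.window_start + self.interval:
            return
        window_end = self.window_start + self.interval
        for key, sampled in self.counts.items():
            est_pps = sampled * self.sample / self.interval   # scale sampled count back up
            if est_pps > self.threshold:
                self.denied[key] = window_end + self.deny_timer
                self.events.append((window_end, key, est_pps))   # log / alarm
        self.counts.clear()
        self.window_start = now

    def process(self, pkt, now):
        self._close_window(now)
        if pkt.interface in self.whitelist:
            return "pass"                         # whitelisted ports are never traced
        if pkt.protocol not in self.protocols:
            return "pass"                         # only configured protocols are traced
        key = self.trace_key(pkt)
        expiry = self.denied.get(key)
        if expiry is not None:
            if now < expiry:
                return "deny"
            del self.denied[key]                  # deny timer expired
        self.seen += 1
        if self.seen % self.sample == 0:          # 1-in-N sampling of the whole stream
            self.counts[key] += 1
        return "pass"


def run_demo():
    """Constructed traffic: one ARP flooder, one normal host, one host on the whitelisted port."""
    d = AutoDefend(whitelist_ifaces=("GE1/0/0",))
    attacker = Pkt("arp", "192.0.2.10", "00e0-fc00-0001", "GE1/0/2", 10)
    legit = Pkt("arp", "192.0.2.20", "00e0-fc00-0002", "GE1/0/3", 10)
    trusted = Pkt("arp", "192.0.2.30", "00e0-fc00-0003", "GE1/0/0", 20)
    stream = [(i / 400, attacker) for i in range(400)]      # 400 pps
    stream += [(j / 20, legit) for j in range(20)]           # 20 pps
    stream += [(i / 400, trusted) for i in range(400)]      # 400 pps on the whitelisted port
    stream.sort(key=lambda e: e[0])                          # stable sort keeps tie order
    for t, p in stream:
        d.process(p, t)                                      # nothing is denied yet
    after = {
        "attacker": d.process(attacker, 1.5),                # window closed: flooder denied
        "legit": d.process(legit, 1.6),
        "trusted": d.process(trusted, 1.7),
        "attacker_expired": d.process(attacker, 301.5),      # 300 s timer has run out
    }
    return d, after


if __name__ == "__main__":
    d, after = run_demo()
    print(after, d.events)
```

The estimated rate in each event record is what an administrator would see in the log or alarm for the traced source; the whitelisted port never appears, and the normal host stays well under the threshold, which is why the threshold and sampling ratio should be chosen together.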
    
Copyright © Huawei Technologies Co., Ltd.