An attacker can flood a switch with a large number of VRRP packets within a short period of time, or construct malformed VRRP packets, to disrupt the VRRP group.
To defend against these attacks, configure the following security policies on the switch:
Protocol security policy
Authentication: VRRP supports different authentication methods and keys in Advertisement packets. The available methods are no authentication, simple text authentication, and MD5 authentication. Currently, only VRRPv2 supports authentication. For security purposes, you are advised to use MD5 as the VRRP authentication algorithm.
Packet check: VRRP checks the backup group ID (VRID), checksum, TTL, version number, packet type, timer (advertisement interval), number of virtual addresses, virtual addresses, and packet length of each received Advertisement packet, and discards packets that fail any check. Switches support packet check by default.
System security policy
Attack packet suppression: If a switch receives more than 20 VRRP packets within the specified period, or receives VRRP packets whose source is the switch itself, the switch treats the packets as attack packets and discards them. Switches support attack packet suppression by default.
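The packet check and attack packet suppression described above can be modelled in a few lines. The following is an added Python example, not Huawei code and not how the switch implements these checks internally: it parses a VRRPv2 Advertisement (RFC 3768 layout), applies the field checks listed above, and applies a sliding-window suppressor that drops packets from the switch's own addresses and anything beyond 20 packets per period. The packet builder, the 20-per-second window, and the sample addresses are constructed for the example; the checks assume the receiver already knows the expected VRID, virtual addresses and advertisement interval from its configuration.

```python
import ipaddress
import struct
from collections import deque

VRRP_VERSION = 2              # only VRRPv2 is modelled here
VRRP_TYPE_ADVERTISEMENT = 1   # the only VRRP packet type
VRRP_TTL = 255                # advertisements must arrive with TTL 255


def internet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, adver_int=1, auth_type=0, auth_data=b"\x00" * 8):
    """Build a VRRPv2 Advertisement: 8-byte header, N*4 bytes of virtual IPs, 8 bytes auth data.
    Constructed for the example so the checks below have something to run against."""
    ver_type = (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT
    header = struct.pack("!BBBBBBH", ver_type, vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + auth_data
    csum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def check_advertisement(payload, ttl, expected_vrid, expected_vips, expected_adver_int):
    """Apply the packet checks the page lists. Returns the names of failed checks; [] means accept."""
    errors = []
    if ttl != VRRP_TTL:
        errors.append("ttl")
    if len(payload) < 8:
        return errors + ["length"]          # header incomplete, nothing else can be parsed
    ver_type, vrid, _priority, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION:
        errors.append("version")
    if ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        errors.append("type")
    if internet_checksum(payload) != 0:      # a valid message sums to zero with its checksum field included
        errors.append("checksum")
    if len(payload) != 8 + 4 * count + 8:    # length must match the advertised address count
        return errors + ["length"]
    if vrid != expected_vrid:
        errors.append("vrid")
    if adver_int != expected_adver_int:
        errors.append("timer")
    vips = {str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)}
    if count != len(expected_vips):
        errors.append("address-count")
    if vips != set(expected_vips):
        errors.append("virtual-addresses")
    return errors


class AdvertisementSuppressor:
    """Attack packet suppression: drop packets sourced from our own addresses and
    anything beyond `limit` packets within a sliding `window` of seconds."""

    def __init__(self, own_addresses, limit=20, window=1.0):
        self.own = set(own_addresses)
        self.limit = limit
        self.window = window
        self.times = deque()

    def accept(self, source_ip, now):
        if source_ip in self.own:            # packet reflected back from this switch itself
            return False
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()             # forget arrivals outside the window
        if len(self.times) >= self.limit:    # the 21st packet in the window is an attack packet
            return False
        self.times.append(now)
        return True


if __name__ == "__main__":
    pkt = build_advertisement(2, 100, ["10.1.1.1"])
    print("good packet:", check_advertisement(pkt, 255, 2, ["10.1.1.1"], 1))
    print("wrong TTL:", check_advertisement(pkt, 64, 2, ["10.1.1.1"], 1))
    s = AdvertisementSuppressor(["10.1.1.2"])
    print("self-sourced:", s.accept("10.1.1.2", 0.0))
```

Only packets that pass both stages would be handed to the VRRP state machine; a real implementation would also count drops per interface so the flood is visible in logs rather than silently absorbed.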
Example: set the authentication method of the VRRP group with VRID 2 on VLANIF100 to MD5 authentication and the authentication key to Huawei-1.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.1
[HUAWEI-Vlanif100] vrrp vrid 2 authentication-mode md5 Huawei-1