Defense Against Attacks Launched Using IP Packets with Route Options

Attack Behavior

An attacker sends a large number of IP packets carrying route options to a switch, degrading its forwarding performance and exhausting its resources. As a result, the switch fails to process valid packets.

Security Policy

Switches support the following route options in IP packets:

  • Record-route (RR): records the IP address of every switch on the forwarding path.
  • Time-stamp (TS): records the IP address and time of every switch on the forwarding path.
  • Source and record route (SRR): includes loose SRR (LSRR) and strict SRR (SSRR).
    • LSRR: specifies a list of IP addresses that IP packets must traverse.
    • SSRR: specifies the exact path that IP packets must follow.
  • Route-alert (RA): indicates that packets must be sent to the routing protocol layer.

To protect switches against attacks launched using IP packets with route options, run the discard { srr | rr | ra | ts } command in the interface view.

Configuration Method

Configure a switch to discard IP packets carrying route options. Run the commands that match the route option to be discarded:

  • Configure the switch to discard packets carrying the RR option on VLANIF100.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard rr
    [HUAWEI-Vlanif100] quit
    
  • Configure the switch to discard packets carrying the TS option on VLANIF100.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard ts
    [HUAWEI-Vlanif100] quit
    
  • Configure the switch to discard packets carrying the SRR option on VLANIF100.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard srr
    [HUAWEI-Vlanif100] quit
    
  • Configure the switch to discard packets carrying the RA option on VLANIF100.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard ra
    [HUAWEI-Vlanif100] quit
    
Copyright © Huawei Technologies Co., Ltd.