attack-detect protocol car

Function

The attack-detect protocol car command sets the rate threshold for sending protocol packets to the CPU and the packet loss percentage threshold for attack detection.

The undo attack-detect protocol car command restores the default rate threshold for sending protocol packets to the CPU and packet loss percentage threshold for attack detection.

Table 1 lists the default rate thresholds for sending protocol packets to the CPU and packet loss percentage thresholds for attack detection.

Format

attack-detect protocol protocol-name car { min-rate rate-value | drop-packet-percent percentage } *

undo attack-detect protocol protocol-name car { min-rate rate-value | drop-packet-percent percentage } *

Parameters

Parameter | Description | Value
min-rate rate-value | Specifies a rate threshold for CP-CAR. | The value is an integer ranging from 20 to 4000, in pps.
drop-packet-percent percentage | Specifies a packet loss percentage threshold for CP-CAR. | The value is an integer ranging from 0 to 99, in percentage.
protocol protocol-name | Specifies the name of a protocol that supports CAR. The value can be the name of a protocol such as 802.1ag, ARP, BFD, BGP, Telnet-client, Telnet-server, or TFTP. | The actual protocol may vary.

Views

SOC view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
soc write

Usage Guidelines

Usage Scenario

The Security Operating Center (SOC) determines whether the system is being attacked based on statistical analysis. To obtain these statistics correctly on a live network, you must set proper alarm thresholds for security attack events. Traffic models vary with the networking and the scenario.

  • On small-scale networks where the traffic rate is low, router bandwidth is low, and the number of users is small, setting a low alarm threshold is recommended.
  • On large-scale networks where the traffic rate is high, router bandwidth is high, and the number of users is large, setting a high alarm threshold is recommended.

You can also adjust the threshold based on the security attack event reports. If false alarms are frequently reported, you can increase the alarm threshold. However, if some security attacks are ignored (the security attacks are detected by other monitoring systems but not reported by the SOC), you can lower the alarm threshold.

Table 1 Default rate thresholds for sending protocol packets to the CPU and packet loss percentage thresholds for attack detection
protocol min-rate (pps) drop-packet-percent (%)
atm-inarp 500 30
unicast-vrrp 500 30
dlp-bgp 500 30
dlp-ldp 500 30
dlp-ospf 500 30
dlp-rsvp 500 30
dlp-isis 500 30
dlp-radius 500 30
dlp-ipv6-bgp 500 30
dlp-ipv6-ospf 500 30
dcn-pkt-fin 500 30
pcep 500 30
vrrpv6 500 30
radiusv6 500 30
hwtacacsv6 500 30
lsppingv6 500 30
syslogv6 500 30
web-auth-serverv6 500 30
ipv6-ndh-miss 500 30
802.1ag 500 30
ttl-expiredv6 500 30
udp 500 30
unknown 500 30
vgmp 500 30
vrrp 500 30
web 500 30
web_auth_server 500 30
white-list 500 30
arp 500 30
arpmiss 500 30
bfd 500 30
bfdv6 500 30
bgp 500 30
bgpv6 500 30
dhcp 500 20
dhcpv6 500 30
diameter 500 30
dns-client 500 30
dnsv6 500 30
eapol 500 30
fib-miss 500 30
fib-missv6 500 30
ftp-client 500 30
ftp-server 300 30
ftpv6-client 500 30
ftpv6-server 500 30
hgmp 500 30
http-redirect-chasten 500 30
hwtacacs 500 30
icmp 300 30
icmp-broadcast-address-echo 500 30
icmpv6 500 30
igmp 500 30
ipfpm 500 30
ipv6 500 30
isis 500 30
l2tp 500 30
lacp 500 30
ldp 500 30
lldp 500 30
lspping 500 30
mka 500 30
mld 500 30
mpls-oam 500 30
msdp 500 30
multicast 500 30
multicastv6 500 30
na 500 30
nd 500 30
ns 500 30
ntp 500 30
openflow 500 30
ospfv2 500 30
ospfv3 500 30
padi 500 30
pim 500 30
pim_mc 500 30
pimv6 500 30
portal 500 30
pppoe 500 20
ra 500 30
radius 500 30
rip 500 30
rrpp 500 30
rs 500 30
rsvp 500 30
sftp-client 500 30
sftp-server 500 30
snmp 500 30
snmpv6 500 30
ssh-client 500 30
ssh-server 500 30
sshv6-server 500 30
tcp 500 30
tcp-65410 500 30
telnet-client 500 30
telnet-server 500 30
telnetv6-client 500 30
telnetv6-server 500 30
tftp 500 30
tftpv6-client 500 30
ttl-expired 500 30
802.3ah 500 30

In VS mode, this command is supported only by the admin VS.

Example

# Set the rate threshold of the ARP protocol to 200 pps for attack detection.
<HUAWEI> system-view
[~HUAWEI] soc
[*HUAWEI-soc] attack-detect protocol arp car min-rate 200
Warning: The default drop-packet-percent threshold is 30, default min-rate threshold is 500.Continue? [Y/N]: Y
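
The following is an added example, not part of the original page or Huawei's own tooling: a Python helper that checks planned thresholds against the ranges in the Parameters table and emits the matching SOC-view commands. It assumes the device is still at the Table 1 defaults; the function names and the sample plan are constructed for illustration.

```python
import re

MIN_RATE = range(20, 4001)  # pps, range from the Parameters table
DROP_PCT = range(0, 100)    # percent, range from the Parameters table
# Table 1 rows that differ from the common 500 pps / 30 percent default.
# Assumption: a name not listed in Table 1 is treated as 500/30 as well.
TABLE1_EXCEPTIONS = {"dhcp": (500, 20), "pppoe": (500, 20),
                     "ftp-server": (300, 30), "icmp": (300, 30)}


def table1_default(protocol):
    """Return the Table 1 default (min-rate, drop-packet-percent)."""
    return TABLE1_EXCEPTIONS.get(protocol, (500, 30))


def _check(name, value, allowed):
    """Reject non-integers and values outside the documented range."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
        raise ValueError(f"{name}={value!r} outside {allowed.start}..{allowed.stop - 1}")
    return value


def build_commands(plan):
    """Map {protocol: {"min_rate": int, "drop_pct": int}} to SOC-view commands.

    Assumption: the device is still at the Table 1 defaults, so a value equal
    to the default needs no command and is skipped.
    """
    lines = []
    for protocol, wanted in sorted(plan.items()):
        if not re.fullmatch(r"[A-Za-z0-9._-]+", protocol):
            raise ValueError(f"bad protocol name: {protocol!r}")
        def_rate, def_pct = table1_default(protocol)
        parts = []  # keyword order follows the Format section
        if "min_rate" in wanted and _check("min-rate", wanted["min_rate"], MIN_RATE) != def_rate:
            parts.append(f"min-rate {wanted['min_rate']}")
        if "drop_pct" in wanted and _check("drop-packet-percent", wanted["drop_pct"], DROP_PCT) != def_pct:
            parts.append(f"drop-packet-percent {wanted['drop_pct']}")
        if parts:
            lines.append(f"attack-detect protocol {protocol} car " + " ".join(parts))
    return lines


# Constructed sample plan for a small, low-traffic site (illustrative values).
SAMPLE_PLAN = {
    "arp": {"min_rate": 200},                   # the page's own example value
    "icmp": {"min_rate": 300, "drop_pct": 20},  # 300 pps is already the icmp default
    "dhcp": {"drop_pct": 20},                   # already the dhcp default: no command
}

if __name__ == "__main__":
    print("\n".join(["system-view", "soc"] + build_commands(SAMPLE_PLAN)))
```

Run as a script, it prints the system-view and soc lines followed by one command per protocol whose planned value differs from Table 1.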
Copyright © Huawei Technologies Co., Ltd.