CPU Protection by Limiting the Packet Rate Based on the CP-CAR

The packet rate is limited based on the CP-CAR as follows:
  • Packets sent to the CPU are classified based on protocol types.
  • The bandwidth, priority, and length of packets sent from the forwarding plane to the CPU are controlled based on the CP-CAR.
  • The total forwarding bandwidth is controlled.
In this manner, the number of packets sent to the CPU is kept under control, and bandwidth is guaranteed preferentially for services with higher priorities. In addition, CPU overload is prevented and an alarm is generated when an attack occurs.
Currently, services are negatively affected when the CPU is attacked for the following reasons:
  1. Valid protocol packets are not distinguished from invalid protocol packets. The CPU is busy processing a large number of invalid protocol packets. Consequently, the CPU usage rises sharply and valid packets cannot be processed properly.
  2. Packets of some protocols are sent to the CPU through the same channel. When a loopback occurs on a certain type of protocol packet, the channel is blocked, affecting the transmission of other protocol packets.
  3. The bandwidth of a channel is not set appropriately. When an attack occurs, processing of protocol packets on other channels is affected.
To prevent security accidents caused by human error or IT management, the following measures must be taken:
    1. Collect and classify protocols related to services running on equipment.
    2. Use ACLs to filter Layer 3 packets. Valid protocol packets are put into the whitelist and a user-defined flow; other packets are put into the blacklist.
    3. Plan the priorities, channel bandwidth, and alarm function of the preceding three lists.
    4. Restrict the bandwidths for non-Layer-3 services, and disable services that are not deployed on the equipment.
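The following is an added illustration of the mechanism described above (classification by protocol type, per-class rate limiting, a total bandwidth cap served by priority, whitelist/user-defined flow/blacklist handling, and an alarm on attack); it is a constructed Python model, not Huawei's implementation, and the class names, CIR values and packet format are assumptions chosen for the example.

```python
# Simplified model of CP-CAR style CPU protection (constructed example; not Huawei code).
# Each class is policed to its own CIR, the total bandwidth to the CPU is capped with
# higher-priority classes served first, and a class losing most of its load raises an alarm.
from collections import Counter

# Class policy: (priority, cir). Lower priority number is served first under the total cap.
# Values are constructed packets-per-interval numbers, not vendor defaults.
POLICY = {
    "ospf": (0, 100),
    "bgp": (0, 100),
    "arp": (1, 50),
    "user-defined": (1, 40),   # flow matched by a user-defined ACL
    "icmp": (2, 20),
    "blacklist": (3, 0),       # ACL-matched or undeployed protocols: never reach the CPU
}
TOTAL_CIR = 80          # total bandwidth from the forwarding plane to the CPU
ALARM_DROP_RATIO = 0.5  # a class losing this share of its offered load raises an alarm

def classify(pkt):
    """Map one packet to a CP-CAR class: ACL verdict first, then protocol type."""
    acl = pkt.get("acl")
    if acl in ("blacklist", "user-defined"):
        return acl
    return pkt["proto"] if pkt["proto"] in POLICY else "blacklist"

def police(packets):
    """Police one interval of CPU-bound packets; return accepted/dropped counts and alarms."""
    offered = Counter(classify(p) for p in packets)
    accepted, dropped, alarms = {}, {}, []
    # Stage 1: per-class CAR. Excess over the class CIR is dropped.
    passed = {cls: min(n, POLICY[cls][1]) for cls, n in offered.items()}
    # Stage 2: total cap, filling higher-priority classes first.
    budget = TOTAL_CIR
    for cls in sorted(passed, key=lambda c: POLICY[c][0]):
        accepted[cls] = min(passed[cls], budget)
        budget -= accepted[cls]
        dropped[cls] = offered[cls] - accepted[cls]
        car_drops = offered[cls] - passed[cls]   # drops caused by the class CIR alone
        if car_drops and car_drops / offered[cls] >= ALARM_DROP_RATIO:
            alarms.append(cls)
    return {"accepted": accepted, "dropped": dropped, "alarms": sorted(alarms)}

# Constructed sample interval: normal OSPF and ARP, an ICMP flood, and a few packets of a
# protocol not deployed on the device (so they fall into the blacklist).
SAMPLE = ([{"proto": "ospf"}] * 30 + [{"proto": "arp"}] * 60
          + [{"proto": "icmp"}] * 500 + [{"proto": "telnet"}] * 10)

if __name__ == "__main__":
    print(police(SAMPLE))
```

With the constructed values, OSPF passes untouched, ARP loses only its excess over its CIR, the ICMP flood is cut to nothing because the total cap is exhausted by higher-priority classes, and alarms are raised for the flooded and blacklisted classes.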

In this document, common protocols are classified and related processing suggestions are proposed based on the services on the live network and service attack information. The following describes specific configuration procedures.

Copyright © Huawei Technologies Co., Ltd.