Some ICMP packets have been dropped by cpcar on the MPU

Publication Date:  2018-01-29 Views:  1494 Downloads:  0
Issue Description

Product: AR3260

Software version: V200R007C00SPCb00

Problem: On the Core Router AR3260, some ICMP packets have been dropped by cpcar on the MPU

Network Topology: 


Alarm Information

<AR3260> display logbuffer

Nov 21 2017 19:05:48+00:00 NBN_N0.24_Ministre des postes ,Tlcommunications et NTI_AR3260 %%01DEFD/4/CPCAR_DROP_MPU(l)[6274]:Some packets are dropped by cpcar on the MPU. (Packet-type=icmp, Drop-Count=39245)

Nov 21 2017 19:15:48+00:00 NBN_N0.24_Ministre des postes ,Tlcommunications et NTI_AR3260 %%01DEFD/4/CPCAR_DROP_MPU(l)[6285]:Some packets are dropped by cpcar on the MPU. (Packet-type=icmp, Drop-Count=39138)

Handling Process

1. Check the Network Topology.

 

2. Check the diagnostic information by running the command "display diagnostic-information".

 

3. Check the interface utilization in different time slots:

          I. At time slot 1:

[AR3260] dis int brief

PHY: Physical

InUti/OutUti: input utility/output utility

Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors

Cellular0/0/0               down  down         0%     0%          0          0

Cellular0/0/1               down  down         0%     0%          0          0

GigabitEthernet0/0/0        up    up        0.20%  0.14%          0          0

GigabitEthernet7/0/0       up    up       23.34%  4.46%          0          0

 

          II. At time slot 2:

[AR3260] dis int brief

PHY: Physical

*down: administratively down

InUti/OutUti: input utility/output utility

Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors

Cellular0/0/0               down  down         0%     0%          0          0

Cellular0/0/1               down  down         0%     0%          0          0

GigabitEthernet0/0/0        up    up        0.19%  0.18%          0          0

GigabitEthernet7/0/0        up    up       31.04%  4.43%          0          0

Conclusion:

The inbound utilization of the core router's interface GigabitEthernet7/0/0 increased abnormally within less than 2 seconds, which means the attack is arriving on this interface.

 

4. Configure cpu-defend-policy to find the source of ICMP packet attacks as below:

cpu-defend policy SIP

auto-defend enable

auto-defend trace-type source-ip source-mac

auto-defend protocol icmp

auto-defend threshold 64

auto-defend alarm enable

cpu-defend-policy SIP global


Conclusion:

[AR3260] display auto-defend attack-source ?

  detail  The detail information

  |       Matching output

  <cr>    Please press ENTER to execute command

[AR3260]disp auto-defend attack-source

  Attack Source User Table:

  -------------------------------------------------------------------------

      MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL 

  -------------------------------------------------------------------------

  e48d-8c08-xxxx   GigabitEthernet7/0/0         0               6448   

  -------------------------------------------------------------------------

  Total: 1

 

  Attack Source Port Table:

  -----------------------------------------------------

    InterfaceName        Vlan:Outer/Inner       TOTAL  

  -----------------------------------------------------

  GigabitEthernet7/0/0     0                    6448  

  -----------------------------------------------------

  Total: 1

 

  Attack Source IP Table:

  -------------------------------------

   IPAddress        TOTAL Packets 

  -------------------------------------

  41.xxx.49.xxx    1536   

  -------------------------------------

  Total: 1

 

The attack source is IP "41.xxx.49.xxx" with MAC address "e48d-8c08-xxxx".

 

5. Enable LLDP globally to get information about the peer devices.

<AR3260> display lldp neighbor interface GigabitEthernet 7/0/0

GigabitEthernet0/0/1 has 1 neighbors:                                                                                                                                              

Neighbor index : 1

Chassis type   :macAddress

Chassis ID     :e48d-8c08-xxxx

Port ID type   :interfaceName

Port ID        :bridge_RMC_Wan

Port description    :NA

System name         :GW_NOC_RMC

System description  :MikroTik RouterOS 6.39.3 (bugfix) CCR1036-12G-4S

System capabilities supported   :bridge router

System capabilities enabled     :bridge router

Management address type  :ipV4

Management address       : 41.xxx.49.xxxx

Management address type  :ipV4

Management address       : 41.xxx.49.xxx  

Expired time   :63s

 

Conclusion:

The command output shows that this interface is connected to the MikroTik device “ISP”, and that this device, with MAC address “e48d-8c08-xxxx” and IP address “41.xxx.49.xxx”, is the source of the attacks.
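The manual comparison in steps 4 and 5 can be scripted. The following is an added example, not part of the original case: it parses saved "display auto-defend attack-source" and "display lldp neighbor" output and checks whether the traced MAC and IP belong to the LLDP neighbor. The function names and the sample MAC/IP values are assumptions made for illustration.

```python
import re

# Constructed sample output in the layout of steps 4 and 5. The MAC and IP are
# documentation-range placeholders, not the masked values from the case.
ATTACK_SOURCE = """\
  Attack Source User Table:
  -------------------------------------------------------------------------
      MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL
  -------------------------------------------------------------------------
  0000-5e00-5301   GigabitEthernet7/0/0         0               6448
  Attack Source IP Table:
   IPAddress        TOTAL Packets
  -------------------------------------
  192.0.2.10       1536
"""
LLDP_NEIGHBOR = """\
Chassis type   :macAddress
Chassis ID     :0000-5e00-5301
System name         :GW_NOC_RMC
Management address       : 192.0.2.10
"""

MAC_ROW = re.compile(r"^\s*((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\S+)\s+\S+\s+(\d+)\s*$", re.I | re.M)
IP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$", re.M)
LLDP_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", re.M)

def parse_attack_sources(text):
    """Return (MAC rows, IP rows) from 'display auto-defend attack-source'."""
    macs = [{"mac": m.lower(), "interface": i, "total": int(t)}
            for m, i, t in MAC_ROW.findall(text)]
    ips = [{"ip": ip, "total": int(t)} for ip, t in IP_ROW.findall(text)]
    return macs, ips

def parse_lldp(text):
    """Map each LLDP field name to the list of values seen for it."""
    fields = {}
    for key, value in LLDP_FIELD.findall(text):
        fields.setdefault(key, []).append(value)
    return fields

def correlate(attack_text, lldp_text):
    """Check the traced MAC/IP against the LLDP neighbor's own identifiers."""
    macs, ips = parse_attack_sources(attack_text)
    lldp = parse_lldp(lldp_text)
    chassis = {c.lower() for c in lldp.get("Chassis ID", [])}
    mgmt = set(lldp.get("Management address", []))
    return {"mac_matches_neighbor": [m["mac"] for m in macs if m["mac"] in chassis],
            "ip_matches_neighbor_mgmt": [i["ip"] for i in ips if i["ip"] in mgmt],
            "neighbor": lldp.get("System name", [None])[0]}
```

On a routed link every inbound frame carries the neighbor's MAC, so the MAC match only confirms which link the traffic arrives on. The IP match against the neighbor's management address is what shows the neighbor itself is originating the packets rather than forwarding them.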

 

6. Provide a solution to limit the attacks.

Root Cause

The core router's peer, the ISP router (a MikroTik device), was sending ICMP packets to the core router's CPU at a rate exceeding the CPCAR limit on the MPU. As a result, CPCAR dropped the excess packets.

Solution

First Solution:

To avoid this problem, configure an ICMP rate limit on the interface so that the CPU handles at most 90 pps of ICMP packets, which reduces CPU usage, as below:

[AR3260-GigabitEthernet7/0/0] icmp rate-limit enable
[AR3260-GigabitEthernet7/0/0] icmp rate-limit threshold 90

 

Second Solution:

1.      Filter all ICMP packets coming from the ISP router as below:

acl 3000

rule deny icmp source 41.xxx.49.xxx 0   //ISP address

Then apply ACL 3000 to inbound traffic on the interface facing the ISP router with the traffic-filter command.

 
