When Layer 3 DHCP users accessed the MA5200G, the Discover and Request packets of some users failed to be responded, causing the users unable to get online or to be disconnected from the MA5200G.
View the logs of attacks that were recorded when the problem occurred. The logs show that 24 alarms were generated from 18:00 to 20:00, and an alarm was displayed every five minutes during which more than 512 packets were discarded by the token bucket HOST CAR.
Apr 13 2010 18:02:40 bng0 %%01SRM/4/USER_ATTACK(l): Alert of user attack. (Source IP=94.72.22.XX, …)
Apr 13 2010 20:05:17 bng0 %%01SRM/4/USER_ATTACK(l): Alert of user attack. (Source IP=94.72.22.XX, …)
1. customer feed back problem only the second day after the problem happened
2. Engineer login the device and found information as follows,
[bng0-diag]display efu counter idiscard slot 2 1 1 HOST CAR drop based on user info 0x3d ---- 0x0 0x00409d73
[bng0-diag]display efu counter ediscard 2 153: CP CAR:egress cp car drop ------ 0x0 00027a59
[bng0-diag]display efu counter idiscard slot 2 1 1
HOST CAR drop based on user info
0x3d ---- 0x0 0x0000ca04
[bng0-diag]display efu counter ediscard 2
153: CP CAR:egress cp car drop ------ 0x0 000272e7
3. contact with R&D to confirm the problem and suggestion
1. View the statistics on the discarded packets that were recorded when the problem occurred.
The token bucket HOST CAR discarded 4,182,895 packets. The token bucket HOST CAR cannot identify packet types, so it discarded both DHCP packets and attack packets.
As shown in the figure CP car.jpg, both DHCP packets and IP Trigger packets enter the first token bucket HOST CAR, and then enter token buckets CP CAR 36 and CP CAR 38 respectively. The size of the token bucket HOST CAR is not large enough, so the excess packets are discarded.
The DHCP packets are discarded due to the small size of the token bucket HOST CAR. Therefore, you can set a larger size for the token bucket HOST CAR so that the token buckets CP CAR can control the packets to be sent to the host. In this manner, attack packets can be restricted by the token bucket CP CAR 38; DHCP packets can be sent to the host by token bucket CP CAR 36.
Set the size of HOST CAR to 10000.
hostcar cir 10000
vc-host-car 1 cir 10000