How to find the attack source when a large number of protocol packets attack the CPU of an interface board

Publication Date:  2014-12-30
Issue Description
Q:
VPN customers find that, in a VPN instance configured with “import route-policy” and “export route-policy”, the routes coming from neighbors and sent to neighbors do not take effect.
Solution
Step one: use the command display health to see which board has the high CPU occupancy rate. In the following example, the CPU occupancy rate of the interface board in slot 2 has reached 99%.

<E8000E>display  health
Slot                CPU Usage  Memory Usage(Used/Total)
---------------------------------------------------------
9 MPU(Master)          9%           52%  968MB/1845MB
1 LPU                 10%           47%  400MB/839MB
2 LPU                 99%           36%  310MB/841MB
3 LPU                  9%           47%  400MB/839MB
7 SPU                 29%           44%  209MB/475MB
8 SPU                 27%           43%  208MB/475MB
10 MPU(Slave)           6%           51%  943MB/1845MB

Step two: use “display cpu-usage slot <slot id>” to check whether SOCK is the highest task on the board. In the following example SOCK is the highest task. The SOCK task is the CPU task that sends and receives protocol packets, so we can see that a large number of protocol packets are attacking the CPU.

<E8000E>dis cpu-usage slot 2
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage            : 99% Max: 99%
CPU Usage Stat. Time : 2014-01-11  22:58:50
CPU utilization for five seconds: 99%: one minute: 99%: five minutes: 99%.

TaskName        CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation
BOX              0%         0/    c1f2       BOX Output                  
DelPtTask        0%         0/       0                                   
CrtPtTask        0%         0/       0                                   
VCLK             0%         0/  196966                                    
TICK             0%         0/  6b48ad                                   
LOAD             0%         0/   13c02       LOAD                        
IPCR             0%         0/   65f6f       IPCR                        
VPR              0%         0/    61a8       VPR                         
VPS              0%         0/    537e       VPS                         
LCM              0%         0/   f5cbd       LCM                         
BK1              0%         0/       0       BK1                         
BK2              0%         0/       0       BK2                         
Loam             0%         0/   e2e17       LoamQue                     
upct             0%         0/       0       upct                        
AseT             0%         0/       0       AseT                        
RTMR             0%         0/  1d2d27       RTMR                        
CPRL             0%         0/  26d419       CPRL                         
FPIX             0%         0/    169e       FPIX                        
FPID             0%         0/    60f1       FPIDHCP                     
IPCQ             0%         0/  a4ec5b       IPCQIPC task for single queue
VP               0%         0/    3579       VP  Virtual path task       
RPCQ             0%         0/   5d97d       RPCQRemote procedure call   
RTPR             0%         0/       0       RTPR                        
IPCB             0%         0/  17f306       IPCBIPC task for broadcast queue
VMON             0%         0/   5fe34       VMONSystem monitor          
VMSH             0%         0/       0       VMSH                        
STND             0%         0/   28c71       STNDStandby task             
INFO             0%         0/    5bb4       INFOInformation center      
SAPP             0%         0/       0       SAPP                        
L2IF             0%         0/       0       L2IF                        
MNMA             0%         0/       0       MNMAMac in Mac Agent        
APS              0%         0/   42336       APS Automatic Protection Switch
FIB6             0%         0/       0       FIB6IPv6 FIB                
BFD              0%         0/   504ee       BFD Bidirection Forwarding Detect
OAM              0%         0/   3c653       OAM OAM                     
LSPA             0%         0/       0       LSPA                        
L2V              0%         0/       0       L2V Layer 2 VPN              
SNPG             0%         0/   1fe93       SNPG                        
RBP              0%         0/       0       RBP                         
ADPT             0%         0/  10c58d       ADPT                        
FW               0%         0/   1e2a5       FW                          
FWVP             0%         0/   48068       FWVP                        
FIPA             0%         0/   c7eaa       FIPA                        
FIPC             0%         0/       0       FIPC                        
Mpxy             0%         0/   3f52a       Mpxy                        
IGMP             0%         0/   30f61       IGMP                        
PES             24%         0/2417983d       PES                          
PEST             0%         0/   c9dee       PEST                        
PESP             0%         0/   33538       PESP                        
MCIA             0%         0/       0       MCIA                        
MIDU             0%         0/       0       MIDU                        
VOSA             0%         0/       0       VOSAVirtual OS adaption     
EAPO             0%         0/    c97f       EAPOL                       
IMS              0%         0/   2f1f7       IMS                         
TRNK             0%         0/       0       TRNK                        
PIA              0%         0/       0       PIA                         
NSA              0%         0/   11ac1       NSA                          
ATMA             0%         0/   1257d       ATMA                        
LLDP             0%         0/   1724f       LLDP                        
PIPE             0%         0/       0       PIPE   Pipe task            
VRFP             0%         0/       0       VRFP                        
VSIP             0%         0/       0       VSIP                        
ARPA             0%         0/       0       ARPAT                       
SECL             0%         0/    3e08       SECL                        
FLD              0%         0/   2abd5       FLD                         
BTRC             0%         0/   3f129       BTRC                        
MSE              0%         0/   52fba       MSE                          
DHPA             0%         0/       0       DHPA                        
PTPO             0%         0/   14ddb       PTPO                        
CESR             0%         0/   2708f       CESR                        
NDB              0%         0/    6021       NDB                         
ArpB             0%         0/       0       ArpB                        
PTAL             0%         0/       0       PTAL                        
POXS             0%         0/       0       POXS                        
EOAM             0%         0/       0       EOAMEthernet OAM 802.1ag    
1731             0%         0/       0       1731Ethernet OAM Y1731      
TRAF             0%         0/   5056e       TRAFTraffic Statistics      
CDM              0%         0/   1ecc3       CDM                         
SOCK            63%         0/5e2ee7c1       SOCKPacket schedule and process
VTRU             0%         0/       0       VTRUNK                      
SDHA             0%         0/       0       SDHAPS Automatic Protection Switch
FIB              0%         0/       0       FIB Forward Information Base
MFIB             0%         0/   48edb       MFIBMulticast forward info  
IFNT             0%         0/    e3d7       IFNTIfnet task              
RSA              0%         0/       0       RSA RSA public-key algorithms
FMAT             0%         0/    654c       FMATFault Manage task       
ISSU             0%         0/       0       ISSU                         
SNP              0%         0/       0       SNP DHCP snooping function  
DIAG             0%         0/  e0d0b7       DIAG                        
SSC              0%         0/       0       SSC                         
SRM              2%         0/ 38d3444       SRM                         
BEAT             0%         0/   8481e       BEAT                        
BMON             0%         0/   148f2       BMON                        
HALT             0%         0/   9be9d       HALT                        
SPMT             0%         0/  111358       SPMT                        
MACL             0%         0/   37935       MACL                        
MACS             0%         0/  1c97f1       MACS                        
TEST             0%         0/       0       TESTTest communication      
Ne50             0%         0/       0       Ne5000Stat                  
ARPV             0%         0/  15f54d       ARPV                        
MACF             0%         0/  2bb358       MACF                        
TSTA             0%         0/   46edb       TSTATest task agent         
CPPS             0%         0/       0       CPPS                         
UTSK             0%         0/       0       UTSK                        
APP              0%         0/       0       APP                         
IP               0%         0/   93703       IP                          
LINK             0%         0/   c2188       LINK                        
VRPT             0%         0/   253cf       VRPT                        
TNQA             0%         0/   1acef       TNQAC                       
TTNQ             0%         0/       0       TTNQAS                      
TARP             0%         0/       0       TARPING                     
L2               0%         0/    3f9a       L2                          
VRRP             0%         0/   6966b       VRRP                         
L2_P             0%         0/  16355d       L2_PR                       
ARP              0%         0/       0       ARP                         
FIBP             0%         0/       0       FIBP                        
HQOS             0%         0/  791e47       HQOS                        
QOS              0%         0/    f5d4       QOS NE5000QOS               
QOS-             0%         0/       0       QOS-PROFILE                 
MIRR             0%         0/       0       MIRRMirror_Job              
STAT             0%         0/  4dcdd4       STAT                        
SQOS             0%         0/  dc33bf       SQOS                        
QOSA             0%         0/  37344c       QOSADA                       
DEFD             0%         0/  96e9ac       DEFD                        
FARP             0%         0/   2f4aa       FARP                        
FWPT             0%         0/   11b6e       FWPT                        
FMT              0%         0/  1f4933       FMT                         
TMQN             0%         0/       0       TMQN                        
TMQI             0%         0/       0       TMQI                        
TMQP             0%         0/       0       TMQP                        
TAD              0%         0/       0       TAD Transmission Alarm Damping
VIDL             0%         0/  474ac1       System idle                 
OS              11%         0/105ff888       Operation System             

Step three: use the command display cpu-defend all statistics slot <slot id> to see which protocol packets exceed the CP-CAR bandwidth, in order to determine what kind of protocol packets are attacking. ARP protocol packets are not included in this output and must be viewed separately with the command display cpu-defend car protocol arp statistics slot <slot id>. In the following example, VRRP, IGMP and ARP have exceeded the CP-CAR bandwidth and a lot of packets are discarded, so we can see that there is a large number of VRRP, IGMP and ARP attack packets.

<E8000E>display cpu-defend all statistics slot 2
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
2         Application-Apperceive        805588269      108943428      696644841
--------------------------------------------------------------------------------
          SSH SERVER                            0              0              0
          SNMP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
          ISIS                                  0              0              0
          ICMP                                  0              0              0
          MSDP                                  0              0              0
          PIM                                   0              0              0
          DHCP                                  0              0              0
          LACP                           14041618       14041618              0
          NTP                                   0              0              0
          RADIUS                                0              0              0
          HWTACACS                              0              0              0
          LSPPING                               0              0              0
          IGMP                             780204          81485         698719
          RRPP                                  0              0              0
          VRRP                          790766447       94820325      695946122
          BFD                                   0              0              0
          MPLSOAM                               0              0              0
          802.1AG                               0              0              0
          SSH CLIENT                            0              0              0
          DNS CLIENT                            0              0              0
--------------------------------------------------------------------------------
2         MA-Defend                             0              0              0
--------------------------------------------------------------------------------
          SSH                                   0              0              0
          SNMP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
--------------------------------------------------------------------------------
2         URPF                                  0              0              0
--------------------------------------------------------------------------------
2         Tcpip-defend                          0              0              0
--------------------------------------------------------------------------------
          Abnormal-packet                       0              0              0
          Fragment-packet                       0              0              0
          Tcpsyn-packet                         0              0              0
          Udp-packet                            0              0              0
--------------------------------------------------------------------------------


<E8000E>display  cpu-defend  car  protocol  arp statistics  slot 2
Slot               : 2
Application switch : Open
Default Action     : Min-to-cp
--------------------------------------------
IPV4 ARP packet
Protocol switch: N/A
Packet information:
  Passed packet(s)  : 14719806           
  Dropped packet(s) : 134858500          
Configuration information:
  Configged CIR : 2000    kbps       Actual CIR in NP : 2000    kbps
  Configged CBS : 20000   bytes      Actual CBS in NP : 20000   bytes
  Priority : The index on this board can not be shown . Please see the NP Priority.
  Min-packet-length : NA

Step four: use the command display attack-source-trace slot <slot id> brief to view the specific content of the attack packets. You can see which port the attack packets enter through and the source IP of the attack, and use them to trace further to the attack source. In the example below, the attack packets are ARP, VRRP and IGMP packets, and the port they enter through is GigabitEthernet2/1/0.


<E8000E>display attack-source-trace slot 2 brief
Info: Please waiting......
  No 1 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : CPCAR
  Source Ip        : 10.30.246.80
  Dest Ip          : 10.30.246.84
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 0
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:    
     ff ff ff ff ff ff 10 c3 7b 46 5a 05 08 06 00 01 08 00 06 04 00 01 10 c3 7b
     46 5a 05 0a 1e f6 50 00 00 00 00 00 00 0a 1e f6 54 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00
  ----------------------------------
  No 2 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : Application apperceive
  Source Ip        : 10.30.246.66
  Dest Ip          : 224.0.0.18         
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 112
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:    
     01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 e9 00 00 ff 70 e5
     48 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
     00 00 00 00 00 00 00 00 00
  ----------------------------------
  No 3 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : Application apperceive
  Source Ip        : 10.30.246.66
  Dest Ip          : 224.0.0.18
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 112
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:                    
     01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 91 00 00 ff 70 e5
     a0 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
     00 00 00 00 00 00 00 00 00
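
Added example (not part of the original article): a Python decoder for the Attack Trace Data hex dumps shown above, which recovers the ARP sender and the VRRP VRID, priority and virtual IP from the captured frames. It assumes untagged Ethernet II frames (PeVlanid and CeVlanid are 0 in the sample); the function and variable names are illustrative.

```python
import ipaddress

# Trace data copied from packets No 1 and No 2 in the output above.
ARP_TRACE = """
ff ff ff ff ff ff 10 c3 7b 46 5a 05 08 06 00 01 08 00 06 04 00 01 10 c3 7b
46 5a 05 0a 1e f6 50 00 00 00 00 00 00 0a 1e f6 54 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00
"""
VRRP_TRACE = """
01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 e9 00 00 ff 70 e5
48 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
00 00 00 00 00 00 00 00 00
"""

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return str(ipaddress.IPv4Address(bytes(b)))

def decode_trace(hexdump):
    """Decode an untagged Ethernet II frame from an 'Attack Trace Data' dump."""
    f = bytes.fromhex("".join(hexdump.split()))
    if len(f) < 14:
        return {"proto": "truncated"}
    out = {"dst_mac": mac(f[0:6]), "src_mac": mac(f[6:12])}
    ethertype = int.from_bytes(f[12:14], "big")
    if ethertype == 0x0806 and len(f) >= 42:          # ARP over Ethernet/IPv4
        op = int.from_bytes(f[20:22], "big")
        out.update(proto="ARP", op={1: "request", 2: "reply"}.get(op, op),
                   sender_mac=mac(f[22:28]), sender_ip=ip(f[28:32]),
                   target_ip=ip(f[38:42]))
    elif ethertype == 0x0800 and len(f) >= 34:        # IPv4
        ihl = (f[14] & 0x0F) * 4                      # header length in bytes
        out.update(proto=f"IPv4/{f[23]}", ttl=f[22],
                   src_ip=ip(f[26:30]), dst_ip=ip(f[30:34]))
        p = f[14 + ihl:]                              # IP payload
        if f[23] == 112 and len(p) >= 8:              # VRRP advertisement
            count = p[3]                              # number of virtual IPs
            out.update(proto="VRRP", version=p[0] >> 4, vrid=p[1], priority=p[2],
                       virtual_ips=[ip(p[8 + 4*i:12 + 4*i]) for i in range(count)
                                    if len(p) >= 12 + 4*i])
    else:
        out["proto"] = f"ethertype 0x{ethertype:04x}"
    return out

if __name__ == "__main__":
    for name, dump in (("No 1", ARP_TRACE), ("No 2", VRRP_TRACE)):
        print(name, decode_trace(dump))
```

The decoded sender MAC and IP (ARP) and the VRID and virtual IP (VRRP) are the values to look for on the network segment behind GigabitEthernet2/1/0 when tracing the source.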
