If a large number of packets of one protocol are received, determine from the network design whether this volume is normal. If it is not, the switch is under a protocol packet attack.
<HUAWEI> reset cpu-defend statistics
<HUAWEI> display cpu-defend statistics all
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type                   Pass(Bytes)        Drop(Bytes)      Pass(Packets)      Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss                                0                  0                  0                  0
arp-request                         40800              35768                600              52600
bgp                                     0                  0                  0                  0
......
-----------------------------------------------------------------------------------------------------------
The preceding command output shows that many ARP request packets have been discarded. If the live network cannot legitimately generate so many ARP request packets, the switch is under an ARP attack.
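The check above is easier to repeat across many slots and many packet types with a small script. The following is an added example, not part of the original guide or Huawei's own tooling: it parses the display cpu-defend statistics output (the sample below is constructed, reusing the page's arp-request counters) and flags packet types whose drop count is both large and dominates that type's traffic. The thresholds (1000 dropped packets, 50 % drop ratio) are assumptions to tune for your own network.

```python
import re

# Constructed sample of "display cpu-defend statistics all" output, modelled on the
# page's example (the arp-request row on slot 2 carries the page's numbers; the
# remaining rows and slot 3 are filler).
SAMPLE_OUTPUT = """\
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type                   Pass(Bytes)        Drop(Bytes)      Pass(Packets)      Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss                                0                  0                  0                  0
arp-request                         40800              35768                600              52600
bgp                                     0                  0                  0                  0
dhcp                                 2400                  0                 10                  0
-----------------------------------------------------------------------------------------------------------
Statistics on slot 3:
-----------------------------------------------------------------------------------------------------------
Packet Type                   Pass(Bytes)        Drop(Bytes)      Pass(Packets)      Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-request                          1200                  0                 20                  0
-----------------------------------------------------------------------------------------------------------
"""

SLOT_RE = re.compile(r"^Statistics on slot (\d+):")
# A data row: lowercase packet type followed by four integer counters.
# Header, separator and "......" lines do not match this pattern.
ROW_RE = re.compile(r"^([a-z0-9-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cpu_defend_statistics(text):
    """Return {slot: {packet_type: {pass_bytes, drop_bytes, pass_pkts, drop_pkts}}}."""
    stats = {}
    slot = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = m.group(1)
            stats.setdefault(slot, {})
            continue
        m = ROW_RE.match(line)
        if m and slot is not None:
            ptype, pb, db, pp, dp = m.groups()
            stats[slot][ptype] = {
                "pass_bytes": int(pb), "drop_bytes": int(db),
                "pass_pkts": int(pp), "drop_pkts": int(dp),
            }
    return stats


def suspicious_packet_types(stats, min_drop_pkts=1000, min_drop_ratio=0.5):
    """List (slot, packet_type, drop_pkts) for types whose drops are large in
    absolute terms and dominate the type's traffic. These are the rows to compare
    against what the network can legitimately produce before concluding an attack."""
    hits = []
    for slot, rows in stats.items():
        for ptype, r in rows.items():
            total = r["pass_pkts"] + r["drop_pkts"]
            if total == 0:
                continue
            ratio = r["drop_pkts"] / total
            if r["drop_pkts"] >= min_drop_pkts and ratio >= min_drop_ratio:
                hits.append((slot, ptype, r["drop_pkts"]))
    return hits


if __name__ == "__main__":
    parsed = parse_cpu_defend_statistics(SAMPLE_OUTPUT)
    for slot, ptype, dropped in suspicious_packet_types(parsed):
        print(f"slot {slot}: {ptype} dropped {dropped} packets, check whether this volume is legitimate")
```

Run the counters through reset cpu-defend statistics first, as the page does, so that the ratio reflects the current interval rather than counts accumulated since boot.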
Create a local attack defense policy based on attack source tracing.
Create an ACL to add the gateway IP address to the attack source whitelist.
<HUAWEI> system-view
[HUAWEI] acl number 2000
[HUAWEI-acl-basic-2000] rule 5 permit source 10.1.1.1 0 //10.1.1.1 is the gateway IP address.
[HUAWEI-acl-basic-2000] quit
Create a local attack defense policy based on attack source tracing.
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-policy1] undo auto-defend trace-type source-portvlan //Configure attack source tracing based on source MAC and IP addresses.
[HUAWEI-cpu-defend-policy-policy1] undo auto-defend protocol 8021x dhcp icmp igmp tcp telnet ttl-expired udp //Delete packet types from attack source tracing.
[HUAWEI-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2000 //Add the gateway IP address to the whitelist.
[HUAWEI-cpu-defend-policy-policy1] quit
Modular switch
A modular switch has CPUs both on its MPUs and LPUs. The configuration and application of a local attack defense policy must be distinguished between MPUs and LPUs.
Before creating and applying an attack defense policy, check attack information on the MPUs and LPUs. If the attack information on the MPUs and LPUs is similar, apply the same attack defense policy to the MPUs and LPUs; otherwise, create and apply different policies to them.
Apply an attack defense policy to an MPU.
<HUAWEI> system-view
[HUAWEI] cpu-defend-policy policy1
[HUAWEI] quit
Apply an attack defense policy to LPUs.
If an attack defense policy has been applied to all LPUs, a different attack defense policy cannot be applied to a specified LPU. Similarly, if an attack defense policy has been applied to a specified LPU, a different attack defense policy cannot be applied in the global view.
If all LPUs process the same service, apply one attack defense policy to all the LPUs.
<HUAWEI> system-view
[HUAWEI] cpu-defend-policy policy2 global
If LPUs process different services, apply a different attack defense policy to each LPU.
<HUAWEI> system-view
[HUAWEI] slot 1
[HUAWEI-slot-1] cpu-defend-policy policy2
Fixed switch
If fixed switches are not stacked, apply an attack defense policy to each switch.
<HUAWEI> system-view
[HUAWEI] cpu-defend-policy policy1 global
If fixed switches are stacked:
Apply an attack defense policy to the master switch.
<HUAWEI> system-view
[HUAWEI] cpu-defend-policy policy1
Apply an attack defense policy to all the member switches.
<HUAWEI> system-view
[HUAWEI] cpu-defend-policy policy1 global
Check attack source information.
After a local attack defense policy is configured based on attack source tracing, you can run the display auto-defend attack-source and display auto-defend attack-source slot slot-id commands to check attack source information.
If the MAC addresses of the identified attack sources include the gateway MAC address, exclude the gateway MAC address from the list of attack sources before taking any action against them.
Handle the attack sources.
Configure ARP security.
ARP security can be configured to protect switches from ARP and ARP-Miss message attacks.
Huawei switches support various ARP security solutions. For details, see ARP Security Configuration in Configuration Guide - Security.
Configure an attack defense action based on attack source tracing in either of the following methods:
Configure a switch to discard identified attack packets within a specified interval (for example, the default 300s).
<HUAWEI> system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable //Enable attack source tracing. (By default, the function is disabled.)
[HUAWEI-cpu-defend-policy-policy1] auto-defend action deny timer 300 //(By default, an attack defense action based on attack source tracing is not configured.)
Configure a switch to shut down its interface that receives attack packets.
This method is viable if the interface receives only attack packets.
If the interface also carries services from authorized users, their services will also be interrupted. Therefore, exercise caution when shutting down the interface.
Configuration example:
<HUAWEI> system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] auto-defend enable //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-policy1] auto-defend action error-down
Configure a blacklist.
If a source (for example, the 1.1.1.0/24 segment) is identified as an attack source, an ACL can be used to add its traffic to a blacklist. Packets from that source are then discarded when they reach the switch.
For example, configure ACL 2001 to match the packets carrying the source IP address 1.1.1.0/24. The switch then discards matched packets.
[HUAWEI] acl number 2001
[HUAWEI-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] blacklist 1 acl 2001
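Both the whitelist ACL 2000 (gateway, rule source 10.1.1.1 0) and the blacklist ACL 2001 (rule source 1.1.1.0 0.0.0.255) rely on basic-ACL wildcard masks, where a 1 bit means "don't care" and a bare 0 means an exact host match; writing a subnet mask such as 255.255.255.0 in the wildcard position is a common mistake that silently matches the wrong hosts. The following is an added example, not part of the original guide or Huawei's software: it evaluates the two ACLs from this page against candidate source addresses, with the rule text constructed to mirror the page. It assumes first-match-wins within an ACL and that the whitelist takes precedence over the blacklist; check your own device's behaviour before relying on that ordering.

```python
import ipaddress


def _to_int(addr):
    # Huawei rules write an exact-host wildcard as a bare "0"; expand it to dotted form.
    if addr == "0":
        addr = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, rule_addr, wildcard):
    """Basic ACL semantics: a wildcard bit of 1 means "don't care", 0 means "must match".
    This is the inverse of a subnet mask: 1.1.1.0 0.0.0.255 covers 1.1.1.0/24."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(rule_addr) & care)


def parse_rule(rule_text):
    """Parse 'rule [N] permit|deny source ADDR WILDCARD' into (action, ADDR, WILDCARD)."""
    tokens = rule_text.split()
    if tokens[0] != "rule":
        raise ValueError(f"not a rule: {rule_text}")
    if tokens[1].isdigit():          # optional rule number, e.g. "rule 5 permit ..."
        tokens = tokens[:1] + tokens[2:]
    action, keyword, src, wc = tokens[1:5]
    if keyword != "source":
        raise ValueError(f"unsupported rule form: {rule_text}")
    return action, src, wc


def acl_permits(acl_rules, addr):
    """First matching rule wins; an ACL with no matching rule selects nothing."""
    for rule in acl_rules:
        action, src, wc = parse_rule(rule)
        if wildcard_match(addr, src, wc):
            return action == "permit"
    return False


# Constructed rule text mirroring the page's ACLs: 2000 is the whitelist (gateway),
# 2001 is the blacklist. In a blacklist, "permit" selects the packets to discard.
ACL_2000 = ["rule 5 permit source 10.1.1.1 0"]
ACL_2001 = ["rule permit source 1.1.1.0 0.0.0.255"]


def classify_source(addr, whitelist=ACL_2000, blacklist=ACL_2001):
    """Assumed precedence: whitelist first, then blacklist; everything else is left
    to normal attack source tracing."""
    if acl_permits(whitelist, addr):
        return "whitelist"
    if acl_permits(blacklist, addr):
        return "blacklist"
    return "trace"


if __name__ == "__main__":
    for candidate in ("10.1.1.1", "10.1.1.2", "1.1.1.77", "1.1.2.1"):
        print(candidate, classify_source(candidate))
```

Before committing a whitelist or blacklist ACL, run the gateway address and a few known-good hosts through a check like this; a wildcard typo on the whitelist rule would leave the gateway exposed to the deny or error-down action described above.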