Checking Whether Network Attacks Exist

Procedure

  1. Run the display cpu-defend statistics command to check statistics about packets sent to the CPU. According to the statistics, determine whether many protocol packets have been discarded because the CPU is too busy to process them. Then, run the reset cpu-defend statistics command to clear the statistics. After several seconds, run the display cpu-defend statistics command again to re-check the statistics.

    If packets of a protocol are numerous, determine whether this is a normal phenomenon based on the networking. If this is abnormal, a protocol packet attack occurs.

    <HUAWEI> reset cpu-defend statistics
    <HUAWEI> display cpu-defend statistics all
    Statistics on slot 2:
    -----------------------------------------------------------------------------------------------------------
    Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
    -----------------------------------------------------------------------------------------------------------
    arp-miss            0            0             0               0
    arp-request         40800        35768         600             52600
    bgp                 0            0             0               0
    ......
    -----------------------------------------------------------------------------------------------------------

    The preceding command output shows that many ARP request packets have been discarded. If the live network cannot legitimately generate so many ARP request packets, the switch is under an ARP attack.

    Huawei switches provide local attack defense functions to protect CPUs from being overloaded or attacked. The local attack defense policies include attack source tracing, port attack defense, CPCAR, and blacklist. The following provides a method to trace and handle attack sources.
    1. Use the attack source tracing function to locate attack sources.
      1. Create a local attack defense policy based on attack source tracing.

        Create an ACL to add the gateway IP address to the attack source whitelist.

        <HUAWEI> system-view
        [HUAWEI] acl number 2000
        [HUAWEI-acl-basic-2000] rule 5 permit source 10.1.1.1 0  //10.1.1.1 is the gateway IP address.
        [HUAWEI-acl-basic-2000] quit

        Create a local attack defense policy based on attack source tracing.

        [HUAWEI] cpu-defend policy policy1
        [HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing.
        [HUAWEI-cpu-defend-policy-policy1] undo auto-defend trace-type source-portvlan  //Configure attack source tracing based on source MAC and IP addresses.
        [HUAWEI-cpu-defend-policy-policy1] undo auto-defend protocol 8021x dhcp icmp igmp tcp telnet ttl-expired udp  //Delete packet types from attack source tracing.
        [HUAWEI-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2000  //Add the gateway IP address to the whitelist.
        [HUAWEI-cpu-defend-policy-policy1] quit
      2. Apply the local attack defense policy.
        • Modular switch

          A modular switch has CPUs both on its MPUs and LPUs. The configuration and application of a local attack defense policy must be distinguished between MPUs and LPUs.

          Before creating and applying an attack defense policy, check attack information on the MPUs and LPUs. If the attack information on the MPUs and LPUs is similar, apply the same attack defense policy to the MPUs and LPUs; otherwise, create and apply different policies to them.

          Apply an attack defense policy to an MPU.

          <HUAWEI> system-view
          [HUAWEI] cpu-defend-policy policy1
          [HUAWEI] quit

          Apply an attack defense policy to LPUs.

          If an attack defense policy has been applied to all LPUs, a different attack defense policy cannot be applied to a specified LPU. Similarly, if an attack defense policy has been applied to a specified LPU, a different attack defense policy cannot be applied in the global view.

          If all LPUs process the same service, apply one attack defense policy to all the LPUs.

          <HUAWEI> system-view
          [HUAWEI] cpu-defend-policy policy2 global

          If LPUs process different services, apply different attack defense policies to them.

          <HUAWEI> system-view
          [HUAWEI] slot 1
          [HUAWEI-slot-1] cpu-defend-policy policy2
        • Fixed switch

          If fixed switches are not stacked, apply an attack defense policy to each switch.

          <HUAWEI> system-view
          [HUAWEI] cpu-defend-policy policy1 global

          If fixed switches are stacked:

          Apply an attack defense policy to the master switch.

          <HUAWEI> system-view
          [HUAWEI] cpu-defend-policy policy1

          Apply an attack defense policy to all the member switches.

          <HUAWEI> system-view
          [HUAWEI] cpu-defend-policy policy1 global
      3. Check attack source information.

        After a local attack defense policy is configured based on attack source tracing, you can run the display auto-defend attack-source and display auto-defend attack-source slot slot-id commands to check attack source information.

        NOTE:

        If the MAC addresses of identified attack sources include the gateway MAC address, exclude the gateway MAC address.

    2. Handle the attack sources.

      Select one of the following methods to handle the attack sources.
      • Configure ARP security.

        ARP security can be configured to protect switches from ARP and ARP-Miss message attacks.

        Huawei switches support various ARP security solutions. For details, see ARP Security Configuration in Configuration Guide - Security.

      • Configure an attack defense action based on attack source tracing in either of the following methods:

        • Configure a switch to discard identified attack packets within a specified interval (for example, the default 300s).

          <HUAWEI> system-view
          [HUAWEI] cpu-defend policy policy1
          [HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing. (By default, the function is disabled.)
          [HUAWEI-cpu-defend-policy-policy1] auto-defend action deny timer 300  //(By default, an attack defense action based on attack source tracing is not configured.)
        • Configure a switch to shut down its interface that receives attack packets.

          This method is viable if the interface receives only attack packets.

          If the interface also carries services from authorized users, their services will also be interrupted. Therefore, exercise caution when shutting down the interface.

          Configuration example:

          <HUAWEI> system-view
          [HUAWEI] cpu-defend policy policy1
          [HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing.
          [HUAWEI-cpu-defend-policy-policy1] auto-defend action error-down
      • Configure a blacklist.

        If a user or user network segment (for example, 1.1.1.0/24) is identified as an attack source, an ACL can be used to direct the user traffic to a blacklist. Packets from the user are then discarded after arriving at the switch.

        For example, configure ACL 2001 to match the packets carrying the source IP address 1.1.1.0/24. The switch then discards matched packets.

        [HUAWEI] acl number 2001
        [HUAWEI-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
        [HUAWEI-acl-basic-2001] quit
        [HUAWEI] cpu-defend policy policy1
        [HUAWEI-cpu-defend-policy-policy1] blacklist 1 acl 2001
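Step 1 above asks the operator to read the display cpu-defend statistics output, judge whether the drop counts are abnormal, and re-check after a short interval. The following is an added example (not Huawei code or part of this document) that automates that judgement: it parses output in the format shown above, flags packet types whose drop counters exceed an absolute and a relative threshold, and computes a per-second drop rate from two snapshots taken without resetting the counters. The two snapshots, the extra dhcp and icmp rows, the threshold values, and the 10-second interval are constructed assumptions for the example.

```python
"""Parse 'display cpu-defend statistics' output and flag packet types whose
drop counters suggest a protocol packet attack (added example, not Huawei code)."""
import re
from dataclasses import dataclass

# Constructed sample, modeled on the command output shown on the page;
# the dhcp and icmp rows are added for realism.
SNAPSHOT_BEFORE = """\
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss            0            0             0               0
arp-request         40800        35768         600             52600
bgp                 0            0             0               0
dhcp                12800        0             100             0
icmp                8400         0             100             0
-----------------------------------------------------------------------------------------------------------
"""

# Constructed second snapshot, as if taken 10 seconds later without a reset.
SNAPSHOT_AFTER = """\
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss            0            0             0               0
arp-request         41480        1395768       610             72600
bgp                 0            0             0               0
dhcp                13056        0             102             0
icmp                8484         0             101             0
-----------------------------------------------------------------------------------------------------------
"""


@dataclass(frozen=True)
class PacketStats:
    pass_bytes: int
    drop_bytes: int
    pass_packets: int
    drop_packets: int

    def drop_ratio(self):
        """Share of this packet type's packets that the CPU defense dropped."""
        total = self.pass_packets + self.drop_packets
        return self.drop_packets / total if total else 0.0


SLOT_RE = re.compile(r"^\s*Statistics on slot (\d+):")
# A data row: lowercase packet-type name followed by four integer counters.
# Header and separator lines do not match (capital letter / dashes).
ROW_RE = re.compile(r"^\s*([a-z0-9][a-z0-9-]*)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cpu_defend_statistics(text):
    """Return {slot: {packet_type: PacketStats}} parsed from the command output."""
    stats = {}
    slot = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            stats.setdefault(slot, {})
            continue
        m = ROW_RE.match(line)
        if m and slot is not None:
            name, *counters = m.groups()
            stats[slot][name] = PacketStats(*(int(c) for c in counters))
    return stats


def flag_suspicious(stats, min_drop_packets=1000, min_drop_ratio=0.5):
    """Packet types whose drops exceed both an absolute and a relative threshold.
    The thresholds are assumptions for this example; tune them to the network's
    normal baseline, since a high count can be legitimate on some networks."""
    flagged = []
    for slot, rows in sorted(stats.items()):
        for name, s in sorted(rows.items()):
            if s.drop_packets >= min_drop_packets and s.drop_ratio() >= min_drop_ratio:
                flagged.append((slot, name, s.drop_packets, round(s.drop_ratio(), 3)))
    return flagged


def drop_rate_between(before, after, seconds):
    """Per-second drop rate per (slot, packet_type) between two snapshots taken
    `seconds` apart without a reset. A counter that went backwards (reset or
    wrap in between) is reported as None rather than as a negative rate."""
    rates = {}
    for slot, rows in after.items():
        for name, s_after in rows.items():
            s_before = before.get(slot, {}).get(name)
            if s_before is None:
                continue
            delta = s_after.drop_packets - s_before.drop_packets
            rates[(slot, name)] = None if delta < 0 else delta / seconds
    return rates


if __name__ == "__main__":
    before = parse_cpu_defend_statistics(SNAPSHOT_BEFORE)
    for slot, name, drops, ratio in flag_suspicious(before):
        print(f"slot {slot}: {name} dropped {drops} packets ({ratio:.1%} of its total)")
    after = parse_cpu_defend_statistics(SNAPSHOT_AFTER)
    for (slot, name), rate in drop_rate_between(before, after, 10).items():
        if rate:
            print(f"slot {slot}: {name} dropping {rate:.0f} packets/s")
```

On the sample above, only arp-request is flagged (52600 drops, about 98.9% of its packets), and the second snapshot shows it still being dropped at 2000 packets per second, which matches the page's conclusion that an ARP attack is in progress. Feed real output captured from the switch into the same functions after confirming the counters are normal for the networking in question.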
