Huawei S Series Campus Switches Troubleshooting Guide(V100 and V200)

Case Study: A Switch Is Attacked by Specific Multicast Packets, Causing a High CPU Usage

Symptom

The switch running the multicast service has a high CPU usage, and many forwarding entries of multicast group 239.255.255.250 exist on the switch, occupying many forwarding entry resources. However, in actual multicast deployment, this multicast group does not exist.

Example: After the IPTV service is enabled on a subnet on a carrier's network, the switch on the subnet creates a large number of multicast routing entries in which the group address is 239.255.255.250 and source addresses are IP addresses of set top boxes (STBs) from a specific vendor. These multicast entries are propagated to other user subnets, so devices on the network all have a large number of such entries.

Cause Analysis

Group address 239.255.255.250 is used by the Simple Service Discovery Protocol (SSDP). Therefore, when SSDP is enabled on any servers or PCs, the servers or PCs send multicast packets with group address 239.255.255.250 to the switch.

239.255.255.250 is not a permanent multicast group address. (A permanent multicast group address, also called a reserved address, identifies a group of network devices and is used for routing protocols and topology discovery, not for multicast data forwarding.) The switch treats multicast group addresses outside the reserved range 224.0.0.X as ordinary multicast groups, so it generates multicast forwarding entries for 239.255.255.250 like for any other group.

STBs from this vendor have the SSDP service enabled by default and send SSDP Discover messages to the source DR, which then creates multicast forwarding entries with group address 239.255.255.250. After the STBs register with the RP successfully, hosts on other subnets send Report messages with group address 239.255.255.250. Finally, switches on these subnets create a large number of multicast entries with this group address and different source IP addresses.

Identification Method

  1. Run the display cpu-usage command to view the CPU usage of the switch. The CPU usage is above 80%. Check the top tasks. The tasks bcmRx/FTS/VPR/SOCK have high CPU usage.
  2. Run the display cpu-defend statistics command to view statistics about the packets sent to the CPU, determining whether too many IGMP packets exist.
    1. Run the reset cpu-defend statistics command to clear statistics about the packets sent to the CPU.
    2. Run the display cpu-defend statistics packet-type igmp all command to view statistics about IGMP packets sent to the CPU.
    <HUAWEI> reset cpu-defend statistics
    <HUAWEI> display cpu-defend statistics packet-type igmp all
     Statistics on mainboard:                                                       
    --------------------------------------------------------------------------------
    Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time  
    --------------------------------------------------------------------------------
    igmp                             40800               35758  -                   
                                        NA                  NA                      
    --------------------------------------------------------------------------------
     Statistics on slaveboard:                                                      
    --------------------------------------------------------------------------------
    Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time  
    --------------------------------------------------------------------------------
    igmp                                 0                   0  -                   
                                        NA                  NA                      
    --------------------------------------------------------------------------------
    
  3. Find out the multicast attack source.

    Choose a method:

    • Obtain packet information through port mirroring.

      Port mirroring collects packet information without increasing the CPU load. It is recommended that you configure port mirroring on the inbound interface of the packets sent to the CPU. For the configuration of port mirroring, see "Mirroring Configuration" in the Configuration Guide - Network Management and Monitoring.

    • View multicast entries.
      • If Layer 2 multicast is configured, the display igmp-snooping port-info command output shows that multiple host ports have received Report messages with group address 239.255.255.250.
      • If Layer 3 multicast is configured, the display multicast forwarding-table command output shows that the switch has created many multicast forwarding entries with different source addresses and group address 239.255.255.250.

    • Configure the local attack defense policy based on attack source tracing.
      [HUAWEI] cpu-defend policy policy1
      [HUAWEI-cpu-defend-policy-policy1] auto-defend enable  //Enable attack source tracing. By default, this function is disabled.
      [HUAWEI-cpu-defend-policy-policy1] undo auto-defend trace-type source-ip source-mac  //Set the attack source tracing mode to source interface + VLAN. By default, the system supports three attack source tracing modes.
      [HUAWEI-cpu-defend-policy-policy1] undo auto-defend protocol 8021x arp dhcp icmp tcp telnet ttl-expired udp  //Set the packet type in attack source tracing to IGMP. By default, the system performs attack source tracing for nine types of packets.
      [HUAWEI-cpu-defend-policy-policy1] quit 
      [HUAWEI] cpu-defend-policy policy1 global  //Apply the local attack defense policy to all LPUs. (Generally, multicast packets are sent to the MPUs from LPUs). A modular switch is used as an example here.

      Run the display auto-defend attack-source and display auto-defend attack-source slot slot-id commands to view attack source information on MPUs and LPUs.

  4. According to the preceding information, it is confirmed that the switch suffers an attack from multicast group 239.255.255.250.
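The following Python script is an added example, not part of the Huawei guide: it parses the display cpu-defend statistics packet-type igmp all output shown in step 2 so that the IGMP pass/drop check can be run against saved output from many switches instead of being read by eye. It assumes the column layout exactly as printed above; the sample text is constructed from that output, and the volume and drop-ratio thresholds are assumptions to tune to your own baseline.

```python
import re
from dataclasses import dataclass

# Sample text constructed from the "display cpu-defend statistics packet-type igmp all"
# output shown in the identification steps above.
SAMPLE_OUTPUT = """\
 Statistics on mainboard:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
--------------------------------------------------------------------------------
igmp                             40800               35758  -
                                    NA                  NA
--------------------------------------------------------------------------------
 Statistics on slaveboard:
--------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
--------------------------------------------------------------------------------
igmp                                 0                   0  -
                                    NA                  NA
--------------------------------------------------------------------------------
"""


@dataclass
class BoardStats:
    """Pass/drop packet counters for one packet type on one board (mainboard, slaveboard, ...)."""
    board: str
    packet_type: str
    passed: int
    dropped: int

    @property
    def drop_ratio(self) -> float:
        total = self.passed + self.dropped
        return self.dropped / total if total else 0.0


# "Statistics on mainboard:" introduces the counters of one board.
BOARD_RE = re.compile(r"^\s*Statistics on (\w+):")
# A counter row: packet type, pass count, drop count, last-dropping-time (or "-").
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_cpu_defend_statistics(text: str) -> list[BoardStats]:
    """Extract one BoardStats per (board, packet type) counter row in the command output."""
    stats: list[BoardStats] = []
    board = None
    for line in text.splitlines():
        header = BOARD_RE.match(line)
        if header:
            board = header.group(1)
            continue
        row = ROW_RE.match(line)
        # The "NA NA" byte rows, the column header and the dashed separators do not match ROW_RE.
        if row and board is not None:
            stats.append(BoardStats(board, row.group(1), int(row.group(2)), int(row.group(3))))
    return stats


def suspicious_igmp_boards(stats, min_packets: int = 10000, min_drop_ratio: float = 0.2) -> list[str]:
    """Boards whose IGMP volume and drop ratio both exceed the thresholds.

    The thresholds are assumptions for illustration; tune them to the baseline of your network.
    """
    return [
        s.board
        for s in stats
        if s.packet_type == "igmp"
        and s.passed + s.dropped >= min_packets
        and s.drop_ratio >= min_drop_ratio
    ]


if __name__ == "__main__":
    parsed = parse_cpu_defend_statistics(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s.board:<11} {s.packet_type:<5} pass={s.passed:>6} drop={s.dropped:>6} ratio={s.drop_ratio:.2f}")
    print("boards to investigate:", suspicious_igmp_boards(parsed))
```

Run the script against the output of a single switch to get a per-board summary; for the sample above it reports the mainboard, where nearly half of the IGMP packets sent to the CPU were dropped, and leaves the idle slaveboard alone.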

Solution

There are two solutions: 1. Filter out the packets from this multicast group (recommended); 2. Disable SSDP on the server or PC where the attack source resides.

  • Filter out the packets from this multicast group.
    1. Filter out the IGMP packets from 239.255.255.250.

      # Configure an advanced ACL that denies packets from multicast group 239.255.255.250 and permits the packets from other IP addresses.

      [HUAWEI]acl number 3000
      [HUAWEI-acl-adv-3000]rule 5 deny ip destination 239.255.255.250 0
      [HUAWEI-acl-adv-3000]rule 10 permit ip
      [HUAWEI-acl-adv-3000]quit

      # Configure an advanced ACL to filter out the packets from multicast group 239.255.255.250.

      [HUAWEI]acl number 3100
      [HUAWEI-acl-adv-3100]rule 10 deny igmp destination 239.255.255.250 0
      [HUAWEI-acl-adv-3100]quit

      # Filter out Layer 3 multicast packets.

      [HUAWEI]interface vlanif100
      [HUAWEI-Vlanif100]ip address 10.100.100.1 255.255.255.0
      [HUAWEI-Vlanif100]pim sm  //Enable PIM-SM on the interface.
      [HUAWEI-Vlanif100]igmp enable  //Enable IGMP on the interface.
      [HUAWEI-Vlanif100]igmp group-policy 3000  //Configure an IGMP multicast group filter on the interface to limit the range of multicast groups that hosts can join.
      [HUAWEI-Vlanif100]quit

      # Filter out Layer 2 multicast packets.

      [HUAWEI]vlan 100
      [HUAWEI-vlan100]igmp-snooping enable  //Enable IGMP snooping in the VLAN.
      [HUAWEI-vlan100]igmp-snooping group-policy 3000  //Configure a multicast group filter policy in the VLAN.
      [HUAWEI-vlan100]quit

      # Configure a blacklist to filter IGMP packets from multicast group 239.255.255.250 to avoid multicast forwarding entries for this group.

      [HUAWEI]cpu-defend policy igmp-deny
      [HUAWEI-cpu-defend-policy-igmp-deny]blacklist 1 acl 3100
      [HUAWEI-cpu-defend-policy-igmp-deny]quit
      [HUAWEI]cpu-defend-policy igmp-deny global  //In this example, an LPU on a modular switch suffers an IGMP attack.

      # Configure a multicast source group policy to filter packets from multicast group 239.255.255.250 to prevent (S, G) entries from being generated.

      [HUAWEI]pim
      [HUAWEI-pim]source-policy 3000
      [HUAWEI-pim]quit
    2. Filter out multicast data packets with group address 239.255.255.250.

      # Configure a traffic classifier that matches destination IP address 239.255.255.250.

      [HUAWEI]acl number 3200
      [HUAWEI-acl-adv-3200]rule 5 permit ip destination 239.255.255.250 0
      [HUAWEI-acl-adv-3200]quit
      [HUAWEI]traffic classifier ssdp
      [HUAWEI-classifier-ssdp]if-match acl 3200
      [HUAWEI-classifier-ssdp]quit

      # Configure a traffic behavior.

      [HUAWEI]traffic behavior ssdp
      [HUAWEI-behavior-ssdp]deny
      [HUAWEI-behavior-ssdp]quit

      # Configure a traffic policy.

      [HUAWEI]traffic policy ssdp
      [HUAWEI-trafficpolicy-ssdp]classifier ssdp behavior ssdp
      [HUAWEI-trafficpolicy-ssdp]quit

      # Apply the traffic policy to incoming packets on the interface.

      [HUAWEI]interface gigabitethernet 4/0/30
      [HUAWEI-GigabitEthernet4/0/30]traffic-policy ssdp inbound
      [HUAWEI-GigabitEthernet4/0/30]quit
  • Disable the SSDP service on the server or PC.
    1. On the Control Panel, click the Administrative Tools icon, and then click the Services icon.
    2. Find SSDP Discovery Service in the service list and disable the service.

Suggestion and Summary

Group address 239.255.255.250 is used by the SSDP service, which is enabled by default on Windows servers. Therefore, multicast devices will create forwarding entries for this group.

The switch considers this group as an ordinary multicast group. If the switch has a high CPU usage and an attack is initiated from 239.255.255.250, which is not a planned IP address, configure packet filtering on the switch or disable the SSDP service on the PC, to prevent the switch from generating a large number of multicast forwarding entries.

Relevant Information

The Simple Service Discovery Protocol (SSDP) is an application-layer protocol, one of the key protocols that implement Universal Plug and Play (UPnP). SSDP enables network clients to discover network services by sending multicast discovery messages.

SSDP uses multicast IPv4 address 239.255.255.250:1900 or multicast IPv6 address FF0x::C to transmit messages.

When connecting to a network, a network client sends an SSDP Discovery message in M-SEARCH mode via a given SSDP port with a specific multicast group address. When an upstream device receives the Discovery message, it checks whether it provides the service required by the client. If so, the device sends a unicast response message to the client.
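The following Python script is an added example, not part of the Huawei guide or of any Huawei tool. It ties the M-SEARCH description above to the port-mirroring method in the identification section: given UDP datagrams captured from a mirrored port, it parses the HTTP-over-UDP format SSDP uses, keeps only M-SEARCH discovery messages addressed to 239.255.255.250:1900, and ranks the sending hosts so that the chattiest SSDP talkers (the STBs or PCs the case study describes) can be located. The Datagram record, the addresses and all payloads are constructed for the example; a real deployment would fill the records from a capture file.

```python
from collections import Counter
from dataclasses import dataclass

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram from a mirrored port, reduced to the fields the check needs (constructed type)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_httpu(payload: bytes):
    """Parse the HTTP-over-UDP start line and headers that SSDP messages use.

    Returns (method, headers) for an M-SEARCH or NOTIFY request and None for
    anything else, including unicast responses such as "HTTP/1.1 200 OK".
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    start = lines[0].split()
    if len(start) != 3 or start[0] not in ("M-SEARCH", "NOTIFY") or start[2] != "HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return start[0], headers


def is_ssdp_discovery(dg: Datagram) -> bool:
    """True for an M-SEARCH discovery sent to the SSDP multicast group and port."""
    if dg.dst_ip != SSDP_GROUP or dg.dst_port != SSDP_PORT:
        return False
    parsed = parse_httpu(dg.payload)
    return parsed is not None and parsed[0] == "M-SEARCH" and parsed[1].get("MAN") == '"ssdp:discover"'


def top_ssdp_sources(datagrams, limit: int = 5):
    """Rank source addresses by the number of SSDP discovery messages they sent."""
    counts = Counter(dg.src_ip for dg in datagrams if is_ssdp_discovery(dg))
    return counts.most_common(limit)


# Constructed payloads in the SSDP message format (M-SEARCH discovery, NOTIFY announcement,
# and a unicast response).
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)
NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"\r\n"
)
RESPONSE = b"HTTP/1.1 200 OK\r\nST: ssdp:all\r\nEXT:\r\n\r\n"

# Constructed mirrored traffic; the addresses are examples, not from any real network.
SAMPLE_TRAFFIC = [
    Datagram("10.100.100.21", SSDP_GROUP, SSDP_PORT, M_SEARCH),
    Datagram("10.100.100.21", SSDP_GROUP, SSDP_PORT, M_SEARCH),
    Datagram("10.100.100.21", SSDP_GROUP, SSDP_PORT, M_SEARCH),
    Datagram("10.100.100.22", SSDP_GROUP, SSDP_PORT, M_SEARCH),
    Datagram("10.100.100.23", SSDP_GROUP, SSDP_PORT, NOTIFY),            # announcement, not a discovery
    Datagram("10.100.100.30", "10.100.100.22", SSDP_PORT, RESPONSE),     # unicast reply to a client
    Datagram("10.100.100.5", "10.100.100.1", 53, b"\xa3\x1f\x01\x00"),   # unrelated binary payload
]

if __name__ == "__main__":
    for src, count in top_ssdp_sources(SAMPLE_TRAFFIC):
        print(f"{src:<16} {count} SSDP M-SEARCH message(s)")
```

Only discovery requests are counted: NOTIFY announcements also go to the group, but the case study traces the entries to hosts that send M-SEARCH, so the ranking stays focused on them.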

Figure 17-8 and Figure 17-9 show information about UDP packets and IGMP Report messages of SSDP.

Figure 17-8 SSDP UDP packets
Figure 17-9 SSDP IGMP Report messages
Update Date:2025-05-13
Document ID:EDOC1000091883