No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Local Attack Defense Overview

Local Attack Defense Overview

Local attack defense prevents the CPU from being attacked by a large number of packets or malicious packets.


A large number of packets including malicious attack packets are sent to the Central Processing Unit (CPU) on a network. If malicious attack packets are sent to the CPU, the CPU is busy with processing these attack packets for a long period. Services are interrupted and even the system fails. If a large number of packets are sent to the CPU, the CPU usage becomes high and CPU performance deteriorates. In this case, services cannot be processed in a timely manner.

To protect the CPU and ensure that the CPU can process services, the device provides local attack defense. Local attack defense protects the device against attacks. When an attack occurs, this function ensures uninterrupted services and minimizes the impact on network services.

Basic Principles

The device supports two types of local attack defense: CPU attack defense and attack source tracing.

  • The device can limit the rate of all packets sent to the CPU so that a specified number of packets are sent to the CPU in a specified period. This protects the CPU and ensures normal operation of the CPU.

    The core of CPU attack defense is the Control Plane Committed Access Rate (CPCAR). In addition, CPU attack defense provides the blacklist function.
    • Control Plane Committed Access Rate (CPCAR) limits the rate of protocol packets sent to the control plane and schedules the packets to protect the control plane. CPCAR provides hierarchical device protection: scheduling and rate limit based on queues and rate limit for all packets, as shown in Figure 12-27.

      Figure 12-27 Rate limit for packets sent to the CPU

      The device allocates a queue to each protocol by default. Fair scheduling is performed among the queues. That is, all services are scheduled with similar probabilities.

      After the rate limit for all packets is set, the number of packets sent to the CPU is limited and more protocol packets can be processed. This function cannot protect the CPU when the CPU exception occurs.

      The preceding functions cannot be used on a management interface. After the rate limit is configured on the management interface, the device may fail to be managed when severe attacks occur. Users cannot log in from the management interface. Remove viruses on the host or re-plan the networking.

    • CPU attack defense provides the blacklist function. A blacklist references an ACL. The device discards all packets matching the characteristics in the blacklist. You can add the known attackers to the blacklist.

  • Attack source tracing protects the CPU against Denial of Service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics on the packets, and applies a threshold to the packets. The device considers excess packets as attack packets. The device finds the source user address or source interface of the attack by analyzing the attack packets and generates logs or alarms. Accordingly, the network administrator can take measures to defend against the attacks, for example, discarding packets from the attack source.

    As shown in Figure 12-28, attack source tracing involves the following processes: Parsing packets, Analyzing traffic, Identifying an attack source, and Generating logs or alarms to alert the network administrator

    1. Users are identified by Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, and ports. Ports are identified by physical port numbers and VLAN IDs (including inner VLAN IDs).
    2. The system counts the number of received protocol packets based on IP addresses, MAC addresses, or port information.
    3. When the number of packets sent to the CPU exceeds the threshold, the system considers that an attack occurs.
    4. When detecting an attack, the system reports a log and an alarm, or carries out punishment. For example, the system discards the packets.
    Figure 12-28 Attack source tracing processes

    Attack source tracing provides the whitelist function. After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of the packets from this port. Therefore, packets from authorized users can be sent to the CPU. You can add the authorized users or ports to the whitelist if necessary.

Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 59631

Downloads: 3623

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next