AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnostic commands, troubleshooting guidance for typical faults, and troubleshooting cases.
Abnormal Network Access of Some Users Caused by ARP Attacks on ARs

This section describes a troubleshooting case in which ARP attacks on ARs cause abnormal network access for some users.

Networking

Figure 28-8  Networking of abnormal network access of some users caused by ARP attacks on ARs

Fault Symptom

The ARs function as egress gateways, and some users connected to the ARs frequently fail to access the network. According to the device logs, interfaces were attacked and a large number of ARP packets were discarded after the CPU threshold was exceeded.

AR logs are displayed as follows:

<Huawei> display logbuffer 
Sep  9 2014 16:01:55+00:00 Huawei %%01SECE/4/PORT_ATTACK(l)[0]:Port attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet0/0/0, OuterVlan/InnerVlan=0/0, AttackPackets=64 packets per second) 
Sep  9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-miss, Drop-Count=770) 
Sep  9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[2]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-request, Drop-Count=3458)
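
The following is an added example, not part of the original Huawei documentation: a small triage script that reads log lines in the format shown above and reports CPCAR drops per packet type and the interfaces named in PORT_ATTACK entries. The function name triage and the 1000-packet ARP drop threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines shown above, as a log collector would store them.
SAMPLE_LOG = """\
Sep  9 2014 16:01:55+00:00 Huawei %%01SECE/4/PORT_ATTACK(l)[0]:Port attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet0/0/0, OuterVlan/InnerVlan=0/0, AttackPackets=64 packets per second)
Sep  9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-miss, Drop-Count=770)
Sep  9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[2]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-request, Drop-Count=3458)
"""

# Log header: %%<version><MODULE>/<severity>/<MNEMONIC>(l)[n]:<message>
HEAD_RE = re.compile(r"%%\d+(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>\w+)\(\w\)\[\d+\]:(?P<msg>.*)")
# key=value pairs inside the parenthesised part of the message
KV_RE = re.compile(r"([\w/-]+)=([^,)]+)")

def triage(log_text, arp_drop_threshold=1000):
    """Summarise CPCAR drops and port-attack entries; threshold is an assumed value."""
    drops = defaultdict(int)   # packet type -> total dropped packets
    ports = {}                 # interface -> highest reported attack rate (pps)
    for line in log_text.splitlines():
        m = HEAD_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m["msg"]))
        try:
            if m["mnemonic"] == "CPCAR_DROP_MPU":
                drops[fields["Packet-type"]] += int(fields["Drop-Count"])
            elif m["mnemonic"] == "PORT_ATTACK":
                iface = fields["SourceAttackInterface"]
                pps = int(fields["AttackPackets"].split()[0])
                ports[iface] = max(pps, ports.get(iface, 0))
        except (KeyError, ValueError):
            continue           # malformed entry: skip it rather than abort the run
    arp_drops = sum(n for ptype, n in drops.items() if ptype.startswith("arp"))
    return {
        "drops": dict(drops),
        "ports": ports,
        "arp_drops": arp_drops,
        # Heavy ARP drops together with a port-attack entry match the symptom above.
        "suspect_arp_attack": arp_drops >= arp_drop_threshold and bool(ports),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```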

Fault Analysis

  1. The device logs suggest that ARP attacks occurred on the devices.

  2. Configure attack source tracing to locate the attack source users on the network.

  3. After the viruses on the attack source users were removed using antivirus software, the fault was rectified.

    Conclusion: Internal users infected with viruses sent a large number of ARP packets to the CPU, causing abnormal learning of ARP entries on the devices and network access failures for some users.

Procedure

  1. Configure attack source tracing on devices.
    1. Create an attack defense policy.
      <Huawei> system-view
      [Huawei] cpu-defend policy 1
    2. Configure attack source tracing.
      [Huawei-cpu-defend-policy-1] auto-defend enable
      [Huawei-cpu-defend-policy-1] auto-defend threshold 40
      [Huawei-cpu-defend-policy-1] auto-defend protocol all
      [Huawei-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
      [Huawei-cpu-defend-policy-1] auto-defend alarm enable
      [Huawei-cpu-defend-policy-1] quit
    3. Apply the attack defense policy.
      [Huawei] cpu-defend-policy 1
      [Huawei] cpu-defend-policy 1 global
  2. Check whether the devices are attacked.
    <Huawei> display auto-defend attack-source
    Attack Source User Table:
      -------------------------------------------------------------------------
          MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL 
      -------------------------------------------------------------------------
      0cda-4156-cf00   GigabitEthernet0/0/1         0               368    
      1414-4b68-7696   GigabitEthernet0/0/0         0               7152  
      -------------------------------------------------------------------------
      Total: 2
    
      Attack Source Port Table:
      -----------------------------------------------------
        InterfaceName        Vlan:Outer/Inner       TOTAL  
      -----------------------------------------------------
      GigabitEthernet0/0/1     0                    368   
      GigabitEthernet0/0/0     0                    7152 
      -----------------------------------------------------
      Total: 2
    
      Attack Source IP Table:
      -------------------------------------
       IPAddress        TOTAL Packets 
      -------------------------------------
      172.16.1.1        368    
      192.168.1.1        7152   
      -------------------------------------  
      Total: 2
  3. Step 2 shows that the internal user with the source IP address 192.168.1.1 and the source MAC address 1414-4b68-7696 sent a large number of attack packets. Based on the attacked interface GigabitEthernet0/0/0, locate the attack source user, and use the antivirus software to rectify the fault.
    NOTE:

    Interface GigabitEthernet0/0/1, which connects to external users, shows only a small number of packets. This condition can be ignored.
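
The following is an added example, not part of the original Huawei documentation: a parser for the display auto-defend attack-source output in step 2 that ranks the traced users and pairs each MAC address with the IP address whose packet total matches, which is the same inference step 3 makes by eye. The function names, the join on TOTAL, and the 0.5 share threshold are assumptions for illustration.

```python
import re

# Constructed sample: the `display auto-defend attack-source` output from step 2,
# with the dashed separator lines omitted.
SAMPLE = """\
Attack Source User Table:
    MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL
0cda-4156-cf00   GigabitEthernet0/0/1         0               368
1414-4b68-7696   GigabitEthernet0/0/0         0               7152
Total: 2
Attack Source Port Table:
  InterfaceName        Vlan:Outer/Inner       TOTAL
GigabitEthernet0/0/1     0                    368
GigabitEthernet0/0/0     0                    7152
Total: 2
Attack Source IP Table:
 IPAddress        TOTAL Packets
172.16.1.1        368
192.168.1.1        7152
Total: 2
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_attack_sources(text):
    """Return one record per traced user: MAC, interface, packet total, and the
    IP whose total matches (a heuristic join on TOTAL, assumed for this example)."""
    users, ip_by_total = [], {}
    table = None
    for line in text.splitlines():
        cols = line.split()
        if line.strip().endswith("Table:"):
            table = cols[2]                     # "User", "Port" or "IP"
        elif table == "User" and cols and MAC_RE.match(cols[0]):
            users.append({"mac": cols[0], "interface": cols[1], "total": int(cols[-1])})
        elif table == "IP" and cols and IP_RE.match(cols[0]):
            ip_by_total.setdefault(int(cols[-1]), []).append(cols[0])
    for u in users:
        ips = ip_by_total.get(u["total"], [])
        u["ip"] = ips[0] if len(ips) == 1 else None   # ambiguous match: leave unset
    return sorted(users, key=lambda u: u["total"], reverse=True)

def dominant_sources(users, min_share=0.5):
    """Sources responsible for at least min_share of all traced packets."""
    grand_total = sum(u["total"] for u in users)
    return [u for u in users if grand_total and u["total"] / grand_total >= min_share]
```

When two sources report the same total, the IP field is left as None and the pairing has to be confirmed on the device.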

Conclusions and Suggestions

The CPU attack defense and attack source tracing functions can be configured to limit the number of protocol packets sent to the CPU, preventing system breakdown caused by CPU overload. Currently, the types of traced packets that ARs can identify include ARP, DHCP, ICMP, IGMP, Telnet, TCP, and TTL-expired packets. If the device logs show that a large number of packets of these protocols are discarded, attack source tracing can be enabled to locate the attack source users.

Updated: 2019-05-10

Document ID: EDOC1000079719
