
AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Security of the Forwarding Plane
An IP-based device forwards packets mainly on the basis of the destination MAC address and destination IP address. Routers forward these packets in hardware through a network processor (NP) or an application-specific integrated circuit (ASIC), so ordinary transit traffic never touches the control plane; only packets that the forwarding plane punts to the CPU (protocol packets, packets addressed to the device itself, and fragments that need reassembly) can affect it. The major attack methods against the forwarding plane are described as follows:

  • Attacking a target device through traffic flooding.

    Against a device with Layer 2 functions, a large number of abnormal Layer 2 protocol packets, such as STP and MSTP bridge protocol data units (BPDUs) and LACP packets, are sent to the device. These packets are addressed to the well-known protocol multicast MAC addresses that the device itself terminates, so the forwarding plane cannot simply switch them and must punt them to the control plane for processing. If no protection measure (for example, rate limiting of punted protocol packets) is taken, the flood may exhaust the control plane's CPU and cause it to fail.

    Against a device with Layer 3 functions, a large number of abnormal packets such as IGP, BGP, FTP, and ping (ICMP Echo Request) packets whose destination address is one of the target device's own addresses are sent to it. Because they are destined to the device rather than transiting it, these packets must also be punted to the control plane for processing. If no protection measure is taken, the flood may cause the control plane to fail.

  • Attacking a target device through abnormal packets.

    The contents of packets bound for a specific target are tampered with to exploit weaknesses in the target's protocol processing. For example, the Option field of DHCP packets can be freely customized, so an attacker can craft this field in an unexpected way (an option whose declared length does not match its actual length, for instance). If the software on the target is not robust enough, such a field triggers a software bug during parsing, and data access becomes abnormal or the process crashes.

  • Attacking a target device through fragmented IP packets.

    When an IPv4 packet is longer than the maximum transmission unit (MTU) of the interface it must be sent over, the device fragments the packet, and the target device reassembles the packet after it has received all fragments. That is, IPv4 relies on a fragmentation and reassembly mechanism. Attackers can abuse this mechanism with ping o' death and jolt2 attacks, and with floods of incomplete fragment sets. In the ping o' death attack, the attacker sends fragments of an ICMP Echo Request whose reassembled length exceeds 65535 bytes, the maximum size of an IPv4 datagram; when the target reassembles the fragments, the allocated buffer overflows and the system crashes or hangs. In the jolt2 attack, the attacker sends the same ICMP or UDP IP fragment repeatedly in an infinite loop so that the fragment set is never completed; on some devices the reassembly state held for these incomplete sets consumes all available memory. The checks a device needs are therefore the same in every case: validate the reassembled length before accepting a fragment, discard replayed fragments, and bound the number and lifetime of incomplete fragment sets per source.
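The following Python model is an added example and is not code from the Huawei guide or from the AR series software. It shows, for the two attack classes above, what the punt path in front of the control plane should enforce: per-protocol rate limiting of packets punted to the CPU (the flooding bullet), and fragment validation that rejects oversize reassembly (ping o' death), replayed fragments (jolt2) and per-source hoarding of incomplete fragment sets. The protocol classes, rates, the per-source budget of 4 pending sets and the 30-second reassembly timeout are assumptions chosen for the example; the packets are constructed inline with struct, not captured from a network.

```python
"""Added example (not Huawei code): punt-path protection against floods
and malicious IPv4 fragments.  All packets below are constructed in-line."""
import socket
import struct
import time

MAX_IPV4_DATAGRAM = 65535       # largest IPv4 total length (RFC 791)
MAX_PENDING_PER_SOURCE = 4      # assumed per-source reassembly budget
REASSEMBLY_TIMEOUT = 30.0       # assumed lifetime of an incomplete set (s)


def build_ipv4(src, dst, proto, payload, ident=1, offset=0, more=False):
    """Build a minimal IPv4 packet; offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields the punt path needs (offset in bytes)."""
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "more": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class PuntPolicer:
    """One token bucket per protocol class for packets punted to the CPU,
    so an IGP/BGP/ICMP flood is capped instead of saturating the CPU."""

    def __init__(self, rates, clock=time.monotonic):
        self.rates = rates      # class -> (packets per second, burst)
        self.clock = clock
        self.buckets = {c: [burst, clock()] for c, (_, burst) in rates.items()}

    @staticmethod
    def classify(proto):
        # Real CoPP also keys on L4 ports (BGP 179, FTP 21); kept simple here.
        return {1: "icmp", 89: "ospf", 6: "tcp"}.get(proto, "other")

    def allow(self, pkt):
        cls = self.classify(parse_ipv4(pkt)["proto"])
        rate, burst = self.rates[cls]
        tokens, last = self.buckets[cls]
        now = self.clock()
        tokens = min(burst, tokens + (now - last) * rate)   # refill
        if tokens < 1:
            self.buckets[cls] = [tokens, now]
            return False                                    # over rate: drop
        self.buckets[cls] = [tokens - 1, now]
        return True


class FragmentGuard:
    """Validate fragments before reassembly state is allocated."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}   # (src, dst, id, proto) -> {frags, born, total}

    def _expire(self):
        now = self.clock()
        for key in [k for k, e in self.pending.items()
                    if now - e["born"] > REASSEMBLY_TIMEOUT]:
            del self.pending[key]

    @staticmethod
    def _complete(entry):
        covered = 0
        for off in sorted(entry["frags"]):
            if off != covered:
                return False            # hole before this fragment
            covered = off + entry["frags"][off]
        return covered == entry["total"]

    def accept(self, pkt):
        h = parse_ipv4(pkt)
        if not h["more"] and h["offset"] == 0:
            return "pass"                                   # not a fragment
        end = h["offset"] + len(h["payload"])
        if 20 + end > MAX_IPV4_DATAGRAM:
            return "drop:oversize"      # ping o' death: reassembly > 65535
        self._expire()
        key = (h["src"], h["dst"], h["id"], h["proto"])
        entry = self.pending.get(key)
        if entry is None:
            held = sum(1 for k in self.pending if k[0] == h["src"])
            if held >= MAX_PENDING_PER_SOURCE:
                return "drop:budget"    # source already hoards reassembly state
            entry = self.pending[key] = {"frags": {}, "born": self.clock(),
                                         "total": None}
        if h["offset"] in entry["frags"]:
            return "drop:duplicate"     # jolt2: same fragment replayed forever
        entry["frags"][h["offset"]] = len(h["payload"])
        if not h["more"]:
            entry["total"] = end
        if entry["total"] is not None and self._complete(entry):
            del self.pending[key]
            return "reassembled"
        return "hold"
```

The two classes are independent: the policer sits in front of everything punted to the CPU, while the fragment guard is consulted only for packets with the MF flag or a non-zero offset. Note that the oversize check is made on every fragment, before any state exists for its set, so a single last fragment with a large offset is rejected without ever allocating a buffer.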

Updated: 2019-05-06

Document ID: EDOC1000097300
