
Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Local Attack Defense Overview

Local attack defense prevents the CPU from being attacked by a large number of packets or malicious packets.

Definition

On a network, a large number of packets, including malicious attack packets, can be sent to the Central Processing Unit (CPU) of a device. If malicious attack packets reach the CPU, the CPU is kept busy processing them for a long period; services are interrupted and the system may even fail. If a large number of packets are sent to the CPU, CPU usage becomes high and CPU performance deteriorates, so services cannot be processed in a timely manner.

To protect the CPU and ensure that the CPU can process services, the device provides local attack defense. Local attack defense protects the device against attacks. When an attack occurs, this function ensures uninterrupted services and minimizes the impact on network services.

Basic Principles

The device supports two types of local attack defense: CPU attack defense and attack source tracing.

CPU attack defense: the device limits the rate of all packets sent to the CPU to protect the CPU.
  • The device provides hierarchical device protection:

    • Level 1: The device limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a single protocol from being sent to the CPU.
    • Level 2: The device schedules packets sent to the CPU based on the priorities of protocol packets, so that packets of higher-priority protocols are processed first.
    • Level 3: The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU.
  • When the device detects the setup of an SSH, Telnet, or FTP session, active link protection (ALP) is enabled to protect the session. Packets matching the characteristics of the session are sent to the CPU at a high rate; therefore, the reliability and stability of session-related services are ensured.
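The following simulation is an added example and is not Huawei code or a model of the device's actual implementation; it shows how the three protection levels and ALP compose on one tick of traffic. The protocol limits, priorities, per-priority limits, the ALP limit, and all addresses are constructed values for illustration.

```python
"""Three-level CPU protection with ALP-style session protection.

Added illustration, not Huawei code. All limits, priorities and
addresses below are constructed for the example.
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str


# Level 1: packets of each protocol admitted per tick (assumed values)
PROTOCOL_LIMITS = {"bgp": 4, "ospf": 4, "arp": 3, "ssh": 2, "icmp": 2}
# Level 2: protocol priority; higher is scheduled first (assumed values)
PROTOCOL_PRIORITY = {"bgp": 3, "ospf": 3, "arp": 2, "ssh": 2, "icmp": 1}
# Level 3: packets admitted per priority class per tick (assumed values)
PRIORITY_LIMITS = {3: 6, 2: 12, 1: 1}
# ALP: a detected SSH/Telnet/FTP session gets its own, higher limit (assumed)
ALP_LIMIT = 8


def level1_protocol_limit(packets, protected_sessions, stats):
    """Per-protocol rate limit; a protected session uses a separate ALP bucket."""
    buckets = defaultdict(int)
    admitted = []
    for p in packets:
        if p.protocol not in PROTOCOL_LIMITS:
            stats["drop_l1_unknown"] += 1
            continue
        if (p.protocol, p.src) in protected_sessions:
            key, limit = ("alp", p.protocol, p.src), ALP_LIMIT
        else:
            key, limit = p.protocol, PROTOCOL_LIMITS[p.protocol]
        if buckets[key] < limit:
            buckets[key] += 1
            admitted.append(p)
        else:
            stats[f"drop_l1_{p.protocol}"] += 1
    return admitted


def level2_priority_schedule(packets):
    """Higher-priority protocols first; stable sort keeps arrival order within a class."""
    return sorted(packets, key=lambda p: -PROTOCOL_PRIORITY[p.protocol])


def level3_priority_limit(packets, stats, rng):
    """Uniform limit per priority class; excess packets are discarded at random."""
    groups = defaultdict(list)
    for p in packets:
        groups[PROTOCOL_PRIORITY[p.protocol]].append(p)
    admitted = []
    for prio in sorted(groups, reverse=True):
        group, limit = groups[prio], PRIORITY_LIMITS[prio]
        if len(group) <= limit:
            admitted.extend(group)
            continue
        keep = set(rng.sample(range(len(group)), limit))
        for i, p in enumerate(group):
            if i in keep:
                admitted.append(p)
            else:
                stats[f"drop_l3_prio{prio}"] += 1
    return admitted


def run_tick(packets, protected_sessions=frozenset(), seed=0):
    """Run one tick through all three levels; returns (delivered packets, drop counters)."""
    stats = defaultdict(int)
    rng = random.Random(seed)  # seeded so the random discard is reproducible
    admitted = level1_protocol_limit(packets, protected_sessions, stats)
    admitted = level2_priority_schedule(admitted)
    admitted = level3_priority_limit(admitted, stats, rng)
    return admitted, dict(stats)


def build_sample_tick():
    """Constructed traffic mix: routing protocols, ARP, two SSH peers, an ICMP flood."""
    mix = [("bgp", "10.0.0.1", 2), ("ospf", "10.0.0.2", 5), ("arp", "10.0.0.3", 10),
           ("ssh", "10.0.0.5", 6), ("ssh", "10.0.0.9", 4), ("icmp", "198.51.100.7", 50)]
    return [Packet(proto, src) for proto, src, n in mix for _ in range(n)]


if __name__ == "__main__":
    delivered, stats = run_tick(build_sample_tick(), {("ssh", "10.0.0.5")})
    print(len(delivered), "packets reach the CPU; drops:", stats)
```

With the SSH session from 10.0.0.5 marked as protected, all six of its packets pass level 1 through the ALP bucket while the other SSH peer still shares the ordinary per-protocol limit; without ALP both peers compete for the same two-packet budget. The ICMP flood is cut to two packets at level 1 and to one at level 3, so it cannot crowd out the routing protocols scheduled ahead of it.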

The attack source tracing function protects the CPU against Denial of Service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics on the packets, and applies a threshold to the packets. The device considers excess packets as attack packets. The device finds the source user address or source interface of the attack by analyzing the attack packets and generates logs or alarms. Accordingly, the network administrator can take measures to defend against the attacks, for example, discarding packets from the attack source.

As shown in Figure 26-1, attack source tracing involves the following processes:
  • Parsing packets
  • Analyzing traffic
  • Identifying an attack source
  • Generating logs or alarms to alert the network administrator

Figure 26-1  Attack source tracing processes

The device locates the attack source by attack source tracing processes in Figure 26-1, and the network administrator limits the rate of packets sent from the attack source by configuring ACLs or blacklists to protect the CPU.
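The following script is an added example, not Huawei code, and does not model the device's actual tracing implementation; it walks the four tracing processes (parsing, traffic analysis, source identification, alarm generation) over a constructed packet record format. The record layout ("t=<sec> proto=<name> src=<addr> iface=<name>"), the thresholds, the window size, and all addresses and interface names are assumptions made for the example.

```python
"""Attack source tracing: parse, count per window, apply thresholds, raise alarms.

Added illustration, not Huawei code. The record format, thresholds and
sample traffic are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed record format of packets that reached the CPU (constructed for the example)
LINE_RE = re.compile(
    r"^t=(?P<t>\d+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\w.:]+)\s+iface=(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Record:
    t: int
    proto: str
    src: str
    iface: str


def parse_line(line):
    """Process 1, parsing: return a Record, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(int(m["t"]), m["proto"], m["src"], m["iface"])


def analyze_traffic(records, window_sec):
    """Process 2, analysis: count packets per (window, protocol, source) and per (window, protocol, interface)."""
    by_src, by_iface = Counter(), Counter()
    for r in records:
        w = (r.t // window_sec) * window_sec  # start of the statistics window
        by_src[(w, r.proto, r.src)] += 1
        by_iface[(w, r.proto, r.iface)] += 1
    return by_src, by_iface


def identify_sources(by_src, by_iface, thresholds):
    """Process 3, identification: counts above the per-protocol threshold are treated as an attack."""
    alarms = []
    for (w, proto, src), n in sorted(by_src.items()):
        if n > thresholds.get(proto, thresholds["default"]):
            alarms.append({"window": w, "proto": proto, "type": "src", "key": src, "count": n})
    for (w, proto, iface), n in sorted(by_iface.items()):
        if n > thresholds.get(proto, thresholds["default"]):
            alarms.append({"window": w, "proto": proto, "type": "iface", "key": iface, "count": n})
    return alarms


def format_alarm(alarm):
    """Process 4, alerting: the message a log or alarm would carry to the administrator."""
    return (f"ATTACK-TRACE window={alarm['window']}s proto={alarm['proto']} "
            f"{alarm['type']}={alarm['key']} packets={alarm['count']}")


def trace(lines, window_sec=2, thresholds=None):
    """Run all four processes and return the list of alarms (possibly empty)."""
    thresholds = thresholds or {"default": 30, "ospf": 50}  # assumed per-window thresholds
    records = [r for r in map(parse_line, lines) if r is not None]
    by_src, by_iface = analyze_traffic(records, window_sec)
    return identify_sources(by_src, by_iface, thresholds)


def build_sample_lines():
    """Constructed sample: an ICMP flood from one host plus ARP/OSPF background traffic."""
    lines = []
    for t in (0, 1):
        lines += [f"t={t} proto=icmp src=203.0.113.9 iface=GE0/0/2"] * 20
    for t in range(4):
        lines.append(f"t={t} proto=ospf src=10.0.0.2 iface=GE0/0/1")
        for h in range(3):
            lines.append(f"t={t} proto=arp src=10.0.0.{10 + h} iface=GE0/0/1")
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for alarm in trace(build_sample_lines()):
        print(format_alarm(alarm))
```

The sample yields two alarms for the same event, one naming the source address and one naming the source interface, which mirrors the two forms of attack source the text says the device can report; the ARP and OSPF background traffic stays below threshold and produces none. Raising the threshold, as the last assertion does, silences the alarms, which is the tuning knob an administrator would adjust against false positives before acting on a source with an ACL or blacklist.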

Updated: 2019-01-11

Document ID: EDOC1000176006
