Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Overview of Local Attack Defense

Local attack defense protects the CPU of a device and prevents service interruption caused by attacks from a large number of packets or malicious packets.

On a network, the device CPU must process a large number of packets, both valid packets and malicious attack packets. Malicious attack packets can overwhelm the CPU, affecting services and even causing a system breakdown. Even an excessive volume of valid packets can drive CPU usage high, degrading CPU performance and interrupting services.

To ensure that the CPU can process services in a timely manner, the device provides a local attack defense function. When a device is undergoing an attack, this function ensures uninterrupted service transmission and minimizes the impact on network services.

Basic Implementation

The device supports four types of local attack defense: CPU attack defense, attack source tracing, port attack defense, and user-level rate limiting.

  • CPU Attack Defense

    The device can limit the rate of all packets reaching the CPU, which means that only a specified number of packets can be sent to the CPU in a specified period. This protects the CPU and ensures its normal operation.

    The core of CPU attack defense is the Control Plane Committed Access Rate (CPCAR). CPU attack defense provides the dynamic link protection and blacklist functions.
    • CPCAR limits the rate of protocol packets sent to the control plane and schedules the packets to protect the control plane. CPCAR provides hierarchical device protection: rate limiting based on protocols, scheduling and rate limiting based on queues, and rate limiting for all packets, as shown in Figure 3-1.

      Figure 3-1  Rate limiting for packets sent to the CPU

      If the traffic volume of a protocol is too large, other protocol packets cannot be processed in a timely manner. The device supports CPCAR to limit the packet rate of each protocol. CPCAR includes the settings of Committed Information Rate (CIR) and Committed Burst Size (CBS) for each protocol. The device discards the protocol packets that exceed the corresponding rate limit. This ensures that all protocols can be processed and prevents interference between protocols.

      After rate limits for protocols are set, the device allocates a queue to each type of protocol. For example, the device allocates a queue to management protocols such as Telnet and SSH and a queue to routing protocols. Queues are scheduled based on weights or priorities. Services with the highest priority are processed first. You can also set a rate limit for packets in each queue sent to the CPU.

      Finally, a rate limit on all packets sent to the CPU caps the total load, so the CPU can process the protocol packets it receives without being overwhelmed.

      • If all the rate limits in Figure 3-1 are set, the smallest rate limit takes effect.
      • CPU attack defense cannot take effect on the packets that the management interface receives. If the network connected to the management interface initiates an attack, users may fail to log in to or manage the device through the management interface. In this situation, it is recommended that you scan for viruses on all computers located on the connected network or optimize the networking to mitigate attacks.
      • When multiple protocols are running, protocol packets sent to the CPU may be dropped because they exceed the CIR/CBS, the maximum rate at which packets are sent from queues to the CPU, or the maximum number of packets the CPU can process. Dropped protocol packets cause protocol flapping.
    • Dynamic link protection refers to session-based protection of application data, such as FTP sessions, BGP sessions, and OSPF sessions. This function keeps normal services running when an attack occurs. Once a session has been set up, its packets are no longer subject to the per-protocol rate limit; instead, the device limits them at the rate configured for dynamic link protection, ensuring the reliability and stability of the session-related services.

    • CPU attack defense provides a blacklist function. A blacklist references an ACL. The device discards all packets that have the characteristics defined in the blacklist. You can add known attackers to the blacklist.

    • CPU attack defense supports user-defined flows defined through ACLs. The device limits the rate of packets matching the characteristics defined in user-defined flows sent to the CPU. The characteristics of attack flows can be flexibly defined in ACL rules, so you can configure user-defined flows for a network prone to unknown attacks.

  • Attack Source Tracing

    Attack source tracing protects the CPU against Denial of Service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics on the packets, and sets a rate threshold for the packets. The device considers excess packets as attack packets. The device finds the source user address or interface of the attack packets and generates logs or alarms for the attack. Accordingly, the network administrator can take measures to defend against the attacks, for example, discarding packets from the attack source.

    Attack source tracing involves the four processes shown in Figure 3-2: packet parsing, traffic analysis, attack source identification, and log and alarm generation together with punishment actions.

    1. The system parses packets by IP address, MAC address, and port, where a port is identified by its physical port number and VLAN ID.
    2. The system counts the received protocol packets per IP address, MAC address, or port.
    3. When the rate of packets sent to the CPU exceeds the threshold, the system considers that an attack has occurred.
    4. When detecting an attack, the system reports a log and an alarm, or takes punishment actions, for example, discarding the packets.
    Figure 3-2  Attack source tracing processes

    Attack source tracing provides the whitelist function. After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of the packets from this port. You can add authorized users or ports to the whitelist to ensure that packets from these users can be sent to the CPU.

  • Port Attack Defense

    Port attack defense is another anti-DoS mechanism. If one port receives a large number of protocol packets, they consume the bandwidth to the CPU, and protocol packets received on other ports cannot be sent to the CPU. Port attack defense prevents such port-based attacks.

    The process for port attack defense is as follows:

    1. Analyze packets received by each port.
    2. Count the protocol packets to which port attack defense is applied based on ports.
    3. Consider that an attack has occurred when the rate of packets sent to the CPU exceeds the rate threshold.
    4. Record a log, move the packets within the protocol rate limit to a low-priority queue waiting for CPU processing, and discard the excess packets. For a description of protocol rate limiting and queue-based scheduling, see CPU Attack Defense.

      The rate limiting applied by port attack defense has a smaller impact on traffic than the punishment actions taken by attack source tracing.

    Port attack defense provides a whitelist function. After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of or limit the rate of the packets from this port. You can add authorized users or ports to the whitelist to ensure that packets from these users can be sent to the CPU.

  • User-Level Rate Limiting

    User-level rate limiting identifies users by MAC address and limits the rate of specified protocol packets per user, such as ARP, ND, DHCP Request, DHCPv6 Request, IGMP, and HTTPS-SYN packets. If a user is subjected to a DoS attack, other users are not affected. The core of user-level rate limiting is HOST CAR.

    The procedure of user-level rate limiting is as follows:
    1. When receiving packets of the preceding protocols, the switch hashes the source MAC address and places the packets into different buckets.
    2. When the number of packets placed in a bucket within one second exceeds the rate limit, the bucket discards the excess packets. The switch counts the discarded packets every 10 minutes. When the number of packets discarded within 10 minutes exceeds 2000, the switch reports a packet discard log for this bucket. If the discard counts of many buckets exceed 2000, the switch logs only the top 10 buckets.
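The three CPCAR stages described under CPU Attack Defense (per-protocol CIR/CBS, per-queue limits with priority scheduling, and a limit on all packets sent to the CPU), as an added one-second-slot model that is not Huawei code; the protocol names, queue numbers, CIR/CBS values and rates are constructed, in packets per second.

```python
class ProtocolCar:
    """Token bucket: CIR tokens are added per second, CBS caps the bucket (burst) size."""
    def __init__(self, cir, cbs):
        self.cir, self.cbs, self.tokens = cir, cbs, cbs   # bucket starts full

    def admit(self, arrivals):
        self.tokens = min(self.cbs, self.tokens + self.cir)
        accepted = min(arrivals, self.tokens)
        self.tokens -= accepted
        return accepted


class CpuDefend:
    def __init__(self, protocol_car, protocol_queue, queue_rate, cpu_rate):
        self.car = {p: ProtocolCar(*c) for p, c in protocol_car.items()}
        self.protocol_queue = protocol_queue   # protocol -> queue index (higher is served first)
        self.queue_rate = queue_rate           # queue index -> packets/second it may pass to the CPU
        self.cpu_rate = cpu_rate               # packets/second for all traffic reaching the CPU
        self.drops = {"protocol": 0, "queue": 0, "cpu": 0}

    def tick(self, arrivals):
        """arrivals: {protocol: packets this second}; returns {protocol: packets reaching the CPU}."""
        after_car = {}
        for proto, n in arrivals.items():               # stage 1: CIR/CBS per protocol
            ok = self.car[proto].admit(n)
            self.drops["protocol"] += n - ok
            after_car[proto] = ok
        delivered, queue_used, cpu_used = {}, {}, 0
        for proto in sorted(after_car, key=lambda p: -self.protocol_queue[p]):
            q = self.protocol_queue[proto]                # stage 2: per-queue rate limit
            ok = min(after_car[proto], self.queue_rate[q] - queue_used.get(q, 0))
            self.drops["queue"] += after_car[proto] - ok
            queue_used[q] = queue_used.get(q, 0) + ok
            to_cpu = min(ok, self.cpu_rate - cpu_used)    # stage 3: limit on all packets
            self.drops["cpu"] += ok - to_cpu
            cpu_used += to_cpu
            delivered[proto] = to_cpu
        return delivered


def demo():
    """Constructed scenario: an ARP flood (5000 pps) competes with SSH and OSPF traffic."""
    d = CpuDefend(
        protocol_car={"arp": (128, 256), "ssh": (64, 128), "ospf": (256, 512)},
        protocol_queue={"arp": 1, "ospf": 2, "ssh": 3},
        queue_rate={1: 100, 2: 300, 3: 100},
        cpu_rate=300,
    )
    per_second = [d.tick({"arp": 5000, "ssh": 20, "ospf": 200}) for _ in range(3)]
    return per_second, d.drops
```

The first second shows the CBS burst (256 ARP packets pass the protocol stage), the later seconds settle to the CIR, and in every second the smallest limit wins: the CPU cap of 300 leaves ARP only what the higher-priority queues did not use.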
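The per-source counting shared by Attack Source Tracing and Port Attack Defense (threshold per second, whitelist of ports, log or deny for tracing, low-priority queue plus discard for port defense), as an added model that is not Huawei code; the packet capture, MAC addresses, IP addresses, port names and the 100 pps threshold are constructed.

```python
from collections import Counter

def sample_packets():
    """Constructed capture: (second, protocol, src_mac, src_ip, port, vlan) for 2 seconds."""
    pkts = []
    for sec in range(2):
        pkts += [(sec, "arp", "00e0-fc12-3456", "10.1.1.99", "GE0/0/1", 10)] * 150  # ARP flood
        pkts += [(sec, "arp", "00e0-fc00-0001", "10.1.1.2", "GE0/0/2", 10)] * 5     # normal host
        pkts += [(sec, "dhcp", "00e0-fc00-0002", "10.1.1.3", "GE0/0/3", 20)] * 300  # busy uplink
    return pkts

def rate_per_second(packets, key_fn, whitelist_ports=()):
    """Count packets per (second, protocol, key); packets from whitelisted ports are not traced."""
    counts = Counter()
    for pkt in packets:
        sec, proto, port = pkt[0], pkt[1], pkt[4]
        if port not in whitelist_ports:
            counts[(sec, proto, key_fn(pkt))] += 1
    return counts

def trace_attack_sources(packets, threshold, whitelist_ports=(), action="log"):
    """Attack source tracing: identify sources by MAC, IP and port+VLAN, report every
    source above threshold pps and, with action="deny", return the sources to discard."""
    key_fns = (lambda p: ("mac", p[2]), lambda p: ("ip", p[3]),
               lambda p: ("port", f"{p[4]} vlan {p[5]}"))
    events, denied = [], set()
    for key_fn in key_fns:
        for (sec, proto, key), n in sorted(rate_per_second(packets, key_fn, whitelist_ports).items()):
            if n > threshold:
                events.append({"second": sec, "protocol": proto, "source": key, "pps": n, "action": action})
                if action == "deny":
                    denied.add(key)
    return events, denied

def port_attack_defense(packets, threshold, whitelist_ports=()):
    """Port attack defense: per port and second, packets within the limit go to a
    low-priority CPU queue once the threshold is exceeded and the excess is dropped."""
    verdict = {}
    for (sec, proto, port), n in sorted(rate_per_second(packets, lambda p: p[4], whitelist_ports).items()):
        if n > threshold:
            verdict[(sec, proto, port)] = {"low_priority_queue": threshold, "dropped": n - threshold}
    return verdict
```

Running the capture with GE0/0/3 whitelisted reports only the ARP flood; without the whitelist the 300 pps DHCP uplink is reported as well, which is the case the whitelist exists for.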
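The User-Level Rate Limiting procedure (source MAC hashed to a bucket, per-second limit per bucket, discard counts evaluated every 10 minutes with the 2000-packet log threshold and top-10 logging), as an added model that is not Huawei code; the bucket count, the low-bits hash, the 10 pps limit and the hosts are assumptions, since the document gives none of them.

```python
from collections import Counter

BUCKETS = 1024          # assumed bucket count; the document does not state it
LOG_THRESHOLD = 2000    # discards per bucket per 10-minute window that trigger a log
TOP_N = 10              # at most this many buckets are logged per window

def bucket_of(mac):
    """Stand-in for the undocumented hash: the MAC's low bits select the bucket."""
    return int(mac.replace("-", ""), 16) % BUCKETS

class HostCar:
    def __init__(self, limit_pps):
        self.limit = limit_pps
        self.second, self.sent = None, Counter()   # packets admitted per bucket this second
        self.discards = Counter()                  # discards per bucket in the current window
        self.logs = []

    def receive(self, second, src_mac):
        """True if the packet is sent to the CPU, False if its bucket discards it."""
        if second != self.second:                  # new second: per-bucket counters restart
            self.second, self.sent = second, Counter()
        b = bucket_of(src_mac)
        if self.sent[b] < self.limit:
            self.sent[b] += 1
            return True
        self.discards[b] += 1
        return False

    def end_of_window(self):
        """Every 10 minutes: log buckets over the threshold, keeping only the top 10."""
        over = sorted(((n, b) for b, n in self.discards.items() if n > LOG_THRESHOLD), reverse=True)
        entry = [{"bucket": b, "discarded": n} for n, b in over[:TOP_N]]
        self.logs.append(entry)
        self.discards.clear()
        return entry

def demo():
    """Constructed 10-minute window: one host floods ARP at 50 pps, one chatty host sends
    12 pps for 100 s, one normal host sends 2 pps, with a per-bucket limit of 10 pps."""
    car, to_cpu = HostCar(limit_pps=10), Counter()
    hosts = {"00e0-fc12-3456": 50, "00e0-fc00-0002": 12, "00e0-fc00-0001": 2}
    for sec in range(600):
        for mac, pps in hosts.items():
            if mac == "00e0-fc00-0002" and sec >= 100:
                continue
            to_cpu[mac] += sum(car.receive(sec, mac) for _ in range(pps))
    return dict(to_cpu), car.end_of_window()
```

The flooding host is held to 10 pps and its bucket is logged with 24000 discards, while the chatty host's 200 discards stay under the 2000 threshold and produce no log, and the normal host is never affected.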
Updated: 2019-09-23

Document ID: EDOC1000178177
