CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Overview of Local Attack Defense

Definition

Local attack defense protects the CPU of a device and prevents service interruption caused by attacks from a large number of packets or malicious packets.

Device CPUs must process a large number of packets on a network, including both valid packets and malicious attack packets. Malicious attack packets overwhelm the CPUs, which affects services and causes a system breakdown. Excessive valid packets can also lead to high CPU usage, which degrades CPU performance and interrupts services.

To ensure that the CPU can process services in a timely manner, the device provides a local attack defense function. When a device is undergoing an attack, this function ensures uninterrupted service transmission and minimizes the impact on network services.

Basic Implementation

The device supports two types of local attack defense: CPU attack defense and attack source tracing.

  • CPU attack defense: the device can limit the rate of all packets sent to the CPU to protect the CPU.

    1. The device provides hierarchical device protection:

      • Level 1: The device filters invalid packets sent to the CPU using blacklists.
      • Level 2: The device limits the rate of packets sent to the CPU based on the protocol type to prevent excess packets of a protocol from being sent to the CPU.
      • Level 3: The device schedules packets sent to the CPU based on priorities of protocol packets to ensure that packets with higher protocol priorities are processed first.
      • Level 4: The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU.
    2. When the device detects setup of a Telnet, SSH, HTTP, FTP, or BGP session, ALP is enabled to protect the session. Packets matching the characteristics of the session are sent at a high rate, which ensures the reliability and stability of session-related services.

  • The attack source tracing function protects the CPU against Denial of Service (DoS) attacks. A device with attack source tracing enabled analyzes packets sent to the CPU, collects statistics on the packets, and sets a rate threshold for the packets. The device treats packets in excess of the threshold as attack packets. By analyzing the attack packets, the device finds the source user address or source interface of the attack and generates logs or alarms. The network administrator can then take measures to defend against the attack, for example, discarding packets from the attack source.

    Attack source tracing involves the four processes shown in Figure 8-1: packet parsing, traffic analysis, attack source identification, and log and alarm generation together with punish actions.

    Figure 8-1  Attack source tracing processes

    The device locates the attack source, and the network administrator limits the rate of packets sent from the attack source by configuring ACLs or blacklists to protect the CPU.
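The four attack source tracing processes described above can be modeled in a few lines. The following Python sketch is an added example, not Huawei's implementation or device code: the packet records, interface names, the 30-packet threshold and the 1-second window are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed packets sent to the CPU: (time_ms, source_ip, in_interface, protocol).
# 192.0.2.66 sends 40 ARP packets within one second; 192.0.2.5 sends light ICMP.
SAMPLE = sorted(
    [(i * 25, "192.0.2.66", "GE0/0/1", "arp") for i in range(40)]
    + [(i * 500, "192.0.2.5", "GE0/0/2", "icmp") for i in range(4)]
)

def trace_attack_sources(packets, threshold=30, window_ms=1000):
    """Return one alarm per source address or interface exceeding the threshold.

    threshold (packets per window) and window_ms are assumed values,
    not device defaults.
    """
    windows = defaultdict(deque)      # (trace type, source) -> recent timestamps
    flagged, alarms = set(), []
    for ts, src_ip, iface, proto in packets:                # 1. packet parsing
        for key in (("source-ip", src_ip), ("source-interface", iface)):
            win = windows[key]
            win.append(ts)
            while ts - win[0] >= window_ms:                 # 2. traffic analysis
                win.popleft()
            if len(win) > threshold and key not in flagged:
                flagged.add(key)                            # 3. source identification
                alarms.append({"time_ms": ts, "trace_type": key[0],  # 4. log/alarm
                               "source": key[1], "protocol": proto,
                               "packets_in_window": len(win)})
    return alarms

def punish(packets, alarms):
    """Punish action: discard packets from a traced source IP after its alarm."""
    deny_from = {a["source"]: a["time_ms"] for a in alarms
                 if a["trace_type"] == "source-ip"}
    kept = [p for p in packets
            if p[1] not in deny_from or p[0] <= deny_from[p[1]]]
    return kept, len(packets) - len(kept)

if __name__ == "__main__":
    found = trace_attack_sources(SAMPLE)
    for alarm in found:
        print("ALARM", alarm)
    kept, dropped = punish(SAMPLE, found)
    print(f"kept={len(kept)} dropped={dropped}")
```

Tracing by both source address and source interface matters when the source address is spoofed or varies: the per-interface counter still crosses the threshold even if no single address does.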

Updated: 2019-08-07

Document ID: EDOC1100034077
