S Series Switches Security Hardening Guide

VRRP Security

Attack Behavior

An attacker floods the switch with a large number of VRRP packets within a short period, or constructs malformed or spoofed VRRP Advertisement packets, in order to exhaust the switch's processing resources or to disrupt the master election of the VRRP group.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • Protocol security policy

    • Authentication: VRRP Advertisement packets can carry authentication data, and a switch discards Advertisements whose authentication fails. Three modes are available: no authentication, simple text authentication, and MD5 authentication. Simple text authentication transmits the key in clear text, so anyone who can capture traffic on the VLAN can read the key and forge Advertisements; MD5 authentication transmits only a digest, so a forger must know the key. Only VRRPv2 supports authentication; VRRPv3 (RFC 5798) defines no packet authentication. For security purposes, you are advised to configure MD5 authentication, with the same key, on every switch in the VRRP group. A member whose key does not match discards the Advertisements of the real master, times out, and promotes itself to master, which leaves two masters on the segment.

    • Packet check: For every received Advertisement, VRRP checks the virtual router ID (VRID), checksum, TTL (which must be 255 in VRRPv2), version number, packet type, advertisement timer, number of virtual addresses, the virtual addresses themselves, and the packet length, and discards a packet that fails any check. Switches perform these checks by default.

  • System security policy

    Attack packet suppression: If a switch receives more than 20 VRRP packets within the specified period, or receives VRRP packets whose source address is one of its own addresses, it treats the packets as attack packets and discards them. Switches enable attack packet suppression by default. Suppression limits the load on the switch but counts packets rather than verifying their origin, so combine it with authentication so that forged packets that arrive below the threshold are still rejected.
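The two policies above, as an added worked example that is not part of Huawei's documentation or switch software: a Python implementation of the VRRPv2 Advertisement format (RFC 2338/3768) that applies the packet checks listed under the protocol security policy, rejects packets sourced from the switch itself, and suppresses more than 20 packets per period as described under the system security policy. The group parameters, the one-second period, the addresses and the sample packets are constructed assumptions. Simple text authentication is modelled because its wire format is standardised (8 bytes of key data); the MD5 mode the guide recommends is vendor-specific and is not modelled here.

```python
"""Added example: validate and rate-limit VRRPv2 Advertisements.

Implements the guide's checks against the RFC 2338/3768 VRRPv2 wire format.
Group parameters, thresholds and packets are constructed for the example;
Huawei's MD5 authentication mode is vendor-specific and not modelled.
"""
import hmac
import struct
from collections import deque

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE = 0, 1        # RFC 2338 authentication types
VRRP_TTL = 255                       # RFC 3768: IPv4 TTL must be 255
MAX_PACKETS_PER_PERIOD = 20          # threshold from the guide; period assumed 1 s


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, virtual_ips, auth_key=b"", adver_int=1,
                        version=VRRP_VERSION, pkt_type=VRRP_TYPE_ADVERTISEMENT):
    """Build an Advertisement: version/type, VRID, priority, address count,
    auth type, interval, checksum, IPv4 addresses, 8 bytes of auth data.
    The keyword arguments let callers construct malformed packets."""
    auth_type = AUTH_SIMPLE if auth_key else AUTH_NONE
    head = struct.pack("!BBBBBBH", (version << 4) | pkt_type, vrid, priority,
                       len(virtual_ips), auth_type, adver_int, 0)
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in virtual_ips)
    msg = head + addrs + auth_key.ljust(8, b"\x00")[:8]
    return msg[:6] + struct.pack("!H", checksum(msg)) + msg[8:]


def validate_advertisement(pkt, ttl, src_ip, local_ips, group):
    """Return the reasons to discard pkt; an empty list means accept.
    group = {"vrid", "adver_int", "virtual_ips", "auth_key"}."""
    if src_ip in local_ips:                      # system policy: own packets
        return ["packet sourced from this switch"]
    reasons = []
    if ttl != VRRP_TTL:
        reasons.append("TTL %d != %d" % (ttl, VRRP_TTL))
    if len(pkt) < 8:
        return reasons + ["shorter than VRRP header"]
    first, vrid, _prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    version, pkt_type = first >> 4, first & 0x0F
    if version != VRRP_VERSION:
        reasons.append("version %d" % version)
    if pkt_type != VRRP_TYPE_ADVERTISEMENT:
        reasons.append("type %d" % pkt_type)
    expected_len = 8 + 4 * count + 8
    if len(pkt) != expected_len:                 # cannot trust the rest
        return reasons + ["length %d != %d" % (len(pkt), expected_len)]
    if checksum(pkt) != 0:                       # a valid message sums to zero
        reasons.append("bad checksum")
    if vrid != group["vrid"]:
        reasons.append("VRID %d != %d" % (vrid, group["vrid"]))
    if adver_int != group["adver_int"]:
        reasons.append("timer %d != %d" % (adver_int, group["adver_int"]))
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    if addrs != group["virtual_ips"]:
        reasons.append("virtual addresses %s" % addrs)
    key = group["auth_key"].ljust(8, b"\x00")[:8]
    if auth_type != (AUTH_SIMPLE if group["auth_key"] else AUTH_NONE):
        reasons.append("auth type %d" % auth_type)
    elif group["auth_key"] and not hmac.compare_digest(pkt[-8:], key):
        reasons.append("authentication failed")  # constant-time comparison
    return reasons


class AdvertisementRateLimiter:
    """Sliding window: discard everything beyond `limit` packets per period."""

    def __init__(self, limit=MAX_PACKETS_PER_PERIOD, period=1.0):
        self.limit, self.period, self.times = limit, period, deque()

    def allow(self, now):
        while self.times and now - self.times[0] >= self.period:
            self.times.popleft()
        if len(self.times) >= self.limit:
            return False
        self.times.append(now)
        return True


def process_packets(packets, group, local_ips, limiter):
    """Apply suppression first, then the protocol checks, to a list of
    (time, src_ip, ttl, pkt) tuples; returns (accepted, [(time, reason)])."""
    accepted, dropped = 0, []
    for now, src, ttl, pkt in packets:
        if not limiter.allow(now):
            dropped.append((now, "attack suppression"))
            continue
        reasons = validate_advertisement(pkt, ttl, src, local_ips, group)
        if reasons:
            dropped.append((now, "; ".join(reasons)))
        else:
            accepted += 1
    return accepted, dropped


# Constructed sample: VRID 1 on 10.1.1.0/24, this switch is 10.1.1.3, the real
# master is 10.1.1.2, an attacker at 10.1.1.9 floods forged Advertisements.
GROUP = {"vrid": 1, "adver_int": 1, "virtual_ips": ["10.1.1.1"], "auth_key": b"Example1"}
LOCAL_IPS = {"10.1.1.3"}
GOOD = build_advertisement(1, 100, ["10.1.1.1"], b"Example1")
FORGED = build_advertisement(1, 254, ["10.1.1.1"], b"Wrong000")
FLOOD = [(i * 0.01, "10.1.1.9", 255, FORGED) for i in range(25)]

if __name__ == "__main__":
    print(validate_advertisement(GOOD, 255, "10.1.1.2", LOCAL_IPS, GROUP))
    print(validate_advertisement(FORGED, 255, "10.1.1.9", LOCAL_IPS, GROUP))
    print(process_packets(FLOOD, GROUP, LOCAL_IPS, AdvertisementRateLimiter()))
```

Running the block shows the order in which the two policies act: suppression drops the 21st and later packets of the flood regardless of content, while the 20 forged packets that pass the rate limit are still rejected because their authentication data does not match the group key. Swapping the flood for genuine Advertisements shows the cost of suppression: it also drops legitimate packets above the threshold, which is why the guide pairs it with authentication rather than relying on it alone.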

Configuration Method

Set the authentication mode of the VRRP group with VRID 1 on VLANIF100 to MD5 and the authentication key to Example-1. Configure the same mode and key on every other switch in the group; otherwise the members stop accepting each other's Advertisements.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.1
[HUAWEI-Vlanif100] vrrp vrid 1 authentication-mode md5 Example-1

Verifying the Security Hardening Result

Run the display vrrp command on each switch in the group to check the status and parameters of the VRRP group. Confirm that the authentication type shown for VRID 1 is MD5 and that exactly one member is in the Master state and the others are in the Backup state; two members in the Master state indicate that the authentication keys do not match.

Update Date:2024-04-10
Document ID:EDOC1100038362