CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Security Hardening Guide (V100 and V200)

CPU-Defend Policy: Local Attack Defense

The local attack defense function is used to protect the CPU by preventing service interruption caused by the CPU busy processing a large number of packets or malicious attack packets.

Security Policy Introduction

Local attack defense includes CPU attack defense and attack source tracing.

The CPU attack defense function can limit the rate of all the packets sent to the CPU to protect the CPU and ensure that the CPU can properly process services.

  • The core of CPU attack defense is the Control Plane Committed Access Rate (CPCAR). The CPCAR limits the rate of protocol packets sent to the control plane to ensure security of the control plane. The rate of packets can be limited in the following ways:
    • Scheduling and limiting based on the queue
    • Limiting for all packets

    The device allocates a queue for packets of each protocol. Queues are scheduled based on weights. Services with the highest priority are processed first.

    After the rate limit for all packets is set, the total number of packets sent to the CPU is limited so that more protocol packets can be processed. This function cannot protect the CPU when a CPU exception occurs.

  • CPU attack defense provides the blacklist function. A blacklist references an ACL. The device discards all packets matching the characteristics in the blacklist. You can add the known attackers to the blacklist.

Attack Methods

Attackers may send a large number of protocol packets, including ARP, DHCP, ICMP, and IGMP packets, to the device. These packets occupy the channels intended for processing valid protocol packets and the system resources intended for authorized users, so that users cannot access the Internet.
  • Attackers send ARP, DHCP, ICMP, and IGMP packets with fixed source MAC addresses to the device.
  • Attackers send ARP, DHCP, ICMP, and IGMP packets with fixed source IP addresses to the device.
  • Attackers send ARP, DHCP, ICMP, and IGMP packets with variable source IP addresses and variable source MAC addresses to the device.
  • Attackers send a large number of ping, tracert, and ICMP Destination Unreachable packets to the device so that the device becomes busy in processing low-priority packets and cannot process valid protocol packets.

Configuration and Maintenance Methods

  • Modify the CPCAR of protocol packets.

    Decrease the CPCAR of protocol packets or set the CPCAR action of protocol packets to deny to prevent packets that do not need to be processed or have low priorities from being sent to the CPU, ensuring proper system running.

    For example, set the rate of sending ICMP packets to the CPU to 1000 pps and configure the device to discard packets with time to live (TTL) of 1.

    <HUAWEI> system-view
    [~HUAWEI] cpu-defend policy 1
    [*HUAWEI-cpu-defend-policy-1] car packet-type icmp pps 1000
    [*HUAWEI-cpu-defend-policy-1] deny packet-type ttl-expired
    [*HUAWEI-cpu-defend-policy-1] quit
    [*HUAWEI] cpu-defend-policy 1
    [*HUAWEI] commit
  • Configure a blacklist to prevent the device from sending protocol packets from specified users to the CPU.

    If the CPCAR of a protocol's packets increases unexpectedly, a user may be sending a large number of such packets to the device. In this case, use the debug or catch function to locate the characteristics of the protocol packets. If the source IP address or source MAC address is fixed, configure a blacklist to prevent the device from sending the protocol packets to the CPU.

    For example, prevent the device from sending ARP packets with a fixed source MAC address to the CPU.

    <HUAWEI> system-view
    [~HUAWEI] acl number 4000
    [*HUAWEI-acl-L2-4000] rule 10 permit type 0x0806 0xffff source-mac 00e0-fc00-00db ffff-ffff-ffff
    [*HUAWEI-acl-L2-4000] quit
    [*HUAWEI] cpu-defend policy 1
    [*HUAWEI-cpu-defend-policy-1] blacklist 1 acl 4000
    [*HUAWEI-cpu-defend-policy-1] quit
    [*HUAWEI] cpu-defend-policy 1
    [*HUAWEI] commit
  • Configure attack source tracing to automatically detect the attack source and defend against attack traffic.

    Attack source tracing allows the device to automatically detect the attack source and defend against attack traffic. Planning and deploying attack source tracing improves the running security of the live network. When an attack occurs, the attack source is isolated, reducing the impact of the attack on services.

    For example, configure attack source tracing to defend against ARP packets. Treat packets arriving at a rate higher than 50 pps as attack packets and configure the device to automatically punish the user.

    <HUAWEI> system-view
    [~HUAWEI] cpu-defend policy 1
    [*HUAWEI-cpu-defend-policy-1] auto-defend enable
    [*HUAWEI-cpu-defend-policy-1] auto-defend attack-packet sample 5
    [*HUAWEI-cpu-defend-policy-1] auto-defend threshold 50
    [*HUAWEI-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
    [*HUAWEI-cpu-defend-policy-1] auto-defend protocol arp
    [*HUAWEI-cpu-defend-policy-1] auto-defend action deny timeout 300
    [*HUAWEI-cpu-defend-policy-1] quit
    [*HUAWEI] cpu-defend-policy 1
    [*HUAWEI] commit
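As an added illustration (not code from Huawei or from this guide), the following Python model applies the three configurations above to constructed traffic: the ICMP CPCAR of 1000 pps with ttl-expired packets denied, the ACL 4000 blacklist of MAC 00e0-fc00-00db, and ARP attack source tracing with a 1-in-5 sample, a 50 pps threshold and a 300 s deny action. The packet format, the order of the checks, the token-bucket depth (burst equal to the rate), the one-second estimation window, the 256 pps ARP CPCAR and all host addresses are assumptions of the model, not documented device behaviour.

```python
"""Simplified model of the mechanisms configured above (an illustration written for
this page, not Huawei software): ACL blacklist, packet-type deny, per-protocol CPCAR
token bucket in pps, and auto-defend source tracing with 1-in-N sampling, a pps
threshold and a timed deny.  Check order, bucket depth (burst = rate), the 1 s
estimation window and the 256 pps ARP rate are assumptions of this model."""
from collections import Counter, defaultdict, deque, namedtuple

ARP, ICMP = 0x0806, 0x0800
PROTO = {ARP: "arp", ICMP: "icmp"}
# t_ms: arrival time in milliseconds; port/vlan: ingress interface and VLAN of the packet
Packet = namedtuple("Packet", "t_ms ethertype src_mac src_ip port vlan ttl", defaults=(64,))

class TokenBucket:
    """`car packet-type <proto> pps <rate>`: refill `rate` tokens/s, bucket depth = rate."""
    def __init__(self, rate_pps):
        self.rate, self.tokens, self.last_ms = rate_pps, float(rate_pps), 0.0

    def allow(self, t_ms):
        self.tokens = min(self.rate, self.tokens + (t_ms - self.last_ms) * self.rate / 1000.0)
        self.last_ms = t_ms
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class AutoDefend:
    """Inspect 1 in `sample` traced packets; deny a source for `timeout_s` once its
    estimated pps over the last second exceeds the threshold."""
    def __init__(self, sample, threshold_pps, protocols, timeout_s):
        self.sample, self.threshold, self.timeout_ms = sample, threshold_pps, timeout_s * 1000.0
        self.protocols, self.count = set(protocols), 0
        self.windows, self.denied = defaultdict(deque), {}  # key -> sample times / expiry (ms)

    def check(self, pkt):
        """True if the packet may go on to CPCAR, False if its source is being punished."""
        if PROTO.get(pkt.ethertype) not in self.protocols:
            return True
        key = (pkt.src_ip, pkt.src_mac, pkt.port, pkt.vlan)  # trace-type source-ip source-mac source-portvlan
        if key in self.denied:
            if pkt.t_ms < self.denied[key]:
                return False
            del self.denied[key]  # punishment timed out
        self.count += 1
        if self.count % self.sample:  # only every Nth traced packet is inspected
            return True
        win = self.windows[key]
        win.append(pkt.t_ms)
        while win and win[0] < pkt.t_ms - 1000.0:
            win.popleft()
        if len(win) * self.sample > self.threshold:  # each sample stands for N packets
            self.denied[key] = pkt.t_ms + self.timeout_ms
            win.clear()
            return False
        return True

class CpuDefendPolicy:
    def __init__(self, car, deny_ttl_expired, blacklist_macs, auto_defend):
        self.car = {p: TokenBucket(r) for p, r in car.items()}
        self.deny_ttl_expired, self.blacklist_macs = deny_ttl_expired, blacklist_macs
        self.auto_defend = auto_defend

    def to_cpu(self, pkt):
        """Return None if the packet reaches the CPU, else the stage that dropped it."""
        if pkt.ethertype == ARP and pkt.src_mac in self.blacklist_macs:  # ACL 4000 rule 10
            return "blacklist"
        if self.deny_ttl_expired and pkt.ttl == 1:  # deny packet-type ttl-expired
            return "deny"
        if not self.auto_defend.check(pkt):
            return "auto-defend"
        bucket = self.car.get(PROTO.get(pkt.ethertype))
        if bucket is not None and not bucket.allow(pkt.t_ms):
            return "cpcar"
        return None

# Constructed sample streams (not captured traffic): label, packet count, interval in ms, fields.
STREAMS = [
    ("legit", 30, 100, dict(ethertype=ARP, src_mac="00e0-fc01-0002", src_ip="10.0.0.2", port="10GE1/0/1", vlan=10)),
    ("arp_flood", 1000, 2, dict(ethertype=ARP, src_mac="00e0-fc01-0099", src_ip="10.0.0.99", port="10GE1/0/2", vlan=10)),
    ("blacklisted", 20, 100, dict(ethertype=ARP, src_mac="00e0-fc00-00db", src_ip="10.0.0.50", port="10GE1/0/3", vlan=10)),
    ("icmp_flood", 4000, 0.25, dict(ethertype=ICMP, src_mac="00e0-fc01-0007", src_ip="10.0.0.7", port="10GE1/0/4", vlan=20)),
    ("ttl1", 5, 200, dict(ethertype=ICMP, src_mac="00e0-fc01-0008", src_ip="10.0.0.8", port="10GE1/0/4", vlan=20, ttl=1)),
]

def build_traffic():
    pkts = [(label, Packet(t_ms=i * step, **f)) for label, n, step, f in STREAMS for i in range(n)]
    pkts.sort(key=lambda lp: lp[1].t_ms)  # stable sort: ties keep stream order
    return pkts

def run_simulation():
    """Apply the page's policy to the sample traffic; returns (per-source counters, denied sources)."""
    policy = CpuDefendPolicy(
        car={"arp": 256, "icmp": 1000},  # icmp 1000 pps from the page; arp 256 pps assumed
        deny_ttl_expired=True, blacklist_macs={"00e0-fc00-00db"},
        auto_defend=AutoDefend(sample=5, threshold_pps=50, protocols=("arp",), timeout_s=300))
    stats = defaultdict(Counter)  # label -> {"to_cpu" or drop stage: packet count}
    for label, pkt in build_traffic():
        stats[label][policy.to_cpu(pkt) or "to_cpu"] += 1
    return dict(stats), dict(policy.auto_defend.denied)

if __name__ == "__main__":
    print(*run_simulation(), sep="\n")
```

Running the script prints the per-source counters and the denied sources. Under the model's assumptions it shows the behaviour the guide describes: the 500 pps ARP source is isolated after its first few dozen packets while the 10 pps host keeps being served, the blacklisted MAC never reaches the CPU, the TTL-1 packets are denied, and the 4000 pps ICMP flood is held to roughly the configured 1000 pps plus the initial bucket depth. Note that the ARP flood and the legitimate host share one CPCAR queue, which is why the guide recommends source tracing on top of CPCAR: the queue limit alone would penalise both sources.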

Configuration and Maintenance Suggestions

To isolate attack impact by user, enable attack source tracing.

Update Date: 2022-12-29
Document ID: EDOC1100040161