NE20E-S V800R010C10SPC500 Feature Description - IP Multicast 01

IGMP VLAN CAR

Principles

Internet Group Management Protocol (IGMP) VLAN Committed Access Rate (CAR) is a network security technology that protects the system against attacks from unauthorized users who send bogus IGMP messages.

If a device receives host packets, such as routing protocol packets, user login or logout packets, or malformed or erroneous packets, the interface board sends the host packets to the main control board's CPU for processing.

IGMP messages are a type of host packet. Therefore, if a device receives a large number of IGMP messages, the device becomes busy processing these packets, affecting its normal operation. If an attacker simulates IGMP messages to attack a device, the device considers these packets valid and processes them on the main control board, causing high CPU usage. To prevent IGMP attacks, configure IGMP VLAN CAR on interfaces to perform traffic policing on received IGMP messages. The interfaces then drop excess IGMP messages, protecting the CPU against attacks.

Implementation

After IGMP VLAN CAR is configured on an interface, the system collects statistics every 5 seconds about the IGMP messages that the interface sends to the main control board's CPU, and compares the rate at which IGMP messages are sent to the CPU with the preconfigured committed information rate (CIR). The system then performs the following operations:
  • If the rate is greater than the CIR, the system considers the interface under attack. The system performs a CAR operation and drops the IGMP messages exceeding the CIR. The system then generates an IGMP attack alarm.

  • If the rate is less than 75% of the CIR, there are three possibilities:
    • If the system has never been attacked before, the system considers the interface unattacked and does not perform a CAR operation.

    • If the system was last attacked at least 30 seconds earlier, the system considers that the attack has stopped and does not perform a CAR operation. The system then generates an IGMP attack stop alarm.

    • If the system has been attacked within the last 30 seconds, the system continues monitoring the IGMP messages until they have been sent to the CPU at a rate less than 75% of the CIR for 30 seconds. At that point, the system considers that the attack has stopped and does not perform a CAR operation. The system then generates an IGMP attack stop alarm.
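
The decision logic above as a small simulation, added here as an illustration and not Huawei's implementation. Assumptions: rates use the same unit as the CIR, the attack alarm is raised once per attack episode, and a rate between 75% and 100% of the CIR (a band the text does not describe) restarts the 30-second timer; the class and function names are hypothetical.

```python
from dataclasses import dataclass

INTERVAL_S = 5        # statistics interval stated on the page
CLEAR_RATIO = 0.75    # "less than 75% of the CIR"
HOLD_S = 30           # quiet time required before the stop alarm


@dataclass
class IgmpCarMonitor:          # hypothetical name, not a device API
    cir: float                 # committed information rate
    under_attack: bool = False
    quiet_s: int = 0           # consecutive seconds below 75% of the CIR

    def sample(self, rate: float) -> dict:
        """Evaluate one 5-second rate sample and return the resulting actions."""
        result = {"dropped": 0.0, "alarm": None}
        if rate > self.cir:
            result["dropped"] = rate - self.cir      # CAR: the excess is discarded
            if not self.under_attack:                # assumption: one alarm per episode
                result["alarm"] = "attack"
            self.under_attack, self.quiet_s = True, 0
        elif rate < CLEAR_RATIO * self.cir:
            if self.under_attack:                    # never attacked: nothing to do
                self.quiet_s += INTERVAL_S
                if self.quiet_s >= HOLD_S:
                    result["alarm"] = "attack-stop"
                    self.under_attack, self.quiet_s = False, 0
        else:
            # Assumption: the page does not cover 75%..100% of the CIR; treat it
            # as "not yet quiet" and restart the 30-second hold timer.
            self.quiet_s = 0
        return result


def run(cir, rates):
    """Return [(time_s, alarm)] for every sample that raised an alarm."""
    mon = IgmpCarMonitor(cir)
    events = []
    for i, rate in enumerate(rates):
        alarm = mon.sample(rate)["alarm"]
        if alarm:
            events.append(((i + 1) * INTERVAL_S, alarm))
    return events


# Constructed samples (one per 5 s) for CIR = 100:
# idle, burst, dip, rise into the 75-100% band, then 30 s of calm.
SAMPLE_RATES = [40, 250, 300, 60, 60, 90, 60, 60, 60, 60, 60, 60, 40]

if __name__ == "__main__":
    print(run(100, SAMPLE_RATES))
```

The gap between the 100% trigger and the 75% clear threshold, combined with the 30-second hold, keeps a rate that hovers near the CIR from producing a stream of alternating attack and attack stop alarms.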

Application

On the network shown in Figure 3-11, multicast services are deployed on the Internet, and hosts use IGMP to join the multicast groups on the routing network.

Because network devices send IGMP messages to the main control board's CPU for processing, unauthorized hosts use bogus IGMP messages to attack the network devices. As a result, a large number of IGMP messages are sent to the CPU, which causes high CPU usage and performance deterioration and affects the normal running of services.

To protect the CPU against IGMP attacks and ensure normal network operation, deploy IGMP VLAN CAR on the device's interfaces.

Figure 3-11 IGMP VLAN CAR networking
Updated: 2019-01-03

Document ID: EDOC1100055119
