NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Attack Source Tracing

After being configured with attack source tracing, the router saves received attack packets to its memory for attack analysis and defense.

Usage Scenario

When the router is under attack, attack source tracing saves the attack packets to memory for attack analysis and defense. The attack source tracing module checks for packet loss once every minute (an interval of 1 minute); if packet loss is detected, it records information about the dropped attack packets in memory.

This feature is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring the alarm function, configure the link layer protocol parameters and IP addresses of the interfaces, and ensure that the link layer protocol on the interfaces is Up.

Configuration Procedures

Figure 8-1 Flowchart for configuring attack source tracing

Creating an Attack Defense Policy

All local attack defense features must be added to an attack defense policy. These features take effect after the attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created.

  3. (Optional) Run description text

    The description of the attack defense policy is configured.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

You must run the cpu-defend-policy command on the interface board to apply the attack defense policy to it; the configured attack defense policy takes effect only after it has been applied.

Enabling Attack Source Tracing

Attack source tracing is enabled by default. If it has been manually disabled, do as follows to enable it again.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run attack-source-trace enable

    The attack source tracing function is enabled.

    After the attack-source-trace enable command is run, attack source tracing is enabled on all functional modules. After the undo attack-source-trace enable command is run, attack source tracing is disabled on all functional modules.

  4. Run attack-source-trace { car | tcpip-defend | ma-defend | application-apperceive | totalcar } enable

    Attack source tracing is enabled for a specific local attack defense feature.

  5. Run commit

    The configuration is committed.

Configuring Sampling Parameters for Attack Source Tracing

Sampling parameters for attack source tracing have default values. Do as follows to change them.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created and the attack defense policy view is displayed.

  3. Run attack-source-trace sample-rate sample-rate-value

    The sampling rate for the packets recorded by attack source tracing is set.

  4. Run save attack-source-trace slot { slot-id | all } [ file file-name ] linktype { hdlc | atm | ethernet | ppp }

    The attack source tracing information held in the memory of an interface board is saved to a file.

  5. Run commit

    The configuration is committed.

Applying the Attack Defense Policy

The configured attack defense policy takes effect only after being applied to the interface board.

Context

The NE20E defines a default attack defense policy, which cannot be modified or deleted. When the NE20E starts, this policy is automatically applied to the interface board; its configurations are the default configurations of each feature. To apply a specific attack defense policy to the interface board, run the cpu-defend-policy policy-number command on that board to bind the policy to it. If the cpu-defend-policy policy-number command is not run, the default attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run cpu-defend-policy policy-number

    The attack defense policy is applied to the interface board.

    You must apply the attack defense policy to the interface board; otherwise, the policy does not take effect.

    The attack defense policy specified by policy-number must already exist; otherwise, the policy cannot be applied.

  4. Run commit

    The configuration is committed.

Checking the Configurations

After configuring attack source tracing, you can view information about the packets discarded by each functional module, including the interface that received the packets, the VLAN to which that interface belongs, and the time at which the packets were discarded.

Procedure

  1. Run the following commands to view verbose information about attack source tracing.

    • display attack-source-trace slot { slot-id | all } verbose [ { attack-type { totalcar | car | application-apperceive | tcpip-defend | ma-defend } } | { source-mac source-mac source-mac-mask } | { destination-mac dest-mac dest-mac-mask } | { vlan vlan-id } | { source source-ip source-ip-mask } | { destination destination-ip destination-ip-mask } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { car-index car-index } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } | { destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } | { next-header next-header } ] *

    • display attack-source-trace file filename verbose [ { source-mac source-mac source-mac-mask } | { destination-mac dest-mac dest-mac-mask } | { source source-ip source-ip-mask } | { destination destination-ip destination-ip-mask } | { source-port source-port-number } | { vlan vlan-id } | { destination-port destination-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } | { destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } | { next-header next-header } ] *

  2. Run the following commands to view brief information about attack source tracing.

    • display attack-source-trace slot { slot-id | all } brief [ { source source-ip source-ip-mask } | { destination destination-ip destination-ip-mask } | { source-port source-port-number } | { destination-port dest-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { attack-type { totalcar | car | application-apperceive | tcpip-defend | ma-defend } } | { car-index car-index } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } | { destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } | { next-header next-header } ] *

    • display attack-source-trace file filename brief [ { source source-ip source-ip-mask } | { destination destination-ip destination-ip-mask } | { source-port source-port-number } | { destination-port destination-port-number } | { protocol-number protocol-number } | { time-range from start-time start-date [ to end-time end-date ] } | { source-ipv6 source-ipv6-address source-ipv6-prefixlen } | { destination-ipv6 destination-ipv6-address destination-ipv6-prefixlen } | { next-header next-header } ] *

  3. Run the display attack-source-trace slot { slot-id | all } original-information command to check original information about attack source tracing on the interface board.
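The verbose output shown in the Example below prints a summary of each discarded packet (MACs, IP addresses, protocol number, checksum) followed by an Attack Trace Data hex dump of the captured frame. The dump is the primary evidence: it can be decoded independently and compared against the summary, and it shows how much of the frame was actually captured. The following Python script is an added example, not Huawei code, and assumes only the layout visible on this page (indented "Key : value" lines, then an "Attack Trace Data:" or "Attack Source Data:" header followed by lines of hex bytes) and that the dump is a raw Ethernet frame. SAMPLE_RECORD is cut down from the IPv4 verbose record on this page; the protocol names are the standard IANA numbers.

```python
"""Decode a record from 'display attack-source-trace ... verbose' (added example,
not Huawei code). The 'Key : value' lines are parsed, the 'Attack Trace Data' hex
dump is decoded as Ethernet + IPv4, and the two views are compared field by field.
SAMPLE_RECORD is cut down from the IPv4 verbose record shown on this page."""
import ipaddress
import re
import struct

SAMPLE_RECORD = """\
 Attack Type      : Application apperceive
 Attack Pack Time : 2017-07-13 15:10:19
   Source Mac      : 0000-5001-0363
   Destination Mac : ffff-ffff-ffff
   Header Length   : 20
   Total Length    : 114 (0x0072)
   TTL             : 64
   Protocol Num    : 89(89)
   Checksum        : 25977
   Source Ip       : 80.1.3.99
   Dest Ip         : 192.85.1.1
 Attack Trace Data:
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$")
HEX_LINE_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}
# displayed field -> decoded key; numbers are displayed as "89(89)" or "114 (0x0072)"
CHECKS = {"Source Mac": "src_mac", "Destination Mac": "dst_mac", "Dest Mac": "dst_mac",
          "Source Ip": "src_ip", "Dest Ip": "dst_ip", "Header Length": "header_len",
          "Total Length": "total_len", "TTL": "ttl", "Protocol Num": "protocol",
          "Checksum": "checksum"}

def parse_record(text):
    """Return ({displayed field: value}, raw frame bytes) for one record."""
    fields, hex_lines, in_dump = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if in_dump:
            if HEX_LINE_RE.match(stripped):
                hex_lines.append(stripped)
        elif stripped.startswith(("Attack Trace Data", "Attack Source Data")):
            in_dump = True
        elif FIELD_RE.match(line):
            key, value = FIELD_RE.match(line).groups()
            fields[key] = value
    return fields, bytes.fromhex(" ".join(hex_lines))

def mac_str(b):
    """Format a MAC the way the router prints it, e.g. 0000-5001-0363."""
    return "-".join(b.hex()[i:i + 4] for i in range(0, 12, 4))

def ipv4_header_checksum(header):
    """RFC 791 ones-complement sum of 16-bit words; the checksum field must already be zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header[:len(header) // 2 * 2]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(raw):
    """Decode the Ethernet header and, for EtherType 0x0800, the IPv4 header."""
    if len(raw) < 14:
        raise ValueError("capture shorter than an Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    frame = {"dst_mac": mac_str(raw[:6]), "src_mac": mac_str(raw[6:12]),
             "ethertype": ethertype, "captured_len": len(raw)}
    ip = raw[14:]
    if ethertype != 0x0800 or len(ip) < 20:
        return frame  # not IPv4, or too little captured: report layer 2 only
    ver_ihl, _tos, tlen, _ident, _frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = bytearray(ip[:ihl])
    if 20 <= ihl == len(hdr):
        hdr[10:12] = b"\x00\x00"  # zero the stored checksum before recomputing it
    frame.update(version=ver_ihl >> 4, header_len=ihl, total_len=tlen, ttl=ttl, protocol=proto,
                 protocol_name=PROTO_NAMES.get(proto, "other"), checksum=csum,
                 checksum_ok=20 <= ihl == len(hdr) and ipv4_header_checksum(bytes(hdr)) == csum,
                 src_ip=str(ipaddress.IPv4Address(ip[12:16])),
                 dst_ip=str(ipaddress.IPv4Address(ip[16:20])),
                 truncated=len(ip) < tlen)  # Total Length counts IP bytes; the dump may stop early
    return frame

def cross_check(fields, frame):
    """Return (field, displayed, decoded) for every displayed value the dump contradicts."""
    mismatches = []
    for shown_key, frame_key in CHECKS.items():
        if shown_key in fields and frame_key in frame:
            shown, decoded = fields[shown_key], frame[frame_key]
            if isinstance(decoded, int):  # shown as "89(89)", "114 (0x0072)" or "25977"
                m = re.match(r"\d+", shown)
                same = m is not None and int(m.group()) == decoded
            else:
                same = shown.lower() == decoded
            if not same:
                mismatches.append((shown_key, shown, decoded))
    return mismatches
```

Running `decode_frame` on the page's sample dump recovers source 80.1.3.99, destination 192.85.1.1, protocol 89 (OSPF) and a valid header checksum of 25977, all matching the displayed summary, and also reports `truncated=True`: the dump holds 64 bytes while the IP Total Length field says 114, so only the front of the packet was captured. A record pasted from a file display (`display attack-source-trace file ... verbose`) parses the same way, since the field names and dump header are shared.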

Example

Run the display attack-source-trace slot 1 verbose command to view the detailed information about attack packets saved by the interface board in slot 1.

In IPv4 scenarios:
<HUAWEI> display attack-source-trace slot 1 verbose
-----------------------------
Slot            : 1                   
Buffer Size     : 1048576 Bytes         
Record Number   : 7 Packets  
Overwrite Flag  : No      
-----------------------------    
 No 1 Packet Info:        
 Interface Name   : GigabitEthernet0/1/1 
 PeVlanid : 0                                                                                                                       
 CeVlanid : 0                                                                                                                       
 CAR Index        : 8                                                                                                               
 Attack Type      : Application apperceive                                                                                          
 Attack Pack Time : 2017-07-13 15:10:19                                                                                             
L2 Type : Ethernet                                                                                                                  
   Source Mac      : 0000-5001-0363                                                                                                 
   Destination Mac : ffff-ffff-ffff                                                                                                 
   Ethernet type   : (0x0800)IP                                                                                                     
L3 Type : IP                                                                                                                        
   Version         : 4                                                                                                              
   Header Length   : 20                                                                                                             
   Type Of Service : 0                                                                                                              
   Total Length    : 114 (0x0072)                                                                                                   
   Identification  : 0                                                                                                              
   Fragment Offset : 0                                                                                                              
   TTL             : 64                                                                                                             
   Protocol Num    : 89(89)                                                                                                         
   Checksum        : 25977                                                                                                          
   Source Ip       : 80.1.3.99                                                                                                      
   Dest Ip         : 192.85.1.1                                                                                                     
 Attack Trace Data:                                                                                                                 
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00                                                                                     
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55                                                                                     
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                     
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------
In IPv6 scenarios:
<HUAWEI> display attack-source-trace slot 1 verbose
-----------------------------
Slot            : 1      
Buffer Size     : 1048576 Bytes
Record Number   : 7 Packets 
Overwrite Flag  : No     
----------------------------- 
 No 1 Packet Info: 
 Interface Name   : GigabitEthernet0/1/1
 PeVlanid : 0   
 CeVlanid : 0  
 CAR Index        : 8 
 Attack Type      : Application apperceive
 Attack Pack Time : 2017-07-13 15:10:19 
L2 Type : Ethernet
   Source Mac      : 0000-5001-0363
   Destination Mac : ffff-ffff-ffff 
   Ethernet type   : (0x86dd)IPV6 
L3 Type : IPV6
   Version              : 6
   Traffic Class       : 20
   Flow Label         : 86 
   Payload Length : 74
   Next Header     : 6
   Hop Limit         : 21
   Source IPv6     : 6100:0123:4567:89ab:0200:0:0808:0802
   Dest IPv6        : 6100:0123:4567:89ab::0001   
 Attack Trace Data:  
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00 
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

Run the display attack-source-trace file sun.cap verbose command to view the detailed attack source tracing information in the file named sun.cap.

In IPv4 scenarios:
<HUAWEI> display attack-source-trace file sun.cap verbose
 ----------------------------------                                                                                                 
Record number: 7 packets                                                                                                            
 ----------------------------------                                                                                                 
 No 1 Packet Info:                                                                                                                  
 PeVlanId         : 0                                                                                                               
 CeVlanId         : 0                                                                                                               
 Attack Pack Time : 2017-07-13 15:10:13                                                                                             
L2 Type : Ethernet                                                                                                                  
   Source Mac    : 0000-5001-0363                                                                                                   
   Dest Mac      : ffff-ffff-ffff                                                                                                   
   Ethernet type : (0x0800)IP                                                                                                       
L3 Type : IP                                                                                                                        
   Version         : 4                                                                                                              
   Header Length   : 20 byte                                                                                                        
   Type Of Service : 0                                                                                                              
   Total Length    : 114                                                                                                            
   Identification  : 0                                                                                                              
   Fragment Offset : 0                                                                                                              
   TTL             : 64                                                                                                             
   Protocol Num    : 89(89)                                                                                                         
   Checksum        : 25977                                                                                                          
   Source Ip       : 80.1.3.99                                                                                                      
   Dest Ip         : 192.85.1.1                                                                                                     
 Attack Trace Data:                                                                                                                 
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00                                                                                     
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55                                                                                     
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                     
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                     
 ----------------------------------
In IPv6 scenarios:
<HUAWEI> display attack-source-trace file sun.cap verbose
 ----------------------------------
Record number: 7 packets
 ----------------------------------
 No 1 Packet Info:
 PeVlanId         : 0
 CeVlanId         : 0
 Attack Pack Time : 2017-07-13 15:10:13
L2 Type : Ethernet 
   Source Mac    : 0000-5001-0363
   Dest Mac      : ffff-ffff-ffff
   Ethernet type : IPV6
L3 Type : IPV6
   Version              : 6
   Traffic Class       : 20
   Flow Label         : 86 
   Payload Length : 74
   Next Header     : 6
   Hop Limit         : 21
   Source IPv6     : 6100:0123:4567:89ab:0200:0:0808:0802
   Dest IPv6        : 6100:0123:4567:89ab::0001
 Attack Trace Data:
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
 ----------------------------------

Run the display attack-source-trace slot 1 brief command to view brief information about attack packets saved on the interface board in slot 1.

In IPv4 scenarios:
<HUAWEI> display attack-source-trace slot 1 brief
-----------------------------
Slot            : 1
Buffer Size     : 1048576 Bytes
Record Number   : 5 Packets
Overwrite Flag  : No
-----------------------------
 No 1 Packet Info:
 Interface Name   : GigabitEthernet0/1/1
 PeVlanid : 0
 CeVlanid : 0
 Attack Type      : Application apperceive
 Source Ip        : 80.1.3.99
 Dest Ip          : 192.85.1.1
 Protocol Num     : 89
 CAR Index        : 8
 Attack Pack Time : 2017-07-13 15:10:17
 Attack Trace Data:
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
In IPv6 scenarios:
<HUAWEI> display attack-source-trace slot 1 brief
----------------------------- 
Slot            : 1           
Buffer Size     : 1048576 Bytes   
Record Number   : 5 Packets
Overwrite Flag  : No    
----------------------------- 
 No 1 Packet Info:   
 Interface Name   : GigabitEthernet0/1/1 
 PeVlanid : 0           
 CeVlanid : 0       
 Attack Type      : Application apperceive  
 Source IPv6      : 6100:0123:4567:89ab:0200:0:0808:0802  
 Dest IPv6        : 6100:0123:4567:89ab::0001 
 Next Header      : 89
 CAR Index        : 8 
 Attack Pack Time : 2017-07-13 15:10:17 
 Attack Trace Data:       
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00 
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55    
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

Run the display attack-source-trace file sun.cap brief command to view brief attack source tracing information in the file named sun.cap.

In IPv4 scenarios:
<HUAWEI> display attack-source-trace file sun.cap brief
 No 1 Packet Info:
 PeVlanId         : 0
 CeVlanId         : 0
 Source Ip        : 10.1.1.1
 Dest Ip          : 10.1.1.2
 Protocol Num     : 6
 Attack Pack Time : 2000-01-02 07:11:30
 Attack Trace Data: 
28 6e d4 50 e8 06 78 1d ba 57 0a 85 08 00 45 00 
00 28 b1 6e 40 00 7f 06 7c 50 81 01 75 06 81 01 
57 08 04 cd 00 17 20 54 22 6f 4d aa 00 e0 50 10 
3c c0 0e d2 00 00 00 00 00 00 00 00 00 00 00 00
 ----------------------------------
 No 2 Packet Info:
 PeVlanId         : 0
 CeVlanId         : 0
 Source Ip        : 10.10.10.10
 Dest Ip          : 255.255.255.255
 Protocol Num     : 17
 Attack Pack Time : 2000-01-02 07:11:30
 Attack Trace Data: 
ff ff ff ff ff ff 00 e0 4c 90 2a 86 08 00 45 00 
00 64 d3 5c 00 00 80 11 54 a7 0a 6b 08 1b ff ff 
ff ff 08 14 18 56 00 50 87 10 53 65 61 72 63 68 
48 75 61 77 65 69 49 6e 73 74 72 75 00 00 00 00 
 ----------------------------------
In IPv6 scenarios:
<HUAWEI> display attack-source-trace file sun.cap brief
 No 1 Packet Info:         
 PeVlanid         : 0   
 CeVlanid         : 0  
 Source IPv6      : 6100:0123:4567:89ab:0200:0:0808:0802  
 Dest IPv6        : 6100:0123:4567:89ab::0001  
 Protocol Num     : 89 
 Attack Pack Time : 2017-07-13 15:10:13
 Attack Trace Data:  
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55 
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00 
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55

Run the display attack-source-trace slot 1 original-information command to view the original information about attack packets saved on the router.

In IPv4 scenarios:
<HUAWEI> display attack-source-trace slot 1 original-information
-----------------------------
 Slot            : 1  
 Buffer Size     : 1048576 Bytes                                                                                                    
 Record Number   : 644 Packets                                                                                                      
 Overwrite Flag  : Yes                                                                                                              
----------------------------- 
No 1 packet Info:
 Interface Name    : GigabitEthernet0/1/2
 PeVlanid          : 0
 CeVlanid          : 0
 Attack Type       : Application apperceive
 Attack Pack Time  : 2000-01-01 12:59:06
 Attack Source Data: 
ff ff ff ff ff ff 00 00 50 01 01 63 08 00 45 00 
00 56 00 00 00 00 40 06 15 8d 0a 0a 0a 0a 50 01 
01 01 00 00 00 b3 00 00 00 00 00 00 00 00 50 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
----------------------------------
In IPv6 scenarios:
<HUAWEI> display attack-source-trace slot 1 original-information
-----------------------------
Slot            : 1  
Buffer Size     : 1048576 Bytes
Record Number   : 7 Packets
Overwrite Flag  : No 
-----------------------------
 No 1 packet Info: 
 Interface Name    : GigabitEthernet0/1/2
 PeVlanid          : 0 
 CeVlanid          : 0  
 Attack Type       : Application apperceive
 Attack Pack Time  : 2017-07-13 15:10:13
 Attack Source Data:
ff ff ff ff ff ff 00 00 50 01 03 63 08 00 45 00
00 72 00 00 00 00 40 59 65 79 50 01 03 63 c0 55
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ----------------------------------
Updated: 2019-01-02

Document ID: EDOC1100055397
