
ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

SOC

To ensure system reliability and protect services against attacks, the ME60 supports security techniques such as rate limiting by committed access rate (CAR), attack detection, and attack defense. However, in the absence of a global management center that can summarize and analyze all attack information, attack detection and defense on the ME60 are not comprehensive.

To address this problem, the SOC has been developed to summarize and analyze information reported by all security detection modules in the system. Then the SOC presents attack event reports, attack sources, cause analysis, and solutions in a centralized and concise manner.

NOTE:

The SOC does not display information about minor attack events that affect only a single function in the system. Nor does it display information about events that cause a system breakdown through crafted malformed packets or a small number of attack packets; such events are reported by the service modules, the NMS, the log function, and the attack source tracing function.

The SOC displays only information about attack events that cause system risks. These attack events have the following characteristics:
  • CPU usage when the attack event occurs is much higher than that in normal cases.

  • The rate of packet loss caused by CPCAR exceeds a normal threshold.

  • A protocol module detects a large number of invalid packets or sessions, and the percentage of the number of invalid packets or sessions to the total number of packets or sessions exceeds a normal threshold.

Attack Detection

Attack detection allows the SOC to determine whether the ME60 is under attack based on the statistics it collects.

The SOC is triggered by timers to collect the CPU usage, the protocol modules' state data (including the numbers of invalid packets and sessions), and CPCAR-related packet loss statistics. After attack detection is enabled, the SOC determines that the ME60 is being attacked and starts attack source tracing when the CPU usage and the percentage of invalid packets or sessions, or the packet loss rate, exceed the attack detection thresholds. If attack detection is disabled, the SOC still collects statistics on the timers, but it neither determines attack events nor starts attack source tracing.

Attack Source Tracing

Attack source tracing allows the SOC to locate an attack event and determine the probability and cause of the attack event.

If attack detection identifies the ME60 as under attack, the SOC samples attack packets and collects and analyzes statistics about the sampled packets based on multiple criteria, such as the source MAC address, source IP address, broadcast packets, packets with varied source addresses, protocol type, physical interface, logical interface, VLAN ID, and QinQ information. The SOC then lists the top N packets under each criterion, filters the attack-related objects against the attack source tracing thresholds, and generates attack event reports as well as alarms.
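The detection and tracing logic described above, written out as an added Python model (not code from the ME60 or this guide). The packet sample, the field names and the percent thresholds are constructed for illustration; on the device the thresholds come from the attack-trace location-type and attack-trace probability commands.

```python
from collections import Counter

# Constructed sample: packets the SOC would sample once attack detection fires.
# Field names are an assumption, not the ME60's internal record layout.
SAMPLED_PACKETS = (
    [{"source-mac": "00e0-fc00-0001", "source-ip": "10.1.1.9", "interface": "GE1/0/0", "vlan": 100}] * 70
    + [{"source-mac": "00e0-fc00-0002", "source-ip": "10.1.1.10", "interface": "GE1/0/0", "vlan": 100}] * 20
    + [{"source-mac": "00e0-fc00-0003", "source-ip": "10.1.1.11", "interface": "GE1/0/1", "vlan": 200}] * 10
)

# Assumed thresholds in percent (constructed values, not device defaults).
DETECT = {"cpu": 80, "invalid-pct": 50, "loss-pct": 30}
LOCATION = {"source-mac": 60, "source-ip": 60, "interface": 90, "vlan": 90}
PROBABILITY = {"determined": 60, "notification": 40, "suspicion": 20}


def detect_attack(cpu_usage, invalid, total, dropped, offered):
    """Attack detection: CPU usage above its threshold together with either the
    invalid-packet/session share or the CPCAR loss rate above its threshold."""
    invalid_pct = 100.0 * invalid / total if total else 0.0
    loss_pct = 100.0 * dropped / offered if offered else 0.0
    return cpu_usage > DETECT["cpu"] and (
        invalid_pct > DETECT["invalid-pct"] or loss_pct > DETECT["loss-pct"]
    )


def trace_sources(packets, top_n=5):
    """Source tracing: rank objects per criterion, keep the top N, then keep only
    those whose share of the sample reaches the location threshold."""
    report = {}
    for crit, threshold in LOCATION.items():
        counts = Counter(p[crit] for p in packets)
        report[crit] = [
            (obj, n) for obj, n in counts.most_common(top_n)
            if 100.0 * n / len(packets) >= threshold
        ]
    return report


def classify_probability(packets, crit="source-ip"):
    """Probability grade from the share held by the largest single object under
    one criterion (an assumed grading rule, using the page's three grade names)."""
    share = 100.0 * Counter(p[crit] for p in packets).most_common(1)[0][1] / len(packets)
    for grade in ("determined", "notification", "suspicion"):
        if share >= PROBABILITY[grade]:
            return grade
    return "none"
```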

Attack Defense

Attack defense allows the SOC to automatically deliver attack defense policies and discard attack packets, protecting the ME60 against attacks.

After attack defense is enabled, the SOC classifies attack packets based on the packet characteristics and delivers ACL rules accordingly. The ACL rules specify the attack packet characteristics, interfaces under attack, and the mapping between the ACL rules and committed access rate (CAR) IDs. The CAR action can be sending packets to the CPU or discarding packets.

The SOC counts the discarded packets and the packets sent to the CPU in real time, and cancels an ACL rule once the packet discard rate falls below the specified threshold.

SOC Configuration Method and Procedure

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run soc

    Attack detection and attack source tracing are enabled, and the SOC view is displayed.

    By default, attack detection and attack source tracing are enabled.

  3. (Optional) Run attack-defend enable

    Attack defense is enabled.

    If the SOC determines that an attack event has occurred, enable attack defense.

  4. Run commit

    The configuration is committed.

  5. Check attack event reports.
    1. Run the display soc attack-event command to check a summary of attack events.
    2. Run the display soc attack-event slot slot-id [ verbose ] command to check information about attack events on the board in a specified slot.

      The specified slot is identified by checking the Location field in the attack event summary. Detailed information about attack events is displayed if verbose is configured.

    3. Run the display soc attack-event event-number event-number [ verbose ] command to check information about the specified attack event.

      The specified attack event is identified by checking the Seq. field in the attack event summary or information about attack events on the board in a specified slot.

  6. Check historical statistics.

    NOTE:

    In the following commands, slot-id must be the same as the slot-id specified in the display soc attack-event command, and protocol-name must be the same as the Reasons field value in the display soc attack-event command output.

    Check CPCAR statistics.

    1. Run the display soc attack-detect statistics car slot slot-id protocol protocol-name command to check all CPCAR statistics monitored by the SOC. Identify the CarName of the CPCAR with the highest packet loss rate or the largest number of lost packets.

      NOTE:

      CAR is a traffic policing instance; CPCAR is the CAR applied to packets destined for the CPU.

    2. Run the display soc attack-detect statistics car slot slot-id protocol protocol-name [ cpcar-name history { 15-minute | 60-minutes | 72-hour } ] command to check the packet loss rate of the protocol packets identified by cpcar-name within a specified period.
    3. Run the display soc attack-detect cpu-usage slot slot-id history { 15-minutes | 60-minutes | 72-hours } command to check the CPU usage within a specified period. If the CPU usage and packet loss rate within a specified period have similar tendencies, the CPU overload is caused by the protocol packets identified by cpcar-name.

    Check protocol statistics.

    1. Run the display soc attack-detect statistics application slot slot-id command to check statistics about the protocol packets and sessions on the board in a specified slot. Identify the protocol module with the largest percentage of invalid packets or sessions relative to its total packets or sessions. This protocol module can be considered the least secure.
    2. Run the display soc attack-detect statistics application slot slot-id protocol protocol-name history { 15-minute | 60-minutes | 72-hour } command to check statistics about the protocol packets and sessions and the average CPU usage within the last 15 minutes, 1 hour, or 72 hours. If the CPU usage is high while the percentage of invalid packets or sessions is also high, attacks on the protocol module are causing the CPU overload. If the average CPU usage is not enough to identify the problem, run the following command to check detailed CPU usage within the specified period.
    3. (Optional) Run the display soc attack-detect cpu-usage slot slot-id history { 15-minutes | 60-minutes | 72-hours } command to check detailed information about the CPU usage within a specified period.
  7. (Optional) Run the display soc attack-defend statistics slot slot-id port-vlan-car command to check statistics about the packets that pass through or are discarded by interfaces being attacked on the board in a specified slot.

    This command is meaningful only after attack defense is enabled and the ME60 is under attack.

  8. Configure thresholds for determining attack events.
    • To configure the threshold for determining the location of an attack event, run the attack-trace location-type { interface | qinq | source-ip | source-mac | sub-interface | vlan } threshold threshold-value command.
    • To configure the threshold for determining the probability of an attack event, run the attack-trace probability { top5-user | top5-source-mac | top5-source-ip | broadcast-flood | app-error-percent } { determined | notification | suspicion } threshold-value command.
    • To configure the threshold for determining the cause of an attack event, run the attack-trace reason { app-packet | broadcast-flood | change-source-packet } percentage percentage-value command.
  9. Run commit

    The configuration is committed.
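The "similar tendencies" check from step 6 carried out on constructed history data, as an added Python example (not code from the ME60 or this guide). The CPU and CPCAR series stand in for the history output of the display soc attack-detect cpu-usage and display soc attack-detect statistics car commands; the CarName labels, the protocol statistics and the 0.8 correlation cutoff are assumptions.

```python
from math import sqrt

# Constructed 15-minute histories, one sample per minute (values made up for illustration).
CPU_USAGE = [20, 22, 25, 60, 85, 90, 92, 88, 40, 25, 21, 20, 20, 22, 21]
CPCAR_LOSS_RATE = {
    "arp":  [0, 0, 2, 40, 70, 80, 82, 75, 10, 1, 0, 0, 0, 0, 0],  # follows the CPU curve
    "icmp": [5, 6, 5, 4, 6, 5, 5, 6, 5, 5, 6, 5, 4, 5, 5],        # flat background loss
    "bgp":  [0] * 15,                                             # no loss at all
}
# Constructed protocol statistics per module: (total packets, invalid packets).
APP_STATS = {"arp": (9000, 4000), "dhcp": (1000, 30), "icmp": (2000, 100)}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def cpcar_matching_cpu(cpu, loss_by_car, min_corr=0.8):
    """Step 6, CPCAR statistics: the CPCAR whose loss-rate history moves with the
    CPU usage history is the protocol causing the overload. Returns None when no
    CPCAR reaches min_corr, i.e. no similar tendency was found."""
    scored = {car: pearson(cpu, series) for car, series in loss_by_car.items()}
    best = max(scored, key=scored.get)
    return best if scored[best] >= min_corr else None


def least_secure_module(app_stats):
    """Step 6, protocol statistics: the module with the highest invalid share."""
    return max(app_stats, key=lambda m: app_stats[m][1] / app_stats[m][0])
```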

Updated: 2019-01-04

Document ID: EDOC1100059445
