No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of Local Attack Defense

Overview of Local Attack Defense


Local attack defense protects the CPU of a device and prevents service interruption caused by attacks from a large number of packets or malicious packets.

Device CPUs need to process a large number of packets including valid packets and malicious attack packets on a network. The malicious attack packets overwhelm the CPUs, and thus affect services and cause a system breakdown. In addition, excessive valid packets can also lead to high CPU usage, which degrades the CPU's performance and interrupts services.

To ensure that the CPU can process services in a timely manner, the device provides a local attack defense function. When a device is undergoing an attack, this function ensures uninterrupted service transmission and minimizes the impact on network services.

Basic Implementation

The device supports two types of local attack defense: CPU attack defense and attack source tracing.

  • CPU Attack Defense

    The device can limit the rate of all packets reaching the CPU, which means that only a specified number of packets can be sent to the CPU in a specified period. This protects the CPU and ensures its normal operation.

    The core of CPU attack defense is the Control Plane Committed Access Rate (CPCAR). In addition, CPU attack defense supports blacklists.
    • CPCAR limits the rate of protocol packets sent to the control plane and schedules the packets to protect the control plane. CPCAR provides hierarchical device protection: scheduling and rate limiting based on queues and rate limiting for all packets, as shown in Figure 6-1.

      Figure 6-1 Rate limiting for packets sent to the CPU

      The queues on the device include exclusive queues and shared queues (also called common queues). Fair scheduling is performed among the queues. That is, all services are equally scheduled.
      • Exclusive queue: When a service is enabled on a device, the device dynamically allocates a queue to the service. When the service is disabled, the device withdraws the queue of the service.
      • Shared queue: A shared queue is provided to cope with insufficiency of exclusive queues. When all exclusive queues are allocated, the device adds all the newly enabled services to the shared queue to limit their rates.
      After the rate limits are set for all packets sent to the CPU, the CPU can process more protocol packets without being overwhelmed.

      CPU attack defense cannot take effect on the packets received by the management interface. If the network connected to the management interface initiates an attack, users may fail to log in to or manage the device through the management interface. In this situation, it is recommended that you scan for viruses on all computers located on the connected network or optimize the networking to mitigate attacks.

    • CPU attack defense provides a blacklist function. A blacklist references an ACL. The device discards all packets that have the characteristics defined in the blacklist. You can add known attackers to the blacklist.

  • Attack Source Tracing

    Attack source tracing protects the CPU against Denial of Service (DoS) attacks. The device enabled with attack source tracing analyzes packets sent to the CPU, collects statistics on the packets, and sets a rate threshold for the packets. The device considers excess packets as attack packets. The device finds the source user address or interface of the attack packets and generates logs or alarms for the attack. Accordingly, the network administrator can take measures to defend against the attacks, for example, discarding packets from the attack source.

    Attack source tracing involves four processes shown in Figure 6-2: packet parsing, traffic analysis, attack source identification, log & alarm generation as well as taking punish actions.

    1. Parse packets based on IP addresses, MAC addresses, and ports. The ports are identified by physical port numbers and VLAN IDs.
    2. The system counts the number of received protocol packets based on IP addresses, MAC addresses, or port numbers.
    3. When the rate of packets sent to the CPU exceeds the threshold, the system considers that an attack has occurred.
    4. When detecting an attack, the system reports a log and an alarm, or takes punish actions. For example, the system discards the packets.
    Figure 6-2 Attack source tracing processes

    Attack source tracing provides the whitelist function. After an ACL is configured to permit the packets from a port or a port is added to the whitelist, the device does not trace the source of the packets from this port. You can add the authorized users or ports to the whitelist to ensure that packets from these users can be sent to the CPU.

Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 22639

Downloads: 92

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next