Professional Documents
Culture Documents
Switches
Configuration Guide - Security 3 Local Attack Defense Configuration
This chapter describes how to configure local attack defense to limit the rate of
packets reaching the CPU. This function protects device security and ensures
uninterrupted services.
Definition
Local attack defense protects the CPU of a device and prevents service interruption
caused by attacks from a large number of packets or malicious packets.
Device CPUs need to process a large number of packets including valid packets
and malicious attack packets on a network. The malicious attack packets
overwhelm the CPUs, and thus affect services and cause a system breakdown. In
addition, excessive valid packets can also lead to high CPU usage, which degrades
the CPU's performance and interrupts services.
To ensure that the CPU can process services in a timely manner, the device
provides a local attack defense function. When a device is undergoing an attack,
this function ensures uninterrupted service transmission and minimizes the impact
on network services.
Basic Implementation
The device supports four types of local attack defense: CPU attack defense, attack
source tracing, port attack defense, and user-level rate limiting.
Queue N
After rate limits for protocols are set, the device allocates a queue to
each type of protocol. For example, the device allocates a queue to
management protocols such as Telnet and SSH and a queue to routing
protocols. Queues are scheduled based on weights or priorities. Services
with the highest priority are processed first. You can also set a rate limit
for packets in each queue sent to the CPU.
After the rate limits are set for all packets sent to the CPU, the CPU can
process more protocol packets without being overwhelmed.
NOTE
● If all the rate limits in Figure 3-1 are set, the smallest rate limit takes effect.
● CPU attack defense cannot take effect on the packets that the management
interface receives. If the network connected to the management interface
initiates an attack, users may fail to log in to or manage the device through
the management interface. In this situation, it is recommended that you scan
for viruses on all computers located on the connected network or optimize
the networking to mitigate attacks.
● When multiple protocols are running, the protocol packets sent to the CPU
may be dropped because they exceed the CIR/CBS, the maximum rate of
sending packets from queues to CPU, or the maximum number of packets
that can be processed by CPU. When protocol packets are dropped, protocol
flapping occurs.
– Dynamic link protection refers to session-based application data
protection, such as FTP sessions, BGP sessions, and OSPF sessions. This
function ensures normal services continue to run when an attack occurs.
When a session is set up, protocol rate limiting does not take effect. The
device limits the session rate based on the rate set in the dynamic link
protection, ensuring reliability and stability of the session-related services.
– CPU attack defense provides a blacklist function. A blacklist references an
ACL. The device discards all packets that have the characteristics defined
in the blacklist. You can add known attackers to the blacklist.
– CPU attack defense supports user-defined flows defined through ACLs.
The device limits the rate of packets matching the characteristics defined
in user-defined flows sent to the CPU. The characteristics of attack flows
can be flexibly defined in ACL rules, so you can configure user-defined
flows for a network prone to unknown attacks.
● Attack Source Tracing
Attack source tracing protects the CPU against Denial of Service (DoS)
attacks. The device enabled with attack source tracing analyzes packets sent
to the CPU, collects statistics on the packets, and sets a rate threshold for the
packets. The device considers excess packets as attack packets. The device
finds the source user address or interface of the attack packets and generates
logs or alarms for the attack. Accordingly, the network administrator can take
measures to defend against the attacks, for example, discarding packets from
the attack source.
Attack source tracing involves four processes shown in Figure 3-2: packet
parsing, traffic analysis, attack source identification, log & alarm generation
as well as taking punish actions.
a. Parse packets based on IP addresses, MAC addresses, and ports. The ports
are identified by physical port numbers and VLAN IDs.
b. The system counts the number of received protocol packets based on IP
addresses, MAC addresses, or port numbers.
c. When the rate of packets sent to the CPU exceeds the threshold, the
system considers that an attack has occurred.
d. When detecting an attack, the system reports a log and an alarm, or
takes punish actions. For example, the system discards the packets.
Logs and
Attack alarms
Packet Traffic
source
parsing analysis Taking
identification
punish
actions
Chip forwarding
You can add authorized users or ports to the whitelist to ensure that packets
from these users can be sent to the CPU.
● User-Level Rate Limiting
User-level rate limiting identifies users based on MAC address, and rates the
limits of specified protocol packets, such as ARP, ND, DHCP Request, DHCPV6
Request, IGMP and HTTPS-SYN. If a user undergoes a DoS attack, other users
are not affected. The core of user-level rate limiting is HOST CAR.
The procedure of user-level rate limiting is as follows:
a. When receiving preceding packets, the switch performs a hash calculation
on the source MAC addresses and places the packets into different
buckets.
b. When the number of packets placed in a bucket within one second
exceeds the rate limit, the bucket discards the packets. The switch counts
the number of discarded packets every 10 minutes. When the number of
discarded packets within 10 minutes exceeds 2000, the switch reports a
packet discard log for this bucket. If the numbers of discarded packets in
many buckets exceed 2000, the switch records the packet discard logs for
the top 10 buckets.
Licensing Requirements
Configuration commands of local attack defense are available only after the
S1720GW, S1720GWR, and S1720X have the license (WEB management to full
management Electronic RTU License) loaded and activated and the switches are
restarted. Configuration commands of local attack defense on other models are
not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
● In V200R011C10 and earlier versions, the attack source tracing function does
not take effect on IPv6 packets.
● The user-level rate limiting is available in the S5720HI of V200R009 and later
versions.
● It is recommended that you disable user-level rate limiting on the network-
side interfaces of an access switch and a gateway switch. The user-level rate
limiting is enabled on interfaces by default.
● The packets destined for the local switch are sent to the CPU. After functions
related to some protocols such as BGP, OSPF, and LACP are enabled, packets
of these protocols are also sent to the CPU. If packets sent to the CPU match
both CPCAR and a traffic classification rule in a traffic policy, but the actions
to be taken conflict with each other, CPCAR or the traffic policy with a higher
precedence takes effect. Table 3-2 describes the precedence between CPCAR
and traffic policies.
Blacklist None
CPCAR value for BGP, OSPF, FTP, The default CPCAR values vary
HTTPS, IKE, IPSEC-ESP, SSH, TELNET, according to the protocol types of
and TFTP packets used when packets. For details, see 3.4.4
connections are set up Configuring a Rule for Sending
Packets to the CPU.
Types of protocol packets to which ARP Request, ARP Reply, DHCP, ICMP,
port attack defense is applied IGMP, and IP fragment packets
Sampling ratio 5
Whitelist None
Packet types to which the user-level ARP, ND, DHCP Request, DHCPv6
rate limiting applies Request, and 8021x packets
Pre-configuration Tasks
Before configuring CPU attack defense, complete the following tasks:
● Connect interfaces and set physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up.
● Configure an ACL for blacklist, if necessary.
Configuration Procedure
Before configuring CPU attack defense, create an attack defense policy. The other
tasks can be performed in any sequence and can be selected as required. An
attack defense policy takes effect only after it is applied to an object. There is no
limitation on when the attack defense policy is applied.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
An attack defense policy is created and the attack defense policy view is displayed.
The device supports a maximum of 13 attack defense policies, including the
default attack defense policy. By default, the default attack defense policy is
applied to the device and cannot be deleted or modified. The other 12 policies can
be created, modified or deleted.
Step 3 (Optional) Run description text
The description of the attack defense policy is configured.
By default, an attack defense policy does not have a description.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Create a blacklist.
● Run the blacklist blacklist-id acl acl-number1 command to create an IPv4
blacklist.
The ACL referenced by the IPv4 blacklist can be a basic ACL, an advanced ACL,
or a Layer 2 ACL. For details about ACL configuration, see 2 ACL
Configuration.
By default, no IPv4 blacklist is configured.
● Run the blacklist blacklist-id acl ipv6 acl-number2 command to create an
IPv6 blacklist.
Only advanced ACLs can be applied to the IPv6 blacklist. For details about
ACL configuration, see 2 ACL Configuration.
By default, no IPv6 blacklist is configured.
● Run the blacklist blacklist-id acl acl-number3 hard-drop command to create
the blacklist that discards the packets matching ACL rules in the forwarding
chip.
The ACL referenced in this command must be an advanced ACL, and this
command applies to only IPv4 packets. For details about ACL configuration,
see 2 ACL Configuration.
By default, the blacklist that discards the packets matching ACL rules in the
forwarding chip is not configured.
NOTE
● An attack defense policy can contain a maximum of eight blacklists (including IPv4 and IPv6
blacklists and the blacklist that discards the packets matching ACL rules).
● Packets matching the ACL applied to a blacklist are discarded, regardless of whether the ACL
contains a permit or deny rule.
● If an ACL has no rule, the blacklist that references the ACL does not take effect.
● Only the S6720EI, S6720S-EI, S5720HI, and S5720EI support the IPv6 blacklist.
● For the S5720HI, an advanced ACL applied to the IPv6 blacklist can match only the source IP
address.
● Only the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E,
S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI,
S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI support the blacklist that
discards the packets matching ACL rules in the forwarding chip.
● For the S5720EI, S5720HI, S6720EI, and S6720S-EI, when a basic ACL is applied to the
blacklist, the ARP packets matching the ACL are discarded. For the S5720EI, S6720EI, and
S6720S-EI, when an advanced ACL is applied to the blacklist, the ARP packets matching the
ACL are also discarded.
● For the S5720HI, after fast ICMP reply is enabled, the ping detection cannot be blocked by
the blacklist. This is because after the fast ICMP reply function is enabled, the ICMP Echo
Request packets received on an interface of the device are not sent to the protocol stack or
processed by the CPU. Instead, the interface directly processes the packets.
----End
Context
You can bind an ACL to a user-defined flow to specify characteristics of attack
flows. When unknown attacks occur on the network, the device can identify attack
data flows and limit the rate of data flows with the specified characteristics.
NOTE
Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support this function.
If a blacklist and a user-defined flow reference the same ACL, the blacklist takes effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run user-defined-flow flow-id acl acl-number
A user-defined flow is configured.
The ACL referenced by a user-defined flow can be a basic ACL, an advanced ACL,
or a Layer 2 ACL. For details on how to create an ACL, see 2 ACL Configuration.
By default, no user-defined flow is configured.
NOTE
----End
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure a rule for sending packets to the CPU.
Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Configure a rate limit on protocol packets or a rate limit after ALP is enabled in
the attack defense policy view.
● Configure rate limits for protocol packets.
The action to be performed on protocol packets sent to the CPU can be car or
deny. When you configure the action to be performed on packets of the same
protocol, the latest configuration takes effect.
– Run car { packet-type packet-type | user-defined-flow flow-id } cir cir-
value [ cbs cbs-value ]
The CIR and CBS values for packets sent to the CPU are set.
By default, the CIR value for user-defined flows is 64 kbit/s. You can run
the display cpu-defend configuration command to check the CAR
values for protocol packets.
– Run deny { packet-type packet-type | user-defined-flow flow-id }
The action taken for the packets sent to the CPU is set to deny.
By default, the switch does not discard packets sent to the CPU. Instead,
the switch limits the rate of user-defined flows and packets sent to the
CPU based on the default rate. You can run the display cpu-defend
configuration command to check the CAR values of each type of
packets.
● Configure a rate limit after ALP is enabled.
a. Run linkup-car packet-type { bgp | ftp | https | ike | ipsec-esp | ospf |
ssh | telnet | tftp } cir cir-value [ cbs cbs-value ]
The CAR values for protocol packets, including the CIR and CBS values,
are set.
Table 3-7 lists the default CIR and CBS values for the setup of BGP, FTP,
HTTPS, IKE, IPSEC-ESP, OSPF, SSH, TELNET, and TFTP connections.
S1720GFR, S2750EI,
S5700LI, S5700S-LI,
▪ FTP, SSH, TFTP: ▪ FTP, SSH, TFTP:
1024 kbit/s 192512 bytes
S5710-X-LI
▪ TELNET: 64 kbit/s ▪ TELNET: 12032
bytes
S1720GW,
S1720GWR, S1720X,
▪ FTP, SSH, TFTP: ▪ FTP, SSH, TFTP:
1024 kbit/s 192512 bytes
S1720GW-E,
S1720GWR-E, ▪ OSPF: 512 kbit/s ▪ OSPF: 96256 bytes
S1720X-E, S5720LI,
S5720S-LI, S6720LI, ▪ TELNET: 64 kbit/s ▪ TELNET: 12032
S6720S-LI bytes
S5720SI, S5720S-SI
▪ FTP, SSH, TFTP: ▪ FTP, SSH, TFTP:
1024 kbit/s 192512 bytes
S2720EI
▪ FTP, SSH, TFTP: ▪ FTP, SSH, TFTP:
1024 kbit/s 192512 bytes
S5730SI, S5730S-EI,
S6720SI, S6720S-SI
▪ BGP: 1024 kbit/s ▪ BGP: 192512 bytes
S5720EI, S6720EI,
S6720S-EI
▪ BGP: 1024 kbit/s ▪ BGP: 192512 bytes
S5720HI
▪ BGP: 1024kbit/s ▪ BGP: 192512bytes
▪ IPSEC-ESP: ▪ IPSEC-ESP:
800kbit/s 150400bytes
NOTE
▪ Only the S5730SI, S5730S-EI, S5720EI, S5720HI, S6720SI, S6720S-SI, S6720EI, and
S6720S-EI support the bgp parameter.
▪ Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the https parameter.
▪ A shared CAR value for packets of FTP, SSH, TFTP connections can be set on
S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E,
S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI,
S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI. For
example, the linkup-car packet-type ftp cir cir-value [ cbs cbs-value ] command
specifies the CAR value for FTP packets when an FTP connection is set up, and also
specifies the CAR value for packets of SSH, TFTP connections.
b. Run quit
Return to the system view.
c. Run cpu-defend application-apperceive enable
Globally ALP is enabled.
By default, globally ALP is enabled.
d. Run cpu-defend application-apperceive { bgp | ftp | https | ike | ipsec-
esp | ospf | ssh | telnet | tftp } enable
ALP of protocol packets is enabled.
By default, ALP is enabled on FTP, HTTPS, IKE, IPSEC-ESP, SSH, TELNET,
and TFTP packets and disabled on BGP and OSPF packets.
NOTE
▪ Only the S5730SI, S5730S-EI, S5720EI, S5720HI, S6720SI, S6720S-SI, S6720EI, and
S6720S-EI support the bgp parameter.
▪ After ALP is enabled for HTTPS, the CIR value (transmission rate) is automatically
increased to ensure high-speed file transmission between the web NMS and
switch.
----End
Context
If the default CPCAR settings cannot meet the changing requirements for the
upper limit of the packet sending rate, the dynamic CPCAR adjustment function
can meet these requirements.
If the default CIR value of a protocol has never been modified, a device with this
function enabled can dynamically adjust the default CIR value for the protocol
packets based on service scale (for example, number of dynamic ARP entries) and
CPU usage to meet various service requirements. For details, see Table 3-8.
More than 512 and less than or equal 128 kbit/s (remain unchanged if the
to 1024 default CIR is larger than 128 kbit/s)
NOTE
When the number of entries increases, the CIR value is automatically increased. If the CPU
is overloaded, the CIR value is decreased.
The device dynamically adjusts the default CIR value of ARP protocol packets only
when the function is enabled globally and on ARP protocol packets.
Procedure
Step 1 Run system-view
The dynamic CPCAR adjustment function is enabled globally for protocol packets.
----End
Context
To protect the CPU, a switch limits the rate of protocol packets sent to the CPU
based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess
protocol packets are dropped. As a result, the corresponding service may not run
normally. To quickly detect packet loss caused by CPCAR exceeding, you can
enable alarm reporting for this event. After this function is enabled, the switch
checks for packet loss caused by CPCAR at 10-minute intervals. If the switch finds
that the number of dropped packets of a protocol increases, the switch reports a
packet loss alarm.
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend trap drop-packet
The system is enabled to report alarms for packet loss caused by CPCAR
exceeding.
----End
Context
Generally, a device uses an ACL to control the protocol packets to be sent to the
CPU. The ACL can only control packets based on protocol types. If protocol packets
are sent to the device, you can run the deny command to discard all the packets
sent to the CPU or run the car (attack defense policy view) command to set a rate
limit for packets. However, packets received by different interfaces cannot be
differentiated.
If an interface is attacked, the attack packets occupy bandwidth and valid protocol
packets cannot be processed. To prevent attack packets, you can disable the device
where the attacked interface is located. However, neither the attacked interface
nor the other interfaces on the device can send packets to the CPU, affecting
communication of the device.
You can configure the device to send different types of protocol packets to the
CPU from different interfaces.
NOTE
The priorities of Network-to-Network Interface (NNI), Enhanced Network Interface (ENI), and
User-to-Network Interface (UNI) are in descending order. If the priority of an interface is higher
or equivalent to the interface priority supported by the protocol packets, the protocol packets
can be sent through this interface. For example, if the type of an interface is ENI and a protocol
packet can take effect on an ENI or UNI interface, the protocol packet can be sent to the CPU
through this ENI interface. However, if the protocol packet can only take effect on an NNI
interface, the protocol packet is discarded by this interface. If the device receives attack packets,
run the blacklist command to configure a blacklist so that the device can discard the attack
packets.
Only the S5720EI, S6720S-EI, and S6720EI support this function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port type { uni | eni | nni }
The interface type is specified. The interface type can be NNI, UNI, or ENI.
The interface type is specified for the packets of a protocol. The interface type can
be NNI, UNI, or ENI.
To view the default types of interfaces sending protocol packets to the CPU, run
the display cpu-defend configuration command.
----End
Context
Packets sent to the CPU pass through the switching chip before they reach the
CPU, as shown in Figure 3-3. Therefore, an attack defense policy is usually applied
to the switching chip of a switch by specifying the global keyword.
CPU
Switching Switching
chip chip
Path of packets
sent to CPU
In a stack system shown in Figure 3-4, applying an attack defense policy to the
CPU of the master switch by not specifying the global keyword. If you only limit
packet rates on switching chips of member switches, the CPU of the master switch
may still be overloaded by a large number of protocol packets, because most
protocol packets need to be sent to the CPU of the master switch after being
processed by the CPU of the standby switch or a slave switch. Applying an attack
defense policy to the CPU of the master switch can limit the rates of protocol
packets sent to this CPU, protecting the CPU from attacks.
CPU
CPU
Standby
Master switch
switch
CPU CPU
Slave Slave
switch switch
Stack cable
Path of packets sent to CPU
Procedure
● Apply a attack defense policy to the CPU.
a. Run the system-view command to enter the system view.
b. Run the cpu-defend-policy policy-name1 command to apply an attack
defense policy.
NOTE
In a stack system, some protocol packets are not sent to the CPU of the master switch. If
you apply an attack defense policy against such protocol packets to the CPU, the system
displays an error message, indicating that the policy cannot be applied.
Only the attack defense policies that limit the rates of packets sent to the CPU can be
applied to the CPU. Other types of attack defense policies are not applicable to the CPU, so
configuring such policies cannot protect the CPU.
● Apply an attack defense policy to the switching chip.
a. Run the system-view command to enter the system view.
b. Run the cpu-defend-policy policy-name2 global command to apply an
attack defense policy.
----End
Procedure
● Run the display cpu-defend policy [ policy-name ] command to check the
attack defense policy.
● Run the display cpu-defend statistics [ packet-type packet-type ] [ all | slot
slot-id ] command to check statistics on packets sent to the CPU.
NOTE
Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.
NOTE
Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.
● Run the display cpu-defend configuration [ packet-type packet-type ] [ all |
slot slot-id ] command or display cpu-defend configuration [ packet-type
packet-type ] { all | slot slot-id | mcu } command to check the CAR
configuration for protocol packets sent to the CPU.
● Run the display cpu-defend dynamic-car history-record command to check
history records on dynamic adjustment of the default CIR value of protocol
packets.
NOTE
Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720S-EI, and S6720EI support this command.
----End
Pre-configuration Tasks
Before configuring attack source tracing, connect interfaces and set physical
parameters for the interfaces to ensure that the physical status of the interfaces is
Up.
Configuration Procedure
To configure attack source tracing, you must create an attack defense policy. All
other configuration tasks are optional and are not listed in sequence. An attack
defense policy takes effect only after it is applied to an object. There is no
limitation on when the attack defense policy is applied.
Context
Before configuring the local attack defense function, you must create an attack
defense policy.
Procedure
Step 1 Run system-view
An attack defense policy is created and the attack defense policy view is displayed.
----End
Context
Attackers may send a large number of packets to attack network devices' CPUs.
You can configure attack source tracing and set an alarm threshold for attack
source tracing so that the device can analyze packets sent to the CPU. If the
number of protocol packets sent from an attack source in a specified period
exceeds the alarm threshold, the device sends logs or alarms to notify the
administrator so that the administrator can take measures to prevent attacks.
Procedure
Step 1 Run system-view
----End
Context
Attack source tracing identifies attacks by sampling received packets. A proper
packet sampling ratio can reduce the errors in attack packet identification and
packet rate calculation. A small sampling ratio makes the attack source tracing
result accurate, but increases CPU usage.
For example, when the sampling ratio is set to 1, the attack source tracing result is
accurate, but the CPU usage is high because every packet is analyzed. Therefore,
balance between the attack defense precision and CPU usage when setting a
sampling ratio.
Procedure
Step 1 Run system-view
----End
Context
After attack source tracing is enabled, you need to set a mode in which the device
traces attack sources. The device supports the following attack source tracing
modes:
● Source IP address-based tracing: prevents Layer 3 attack packets.
● Source MAC address-based tracing: prevents Layer 2 attack packets with a
fixed source MAC address.
● Tracing based on a combination of source port and VLAN: prevents Layer 2
attack packets with different source MAC addresses.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-defend enable
Attack source tracing is enabled.
By default, attack source tracing is enabled.
NOTE
When the attack source tracing mode is source-ip and action is error-down, if multiple
interfaces receive the attack packets with the same source IP address and the packet rate
exceeds the threshold, the switch shuts down only one interface, and then checks packet
rate again. If the packet rate is still higher than the threshold, the switch shuts down
another interface. The switch repeats the operations until the packet rate falls below the
threshold.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-defend enable
Attack source tracing is enabled.
By default, attack source tracing is enabled.
Step 4 Run auto-defend protocol { all | { 8021x | arp | dhcp | icmp | igmp | tcp | telnet |
ttl-expired | udp }* }
----End
NOTE
● Before referencing an ACL in a whitelist, create the ACL and configure rules.
● To specify a protocol type in the ACL referenced by the whitelist, ensure that this protocol
supports the attack source tracing function. You can run the display auto-defend
configuration command to view the protocols supported by attack source tracing. If a
protocol is not supported by attack source tracing, you can run the auto-defend protocol
command to configure attack source tracing to support the protocol.
● The whitelist may fail to be applied because ACL resources are insufficient.
● All the packets matching an ACL referenced by a whitelist are considered to be valid packets
regardless of whether the ACL rule is permit or deny.
If an ACL has no rule, the whitelist that references the ACL does not take effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-defend enable
Attack source tracing is enabled.
By default, attack source tracing is enabled.
Step 4 Run auto-defend whitelist whitelist-number { acl acl-number | interface
interface-type interface-number }
A whitelist is configured.
By default, no whitelist is configured for attack source tracing. If any of the
following conditions is met, however, the device uses the condition as the whitelist
matching rule, regardless of whether attack source tracing is enabled. After attack
source tracing is enabled, the device does not perform attack source tracing for
the packets matching such rules.
● If an application uses the TCP protocol and has set up a TCP connection with
the switch, the switch will not consider TCP packets with the matching source
IP address as attack packets. If no TCP packets match a source IP address
within 1 hour, the rule that specifies this source IP address will be aged out.
----End
Context
This function sends an event report to the administrator when the rate of packets
of a specified protocol sent by an attack source exceeds the configured threshold,
so that the administrator can take measures in time to protect the device.
Procedure
Step 1 Run system-view
Step 4 Configure the event reporting function for attack source tracing.
1. Run auto-defend alarm enable
By default, the event reporting function for attack source tracing is disabled.
2. Run auto-defend threshold threshold
By default, the event reporting threshold for attack source tracing is 60 pps.
----End
Context
A device with the punish actions configured identifies the attack source and
performs punish actions on the attack source to protect the device. The punish
actions include:
● Discard the packets from the attack source.
● Change the status of the interface receiving attack packets to shutdown.
NOTICE
Procedure
Step 1 Run system-view
NOTE
The device does not trace the source of users in the whitelist.
----End
Context
After an attack defense policy is created, you must apply the policy in the system
view. Otherwise, the attack defense policy does not take effect.
Procedure
● Apply an attack defense policy.
a. Run the system-view command to enter the system view.
b. Run the cpu-defend-policy policy-name global command to apply an
attack defense policy.
----End
Procedure
● Run the display auto-defend attack-source [ history [ begin begin-date
begin-time ] [ slot slot-id ] | [ slot slot-id ] [ detail ] ] command to check
attack sources.
● Run the display auto-defend configuration [ cpu-defend policy policy-
name ] command to check the configuration of attack source tracing in an
attack defense policy.
● Run the display cpu-defend policy [ policy-name ] command to check the
attack defense policy.
● Run the display auto-defend whitelist [ slot slot-id ] command to check
information about the attack source tracing whitelist.
----End
NOTE
Only the S1720GFR, S2750, S5700LI, and S5700S-LI do not support this function.
Pre-configuration Tasks
Before configuring port attack defense, complete the following tasks:
● Connect interfaces and set physical parameters for the interfaces to ensure
that the physical status of the interfaces is Up.
● Configure ACL if the whitelist needs to reference an ACL.
Configuration Procedure
Before configuring the functions related to port attack defense, create an attack
defense policy and enable the port attack defense function. The other tasks are
performed in any sequence and can be selected as required. An attack defense
policy takes effect only after it is applied to an object. There is no limitation on
when the attack defense policy is applied.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
An attack defense policy is created and the attack defense policy view is displayed.
The device supports a maximum of 13 attack defense policies, including the
default attack defense policy. By default, the default attack defense policy is
applied to the device and cannot be deleted or modified. The other 12 policies can
be created, modified or deleted.
Step 3 (Optional) Run description text
The description of the attack defense policy is configured.
By default, an attack defense policy does not have a description.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-port-defend enable
Port attack defense is enabled.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-port-defend protocol { all | { arp-request | arp-reply | dhcp | icmp |
igmp | ip-fragment } * }
The protocols to which port attack defense is applied are specified.
By default, port attack defense is applicable to ARP Request, ARP Reply, DHCP,
ICMP, IGMP, and IP fragment packets.
----End
Procedure
Step 1 Run system-view
The following table lists the default protocol rate thresholds for different
protocols.
ip-fragment 30 pps
----End
Context
A device with port attack defense enabled identifies attacks by analyzing sampled
packets. A proper packet sampling ratio can reduce the errors in attack packet
identification and packet rate calculation.
A small sampling ratio improves attack defense accuracy, but consumes more CPU
resources. For example, when the sampling ratio is set to 1, the device analyzes
every packet. The attack packets can be detected quickly, but CPU usage becomes
high and services are affected. Therefore, balance between the attack defense
precision and CPU usage when setting a sampling ratio.
Procedure
Step 1 Run system-view
The protocol packet sampling ratio for port attack defense is set.
By default, the protocol packet sampling ratio for port attack defense is 5. That is,
one packet is sampled when every 5 packets are received.
----End
Context
After a device with port attack defense function enabled detects an attack on a
port, the device traces the source and limits the rate of the attack packets on the
port within the aging time (T seconds). When the aging time expires, the device
calculates the protocol packet rate on the port again. If the rate is still above the
protocol rate threshold, the device keeps tracing the source and limits the rate of
the attack packets; otherwise, the device stops tracing the source.
If the aging time is too short, the device frequently starts packet rate detection on
ports, which consumes CPU resources. If the aging time is too long, protocol
packets cannot be promptly processed by the CPU, which affects services.
Therefore, balance between the service operation status and CPU usage when
setting an aging time.
Procedure
Step 1 Run system-view
By default, the aging time for port attack defense is 300 seconds.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-port-defend whitelist whitelist-number { acl acl-number | interface
interface-type interface-number }
The whitelist is configured.
A maximum of 16 whitelists can be configured on the device.
The ACL referenced by a whitelist can be a basic ACL, an advanced ACL, or a Layer
2 ACL. For details about ACL configuration, see 2 ACL Configuration.
By default, no whitelist is configured for port attack defense. After a port is
configured as a DHCP trusted port using the dhcp snooping trusted command,
the device automatically delivers whitelist matching rules regardless of whether
the port attack defense function is enabled. A maximum of 16 rules based on
source IP addresses and interfaces can be delivered. The device will not perform
port attack defense actions on the DHCP packets received on interfaces.
NOTE
All the packets matching an ACL referenced by a whitelist are considered to be valid packets
regardless of whether the ACL rule is permit or deny.
If an ACL has no rule, the whitelist that references the ACL does not take effect.
----End
packets on a port exceeds the check threshold, the switch reports an event to
notify the network administrator, so that the administrator can promptly take
measures to protect the switch.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend policy policy-name
The attack defense policy view is displayed.
Step 3 Run auto-port-defend enable
Port attack defense is enabled.
By default, the port attack defense function is enabled.
Step 4 Configure the report of port attack defense events.
1. Run auto-port-defend alarm enable
The report of port attack defense events is enabled.
By default, port attack defense events are not reported.
2. Run auto-port-defend protocol { all | arp-request | arp-reply | dhcp | icmp |
igmp | ip-fragment } threshold threshold
The rate threshold for port attack defense is set.
The following table lists the default rate thresholds for different protocols in
port attack defense.
ip-fragment 30 pps
----End
Context
After an attack defense policy is created, you must apply the policy in the system
view. Otherwise, the attack defense policy does not take effect.
Procedure
● Apply an attack defense policy.
a. Run the system-view command to enter the system view.
b. Run the cpu-defend-policy policy-name global command to apply an
attack defense policy.
----End
Procedure
● Run the display auto-port-defend attack-source [ slot slot-id ] command to
view source tracing information on interfaces.
● Run the display auto-port-defend configuration command to view port
attack defense configuration on interfaces.
● Run the display auto-port-defend whitelist [ slot slot-id ] command to view
the port attack defense whitelist.
● Run the display auto-port-defend statistics [ slot slot-id ] command to view
packet statistics on port attack defense.
----End
Pre-configuration Tasks
Before configuring the user-level rate limiting, connect interfaces and set physical
parameters for the interfaces to ensure that the physical status of the interfaces is
Up.
Configuration Procedure
Before configuring the user-level rate limiting options, enable the user-level rate
limiting function first (enabled by default). The other tasks are performed in any
sequence and can be selected as required. By default, the user-level rate limiting is
enabled on interfaces. You can disable it on the interfaces where this function is
not required.
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend host-car enable
The user-level rate limiting is enabled.
By default, the user-level rate limiting is enabled.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run cpu-defend host-car enable
The user-level rate limiting is enabled.
Step 3 Run cpu-defend host-car [ mac-address mac-address | car-id car-id ] pps pps-
value
----End
Context
By default, the switch limits the rates of the ARP, ND, DHCP Request, DHCPv6
Request, and 8021x packets received from user MAC addresses, and discards
excessive packets when the packet rates exceed the rate limit. If you need to limit
the rate of only IGMP and HTTPS-SYN packets or packets of the specified types,
specify the packet type.
Procedure
Step 1 Run system-view
The packet types to which the user-level rate limiting applies is specified.
By default, the user-level rate limiting can apply to ARP Request, ARP Reply, ND,
DHCP Request, DHCPv6 Request, and 8021x packets, but does not apply to IGMP
and HTTPS-SYN packets.
----End
Context
By default, the switch performs user-level rate limiting on the users connecting to
all interfaces. If you are sure that the users connecting to an interface are secure,
you can disable user-level rate limiting on this interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run host-car disable
User-level rate limiting is disabled on the interface.
By default, the user-level rate limiting is enabled on all interfaces.
----End
Context
Before collecting updated statistics on attack sources, run the following command
in the system view to clear the existing statistics.
NOTICE
The cleared attack source information cannot be restored. Exercise caution when
you use the command.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the reset auto-defend attack-source [ history ] [ slot slot-id ] command to
clear information about the attack sources.
Step 3 Run the reset auto-defend attack-source trace-type { source-mac [ mac-
address ] | source-ip [ ip-address ] | source-portvlan [ interface interface-type
----End
Context
Before collecting updated statistics on packets sent to the CPU, run the following
command in the user view to clear the existing statistics.
NOTE
Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you use the
command.
Procedure
Step 1 Run the reset cpu-defend statistics [ packet-type packet-type ] { all | slot slot-
id } command to clear statistics about packets sent to the CPU.
----End
Context
If you want to view the history records on dynamic adjustment of default CIR
values of protocol packets in a specified period, run the following command in the
user view to clear the previous records.
NOTE
Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720S-EI, and S6720EI support this command.
NOTICE
The history records cannot be restored after they are cleared. Exercise caution
when you run this command.
Procedure
Step 1 Run the reset cpu-defend dynamic-car history-record command to clear history
records on dynamic adjustment of default CIR values of protocol packets.
----End
Context
Before collecting port attack defense statistics, run the following command in any
view to clear the existing statistics.
NOTE
Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.
NOTICE
Packet statistics cannot be restored after they are deleted. Exercise caution when
you use the command.
Procedure
Step 1 Run the reset auto-port-defend statistics [ all | slot slot-id ] command to delete
packet statistics about port attack defense.
----End
Context
Before collecting packet statistics in user-level rate limiting, run the following
command in the user view to clear the existing statistics.
NOTE
NOTICE
Packet statistics cannot be restored after they are deleted. Exercise caution when
you use the command.
Procedure
Step 1 Run the reset cpu-defend host-car [ mac-address mac-address ] statistics [ slot
slot-id ] command to clear packet statistics in user-level rate limiting.
----End
Networking Requirements
As shown in Figure 3-5, users on different network segments access the Internet
through the Switch. Because a large number of users connect to the Switch, the
Switch's CPU will receive a lot of protocol packets. If attackers send a lot of
malicious attack packets to the Switch, CPU usage will increase to affect services.
The network administrator has the following requirements:
● The network administrator wants to monitor CPU status. When the CPU is
attacked, the Switch can promptly notify the administrator and take measures
to protect the CPU.
● When the Switch receives a lot of ARP Request packets, the CPU usage of the
Switch greatly increases. The administrator wants to reduce CPU usage to
avoid impacting services.
● Users on Net1 often initiate attacks, so the administrator wants to reject
access by Net1 users.Net2 users are fixed authorized users.
● The administrator wants to upload files to the Switch through FTP, so data
transmission between the administrator's computer and the Switch must be
reliable and stable.
Net1: 10.1.1.0/24
GE0/0/1
Internet
Net3: 10.3.3.0/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure attack source tracing, alarms, and punish function so that the
device can send an alarm to the administrator when detecting an attack
source and automatically take punish actions.
2. Add Net2 users to the whitelist to exclude them from attack source tracing
analysis and punishment.
3. Set the protocol rate threshold so that the Switch can limit the rate of
protocol packets based on ports and record a log. (Port attack defense is
enabled by default, so it does not need to be enabled again.)
4. Set the CPCAR for ARP Request packets to limit the rate of ARP Request
packets sent to the CPU. This reduces the impact of ARP Request packets on
the CPU.
5. Add Net1 users to the blacklist to reject their access.
6. Set the rate limit for the FTP packets sent to the CPU to ensure reliability and
stability of data transmission between the administrator's computer and the
Switch. (ALP is enabled for FTP by default, so it does not need to be enabled
again.)
Procedure
Step 1 Configure the rule for filtering packets sent to the CPU.
# Define ACL rules.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Switch-acl-basic-2001] quit
[Switch] acl number 2002
[Switch-acl-basic-2002] rule permit source 10.2.2.0 0.0.0.255
[Switch-acl-basic-2002] quit
NOTE
Add the IP addresses of valid servers, interconnected interfaces, and IP address of network
management device to the whitelist.
[Switch-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2002
Before configuring the punish action, ensure that the device is undergoing an attack; otherwise,
the punish action may discard a lot of valid protocol packets.
# Set the rate threshold to 40 pps. (Port attack defense is enabled by default, so it
does not need to be enabled again.)
[Switch-cpu-defend-policy-policy1] auto-port-defend protocol arp-request threshold 40
# Add the network-side interface GE0/0/1 to the whitelist so that the CPU can
promptly process the packets from the network-side interface.
[Switch-cpu-defend-policy-policy1] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
# Set the CIR of FTP packets sent to the CPU to 5000 kbit/s.
[Switch-cpu-defend-policy-policy1] linkup-car packet-type ftp cir 5000
[Switch-cpu-defend-policy-policy1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.0 0.0.0.255
acl number 2002
rule 5 permit source 10.2.2.0 0.0.0.255
#
cpu-defend policy policy1
blacklist 1 acl 2001
car packet-type arp-request cir 120 cbs 22560
linkup-car packet-type ftp cir 5000 cbs 940000
auto-defend alarm enable
auto-defend action deny
auto-defend whitelist 1 acl 2002
auto-port-defend protocol arp-request threshold 40
auto-port-defend whitelist 1 interface GigabitEthernet0/0/1
#
cpu-defend-policy policy1 global
#
return
Related Content
Videos
Configure Attack Source Tracing
Networking Requirements
As shown in Figure 3-6, users on different network segments access the Internet
through SwitchA. Because there are a large number of access users, SwitchA often
processes a large number of ARP packets, leading to a high CPU usage and hence
affecting services. The administrator requires that the device analyze the ARP
packets sent to the CPU, identify the packets whose rate exceeds the threshold as
attack packets, find out the attack source user or source interface, and send logs
and alarms to notify the administrator so that the administrator can take security
measures to protect the CPU. Users on Net2 are fixed authorized users, so the
administrator needs to ensure that ARP packets of these users can be sent to the
CPU.
Net1: 10.1.1.0/24
GE0/0/1
Internet
Net3: 10.3.3.0/24
Configuration Roadmap
1. Configure the attack source tracing function, threshold, and type of the
packets to be defended against, and enable the device to trace and analyze
the ARP packets whose rate exceeds the threshold.
2. Configure the attack source tracing mode based on the source IP address and
source MAC address.
3. Configure the attack source tracing alarm function so that the device can
send an alarm to the administrator when detecting an attack source.
Configure the attack source tracing punishment function and specify the
punishment action to discard attack packets.
4. Add users on Net2 to the whitelist to exclude them from attack source tracing
analysis and punishment.
Procedure
Step 1 Configure an attack defense policy.
# Create an attack defense policy.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] cpu-defend policy policy1
NOTE
Before configuring the punishment action, ensure that the device is under attack; otherwise, the
device may discard a lot of valid protocol packets according to the configured punishment
action.
[SwitchA-cpu-defend-policy-policy1] auto-defend action deny timer 300
[SwitchA-cpu-defend-policy-policy1] quit
NOTE
You are advised to add the IP addresses of valid servers, interconnected interfaces, and IP
address of the network management device to the whitelist.
[SwitchA] acl number 2001
[SwitchA-acl-basic-2001] rule permit source 10.2.2.0 0.0.0.255
[SwitchA-acl-basic-2001] quit
[SwitchA] cpu-defend policy policy1
[SwitchA-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2001
[SwitchA-cpu-defend-policy-policy1] quit
------------------------------------------------------------
GigabitEthernet0/0/1 10 605
------------------------------------------------------------
Total: 1
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
acl number 2001
rule 5 permit source 10.2.2.0 0.0.0.255
#
cpu-defend policy policy1
auto-defend alarm enable
auto-defend protocol arp
auto-defend action deny
auto-defend whitelist 1 acl 2001
#
cpu-defend-policy policy1 global
#
return
Related Content
Videos
Fault Description
Attack source tracing does not take effect after attack source tracing is configured.
Common Causes
Possible causes are as follows:
● The attack defense policy is not applied to any object.
● The checking threshold for attack source tracing is large.
Procedure
Step 1 Determine whether the attack defense policy configured with attack source tracing
is applied.
1. Run the display this command in the system view to check whether the cpu-
defend-policy command has been configured.
----End
Fault Description
Protocol packets are not sent to the CPU after CPU attack defense is configured.
Common Causes
Possible causes are as follows:
● A blacklist has been configured or a rule is configured to discard the specified
protocol packets.
● The CPU is attacked by invalid packets.
Procedure
Step 1 Check whether a rule has been configured to discard protocol packets on the
device.
1. Run the display this command in the system view to check the configured
attack defense policy.
2. Run the display cpu-defend policy [ policy-name ] command to check
whether a blacklist, or rule is configured in an attack defense policy to discard
protocol packets.
– If a blacklist is configured, run the display acl command to check
whether protocol packets match the rules in the blacklist. If protocol
packets match the rules, adjust the rules as required. Otherwise, go to the
next step.
– If the action taken on the protocol packets sent to the CPU is deny, run
the car command in the attack defense policy view to set the rate limit.
– If no blacklist is configured, and the action taken on the protocol packets
sent to the CPU is not deny, go to step 2.
Step 2 Check statistics for packets sent to the CPU.
Run the display cpu-defend statistics [ packet-type packet-type ] [ all | slot
slot-id ] command to check statistics on packets sent to the CPU. If a large
number of protocol packets are being discarded, check whether these packets are
invalid attack packets using the attack source tracing function. If they are invalid
attack packets, use the configured blacklist or traffic policy to prevent these
packets from being sent to the CPU.
----End
Fault Description
The configured blacklist does not take effect.
Common Causes
Possible causes are as follows:
● Packets do not match the rules in the blacklist.
● ACL resources are insufficient.
Procedure
Step 1 Run the display cpu-defend policy policy-name command to check the attack
defense policy.
Step 2 Check the ACL of the blacklist in the displayed attack defense policy information,
and run the display acl acl-number command to check whether service packets
match the ACL rule.
Step 3 If service packets do not match the ACL rule, run the rule command in the ACL
view to modify the ACL rule. If service packets match the ACL rule, the blacklist
may fail to be applied because ACL resources are insufficient.
----End
In this case, adjust the CIR value for the ARP Reply packet. If the CPU is attacked,
obtain the packet header or enable the debugging to trace the attack source and
add the attack source to the blacklist.
NOTICE
Improper CPCAR settings will affect services on your network. If you need to
adjust CPCAR settings, you are advised to contact technical support personnel for
help.
After locating the attack source, run the cpu-defend policy command to
configure the blacklist to prevent the packets from this source entering the control
plane. Alternatively, you can configure the penalty action in auto-defend to
discard attack packets.
Additionally, the device can restrict the rate of ICMP packets from the source, or
use traffic policy to discard SSH and FTP attack packets.
S1720GFR
Packet Type Explanation
nd IPv6 ND packet
S1720X/S1720X-E
Packet Type Explanation
nd IPv6 ND packet
S2720EI
Packet Type Explanation
nd IPv6 ND packet
S2750EI
Packet Type Explanation
nd IPv6 ND packet
S5700LI/S5700S-LI
Packet Type Explanation
nd IPv6 ND packet
S5710-X-LI
Packet Type Explanation
nd IPv6 ND packet
S1720GW/S1720GWR/S1720GW-E/S1720GWR-E
Packet Type Explanation
nd IPv6 ND packet
S5720LI/S5720S-LI
Packet Type Explanation
nd IPv6 ND packet
S5720SI/S5720S-SI
Packet Type Explanation
nd IPv6 ND packet
S5720EI
Packet Type Explanation
nd IPv6 ND packet
S5720HI
Packet Type Explanation
nd IPv6 ND packet
S6720LI/S6720S-LI
Packet Type Explanation
nd IPv6 ND packet
S6720SI/S6720S-SI/S5730SI/S5730S-EI
Packet Type Explanation
nd IPv6 ND packet
S6720EI/S6720S-EI
Packet Type Explanation
nd IPv6 ND packet