Cpu-Defend Policy For Network v1.1

CPU-DEFEND POLICY ON NETWORK
HUAWEIs NE40E/80E/CX600 have built-in default cpu-defend policy to prevent

the potential threats aim at our equipment in real network, in order to meet
most scenarios and guarantee every protocol running normal, some rules of
policy is a little bit loose, So we need adjust the appropriate rules to meeting
the self-defend requirement when specified scenario or particular attacks
occur.
Gathering examples for other Metro-E, mobile network built by HUAWEI,
combine with the incidents happened on network, HUAWEIs R&D recommend
updating following parameters to ensure sufficient protection for CPU, when
facing that the routing loop and the general ARP / ICMP and other common
attacks.
1. Prevent ICMP attack:
In the common network, ICMP(ping) is used to detect node or link
reachability, but ICMP reply need generated by CPU(NP can only
forwarding packet not generate packet). In reality, this will incur ICMP
attack, our CPU can handle 4Ms ICMP packet during idle time, but in real
scenario, CPU need process many protocol at same time. If ICMP process
occupies CPU for too long time, it will lead to other critical processes can
not be scheduled.
HUAWEI highly suggest to lower this value depend on real network
requirement.
Recommend value: 100kbps ,(convert to 2000pps, based on min frame
size 64bytes)
2. Prevent TTL attack:
In the common network, TTL defines the max hops one packet can be
transmitted. When one router received one packet with TTL=1, it will
discard this packet and send ICMP notification to the source, indicating
package TTL expired. Unfortunately this ICMP TTL expire notification need
generated by CPU too. In reality, this will incur TTL expire attack. HUAWEI
highly suggest to lower this value depend on real network requirement.
Recommend value: 100kbps ,(convert to 200pps, based on min frame size
64bytes)
Except L3 routing loop and Traceroute, in normal scenario shouldnt have
lots of TTL expired packet. The default TTL=255, In modern network, one
packet only need pass less then 30 hops to reach destination.
3. Prevent ARP Miss(FIB_MISS):
ARP Miss is HUAWEI Routers internal implement. Normally, when
forwarding one IP/MPLS packet, router need to encapsulated L2 header, if
4.
5.
6.
7.
the ARP entry exists, this packet will encapsulated with mac then
forwarded directly; if this ARP not exist, equipment will generates one ARP
Miss notify ARP module to send ARP request.
ARP MISS attack just make use of this weakness, generate lots of packet
with DIP not exist, the Router have to generate lots of ARP Miss
notifications when failure in finding arp entry. Too much arp-miss cause
the high CPU usage.
requirement.
Recommend value: 500kbps ,(convert to 1000pps, based on min frame
size 64bytes)
Prevent SNMP attack
In the common network, SNMP is used to transfer manage information
between NM station and agent, SNMP protocol packets must be processed
by CPU of the LPU board. In reality, this will incur SNMP attack, our CPU
can handle 2Ms SNMP packet during idle time, but in real scenario, CPU
need process many protocol at same time. If SNMP process occupies CPU
for too long time, it will lead to other critical processes can not be
scheduled.
requirement.
Recommend value: 500kbps.
Prevent BGP/LDP/OSPF attack
In the common network, route protocol(such as BGP/LDP/OSPF) is used to
advice communicate route between routers, these protocol packets must
be processed by CPU of the LPU board. In reality, this will incur route
protocol attack, our CPU can handle these packets during idle time, but in
real scenario, CPU need process many protocol at same time. If some one
protocol process occupies CPU for too long time, it will lead to other critical
processes can not be scheduled.
HUAWEI highly suggest to protect these important route protocols depend
on real network requirement.
Recommend : Use advanced ACL to protect important routing
protocols,such as BGP/LDP/OSPF.
Prevent DHCP attack
In the common network, DHCP is used to obtain IP address dynamic by
hosts. But DHCP packets must be processed by CPU of the LPU board. In
reality, this will incur DHCP attack, our CPU can handle 2Ms DHCP packets
during idle time, but in real scenario, CPU need process many protocol at
same time. If DHCP process occupies CPU for too long time, it will lead to
other critical processes can not be scheduled.
Recommend value: 500kbps .(this value must be evaluated carefully
depend on real network requirement)
Prevent HWTACAS attack
In the common network, HWTACAS is used to transfer manage information

between HWTACAS station and routers. But HWTACAS packets must be
processed by CPU of the LPU board. In reality, this will incur HWTACAS
attack, our CPU can handle 1Ms HWTACAS packets during idle time, but in
real scenario, CPU need process many protocol at same time. If HWTACAS
process occupies CPU for too long time, it will lead to other critical
requirement.
Recommend value: 200kbps .
8. Prevent LSP PING attack
In the common network, LSP PING is used to detect LSP link
reachable,such as TE LSP/LDP LSP. But LSP PING packets must be
processed by CPU of the LPU board. In reality, this will incur LSP PING
attack, our CPU can handle 4Ms LSP PING packets during idle time, but in
real scenario, CPU need process many protocol at same time. If LSP PING
process occupies CPU for too long time, it will lead to other critical
requirement.
9. Prevent IGMP attack
In the common network, IGMP is used to manage multicast hosts. But IGMP
packets must be processed by CPU of the LPU board. In reality, this will
incur LSP PING attack, our CPU can handle 3Ms IGMP packets during idle
time, but in real scenario, CPU need process many protocol at same time.
If IGMP process occupies CPU for too long time, it will lead to other critical
requirement.
10. Prevent VRRP attack
In the common network,VRRP is used to choose route between multigateway. But VRRP packets must be processed by CPU of the LPU board. In
reality, this will incur VRRP attack, our CPU can handle 3Ms VRRP packets
during idle time, but in real scenario, CPU need process many protocol at
same time. If VRRP process occupies CPU for too long time, it will lead to
other critical processes can not be scheduled.
HUAWEI highly suggest to deploy admin-VRRP to reduce unnecessary VRRP
protocol packet, later HUAWEI will provide detailed info during network
evaluation, temporary pls lower this value to prevent attacks;
Recommend value: 1000kbps.
ITEM NEED TO BE UPDATED:
Index
ID
Item
Default
Value(kbps)
Recommended
Valuekbps
12
ICMP
4000
100
39
IPV4 TTL EXPIRED
2000
100
47
IPV6 TTL EXPIRED
2000
100
50
ARP_MISS(FIB_MISS)
2000
500
SNMP packet
2000
500
BGP packet
4000
200
LDP packet
4000
200
OSPF packet
4000
200
17
DHCP packet
2000
500
21
HWTACACS packet
1000
200
22
LSP Ping packet
4000
100
23
IGMP packet
3000
200
26
VRRP packet
3000
1000
HOW TO:
1. Use advanced ACL to protect BGP protocol
[NE40E-X8]display bgp peer
BGP local router ID : 121.121.121.121
Local AS number : 100
Total number of peers : 4
Peers in established state : 3
Peer
V
AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
116.116.116.116 4
100
266
300
0 03:47:46 Established
12
[NE40E-X8-acl-adv-3001display this
acl number 3001
rule 5 permit tcp source 116.116.116.116 0 destination-port eq bgp
rule 10 permit tcp source 116.116.116.116 0 source-port eq bgp
2. Use advanced ACL to protect LDP protocol
[NE40E-X8]display mpls ldp adjacency verbose
LDP Adjacency Information
-----------------------------------------------------------------------------LDP Peer ID : 116.116.116.116
VPNInstance name : CreateDate : 2001-03-17
CreateTime : 16:37:50
Adjacency Age : 0000:04:14
AdjacencyType : Local Adjacency
Discovery-Source : GigabitEthernet1/1/0
UDP Source Address : 121.116.1.2

UDP Socket ID : 7
Sequence No. : 0
Configuration Hello Hold Timer(sec) : 15
Hello Message Rcvd : 3078
Adjacency Deletion Status : No
-----------------------------------------------------------------------------TOTAL: 1 Adjacency(s) found.
[NE40E-X8]display mpls ldp peer verbose
LDP Peer Information in Public network
-----------------------------------------------------------------------------Peer LDP ID
: 116.116.116.116:0
Peer Max PDU Length : 4096
Peer Transport Address : 116.116.116.116
Peer Loop Detection : Off
Peer Path Vector Limit : ---Peer FT Flag
: Off
Peer Keepalive Timer : 45 Sec
Recovery Timer
: ---Reconnect Timer : ---Peer Type
: Local
Peer Label Advertisement Mode : Downstream Unsolicited
Peer Discovery Source
: GigabitEthernet1/1/0
Peer Deletion Status
: No
-----------------------------------------------------------------------------[NE40E-X8-acl-adv-3002]display this
acl number 3002
rule 5 permit udp source 121.116.1.2 0 destination-port eq 646
rule 10 permit tcp source 116.116.116.116 0 source-port eq 646
rule 15 permit tcp source 116.116.116.116 0 destination-port eq 646
3. Use advanced ACL to protect OSPF protocol
[NE40E-X8]display ospf peer
OSPF Process 1 with Router ID 121.121.121.121
Neighbors
Area 0.0.0.0 interface 121.116.1.1(GigabitEthernet1/1/0)'s neighbors
Router ID: 116.116.116.116 Address: 121.116.1.2
State: Full Mode:Nbr is Slave Priority: 1
DR: 121.116.1.1 BDR: 121.116.1.2 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00:00:31
Authentication Sequence: [ 0 ]
[NE40E-X8-acl-adv-3003]display this
acl number 3003

rule 5 permit ospf source 121.116.1.2 0
4. Modify one CPU-Defend policy as following:
cpu-defend policy 1
user-defined-flow 1 acl 3001
application-apperceive disable
process-sequence whitelist user-defined-flow blacklist
car icmp cir 100
car index 39 cir 100
car snmp cir 500
car bgp cir 200
car ldp cir 200
car ospf cir 200
car dhcp cir 500
car hwtacacs cir 200
car lspping cir 100
car igmp cir 200
car vrrp cir 1000
5. Apply policy to every LPU card need to be protected:

slot X
cpu-defend-policy 1
6. Check the policy statistics to verify the attack when network attack occur:
[NSP_LMT_161] display cpu-defend all statistics slot 6
Slot/Intf
Attack-Type
Total-Packets
Passed-Packets
Packets-------------------------------------------------------------------------------6
Application-Apperceive
156815352
98922813
-------------------------------------------------------------------------------FTP SERVER
SSH SERVER
SNMP
TELNET SERVER
TFTP
0
0
0
0
0
0
BGP
LDP
RSVP
57892539
Dropped-
OSPF
0
0
RIP
11
11
ISIS
ICMP
206
MSDP
PIM
206
0
2112
LACP
28931
NTP
97678306
0
0
LSPPING
1210527
RRPP
VRRP
2761
1210527
0
2216
0
0
FTP CLIENT
545
0
802.1AG
MPLSOAM
57891981
28931
0
HWTACACS
BFD
2112
155570287
RADIUS
DHCP
IGMP
TELNET CLIENT
515
502
13
SSH CLIENT
DNS CLIENT
-------------------------------------------------------------------------------6
MA-Defend
-------------------------------------------------------------------------------FTP
SSH
SNMP
TELNET
TFTP
BGP
LDP
RSVP
OSPF
RIP
-------------------------------------------------------------------------------6
URPF
-------------------------------------------------------------------------------6
Tcpip-defend
-------------------------------------------------------------------------------Abnormal-packet
Fragment-packet
Tcpsyn-packet
Udp-packet
--------------------------------------------------------------------------------

Cpu-Defend Policy For Network v1.1

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Cpu-Defend Policy For Network v1.1

Transféré par

Droits d'auteur :

Formats disponibles

CPU-DEFEND POLICY ON NETWORK

HUAWEIs NE40E/80E/CX600 have built-in default cpu-defend policy to prevent

In the common network, HWTACAS is used to transfer manage information

IPV4 TTL EXPIRED

IPV6 TTL EXPIRED

LSP Ping packet

UDP Source Address : 121.116.1.2

acl number 3003

5. Apply policy to every LPU card need to be protected:

Vous aimerez peut-être aussi