CPU Defend

Created Sep 28, 2018 23:42:18 | Latest reply Sep 29, 2018 02:20:41

Function

The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.

The undo cpu-defend policy command deletes an attack defense policy.

By default, the default attack defense policy exists on the device and is applied to the device. The default attack defense policy cannot be deleted or modified.

Usage Scenario

A large number of packets including attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, its usage becomes high and its performance deteriorates. The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.

Precautions

The device supports a maximum of 13 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to the device. The default attack defense policy cannot be deleted or modified. The other 12 policies can be created, modified, and deleted.

# Create an attack defense policy named test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test]

cpu-defend trap drop-packet

Usage Scenario

To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped, which may affect the corresponding service. To quickly detect packet loss caused by exceeding the CPCAR, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks at 10-minute intervals for packet loss caused by CPCAR. If the switch finds that the number of dropped packets of a protocol increases, the switch reports a packet loss alarm.

Example

# Enable alarm reporting for packet loss caused by packets exceeding the CPCAR.

<HUAWEI> system-view
[HUAWEI] cpu-defend trap drop-packet

Checking Whether Network Attacks Exist

Run the display cpu-defend statistics command to check statistics about packets sent to the CPU.

Use the statistics to determine whether many protocol packets have been discarded because the CPU is too busy to process them. Then run the reset cpu-defend statistics command to clear the counters. After several seconds, run the display cpu-defend statistics command again and compare the new counters with the earlier reading.

If the counters for one protocol are unusually large, check whether the network design explains that volume. If it does not, the switch is under a protocol packet attack.

<HUAWEI> reset cpu-defend statistics
<HUAWEI> display cpu-defend statistics all
Statistics on slot 2:
---------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
---------------------------------------------------------------------------
arp-miss            0            0             0               0
arp-request         40800        35768         600             52600
bgp                 0            0             0               0
......
---------------------------------------------------------------------------

If the live network cannot legitimately generate that many ARP Request packets, the switch is under an ARP attack.

If CPU usage on the switch is high, do not raise the CPCAR value; locate the attack source instead.
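As an added example (not Huawei's code and not part of this post), the following Python script automates the check described above: it parses two readings of display cpu-defend statistics all, one taken right after reset cpu-defend statistics and one a few seconds later, and flags packet types whose Drop(Packets) counter is climbing. The two table samples are constructed to mirror the output format shown above; the threshold is an assumption to tune per network.

```python
import re
# Constructed sample: first reading, taken right after 'reset cpu-defend statistics'.
SAMPLE_BEFORE = """\
Statistics on slot 2:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
---------------------------------------------------------------------------
arp-miss            0            0             0               0
arp-request         0            0             0               0
bgp                 0            0             0               0
"""

# Constructed sample: second reading a few seconds later (counter values are made up).
SAMPLE_AFTER = """\
Statistics on slot 2:
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
---------------------------------------------------------------------------
arp-miss            0            0             0               0
arp-request         40800        35768         600             52600
bgp                 1200         0             10              0
"""

# One counter row: packet type followed by the four integer columns.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Return {slot: {packet_type: (pass_bytes, drop_bytes, pass_pkts, drop_pkts)}}."""
    stats, slot = {}, None
    for line in text.splitlines():
        m = re.match(r"^Statistics on slot (\d+):", line)
        if m:
            slot = int(m.group(1))
            continue
        m = ROW.match(line)
        if m and slot is not None:  # header, dash rules and '......' never match ROW
            stats.setdefault(slot, {})[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return stats

def rising_drops(before, after, min_new_drops=1000):
    """Packet types whose Drop(Packets) grew by at least min_new_drops between samples."""
    prev_all, hits = parse_stats(before), []
    for slot, rows in parse_stats(after).items():
        prev = prev_all.get(slot, {})
        for ptype, (_, _, pass_pkts, drop_pkts) in rows.items():
            delta = drop_pkts - prev.get(ptype, (0, 0, 0, 0))[3]
            if delta >= min_new_drops:  # assumed threshold; tune per network
                hits.append((slot, ptype, delta, pass_pkts))
    return hits
if __name__ == "__main__":
    for slot, ptype, delta, passed in rising_drops(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"slot {slot}: {ptype} dropped {delta} packets (passed {passed}) -> check for an attack")
```

A rising drop counter for a protocol the network should rarely carry (ARP Request here) is the signal to trace the source rather than to raise the CPCAR.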

RubenMonroy (Moderator), Sep 29, 2018 00:57:38

Thanks for sharing; the post is very clear and useful.
faysalji (Novice), Sep 29, 2018 02:20:41

Good share mate