Control Plane Security

Created: Mar 31, 2017 15:20:43 | Latest reply: Mar 31, 2017 15:25:54


As mentioned in Security Holistic View, the CPU is the most important component in control plane security. High CPU usage may make the device unmanageable, cause service abnormalities, disconnect users, or slow down network access. This chapter describes how to protect the CPU.

1.1 How to Ensure Normal Running of the CPU

Limiting the number of packets sent to the CPU is a major method to ensure normal CPU running. The switch provides the following methods to limit the number of packets sent to the CPU.

1.1.1 Setting an Appropriate Rate Limit

- Set an appropriate CPCAR value for the packets sent to the CPU.

Control Plane Committed Access Rate (CPCAR) limits the rate of packets sent to the CPU.

Figure 1-1 CPCAR rate limiting


Figure 1-1 shows CPCAR rate limiting at three levels: protocol, queue, and all packets. Table 1-1 describes the mechanism.

Table 1-1 CPCAR rate limiting mechanism

Level: Protocol
Mechanism: Set a rate limit for each type of protocol packet sent to the CPU. The switch has default rate limits, which are configurable.

Level: Queue
Mechanism: Classify protocol packets and add certain protocols to a specified queue. For example, management protocols such as Telnet and SSH are added to one queue and routing protocols are added to another queue. Scheduling and rate limiting are then performed for each queue. To view the queues and the protocols in each queue, run the display cpu-defend configuration slot command. The switch has default rate limits, which are not configurable.

Level: All packets
Mechanism: Set a limit for all packets sent to the CPU. The switch has default rate limits, which are not configurable.

By default, the switch has defined the CPCAR values for the protocol packets sent to the CPU. To view the default CPCAR values, run the display cpu-defend configuration all command. The CPCAR values can be adjusted according to network requirements. Note: Improper CPCAR values will affect network services. To adjust CPCAR values, you are advised to contact the technical support personnel.

Protocol-based CPCAR rate limiting has two properties:

- Threshold: the maximum rates (CIR and CBS) of protocol packets sent to the CPU.

CIR is the average rate at which packets can be sent to the CPU over a period. CBS is the maximum burst of packets, in bytes, that can be sent to the CPU at one time; it is the burst traffic allowed by the CPU.

- Punishment measure: the action (drop) taken when the rate of packets sent to the CPU exceeds the threshold.

For example, to mitigate ARP attacks, set the CIR of ARP request packets to 64 kbit/s, the CBS to 33000 bytes, and the punishment measure to drop:

[Switch-cpu-defend-policy-test] car packet-type arp-request cir 64 cbs 33000

The threshold consists of CIR 64 kbit/s and CBS 33000 bytes. When the rate of ARP request packets sent to the CPU exceeds the threshold, the excess packets are dropped.

- Configure an ACL and set the CPCAR value for user-defined flows.

The switch can use an ACL to limit the rate of user-defined flows. Note:

- If permit is set in the ACL rule, the rate of packets matching the rule is limited, and packets exceeding the threshold are dropped.

- If deny is set in the ACL rule, all packets matching the ACL are dropped.

The configuration is as follows:

1. Configure the user-defined flow.

[Switch] acl number 2001

[Switch-acl-basic-2001] rule permit source 192.168.32.1 0   //Allow the packets from source IP address 192.168.32.1.

[Switch-acl-basic-2001] quit

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] user-defined-flow 2 acl 2001   //Configure ACL 2001 to specify user-defined flow 2.

2. Set the threshold.

[Switch-cpu-defend-policy-test] car user-defined-flow 2 cir 64 cbs 33000   //Set the CIR and CBS for user-defined flow 2. Packets from source IP address 192.168.32.1 that exceed the threshold are dropped.

[Switch-cpu-defend-policy-test] quit

3. Apply the attack defense policy.

[Switch] cpu-defend-policy test global   //Apply the policy to all LPUs. Otherwise, the policy does not take effect.

Note: The protocol-based CPCAR, the ACL-based CPCAR for user-defined flows, and the configurations in the attack defense view take effect only after the attack defense policy is applied.

- Limit the number of packets sent to the CPU based on user MAC address.

If the network environment has security risks (many protocol packets are transmitted), the number of packets sent to the CPU can be limited based on user MAC addresses.

The configuration is as follows:

[Switch] cpu-defend host-car enable   //Enable user-level rate limiting globally. By default, user-level rate limiting is enabled.

[Switch] cpu-defend host-car mac-address 000a-000b-000c pps 20   //Set the threshold of packets sent from the user with MAC address 000a-000b-000c to the CPU to 20 pps. The threshold of each type of protocol packets is 20 pps.

[Switch] cpu-defend host-car all    //Apply the setting to all types of packets, including ARP request, ARP reply, ND, DHCP Request, DHCPv6 Request, and 802.1x packets. The packet types depend on the device model.

1.1.2 Configuring Attack Defense Policy

In addition to limiting the number of packets sent to the CPU, you can preconfigure an attack defense policy. When the number of packets of a protocol sent to the CPU exceeds that protocol's threshold, the switch records a log or executes the punishment action. The switch supports port-based attack defense.

Port attack defense: When too many protocol packets are sent to the CPU from a port within a period, the switch restricts the protocol packets sent to the CPU from that port and takes measures to prevent the attack.

The process of port attack defense is as follows:

Figure 1-2 Port attack defense process


1) Packet parsing

Parse the protocol packets sent to the CPU based on port. The switch can parse protocol packets such as ARP Request, ARP Reply, DHCP, ICMP, IGMP, and IP fragments; the packet types are configurable.

2) Traffic analysis

Sample the packets sent to the CPU. For example, if the sampling rate is 5, 1 packet out of 5 is parsed. If this packet is sent from a port and belongs to a protocol, all 5 packets are considered to belong to the same protocol and to be sent from the same port.

Caution: A measurement based on sampling may be inaccurate. A smaller sampling rate makes the measurement more accurate but occupies more CPU resources. Therefore, set an appropriate sampling rate. The default sampling rate on the switch is 5.

3) Attack identification

If the packets of a protocol sent from a port to the CPU exceed the threshold, an attack of this protocol is considered to occur on this port.

4) Rate limiting

Handle the attack packets: the packets within the threshold are placed into the low-priority queue and then sent to the CPU for processing. The packets exceeding the threshold are dropped.

After an attack is detected, an alarm is reported to the administrator if the alarm function is enabled.

5) Reduce impact on services

- Aging detection

When the switch detects an attack on an interface, it limits the rate of the packets for the aging time (assume the aging time is T seconds). When the aging time expires, the switch parses packets on the port again. If the packet rate still exceeds the threshold (an attack is still occurring), the switch continues to limit the rate. Otherwise, the switch stops limiting the rate.

- Whitelist for port attack defense

If packets of one type are important, you can configure an ACL and add them to a whitelist to prevent them from being mistakenly restricted.

Configure port attack defense as follows:

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] auto-port-defend enable   //Enabled by default.

[Switch-cpu-defend-policy-test] auto-port-defend protocol arp-reply   //If the command is run multiple times, the last configuration takes effect.

[Switch-cpu-defend-policy-test] auto-port-defend sample 4   //Set the sampling rate of protocol packets to 4.

[Switch-cpu-defend-policy-test] auto-port-defend alarm enable

[Switch-cpu-defend-policy-test] auto-port-defend protocol arp-reply threshold 60   //Set the threshold of ARP Reply packets to 60 pps.

[Switch-cpu-defend-policy-test] auto-port-defend aging-time 350   //Set the aging detection interval to 350s.

[Switch-cpu-defend-policy-test] quit

[Switch] acl 2000

[Switch-acl-basic-2000] rule permit source 10.1.1.1 0

[Switch-acl-basic-2000] quit

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] auto-port-defend whitelist 1 acl 2000   //Exclude the packets from source IP address 10.1.1.1 from port defense processing.

[Switch-cpu-defend-policy-test] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1  //Exclude the packets from GE0/0/1 from port defense processing.

1.2 How to Cope with a High CPU Usage

High CPU usage may be caused by network flapping, a network loop, or an attack.

- Network flapping: When the network flaps, it changes frequently, and the switch is busy processing switchover events, causing high CPU usage. For example, STP flapping causes the CPU to frequently update MAC address and ARP entries, and route flapping causes the CPU to frequently recalculate routes.

- Network loop: A network loop causes MAC address flapping. A large number of protocol packets are sent to the CPU, overwhelming it.

- Network attack: A user host or network device sends a large number of attack packets to overwhelm the CPU.

In summary, there are two causes of high CPU usage: the CPU needs to handle too many events, or the CPU needs to handle too many packets. Excessive events are handled separately; this section describes how to handle high CPU usage caused by excessive packets.

1.2.1 Identification Method

1. Clear statistics on the packets sent to the CPU.

<Switch> reset cpu-defend statistics

2. Wait for several seconds, then check the statistics on the packets sent to the CPU.

<Switch> display cpu-defend statistics all

Statistics on slot 2:

-----------------------------------------------------------------------------

Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)

-----------------------------------------------------------------------------

dhcp-client         40800         35768          600               52600

The command output shows that a large number of DHCP client packets are newly sent to the CPU and dropped within several seconds.
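When several slots and dozens of packet types are listed, reading the drop columns by eye is error-prone. The following is an added example (not code from the original post or from the switch vendor) that parses the output format shown above and flags packet types whose drop counters climbed during the measurement window. The sample output is constructed for the example; only the dhcp-client row copies the one in the text, and the slot 3 section, the arp-request and icmp rows, and the flagging thresholds are assumptions.

```python
import re

# Added example (not from the original post): parse "display cpu-defend statistics all"
# output and flag packet types that CPCAR is dropping heavily. SAMPLE_OUTPUT is
# constructed for this example; the dhcp-client row is the one quoted in the text.
SAMPLE_OUTPUT = """\
Statistics on slot 2:
-----------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-----------------------------------------------------------------------------
dhcp-client         40800         35768          600               52600
arp-request         64000         0              1000              0
icmp                12800         640            200               10
Statistics on slot 3:
-----------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-----------------------------------------------------------------------------
arp-request         3200          0              50                0
"""

SLOT_RE = re.compile(r"^Statistics on slot (\d+):")
# A data row is a packet-type name followed by exactly four integer counters;
# the header line and the dashed separators do not match this pattern.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_cpu_defend_statistics(text):
    """Return {(slot, packet_type): {pass_bytes, drop_bytes, pass_pkts, drop_pkts}}."""
    stats = {}
    slot = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))       # rows that follow belong to this slot
            continue
        m = ROW_RE.match(line)
        if m and slot is not None:
            ptype, pass_bytes, drop_bytes, pass_pkts, drop_pkts = m.groups()
            stats[(slot, ptype)] = {
                "pass_bytes": int(pass_bytes),
                "drop_bytes": int(drop_bytes),
                "pass_pkts": int(pass_pkts),
                "drop_pkts": int(drop_pkts),
            }
    return stats


def flag_drops(stats, min_drop_pkts=1000, min_drop_ratio=0.5):
    """Flag (slot, type) entries whose drops are both large and dominant.

    Both conditions must hold: at least min_drop_pkts dropped since the counters
    were reset, and drops making up at least min_drop_ratio of all packets of that
    type offered to the CPU. Returns [(slot, type, drop_pkts, drop_ratio)] sorted
    by drop_pkts, largest first.
    """
    flagged = []
    for (slot, ptype), s in stats.items():
        total = s["pass_pkts"] + s["drop_pkts"]
        if total == 0:
            continue
        ratio = s["drop_pkts"] / total
        if s["drop_pkts"] >= min_drop_pkts and ratio >= min_drop_ratio:
            flagged.append((slot, ptype, s["drop_pkts"], ratio))
    flagged.sort(key=lambda f: f[2], reverse=True)
    return flagged


if __name__ == "__main__":
    parsed = parse_cpu_defend_statistics(SAMPLE_OUTPUT)
    for slot, ptype, drops, ratio in flag_drops(parsed):
        print(f"slot {slot}: {ptype} dropped {drops} packets ({ratio:.1%} of offered)")
```

Because the counters are cumulative, the script is only meaningful after reset cpu-defend statistics and a short wait, exactly as in the two steps above; a high drop ratio on a service protocol points to an undersized CPCAR, while a high ratio on a protocol the network barely uses points to a flood.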

1.2.2 Too Many Service Packets Are Sent to the CPU

If too many service packets are sent to the CPU because the CPCAR value is inappropriate, you can change the CPCAR value to reduce the number of packets sent to the CPU.

For example, to change the CIR of DHCP client packets sent to the CPU from 512 kbit/s to 256 kbit/s, run the following commands:

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] car packet-type dhcp-client cir 256

When high CPU usage is caused by too many service packets, change the CPCAR values to reduce the CPU usage. However, if many services run on the network, changing the CPCAR values cannot solve the problem; the number of running services must be reduced without affecting key services.

For example, the FTP protocol occupies low bandwidth and little CPU resource when no file is transferred. However, when FTP transfers files, high bandwidth is used. In this situation, you cannot simply reduce the CPCAR value of FTP. A switch can use the following methods to protect key services.

Table 1-2 Key service processing

Method: Configure dynamic link protection
Description: This function ensures that key services, for example FTP, SSH, HTTPS, TFTP, Telnet, BGP, and OSPF, run normally when the CPU usage is high. After the rate limit for dynamic link protection is set, protocol-based rate limiting does not take effect.

Method: Configure the whitelist
Description: You can create a whitelist on the device and add packets with specified characteristics to it. The device then processes packets matching these characteristics first. Only modular switches support the whitelist.

- Configure dynamic link protection.

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] linkup-car packet-type ftp cir 2048   //Set the CPCAR value for FTP connection setup.

[Switch-cpu-defend-policy-test] quit

[Switch] cpu-defend application-apperceive enable

[Switch] cpu-defend application-apperceive ftp enable   //Enable dynamic link protection for FTP.

- Configure the whitelist.

[Switch] acl 2000

[Switch-acl-basic-2000] rule permit source 10.1.1.1 0   //Configure the ACL to match the packets with source IP address 10.1.1.1.

[Switch-acl-basic-2000] quit

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] whitelist 1 acl 2000   //Add the packets matching ACL 2000 to the whitelist.

1.2.3 Too Many Attack Packets Are Sent to the CPU

If excessive packets sent to the CPU are caused by a network attack, configure attack source tracing to locate the attack source. You can also configure a blacklist to drop the attack packets.

- Attack source tracing

The switch analyzes and collects statistics on the packets sent to the CPU, and considers the packets exceeding the threshold to be attack packets. The switch then locates the attack source (user or port) based on the attack packet information, and generates a log or alarm or drops the attack packets.

Attack source tracing and port attack defense have similar mechanisms; both defend against DoS attacks. The difference is that port attack defense has a smaller impact on services than attack source tracing. Attack source tracing not only prevents attacks on a port basis but also locates the attack source (source IP/MAC address) and takes measures against it.

Attack source tracing includes five stages.

Figure 1-3 Attack source tracing process


1) Packet parsing

By default, the switch can parse 802.1x, ARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, MLD, ND, TCP, and Telnet packets. The packet types are configurable.

The switch can parse packets based on source IP address, source MAC address, or interface + VLAN. The three modes apply to different scenarios:

- Based on source IP address: defends against Layer 3 attack packets.

- Based on source MAC address: defends against attack packets with a fixed source MAC address.

- Based on interface + VLAN: defends against attack packets with variable MAC addresses.

2) Traffic analysis

Like port attack defense, traffic analysis works based on a sampling rate.

For example, if the sampling rate is 5, 1 packet out of 5 is analyzed according to the attack source tracing mode. If this packet matches the source tracing mode, all 5 packets are considered to match it and are counted in the traffic analysis. If this packet does not match the source tracing mode, all 5 packets are considered not to match.

3) Attack source identification

Packets exceeding the threshold are considered attack packets. After packet analysis, you can obtain details about the attack source.

For example, if the threshold is 60 pps and the mode is based on source IP address, then when the rate of ARP packets sent from one source IP address to the CPU exceeds 60 pps, the ARP packets from that source IP address are considered attack packets.

4) Attack handling

After detecting an attack source, the switch records a log by default. The switch also supports an alarm and punishment actions (including dropping packets and error-down).

5) Reduce impact on services

If you do not want to perform attack source tracing on some users or interfaces, regardless of whether an attack occurs, you can configure an ACL and add these users or interfaces to the whitelist.
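Both the port attack defense process (traffic analysis, attack identification, whitelist) and the attack source tracing stages above rest on the same sampling idea: parse one packet in every N and credit the whole group of N to whatever that packet was. The following is an added example (not code from the original post or from the switch vendor) that models that estimator together with the threshold check and the whitelist, for the port view and for the three source tracing modes. The one-second packet stream, the host addresses, the interface names, and the threshold of 60 pps are constructed for the example; real switch internals are not claimed.

```python
import random
from collections import Counter

# Added example (not from the original post): a model of sampling-based traffic
# analysis as used by port attack defense and attack source tracing. One packet
# in every `sample` is parsed and its classification is credited to the whole
# group of `sample` packets. Packets, hosts and interface names are constructed.

# How a packet is attributed to a source, per tracing mode.
TRACE_KEYS = {
    "port": lambda p: p["port"],                         # port attack defense
    "source-ip": lambda p: p["src_ip"],                  # auto-defend trace-type source-ip
    "source-mac": lambda p: p["src_mac"],                # auto-defend trace-type source-mac
    "source-portvlan": lambda p: (p["port"], p["vlan"]), # interface + VLAN
}


def sampled_counts(packets, trace_type, sample):
    """Estimate per-(source, protocol) packet counts by parsing 1 of every `sample` packets.

    Returns (counts, parsed): counts maps (source_key, protocol) to the estimated
    packet count; parsed is how many packets the CPU actually had to inspect.
    """
    key_of = TRACE_KEYS[trace_type]
    counts = Counter()
    parsed = 0
    for i, pkt in enumerate(packets):
        if i % sample != 0:
            continue                    # unparsed packets are never inspected
        parsed += 1
        counts[(key_of(pkt), pkt["proto"])] += sample   # whole group credited here
    return counts, parsed


def identify_attack_sources(packets, trace_type, sample, threshold_pps,
                            window_s=1.0, whitelist=()):
    """Return {(source_key, protocol): estimated_pps} for sources above the threshold.

    Sources listed in `whitelist` are never reported, mirroring auto-defend whitelist.
    """
    counts, _ = sampled_counts(packets, trace_type, sample)
    return {
        (src, proto): n / window_s
        for (src, proto), n in counts.items()
        if src not in whitelist and n / window_s > threshold_pps
    }


def constructed_stream(seed=7):
    """One second of constructed traffic: 10.1.1.1 floods ARP at 300 pps, two hosts are normal."""
    pkts = []
    pkts += [{"port": "GE0/0/1", "vlan": 10, "src_mac": "000a-000b-000c",
              "src_ip": "10.1.1.1", "proto": "arp"}] * 300
    pkts += [{"port": "GE0/0/1", "vlan": 10, "src_mac": "000a-000b-000d",
              "src_ip": "10.1.1.2", "proto": "arp"}] * 40
    pkts += [{"port": "GE0/0/2", "vlan": 20, "src_mac": "000a-000b-000e",
              "src_ip": "10.1.1.3", "proto": "dhcp"}] * 50
    random.Random(seed).shuffle(pkts)   # interleave arrivals, deterministically
    return pkts


if __name__ == "__main__":
    stream = constructed_stream()
    for sample in (1, 5):
        counts, parsed = sampled_counts(stream, "source-ip", sample)
        print(f"sample {sample}: parsed {parsed} of {len(stream)} packets -> {dict(counts)}")
        print("  attack sources:", identify_attack_sources(stream, "source-ip", sample, 60))
    print("port view:", identify_attack_sources(stream, "port", 1, 60))
    print("whitelisted:", identify_attack_sources(stream, "source-ip", 1, 60,
                                                  whitelist={"10.1.1.1"}))
```

With sample 1 the estimates are exact but every packet is parsed; with sample 5 the CPU parses 78 packets instead of 390, the flooding host is still caught comfortably, but the estimates for the 40 pps and 50 pps hosts arrive in steps of 5 and can land on either side of the 60 pps threshold depending on which packets happened to be sampled. That is the inaccuracy the caution in the port attack defense section warns about, and it is why a whitelist for known-good sources is worth configuring alongside a coarse sampling rate.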

The configuration is as follows:

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] auto-defend protocol arp   //Only ARP packets sent to the CPU need to be parsed.

[Switch-cpu-defend-policy-test] auto-defend trace-type source-ip   //Set the attack source tracing mode to source IP address.

[Switch-cpu-defend-policy-test] auto-defend attack-packet sample 2    //Set the sampling rate to 2.

[Switch-cpu-defend-policy-test] auto-defend threshold 200   //Set the threshold.

[Switch-cpu-defend-policy-test] auto-defend alarm enable    //Configure the alarm.

[Switch-cpu-defend-policy-test] auto-defend action deny   //Set the punishment action to drop.

[Switch-cpu-defend-policy-test] quit

[Switch] acl 2000

[Switch-acl-basic-2000] rule permit source 10.1.1.1 0

[Switch-acl-basic-2000] quit

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] auto-defend enable

[Switch-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000   //Exclude the user with IP address 10.1.1.1 from attack source tracing.

[Switch-cpu-defend-policy-test] auto-defend whitelist 1 interface gigabitethernet 0/0/1  //Exclude GE0/0/1 from attack source tracing.

- Blacklist

The blacklist is configured based on an ACL. The device drops all packets matching the characteristics in the blacklist. You can add known attackers to the blacklist. Configure the blacklist as follows:

[Switch] acl 2000

[Switch-acl-basic-2000] rule permit source 10.1.1.1 0

[Switch-acl-basic-2000] quit

[Switch] cpu-defend policy test

[Switch-cpu-defend-policy-test] blacklist 1 acl 2000   //Drop all packets with source IP address 10.1.1.1.

1.3 Example for Configuring CPU Security Control

In Figure 1-4, a switch is connected to three subnets with a large number of users, so the switch's CPU must process many protocol packets. If a malicious user sends many attack packets, the CPU usage of the switch rises sharply, affecting services. The administrator has the following requirements:

- Monitor the CPU security status so that, when the CPU is attacked, the administrator detects the attack immediately.

- The switch often receives many ARP Request and ICMP packets; the administrator wants to lower the CPU usage.

- Users on Net1 often initiate attacks, so the administrator wants to reject access from Net1 users. Net2 users are fixed, authorized users.

- The administrator often uploads files to the switch through FTP, so data transmission between the administrator's computer and the switch must be reliable and stable.

Figure 1-4 CPU security control configuration example


Configuration Roadmap

1. Configure attack source tracing, alarms, and punishment so that the switch sends an alarm to the administrator when it detects an attack source and automatically takes punishment actions.

2. Add Net2 users to the whitelist to exclude them from attack source tracing analysis and punishment.

3. Add Net1 users to the blacklist to reject their access.

4. Set the CPCAR for ARP Request packets to limit the rate of ARP Request packets sent to the CPU. This reduces the impact of ARP Request packets on the CPU.

5. Enable defense against ICMP flood attacks.

6. Set the rate limit for the FTP packets sent to the CPU during FTP connection setup to ensure reliable and stable data transmission between the administrator's computer and the switch. (ALP is enabled for FTP by default, so it does not need to be enabled again.)

Procedure

1. Configure the rule for filtering packets sent to the CPU.

<Switch> system-view

[Switch] acl number 2001

[Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255

[Switch-acl-basic-2001] quit

[Switch] acl number 2002

[Switch-acl-basic-2002] rule permit source 10.2.2.0 0.0.0.255

[Switch-acl-basic-2002] quit

2. Configure an attack defense policy.

[Switch] cpu-defend policy policy1  //Create an attack defense policy.

[Switch-cpu-defend-policy-policy1] auto-defend enable  //Enable the attack source tracing.

[Switch-cpu-defend-policy-policy1] auto-defend alarm enable  //Enable attack source tracing alarm.

[Switch-cpu-defend-policy-policy1] auto-defend whitelist 1 acl 2002  //Configure a whitelist for attack source tracing.

[Switch-cpu-defend-policy-policy1] auto-defend action deny  //Set the punishment action to drop.

[Switch-cpu-defend-policy-policy1] car packet-type arp-request cir 120  //Set the CPCAR for ARP Request packets to 120 kbit/s.

[Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001  //Configure the blacklist for CPU defense.

[Switch-cpu-defend-policy-policy1] linkup-car packet-type ftp cir 5000  //Set the rate of FTP packets sent to the CPU to 5000 kbit/s.

[Switch-cpu-defend-policy-policy1] quit

3. Apply the attack defense policy globally.

[Switch] cpu-defend-policy policy1 global

4. Enable ICMP flood attack defense and set the rate of receiving ICMP packets to 15000 kbit/s.

[Switch] anti-attack icmp-flood enable

[Switch] anti-attack icmp-flood car cir 15000

[Switch] quit

5. Verify the configuration.

# Display the configuration of attack source tracing.

<Switch> display auto-defend configuration

-------------------------------------------------------------------------

 Name  : policy1

 Related slot : <0>

 auto-defend                      : enable

 auto-defend attack-packet sample : 5

 auto-defend threshold            : 60 (pps)

 auto-defend alarm                : enable

 auto-defend trace-type           : source-mac source-ip

 auto-defend protocol             : arp icmp dhcp igmp tcp telnet 8021x

 auto-defend action               : deny (Expired time : 300 s)

 auto-defend whitelist 1          : acl number 2002

 -------------------------------------------------------------------------

# Display the configuration of the attack defense policy.

<Switch> display cpu-defend policy policy1

 Related slot : <0>

Configuration :

   Blacklist 1 ACL number : 2001

   Car packet-type arp-request : CIR(120)  CBS(22560)

   Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)

# Display the CPCAR setting.

<Switch> display cpu-defend configuration packet-type arp-request slot 0

Car configurations on slot 0.

----------------------------------------------------------------------

Packet Name           Status   Cir(Kbps)   Cbs(Byte)  Queue  Port-Type

----------------------------------------------------------------------

arp-request          Enabled    120          22560       3       NA         

----------------------------------------------------------------------

# Display the statistics on ICMP attack defense.

<Switch> display anti-attack statistics

Packets Statistic Information:                                                 

-------------------------------------------------------------------------

AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum         

             (H)        (L)        (H)        (L)        (H)        (L)        

-------------------------------------------------------------------------

URPF          0          0          0          0          0          0

Abnormal      0          0          0          0          0          0

Fragment      0          0          0          0          0          0

Tcp-syn       0          0          0          0          0          0

Udp-flood     0          0          0          0          0          0

Icmp-flood    0          0          0          0          0          0

-------------------------------------------------------------------------


Security Issues - Issue 1 Security Holistic View
Security Issues - Issue 2 Management Plane Security
Security Issues - Issue 3 Control Plane Security
Security Issues - Issue 4 Forwarding Plane Security – Layer 2 Security
Security Issues - Issue 5 Forwarding Plane Security – Layer 3 Security

This post was last edited by 交换机在江湖 on 2017-08-11 10:41.

user_2790689     Created Mar 31, 2017 15:25:54

thank you for sharing