Anti-DoS attack – configuration procedure (1)

Latest reply: Jun 26, 2021 13:34:46

Hello, everybody!


Today I will explain the DoS attack and show the configuration process on the OLT. This is one of two articles about anti-DoS attacks.


The DoS attack is one of the most dangerous hacker attacks. The goal of the hackers is to stop the delivery of services to regular users. The attack disables a network, a computer, or other parts of the infrastructure so that users cannot use them.



Figure 1. DoS attack

(HCIP-Access V2.5 Training Material)


We can recognize the attack if we check the CPU usage. During normal operation, the load on the CPUs of control boards and service boards is not above 20%. During a DoS attack, the CPU has a constant high load.


With the following commands, we can check the CPU usage on control boards and service boards under normal conditions. The example is an OLT MA5800-X15: the main control board is 0/8, the standby control board is 0/9, and the GPON service board is 0/1.


The first command checks the CPU of the active control board:


TEST(config)#display cpu 0/8

{ <cr>||<K> }:

Command:

display cpu 0/8

CPU occupancy: 5%


The command for the standby control board:


TEST(config)#display cpu 0/9

{ <cr>||<K> }:

Command:

display cpu 0/9

Send message for inquiring board cpu occupancy successfully, board

executing...

CPU occupancy: 2%


The command to check the CPU of service board 0/1:


TEST(config)#display cpu 0/1

{ <cr>||<K> }:

Command:

display cpu 0/1

Send message for inquiring board cpu occupancy successfully, board

executing...

CPU occupancy: 7%


We have to stop the DoS attack; for that, we will activate the anti-DoS function on the OLT.


The command for activating the anti-DoS function is:


TEST(config)#security anti-dos

{ control-packet<K>|disable<K>|enable<K> }:enable

Command:

security anti-dos enable


At the end, the command to display the whole security configuration on the OLT:


TEST#display security config

{ <cr>||<K> }:

Command:

display security config

Anti-ipspoofing function                          : disable

Anti-dos function                                 : enable

Anti-macspoofing function                         : enable

Anti-ipattack function                            : disable

Anti-icmpattack function                          : disable

Source-route filter function                      : disable

Anti-macduplicate function                        : enable

PPPoE overall aging time(sec)                     : 360

PPPoE aging period(sec)                           : 90

ARP detect mode                                   : dummy

Anti-dos control-packet policy                    : deny

Packet unaffected by anti-ipspoofing              : IGMP

Packet unaffected by anti-ipv6spoofing            : --

NS-reply function                                 : disable

NS-reply unknown-policy                           : forward

ARP-reply function                                : disable

ARP-reply unknown-policy                          : forward

Anti-ipv6spoofing function                        : disable

IPv6 DAD proxy function                           : disable

IPv6 bind route and ND                            : disable

Packet unaffected by anti-macspoofing             : IGMP

DHCP client identifier                            : chaddr

Packet ignored by anti-macspoofing                : --

Anti-illegal-arp function                         : enable

Anti-illegal-nd function                          : enable

User delete delay(sec)                            : 0

Anti-macduplicate alarm function                  : disable

Anti-ipv6attack function                          : disable

Anti-icmpv6attack function                        : disable

Anti-ipconflict refresh function                  : disable

Anti-illegal-hoplimit-nd function                 : disable

IP option packet-policy                           : to-cpu

DHCP packet anti-dos control-packet period(sec)   : 1



Thank you!


Reference: HCIP-Access V2.5 Training Material
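
The recognition rule from the post (board CPU normally not above 20%, constantly high during a DoS attack) and the check that anti-DoS is enabled can be automated over captured CLI output. The Python below is an added example, not part of the original post or of any Huawei tool; the three-poll threshold, the function names and the sample session are assumptions constructed for illustration.

```python
import re

BASELINE_PCT = 20     # from the post: normal board load is not above 20%
SUSTAINED_POLLS = 3   # assumption: "constant" = 3 consecutive polls above baseline
CPU_CMD = re.compile(r"^[ \t]*display cpu (\d+/\d+)[ \t]*$", re.M)
CPU_VAL = re.compile(r"CPU occupancy:\s*(\d+)%")
CFG_ROW = re.compile(r"^[ \t]*(.+?)[ \t]*:[ \t]*(\S+)[ \t]*$", re.M)

def parse_cpu(session):
    """Map each board (frame/slot) to its occupancy readings, in poll order."""
    parts = CPU_CMD.split(session)  # [preamble, board, body, board, body, ...]
    samples = {}
    for board, body in zip(parts[1::2], parts[2::2]):
        m = CPU_VAL.search(body)
        if m:
            samples.setdefault(board, []).append(int(m.group(1)))
    return samples

def sustained_high(samples):
    """Boards whose most recent SUSTAINED_POLLS readings all exceed the baseline."""
    return sorted(b for b, v in samples.items()
                  if len(v) >= SUSTAINED_POLLS
                  and all(x > BASELINE_PCT for x in v[-SUSTAINED_POLLS:]))

def anti_dos_state(config_output):
    """Read the two anti-DoS rows from 'display security config' output."""
    rows = dict(CFG_ROW.findall(config_output))
    return {"enabled": rows.get("Anti-dos function") == "enable",
            "control_packet_policy": rows.get("Anti-dos control-packet policy")}

def _poll(board, pct):
    # Constructed sample that mimics the 'display cpu' output shown in the post.
    return (f"TEST(config)#display cpu {board}\n{{ <cr>||<K> }}:\n"
            f"Command:\ndisplay cpu {board}\nCPU occupancy: {pct}%\n")

# Three constructed polls: 0/1 stays high, 0/8 has one spike, 0/9 is idle.
SAMPLE_SESSION = "".join(_poll(b, p) for b, p in [
    ("0/8", 5), ("0/9", 2), ("0/1", 96),
    ("0/8", 45), ("0/9", 3), ("0/1", 98),
    ("0/8", 6), ("0/9", 2), ("0/1", 97)])

# Rows copied from the post's 'display security config' output.
SAMPLE_CONFIG = """\
Anti-dos function                                 : enable
Anti-dos control-packet policy                    : deny
"""

if __name__ == "__main__":
    print(sustained_high(parse_cpu(SAMPLE_SESSION)), anti_dos_state(SAMPLE_CONFIG))
```

A single spike, as on board 0/8 in the sample, is not reported; only a board that stays above the baseline for every one of the last three polls is.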


thanks for sharing the information

Vlada85 Created May 30, 2021 21:12:18
You're welcome

thanks to share

user_3015189 Created May 30, 2021 18:59:04
:-)

Vlada85 Created May 30, 2021 21:12:27
You're welcome

Good information for those who need to know about this.

Vlada85 Created May 30, 2021 21:12:46
Thank you

Good

Ayeshaali Created May 28, 2021 16:24:29

Ayeshaali Created May 28, 2021 16:24:36

Vlada85 Created May 30, 2021 21:13:03
Thank you

Well note

Vlada85 Created May 30, 2021 21:13:21
Thank you

Good

Vlada85 Created May 30, 2021 21:13:36
Thank you

Ayeshaali Reply Vlada85 Created May 31, 2021 17:20:16

zaheernew (MVE Author) Created May 28, 2021 04:22:37

Vlada85 Created May 30, 2021 21:13:51
Thank you

Good post

Vlada85 Created May 30, 2021 21:14:17
Thank you

good job

Vlada85 Created May 30, 2021 21:14:06
Thank you

Ayeshaali Created May 31, 2021 17:20:32