Got it
Enterprise
Community Forums Switches
Attack Defense Overview

Attack Defense Overview Highlighted

Latest reply: Oct 29, 2018 00:50:27 1507 7 10 0
display all floors #1

On networks, there are many risks that may cause overload on the control plane. For example, a large number of viruses and hacker tools are flooded on networks. These viruses and hacker tools may attack network devices, resulting in network breakdown. Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) attacks are often initiated. Attackers use viruses and hacker tools to preempt resources of attacked devices, causing service interruption on the attacked devices. If switches respond to ICMP and ARP packets unconditionally, the CPU usage becomes high when the switches are attacked by viruses. Signaling protocols on the control plane may fail or even switches fail to respond to valid ARP Request packets. Consequently, the switches may break down, causing service interruption.

To solve the preceding problem, switches provide security functions and the functions are increasingly optimized. As a main security function on switches, the central processor committed access rate (CPCAR) function allows switches to classify packets sent to the control plane, limit the rate of these packets, and schedule the packets in queues to ensure security of the control plane.


Local attack defense is implemented based on the following levels:

  • Level 1: The ASIC identifies packets sent to the control plane and limits the rate of or discards packets. The attack defense methods include the CPCAR, blacklist, access control list (ACL), and traffic suppression.
  • Level 2: The ASIC adjusts and shapes various protocol packets using queues. The attack defense methods include the protocol queue adjustment, CPU interface rate limiting, and CPU queue rate limiting (fixed switches).
  • Level 3: The RISC processor limits the rate of various protocol packets, configures anti-spoofing functions, and identifies the attack source using auto-defend. This level is located on the control plane. The attack defense methods include protocol security, ARP anti-spoofing, attack source identification in auto-defend, and traffic rate limiting.
  • x
  • convention:

Helpful (10) Favorite(0) Share Report
Previous: Detailed Packet Path in Distributed Firewalls
Next: [Knowledge sharing] Maximum PoE distance for S5700/S6700 switches
faysalji
Created Oct 19, 2018 10:08:29 Helpful(0) Helpful(0)

Thanks, please link this documentation for further detailed reading
View more
  • x
  • convention:
If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
Mysterious.color
Created Oct 19, 2018 13:29:39 Helpful(0) Helpful(0)

thank you for this info
View more
  • x
  • convention:
Core%20Engineer%2C%20Technical%20Department.%20High%20experience%20in%20Networking
littlestone
Created Oct 24, 2018 01:00:45 Helpful(0) Helpful(0)

 the Alarm information field to determine whether the optical module is certified for Huawei Ethernet switches. If the alarm message "Non-Huawei-Certified Transceiver" or "Non-Huawei-Ethernet-Switch-Certified Transceiver" is displayed, the optical module is not certified for Huawei Ethernet switches. Replace it with one that is certified for Huawei Ethernet switches This post was last edited by littlestone at 2018-10-31 05:57.
View more
  • x
  • convention:
Mark.hu
Created Oct 26, 2018 06:30:55 Helpful(0) Helpful(0)

Attack defense is a network security feature that enables a device to analyze the content and behavior of packets sent to the CPU, identify attack packets, and take measures to block attack packets.Attack defense prevents malformed packet attacks, packet fragment attacks, and flood attacks.Attacks initiated by utilizing inherent bugs of communication protocols or improper network deployment have great impact on networks. In particular, attacks on a network device can cause the device or network to crash. This post was last edited by Mark.hu at 2018-10-31 06:00.
View more
  • x
  • convention:
Torrent
Created Oct 27, 2018 08:31:50 Helpful(0) Helpful(0)

On networks, there are many risks that may cause overload on the control plane. For example, a large number of viruses and hacker tools are flooded on networks. These viruses and hacker tools may attack network devices, resulting in network breakdown.  we usually meet this kind of attack in the network but do not know how to deal with, thanks for sharing us a good example, I learned a lot. This post was last edited by Torrent at 2018-10-31 06:05.
View more
  • x
  • convention:
No.9527
Created Oct 27, 2018 08:33:58 Helpful(0) Helpful(0)

the attack is occurred in network usually, sometime we need professional device to do this, it is recommended that buy the  professional device to do this

This post was last edited by No.9527 at 2018-10-31 03:14.
View more
  • x
  • convention:
SupperRobin
Created Oct 29, 2018 00:50:27 Helpful(0) Helpful(0)

The switches provide security functions and the functions are increasingly  optimized. As a main security function on switches, the central processor  committed access rate (CPCAR) function allows switches to classify packets sent  to the control plane, limit the rate of these packets, and schedule the packets  in queues to ensure security of the control plane. So we should configuration the attach or cpu cpcar ? This post was last edited by SupperRobin at 2018-10-31 07:18.
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

APP

Huawei Enterprise Support Community
Huawei Enterprise Support Community
Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.