Many threats on a network can overload a switch's control plane. Viruses and hacker tools are flooded across networks and attack network devices, which can bring the network down; Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) attacks are launched particularly often. Attackers use these viruses and tools to preempt the resources of the targeted devices, interrupting the services they provide. If a switch responds to every ICMP and ARP packet unconditionally, its CPU usage rises sharply when it is attacked in this way: signaling protocols on the control plane may fail, the switch may stop responding to valid ARP Request packets, and the switch may eventually break down, causing service interruption.
To address this problem, switches provide security functions that continue to be refined. The central processor committed access rate (CPCAR) function, a core security function on switches, classifies the packets sent to the control plane, limits their rate, and schedules them in queues, thereby protecting the control plane.
Local attack defense is implemented at the following three levels:
- Level 1: The ASIC identifies packets sent to the control plane and limits the rate of these packets or discards them. The attack defense methods at this level are CPCAR, the blacklist, access control lists (ACLs), and traffic suppression.
- Level 2: The ASIC adjusts and shapes various protocol packets using queues. The attack defense methods include the protocol queue adjustment, CPU interface rate limiting, and CPU queue rate limiting (fixed switches).
- Level 3: The RISC processor limits the rate of various protocol packets, configures anti-spoofing functions, and identifies the attack source using auto-defend. This level is located on the control plane. The attack defense methods include protocol security, ARP anti-spoofing, attack source identification in auto-defend, and traffic rate limiting.
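As an added illustration (not code from the original page or from any vendor's implementation), the following Python model shows how levels 1 and 2 fit together: a per-protocol token bucket stands in for the CPCAR rate limit the ASIC applies, and a strict-priority scheduler stands in for the protocol queues. The CPCAR table values, the protocol names and the flood scenario are constructed assumptions, not real device defaults.

```python
from collections import deque

class TokenBucket:
    """Committed rate for one protocol: `rate` packets/s, bursts of up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

# Constructed CPCAR table (hypothetical values): protocol -> (committed pps, burst, priority).
CPCAR = {"arp-request": (64, 8, 3), "icmp": (32, 4, 1), "ospf": (128, 16, 7)}

class ControlPlaneGuard:
    """Level 1: classify and rate-limit per protocol. Level 2: schedule queues."""
    def __init__(self, table=CPCAR):
        self.buckets = {p: TokenBucket(r, b) for p, (r, b, _) in table.items()}
        self.prio = {p: q for p, (_, _, q) in table.items()}
        self.queues = {p: deque() for p in table}
        self.dropped = {p: 0 for p in list(table) + ["unclassified"]}

    def ingress(self, proto, pkt, now):
        """Return True if the packet is queued for the CPU, False if discarded."""
        if proto not in self.buckets or not self.buckets[proto].allow(now):
            self.dropped[proto if proto in self.buckets else "unclassified"] += 1
            return False
        self.queues[proto].append(pkt)
        return True

    def dequeue(self, n):
        """Strict-priority scheduler: drain higher-priority queues first."""
        out = []
        for proto in sorted(self.queues, key=lambda p: -self.prio[p]):
            while self.queues[proto] and len(out) < n:
                out.append((proto, self.queues[proto].popleft()))
        return out

def simulate_flood():
    """Constructed scenario: 1000 ICMP packets in 10 ms, then three OSPF hellos."""
    guard = ControlPlaneGuard()
    for i in range(1000):
        guard.ingress("icmp", f"icmp-{i}", now=i * 0.00001)
    for i in range(3):
        guard.ingress("ospf", f"hello-{i}", now=0.02)
    return guard
```

In the scenario, the ICMP flood is clipped to its burst of four packets while all three OSPF hellos are admitted and are served before the remaining ICMP packets, which is the behaviour the CPCAR and queue-scheduling levels are meant to guarantee.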