This post refers to CPU defend. Please have a look at the information displayed below.
Function
The cpu-defend policy command creates an attack defense policy and displays the attack defense policy view.
The undo cpu-defend policy command deletes an attack defense policy.
By default, the default attack defense policy exists on the device and is applied to the device.
The default attack defense policy cannot be deleted or modified.
Usage scenario
A large number of packets including attack packets are sent to the CPU on a network. If excess packets are sent to the CPU, its usage becomes high and its performance deteriorates.
The attack packets affect services and may even cause system breakdown. To solve the problem, create an attack defense policy and configure CPU attack defense and attack source tracing in the attack defense policy.
Precautions
The device supports a maximum of 13 attack defense policies, including the default attack defense policy. The default attack defense policy is generated in the system by default and is applied to the device.
The default attack defense policy cannot be deleted or modified. The other 12 policies can be created, modified, and deleted.
# Create an attack defense policy named test.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test]
cpu-defend trap drop-packet
Usage scenario
To protect the CPU, a switch limits the rate of protocol packets sent to the CPU based on the CPCAR. If the rate of protocol packets exceeds the CPCAR, excess protocol packets are dropped, which may affect the corresponding service. To quickly detect packet loss caused by exceeding the CPCAR, you can use this command to enable alarm reporting for this event. After this function is enabled, the switch checks at 10-minute intervals for packet loss caused by CPCAR. If the switch finds that the number of dropped packets of a protocol increases, the switch reports a packet loss alarm.
Example
# Enable alarm reporting for packet loss caused by exceeding the CPCAR.
<HUAWEI> system-view
[HUAWEI] cpu-defend trap drop-packet
Checking whether network attacks exist
Run the display cpu-defend statistics command to check statistics about packets sent to the CPU.
According to the statistics, determine whether many protocol packets have been discarded because the CPU is too busy to process them. Then, run the reset cpu-defend statistics command to clear the statistics. After several seconds, run the display cpu-defend statistics command again to re-check the statistics.
If packets of a protocol are numerous, determine whether this is a normal phenomenon based on the networking. If this is abnormal, a protocol packet attack occurs.
<HUAWEI> reset cpu-defend statistics
<HUAWEI> display cpu-defend statistics all
Statistics on slot 2:
-----------------------------------------------------------------------------------------------------------
Packet Type                 Pass(Bytes)    Drop(Bytes)    Pass(Packets)    Drop(Packets)
-----------------------------------------------------------------------------------------------------------
arp-miss                              0              0                0                0
arp-request                       40800          35768              600            52600
bgp                                   0              0                0                0
......
-----------------------------------------------------------------------------------------------------------
If the live network cannot legitimately generate this many ARP request packets, the switch is under an ARP attack.
If the switch has a high CPU usage, do not increase the CPCAR value. Instead, find out the attack source.
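The check described above (compare the drop counters of two display cpu-defend statistics dumps and see which protocol keeps being dropped) can be scripted when dumps are collected off the box. The following is an added example, not Huawei code; the two dumps are constructed sample text in the format shown above, and the slot/row parsing assumes the column order Pass(Bytes), Drop(Bytes), Pass(Packets), Drop(Packets).

```python
import re

# Constructed sample of two 'display cpu-defend statistics all' dumps taken a
# few seconds apart (not real device output); only arp-request keeps dropping.
SNAPSHOT_1 = """\
Statistics on slot 2:
Packet Type          Pass(Bytes)  Drop(Bytes)  Pass(Packets)  Drop(Packets)
-----------------------------------------------------------------------
arp-miss                       0            0              0              0
arp-request                40800        35768            600          52600
bgp                            0            0              0              0
......
"""
SNAPSHOT_2 = """\
Statistics on slot 2:
Packet Type          Pass(Bytes)  Drop(Bytes)  Pass(Packets)  Drop(Packets)
-----------------------------------------------------------------------
arp-miss                       0            0              0              0
arp-request                42400        98120            640         117300
bgp                          512            0              4              0
......
"""

SLOT_RE = re.compile(r"^Statistics on slot (\d+):")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
DROP_PACKETS = 3   # index of the Drop(Packets) column in a parsed row


def parse_stats(output):
    """Map (slot, packet type) -> (pass_bytes, drop_bytes, pass_pkts, drop_pkts)."""
    stats, slot = {}, "?"
    for line in output.splitlines():
        line = line.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = m.group(1)          # rows that follow belong to this slot
            continue
        m = ROW_RE.match(line)
        if m:                          # header, dashes and '......' do not match
            stats[(slot, m.group(1))] = tuple(int(v) for v in m.groups()[1:])
    return stats


def growing_drops(before, after):
    """Protocols whose Drop(Packets) grew between two dumps, largest delta first."""
    growth = []
    for key, row in after.items():
        delta = row[DROP_PACKETS] - before.get(key, (0, 0, 0, 0))[DROP_PACKETS]
        if delta > 0:
            growth.append((key, delta))
    return sorted(growth, key=lambda item: item[1], reverse=True)
```

A protocol that appears at the top of the list after several rounds is the one to trace to its source, rather than raising its CPCAR.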