Attack Behavior
An attacker floods a switch with IP packets carrying route options. Such packets cannot be handled on the normal forwarding path and need extra per-packet processing, so a large volume of them degrades the switch's forwarding performance and exhausts its resources. As a result, the switch fails to process valid packets.
Security Policy
Switches support the following route options in IP packets:
- Record-route (RR): records the IP address of every switch on the forwarding path.
- Time-stamp (TS): records the IP address and timestamp of every switch on the forwarding path.
- Source and record route (SRR), in two forms:
  - Loose SRR (LSRR): specifies a list of IP addresses that the packet must traverse, in order, with other hops allowed between them.
  - Strict SRR (SSRR): specifies the exact hop-by-hop path that the packet must follow.
- Router alert (RA): not a route option in the strict sense, but filtered by the same command; it asks every switch on the path to examine the packet's contents (RSVP and IGMP, for example, use it).
To protect switches against attacks launched using IP packets with route options, run the discard { srr | rr | ra | ts } command in the interface view. The command takes effect only on the interface where it is configured, so apply it on every interface that receives untrusted traffic. Before discarding an option, confirm that no legitimate protocol on that interface depends on it: the RA option is used by RSVP and IGMP, and the RR and TS options by path-recording variants of ping, so dropping them where those are in use breaks that traffic.
Configuration Method
Configure the switch to discard IP packets carrying route options. Run the command that matches each option to be dropped; the examples below apply the policy on VLANIF100.
- Discard packets carrying the RR option on VLANIF100:
    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard rr
    [HUAWEI-Vlanif100] quit
- Discard packets carrying the TS option on VLANIF100:
    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard ts
    [HUAWEI-Vlanif100] quit
- Discard packets carrying the SRR option (LSRR and SSRR) on VLANIF100:
    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard srr
    [HUAWEI-Vlanif100] quit
- Discard packets carrying the RA option on VLANIF100:
    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] discard ra
    [HUAWEI-Vlanif100] quit
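The following Python script is an added example, not part of the original page and not Huawei's code. It shows what the discard policy has to do on each packet: walk the IPv4 option list, map each option onto the keyword the discard command uses (RR, TS, LSRR/SSRR as srr, RA), and drop the packet when an option in the configured set is present. Option type codes follow RFC 791 and RFC 2113; the addresses, sample packets and all function names are constructed for the example.

```python
"""Classify IPv4 packets by the options that a discard { srr | rr | ra | ts }
policy targets, and decide per packet whether the policy drops it.
Added example with constructed packets; helper names are hypothetical."""
import struct
from typing import List, Set

# IPv4 option type codes (RFC 791 for RR/TS/LSRR/SSRR, RFC 2113 for RA),
# mapped onto the keyword the discard command uses for each.
OPTION_NAMES = {
    7: "rr",      # Record Route
    68: "ts",     # Internet Timestamp
    131: "srr",   # Loose Source and Record Route (LSRR)
    137: "srr",   # Strict Source and Record Route (SSRR)
    148: "ra",    # Router Alert
}

SRC = bytes([192, 0, 2, 1])      # constructed addresses (TEST-NET-1)
DST = bytes([192, 0, 2, 254])


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(option_bytes: bytes, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (protocol ICMP) carrying the given options."""
    opts = option_bytes + b"\x00" * ((-len(option_bytes)) % 4)  # pad to 32-bit words
    ihl = 5 + len(opts) // 4
    if ihl > 15:
        raise ValueError("options exceed the 40-byte IPv4 option space")
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                        0x1234, 0, 64, 1, 0, SRC, DST)
    csum = _checksum(fixed + opts)
    fixed = fixed[:10] + struct.pack("!H", csum) + fixed[12:]
    return fixed + opts + payload


def parse_ipv4_options(packet: bytes) -> List[int]:
    """Return the type codes of the options present in an IPv4 header.

    Raises ValueError on a malformed header; a filter should treat that as a
    reason to drop the packet, not as 'no options present'.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("IHL points past the end of the packet")
    if _checksum(packet[:header_len]) != 0:
        raise ValueError("bad header checksum")
    options, types, i = packet[20:header_len], [], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:            # End of Option List
            break
        if opt_type == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without a length byte")
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("option length outside the header")
        types.append(opt_type)
        i += opt_len
    return types


def option_names(packet: bytes) -> List[str]:
    """Map a packet's options onto the discard command's keywords."""
    return [OPTION_NAMES.get(t, "other(%d)" % t) for t in parse_ipv4_options(packet)]


def should_discard(packet: bytes, discard: Set[str]) -> bool:
    """Apply a per-interface policy such as {'rr', 'ts'} to one packet."""
    try:
        names = option_names(packet)
    except ValueError:
        return True                  # malformed header: drop rather than guess
    return any(name in discard for name in names)


# Constructed sample packets, one per option the policy can target.
SAMPLE_PACKETS = {
    "plain": build_ipv4(b""),
    "rr": build_ipv4(bytes([7, 39, 4]) + b"\x00" * 36),                    # 9 empty RR slots
    "ts": build_ipv4(bytes([68, 12, 5, 0]) + b"\x00" * 8),                 # 2 timestamp slots
    "lsrr": build_ipv4(bytes([131, 11, 4]) + bytes([10, 0, 0, 1, 10, 0, 0, 2])),
    "ssrr": build_ipv4(bytes([137, 11, 4]) + bytes([10, 0, 0, 1, 10, 0, 0, 2])),
    "ra": build_ipv4(bytes([148, 4, 0, 0])),                                # Router Alert
    "nop_rr": build_ipv4(bytes([1, 1, 7, 7, 4, 0, 0, 0, 0])),               # NOP padding before RR
}

if __name__ == "__main__":
    policy = {"rr", "ts", "srr", "ra"}   # what the four commands above discard together
    for label, pkt in SAMPLE_PACKETS.items():
        print("%-7s options=%-8s discard=%s" % (label, option_names(pkt), should_discard(pkt, policy)))
```

Two details matter for a filter like this. NOP bytes and end-of-list padding must be skipped rather than counted as options, so that an attacker cannot hide an RR option behind padding; and an option whose length byte points past the header is a malformed packet that the policy drops outright instead of treating as option-free.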



