When a device receives an IP packet whose TTL is 1, it cannot forward the packet: it must discard it and answer with an ICMP Time Exceeded message, so the packet is sent to the CPU. Traceroute relies on this behaviour, sending probes with increasing TTL values (starting at 1) so that each hop on the path answers in turn. An attacker can abuse it by sending a large number of IP packets with TTL 1 to a network device. The device's CPU is then kept busy processing these packets and generating ICMP Time Exceeded replies to the sender, and CPU usage stays high. The following procedure shows how to find the IP address and MAC address of the device sending the TTL-expired packets, so that you can take action to stop the problem:
1. Clear statistics on the TTL Expired packets sent to the CPU.
[Huawei] reset cpu-defend statistics packet-type ttl-expired
2. Wait for one minute and view statistics about the TTL Expired packets sent to the CPU again.
[Quidway] display cpu-defend statistics packet-type ttl-expired
Statistics on slot 2:
--------------------------------------------------------------------------
Packet Type        Pass(Bytes)  Drop(Bytes)  Pass(Packets)  Drop(Packets)
--------------------------------------------------------------------------
ttl-expired        40800        35768        600            52600
--------------------------------------------------------------------------
3. Compare the Pass and Drop counters. If many TTL-expired packets are sent to the CPU or discarded, a TTL-expired packet attack is likely. In the output above, 600 packets reached the CPU and 52600 were dropped by CPU defense within one minute, roughly 890 packets per second in total, far more than traceroute from a few hosts would generate.
4. Configure auto-defend to identify the attack source. Create the policy in system view, then apply it to the device:
#
cpu-defend policy test
 auto-defend enable
 auto-defend threshold 30                       //A source sending more than 30 pps of the traced packet type is treated as an attack source.
 auto-defend trace-type source-mac source-ip    //Trace the attack source by source MAC address and by source IP address.
 auto-defend protocol ttl-expired               //Trace only TTL-expired packets.
#
cpu-defend-policy test
quit
cpu-defend-policy test global
#
Run the following command to view the attack sources that auto-defend has identified:
[Quidway] display auto-defend attack-source
Attack Source User Table (MPU):
-----------------------------------------------------------------------
MacAddress      InterfaceName          Vlan:Outer/Inner  TOTAL
-----------------------------------------------------------------------
0000-0000-0001  GigabitEthernet5/0/0   500               310
-----------------------------------------------------------------------
Total: 1
Attack Source IP Table (MPU):
-------------------------------------------------------
IPAddress        TOTAL Packets
-------------------------------------------------------
50.1.1.3         310
-------------------------------------------------------
Total: 1
Based on the IP address, MAC address, inbound interface and VLAN reported, take action against the attacking device, for example by shutting down the port it is connected to or disconnecting the host from the network. Two caveats before acting: the source IP address of attack packets may be spoofed, so the MAC address, interface and VLAN in the user table are the more reliable guide to where the traffic physically enters the network; and a host that legitimately runs many traceroutes (a monitoring system, for instance) also produces TTL-expired packets, so confirm that the source is not expected traffic before disconnecting it.
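When this procedure is repeated across many devices, the two command outputs are usually collected over SSH and parsed rather than read by hand. The following Python script is an added example, not code from the original page or from Huawei: it parses output in the shape of the two display commands above, derives the offered TTL-expired rate from the counters (using the one-minute window from step 2 and the 30 pps figure from the auto-defend threshold as a first aggregate screen), and extracts the attack sources with the interface and VLAN to contain them on. The sample output embedded in the script is constructed for the example and modelled on the outputs shown above; it was not captured from a real device.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output, modelled on the two display commands in the
# procedure above. It is not captured from a real device.
CPU_DEFEND_STATS = """\
Statistics on slot 2:
--------------------------------------------------------------------------
Packet Type        Pass(Bytes)  Drop(Bytes)  Pass(Packets)  Drop(Packets)
--------------------------------------------------------------------------
ttl-expired        40800        35768        600            52600
--------------------------------------------------------------------------
"""

ATTACK_SOURCE = """\
Attack Source User Table (MPU):
-----------------------------------------------------------------------
MacAddress      InterfaceName          Vlan:Outer/Inner  TOTAL
-----------------------------------------------------------------------
0000-0000-0001  GigabitEthernet5/0/0   500               310
-----------------------------------------------------------------------
Total: 1
Attack Source IP Table (MPU):
-------------------------------------------------------
IPAddress        TOTAL Packets
-------------------------------------------------------
50.1.1.3         310
-------------------------------------------------------
Total: 1
"""


@dataclass
class CpuDefendStats:
    slot: int
    packet_type: str
    pass_bytes: int
    drop_bytes: int
    pass_packets: int
    drop_packets: int


@dataclass
class AttackSource:
    kind: str               # "mac" (user table) or "ip" (IP table)
    address: str
    packets: int
    interface: str = ""     # only present in the user table
    vlan: str = ""          # only present in the user table


# One data row of "display cpu-defend statistics": a packet-type name followed by
# four counters. Header, separator and "Statistics on slot N:" lines do not match.
_STATS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
_SLOT_LINE = re.compile(r"^Statistics on slot (\d+):")
# Rows of the two auto-defend tables; Huawei prints MAC addresses as xxxx-xxxx-xxxx.
_MAC_ROW = re.compile(r"^([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_IP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$")


def parse_cpu_defend_stats(text: str) -> list[CpuDefendStats]:
    """Return one record per counter row, tagged with the slot it belongs to."""
    records, slot = [], None
    for line in text.splitlines():
        m = _SLOT_LINE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = _STATS_ROW.match(line)
        if m and slot is not None:
            records.append(CpuDefendStats(slot, m.group(1), *(int(v) for v in m.groups()[1:])))
    return records


def assess_ttl_expired(records, interval_s=60, pps_threshold=30):
    """Flag slots whose TTL-expired traffic exceeds what a few traceroutes produce.
    The counters were cleared interval_s seconds before the display command ran,
    so (pass + drop) / interval_s is the rate offered to the CPU; pps_threshold
    is applied to that aggregate as a coarse first screen (assumption)."""
    findings = []
    for r in records:
        if r.packet_type != "ttl-expired":
            continue
        total = r.pass_packets + r.drop_packets
        pps = total / interval_s
        findings.append({
            "slot": r.slot,
            "offered_pps": round(pps, 1),
            "drop_ratio": round(r.drop_packets / total, 3) if total else 0.0,
            "suspicious": pps > pps_threshold,
        })
    return findings


def parse_attack_sources(text: str) -> list[AttackSource]:
    """Parse both tables of "display auto-defend attack-source"."""
    sources = []
    for line in text.splitlines():
        m = _MAC_ROW.match(line)
        if m:
            mac, ifname, vlan, total = m.groups()
            sources.append(AttackSource("mac", mac, int(total), ifname, vlan))
            continue
        m = _IP_ROW.match(line)
        if m:
            sources.append(AttackSource("ip", m.group(1), int(m.group(2))))
    return sources


def containment_targets(sources):
    """(interface, VLAN) pairs carrying an identified attack source. The user table
    is used rather than the IP table because a source IP can be spoofed while the
    ingress port cannot."""
    return sorted({(s.interface, s.vlan) for s in sources if s.kind == "mac"})


if __name__ == "__main__":
    for finding in assess_ttl_expired(parse_cpu_defend_stats(CPU_DEFEND_STATS)):
        print(finding)
    srcs = parse_attack_sources(ATTACK_SOURCE)
    for s in srcs:
        print(s)
    print("contain on:", containment_targets(srcs))
```

The rate in assess_ttl_expired only holds if the statistics were reset exactly interval_s seconds before the display command, as steps 1 and 2 prescribe; pass interval_s explicitly when the collection script uses a different wait.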