
IPV6 attack

Created: Aug 25, 2020 16:20:39 | Latest reply: Sep 9, 2020 01:25:44
  Rewarded HiCoins: 0 (problem resolved)

Hi friends!

We are using NE20 as BRAS - BAS (PPPoE Server) (NE20E V800R011C10SPC100) Patch Version: V800R011SPH026. 

Today, checking the alarms, I saw the following alarm.

112  0xC150009  4  2020-08-06 13:49:42-03:00  Security cpu-defend drop packets alarmed. (ChassisID=1, SlotID=3, ObjectIndex=259, DiscardedPackets=30823, DiscardedThreshold=30000, ProtocolDescription=DHCPv6, Reason=The discarded rate for packets destined to CPU exceeded alarm threshold.)


After this, I increased the value of dhcpv6:

cpu-defend policy 1
car dhcpv6 cir 2048
slot 3
cpu-defend-policy 1

The alarm was cleared (the CPU usage increased from 32 to 40%).

Now I am checking the following command and I'm seeing something weird: a lot of messages about IPv6 attacks.


[~BRAS-Terra-slot-3]display attack-source-trace slot 3 brief
-----------------------------
Slot            : 3
Buffer Size     : 1048576 Bytes
Record Number   : 6000 Packets
Overwrite Flag  : Yes
-----------------------------
 No 1 Packet Info:
 Interface Name   : GigabitEthernet0/3/1
 PeVlanid : 0
 CeVlanid : 0
 Attack Type      : CAR
 Source IPv6      : 2620:XXX:XXX:XXX::8
 Dest IPv6        : 2804:XXXX:XXX:XXXX:XXX:XXX:XXX:C12E
 Source Port      : 443
 Dest Port        : 53723
 Next Header      : 6
 CAR Index        : 49
 Attack Pack Time : 2020-08-25 05:16-03:00
 Attack Trace Data:
60 00 00 00 05 b4 06 2e 26 20 01 49 01 49 10 11
00 00 00 00 00 00 00 08 28 04 2f ec 03 51 41 00
ec 42 7d d4 6b 24 c1 2e 01 bb d1 db e5 74 7d ad
53 b2 ac 77 80 10 00 ea a7 3f 00 00 01 01 08 0a
9b 7d 4f de 2c a9 28 7c 16 03 03 00 5f 02 00 00
5b 03 03 5f 45 38 fa ff a4 24 7f 57 8b fc a7 36


Is it normal? Do I need to increase another value in cpu-defend?


Thank you.



Featured Answers

Recommended answer

DDSN
Admin Created Aug 26, 2020 03:49:17

Hi gilberto_milhomem, 

The display attack-source-trace slot 3 brief command output shows that the IPv6 address 2620:XXX:XXX::8 sends a large number of attack packets. Check why the IP address is used to send attack packets. Check whether the IP address is an internal or external IP address and determine whether to disable the IP address.

I hope it helps!


gilberto_milhomem Created Aug 26, 2020 09:21:13
Hi

Checking the source IPv6 addresses, I could see that they are good source IPv6 addresses, like Microsoft and Amazon, and the destinations are our IPv6 addresses.
How can I adjust to solve this problem?

Thank you.  

All Answers

Hello. We are reviewing your question. We will answer you shortly. Thanks.

Hi

Checking the CAR index 49 reported in the output of the command display attack-source-trace slot 3 brief,
I could see that it is apparently related to IPV6 packet too big

[~BRAS-Terra-slot-3]dis cpu-defend car index 49 statistics
Slot : 3
Application switch : Open
Default Action : Min-to-cp
--------------------------------------------
IPV6 packet too big
Protocol switch: N/A
Packet information:
Passed packet(s) : 62382140
Dropped packet(s) : 8298177
Configuration information:
Configured CIR : 512 kbps Actual CIR in NP : 512 kbps
Configured CBS : 51200 bytes Actual CBS in NP : 51200 bytes
Priority : be
Min-packet-length : 128 bytes
CIR Configuration Type: Default
History information:
Last drop:
Start time: 2020-08-26 02:24
End time : 2020-08-26 02:24
Last drop rate(pps): 1
Total dropped packet(s): 143
Peak rate:
Time: 2020-08-26 02:24
Peak rate(pps): 79



Hi guys!

I added a config on cpu-defend
car index 49 cir 2048 cbs 400000
After this, apparently the messages about attacks stopped.
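
For triaging an "Attack Trace Data" dump like the one in the first post, the following added example (not from the thread or from Huawei) decodes the IPv6 and TCP headers and flags packets larger than an assumed PPPoE subscriber MTU of 1492 bytes, the case in which an IPv6 router must answer with ICMPv6 Packet Too Big. The sample bytes are constructed with documentation addresses, and `parse_trace` and `PPPOE_MTU` are names chosen here.

```python
import ipaddress
import struct

# Assumption: subscribers sit behind PPPoE, whose usual MTU is 1492 bytes.
PPPOE_MTU = 1492

# Constructed sample in the layout of "Attack Trace Data" (documentation
# addresses from 2001:db8::/32, not the values from the post).
SAMPLE_TRACE = """
60 00 00 00 05 b4 06 2e 20 01 0d b8 00 00 00 00
00 00 00 00 00 00 00 08 20 01 0d b8 00 01 00 00
00 00 00 00 00 00 c1 2e 01 bb d1 db 00 00 00 01
00 00 00 01 80 10 00 ea
"""

def parse_trace(hex_dump, mtu=PPPOE_MTU):
    """Decode the IPv6 (and TCP, if present) header of a trace record."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 40 or raw[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet or truncated header")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", raw[4:8])
    info = {
        "src": str(ipaddress.IPv6Address(raw[8:24])),
        "dst": str(ipaddress.IPv6Address(raw[24:40])),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "total_len": 40 + payload_len,  # fixed header + payload
    }
    # A transit packet larger than the egress MTU cannot be fragmented by
    # an IPv6 router; it must answer with ICMPv6 Packet Too Big instead.
    info["exceeds_mtu"] = info["total_len"] > mtu
    if next_header == 6 and len(raw) >= 54:  # TCP directly after IPv6
        sport, dport = struct.unpack("!HH", raw[40:44])
        flags = raw[53]  # TCP flags byte (offset 13 in the TCP header)
        info.update(sport=sport, dport=dport,
                    syn=bool(flags & 0x02), ack=bool(flags & 0x10))
    return info

if __name__ == "__main__":
    for key, value in parse_trace(SAMPLE_TRACE).items():
        print(f"{key:12}: {value}")
```

A record that decodes as an established-flow segment (ACK set, source port 443) with `exceeds_mtu` true points at full-size return traffic rather than a flood, which is useful context before deciding whether to raise a CAR rate or block a source.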

Clear and useful