Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
IPV6 attack

IPV6 attack

Created: Aug 25, 2020 16:20:39Latest reply: Sep 9, 2020 01:25:44 516 6 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi friends!

We are using NE20 as BRAS - BAS (PPPoE Server) (NE20E V800R011C10SPC100) Patch Version: V800R011SPH026. 

Today checking the alarms, i saw the following alarm.

112       0xC150009  4     2020-08-06 Security cpu-defend drop packets alarmed.

13:49:42-  (ChassisID=1, SlotID=3, ObjectIndex=259,

  03:00       DiscardedPackets=30823, DiscardedThreshold=30000, ProtocolDescription=DHCPv6, Reason=The discarded rate for packets destined to CPU exceeded alarm threshold.)


After this, a increase the value of dhcpv6 

cpu-defend policy 1

car dhcpv6 cir 2048

slot 3

cpu-defend-policy 1


The alarm was cleared ( the cpu-usage increase from 32 to 40 %).


Now I am checking the following command and i'm seeing something weird. A lot messages about attacks IPV6


[~BRAS-Terra-slot-3]display attack-source-trace slot 3 brief


-----------------------------

Slot            : 3

Buffer Size     : 1048576 Bytes

Record Number   : 6000 Packets

Overwrite Flag  : Yes

-----------------------------

 No 1 Packet Info:

 Interface Name   : GigabitEthernet0/3/1

 PeVlanid : 0

 CeVlanid : 0

 Attack Type      : CAR

 Source IPv6      : 2620:XXX:XXX:XXX::8

 Dest IPv6        : 2804:XXXX:XXX:XXXX:XXX:XXX:XXX:C12E

 Source Port      : 443

 Dest Port        : 53723

 Next Header      : 6

 CAR Index        : 49

 Attack Pack Time : 2020-08-25 05:16-03:00

 Attack Trace Data:

60 00 00 00 05 b4 06 2e 26 20 01 49 01 49 10 11

00 00 00 00 00 00 00 08 28 04 2f ec 03 51 41 00

ec 42 7d d4 6b 24 c1 2e 01 bb d1 db e5 74 7d ad

53 b2 ac 77 80 10 00 ea a7 3f 00 00 01 01 08 0a

9b 7d 4f de 2c a9 28 7c 16 03 03 00 5f 02 00 00

5b 03 03 5f 45 38 fa ff a4 24 7f 57 8b fc a7 36


Is it normal? I need to increase another value in Cpu-Defend?


Thank you.



NE20EPPPoEIPv6attackcpu-defend

Like (0) Dislike (0) Favorite(0) Share Report
Previous: S3300 software
Next: Send operation logs only to the Log Host
Featured Answers

Recommended answer

(0) (0)
DDSN
Admin Created Aug 26, 2020 03:49:17

Hi gilberto_milhomem, 

The display attack-source-trace slot 3 brief command output shows that the IPv6 address 2620:XXX:XXX::8 sends a large number of attack packets. Check why the IP address is used to send attack packets. Check whether the IP address is an internal or external IP address and determine whether to disable the IP address.

I hope it helps!

View more
  • x
  • convention:

gilberto_milhomem
gilberto_milhomem Created Aug 26, 2020 09:21:13 (0) (0)
Hi

Checking the source ipv6 address i could see that they are good sources ipv6 address like, Microsoft, Amazon and destination are our Ipv6 address.
How can i adjust to solve this problem?

Thank you.  
All Answers
(0) (0)
2#
Gustavo.HdezF
Gustavo.HdezF Admin Created Aug 25, 2020 16:57:23

Hello. we are reviewing your question. we will answer you shortly. thanks
View more
  • x
  • convention:
(0) (0)
3#
DDSN
DDSN Admin Created Aug 26, 2020 03:49:17

Hi gilberto_milhomem, 

The display attack-source-trace slot 3 brief command output shows that the IPv6 address 2620:XXX:XXX::8 sends a large number of attack packets. Check why the IP address is used to send attack packets. Check whether the IP address is an internal or external IP address and determine whether to disable the IP address.

I hope it helps!

View more
  • x
  • convention:

gilberto_milhomem
gilberto_milhomem Created Aug 26, 2020 09:21:13 (0) (0)
Hi

Checking the source ipv6 address i could see that they are good sources ipv6 address like, Microsoft, Amazon and destination are our Ipv6 address.
How can i adjust to solve this problem?

Thank you.  
(0) (0)
4#
gilberto_milhomem
gilberto_milhomem Created Aug 26, 2020 13:34:05

Hi

Checking the Car index 49 informed on output command: display attack-source-trace slot 3 brief ,
i could see that apparentely is related with IPV6 packet too big

[~BRAS-Terra-slot-3]dis cpu-defend car index 49 statistics
Slot : 3
Application switch : Open
Default Action : Min-to-cp
--------------------------------------------
IPV6 packet too big
Protocol switch: N/A
Packet information:
Passed packet(s) : 62382140
Dropped packet(s) : 8298177
Configuration information:
Configured CIR : 512 kbps Actual CIR in NP : 512 kbps
Configured CBS : 51200 bytes Actual CBS in NP : 51200 bytes
Priority : be
Min-packet-length : 128 bytes
CIR Configuration Type: Default
History information:
Last drop:
Start time: 2020-08-26 02:24
End time : 2020-08-26 02:24
Last drop rate(pps): 1
Total dropped packet(s): 143
Peak rate:
Time: 2020-08-26 02:24
Peak rate(pps): 79


View more
  • x
  • convention:
(0) (0)
5#
gilberto_milhomem
gilberto_milhomem Created Aug 27, 2020 22:49:03

Hi guys!

I added a config on cpu-defend
car index 49 cir 2048 cbs 400000
After this, apparentely the messages about attacks stopped.
View more
  • x
  • convention:
(2) (0)
6#
victorDa
victorDa Created Sep 9, 2020 01:25:44

Clear and useful
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.