
MPLS Security (LDP)

Latest reply: Jul 2, 2021 05:27:03

Attack Behavior

An attacker can easily tamper with information during a Label Distribution Protocol (LDP) session, simulate real LDP packets, and keep sending those packets to a switch. As a result, the switch is kept busy processing the attack packets and its CPU usage rises.

Security Policy

To defend against the preceding attack, configure the following security policies on a switch:

  • LDP MD5 authentication

    LDP MD5 authentication generates a unique digest for each information segment to prevent LDP packets from being tampered with. LDP MD5 authentication is stricter than the TCP checksum, which anyone can recompute.

    The MD5 algorithm is easy to configure and generates a single password that can only be changed manually. MD5 authentication applies to networks that need protection for only a short period.

    MD5 is no longer considered a secure algorithm. Keychain authentication is recommended for networks that require high security.

  • LDP keychain authentication

    The keychain algorithm is complex to configure and generates a set of passwords. Keychain authentication allows passwords to be changed automatically based on configurations. Therefore, keychain authentication is applicable to networks requiring high security.

    Keychain authentication and MD5 authentication cannot be both configured on a single LDP peer.

  • LDP GTSM

    GTSM determines whether a packet is valid by checking its TTL value. This protects switches against attacks. LDP peers are configured with GTSM and a valid TTL value range to check the TTL values in the LDP packets exchanged between them. If the TTL value of an LDP packet is outside the range, the packet is considered invalid and discarded. This prevents the CPU from processing a large number of forged LDP packets and protects upper-layer protocols.
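The following Python is an added example, not code from Huawei or from the post's author, that shows what the LDP MD5 and keychain authentication described above actually cover. It computes the RFC 2385 TCP MD5 signature over a constructed LDP segment (pseudo-header, fixed TCP header with the checksum zeroed, payload, then the shared key), verifies it, and shows that a tampered payload or a wrong key fails verification. The keychain part is an assumption: the page does not give Huawei's on-wire keychain format, so the example models an absolute-mode keychain as time-windowed key-ids and uses an HMAC with the configured algorithm over the same material. The addresses, timestamps and payload bytes are constructed; the key-string is the one from the configuration below.

```python
"""Added example (not Huawei or forum-author code): what LDP MD5 and
keychain authentication cover, and how a receiver verifies a segment."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

LDP_PORT = 646  # LDP sessions run over TCP port 646


def signed_material(src_ip: str, dst_ip: str, tcp_header: bytes, data: bytes) -> bytes:
    """Bytes covered by the RFC 2385 digest: IPv4 pseudo-header (src, dst,
    zero, protocol 6, segment length), the fixed 20-byte TCP header with the
    checksum field zeroed (options excluded), then the payload."""
    seg_len = len(tcp_header) + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))
    hdr = bytearray(tcp_header[:20])
    hdr[16:18] = b"\x00\x00"
    return pseudo + bytes(hdr) + data


def tcp_md5_digest(src_ip, dst_ip, tcp_header, data, key: bytes) -> bytes:
    """TCP MD5 signature option value (RFC 2385): MD5(material || key).
    Unlike the TCP checksum, it cannot be recomputed without the key."""
    return hashlib.md5(signed_material(src_ip, dst_ip, tcp_header, data) + key).digest()


def verify_tcp_md5(src_ip, dst_ip, tcp_header, data, key, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, data, key)
    return hmac.compare_digest(expected, received)


@dataclass(frozen=True)
class KeychainKey:
    key_id: int
    algorithm: str          # "md5" or "sha-256", as accepted by the CLI below
    key_string: bytes
    valid_from: datetime    # absolute-mode window (assumed representation)
    valid_to: datetime


_HASHES = {"md5": hashlib.md5, "sha-256": hashlib.sha256}


def active_key(keychain: List[KeychainKey], at: datetime) -> Optional[KeychainKey]:
    """Absolute mode: the key whose time window contains `at`. Rotation is
    automatic because both peers select the key by clock, not by hand."""
    for key in keychain:
        if key.valid_from <= at < key.valid_to:
            return key
    return None


def keychain_digest(key: KeychainKey, src_ip, dst_ip, tcp_header, data) -> bytes:
    """Assumed keychain digest: HMAC with the key's algorithm over the same
    material RFC 2385 hashes (the page does not give Huawei's wire format)."""
    material = signed_material(src_ip, dst_ip, tcp_header, data)
    return hmac.new(key.key_string, material, _HASHES[key.algorithm]).digest()


def demo() -> dict:
    """Constructed LDP segment 2.2.2.2 -> 1.1.1.1 with the key-string from the CLI."""
    hdr = struct.pack("!HHIIBBHHH", LDP_PORT, LDP_PORT, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK, checksum 0
    payload = b"\x00\x01\x00\x1c" + b"constructed LDP PDU body"  # version-1 PDU header + body
    key = b"abcDEF-13579"
    sig = tcp_md5_digest("2.2.2.2", "1.1.1.1", hdr, payload, key)
    tampered = payload[:-1] + b"X"

    utc = timezone.utc
    kc1 = [  # constructed absolute-mode keychain: key-id 1 on Jul 1, key-id 2 on Jul 2
        KeychainKey(1, "sha-256", key,
                    datetime(2021, 7, 1, tzinfo=utc), datetime(2021, 7, 2, tzinfo=utc)),
        KeychainKey(2, "sha-256", b"constructed-key-2",
                    datetime(2021, 7, 2, tzinfo=utc), datetime(2021, 7, 3, tzinfo=utc)),
    ]
    t_before = datetime(2021, 7, 1, 12, tzinfo=utc)
    t_after = datetime(2021, 7, 2, 12, tzinfo=utc)
    k_send = active_key(kc1, t_after)   # sender picks key-id 2 after rollover
    k_recv = active_key(kc1, t_after)   # receiver with the same clock picks the same key
    kc_sig = keychain_digest(k_send, "2.2.2.2", "1.1.1.1", hdr, payload)
    return {
        "md5_genuine_ok": verify_tcp_md5("2.2.2.2", "1.1.1.1", hdr, payload, key, sig),
        "md5_tampered_ok": verify_tcp_md5("2.2.2.2", "1.1.1.1", hdr, tampered, key, sig),
        "md5_wrong_key_ok": verify_tcp_md5("2.2.2.2", "1.1.1.1", hdr, payload, b"guess", sig),
        "key_id_before": active_key(kc1, t_before).key_id,
        "key_id_after": k_send.key_id,
        "keychain_ok": hmac.compare_digest(
            kc_sig, keychain_digest(k_recv, "2.2.2.2", "1.1.1.1", hdr, payload)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `active_key` lookup is why the two peers must keep their clocks aligned: if one side is still inside key-id 1's window while the other has rolled to key-id 2, every segment fails verification and the session drops, which is the operational cost of the automatic rotation the text describes.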

Configuration Method

  • Configure LDP keychain authentication.

    Configure LDP keychain authentication for a peer with the Label Switching Router (LSR) ID of 2.2.2.2 and the referenced keychain name of kc1.

    <HUAWEI> system-view
    [HUAWEI] keychain kc1 mode absolute
    [HUAWEI-keychain-kc1] key-id 1
    [HUAWEI-keychain-kc1-keyid-1] algorithm sha-256
    [HUAWEI-keychain-kc1-keyid-1] key-string abcDEF-13579
    [HUAWEI-keychain-kc1-keyid-1] quit
    [HUAWEI-keychain-kc1] quit
    [HUAWEI] mpls lsr-id 2.2.2.2
    [HUAWEI] mpls
    [HUAWEI-mpls] quit
    [HUAWEI] mpls ldp
    [HUAWEI-mpls-ldp] authentication key-chain peer 2.2.2.2 name kc1

    Configuring LDP keychain authentication causes the LDP session to be re-established and deletes the Label Switched Paths (LSPs) associated with that session.

  • Configure LDP GTSM.

    On the LSR, set the valid TTL value range to 254-255 for LDP packets from the peer with the transport address of 1.1.1.1.

    <HUAWEI> system-view
    [HUAWEI] mpls lsr-id 1.1.1.1
    [HUAWEI] mpls
    [HUAWEI-mpls] quit
    [HUAWEI] mpls ldp
    [HUAWEI-mpls-ldp] gtsm peer 1.1.1.1 valid-ttl-hops 2

    If hops is set to the maximum number of valid hops permitted by GTSM, a packet from the LDP peer is accepted only when the TTL value it carries lies within the range [255-hops+1, 255]; otherwise the packet is discarded. With valid-ttl-hops set to 2 as above, the accepted range is [254, 255].
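The Python below is an added example, not Huawei's code or the post's own, that runs the per-peer GTSM TTL check described above over a constructed set of packets. It uses the peer and valid-ttl-hops value from the configuration above and counts discards per peer so the result can be monitored; the handling of peers that have no GTSM entry (left unchecked) is an assumption, since the page only describes configured peers.

```python
"""Added example (not Huawei or forum-author code): the per-peer TTL check
that LDP GTSM applies, run over constructed packets."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_TTL = 255


@dataclass(frozen=True)
class GtsmPeer:
    transport_address: str
    valid_ttl_hops: int      # the `gtsm peer <addr> valid-ttl-hops <hops>` value


def valid_ttl_range(hops: int) -> Tuple[int, int]:
    """Accepted TTLs for valid-ttl-hops = hops: [255 - hops + 1, 255].
    hops = 2 gives (254, 255), the range used in the configuration above."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("valid-ttl-hops must be between 1 and 255")
    return (MAX_TTL - hops + 1, MAX_TTL)


def gtsm_accepts(peers: Dict[str, GtsmPeer], src_ip: str, ttl: int) -> bool:
    """True if the packet passes the GTSM check. A source with no GTSM entry
    is not checked here (assumption: only configured peers are filtered)."""
    peer = peers.get(src_ip)
    if peer is None:
        return True
    low, high = valid_ttl_range(peer.valid_ttl_hops)
    return low <= ttl <= high


def filter_packets(peers: Dict[str, GtsmPeer], packets: List[Tuple[str, int]]):
    """Split (src_ip, ttl) packets into accepted and discarded lists and count
    discards per peer; a rising counter is the signal worth alerting on."""
    accepted, discarded, drops_per_peer = [], [], {}
    for src_ip, ttl in packets:
        if gtsm_accepts(peers, src_ip, ttl):
            accepted.append((src_ip, ttl))
        else:
            discarded.append((src_ip, ttl))
            drops_per_peer[src_ip] = drops_per_peer.get(src_ip, 0) + 1
    return accepted, discarded, drops_per_peer


PEERS = {"1.1.1.1": GtsmPeer("1.1.1.1", 2)}   # from the CLI above

# Constructed sample. A genuine neighbour sends with TTL 255, so the packet
# arrives at 255 on a direct link or 254 after one hop. A packet that crossed
# more routers arrives with a lower TTL, and no sender can start above 255,
# which is the property the check relies on.
SAMPLE_PACKETS = [
    ("1.1.1.1", 255),
    ("1.1.1.1", 254),
    ("1.1.1.1", 253),   # one hop too far: discarded
    ("1.1.1.1", 64),    # typical default TTL of a distant host: discarded
    ("3.3.3.3", 64),    # no GTSM entry for this source: not checked
]


def run_sample():
    return filter_packets(PEERS, SAMPLE_PACKETS)


if __name__ == "__main__":
    acc, disc, drops = run_sample()
    print("accepted:", acc)
    print("discarded:", disc)
    print("drops per peer:", drops)
```

Because the check is done before the packet reaches the LDP process, the discarded packets never consume the CPU time the attack in the first section aims to exhaust; the per-peer drop counter is the number to watch for a sustained flood.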


Thanks for sharing knowledge with us.

Good share

Happy to read
