Hello guys,

The CPU usage goes very high some times and when trying to find the guilty parts you could get dumb with surprise that our old ARP friend might be the reason of it. Address Resolution Protocol (ARP) is easy to use but has no security mechanisms and because of this attackers often use ARP to attack network devices

So, what to do when the output of the display cpu-usage command shows you a high value and you get a lot of logs that tells you ARP is the prime suspect of the case.

To confirm our fear and check the statistics on ARP-request packets sent to the CPU with the display cpu-defend statistics command .

If the results are out of charts you should take some measures and the first one should be:

1.     1.  Reduce the number of packets that are sent to the CPU

You can do this by limiting the rate of ARP packets with CPU attack defense configuration. You can run the display cpu-defend configuration command to view the rate limit of ARP-request packets sent to the CPU. By default, the rate limit of ARP-request packets in the default policy is displayed:

<Huawei> display cpu-defend configuration sru

Rate configurations on main board.                                             

-----------------------------------------------------------------              

Packet-type              Status        Rate-limit(PPS)  Priority               

arp-miss                  Enabled            64             2                  

arp-reply                 Enabled           128             2                  

arp-request               Enabled           128             2        

After  you check the rate-limit of the packets you can reduce the value. In this way you limit the packets sent to the CPU.

Configuration procedure:

cpu-defend policy arp_policy // create a cpu policy in system view

  packet-type arp-request rate-limit 64  // limit the arp-request rate

cpu-defend-policy arp_policy  global  // apply policy in system view

2.    2.  Find out the source

To find out the source of the arp request messages you could configure attack source tracing. After you discover the source of the arp packets you can decide what kind of measures you can take against it

Configuration procedure:

cpu-defend policy discover_attack // create cpu-defend policy

  auto-defend enable // enable automatic attack source tracing

  auto-defend threshold threshold-value // the threshold value might be big

  auto-defend trace-type { source-ip | source-mac |  source-portvlan } *

  auto-defend protocol arp // trace the source of ARP packets

  auto-defend alarm enable // the device generates alarms when are too many                                    packets

cpu-defend-policy policy-name global // apply policy in system view

3.    3.  Enable ARP strict learning 

To avoid problems generated by the big number of received ARP packets, configure the strict ARP learning function on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks. 

arp learning strict

There are more measures you can take against high CPU usage caused by ARP but the ones presented here could be of help until you find out the source or cause of the problem.