Hello guys,
CPU usage sometimes spikes, and when you go looking for the culprit you may be surprised to find that our old friend ARP is the cause. Address Resolution Protocol (ARP) is simple to use but has no security mechanisms of its own, so attackers often abuse ARP to attack network devices.
So, what do you do when the output of the display cpu-usage command shows a high value and you get a lot of logs telling you that ARP is the prime suspect?
To confirm the suspicion, check the statistics on ARP-request packets sent to the CPU with the display cpu-defend statistics command.
If the counters are off the charts, you should take some measures, and the first one should be:
1. Reduce the number of packets that are sent to the CPU
You can do this by limiting the rate of ARP packets with the CPU attack defense configuration. Run the display cpu-defend configuration command to view the current rate limit of ARP packets sent to the CPU. Here the rate limits of the default policy are displayed:
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type                    Status    Rate-limit(PPS)   Priority
arp-miss                       Enabled   64                2
arp-reply                      Enabled   128               2
arp-request                    Enabled   128               2
Once you know the current rate limit, you can lower it so that fewer ARP packets reach the CPU. Keep in mind that packets above the limit are dropped, so a value that is too low also slows down legitimate ARP resolution; lower it step by step and watch the display cpu-defend statistics counters.
Configuration procedure:
cpu-defend policy arp_policy // create a cpu policy in system view
packet-type arp-request rate-limit 64 // limit the arp-request rate
cpu-defend-policy arp_policy global // apply policy in system view
2. Find out the source
To find out where the ARP Request packets come from, configure attack source tracing. Once you know the source of the ARP packets, you can decide what measures to take against it.
Configuration procedure:
cpu-defend policy discover_attack // create cpu-defend policy
auto-defend enable // enable automatic attack source tracing
auto-defend threshold threshold-value // packets per second from one source above which that source is treated as an attack source; pick a value well above the normal ARP rate of a single host
auto-defend trace-type { source-ip | source-mac | source-portvlan } *
auto-defend protocol arp // trace the source of ARP packets
auto-defend alarm enable // the device generates an alarm when a source exceeds the threshold
cpu-defend-policy discover_attack global // apply the policy in system view
3. Enable ARP strict learning
To limit the damage done by a large number of received ARP packets, configure strict ARP learning on the gateway. With this function the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself; unsolicited ARP packets from other hosts, gratuitous ARP included, no longer create or update entries. This defends against most ARP attacks, so check beforehand that nothing on the segment relies on gratuitous ARP to update the gateway's table.
arp learning strict // system view
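The three steps above can be tied together: read the current rate limits from the display cpu-defend configuration output, find the ARP packet types that still let too many packets reach the CPU, and generate the matching policy, source-tracing and strict-learning commands. The following Python script is an added example and is not part of the original post or of any Huawei tool. It assumes the table layout shown above, that one cpu-defend policy may carry both packet-type rate-limit lines and auto-defend lines, and that the commands are entered from system view; the policy name arp_policy and the sample output are constructed for the example.

```python
"""Added example (not from the original post): parse the output of
`display cpu-defend configuration` as shown above, find the ARP packet
types whose CPU rate limit is above a chosen ceiling, and emit the
cpu-defend policy, attack source tracing and strict ARP learning
commands from steps 1-3 as one configuration snippet.

Assumptions (not verified against any specific device model):
  - the table layout matches the sample in the post;
  - a single cpu-defend policy may carry both packet-type rate-limit
    lines and auto-defend lines;
  - commands are entered from system view.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the display output shown in the post.
SAMPLE_OUTPUT = """\
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type                    Status    Rate-limit(PPS)   Priority
arp-miss                       Enabled   64                2
arp-reply                      Enabled   128               2
arp-request                    Enabled   128               2
"""

# One table row: packet type, Enabled/Disabled, rate in pps, priority.
# Header and separator lines start with an uppercase letter or a dash and do not match.
ROW_RE = re.compile(
    r"^\s*(?P<ptype>[a-z][a-z0-9-]*)\s+(?P<status>Enabled|Disabled)"
    r"\s+(?P<rate>\d+)\s+(?P<prio>\d+)\s*$"
)


@dataclass
class RateEntry:
    packet_type: str
    enabled: bool
    rate_pps: int
    priority: int


def parse_cpu_defend_configuration(text: str) -> list:
    """Return one RateEntry per table row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(RateEntry(m["ptype"], m["status"] == "Enabled",
                                     int(m["rate"]), int(m["prio"])))
    return entries


def arp_types_above(entries: list, ceiling_pps: int) -> list:
    """ARP packet types whose current limit lets more than ceiling_pps reach the CPU."""
    return [e.packet_type for e in entries
            if e.packet_type.startswith("arp-") and e.rate_pps > ceiling_pps]


def build_arp_defense_config(entries: list, policy_name: str, ceiling_pps: int,
                             trace_threshold_pps: int) -> str:
    """Build the commands for steps 1-3 as one snippet (policy_name is hypothetical)."""
    lines = ["system-view", f"cpu-defend policy {policy_name}"]
    # Step 1: lower the CPU rate limit only for the ARP types above the ceiling.
    for ptype in arp_types_above(entries, ceiling_pps):
        lines.append(f" packet-type {ptype} rate-limit {ceiling_pps}")
    # Step 2: trace ARP attack sources by MAC and port/VLAN, alarm above the threshold.
    lines += [
        " auto-defend enable",
        f" auto-defend threshold {trace_threshold_pps}",
        " auto-defend trace-type source-mac source-portvlan",
        " auto-defend protocol arp",
        " auto-defend alarm enable",
        " quit",
        f"cpu-defend-policy {policy_name} global",
        # Step 3: strict ARP learning on the gateway.
        "arp learning strict",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_cpu_defend_configuration(SAMPLE_OUTPUT)
    print(build_arp_defense_config(parsed, "arp_policy", 64, 100))
```

With the sample output and a ceiling of 64 pps, only arp-reply and arp-request get a new rate-limit line, because arp-miss is already at 64; paste the printed commands into the CLI after reviewing them, and watch the display cpu-defend statistics counters afterwards to confirm that fewer ARP packets reach the CPU.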
There are more measures you can take against high CPU usage caused by ARP, but the ones presented here should help until you find the source or cause of the problem.