The first instinct in troubleshooting high ARP CPU usage on a router

Latest reply: Jul 1, 2014 03:24:13

Hello guys,


CPU usage sometimes goes very high, and when you try to find the guilty party you may be surprised to learn that our old friend ARP is the reason. Address Resolution Protocol (ARP) is easy to use but has no security mechanisms at all: nothing authenticates who sent a request or a reply, and any host on the segment can flood the gateway with them. Because of this, attackers often use ARP to attack network devices.


So, what do you do when the output of the display cpu-usage command shows a high value and you get a lot of logs telling you that ARP is the prime suspect?


To confirm the suspicion, check the statistics on ARP-request packets sent to the CPU with the display cpu-defend statistics command.


If the numbers are off the charts, you should take some measures, and the first one should be:


1.  Reduce the number of packets that are sent to the CPU


You can do this by limiting the rate of ARP packets with the CPU attack defense configuration. Run the display cpu-defend configuration command to view the rate limit of ARP-request packets sent to the CPU. With no custom policy applied, the rate limits of the default policy are displayed:


<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type              Status        Rate-limit(PPS)  Priority
arp-miss                  Enabled            64             2
arp-reply                 Enabled           128             2
arp-request               Enabled           128             2

After you check the rate limit of the packets, you can reduce the value. In this way you limit the packets sent to the CPU. Keep in mind that ARP requests above the limit are dropped, so a value that is too low also hurts legitimate hosts trying to resolve the gateway; lower it in steps and watch the cpu-defend statistics.


Configuration procedure:


cpu-defend policy arp_policy  // create a cpu-defend policy in system view

  packet-type arp-request rate-limit 64  // limit the arp-request rate

cpu-defend-policy arp_policy global  // apply the policy in system view


2.  Find out the source


To find out the source of the ARP request messages, configure attack source tracing. Once you know the source of the ARP packets, you can decide what measures to take against it (for example, shutting down or rate-limiting the offending port).


Configuration procedure:



cpu-defend policy discover_attack  // create a cpu-defend policy

  auto-defend enable  // enable automatic attack source tracing

  auto-defend threshold threshold-value  // packets per second from one source before it is treated as an attack; start high to avoid false alarms

  auto-defend trace-type { source-ip | source-mac | source-portvlan } *  // identify the source by IP, MAC and/or port+VLAN

  auto-defend protocol arp  // trace the source of ARP packets

  auto-defend alarm enable  // the device generates an alarm when too many packets arrive from one source

cpu-defend-policy discover_attack global  // apply the policy in system view


3.  Enable ARP strict learning


To avoid problems generated by the large number of received ARP packets, configure the strict ARP learning function on the gateway. With this function the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself; unsolicited replies do not create or overwrite entries. In this way, the device can defend against most ARP attacks.


arp learning strict


There are more measures you can take against high CPU usage caused by ARP, but the ones presented here should help until you find the source or cause of the problem.
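The three steps above can be driven from the output of display cpu-defend configuration. The following script is an added example and not part of the original post or of Huawei's software: it parses the table shown above (embedded here as a constructed sample), finds the ARP packet types whose rate limit is above a cap you choose, and renders steps 1 to 3 as a single cpu-defend policy using the command syntax from the post. The policy name arp_policy, the 64 pps cap, the 60 pps auto-defend threshold and the trace types are assumptions chosen for illustration.

```python
"""Added example (not from the original post): turn the table printed by
'display cpu-defend configuration' into one tightened cpu-defend policy.
Command syntax follows the post; policy name, caps and threshold are
illustrative assumptions."""
import re
from typing import Dict, Iterable, List

# Constructed sample: the table from the post, as the device prints it.
SAMPLE_OUTPUT = """\
<Huawei> display cpu-defend configuration sru
Rate configurations on main board.
-----------------------------------------------------------------
Packet-type              Status        Rate-limit(PPS)  Priority
arp-miss                  Enabled            64             2
arp-reply                 Enabled           128             2
arp-request               Enabled           128             2
"""

# One table row: packet type, Enabled/Disabled, rate limit in pps, priority.
ROW = re.compile(
    r"^(?P<ptype>[a-z0-9-]+)\s+(?P<status>Enabled|Disabled)\s+"
    r"(?P<rate>\d+)\s+(?P<prio>\d+)\s*$"
)


def parse_cpu_defend_configuration(text: str) -> Dict[str, dict]:
    """Return {packet-type: {"status", "rate_limit", "priority"}} for every
    table row; the prompt, headers and separator line are skipped."""
    rows: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["ptype"]] = {
                "status": m["status"],
                "rate_limit": int(m["rate"]),
                "priority": int(m["prio"]),
            }
    return rows


def plan_rate_limits(rows: Dict[str, dict], caps: Dict[str, int]) -> Dict[str, int]:
    """Packet types whose configured limit is above the cap, with the new value.
    Limits are only ever lowered: a cap above the current limit changes nothing,
    and a cap of 0 is rejected because it would drop all ARP to the CPU."""
    plan: Dict[str, int] = {}
    for ptype, cap in caps.items():
        if cap <= 0:
            raise ValueError(f"cap for {ptype} must be a positive pps value")
        row = rows.get(ptype)
        if row is not None and row["rate_limit"] > cap:
            plan[ptype] = cap
    return plan


def render_policy(name: str, new_limits: Dict[str, int], threshold: int,
                  trace_types: Iterable[str] = ("source-mac", "source-portvlan")) -> List[str]:
    """CLI lines for steps 1-3 of the post as one policy, entered in system view.
    'quit' leaves the policy view before the policy is applied globally."""
    lines = [f"cpu-defend policy {name}"]
    for ptype, limit in sorted(new_limits.items()):
        lines.append(f" packet-type {ptype} rate-limit {limit}")
    lines += [
        " auto-defend enable",
        f" auto-defend threshold {threshold}",
        f" auto-defend trace-type {' '.join(trace_types)}",
        " auto-defend protocol arp",
        " auto-defend alarm enable",
        " quit",
        f"cpu-defend-policy {name} global",
        "arp learning strict",
    ]
    return lines


def build_arp_defense(output: str = SAMPLE_OUTPUT, cap_pps: int = 64,
                      threshold: int = 60, name: str = "arp_policy") -> List[str]:
    """Whole pipeline: parse the table, decide what to lower, render the config."""
    rows = parse_cpu_defend_configuration(output)
    caps = {"arp-request": cap_pps, "arp-reply": cap_pps, "arp-miss": cap_pps}
    return render_policy(name, plan_rate_limits(rows, caps), threshold)


if __name__ == "__main__":
    print("\n".join(build_arp_defense()))
```

Paste the real display output in place of the sample and review the generated lines before applying them; with the sample table only arp-request and arp-reply are lowered to 64 pps, since arp-miss already sits at the cap.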


Sophoni
Created Jul 1, 2014 03:24:13 Helpful(0)

thanks