Checking Whether Rate Limiting Is Configured for Attack Source

Procedure

  1. If the number of dropped ARP packets keeps increasing and the CPU usage of the switch is high, find out the attack source and eliminate the attack.

    If the source IP or MAC address of the attack source can be determined from the log (run the display logbuffer command), eliminate the attack source directly.

    For example:
    Aug  1 2014 18:09:48+08:00 HUAWEI %%01SECE/4/ARPMISS(l)[0]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, SourceIP=10.0.0.250, AttackPackets=19 packets per second)
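The following is an added example, not code from the original page or from Huawei, that parses SECE/4/ARPMISS lines in the display logbuffer output in the format shown above, keeps the peak reported rate per source IP and interface, and prints the arp-miss speed-limit command used later in this procedure for every source at or above a threshold. The sample log lines other than the one above are constructed, and the function names and the 10 pps threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the SECE/4/ARPMISS log format shown on this page: timestamp, host
# name and the "(l)[0]" tag, then a parenthesised key=value list.
ARPMISS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) %%01SECE/4/ARPMISS\(l\)\[\d+\]:Attack occurred\."
    r"\((?P<kv>[^)]*)\)\s*$"
)

def parse_arpmiss(line):
    """Return a dict for an ARPMISS line, or None for any other log line."""
    m = ARPMISS_RE.match(line)
    if m is None:
        return None
    fields = {}
    for item in m.group("kv").split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value
    # "19 packets per second" -> 19
    pps = int(fields["AttackPackets"].split()[0])
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "attack_type": fields.get("AttackType"),
        "interface": fields.get("SourceInterface"),
        "source_ip": fields.get("SourceIP"),
        "pps": pps,
    }

def summarize(lines, threshold_pps):
    """Peak ARP Miss rate per (source IP, interface), keeping only sources
    whose peak reached threshold_pps, highest first."""
    peak = defaultdict(int)
    for line in lines:
        rec = parse_arpmiss(line)
        if rec is None:
            continue  # unrelated log line
        key = (rec["source_ip"], rec["interface"])
        peak[key] = max(peak[key], rec["pps"])
    hits = [(ip, intf, pps) for (ip, intf), pps in peak.items() if pps >= threshold_pps]
    return sorted(hits, key=lambda r: r[2], reverse=True)

def arpmiss_limit_commands(summary, maximum_pps):
    """The arp-miss speed-limit source-ip command from this page, one per source."""
    cmds = ["system-view"]
    for ip, _intf, _pps in summary:
        cmds.append(f"arp-miss speed-limit source-ip {ip} maximum {maximum_pps}")
    return cmds

# Constructed sample: the line from this page followed by three made-up lines.
SAMPLE_LOG = [
    "Aug  1 2014 18:09:48+08:00 HUAWEI %%01SECE/4/ARPMISS(l)[0]:Attack occurred."
    "(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, "
    "SourceIP=10.0.0.250, AttackPackets=19 packets per second)",
    "Aug  1 2014 18:09:49+08:00 HUAWEI %%01SECE/4/ARPMISS(l)[0]:Attack occurred."
    "(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, "
    "SourceIP=10.0.0.250, AttackPackets=57 packets per second)",
    "Aug  1 2014 18:09:49+08:00 HUAWEI %%01SECE/4/ARPMISS(l)[0]:Attack occurred."
    "(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/2, "
    "SourceIP=10.0.0.13, AttackPackets=4 packets per second)",
    # constructed placeholder for an unrelated message; not a real VRP log ID
    "Aug  1 2014 18:09:50+08:00 HUAWEI %%01EXAMPLE/6/OTHER(l)[1]:Unrelated line.",
]

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG, threshold_pps=10)
    for ip, intf, pps in hits:
        print(f"{ip} on {intf}: peak {pps} pps")
    print("\n".join(arpmiss_limit_commands(hits, maximum_pps=100)))
```

Feed the script the saved output of display logbuffer; sources that never reach the threshold are dropped, so a single low-rate entry does not trigger a rate limit.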

    Check which type of ARP packets has a drop count that keeps increasing, and handle it as follows.

    1. The number of ARP Miss messages sharply increases.

      1. Increase the aging time of temporary ARP entries.
        <HUAWEI> system-view 
        [HUAWEI] interface GigabitEthernet 0/0/1 
        [HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 30
        
        NOTE:

        When your switch undergoes an attack, increase the aging time of temporary ARP entries to reduce the frequency of ARP Miss messages. This can reduce the impact on the switch.

        Before a temporary ARP entry ages out, the switch discards IP packets that match it instead of generating further ARP Miss messages. If the switch receives an ARP reply for that IP address before the temporary entry ages out, it replaces the temporary entry with the correct ARP entry.

      2. Find out the attack source and handle it.

        Run the display arp all command on the switch to check ARP entries. If the MAC address field of an entry is displayed as Incomplete, note the IP address and interface of that entry, and then analyze packets captured on this interface. Find out the source IP addresses that send traffic to the IP address in the Incomplete entry.

        After determining the attack source, configure a blackhole MAC entry or blacklist to discard the packets from the attack source, or limit the rate of ARP packets from the attack source.

        Method 1: Configure a blackhole MAC entry to discard the packets sent from the attack source.
        <HUAWEI> system-view 
        [HUAWEI] mac-address blackhole 0000-0000-0023 
        
        Method 2: Limit the rate of ARP packets sent from the attack source.
        1. Check the configuration of ARP Miss rate limiting based on source IP address.
          <HUAWEI> display arp anti-attack configuration arpmiss-speed-limit  
           ARP miss speed-limit for source-IP configuration: 
           IP-address          suppress-rate(pps)(rate=0 means function disabled) 
          ------------------------------------------------------------------------------- 
           All                 500    //The switch can process a maximum of 500 ARP Miss messages per second triggered by one source IP address.
          ------------------------------------------------------------------------------- 
           0 specified IP addresses are configured, spec is 256 items.
          
        2. Configure ARP Miss rate limiting based on source IP address.
          <HUAWEI> system-view  
          [HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100 //The switch can process a maximum of 100 ARP Miss messages per second triggered by IP address 10.0.0.1.
          

    2. The number of ARP request and reply packets sharply increases.

      1. Find out the attack source.

        Use either of the following methods:

        Method 1: Configure attack source tracing to find out the attack source.

        If an attack defense policy other than the default policy has already been applied to the switch, the switch reports an alarm when you apply a new policy. In that case, run the display cpu-defend policy command to view the name of the current policy, enter the view of that policy, and configure attack source tracing there. Alternatively, run the undo cpu-defend-policy global command to remove the current policy and then apply the new one.
        <HUAWEI> system-view  
        [HUAWEI] cpu-defend policy test //Create a policy named test.
        [HUAWEI-cpu-defend-policy-test] auto-defend enable //Enable attack source tracing.
        [HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 5  //Set the sampling rate of attack source tracing to 5.
        [HUAWEI-cpu-defend-policy-test] auto-defend threshold 30  //The switch considers that an attack occurs when the rate of ARP packets sent by one IP address reaches 30 pps.
        [HUAWEI-cpu-defend-policy-test] auto-defend trace-type source-ip //Configure attack source identification based on source IP address.
        [HUAWEI-cpu-defend-policy-test] auto-defend protocol arp //Configure attack source identification based on ARP packet type.
        [HUAWEI-cpu-defend-policy-test] quit 
        [HUAWEI] cpu-defend-policy test global //Apply the attack defense policy.
        Run the following command for modular switches:
        [HUAWEI] cpu-defend-policy test (modular switch)
        
        After the attack defense policy is applied, wait for a moment and run the display auto-defend attack-source command (with the detail keyword for full output) to view attack source information.
        <HUAWEI> display auto-defend attack-source detail 
          Attack Source User Table (MPU): 
          ---------------------------------------------------- 
          MAC Address                    0000-0000-0023  //Exclude the gateway MAC address from the attack source MAC address list. 
          Interface                      GigabitEthernet0/0/1 
          VLAN: Outer/Inner              199                 
              ARP:                       256      
          Total                          256                  
          ---------------------------------------------------- 
          ...
          Attack Source IP Table (MPU): 
          ---------------------------------------------------- 
          IP address                10.10.10.2  //Exclude the gateway IP address from the attack source IP address list.
              ARP:                  256      
          Total                     256                  
          ---------------------------------------------------- 
          Total: 1
        

        Method 2: Configure port mirroring to obtain packet information.

        Analyze the source address in the headers of ARP request or reply packets.

        If many ARP request or reply packets carry the same source MAC or IP address, treat that address as the attack source.

      2. Handle the attack source.

        After determining the attack source, configure a blackhole MAC entry or blacklist to discard the packets from the attack source, or limit the rate of ARP packets from the attack source.

        Method 1: Configure a blackhole MAC entry to discard the packets sent from the attack source.
        <HUAWEI> system-view 
        [HUAWEI] mac-address blackhole 0000-0000-0023 
        

        Method 2: Limit the rate of ARP packets sent from the attack source.

        Reduce the rate limit for ARP packets from the source IP or MAC address gradually rather than in a single large step.

        1. Check the ARP rate limiting configuration.
          <HUAWEI> display arp anti-attack configuration arp-speed-limit       
           ARP speed-limit for source-IP configuration: 
           IP-address          suppress-rate(pps)(rate=0 means function disabled) 
          ------------------------------------------------------------------------------- 
           All                 0   //The ARP rate limit for each source IP address is 0, that is, the switch does not limit the ARP rate based on source IP address.
          ------------------------------------------------------------------------------- 
           0 specified IP addresses are configured, spec is 256 items.
          
        2. Configure ARP rate limiting based on source IP address.
          <HUAWEI> system-view  
          [HUAWEI] arp speed-limit source-ip 10.10.10.2 maximum 50  //Set the ARP rate limit for IP address 10.10.10.2 to 50 pps.
          
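The following is an added example, not code from the original page or from Huawei, that applies the procedure above to ARP traffic obtained through port mirroring (Method 2 for finding the attack source): it computes the peak per-second ARP rate of each sender, excludes the gateway as the comments in the display auto-defend attack-source output recommend, and prints either the mac-address blackhole or the arp speed-limit commands from this page for each source. The capture is constructed inline; the gateway addresses, the function names and the 30 pps threshold (taken from the auto-defend threshold 30 example above) are assumptions. A real capture could be decoded into the same (timestamp, MAC, IP, opcode) tuples with a packet library such as scapy (rdpcap).

```python
from collections import defaultdict

# Assumed gateway addresses for the constructed capture; substitute your own.
GATEWAY_MAC = "0000-0000-0001"
GATEWAY_IP = "10.10.10.1"

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes

def peak_arp_rates(packets):
    """packets: iterable of (timestamp_seconds, sender_mac, sender_ip, opcode),
    e.g. decoded from a mirrored-port capture. Returns {(mac, ip): peak packets
    seen in any single one-second bucket}, which is the per-source pps that a
    threshold such as 'auto-defend threshold 30' is compared against."""
    per_second = defaultdict(int)
    for ts, mac, ip, opcode in packets:
        if opcode not in (ARP_REQUEST, ARP_REPLY):
            continue
        per_second[(mac, ip, int(ts))] += 1
    peak = defaultdict(int)
    for (mac, ip, _sec), count in per_second.items():
        peak[(mac, ip)] = max(peak[(mac, ip)], count)
    return dict(peak)

def find_attack_sources(packets, threshold_pps, exclude_macs=(), exclude_ips=()):
    """Sources whose peak rate reached threshold_pps, highest first. The gateway
    legitimately answers many ARP requests, so its addresses are passed in the
    exclude lists rather than being blackholed or rate limited by mistake."""
    hits = []
    for (mac, ip), pps in peak_arp_rates(packets).items():
        if mac in exclude_macs or ip in exclude_ips:
            continue
        if pps >= threshold_pps:
            hits.append((mac, ip, pps))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def remediation_commands(sources, method="rate-limit", limit_pps=50):
    """Emit the commands this page uses: a blackhole MAC entry (method
    "blackhole") or an ARP rate limit per source IP (method "rate-limit")."""
    cmds = ["system-view"]
    for mac, ip, _pps in sources:
        if method == "blackhole":
            cmds.append(f"mac-address blackhole {mac}")
        else:
            cmds.append(f"arp speed-limit source-ip {ip} maximum {limit_pps}")
    return cmds

def constructed_capture():
    """Made-up mirrored traffic: an attacker sending 40 requests within one
    second, the gateway sending 35 replies in the next second, and a normal
    host sending 2 requests per second."""
    pkts = []
    pkts += [(0 + i / 40, "0000-0000-0023", "10.10.10.2", ARP_REQUEST) for i in range(40)]
    pkts += [(1 + i / 35, GATEWAY_MAC, GATEWAY_IP, ARP_REPLY) for i in range(35)]
    for sec in range(3):
        pkts += [(sec + i / 2, "0000-0000-0042", "10.10.10.50", ARP_REQUEST) for i in range(2)]
    return pkts

if __name__ == "__main__":
    capture = constructed_capture()
    attackers = find_attack_sources(
        capture, 30, exclude_macs={GATEWAY_MAC}, exclude_ips={GATEWAY_IP})
    for mac, ip, pps in attackers:
        print(f"attack source {mac} / {ip}: peak {pps} pps")
    print("\n".join(remediation_commands(attackers, method="rate-limit", limit_pps=50)))
```

Without the exclude lists the gateway, which answers ARP requests from every host in the VLAN, would rank second in the constructed capture and a blackhole entry for it would cut off the whole segment; that is the mistake the "Exclude the gateway" comments in the command output above warn about.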
