3.8.5.1 Anti-DDoS Attack
Due to more and more complicated network environment, the switch should be more
competent in fighting against attacks. There are lots of ways to prevent DDoS attack,
CPU protection is a very important one.
Currently, controlling protocol message is used to protection CPU. The speed of
messages sent to CPU can be set. If the real speed exceeds the threshold, this message
will be discarded or its transport priority will be modified. CPU protection is implemented
based upon the following principle.
CPU protection is mainly realized by using the switch to monitor the speed of messages
sent to CPU. The speed threshold for messages going to CPU can be set on devices.
When messages are sent to CPU in an abnormal speed, related alarms will be generated
and the NM will be aware of the attack. At this moment, the NM can decide how to
process the message according to the message type and speed. When the protocol
protection unit finds one protocol message is transferred too fast, this unit will send an
alarm to warn user. After reading this alarm, the user can configure protocol protection
shutdown to avoid CPU failure.
Currently, the supported protocols include most L2 and L3 protocols. The covered Ipv4
protocol consists of: OSPF, PIM, IGMP, VRRP, ICMP, ARP reply, ARP request, group
mng, VBASE, DHCP, RIP, BGP, telnet, LDP_TCP, LDP_UDP, TTL=1, BPDU, SNMP,
MSDP and RADIUS. The included Ipv6 protocols are: MLD, ND, ICMP6, BGP4+, RIPng,
OSPFv3, LDPtcp6, LDPudp6, telnet6 and PIM6. L2 protocols cover some messages like
STP and MSTP, as well as some switch L2 ring protocols.
Based upon common CPU protection, 8900E has multi-level CPU protection which
includes: hardware protection, software protection and protocol stack protection. CPU
supports multiple hardware queues to make sure the precedence of key messages. Key
message filtering makes sure key messages are sent to CPU. Protocol stack controls
message transport speed. Via multi-level protection, network efficiency and key services
operation are guaranteed.
Moreover, ZXR10 8900E can also use MAC address learning restriction, port speed
restriction and multi-level ACL filtering to avoid DDoS attack.
3.8.5.2 Unicast Reverse Path Forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) can be used to avoid the network attack based
upon source address spoofing.Source address spoofing (A legal address made by
attacker) in common DoS attack uses a fake source address to prevent the device from
providing normal services. uRPF can avoid such attacks effectively. uRPF is made for
normal route search. Normally when router receives packet and gets its destination
address, route table will be looked up as per the destination address. If the route is found,
the packet will be forwarded, otherwise, it will be discarded. uRPF by getting source
address and incoming interface of the packet sets source address as the target address
To Next Page
Loading...
Need help?
General
