Overview Of Local Attack Defense; Local Attack Defense Features Supported By The S3700; Configuring The Attack Defense Policy; Establishing The Configuration Task - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security

6.1 Overview of Local Attack Defense

This section describes the principle of local attack defense.
As networks grow and are more widely used, users place higher requirements on the security of the network and of network devices. On the network, a large number of packets, including malicious attack packets, are sent to the Central Processing Unit (CPU). These packets cause high CPU usage, degrade system performance, and affect service provisioning. Malicious packets aimed at the CPU keep it busy processing attack packets for a long period, so other normal services are interrupted and the system may even fail.
To protect the CPU and allow it to process and respond to normal services, the packets sent to the CPU must be limited, for example by filtering and classifying packets destined for the CPU, limiting their number and rate, and setting their priority. Packets that do not conform to the configured rules are discarded directly so that the CPU can process normal services.
The local attack defense feature of the S3700 is specifically designed for packets destined for the CPU. It protects the S3700 from attacks and ensures that existing services continue to run normally while an attack is under way.

6.2 Local Attack Defense Features Supported by the S3700

The S3700 implements local attack defense through the blacklist and CAR.
The S3700 implements local attack defense in the following ways:
• Blacklist
A blacklist is a group of unauthorized users. You define the blacklist through ACL rules; packets matching the ACL rules bound to the blacklist are discarded. Unauthorized users found to be involved in attacks can be added to the blacklist.
• CAR
CAR (Committed Access Rate) sets the rate at which classified packets are sent to the CPU. You can set the committed information rate (CIR) and the committed burst size (CBS). By setting different CAR rules for different packet types, you reduce the number of packets of each type sent to the CPU and prevent CPU overload. CAR can also set the total rate of packets sent to the CPU: when the total rate exceeds the upper limit, the system discards the non-conforming packets, preventing CPU overload.

6.3 Configuring the Attack Defense Policy

This section describes how to configure the attack defense policy.

6.3.1 Establishing the Configuration Task

This section describes how to establish the configuration task for an attack defense policy.
Applicable Environment
When a large number of users access the S3700, the CPU of the S3700 may be attacked by packets sent by attackers, or it may simply have to process a large number of packets.

6 Local Attack Defense Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
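The blacklist and CAR mechanisms described in 6.2, as an added example that is not from this manual or from Huawei's software: a Python simulation of the CPU protection pipeline, showing how an ACL-based blacklist discards an attacker's packets outright, how a per-packet-type CAR rule (CIR plus CBS, modelled as a token bucket) trims a burst of ARP requests, and how the total CAR rule discards what exceeds the overall limit to the CPU. The processing order (blacklist, then per-type CAR, then total CAR), the class and function names, the byte-based units and the sample traffic are all assumptions made for the illustration; the units and limits that the switch itself accepts are defined by the command reference for your software version, not by this code.

```python
"""Added example: simulation of S3700-style local attack defense
(blacklist, then per-packet-type CAR, then total CAR). Illustrative code
written for this page, not the switch's firmware or CLI; names, processing
order and units are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str      # source IP address
    ptype: str    # classification, e.g. "arp-request" or "icmp"
    size: int     # bytes
    ts_ms: int    # arrival time in milliseconds


@dataclass
class TokenBucket:
    """Single-rate token bucket modelling one CAR rule: CIR refills the
    bucket, CBS caps it. Units here are bytes/s and bytes (assumed for the
    simulation; the switch CLI uses its own units)."""
    cir: float               # committed information rate, bytes per second
    cbs: float               # committed burst size, bytes
    tokens: float = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.cbs   # bucket starts full: a burst up to CBS passes

    def conforms(self, size: int, now_ms: int) -> bool:
        elapsed_s = max(0, now_ms - self.last_ms) / 1000.0
        self.tokens = min(self.cbs, self.tokens + elapsed_s * self.cir)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False             # non-conforming: the packet is discarded


class CpuDefendPolicy:
    """Assumed order: blacklist first, then the CAR rule for the packet's
    type, then the CAR rule covering all packets sent to the CPU."""

    def __init__(self, blacklist_acl, per_type_car, all_packets_car):
        self.blacklist = [ip_network(n) for n in blacklist_acl]   # ACL-style prefixes
        self.per_type = {t: TokenBucket(*rate) for t, rate in per_type_car.items()}
        self.total = TokenBucket(*all_packets_car)
        self.stats = {"blacklisted": 0, "type_car_drop": 0,
                      "total_car_drop": 0, "sent_to_cpu": 0}

    def process(self, pkt: Packet) -> str:
        if any(ip_address(pkt.src) in net for net in self.blacklist):
            verdict = "blacklisted"            # ACL match: dropped, no CAR consumed
        elif pkt.ptype in self.per_type and not self.per_type[pkt.ptype].conforms(pkt.size, pkt.ts_ms):
            verdict = "type_car_drop"          # exceeds this packet type's CIR/CBS
        elif not self.total.conforms(pkt.size, pkt.ts_ms):
            verdict = "total_car_drop"         # exceeds the total rate to the CPU
        else:
            verdict = "sent_to_cpu"
        self.stats[verdict] += 1
        return verdict


def build_sample_traffic():
    """Constructed traffic for the demo (not captured data)."""
    pkts = []
    # 1. A host already on the blacklist floods ARP requests.
    pkts += [Packet("10.0.0.66", "arp-request", 64, t) for t in range(0, 5)]
    # 2. A host not on the blacklist sends a 10-packet ARP burst within 10 ms.
    pkts += [Packet("10.0.0.77", "arp-request", 64, 10 + i) for i in range(10)]
    # 3. A legitimate host sends one ARP request half a second later.
    pkts.append(Packet("10.0.0.5", "arp-request", 64, 500))
    # 4. The same host sends three large ICMP packets back to back.
    pkts += [Packet("10.0.0.5", "icmp", 1000, 600 + i) for i in range(3)]
    return pkts


def run_demo():
    """Run the constructed traffic through an assumed policy and return counts."""
    policy = CpuDefendPolicy(
        blacklist_acl=["10.0.0.66/32"],
        per_type_car={"arp-request": (1000, 256)},   # CIR 1000 B/s, CBS 256 B
        all_packets_car=(10000, 1024),               # CIR 10000 B/s, CBS 1024 B
    )
    for pkt in build_sample_traffic():
        policy.process(pkt)
    return policy.stats


if __name__ == "__main__":
    print(run_demo())
```

With these assumed rates the blacklisted host's five packets never reach a CAR rule, only the first four packets of the ARP burst fit the 256-byte CBS before the 1000 B/s CIR takes over, the legitimate ARP request half a second later passes because the bucket has refilled, and of the three 1000-byte ICMP packets only the first fits the total bucket, so two are discarded by the total CAR rule even though no per-type rule exists for ICMP. That is the behaviour the two bullet points above describe: the blacklist removes known attackers entirely, the per-type rule caps any one packet type, and the total rule is the last guard on CPU load.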
