Safeguard Engine - D-Link xStack DES-3800 Series User Manual

Layer 3 stackable fast ethernet managed switch

Safeguard Engine

Periodically, malicious hosts on the network will attack the Switch by using packet flooding (ARP storms) or other methods. These attacks may push the Switch's workload beyond its capability. To alleviate this problem, the Safeguard Engine function was added to the Switch's software.

The Safeguard Engine helps keep the Switch operable by minimizing its workload while an attack is ongoing, so that it can still forward essential packets over the network within a limited bandwidth. When the Switch either (a) receives too many packets to process or (b) uses too much memory, it enters Exhausted mode. In this mode the Switch accepts only a small amount of ARP or IP broadcast packets for a calculated time interval. Every five seconds, the Switch checks whether too many packets are flooding it. If the threshold has been crossed, the Switch rate limits ingress traffic and allows only a small amount of ARP and IP broadcast packets for five seconds. When the next five-second checking interval arrives, the Switch again checks the ingress flow of packets. If the flooding has stopped, the Switch resumes accepting all packets. If the check shows that packets are still flooding the Switch, it continues to accept only a small amount of ARP and IP broadcast packets, this time for double the length of the previous stop period. This doubling of the time for which ingress ARP and IP broadcast packets are stopped continues until the maximum of 320 seconds is reached; every stop from that point until ingress flow returns to normal lasts 320 seconds. For a better understanding, examine the following example of the Safeguard Engine.
Figure 11-66. Safeguard Engine example (figure callouts):
(1) If the Switch detects too many packets, it rate limits all ingress ARP and IP broadcast packets for 5 seconds.
(2) If the second checking interval reveals there are still too many ingress packets, the Switch rate limits all ARP and IP broadcast packets for 10 seconds (5*2=10).
(3) If the third checking interval reveals there are still too many ingress packets, the Switch rate limits all ARP and IP broadcast packets for 20 seconds (10*2=20).
(4) If the fourth interval reveals the packet flooding has subsided, the Switch returns to accepting ARP and IP broadcast packets.

For every consecutive checking interval that reveals a packet flooding issue, the Switch doubles the time during which it accepts only a few ingress ARP and IP broadcast packets. In the example above, the Switch doubled the time for dropping ARP and IP broadcast packets when consecutive flooding issues were detected at 5-second intervals (first stop = 5 seconds, second stop = 10 seconds, third stop = 20 seconds). Once flooding is no longer detected, the wait period for limiting ARP and IP broadcast packets returns to 5 seconds and the process resumes.

Once in Exhausted mode, the packet flow decreases by half of the level that caused the Switch to enter Exhausted mode. After the packet flow has stabilized, the rate first increases by 25% and then returns to a normal packet flow.

To configure the Safeguard Engine for the Switch, click Security > Safeguard Engine, which opens the following window:
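The back-off schedule described in this section (5-second checks, stop periods doubling from 5 s up to the 320 s cap, reset once flooding subsides, and the halve-then-grow-25% packet budget), modelled as an added Python example. This is not D-Link's code; the flooding threshold (threshold_pps) and the per-interval ingress rates are assumed and constructed here, since the manual does not state the Switch's internal threshold.

```python
from dataclasses import dataclass
from typing import List, Optional

CHECK_INTERVAL = 5   # seconds between flood checks (from the manual)
MAX_STOP = 320       # longest rate-limit period in seconds (from the manual)


@dataclass
class SafeguardEngine:
    """Models the Safeguard Engine back-off; threshold_pps is an assumed knob."""
    threshold_pps: int
    stop_period: int = 0               # seconds of rate limiting scheduled; 0 = normal mode
    allowed_pps: Optional[int] = None  # ARP/IP-broadcast budget while limited; None = no limit
    recovering: bool = False           # True for the one interval after a flood subsides

    def check(self, ingress_pps: int) -> int:
        """Run one five-second check; return the stop period chosen for the next window."""
        if ingress_pps > self.threshold_pps:
            if self.stop_period == 0:
                # Enter Exhausted mode: first stop is 5 s, budget is half the flood level.
                self.stop_period = CHECK_INTERVAL
                self.allowed_pps = ingress_pps // 2
            else:
                # Each consecutive flood detection doubles the stop, capped at 320 s.
                self.stop_period = min(self.stop_period * 2, MAX_STOP)
            self.recovering = False
        elif self.stop_period:
            # Flood subsided: stop resets (next stop is 5 s), budget grows 25% first.
            self.stop_period = 0
            self.allowed_pps = int(self.allowed_pps * 1.25)
            self.recovering = True
        elif self.recovering:
            # Flow has stabilized: back to accepting all packets.
            self.allowed_pps = None
            self.recovering = False
        return self.stop_period


def run(engine: SafeguardEngine, samples: List[int]) -> List[int]:
    """Feed one ingress rate per checking interval and collect the stop periods."""
    return [engine.check(pps) for pps in samples]


if __name__ == "__main__":
    # Constructed sample: three flooding intervals, then the storm subsides.
    engine = SafeguardEngine(threshold_pps=1000)
    print(run(engine, [5000, 5000, 5000, 200, 200]))  # → [5, 10, 20, 0, 0]
```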
