Ruijie Community

Title: When the Device Encounters an OSPF Attack, How Can I Find the Attack Source Rapidly and Take Anti-attack Measures?

Author: admin    Time: 2017-5-3 16:51
1. Fault Symptom
The S12000 is under an OSPF attack: device CPU usage is very high, and a large number of the OSPF packets sent to the CPU for processing are dropped. As a result, the device cannot establish OSPF neighbor relationships normally.

2. Possible Causes
1) OSPF packets sent to the CPU exceed the CPU's processing capability, so packets are dropped. Run the show cpu-protect mboard command to check whether packet loss occurs.

2) Run the show cpu command to identify the processes with high CPU usage.

3) The OSPF neighbor relationships cannot be established.

From these symptoms it can be concluded that the OSPF process is under attack. Based on this conclusion, locate the attack source and take anti-attack measures accordingly.

3. Troubleshooting
1) Find out the attack source.
Method 1: Run the show interface counter summary command on the device to locate ports receiving excessive multicast/broadcast packets, shut down those ports, and then check whether the fault is rectified.
Method 2: Enable the NFPP anti-attack function. If the device encounters ARP attacks, enable the ARP attack prevention policy. In this fault case, the OSPF process is attacked, so a user-defined NFPP policy is used to restrict it. The configuration commands are as follows:
nfpp
 define ospf
  match etype 0x800 protocol 89      //Match OSPF packets: EtherType 0x800 (IPv4) carrying IP protocol 89.
  global-policy per-src-ip 100 200   //Per source IP: the former value limits the rate, the latter sets the attack threshold; adjust both as needed.
  isolate-period 30                  //Isolate detected attack sources in hardware for 30 seconds.
interface GigabitEthernet 1/0/1      //Apply the policy to all ports (repeat for each port).
 nfpp define ospf enable
  
2) After the preceding commands are configured, check whether the CPU attack on the device has stopped, and check the attack source information that NFPP has isolated. In this case the attacks are found to originate in VLAN 77. Shut down SVI 77, trace the attack source further within that VLAN, and take action accordingly.
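To make the two values in global-policy per-src-ip 100 200 and the isolate-period concrete, the following Python script is an added example (not Ruijie code and not part of the original post) that models how such a per-source-IP policy treats constructed OSPF packet arrivals: per-second counting, packets above the rate limit dropped before the CPU, and a source that crosses the attack threshold isolated for the isolate period. The packet records, the 10.0.77.5 / 10.0.1.2 addresses and the per-second windowing are assumptions made for illustration; the real NFPP implementation may measure differently.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not Ruijie code: a model of "define ospf" with
# "global-policy per-src-ip 100 200" and "isolate-period 30".
OSPF_PROTOCOL = 89  # "match etype 0x800 protocol 89": IPv4 carrying OSPF


@dataclass
class NfppDefine:
    rate_limit_pps: int = 100        # first value: packets/second per source passed to the CPU
    attack_threshold_pps: int = 200  # second value: packets/second at which a source is an attacker
    isolate_period_s: int = 30       # "isolate-period 30": hardware isolation duration (assumed seconds)


@dataclass
class NfppResult:
    forwarded: dict = field(default_factory=lambda: defaultdict(int))  # src_ip -> packets handed to the CPU
    dropped: dict = field(default_factory=lambda: defaultdict(int))    # src_ip -> packets discarded
    isolated_until: dict = field(default_factory=dict)                 # src_ip -> second at which isolation ends
    unmatched: int = 0                                                 # packets this define does not cover


def apply_define(packets, policy=None):
    """Apply the policy to (timestamp_s, src_ip, ip_protocol) records, in any order."""
    policy = policy or NfppDefine()
    result = NfppResult()
    window = defaultdict(int)  # (second, src_ip) -> matched packets seen in that second (assumed 1 s window)
    for t, src, proto in sorted(packets):
        if proto != OSPF_PROTOCOL:
            result.unmatched += 1          # not matched by this define; other guards may handle it
            continue
        if t < result.isolated_until.get(src, -1):
            result.dropped[src] += 1       # isolated in hardware: never reaches the CPU
            continue
        window[(t, src)] += 1
        count = window[(t, src)]
        if count > policy.attack_threshold_pps:
            # attack threshold crossed: isolate this source from now on
            result.isolated_until[src] = t + policy.isolate_period_s
        if count > policy.rate_limit_pps:
            result.dropped[src] += 1       # above the rate limit: dropped before the CPU
        else:
            result.forwarded[src] += 1
    return result


def constructed_sample():
    """Constructed packet arrivals: one flooding host in VLAN 77 and one normal neighbor."""
    pkts = []
    pkts += [(0, "10.0.77.5", OSPF_PROTOCOL)] * 300    # 300 OSPF packets in second 0
    pkts += [(5, "10.0.77.5", OSPF_PROTOCOL)] * 50     # 50 more in second 5, while isolated
    pkts += [(40, "10.0.77.5", OSPF_PROTOCOL)] * 50    # 50 in second 40, after isolation ended
    pkts.append((5, "10.0.77.5", 6))                   # a TCP packet; not matched by this define
    pkts += [(t, "10.0.1.2", OSPF_PROTOCOL) for t in range(60)]  # neighbor: one packet per second
    return pkts


if __name__ == "__main__":
    r = apply_define(constructed_sample())
    for src in sorted(set(r.forwarded) | set(r.dropped)):
        print(f"{src}: forwarded={r.forwarded[src]} dropped={r.dropped[src]} "
              f"isolated_until={r.isolated_until.get(src, '-')}")
    print(f"unmatched={r.unmatched}")
```

Running it shows the flooding host gets only the first 100 packets of second 0 to the CPU, is isolated once packet 201 arrives, loses everything it sends until second 30, and is served normally again at second 40, while the neighbor sending one packet per second is never affected. This is the behaviour to expect when reading show nfpp define hosts ospf after the policy is applied.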

4. Fault Information Collection
show cpu
show cpu-protect mboard
show interface counter summary
show interfaces counters rate
show ip ospf neighbor
show ip ospf interface
show nfpp define hosts ospf

5. Fault Summary and Precautions
N/A

Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2