When the Device Encounters an OSPF Attack, How Can I Find the Attack Source Rapidly and Take Anti-attack Measures?

admin

2017-5-3 16:51:00
1. Fault Symptom
The S12000 encounters an OSPF attack, the CPU usage of the device is very high, and a large number of OSPF packets transmitted to the CPU for processing are lost. As a result, the device fails to establish OSPF neighbor relationships normally.

2. Possible Causes
1) OSPF packets transmitted to the CPU are beyond the processing capability of the CPU. As a result, packet loss occurs. Run the show cpu-protect mboard command to check whether packet loss occurs.

2) Run the show cpu command to identify the processes with high CPU usage.

3) The OSPF neighbor relationships cannot be established.

It can be judged that the OSPF process is attacked. Based on this conclusion, find out the attack source and take anti-attack measures accordingly.

3. Troubleshooting
1) Find out the attack source.
Method 1: Run the show interface counter summary command on the device to locate ports with excessive multicast/broadcast packets, shut down the ports, and then check whether the fault is rectified.
Method 2: Enable the NFPP anti-attack function. If the device encounters ARP attacks, enable the ARP attack prevention policy. In this fault case, the OSPF process is attacked. Therefore, use a defined NFPP policy for restriction. The configuration commands are as follows:
nfpp
define ospf
  match etype 0x800 protocol 89
  global-policy per-src-ip 100 200
isolate-period 30  //Set hardware isolation.
interface GigabitEthernet 1/0/1  //Apply the policy to all ports.
nfpp define ospf enable
(In global-policy per-src-ip 100 200, the former value is used to limit the rate, the latter is used to set the attack threshold, and the values here can be adjusted.)
  
2) After the preceding commands are configured, check whether the CPU attacks of the device are eliminated and check information about the attack source isolated by NFPP. It is found that attacks are initiated in VLAN 77. Perform the shutdown operation on SVI 77, find out the attack source further, and take actions accordingly.
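
The per-source decision that the NFPP policy above configures can be modelled offline to see which hosts it would rate-limit and which it would isolate. The following Python model is an added example, not Ruijie code or device output; it assumes both per-src-ip values are packets per second counted in one-second windows, and all addresses and traffic are constructed.

```python
from collections import defaultdict

OSPF_PROTO = 89         # IP protocol matched by "match etype 0x800 protocol 89"
RATE_LIMIT = 100        # first per-src-ip value (assumed unit: packets/s)
ATTACK_THRESHOLD = 200  # second per-src-ip value (assumed unit: packets/s)
ISOLATE_PERIOD = 30     # seconds, from "isolate-period 30"

def evaluate(packets):
    """packets: (timestamp_s, src_ip, ip_proto) tuples sorted by time.
    Returns (delivered, dropped, isolations); isolations maps a source IP
    to the time at which it first crossed the attack threshold."""
    counts = defaultdict(int)   # (src_ip, whole second) -> OSPF packets seen
    isolated_until, isolations = {}, {}
    delivered, dropped = defaultdict(int), defaultdict(int)
    for ts, src, proto in packets:
        if proto != OSPF_PROTO:
            continue                      # the policy only matches OSPF
        if isolated_until.get(src, 0) > ts:
            dropped[src] += 1             # source is still isolated
            continue
        counts[(src, int(ts))] += 1
        seen = counts[(src, int(ts))]
        if seen > ATTACK_THRESHOLD:       # treated as an attack source
            isolated_until[src] = ts + ISOLATE_PERIOD
            isolations.setdefault(src, ts)
            dropped[src] += 1
        elif seen > RATE_LIMIT:           # over the rate limit, not yet an attacker
            dropped[src] += 1
        else:
            delivered[src] += 1           # would reach the CPU
    return dict(delivered), dict(dropped), isolations

def sample_traffic():
    """Constructed traffic: one normal neighbor and one host flooding OSPF."""
    pkts = []
    for sec in range(3):
        pkts.append((sec + 0.5, "10.77.0.1", OSPF_PROTO))   # normal neighbor
        pkts += [(sec + i / 500, "10.77.0.66", OSPF_PROTO) for i in range(500)]
    pkts.append((40.0, "10.77.0.66", OSPF_PROTO))  # sent after isolation expired
    return sorted(pkts)

if __name__ == "__main__":
    delivered, dropped, isolations = evaluate(sample_traffic())
    for src in sorted(set(delivered) | set(dropped)):
        print(src, "delivered:", delivered.get(src, 0),
              "dropped:", dropped.get(src, 0),
              "isolated at:", isolations.get(src, "-"))
```

With these values the normal neighbor is never dropped, while the flooding host is isolated within the first second and only becomes visible to the CPU again after the 30-second isolation period ends.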

4. Fault Information Collection
show cpu
show cpu-protect mboard
show interface counter summary
show interfaces counters rate
show ip ospf neighbor
show ip ospf interface
show nfpp define hosts ospf

5. Fault Summary and Precautions
N/A
