8/10/2019 Cpu-Defend Policy for Network v1.1
CPU-DEFEND POLICY ON NETWORK
HUAWEI's NE40E/80E/CX600 have a built-in default cpu-defend policy to prevent potential threats aimed at our equipment in real networks. In order to meet most scenarios and guarantee that every protocol runs normally, some rules of the policy are a little loose, so we need to adjust the appropriate rules to meet the self-defend requirement when a specified scenario or particular attack occurs.
Gathering examples from other Metro-E and mobile networks built by HUAWEI, combined with incidents that have happened on the network, HUAWEI's R&D recommends updating the following parameters to ensure sufficient protection for the CPU when facing routing loops, general ARP / ICMP attacks and other common attacks.
Prevent ICMP attack:
In the common network, ICMP (ping) is used to detect node or link reachability, but ICMP replies need to be generated by the CPU (the NP can only forward packets, not generate them). In reality, this invites ICMP attacks. Our CPU can handle 4s ICMP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If ICMP processing occupies the CPU for too long, other critical processes cannot be scheduled.
HUAWEI highly suggests lowering this value depending on real network requirements.
Recommended value: 00kbps (converts to :000pps, based on a minimum frame size of 64 bytes)
: Prevent
the ARP entry exists, this packet will be encapsulated with the MAC and then forwarded directly; if this ARP entry does not exist, the equipment generates one ARP Miss to notify the ARP module to send an ARP request.
The ARP MISS attack makes use of exactly this weakness: it generates lots of packets with a DIP that does not exist, so the router has to generate lots of ARP Miss notifications when it fails to find an ARP entry, hence the high CPU usage.
HUAWEI highly suggests lowering this value depending on real network requirements.
Recommended value: @00kbps (converts to 000pps, based on a minimum frame size of 64 bytes)
4 Prevent SNMP attack
In the common network, SNMP is used to transfer management information between the NM station and the agent, and SNMP protocol packets must be processed by the CPU of the LPU board. In reality, this invites SNMP attacks. Our CPU can handle :s SNMP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If SNMP processing occupies the CPU for too long, other critical processes cannot be scheduled.
HUAWEI highly suggests lowering this value depending on real network requirements.
Recommended value: @00kbps
@ Prevent BGP/LDP/OSPF attack
In the common network, routing protocols (such as BGP/LDP/OSPF) are used to advertise and communicate routes between routers, and these protocol packets must be processed by the CPU of the LPU board. In reality, this invites routing protocol attacks. Our CPU can handle these packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If any one protocol's processing occupies the CPU for too long, other critical processes cannot be scheduled.
HUAWEI highly suggests protecting these important routing protocols depending on real network requirements.
Recommend: Use advanced ACL to protect important routing protocols (such as BGP, LDP, OSPF)
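The argument the sections above repeat (one protocol's packets occupying the CPU until other critical processes cannot be scheduled, with a per-protocol CAR limit as the remedy) can be shown as a small simulation. This is an added example, not Huawei code and not part of the original document; `Car` and `simulate` are hypothetical names, and the rates, burst size, CPU budget and queue depth are constructed values.

```python
from collections import Counter

FRAME = 64  # bytes: the minimum frame size the page bases its conversion on

class Car:
    """Single-rate token-bucket policer: CIR in kbit/s, burst (CBS) in bytes."""
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8          # refill rate, bytes per second
        self.cbs = self.tokens = cbs_bytes
        self.last = 0.0

    def allow(self, now, size=FRAME):
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < size:
            return False                         # over the committed rate: drop
        self.tokens -= size
        return True

def simulate(offered_pps, cpu_pps, cars=None, seconds=5, max_wait=0.05):
    """Count packets per protocol that the CPU actually processed.

    offered_pps: {protocol: packets per second punted to the CPU}
    cpu_pps:     packets the CPU can process per second (constructed budget)
    cars:        {protocol: Car}, or None for no rate limiting
    max_wait:    depth of the CPU queue, in seconds of work (constructed)
    """
    events = sorted((i / pps, proto) for proto, pps in offered_pps.items()
                    for i in range(pps * seconds))
    done, free_at = Counter(), 0.0
    for now, proto in events:
        if cars and proto in cars and not cars[proto].allow(now):
            continue                             # dropped by CAR before the CPU
        start = max(now, free_at)
        if start - now > max_wait:
            continue                             # CPU queue full: tail drop
        free_at = start + 1 / cpu_pps
        done[proto] += 1
    return done

# Constructed scenario: an ICMP flood next to a trickle of OSPF packets.
OFFERED = {"icmp": 20000, "ospf": 10}
no_car = simulate(OFFERED, cpu_pps=5000)
with_car = simulate(OFFERED, cpu_pps=5000, cars={"icmp": Car(512, 6400)})
print("no CAR:  ", dict(no_car))
print("with CAR:", dict(with_car))
```

Without the policer the flood keeps the CPU queue full and almost every OSPF packet is tail-dropped; with ICMP limited to its committed rate, all OSPF packets are processed.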
6 Prevent DHCP attack
In the common network, DHCP is used by hosts to obtain IP addresses dynamically, but DHCP packets must be processed by the CPU of the LPU board. In reality, this invites DHCP attacks. Our CPU can handle :s DHCP packets during idle time, but in a real scenario the CPU needs to process many protocols at the same time. If DHCP processing occupies the CPU for too long, other critical processes cannot be scheduled.
Recommended value: @00kbps (this value must be evaluated carefully depending on real network requirements)
F Prevent HW
In the common network, HW
Index ID    Item    Default Value (kbps)    Recommended Value (kbps)
:           ICMP    4000                    00
?G I54
UDP Source Address : :6:
UDP Socket ID : F
Sequence No : 0
Configuration Hello Hold
acl number ?00?
rule @ permit ospf source :6:0
4 Modify one CPU-Defend policy as follows:
cpu-defend policy user-defined-flow acl ?00
user-defined-flow : acl ?00:
user-defined-flow ? acl ?00?
application-apperceive disable
process-sequence whitelist user-defined-flow blacklist
car icmp cir 00
car index ?G cir 00
car index 4F cir 00
car index @0 cir @00
car snmp cir @00
car bgp cir :00
car ldp cir :00
car ospf cir :00
car dhcp cir @00
car hwtacacs cir :00
car lsping cir 00
car igmp cir :00
car vrrp cir 000
@ Apply the policy to every LPU card that needs to be protected:
slot X
cpu-defend-policy
6 Check the policy statistics to verify the attack when a network attack occurs:
N*5=5ac'ets--------------------------------------------------------------------------------
6 Application-Apperceive @68@?@: G8G::8? @F8G:@?G
--------------------------------------------------------------------------------
OSPF : : 0
RIP 0
ISIS 0 0 0
ICMP :06 :06 0
MSDP 0 0 0
PIM :: :: 0
DHCP @@@F0:8F GF6F8?06 @F8GG8
LACP :8G? :8G? 0
N
Udp-packet 0 0 0
--------------------------------------------------------------------------------