Blocking attacks starting with the access switch

Source: Internet
Author: User
Tags join range switches cisco switch

Broadband access switches usually connect directly to user terminals. Once a terminal is infected with a worm, the attack traffic it generates consumes bandwidth and switch resources and can even paralyse the network, as was common during the Slammer and Blaster ("shock wave") outbreaks. What security risks does a broadband access switch face, and how can they be defused? This article explains.

The risks of the switch

Using a packet capture tool, the author has often captured abnormal high-volume traffic. It consumes network bandwidth on the one hand and the resources of network equipment on the other, and so disrupts the normal operation of the network.

Unicast exception traffic: unicast traffic is mostly sent to the gateway, and the gateway device forwards or discards it according to its routing table. For private IP destination addresses, the Layer 3 switch or router discards the unicast traffic automatically. If the user has obtained a public IP address, however, this traffic is forwarded onward and affects a wider range of networks. Take the Blaster ("shock wave") worm as an example: an infected host starts an attack propagation thread and attacks randomly generated addresses, which is easy to see with network monitoring. At the peak of the outbreak the network slowed down noticeably, some access layer switches and small routers even crashed, the CPU utilisation of the core Layer 3 switch reached 100%, and operators had to resort to blocking ICMP traffic.

Broadcast exception traffic: broadcasting is necessary for certain protocols to work. A broadcast frame is delivered to every host in a network segment, and each host must process it and decide whether to respond or discard it, which consumes both network bandwidth and host performance. With port isolation, a user's broadcast frames can be confined to the upstream port, which reduces the impact on the segment's links and hosts, but it does not solve the impact on aggregation layer and core layer devices. If several residential communities share one VLAN on an aggregation or core device, broadcast traffic is returned through that upper-layer device to the other communities, where it continues to occupy link bandwidth and affect host performance. This configuration is very common in today's broadband networks.

Multicast exception traffic: multicast is meant to serve only some users in the network; its destination address is the multicast group that hosts running the application join. Hosts that did not ask to join the group should not be forwarded the traffic, yet in practice they receive it. Why is multicast forwarded to hosts that never requested it? To implement multicast, a Layer 2 switch uses the GMRP multicast registration protocol or IGMP snooping to maintain a dynamic multicast table and then forwards group traffic only to the ports of the group's members, achieving Layer 2 multicast within the VLAN. If IGMP snooping is not running, multicast traffic is simply broadcast at Layer 2, which is the cause of multicast flooding.

As broadband networks spread and video applications grow, multicast will be used more widely, and abnormal multicast traffic will then not only appear at Layer 2 but also be routed across the whole multicast tree. Video streams are large, so it is hard to tell normal flows from abnormal ones. Multicast is therefore the harder class to control.

In short, LAN applications can be exploited by viruses, and if abnormal traffic is not effectively restricted, network bandwidth and the resources of network equipment are consumed. Making the user-facing Layer 2 switch more intelligent, so that the problem is isolated within the smallest possible scope, is therefore particularly important.

Countermeasures to dissolve the risk

With the switch's traffic control functions, abnormal traffic passing through a port can be limited to a certain range. Cisco switches, for example, provide port-based controls: storm control, port protection and port security. Storm control mitigates the slowdown caused by unicast, broadcast or multicast packets: a threshold is set for each kind of traffic, and when traffic on a port reaches the set level the switch starts limiting it or even shuts the port down. Port protection is similar to port isolation: ports configured as protected do not exchange any traffic with each other. Port security restricts access at port level for addresses that are not authorised. Similarly, Huawei switches provide port controls such as flow control and broadcast storm suppression. Flow control notifies the peer switch during congestion to temporarily stop sending packets and so avoid packet loss; broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic exceeding the set value.

However, the switch's traffic control functions can only apply a simple rate limit to all traffic of a given type through a port. They limit abnormal broadcast and multicast traffic to some extent but cannot distinguish normal traffic from abnormal traffic, and choosing a suitable threshold is itself difficult. For finer control over packets, users can use ACLs (access control lists). An ACL filters packets entering and leaving the switch by IP address, TCP/UDP port and similar fields, and decides whether to forward or block each packet according to preset conditions. Both Cisco and Huawei switches support IP ACLs and MAC ACLs, each in standard and extended formats. A standard ACL filters on source address and upper-layer protocol type; an extended ACL filters on source address, destination address and upper-layer protocol type.

By subdividing network traffic in this way, the user can control each class of abnormal traffic separately: unicast exception traffic through the Protocol field of the IP header, broadcast exception traffic through the type field of the Ethernet frame, and multicast traffic through the IP destination address range. Beyond these controls, network administrators also need to watch for abnormal traffic, locate its source promptly and troubleshoot it. (The author is an engineer in the data network branch of Taiyuan Communications Industry Co., Ltd.)
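As an added example (not from the article or any vendor's code), the following Python simulates the two controls described above over constructed sample frames: it classifies each frame as unicast, broadcast or multicast from its destination MAC, applies a per-port, per-class threshold the way storm control does, and evaluates ACL-style rules on the Ethernet type, the IP Protocol field and the multicast destination range. The port names, thresholds and rule policy (drop ICMP, drop multicast sourced from user ports, permit ARP) are assumptions for illustration.

```python
# Added example, not from the article: storm-control style counting plus
# ACL-style matching over constructed frames (dicts standing in for packets).
from collections import Counter
from ipaddress import ip_address, ip_network

MCAST_V4 = ip_network("224.0.0.0/4")  # IPv4 multicast destination segment

def classify(frame):
    """'broadcast', 'multicast' or 'unicast' from the destination MAC; the
    I/G bit (low bit of the first octet) marks group addresses."""
    dst = frame["dst_mac"].lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    return "multicast" if int(dst[:2], 16) & 1 else "unicast"

def storm_check(frames, thresholds):
    """Return ports where the frame count of any class exceeds its threshold
    (frames per measurement interval, like storm-control's level)."""
    counts = Counter((f["port"], classify(f)) for f in frames)
    return sorted({p for (p, c), n in counts.items() if n > thresholds[c]})

# ACL evaluated top-down, first match wins; the trailing permit-all keeps
# normal traffic flowing (assumed policy, not the article's configuration).
RULES = [
    (lambda f: f.get("ip_proto") == 1, "deny"),             # ICMP, the worm's scan traffic
    (lambda f: f.get("ethertype") == 0x0806, "permit"),     # ARP broadcast is legitimate
    (lambda f: "dst_ip" in f and ip_address(f["dst_ip"]) in MCAST_V4
               and f["port"] != "uplink", "deny"),          # multicast sourced by a user port
    (lambda f: True, "permit"),
]

def acl_action(frame, rules=RULES):
    return next(action for pred, action in rules if pred(frame))

# Constructed sample: user port Fa0/3 emits an ICMP scan burst and a multicast
# stream; user port Fa0/1 sends one ordinary ARP broadcast.
SAMPLE = (
    [{"port": "Fa0/3", "dst_mac": "00:11:22:33:44:55", "ethertype": 0x0800,
      "ip_proto": 1, "dst_ip": f"10.0.{i}.7"} for i in range(30)]
    + [{"port": "Fa0/3", "dst_mac": "01:00:5e:01:01:01", "ethertype": 0x0800,
        "ip_proto": 17, "dst_ip": "239.1.1.1"} for _ in range(12)]
    + [{"port": "Fa0/1", "dst_mac": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806}]
)
THRESHOLDS = {"unicast": 20, "broadcast": 5, "multicast": 10}  # assumed levels

if __name__ == "__main__":
    print("ports over threshold:", storm_check(SAMPLE, THRESHOLDS))
    print([acl_action(f) for f in (SAMPLE[0], SAMPLE[30], SAMPLE[-1])])
```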
