Blocking hacker attacks starts at the access switch

Source: Internet
Author: User
Tags: cisco switch

A broadband network access switch is usually connected directly to user terminals. Once a user terminal is infected with a worm, the traffic it generates consumes bandwidth and switch resources and can even paralyse the network, as was common during the Slammer and Blaster ("shock wave") outbreaks. What security risks does a broadband access switch face, and how can they be resolved? We examine them one by one below.

Switch risks

Using packet-capture tools, I often capture large volumes of abnormal packets. They consume network bandwidth on the one hand and the resources of network devices on the other, affecting the normal operation of the network.

Abnormal unicast packets: most unicast traffic is sent to the gateway, which forwards or discards it according to its routing table. Unicast traffic destined for private IP addresses is automatically discarded by the layer-3 switches or routers of the public network; if the user has obtained a public IP address, the unicast traffic is forwarded onward and affects a wider range of networks. Take the Blaster worm as an example: as soon as an infected host detects that the network is available, it starts an attack-propagation thread and generates target addresses at random. During the most severe phase of the Blaster outbreak, network speed dropped markedly, some access-layer switches and small routers even crashed, the CPU usage of the core layer-3 switches reached 100%, and operators had to block ICMP packets.

Abnormal broadcast packets: broadcast is a necessary mechanism for certain protocols. Broadcast packets are sent to every host in a given network segment; each host processes the received packet and decides whether to respond or discard it, so both network bandwidth and host performance are consumed. With port isolation, broadcast packets can be restricted to the upstream port only, which reduces the impact on the links and hosts of the local segment but does nothing about the impact on aggregation-layer and core-layer devices. If several residential cells share one VLAN on the aggregation or core device, the broadcast traffic is returned through that upper-layer device to the other cells, where it continues to occupy link bandwidth and degrade host performance; this configuration is widespread in current broadband networks.

Abnormal multicast packets: multicast information serves only some of the users in the network; its destination is the set of hosts that have applied to join the multicast group. Hosts that have not applied to join should not receive these packets, yet in practice they often still do. Why are multicast packets forwarded to hosts that have not joined? To implement multicast, a layer-2 switch uses the GMRP multicast registration protocol or IGMP snooping to maintain a dynamic multicast table and then forwards multicast packets only to the ports of the group's members, achieving layer-2 multicast within the VLAN. If IGMP snooping is not running, multicast packets are simply broadcast at layer 2, and that is why multicast flooding occurs.

As broadband networks spread and video applications multiply, multicast will be used more widely. Abnormal multicast traffic will then appear not only at layer 2 of the network but will also be routed along the whole multicast tree, and with large volumes of video traffic it is difficult to tell normal traffic from abnormal traffic. Multicast is therefore harder to control.

In short, applications on the LAN may be exploited by viruses, and if abnormal traffic is not effectively restricted it will consume network bandwidth and device resources. It is therefore particularly important to add intelligence to user-facing layer-2 switches so that problems are isolated within the smallest possible range.

Countermeasures to resolve the risks

With the traffic-control functions of the switch, abnormal traffic passing through a port can be limited to a certain range. Cisco switches, for example, provide port-based traffic control in the form of storm control, port protection and port security. Storm control reduces the network slowdown caused by unicast, broadcast or multicast packets: a threshold is set for each traffic type, and when the port's traffic reaches that value the control action is taken, up to shutting the port down. Port protection is similar to port isolation: ports configured as protected do not exchange any traffic with one another. Port security imposes port-level access restrictions on unauthorised addresses. Huawei switches likewise provide port controls such as traffic (flow) control and a broadcast-storm suppression ratio. Traffic control notifies the peer to pause sending temporarily when the link between two switches is congested, avoiding packet loss; broadcast-storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the set value.
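The port-level controls described above, as an added Catalyst-style IOS configuration that is not from the original article or from any vendor document; the interface name, VLAN, thresholds and MAC-address limit are assumed values for a user-facing access port, and IGMP snooping is enabled so that multicast follows group membership instead of flooding the VLAN:

```cisco
! Added example configuration (not from the article). Values are assumptions.
!
! Layer-2 multicast follows IGMP membership instead of being flooded in the VLAN
ip igmp snooping
!
interface GigabitEthernet0/1
 description user-facing access port (assumed)
 switchport mode access
 switchport access vlan 10
 !
 ! Storm control: one threshold per traffic type, as a percentage of port
 ! bandwidth (rising and optional falling level). When the rising level is
 ! crossed the port is err-disabled; "storm-control action trap" would only alert.
 storm-control broadcast level 5.00 2.00
 storm-control multicast level 10.00
 storm-control unicast level 30.00
 storm-control action shutdown
 !
 ! Port protection: protected ports in the same VLAN exchange no layer-2
 ! traffic with each other, only with unprotected (uplink) ports
 switchport protected
 !
 ! Port security: at most two learned MAC addresses; a violation drops the
 ! offending frames, counts them and raises a trap without shutting the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Bring a port shut down by storm control back after 5 minutes
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification: show storm-control, show port-security interface GigabitEthernet0/1,
! show ip igmp snooping groups
```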

However, a switch's traffic-control functions can only rate-limit all traffic of a given type passing through a port, confining abnormal broadcast and multicast traffic to a certain range; they cannot tell normal traffic from abnormal traffic, and an appropriate threshold is hard to choose. For finer control of packets, use an ACL (access control list). An ACL filters incoming and outgoing packets by IP address and TCP/UDP port and decides, according to preset conditions, whether a packet is forwarded or blocked. Both Cisco and Huawei switches support IP ACLs and MAC ACLs, each in a standard and an extended format. A standard ACL filters on the source address and the upper-layer protocol type; an extended ACL filters on the source address, destination address and upper-layer protocol type.

By dividing network traffic into classes, abnormal traffic of each kind can be controlled separately: the protocol field of the IP packet is used to control abnormal unicast traffic, the type field of the Ethernet frame is used to control abnormal broadcast packets, and the IP address range is used to control multicast packets. Beyond these control methods, network administrators also need to watch for abnormal network traffic, locate the source host of the abnormal traffic in time and eliminate the fault.
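The three-way split above, as an added Catalyst-style IOS example that is not from the original article: one IP ACL matching on the IP protocol field (unicast) and on the multicast destination range, and one MAC ACL matching on the Ethernet type field (broadcast). The subnet 192.168.10.0/24, the video group range 239.1.0.0/16, the EtherType chosen as the example of non-IP broadcast and the interface name are all assumptions.

```cisco
! Added example (not from the article). Addresses, names and the EtherType are assumptions.
! A layer-2 port takes one IP ACL and one MAC ACL inbound, so the unicast and
! multicast rules live in the same IP ACL and are evaluated top to bottom.
ip access-list extended IP-TRAFFIC-CONTROL
 ! Multicast: match on the destination range 224.0.0.0/4. Keep link-local groups
 ! (224.0.0.0/24, used by routing/redundancy protocols) and the video service's
 ! groups; drop every other group before the general unicast rules apply.
 permit ip any 224.0.0.0 0.0.0.255
 permit ip any 239.1.0.0 0.0.255.255
 deny   ip any 224.0.0.0 15.255.255.255
 ! Unicast: match on the IP protocol field. The article recalls operators having to
 ! block ICMP during the Blaster outbreak; here ICMP stays usable inside the cell's
 ! own subnet and is dropped towards everything else.
 permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   icmp any any
 permit ip any any
!
! Broadcast: match on the Ethernet type field. Frames to the broadcast address
! carrying a non-IP EtherType (0x8137, Novell IPX, used as the example) are dropped;
! ARP and IP broadcasts are left to storm control.
mac access-list extended BROADCAST-CONTROL
 deny   any host ffff.ffff.ffff 0x8137 0x0000
 permit any any
!
interface GigabitEthernet0/1
 ip access-group IP-TRAFFIC-CONTROL in
 mac access-group BROADCAST-CONTROL in
!
! Verification: show access-lists (hit counters per entry),
! show mac access-group interface GigabitEthernet0/1
```

Hit counters on the deny entries are the quickest way to find the port, and thus the source host, that is generating the abnormal traffic.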
