Networks carry a large number of malicious attack packets aimed at the CPU. Processing these packets keeps the CPU busy and causes frequent interruptions, which in turn intermittently affects other services, degrades CPU performance and drives utilization up. The CPU therefore needs to be protected so that it can keep processing normal services. CPU protection restricts the packets sent to the CPU so that the number sent per unit of time stays within a certain range.

Two functions provide this protection: a blacklist function and CPCAR (Control Plane Committed Access Rate). CPCAR protects the control plane by limiting the rate of the protocol packets of the different control-plane services. It consists of queue-based scheduling and rate limiting, plus a unified rate limit for all packets.

The queues used for scheduling are of two kinds. With exclusive queues, the device dynamically allocates queue resources to a service that uses one and reclaims them when the service ends. With the shared queue, the device automatically assigns all newly enabled services to the shared queue and rate-limits them through it.

The unified rate limit for all packets caps the total number of packets the CPU processes. It lets the CPU handle as many packets as possible within its normal processing capacity without becoming abnormal, which keeps the device CPU running normally.

To configure CPU protection, first create an attack defense policy, then configure the local attack defense function inside that policy.
- Run `cpu-defend policy policy-name` to create an attack defense policy. The device supports up to 17 attack defense policies. devicename-default is the default policy that the system generates automatically; it is applied to the device by default and cannot be deleted or modified. Users can create, modify and delete the remaining 16.
- Run `description text` to configure a description for the attack defense policy. By default, an attack defense policy has no description.
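
The three controls described above (blacklist, per-protocol rate limit, unified limit on all packets) can be modeled with token buckets to see how they interact under a flood. This is an added illustration, not device code or vendor configuration; the class names, addresses, rates, check order and the token-bucket mechanism itself are assumptions, and the traffic is constructed.

```python
from collections import Counter

class Bucket:
    """Token bucket kept in integer milli-tokens so the results are exact."""
    def __init__(self, pps, burst):
        self.pps, self.cap = pps, burst * 1000
        self.level, self.last_ms = self.cap, 0

    def has_token(self, now_ms):
        # Refill for the elapsed time, capped at the burst size.
        self.level = min(self.cap, self.level + (now_ms - self.last_ms) * self.pps)
        self.last_ms = now_ms
        return self.level >= 1000

class ControlPlanePolicer:
    """Assumed order: blacklist, per-protocol limit, limit on all packets."""
    def __init__(self, per_protocol, total, blacklist):
        self.per_protocol, self.total = per_protocol, total
        self.blacklist = set(blacklist)
        self.stats = Counter()

    def receive(self, now_ms, src, proto):
        bucket = self.per_protocol[proto]
        if src in self.blacklist:
            verdict = "drop-blacklist"
        elif not bucket.has_token(now_ms):
            verdict = "drop-protocol-limit"
        elif not self.total.has_token(now_ms):
            verdict = "drop-total-limit"
        else:
            bucket.level -= 1000          # one packet costs one token
            self.total.level -= 1000
            verdict = "to-cpu"
        self.stats[proto, verdict] += 1
        return verdict

def simulate(arp_pps, arp_burst):
    """One second of constructed traffic; every rate is an illustrative value."""
    policer = ControlPlanePolicer(
        {"arp": Bucket(arp_pps, arp_burst), "ospf": Bucket(5, 5)},
        total=Bucket(12, 8), blacklist={"198.51.100.7"})
    for tick in range(100):                                  # one tick = 10 ms
        now_ms = tick * 10
        policer.receive(now_ms, "192.0.2.50", "arp")         # 100 pps ARP flood
        if tick % 25 == 0:
            policer.receive(now_ms, "192.0.2.1", "ospf")     # routing hellos
        if tick % 5 == 0:
            policer.receive(now_ms, "198.51.100.7", "arp")   # blacklisted source
    return policer.stats
```

`simulate(1000, 1000)` leaves the ARP limit effectively off, so the flood uses up the unified budget and three of the four OSPF packets are dropped; `simulate(5, 5)` admits 9 ARP packets and all four OSPF packets.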