Table of Contents

Chapter 1 Transient Traffic Interruption on Ports Due to Source MAC Address Attacks Troubleshooting
    1.1 Symptom
    1.2 Related Information
    1.3 Diagnosis
    1.4 Troubleshooting
    1.5 Suggestion and Conclusion
Chapter 1 Transient Traffic Interruption on Ports Due to Source MAC Address Attacks Troubleshooting

1.1 Symptom

As Figure 1-1 shows, the switch is attached to a DSLAM (Digital Subscriber Line Access Multiplexer) downstream and a BAS (Broadband Access Server) upstream. The BAS terminates the users' dial-up PPPoE (Point-to-Point Protocol over Ethernet) sessions. Selective QinQ is enabled on the switch, with VLAN 824 as the user side VLAN and VLAN 1003 as the network side VLAN. The gateway MAC address of the BAS is 0090-1AA0-D47A.

[Figure 1-1 Transient traffic interruption on ports due to source MAC address attacks: BAS -- GE2/0/1 Switch Eth3/0/4 -- DSLAM -- Host A, Host B, Host C]

Fault description: The majority of the hosts attached to the DSLAM are disconnected intermittently. When the fault occurs, the traffic on port Ethernet 3/0/4 drops rapidly and all incoming unicast packets are discarded on the port. Approximately five minutes later, the traffic on port Ethernet 3/0/4 slowly goes back up, indicating that the fault has cleared; the hosts attached to the DSLAM come back online and the network recovers gradually.

1.2 Related Information

<Switch> display interface ethernet 3/0/4
Ethernet3/0/4 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e200-8048
Description: Ethernet3/0/4 Interface
Loopback is not set
Media type is twisted pair, port hardware type is 100_BASE_TX
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 9022
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Port link-type: trunk
 VLAN Passing  : 824
 VLAN Permitted: 824
 Trunk port encapsulation: IEEE 802.1q
Port priority: 0
Last 300 seconds input:  1 packets/sec 147 bytes/sec
Last 300 seconds output: 1 packets/sec 179 bytes/sec
Input (total): 271 packets, 12250 bytes    // Only broadcast and multicast packets were counted while the fault was present.
         150 broadcasts, 121 multicasts
Input (normal): 271 packets, 12250 bytes
         150 broadcasts, 121 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
       0 CRC, 0 frame, - overruns, 0 aborts
       - ignored, - parity errors
Output (total): 1522 packets, 183608303 bytes
         13 broadcasts, 860 multicasts, 0 pauses
Output (normal): 1522 packets, - bytes
         13 broadcasts, 860 multicasts, 0 pauses
Output: 0 output errors, - underruns, 1 buffer failures
        0 aborts, 0 deferred, 0 collisions, 0 late collisions
        0 lost carrier, - no carrier

1.3 Diagnosis

The output above shows that only multicast and broadcast packets were received on port Ethernet 3/0/4 of the switch while the fault was present (150 broadcasts + 121 multicasts = 271 packets in total, so the unicast input count is zero). It follows that incoming unicast packets are being discarded on port Ethernet 3/0/4 of the switch. Since the traffic of the hosts attached to the DSLAM consists mainly of unicast packets, this unicast packet loss disconnects the hosts and forces them to log on again, which is why the traffic on the port drops so sharply. The fault can therefore be attributed to packet loss.

This packet loss behaves like the discarding of packets "returned to the source port": the port receives packets whose destination MAC address is one the switch has learned on that same port, and a bridge discards a frame whose destination MAC address resolves to the very port the frame arrived on. Normally, the MAC address of the BAS (the destination MAC address of the PPPoE unicast packets reaching port Ethernet 3/0/4 of the switch) can only be learned on GigabitEthernet 2/0/1 of the switch in VLAN 1003 (the external VLAN), never on a user side port, unless there is a loop in the network. Below is the MAC address table of the switch in the normal case:

<Switch> display mac-address
MAC ADDR         VLAN ID   STATE     PORT INDEX             AGING TIME(s)
0090-1aa0-d47a   1003      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   1101      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   1201      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   4093      Learned   GigabitEthernet2/0/1   AGING

Below is the MAC address learned by port Ethernet 3/0/4 of the switch when the fault occurs:

0090-1aa0-d47a   824       Learned   Ethernet3/0/4          AGING

The entry displayed is the MAC address of the BAS, but it has been learned on port Ethernet 3/0/4 of the switch (a user side port) in VLAN 824. Because the destination MAC address of every PPPoE service packet reaching port Ethernet 3/0/4 is precisely the MAC address of the BAS, all such PPPoE packets are treated as packets returned to the source port and are discarded.

Comparing the fault location information collected before and after the fault occurs reveals the pattern: whenever the majority of the hosts attached to the DSLAM are disconnected (that is, a large number of packets are discarded on the port), the MAC address of the BAS has been learned on port Ethernet 3/0/4 of the switch.
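The two checks used in the diagnosis above (is the gateway MAC learned on a port other than the uplink, and has unicast input on the user port dropped to zero) can be automated against captured command output. The following Python is an added example written for this page, not H3C code; the sample outputs are constructed copies of the listings shown above, and the uplink port set and the gateway MAC are assumed from the topology in Figure 1-1.

```python
import re

# Constructed sample outputs, modelled on the 'display mac-address' and
# 'display interface' listings shown on this page (not live captures).
NORMAL_MAC_TABLE = """\
MAC ADDR         VLAN ID   STATE     PORT INDEX             AGING TIME(s)
0090-1aa0-d47a   1003      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   1101      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   1201      Learned   GigabitEthernet2/0/1   AGING
0090-1aa0-d47a   4093      Learned   GigabitEthernet2/0/1   AGING
"""
FAULT_MAC_TABLE = NORMAL_MAC_TABLE + \
    "0090-1aa0-d47a   824       Learned   Ethernet3/0/4          AGING\n"

FAULT_INTERFACE = """\
Ethernet3/0/4 current state: UP
Input (total): 271 packets, 12250 bytes
         150 broadcasts, 121 multicasts
Output (total): 1522 packets, 183608303 bytes
         13 broadcasts, 860 multicasts, 0 pauses
"""

GATEWAY_MAC = "0090-1aa0-d47a"            # BAS gateway MAC from the page
UPLINK_PORTS = {"GigabitEthernet2/0/1"}   # assumed: the only uplink in Figure 1-1

MAC_ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def parse_mac_table(text):
    """Return one dict per entry of a 'display mac-address' listing (header line is skipped)."""
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            mac, vlan, state, port, aging = m.groups()
            entries.append({"mac": mac.lower(), "vlan": int(vlan),
                            "state": state, "port": port, "aging": aging})
    return entries


def gateway_on_user_ports(entries, gateway_mac, uplink_ports):
    """(vlan, port) pairs where the gateway MAC was learned on a non-uplink port."""
    return [(e["vlan"], e["port"]) for e in entries
            if e["mac"] == gateway_mac.lower() and e["port"] not in uplink_ports]


INPUT_TOTAL = re.compile(r"Input \(total\):\s*(\d+) packets")
INPUT_SPLIT = re.compile(r"(\d+) broadcasts,\s*(\d+) multicasts")


def unicast_input_count(text):
    """Unicast input = total input packets minus broadcasts and multicasts.

    The display lists only the broadcast/multicast breakdown under the
    'Input (total)' line, so unicast has to be derived.
    """
    total_match = INPUT_TOTAL.search(text)
    total = int(total_match.group(1))
    breakdown = INPUT_SPLIT.search(text, total_match.end())
    bcast, mcast = map(int, breakdown.groups())
    return total - bcast - mcast


def diagnose(mac_table_text, interface_text,
             gateway_mac=GATEWAY_MAC, uplink_ports=UPLINK_PORTS):
    """Gateway MAC misplaced onto a user port AND zero unicast input -> spoofing suspected."""
    misplaced = gateway_on_user_ports(parse_mac_table(mac_table_text),
                                      gateway_mac, uplink_ports)
    unicast = unicast_input_count(interface_text)
    return {"gateway_misplaced": misplaced,
            "unicast_in": unicast,
            "spoofing_suspected": bool(misplaced) and unicast == 0}


if __name__ == "__main__":
    print(diagnose(NORMAL_MAC_TABLE, FAULT_INTERFACE))
    print(diagnose(FAULT_MAC_TABLE, FAULT_INTERFACE))
```

Run periodically (or against archived outputs from before and after an outage), the `gateway_misplaced` list pinpoints the user port and VLAN on which the spoofed source MAC arrived, which is exactly the correlation the diagnosis relies on.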
As the traffic gradually recovers, the spoofed entry ages out (the default dynamic MAC address aging time on the switch is 300 seconds, which matches the roughly five-minute outage). As the DSLAM and the switch are directly connected, no loop exists between them and the network topology is stable throughout. The conclusion is therefore: a host attached to the DSLAM is attacking the switch by spoofing the gateway MAC address, and this causes the majority of the hosts attached to the DSLAM to be disconnected. The attacker's intention is to obtain more bandwidth by disconnecting the other users and forcing the network to reinitialise; while the other users are offline, the attacker enjoys a faster connection.
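To make the mechanism concrete, here is an added Python model of the bridging behaviour the diagnosis describes (example code written for this page, not the switch's implementation). It is deliberately simplified: a single VLAN 824 with the user port and the uplink, no QinQ tagging, and dynamic entries that follow the most recent source port unless a static entry pins them. Host A's MAC is constructed; the page does not say what the real switch does with the spoofed frame itself, so the model only refrains from re-learning a pinned entry. The second run shows the effect of the static entry applied in section 1.4.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    static: bool = False


class Bridge:
    """Minimal learning bridge: MAC table keyed by (vlan, mac); static entries are never overwritten."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}

    def add_static(self, mac, vlan, port):
        self.table[(vlan, mac.lower())] = Entry(port, static=True)

    def learned_port(self, mac, vlan):
        entry = self.table.get((vlan, mac.lower()))
        return entry.port if entry else None

    def receive(self, in_port, vlan, src, dst):
        """Learn src on in_port (unless pinned) and return the forwarding decision for dst."""
        key = (vlan, src.lower())
        if key not in self.table or not self.table[key].static:
            self.table[key] = Entry(in_port)   # dynamic learning follows the latest source port
        entry = self.table.get((vlan, dst.lower()))
        if entry is None:
            # unknown destination: flood to every other port in the VLAN
            return ("flood", [p for p in self.ports if p != in_port])
        if entry.port == in_port:
            # destination learned on the ingress port: 'returned to the source port', discard
            return ("discard", in_port)
        return ("forward", entry.port)


BAS = "0090-1aa0-d47a"              # gateway MAC from the page
HOST_A = "0011-2233-4455"           # constructed subscriber MAC
USER_PORT = "Ethernet3/0/4"
UPLINK = "GigabitEthernet2/0/1"
USER_VLAN = 824


def run_scenario(pin_gateway):
    """Replay the attack; with pin_gateway=True the static entry from section 1.4 is present."""
    bridge = Bridge([USER_PORT, UPLINK])
    if pin_gateway:
        bridge.add_static(BAS, USER_VLAN, UPLINK)
    decisions = []
    # 1. BAS frame to Host A arrives on the uplink: BAS MAC learned (or already pinned) there
    decisions.append(bridge.receive(UPLINK, USER_VLAN, BAS, HOST_A))
    # 2. Host A PPPoE frame to the BAS is forwarded up the uplink
    decisions.append(bridge.receive(USER_PORT, USER_VLAN, HOST_A, BAS))
    # 3. attacker behind the DSLAM sends a frame whose SOURCE MAC is the BAS MAC
    decisions.append(bridge.receive(USER_PORT, USER_VLAN, BAS, "ffff-ffff-ffff"))
    # 4. Host A tries again: discarded if the BAS entry moved to the user port
    decisions.append(bridge.receive(USER_PORT, USER_VLAN, HOST_A, BAS))
    return decisions, bridge.learned_port(BAS, USER_VLAN)


if __name__ == "__main__":
    for pinned in (False, True):
        decisions, bas_port = run_scenario(pinned)
        print(f"static entry={pinned}: BAS now on {bas_port}; step 4 -> {decisions[3]}")
```

Without the static entry, step 3 moves the BAS MAC to Ethernet3/0/4 and every subsequent subscriber frame to the gateway is discarded until the entry ages out; with the entry pinned on GigabitEthernet2/0/1, step 3 changes nothing and step 4 is forwarded normally.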
1.4 Troubleshooting

On port GigabitEthernet 2/0/1 of the switch (the uplink port), configure a static entry for the gateway MAC address in the user side VLAN 824. The gateway MAC address can then never be learned dynamically on port Ethernet 3/0/4 of the switch, so an attack by MAC address spoofing fails. The configuration follows.

# Add port GigabitEthernet 2/0/1 to VLAN 824.
<Switch> system-view
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk permit vlan 824

# Configure a static gateway MAC address on port GigabitEthernet 2/0/1 for VLAN 824.
[Switch-GigabitEthernet2/0/1] quit
[Switch] mac-address static 0090-1aa0-d47a interface gigabitethernet 2/0/1 vlan 824

After the static MAC address is configured, the hosts attached to the DSLAM run normally and are no longer disconnected.

Note: If there are multiple uplink ports, configuring the static MAC address on any one of them solves the problem.

1.5 Suggestion and Conclusion

When selective QinQ is enabled, it is recommended to configure a static gateway MAC address on an uplink port of the device to prevent source MAC address attacks. Two points to keep in mind: the static entry pins only the gateway MAC address, so a host can still spoof the MAC address of another individual subscriber and disrupt that subscriber's traffic; and the entry must be updated whenever the gateway MAC address changes (for example, when the BAS or its line card is replaced), otherwise the new gateway MAC address is learned dynamically again and can be spoofed just as before.

Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.