Let’s assume that a large number of packets are sent to the CPU of a device. What will happen if most of these packets are malicious attack packets? CPU usage will become high, which can degrade services. In extreme cases it can cause the device to reboot. We can minimize the impact of the attack on network services by providing the local attack defense function. When such an attack occurs, this function ensures non-stop service transmission.
Attack Defense Policy Supported by AR routers:
CPU attack defense:
- The device uses blacklists to filter invalid packets sent to the CPU
- The device limits the rate of packets sent to the CPU based on the protocol type
- The device schedules packets sent to the CPU based on priorities of protocol packets
- The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU
- ALP is enabled to protect HTTP, FTP and BGP sessions. Packets matching the characteristics of these sessions are sent at a high rate, which is why session-related services are ensured.
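
The first four mechanisms in the list above can be modelled as a one-second policing pass over CPU-bound packets. This is an added example, not Huawei code or configuration. The stage order, the CPU budget, the addresses and every limit are constructed assumptions, all protocols are assumed to be in the tables, and ALP is not modelled.

```python
import random
from collections import Counter

# Every value here is constructed for illustration; none is a device default.
BLACKLIST = {"203.0.113.66"}                                   # stage 1
PROTO_LIMIT = {"bgp": 100, "ftp": 100, "arp": 50, "icmp": 30}  # stage 2, pps
PROTO_PRIORITY = {"bgp": 3, "ftp": 2, "arp": 1, "icmp": 1}     # higher first
PRIORITY_LIMIT = {3: 100, 2: 100, 1: 60}                       # stage 3, pps
CPU_BUDGET = 100   # assumed number of packets the CPU serves per second

def police_one_second(packets, rng):
    """packets: (src_ip, protocol) tuples seen in one second.
    Returns (delivered, drops) where drops counts packets per drop reason."""
    drops, seen = Counter(), Counter()
    queues = {prio: [] for prio in PRIORITY_LIMIT}
    for src, proto in packets:
        if src in BLACKLIST:                       # blacklist filter
            drops["blacklist"] += 1
        elif seen[proto] >= PROTO_LIMIT[proto]:    # per-protocol rate limit
            drops["proto_limit"] += 1
        else:
            seen[proto] += 1
            queues[PROTO_PRIORITY[proto]].append((src, proto))
    delivered = []
    for prio in sorted(queues, reverse=True):      # highest priority first
        queue, limit = queues[prio], PRIORITY_LIMIT[prio]
        if len(queue) > limit:                     # random discard of excess
            drops["priority_limit"] += len(queue) - limit
            queue = rng.sample(queue, limit)
        room = CPU_BUDGET - len(delivered)         # what the CPU can still take
        drops["cpu_budget"] += max(0, len(queue) - room)
        delivered.extend(queue[:room])
    return delivered, drops

def sample_traffic():
    """Constructed one-second burst: a flood plus legitimate control traffic."""
    flood = [("203.0.113.66", "icmp")] * 5000
    arp_storm = [(f"198.51.100.{i % 250 + 1}", "arp") for i in range(1000)]
    legit = ([("192.0.2.1", "bgp")] * 20 + [("192.0.2.2", "ftp")] * 40
             + [("192.0.2.10", "icmp")] * 40)
    return flood + arp_storm + legit

if __name__ == "__main__":
    delivered, drops = police_one_second(sample_traffic(), random.Random(1))
    print(Counter(proto for _, proto in delivered), dict(drops))
```

With this input, all BGP and FTP packets reach the CPU, while the low-priority ARP and ICMP traffic absorbs every drop.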