AARF Principles
Generally speaking, a protocol packet anti-attack function works by counting the packets sent to the CPU, computing the rate at which they arrive, and comparing that rate with a configured attack threshold. When the rate reaches the threshold, the protocol packets are treated as attack traffic, and the device applies a restriction to the host responsible, such as discarding the packets at the CPU, rate-limiting them, or filtering them, so that the CPU is protected.
From an implementation point of view, the anti-attack functions for different protocol packets share the same mechanisms for packet statistics, attack identification, attack-policy application, and so on. This common processing is abstracted into a framework, AARF. AARF implements the processing mechanisms that all anti-attack modules share, which improves the scalability of the anti-attack modules and reduces the work of developing an anti-attack module for a new protocol.
Currently, AARF supports ARP guard (arp-guard).
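As an added illustration (example code written for this page, not the vendor's code and not AARF's actual implementation), the following Python model shows the common processing described above: a generic framework counts packets sent to the CPU per protocol and per host over a one-second sliding window, compares the count with the module's threshold, and applies the configured restriction for a hold period; the protocol-specific part (here an ARP guard module that identifies the host by sender MAC) only registers a host-key function and a policy. The class and function names, the window size, the thresholds, the hold time and the sample traffic are all assumptions.

```python
"""Added example, not vendor code: a minimal model of an AARF-style
rate-threshold framework. Class, function and field names, the 1 s window,
the thresholds and the packet records are all assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "none"                # below threshold: deliver to the CPU normally
    RATE_LIMIT = "rate-limit"    # keep delivering, but at a capped rate
    DROP = "drop"                # discard the host's packets at the CPU
    FILTER = "filter"            # filter the host before it reaches the CPU


@dataclass(frozen=True)
class Policy:
    threshold_pps: int           # packets per second that counts as an attack
    action: Action               # restriction applied to the offending host
    hold_seconds: float = 10.0   # how long the restriction stays in place


class AttackRateFramework:
    """The common part every protocol module shares: count packets sent to
    the CPU per (protocol, host) over a sliding window, compare the count
    with the module's threshold, and apply or expire the configured action."""
    WINDOW_SECONDS = 1.0

    def __init__(self):
        self.modules = {}                    # proto -> (host_key_func, Policy)
        self.windows = defaultdict(deque)    # (proto, host) -> packet timestamps
        self.restricted = {}                 # (proto, host) -> (Action, expiry)
        self.events = []                     # (time, proto, host, Action)

    def register(self, proto, host_key, policy):
        """A protocol module supplies only how to identify the host and its policy."""
        self.modules[proto] = (host_key, policy)

    def on_packet_to_cpu(self, proto, pkt, now):
        """Return the action applied to this packet (NONE if it is delivered)."""
        host_key, policy = self.modules[proto]
        key = (proto, host_key(pkt))
        # A restriction already in force covers the packet until it expires.
        active = self.restricted.get(key)
        if active is not None:
            if now < active[1]:
                return active[0]
            del self.restricted[key]
        # Slide the window forward and count this packet.
        window = self.windows[key]
        window.append(now)
        while window and now - window[0] >= self.WINDOW_SECONDS:
            window.popleft()
        if len(window) >= policy.threshold_pps:
            # Rate reached the threshold: restrict the host and record it.
            self.restricted[key] = (policy.action, now + policy.hold_seconds)
            self.events.append((now, proto, key[1], policy.action))
            window.clear()
            return policy.action
        return Action.NONE


def arp_host_key(pkt):
    """ARP guard module: identify the host by the sender MAC (assumption)."""
    return pkt["sender_mac"]


def run_demo():
    """Constructed traffic: one host at a normal ARP rate, one flooding."""
    fw = AttackRateFramework()
    fw.register("arp", arp_host_key, Policy(threshold_pps=5, action=Action.DROP))
    results = defaultdict(list)
    normal = "00:11:22:33:44:55"       # constructed address
    flooder = "de:ad:be:ef:00:01"      # constructed address
    # Normal host: one ARP request every 0.5 s for 3 s (2 pps), never restricted.
    for i in range(6):
        results[normal].append(fw.on_packet_to_cpu("arp", {"sender_mac": normal}, i * 0.5))
    # Flooding host: 20 ARP requests within 0.2 s (100 pps); the 5th packet
    # in the window trips the threshold and the rest are dropped.
    for i in range(20):
        results[flooder].append(
            fw.on_packet_to_cpu("arp", {"sender_mac": flooder}, 1.0 + i * 0.01))
    return fw, dict(results)


if __name__ == "__main__":
    fw, results = run_demo()
    for host, actions in results.items():
        print(host, [a.value for a in actions])
    for t, proto, host, action in fw.events:
        print(f"t={t:.2f}s {proto} {host} -> {action.value}")
```

The framework never inspects packet contents itself; everything protocol-specific lives in the host-key function and the policy, which is what lets a new protocol module be added without touching the counting, comparison or enforcement code.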