- Table of Contents
-
- 10-Security Configuration Guide
- 00-Preface
- 01-AAA Configuration
- 02-802.1X Configuration
- 03-MAC Authentication Configuration
- 04-Portal Configuration
- 05-Password Control Configuration
- 06-Public Key Configuration
- 07-IPsec Configuration
- 08-SSH Configuration
- 09-Packet-Filter Firewall Configuration
- 10-ALG Configuration
- 11-Session Management Configuration
- 12-TCP and ICMP Attack Protection Configuration
- 13-IP Source Guard Configuration
- 14-ARP Attack Protection Configuration
- 15-URPF Configuration
- 16-COPS Configuration
- 17-FIPS Configuration
- 18-PKI Configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
12-TCP and ICMP Attack Protection Configuration | 93.70 KB |
Contents
Configuring TCP and ICMP attack protection
TCP and ICMP attack protection overview
Enabling the SYN Cookie feature
Enabling protection against Naptha attacks
Displaying and maintaining TCP and ICMP attack protection
TCP and ICMP attack protection overview
An attacker can attack the router during the process of TCP connection establishment or by sending a large number of ICMP fragments. To prevent such attacks, the router provides the following features:
· SYN Cookie
· Protection against Naptha attacks
This document describes the attacks these features can prevent, working mechanisms of these features, and configuration procedures.
Enabling the SYN Cookie feature
As a general rule, the establishment of a TCP connection involves the following three handshakes:
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3. After receiving the SYN ACK message, the originator returns an ACK message. Thus, the TCP connection is established.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but they never make any response to SYN ACK messages. As a result, a large amount of incomplete TCP connections are established, resulting in heavy resource consumption and making the server unable to handle services normally.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only after receiving an ACK message from the client can the server establish a connection, and then enter the ESTABLISHED state. In this way, large amounts of incomplete TCP connections could be avoided to protect the server against SYN Flood attacks.
To enable the SYN Cookie feature:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable the SYN Cookie feature. |
tcp syn-cookie enable |
Enabled by default |
|
NOTE: · If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective. For more information about MD5 authentication, see Layer 3—IP Routing Configuration Guide. · With the SYN Cookie feature enabled, only the maximum segment size (MSS), instead of the window’s zoom factor and timestamp, is negotiated during TCP connection establishment. |
Enabling protection against Naptha attacks
Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.
Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request for no data so as to exhaust the memory resource of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections in a state. After the feature is enabled, the device (serving as a TCP server) periodically checks the number of TCP connections in each state. If the device detects that the number of TCP connections in a state exceeds the maximum number, it considers that a Naptha attack occurs and accelerates the aging of TCP connections in this state. The device will stop accelerating the aging of TCP connections when the number of TCP connections in the state is less than 80% of the maximum number (1 at least).
To enable the protection against Naptha attack:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable the protection against Naptha attack. |
tcp anti-naptha enable |
Disabled by default. |
3. Configure the maximum of TCP connections in a state. |
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number |
Optional. 5 by default. If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state will not be accelerated. |
4. Configure the TCP state check interval. |
tcp timer check-state time-value |
Optional. 30 seconds by default. |
|
NOTE: · With the protection against Naptha attack enabled, the router will periodically check and record the number of TCP connections in each state. · With the protection against Naptha attack enabled, if the router detects that the number of TCP connections in a state exceeds the maximum number, the router will consider that as Naptha attacks and accelerate the aging of these TCP connections. The router will not stop accelerating the aging of TCP connections until the number of TCP connections in the state is less than 80% of the maximum number. |
Displaying and maintaining TCP and ICMP attack protection
Task |
Command |
Remarks |
Display current TCP connection state. |
display tcp status [ | { begin | exclude | include } regular-expression ] |
Available in any view |