H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
04-TCP Port Protection Configuration Example
Typical Configuration Example for AFC Defending Against CC Attacks
Example Configuration for Defending Against CC Attacks
Applicable Products and Versions
Typical Configuration Examples for AFC Defending Against SYN Flood Attacks
Typical Configuration Examples for Defending Against SYN Flood Attacks
Applicable Products and Versions
Feature Overview
Description of Typical TCP Configurations in AFC Devices.
This document outlines the standard configurations related to TCP protocols in AFC devices.
TCP port protection allows for specialized settings targeting individual TCP services. It provides defense mechanisms against CC attacks, SYN flood attacks, and other port-based attacks targeting TCP protocol services. Additionally, it enables protocol type filtering to restrict specific protocols and allows editing of protection protocol types for specialized services.
Feature Usage
Document
Version Compatibility and Configuration Guidelines
This document is not strictly version-bound to specific software or hardware releases. If discrepancies arise between the document content and the actual product behavior during use, the device's actual status shall take precedence.
All configurations demonstrated in this document were performed and validated in a laboratory environment. The device was reset to its factory default settings before each configuration test. If you have modified your device's configuration, please ensure that your existing settings do not conflict with the examples provided below to guarantee successful implementation.
Configuration Guide
The configuration of the H3C Abnormal Traffic Cleaning and Detection System covers AFD devices, AFC devices, and switch devices. The basic configuration of switch devices is performed via the command line interface (CLI). For the abnormal traffic cleaning device (AFC), both basic configuration and service-related configurations are implemented through the Web interface.
Typical Configuration Example for AFC Defending Against CC Attacks
Introduction
Usage Restrictions
Example Configuration for Defending Against CC Attacks
Applicable Products and Versions
Networking Requirements
Figure 0‑1 AFC Bypass Deployment Mode Configuration Networking Diagram
Configuration Approach
To enable AFC's capability to defend against CC attacks, configure AFC as follows:
· Enable TCP port protection for port 80.
· Activate the web plugin on the port and adopt application-layer source authentication to defend against CC attacks.
Configuration Precautions
· The web plugin can be enabled in two modes: automatic and manual. To enable the plugin automatically, you need to set the "Attack Frequency Detection" threshold based on your live network traffic conditions and empirical experience.
Configuration Steps
Log in to AFC
Access the login page via browser: https://192.168.0.1 (Username: admin, Password: admin). Refer to the figure below.
Figure 0‑2 AFC Web Login Interface
Add JavaScript Validation Interaction Configuration
JS validation is the most imperceptible protection method in web-based CC defense, capable of automatically identifying whether the source IP is a bot (zombie computer) or a legitimate client IP address. Configuration is as follows.
- Navigate to [Protection] → [Rules Config] → [Applied Rules] and click "Add" to configure the S_HTTP NEW CC V2.1_JS policy for the web address under attack.
Figure 0‑3 Add Rule
Add Redirection Page Interactive Verification Configuration
Redirection Page Interaction: Legitimate users access the system-integrated web channel redirection page. Upon successful verification, they can normally open the target website; otherwise, access is blocked. Bots cannot simulate genuine user interactions to pass the verification. Configuration is as follows.
Figure 0‑4 Add Rule
Problem Page Interactive Verification Configuration
Interactive challenge-response pages represent a widely adopted security measure, akin to implementing CAPTCHA on websites. Legitimate users must correctly respond to verification prompts to gain access, while unauthorized access attempts are blocked—since botnets (compromised devices) are incapable of simulating human-like interactive responses. Configuration details are as follows:
Figure 0‑5 Add Rule
- Under [Protection] → [System Config] → [Http CC], you can add custom-defined question and answer verifications.
Figure 0‑6 Custom Question and Answer Verification
Verification Configuration
Using tools to simulate a CC attack on the protected host:
Client connections exceeding the configured limit are blocked. As shown in the figure, AFC restricts each client to a maximum of 30 connections to port 80. Since 10 clients were simulated, only 300 connections were allowed.
The attack source was added to the blocklist:
The blocking reason is "System Connection Protection."
The protected host entered [SYN] protection mode.
Figure 0‑7 Generate a CC attack using tools
Figure 0‑8 The attacking host's IP address is blocked
Using tools to send a CC attack to the protected host:
The attack frequency exceeds the configured detection threshold of 10. The protected host enters protection mode, and the web plugin is automatically enabled, as shown in the figure.
Figure 0‑9 Generate a CC attack using tools
After the plugin is enabled, accessing the protected server's port 80 displays the source authentication page shown in the figure (customization is not currently supported). Legitimate users are interactive, so they click "Continue Manually" when prompted. Botnets lack this capability.
Figure 0‑10 Enable Web Plugin for Protected Website - Redirection Page Interaction
Typical Configuration Examples for AFC Defending Against SYN Flood Attacks
Introduction
This document provides configuration examples for defending against SYN Flood attacks.
A SYN Flood attack exploits the "vulnerability" in the three-way handshake process of TCP connection establishment. It sends SYN packets with forged source addresses through raw sockets. This prevents the target host from ever completing the three-way handshake, exhausts the system's protocol stack queue, ties up resources that cannot be released, and ultimately results in denial of service. It is one of the most prevalent forms of DDoS attacks on the internet.
Usage Restrictions
Typical Configuration Examples for Defending Against SYN Flood Attacks
Applicable Products and Versions
Software Version: H3C I-Ware Software, Version 7.1, ESS 6401
Networking Requirements
Figure 0‑1 Standalone Series Deployment Mode Configuration and Networking for AFC
Configuration Approach
To enable AFC's capability to defend against SYN Flood attacks, configure AFC according to the following approach:
Adjust the SYN Flood protection threshold in the global parameters based on specific application requirements, leveraging the built-in protection algorithm to intercept attack packets. If the attack frequency does not exceed the SYN Flood protection threshold, AFC will proxy the three-way handshake between the server and client. If the attack frequency exceeds the threshold, AFC will drop the first packet sent by the client and then proxy the three-way handshake between the server and client.
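The two branches described above can be modelled in a few lines. This is an added example, not H3C code: the class name, the threshold of 3, the ageing time and the traffic are constructed, and recognising a retransmission by its (source, destination, port) tuple is an assumption about how "drop the first packet, then proxy" is realised.

```python
from collections import defaultdict

class SynGate:
    """Toy model of the threshold behaviour described above; not H3C code."""

    def __init__(self, syn_pps_threshold, retry_ttl=5.0):
        self.threshold = syn_pps_threshold   # "SYN Packets Per Second" (assumed value)
        self.retry_ttl = retry_ttl           # assumed ageing time for dropped-SYN records
        self.second = None                   # current one-second counting window
        self.syn_count = defaultdict(int)    # server IP -> SYNs seen in this window
        self.first_drop = {}                 # (src, dst, dport) -> time first SYN was dropped

    def on_syn(self, ts, src, dst, dport):
        if int(ts) != self.second:           # new second: restart the per-server counters
            self.second = int(ts)
            self.syn_count.clear()
        self.syn_count[dst] += 1
        if self.syn_count[dst] <= self.threshold:
            return "proxy"                   # below threshold: proxy the handshake at once
        # Above threshold. Age out records so those left by spoofed sources do not pile up.
        self.first_drop = {k: t for k, t in self.first_drop.items()
                           if ts - t <= self.retry_ttl}
        key = (src, dst, dport)
        if key in self.first_drop:           # same client retransmitted its SYN
            del self.first_drop[key]
            return "proxy"
        self.first_drop[key] = ts            # first SYN from this client: drop it
        return "drop"

def sample_events():
    """Constructed traffic: a spoofed flood plus one real client that retransmits."""
    server = "10.0.0.10"
    flood1 = [(100.0 + i / 10, f"203.0.113.{i + 1}", server, 80) for i in range(5)]
    first = [(100.6, "198.51.100.7", server, 80)]
    flood2 = [(101.0 + i / 10, f"203.0.113.{i + 50}", server, 80) for i in range(4)]
    retry = [(101.6, "198.51.100.7", server, 80)]   # TCP retransmission about 1 s later
    return flood1 + first + flood2 + retry

def replay(events, threshold=3):
    gate = SynGate(threshold)
    return [gate.on_syn(*event) for event in events]

if __name__ == "__main__":
    for event, action in zip(sample_events(), replay(sample_events())):
        print(event, "->", action)
```

Spoofed sources never retransmit, so their SYNs stop at the drop step, while a real TCP stack resends and is handed to the handshake proxy.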
Configuration Precautions
Configuration Steps
Log in to AFC
Access the login page via browser: https://192.168.0.1/ (Username: admin, Password: admin). Refer to the figure below.
Figure 0‑2 AFC Web Login
Viewing SYN Protection
- Navigate to [Protection] → [Rules Config] → [Applied Rules] and click Add. The SYN protection module is enabled by default for all addresses.
Figure 0‑3 View Rules
Configuration Validation
Send SYN Flood Attack Traffic to the Test Server
Deploy a test client server either on the core network equipment within the user's network or externally connected to the user's network. Utilize packet generation tools (e.g., Druid, RDDoS, Xcap) or specialized testing instruments to simulate a SYN Flood attack toward the test server. Ensure the attack packet rate exceeds the threshold value set for "SYN Packets Per Second" under [Protection] → [Rules Config] → [Trigger Rules] → [Global Trigger Rules].
Figure 0‑4 Default Protection Threshold S_globar Trigger
The default protection threshold "S_globar Trigger" counts packets and triggers defense mechanisms independently for each server IP address. Specifically, when the packet reception rate of a server exceeds the predefined threshold values listed below, that specific server IP will enter the corresponding defense state, while other IP addresses remain unaffected.
TCP Packets Per Second: When the reception rate of TCP protocol packets with Fin or Urg flag bits by a specific IP address in the AFC system exceeds the configured threshold value, the server will enter the TCP Flood defense state.
ICMP Packets Per Second: When the reception rate of ICMP protocol packets by a specific IP address in the AFC system exceeds the configured threshold value, the server will enter the ICMP Flood defense state.
ACK & RST Packets Per Second: When the reception rate of TCP protocol packets carrying ACK or RST flag bits by a specific IP address in the AFC system exceeds the configured threshold value, the server will enter the TCP ACK Flood defense state.
Other Protocol Packets Per Second: When the reception rate of non-TCP, non-UDP, and non-ICMP protocol packets by a specific IP address in the AFC system exceeds the configured threshold value, the server address will enter the IP Flood defense state.
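The per-server counting described above, sketched as an added example (not H3C code). The threshold values and packet records are constructed; the "SYN Flood" state name and the precedence used when a packet carries several flags are assumptions, since the page does not state them.

```python
from collections import Counter, defaultdict

# Threshold values are constructed for this example; use the ones set on the device.
THRESHOLDS = {"SYN Flood": 5, "TCP Flood": 5, "TCP ACK Flood": 5,
              "ICMP Flood": 5, "IP Flood": 5}

def classify(proto, flags=""):
    """Return the counter a packet feeds, or None if this section defines none for it."""
    if proto == "tcp":
        if "F" in flags or "U" in flags:       # FIN or URG set (checked first: assumption)
            return "TCP Flood"
        if "S" in flags and "A" not in flags:  # bare SYN; state name is an assumption
            return "SYN Flood"
        if "A" in flags or "R" in flags:
            return "TCP ACK Flood"
        return None
    if proto == "icmp":
        return "ICMP Flood"
    if proto == "udp":                         # UDP threshold is not described here
        return None
    return "IP Flood"                          # any non-TCP, non-UDP, non-ICMP protocol

def defense_states(packets, thresholds=THRESHOLDS):
    """packets: iterable of (timestamp, server_ip, proto, tcp_flags)."""
    counts = Counter()
    for ts, dst, proto, flags in packets:
        kind = classify(proto, flags)
        if kind:
            counts[(int(ts), dst, kind)] += 1  # per second, per server IP, per class
    states = defaultdict(set)
    for (_, dst, kind), n in counts.items():
        if n > thresholds[kind]:               # only the server over its threshold reacts
            states[dst].add(kind)
    return {dst: sorted(kinds) for dst, kinds in states.items()}

def sample_packets():
    """Constructed one-second capture for three protected servers."""
    pkts = [(0.1 * i, "10.0.0.10", "tcp", "A") for i in range(8)]     # 8 ACKs
    pkts += [(0.1 * i, "10.0.0.10", "icmp", "") for i in range(3)]    # 3 ICMP
    pkts += [(0.1 * i, "10.0.0.20", "gre", "") for i in range(6)]     # 6 GRE
    pkts += [(0.1 * i, "10.0.0.20", "tcp", "S") for i in range(2)]    # 2 SYNs
    pkts += [(0.1 * i, "10.0.0.30", "tcp", "S") for i in range(4)]    # 4 SYNs
    return pkts

if __name__ == "__main__":
    print(defense_states(sample_packets()))
```

Only 10.0.0.10 and 10.0.0.20 change state; 10.0.0.30 stays below every threshold and is left alone, which is the per-IP isolation the paragraph describes.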
View the traffic received by the test server
Navigate to [Protection] → [Global Status] → [Server List] in the AFC system:
Select [Input Package(pps)] to view the packet reception rate of the test server.
Figure 0‑5 View the input packet rate of the test server
View the intercepted traffic of the test server.
Select [Input Blocked (Mbps)] to view the input traffic interception information of the test server.
Figure 0‑6 View the input traffic interception information of the test server.
View the attack logs of the test server.
Navigate to [Log Center] → [Attack Log] to query the attack log records of the test server:
Figure 0‑7 View the attack logs of the test server.
The SYN flood attack against the test server has been successfully mitigated.


















