- H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
- 00-Preface
- 01-Series Deployment Single-Machine Single-Channel and Multi-Channel Configuration Example
- 02-BGP Layer 3 Bypass Return Path Configuration Example
- 03-BGP Auto-Diversion Deployment with Bypass and Abnormal Traffic Detection System Example
- 04-TCP Port Protection Configuration Example
- 05-AFC Comprehensive Protection Configuration Example
- 06-Typical Configuration Examples of Traction Management Example
- 07-OSPF Layer 2 Reintroduction Configuration Example
- 08-Cascaded Cluster and Dual-Node Active-Standby Configuration Example
- 09-Bypass BGP Layer 2 Return Traffic Configuration Example
- 10-OSPF-Based Three-Layer Return Injection Configuration Example
- 11-BGP-Based Three-Layer Injection Configuration Example for Bypass Single-Device Multi-Channel Deployment
- 12-BGP-Based Three-Layer Injection Configuration Example for Bypass Multi-Device Cluster Deployment
- 13-Bypass GRE Layer 3 Return Injection Configuration Example
- 14-Typical Configuration for HTTPS CC Protection Example
- Example of Typical Configuration for AFC Defense Against Flood Attacks
- Example of Typical Configuration for AFC Defense Against All Types of Attacks
  - Applicable Products and Versions
  - Network Deployment Requirements
Feature Overview
This document introduces typical TCP-related configurations on AFC devices. TCP port protection enables customized settings for individual TCP services, defending against CC attacks, SYN floods, and port-based attacks on TCP protocol services. It allows protocol-type-based filtering to restrict specified protocols and supports editing the protected protocol types for specialized services.
Feature Usage
All configurations demonstrated in this document were performed and validated in a laboratory environment, with every device reset to factory default settings before configuration. If the device has been configured previously, verify that the existing configuration does not conflict with the examples below; otherwise the configuration may not take effect as described.
Configuration Guide
Switch basic configurations are performed via the command line interface (CLI), while the AFC's basic and service-related configurations are configured through the Web interface.
Example of Typical Configuration for AFC Defense Against Flood Attacks
Introduction
When a protected IP trips the global trigger rules, the system activates the global filtering module, which filters on transport-protocol characteristics and at the same time samples and compares the passing traffic. The sampled data is handed to protocol-specific modules for deeper analysis, such as HTTP, DNS, UDP audio/video streams, and TCP game traffic. This maximizes the automatic filtering of attack traffic while letting legitimate traffic through.
Example of Typical Configuration for AFC Defense Against All Types of Attacks
Applicable Products and Versions
Software Version: H3C i-Ware Software, Version 7.1, ESS 6401
Network Deployment Requirements
Figure 0‑1 AFC Single-Device Single-Channel Series Deployment Mode Configuration Networking
Configuration Approach
SYN Flood Attack Protection Mechanism (SYN Packet Threshold Control Based on Global Trigger Rules)
AFC implements graded protection against SYN Flood attacks by setting global SYN packet thresholds. The specific processing flow is as follows:
Normal State (SYN Packet Rate Below Threshold)
When the number of SYN packets received by the target server per second is lower than the "per-second SYN packet count" threshold set in the global trigger rules, AFC treats the current traffic as normal and passes the received SYN packets through without further processing.
Light Protection (Rate Exceeds Primary Threshold)
When the per-second SYN packet count for the target server exceeds the "per-second SYN packet count" threshold but remains below the "per-server SYN strict protection trigger count", AFC activates the proxy handshake mechanism: AFC completes the three-way handshake with the client on the server's behalf, and the connection is forwarded to the server only after the handshake completes. SYN requests with spoofed source IPs never complete the handshake and are therefore identified and blocked.
Strict Protection (Rate Exceeds High-Intensity Threshold)
When the per-second SYN packet count for the target server exceeds the "per-server SYN strict protection trigger count", AFC enables the enhanced security policy: on receiving the first SYN packet from a client, AFC discards it and waits for the client to retransmit (a real TCP stack retransmits an unanswered SYN; a spoofing flood source does not); for the retransmitted SYN, AFC performs the proxy three-way handshake so that only legitimate requests are forwarded to the server.
Configuration Precautions
For SYN Flood attacks, AFC's built-in protection algorithm intercepts attack packets directly, so the key configuration task is adjusting the SYN Flood protection threshold in the global trigger parameters to suit the specific application.
It is recommended to use the default [S_globar Trigger] value for the global trigger rule parameters. For special business IPs, observe the per-second TCP/UDP/ICMP packet counts of the server during normal operation in the server list, and set the parameters to twice the normal business volume so that ordinary traffic peaks do not trip the trigger.
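The three-state decision described under the SYN Flood protection mechanism, together with the twice-the-baseline tuning rule above, as an added Python model. This is illustrative code written for this page, not H3C's implementation or an AFC configuration artifact: the class and function names, the per-second counting, the same-second retransmission, and the constructed traffic (the server 200.2.0.100 from the verification step, three quiet clients, then a 50-packet spoofed-source burst with one real client behind it) are all assumptions. The two thresholds correspond to the two global trigger parameters named in the text.

```python
from collections import defaultdict
from dataclasses import dataclass, field

NORMAL, LIGHT, STRICT = "normal", "light", "strict"


def syn_threshold_from_baseline(normal_syn_pps: int) -> int:
    """Tuning rule from the text: set the per-second SYN trigger for a
    server to twice the SYN rate seen during normal business."""
    return 2 * normal_syn_pps


@dataclass
class SynFloodGuard:
    """Per-server graded SYN protection (illustrative model, not AFC code).
    syn_pps_threshold is the global "SYN packets per second" trigger and
    strict_trigger the "per-server SYN strict protection trigger count"."""
    syn_pps_threshold: int
    strict_trigger: int
    _rate: dict = field(default_factory=lambda: defaultdict(int))  # (server, second) -> SYNs seen
    _dropped_once: set = field(default_factory=set)  # (client, server) whose first SYN was discarded
    _half_open: set = field(default_factory=set)     # (client, server) handshakes AFC is proxying

    def state(self, server: str, second: int) -> str:
        rate = self._rate[(server, second)]
        if rate < self.syn_pps_threshold:
            return NORMAL
        if rate < self.strict_trigger:
            return LIGHT
        return STRICT

    def on_syn(self, client: str, server: str, second: int) -> str:
        """What AFC does with one SYN: "pass" it to the server, "proxy" the
        handshake itself, or "drop" it and wait for a retransmission."""
        self._rate[(server, second)] += 1
        key = (client, server)
        mode = self.state(server, second)
        if mode == NORMAL:
            return "pass"
        if mode == STRICT and key not in self._dropped_once:
            self._dropped_once.add(key)  # first SYN discarded; a real stack retransmits
            return "drop"
        self._half_open.add(key)         # AFC answers SYN-ACK; the server is not yet involved
        return "proxy"

    def on_ack(self, client: str, server: str) -> bool:
        """Final ACK of a proxied handshake: only now does the connection
        reach the server. A spoofed source never sends it."""
        if (client, server) in self._half_open:
            self._half_open.remove((client, server))
            return True
        return False


def simulate(server: str = "200.2.0.100", baseline_syn_pps: int = 3, strict_trigger: int = 20) -> dict:
    """Constructed traffic (assumption): five quiet seconds, then a
    50-packet spoofed-source burst in second 5 with one real client behind it."""
    guard = SynFloodGuard(syn_threshold_from_baseline(baseline_syn_pps), strict_trigger)
    out = {"legit_direct": 0, "spoofed_reached_server": 0, "legit_proxied": 0, "states": []}

    for sec in range(5):                      # normal business: 3 real clients per second
        for i in range(3):
            if guard.on_syn(f"10.1.1.{i}", server, sec) == "pass":
                out["legit_direct"] += 1
        out["states"].append(guard.state(server, sec))

    for i in range(50):                       # flood: every SYN from a different spoofed source
        if guard.on_syn(f"198.51.100.{i}", server, 5) == "pass":
            out["spoofed_reached_server"] += 1   # SYNs seen before the threshold trips still pass

    client = "10.1.1.9"                       # a real client arriving under strict protection
    out["first_syn_in_strict"] = guard.on_syn(client, server, 5)
    retransmit = guard.on_syn(client, server, 5)   # retransmission modelled within the same second
    if retransmit == "proxy" and guard.on_ack(client, server):
        out["legit_proxied"] += 1
    out["states"].append(guard.state(server, 5))
    return out


if __name__ == "__main__":
    print(simulate())
```

The run shows the caveat behind the tuning advice: the SYNs counted before the per-second trigger is reached are passed straight through, so a threshold set far above the real baseline lets the leading edge of every burst reach the server, while a threshold at twice the baseline keeps that leakage small without tripping on ordinary peaks.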
Configuration Steps
Log in to AFC
Access the login page via browser: https://192.168.0.1:16010/ , with username "admin" and password "admin".
Figure 0‑2 AFC Web Login Interface
Adjusting the global trigger rules for a single IP
If the global trigger rules need to be modified for one protected IP only, customize the parameters based on the normal per-second TCP and SYN packet counts shown for that IP in the server list, then apply the newly created global trigger parameters to that IP through rule application.
Figure 0‑3 View Single IP Trigger Threshold
In [Protection] > [Rules Config] > [Trigger Rule] > [Global Trigger Rules], create a new [Global Trigger Rules] entry.
Figure 0‑4 Modify Default Protection Threshold
Apply to the IP by navigating to [Protection] > [Global Status] > [Server List], locating the corresponding IP, and clicking "Add Rule". Then, in the Global Trigger Rules section, select [Custom IP Trigger Parameter] and save to activate the configuration.
Figure 0‑5 Apply Default Protection Threshold
Customized Attack Protection
Custom protection rules are user-defined rules that intercept or allow packets based on feature codes obtained by analyzing packets captured online on the device. [Protection Threshold Rules] set the trigger thresholds. [Protection Rules] (Fast Rules, System Plugin and Signature Rules) process matching packets by intercepting or allowing them. One [Protection Threshold Rules] entry combined with one [Protection Rule] forms a [Rule Set]. A [Rule Set] takes effect for a protected IP only after that IP has been added in [Applied Rules] and the rule set is explicitly referenced there.
Usage Instructions: Protection Threshold Rules = trigger conditions; [Protection Rules] (Fast Rules, System Plugin and Signature Rules) = policy actions; Rule Set = one set of trigger conditions plus policy actions. A rule set takes effect only after it is referenced in the applied rules.
Step 1: Add a Protection Threshold Rule, setting the packets-per-second threshold according to the customer's requirements.
Step 2: Add a Protection Rule (Fast Rule, System Plugin or Signature Rule) and bind it with the Protection Threshold Rule into a Rule Set.
Step 3: Bind the Rule Set to the protected IP to form an Applied Rule.
Example Scenario:
A customer reported abnormal server connectivity issues, including intermittent access exceptions and website unavailability. Packet capture analysis on the cleansing device revealed that a single external IP address was conducting high-frequency request flooding.
Figure 0‑6 Connect Monitor
Based on experience, normal human browsing does not usually exceed 15 requests per 10 seconds. The captured source was well above that rate, which points to automated scraping rather than a person, so a protection policy is added with 15 requests per 10 seconds as the trigger. The configuration steps are as follows:
Navigate to [Protection] > [Rules Config] > [Trigger Rule] > [Security Trigger Rules], then add a new Protection Threshold Rule named "test-cf" with the following parameters:
· TCP packets per second: 1
· SYN packets per second: 1
· All other parameters set to 0
Figure 0‑7 Add Protection Threshold Rules
Navigate to [Protection] > [Rules Config] > [Protection Rules] > [Exploit Rule], then add a new rule named "test-ld" with the configuration as shown in the figure below.
Figure 0‑8 Add Exploit Rules
Add a Rule Set: navigate to [Protection] > [Rules Config] > [Ruleset], then bind the Trigger Rule (test-cf) from Step 1 and the Protection Rule (test-ld) from Step 2 into a single Protection Rule Set named "Anti-Scraping-10s15c".
Figure 0‑9 Add Ruleset
Add an Applied Rule: in [Applied Rules], add the protected IP and reference the rule set "Anti-Scraping-10s15c" so that it takes effect for that IP.
Figure 0‑10 Add Applied Rules
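The composition "trigger condition + policy action = rule set, effective only once bound to a protected IP in the applied rules", as an added Python model that runs the anti-scraping scenario above over constructed connection records. It is written for this page and is not the appliance's own logic: the 15-requests-per-10-seconds trigger is taken from the scenario text and the rule set name, while the 60-second block duration, the record format, the sample sources (10.0.0.5 as a human browser, 203.0.113.7 as the scraper) and the second server 200.2.0.200 with no applied rule are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ThresholdRule:
    """[Protection Threshold Rules]: the trigger condition."""
    name: str
    max_requests: int          # requests one source may make to the protected IP ...
    window_seconds: float      # ... within this sliding window before the trigger fires


@dataclass(frozen=True)
class ProtectionRule:
    """[Protection Rules]: the policy action applied once the trigger fires."""
    name: str
    action: str                # "block" or "allow"
    block_seconds: float = 60.0   # assumed duration; the page does not state one


@dataclass(frozen=True)
class RuleSet:
    """One threshold rule plus one protection rule."""
    name: str
    trigger: ThresholdRule
    policy: ProtectionRule


class CustomProtectionEngine:
    """Applies rule sets only to the protected IPs they are bound to in
    [Applied Rules] (illustrative model, not the appliance's code)."""

    def __init__(self, applied_rules: dict):
        self.applied_rules = applied_rules        # protected_ip -> [RuleSet, ...]
        self._windows = defaultdict(deque)        # (ruleset, src, dst) -> request timestamps
        self._blocked_until = {}                  # (src, dst) -> time the block expires
        self.trigger_events = []                  # (ts, ruleset, src, dst)

    def handle(self, ts: float, src: str, dst: str) -> str:
        rule_sets = self.applied_rules.get(dst)
        if not rule_sets:
            return "unprotected"                  # no applied rule for this IP: nothing can fire
        if self._blocked_until.get((src, dst), float("-inf")) > ts:
            return "blocked"
        for rs in rule_sets:
            window = self._windows[(rs.name, src, dst)]
            window.append(ts)
            while ts - window[0] >= rs.trigger.window_seconds:   # slide the window forward
                window.popleft()
            if len(window) > rs.trigger.max_requests and rs.policy.action == "block":
                self._blocked_until[(src, dst)] = ts + rs.policy.block_seconds
                self.trigger_events.append((ts, rs.name, src, dst))
                return "blocked"
        return "allowed"


def demo() -> dict:
    threshold = ThresholdRule("test-cf", max_requests=15, window_seconds=10)
    policy = ProtectionRule("test-ld", action="block")
    rule_set = RuleSet("Anti-Scraping-10s15c", threshold, policy)
    engine = CustomProtectionEngine({"200.2.0.100": [rule_set]})   # the [Applied Rules] binding

    # Constructed records (ts, src, dst): a human at one request every 2 s, a scraper at
    # 10 requests/s, and the same scraper hitting a server that has no applied rule.
    records = [(i * 2.0, "10.0.0.5", "200.2.0.100") for i in range(20)]
    records += [(i * 0.1, "203.0.113.7", "200.2.0.100") for i in range(100)]
    records += [(i * 0.1, "203.0.113.7", "200.2.0.200") for i in range(100)]

    tally = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in sorted(records):          # process in arrival order
        tally[(src, dst)][engine.handle(ts, src, dst)] += 1
    return {"human": dict(tally[("10.0.0.5", "200.2.0.100")]),
            "scraper": dict(tally[("203.0.113.7", "200.2.0.100")]),
            "unbound_ip": dict(tally[("203.0.113.7", "200.2.0.200")]),
            "trigger_events": engine.trigger_events}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible that the steps alone do not: the scraper's first 15 requests are allowed before the trigger fires, since a threshold rule can only react once the count is exceeded, and the identical traffic against 200.2.0.200 is never evaluated at all, because no applied rule references the rule set for that IP.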
Verify the Configuration
Use Webbench (a Linux-based web server load-testing tool) to send a flood of connection requests to the protected host 200.2.0.100; each new connection begins with a SYN, so the burst pushes the SYN rate past the SYN Flood protection threshold. Verify that the protected host enters the [SYN] protection state and that the attack traffic is filtered by AFC.
On AFC, capture the intercepted SYN packets sent from the client toward the server. The presence of intercepted packets confirms that the blocking took effect.