This example was configured and verified on an F5000-AI160 running version E8371.
As shown in the figure below, on Device, interface GigabitEthernet1/0/1 connects to the internal network, interface GigabitEthernet1/0/2 connects to the external network, and interface GigabitEthernet1/0/3 connects to an internal server. The security requirements are as follows:
To protect the internal network against Smurf attacks and scanning attacks from the external network, enable Smurf attack prevention and scanning attack prevention on the Untrust security zone, to which interface GigabitEthernet1/0/2 belongs. Specifically: use the low prevention level for scanning attack prevention; add scanning attackers to the blacklist (aging time 10 minutes); and output an alarm log when a Smurf attack or a scanning attack is detected.
To protect the internal server against SYN flood attacks from the external network, enable SYN flood attack prevention on the Untrust security zone, to which interface GigabitEthernet1/0/2 belongs. Specifically: when the device detects that the number of SYN packets sent to the internal server per second continuously reaches or exceeds 5000, output an alarm log and drop the attack packets.
Figure 1 Network diagram for attack detection and prevention on a security zone
Configuring interface IP addresses
# Configure the IP address of each interface according to the network plan. The steps are as follows.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.0.0
[Device-GigabitEthernet1/0/1] quit
Configure the IP addresses of the other interfaces in the same way. (Details not shown.)
Adding interfaces to security zones
# Add each interface to its security zone according to the network plan. The steps are as follows.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
[Device-security-zone-Untrust] quit
[Device] security-zone name dmz
[Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
[Device-security-zone-DMZ] quit
Configuring security policies
# Configure a security policy rule named trust-untrust so that hosts in the Trust security zone can access the Internet. The steps are as follows.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-1-trust-untrust] source-zone trust
[Device-security-policy-ip-1-trust-untrust] destination-zone untrust
[Device-security-policy-ip-1-trust-untrust] source-ip-subnet 192.168.0.0 16
[Device-security-policy-ip-1-trust-untrust] action pass
[Device-security-policy-ip-1-trust-untrust] quit
# Configure a security policy rule named untrust-dmz so that hosts on the Internet can access the Server. The steps are as follows.
[Device-security-policy-ip] rule name untrust-dmz
[Device-security-policy-ip-2-untrust-dmz] source-zone untrust
[Device-security-policy-ip-2-untrust-dmz] destination-zone dmz
[Device-security-policy-ip-2-untrust-dmz] destination-ip-host 10.1.1.2
[Device-security-policy-ip-2-untrust-dmz] action pass
[Device-security-policy-ip-2-untrust-dmz] quit
[Device-security-policy-ip] quit
Configuring the attack defense policy
# Create attack defense policy a1.
[Device] attack-defense policy a1
# Enable signature detection for Smurf single-packet attacks, with logging as the action.
[Device-attack-defense-policy-a1] signature detect smurf action logging
# Enable scanning attack prevention at the low level, with the actions of logging, blocking, and adding the attacker's source IP address to the blacklist (aging time 10 minutes).
[Device-attack-defense-policy-a1] scan detect level low action logging block-source timeout 10
# To protect the internal server at 10.1.1.2, configure SYN flood attack prevention for IP address 10.1.1.2 with a trigger threshold of 5000 and the actions of logging and dropping the attack packets.
[Device-attack-defense-policy-a1] syn-flood detect ip 10.1.1.2 threshold 5000 action logging drop
[Device-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to the Untrust security zone.
[Device] security-zone name untrust
[Device-security-zone-Untrust] attack-defense apply policy a1
[Device-security-zone-Untrust] quit
# Enable global blacklist filtering.
[Device] blacklist global enable
After completing the configuration, use the display attack-defense policy command to view the details of attack defense policy a1.
# Display the configuration of attack defense policy a1.
[Device] display attack-defense policy a1
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name       : a1
Applied list      : Untrust
--------------------------------------------------------------------------
Exempt IPv4 ACL   : Not configured
Exempt IPv6 ACL   : Not configured
--------------------------------------------------------------------------
Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None
Signature attack defense configuration:
 Signature name                     Defense   Level   Actions
 Fragment                           Disabled  low     L
 Impossible                         Disabled  medium  L,D
 Teardrop                           Disabled  medium  L,D
 Tiny fragment                      Disabled  low     L
 IP option abnormal                 Disabled  medium  L,D
 Smurf                              Enabled   medium  L
 Traceroute                         Disabled  low     L
 Ping of death                      Disabled  medium  L,D
 Large ICMP                         Disabled  info    L
   Max length 4000 bytes
 Large ICMPv6                       Disabled  info    L
   Max length 4000 bytes
 TCP invalid flags                  Disabled  medium  L,D
 TCP null flag                      Disabled  medium  L,D
 TCP all flags                      Disabled  medium  L,D
 TCP SYN-FIN flags                  Disabled  medium  L,D
 TCP FIN only flag                  Disabled  medium  L,D
 TCP Land                           Disabled  medium  L,D
 Winnuke                            Disabled  medium  L,D
 UDP Bomb                           Disabled  medium  L,D
 UDP Snork                          Disabled  medium  L,D
 UDP Fraggle                        Disabled  medium  L,D
 IP option record route             Disabled  info    L
 IP option internet timestamp       Disabled  info    L
 IP option security                 Disabled  info    L
 IP option loose source routing     Disabled  info    L
 IP option stream ID                Disabled  info    L
 IP option strict source routing    Disabled  info    L
 IP option route alert              Disabled  info    L
 ICMP echo request                  Disabled  info    L
 ICMP echo reply                    Disabled  info    L
 ICMP source quench                 Disabled  info    L
 ICMP destination unreachable       Disabled  info    L
 ICMP redirect                      Disabled  info    L
 ICMP time exceeded                 Disabled  info    L
 ICMP parameter problem             Disabled  info    L
 ICMP timestamp request             Disabled  info    L
 ICMP timestamp reply               Disabled  info    L
 ICMP information request           Disabled  info    L
 ICMP information reply             Disabled  info    L
 ICMP address mask request          Disabled  info    L
 ICMP address mask reply            Disabled  info    L
 ICMPv6 echo request                Disabled  info    L
 ICMPv6 echo reply                  Disabled  info    L
 ICMPv6 group membership query      Disabled  info    L
 ICMPv6 group membership report     Disabled  info    L
 ICMPv6 group membership reduction  Disabled  info    L
 ICMPv6 destination unreachable     Disabled  info    L
 ICMPv6 time exceeded               Disabled  info    L
 ICMPv6 parameter problem           Disabled  info    L
 ICMPv6 packet too big              Disabled  info    L
 IPv6 extension header abnormal     Disabled  Info    L
 IPv6 extension header exceeded     Disabled  Info    L
   Limit 7
Scan attack defense configuration:
 Defense : Enabled
 Level   : low
 Actions : L,BS(10)
Flood attack defense configuration:
 Flood type     Global thres(pps)  Global actions  Service ports  Non-specific
 DNS flood      1000               -               53             Disabled
 HTTP flood     1000               -               80             Disabled
 SIP flood      1000               -               5060           Disabled
 SYN flood      5000               L,D             -              Enabled
 ACK flood      1000               -               -              Disabled
 SYN-ACK flood  1000               -               -              Disabled
 RST flood      1000               -               -              Disabled
 FIN flood      1000               -               -              Disabled
 UDP flood      1000               -               -              Disabled
 ICMP flood     1000               -               -              Disabled
 ICMPv6 flood   1000               -               -              Disabled
Flood attack defense for protected IP addresses:
 Address   VPN instance  Flood type  Thres(pps)  Actions  Ports
 10.1.1.2  --            SYN-FLOOD   5000        L,D      -
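Reading a listing like the one above by eye is fine once, but a change-control or audit job wants the check automated. The following script is an added example, not code from the H3C guide: it parses the text of display attack-defense policy into a structure and verifies the three requirements of this scenario (Smurf detection with logging, low-level scan defense that logs and blacklists the source for 10 minutes, and a SYN flood threshold of 5000 pps with logging and drop for 10.1.1.2). The only assumption is the row layout shown above (one entry per line, whitespace-separated columns); the sample input is an abridged copy of that listing, embedded here so the script runs offline.

```python
"""Verify a `display attack-defense policy` listing against the scenario's requirements.

Added example, not from the H3C guide. Assumes only the line-per-entry,
whitespace-separated layout of the display output; column widths are ignored.
"""
import re

# Constructed sample: an abridged copy of the `display attack-defense policy a1` output.
POLICY_OUTPUT = """\
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name : a1
Applied list : Untrust
Actions: CV-Client verify BS-Block source L-Logging D-Drop N-None
Signature attack defense configuration:
Signature name Defense Level Actions
Fragment Disabled low L
Smurf Enabled medium L
Large ICMP Disabled info L
Max length 4000 bytes
TCP Land Disabled medium L,D
Scan attack defense configuration:
Defense : Enabled
Level : low
Actions : L,BS(10)
Flood attack defense configuration:
Flood type Global thres(pps) Global actions Service ports Non-specific
SYN flood 5000 L,D - Enabled
Flood attack defense for protected IP addresses:
Address VPN instance Flood type Thres(pps) Actions Ports
10.1.1.2 -- SYN-FLOOD 5000 L,D -
"""

SIG_ROW = re.compile(r"^(.+?)\s+(Enabled|Disabled)\s+(\w+)\s+(\S+)$")
KEY_VALUE = re.compile(r"^(\w+)\s*:\s*(.+)$")
PROTECTED_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_policy(text):
    """Return name, applied zones, signature entries, scan settings and per-IP flood entries."""
    policy = {"name": None, "applied": [], "signatures": {}, "scan": {}, "protected": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^Policy name\s*:\s*(\S+)$", line)
        if m:
            policy["name"] = m.group(1)
            continue
        m = re.match(r"^Applied list\s*:\s*(.*)$", line)
        if m:
            policy["applied"] = m.group(1).split()
            continue
        # Section headers decide how the rows that follow are interpreted.
        if line.startswith("Signature attack defense"):
            section = "signature"
        elif line.startswith("Scan attack defense"):
            section = "scan"
        elif line.startswith("Flood attack defense for protected"):
            section = "protected"
        elif line.startswith("Flood attack defense"):
            section = "flood"
        elif section == "signature":
            m = SIG_ROW.match(line)
            if m:  # sub-lines such as "Max length 4000 bytes" do not match and are skipped
                name, state, level, actions = m.groups()
                policy["signatures"][name] = {"enabled": state == "Enabled",
                                              "level": level.lower(), "actions": actions.split(",")}
        elif section == "scan":
            m = KEY_VALUE.match(line)
            if m:
                policy["scan"][m.group(1).lower()] = m.group(2).strip()
        elif section == "protected":
            m = PROTECTED_ROW.match(line)
            if m:
                addr, _vpn, ftype, thres, actions, _ports = m.groups()
                policy["protected"].append({"address": addr, "type": ftype.upper(),
                                            "threshold": int(thres), "actions": actions.split(",")})
    return policy


def check_requirements(policy, zone="Untrust", server="10.1.1.2",
                       syn_threshold=5000, scan_timeout_min=10):
    """Return the list of deviations from the scenario's requirements (empty means compliant)."""
    findings = []
    if zone not in policy["applied"]:
        findings.append(f"policy not applied to zone {zone}")
    smurf = policy["signatures"].get("Smurf")
    if not (smurf and smurf["enabled"] and "L" in smurf["actions"]):
        findings.append("Smurf signature detection not enabled with logging")
    scan = policy["scan"]
    if scan.get("defense") != "Enabled" or scan.get("level") != "low":
        findings.append("scan attack defense not enabled at level low")
    timeout = re.search(r"BS\((\d+)\)", scan.get("actions", ""))  # BS(n): block source for n minutes
    if "L" not in scan.get("actions", "").split(",") or not timeout \
            or int(timeout.group(1)) != scan_timeout_min:
        findings.append(f"scan defense must log and block-source for {scan_timeout_min} min")
    syn = [p for p in policy["protected"] if p["address"] == server and p["type"] == "SYN-FLOOD"]
    if not syn or syn[0]["threshold"] != syn_threshold or not {"L", "D"} <= set(syn[0]["actions"]):
        findings.append(f"no SYN flood defense for {server} at {syn_threshold} pps with log+drop")
    return findings


if __name__ == "__main__":
    print(check_requirements(parse_policy(POLICY_OUTPUT)) or "policy a1 matches the requirements")
```

In practice the text would come from the device over SSH or from a saved show-output archive; the parser does not care about column widths, so it works on both the aligned terminal output and a copy whose columns were collapsed by extraction.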
If Smurf attack packets arrive on the Untrust security zone, the device outputs an alarm log. If scanning attack packets arrive on the Untrust security zone, the device outputs an alarm log and adds the attacker's IP address to the blacklist. If the SYN flood attack packets received on the Untrust security zone exceed the trigger threshold, the device outputs an alarm log, adds the attacked host address to the protected IP list for TCP client verification, and drops the attack packets.
Use the display attack-defense statistics security-zone command to view the attack defense statistics of each security zone.
# Display the attack defense statistics of the Untrust security zone.
[Device] display attack-defense statistics security-zone untrust
Attack policy name: a1
Scan attack defense statistics:
 AttackType                    AttackTimes   Dropped
 Port scan                     2             0
 IP sweep                      3             0
Flood attack defense statistics:
 AttackType                    AttackTimes   Dropped
 SYN flood                     1             5000
Signature attack defense statistics:
 AttackType                    AttackTimes   Dropped
 Smurf                         1             0
If a scanning attack has occurred, you can also use the display blacklist command to view the blacklist entries added automatically by scanning attack prevention.
# Display the blacklist entries added automatically by scanning attack prevention.
[Device] display blacklist ip
IP address       VPN instance     DS-Lite tunnel peer     Type     TTL(sec)   Dropped
5.5.5.5          --               --                      Dynamic  600        353452
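The two displays above are what an operator polls to see whether the zone is under attack and what the policy did about it. The following script is an added example, not code from the H3C guide: it turns display attack-defense statistics security-zone and display blacklist ip output into flat JSON records of the kind a log pipeline or SIEM ingests, one per attack type that has fired and one per blacklist entry. It assumes the whitespace-separated row layout shown above and treats the counters as cumulative totals (diffing successive polls is left to the caller); the sample inputs are copies of the two displays, embedded so the script runs offline.

```python
"""Convert attack-defense statistics and blacklist displays into event records.

Added example, not from the H3C guide. Assumes the whitespace-separated row
layout of the two displays; counters are read as cumulative totals.
"""
import json
import re

# Constructed sample input: copies of the two displays shown in the guide.
STATS_OUTPUT = """\
Attack policy name: a1
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 0
IP sweep 3 0
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 5000
Signature attack defense statistics:
AttackType AttackTimes Dropped
Smurf 1 0
"""
BLACKLIST_OUTPUT = """\
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
5.5.5.5 -- -- Dynamic 600 353452
"""

CATEGORY = re.compile(r"^(\w+) attack defense statistics:$")
STAT_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)$")  # "<attack type> <times> <dropped>"
BLACKLIST_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s+(\d+)$")


def parse_statistics(text):
    """Return (policy name, {(category, attack type): {"times", "dropped"}})."""
    name, stats, category = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Attack policy name:\s*(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = CATEGORY.match(line)
        if m:
            category = m.group(1).lower()  # scan / flood / signature
            continue
        m = STAT_ROW.match(line)
        if m and category:  # the "AttackType AttackTimes Dropped" header has no digits
            stats[(category, m.group(1))] = {"times": int(m.group(2)), "dropped": int(m.group(3))}
    return name, stats


def parse_blacklist(text):
    """Return one dict per blacklist entry: IP, entry type, remaining TTL and drop count."""
    entries = []
    for raw in text.splitlines():
        m = BLACKLIST_ROW.match(raw.strip())
        if m:
            entries.append({"ip": m.group(1), "type": m.group(4),
                            "ttl_sec": int(m.group(5)), "dropped": int(m.group(6))})
    return entries


def to_events(zone, stats_text, blacklist_text):
    """Build flat event records tagged with zone and policy name: one per attack
    type that has fired at least once, then one per blacklist entry."""
    policy, stats = parse_statistics(stats_text)
    events = []
    for (category, attack), c in sorted(stats.items()):
        if c["times"] == 0:
            continue
        # A logging-only action shows up as hits with zero drops in this zone;
        # scan attackers are dropped later by the blacklist, which has its own counter.
        events.append({"zone": zone, "policy": policy, "kind": "attack", "category": category,
                       "attack": attack, "times": c["times"], "dropped": c["dropped"]})
    for entry in parse_blacklist(blacklist_text):
        events.append({"zone": zone, "policy": policy, "kind": "blacklist", **entry})
    return events


if __name__ == "__main__":
    for event in to_events("Untrust", STATS_OUTPUT, BLACKLIST_OUTPUT):
        print(json.dumps(event))
```

With the sample input the script emits four attack records (SYN flood with 5000 drops, the two scan types and Smurf with none) and one blacklist record for 5.5.5.5 with 600 seconds left; an alerting rule would fire on the flood record because drops are non-zero and on the blacklist record because a dynamic entry exists at all.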
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 192.168.1.1 255.255.0.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 202.1.0.1 255.255.0.0
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name DMZ
 import interface GigabitEthernet1/0/3
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
 attack-defense apply policy a1
#
blacklist global enable
#
attack-defense policy a1
 scan detect level low action logging block-source
 syn-flood detect ip 10.1.1.2 threshold 5000 action logging drop
 signature detect smurf action logging
#
security-policy ip
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 192.168.0.0 255.255.0.0
 rule 2 name untrust-dmz
  action pass
  source-zone untrust
  destination-zone dmz
  destination-ip-host 10.1.1.2