06-S12500_Attack_Protection_Configuration_Examples
Contents
Example: Configuring link layer attack protection
Configuration restrictions and guidelines
Example: Configuring ARP attack protection
Example: Configuring network layer attack protection
Configuration restrictions and guidelines
Example: Configuring transport layer attack protection
Introduction
This document provides configuration examples of link layer attack protection, ARP attack protection, network layer attack protection, and transport layer attack protection as shown in Table 1.
Table 1 Attack protection types

Attack protection type | Feature | Description
---|---|---
Link layer attack protection | MAC address attack protection | Prevents attacks by packets with different source MAC addresses or VLANs by configuring the maximum number of MAC addresses that an interface can learn.
Link layer attack protection | STP packet attack protection | Provides protection measures such as BPDU guard, root guard, loop guard, TC-BPDU guard, and STP status confusion protection.
ARP attack protection | ARP source suppression | Prevents IP attack packets from fixed sources.
ARP attack protection | ARP black hole routing | Prevents IP attack packets from sources that are not fixed.
ARP attack protection | ARP active acknowledgement | Prevents user spoofing.
ARP attack protection | Source MAC-based ARP attack detection | Prevents ARP packet attacks from the same source MAC.
ARP attack protection | ARP packet source MAC consistency check | Prevents attacks from ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Network layer attack protection | uRPF check | Protects a network against source spoofing attacks.
Network layer attack protection | TTL attack protection | Prevents an attack by disabling sending ICMP time exceeded messages.
Transport layer attack protection | SYN flood attack protection | Enables the server to return a SYN ACK message upon receiving a TCP connection request, without establishing a half-open TCP connection.
Transport layer attack protection | Naptha attack protection | Enables the device to periodically check the number of TCP connections in each state. If the number of TCP connections in a state exceeds the maximum, the device accelerates the aging of TCP connections in that state.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of attack protection.
Example: Configuring link layer attack protection
Network requirements
As shown in Figure 1, Switch A, Switch B, and Switch C run MSTP. Switch B acts as the root bridge, and GigabitEthernet 2/0/1 on Switch C is blocked. Configure the following features to protect against link layer attacks:
· Configure root guard on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 of Switch B to make sure Switch B acts as the root bridge.
· Configure loop guard on GigabitEthernet 2/0/2 of Switch C to prevent temporary loops. The loop guard feature makes sure the port stays in Discarding state in all MSTIs when it receives no BPDU.
· Configure BPDU guard on GigabitEthernet 2/0/3 on Switch A and GigabitEthernet 2/0/3 on Switch C. The BPDU guard feature prevents the ports from performing spanning tree calculations upon receiving forged BPDUs with a higher priority.
· Enable TC-BPDU guard on Switch A, Switch B, and Switch C. The TC-BPDU guard feature prevents a large number of TC-BPDUs in a short time from affecting the network.
· Configure the maximum number of MAC addresses that can be learned by ports at the access side of Switch A and Switch C. This configuration is to protect the devices against a large number of attack packets with different source MAC addresses. The attack packets might cause a large MAC table and low forwarding performance.
· Configure broadcast and multicast suppressions on all ports on Switch A, Switch B, and Switch C. When incoming broadcast or multicast traffic exceeds the threshold, an interface discards broadcast or multicast packets until the traffic drops below the threshold.
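The last two requirements bound two resources an attacker can exhaust on an access port: the MAC address table and the forwarding capacity consumed by broadcast or multicast flooding. The following added example is a Python model written for this page, not H3C code, of what `mac-address max-mac-count 1024` and `broadcast-suppression pps 2000` do on one port. The one-second counting bucket is an assumption of the model; the switch's hardware rate limiter is not reproduced.

```python
from collections import defaultdict

# Added model (not H3C code) of two link layer protections configured in this
# example: the per-port MAC learning limit (mac-address max-mac-count 1024)
# and broadcast suppression (broadcast-suppression pps 2000). The one-second
# counting bucket is a simplification assumed here; the hardware rate limiter
# on the switch is not modelled.


class PortGuard:
    """Tracks MAC learning and the broadcast rate on one switch port."""

    def __init__(self, max_mac_count=1024, broadcast_pps=2000):
        self.max_mac_count = max_mac_count
        self.broadcast_pps = broadcast_pps
        self.mac_table = set()                   # source MACs learned on this port
        self.learn_refused = 0                   # frames whose source MAC was not learned
        self.bcast_accepted = defaultdict(int)   # one-second bucket -> broadcasts forwarded
        self.bcast_dropped = 0

    def learn(self, src_mac):
        """Learn src_mac unless the port limit has been reached.
        Returns True when the address is in the table afterwards."""
        if src_mac in self.mac_table:
            return True
        if len(self.mac_table) >= self.max_mac_count:
            self.learn_refused += 1              # table stays bounded under a MAC flood
            return False
        self.mac_table.add(src_mac)
        return True

    def accept_broadcast(self, t_seconds):
        """Forward a broadcast frame arriving at t_seconds unless this second's
        bucket already holds broadcast_pps frames. Returns True if forwarded."""
        bucket = int(t_seconds)
        if self.bcast_accepted[bucket] >= self.broadcast_pps:
            self.bcast_dropped += 1
            return False
        self.bcast_accepted[bucket] += 1
        return True


def simulate_mac_flood(n_sources, max_mac_count=1024):
    """Offer frames from n_sources distinct (constructed) source MACs to one
    access port. Returns (addresses learned, frames refused)."""
    port = PortGuard(max_mac_count=max_mac_count)
    for i in range(n_sources):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        port.learn(mac)
    return len(port.mac_table), port.learn_refused


def simulate_broadcast_burst(frames_per_second, seconds, broadcast_pps=2000):
    """Offer frames_per_second broadcast frames in each of `seconds` seconds.
    Returns (frames forwarded, frames discarded)."""
    port = PortGuard(broadcast_pps=broadcast_pps)
    forwarded = 0
    for s in range(seconds):
        for k in range(frames_per_second):
            if port.accept_broadcast(s + k / frames_per_second):
                forwarded += 1
    return forwarded, port.bcast_dropped


if __name__ == "__main__":
    print("MAC flood (learned, refused):", simulate_mac_flood(5000))
    print("Broadcast burst (forwarded, dropped):", simulate_broadcast_burst(5000, 3))
```

With 5000 distinct source MACs the table stops at 1024 entries and the remaining 3976 frames are not learned, which is the bounded-table behaviour the requirement asks for; a burst of 5000 broadcasts per second for three seconds forwards 2000 per second and discards the rest, so the uplinks never see the flood.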
Requirements analysis
To make Switch A's and Switch C's ports that connect to user terminals rapidly transit to the forwarding state, configure GigabitEthernet 2/0/3 on Switch A and GigabitEthernet 2/0/3 on Switch C as edge ports by using the stp edged-port enable command.
Software version used
This example was created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure link layer attack protection, follow these restrictions and guidelines:
· On a port, the loop guard function is mutually exclusive with the root guard function or the edge port setting.
· Do not configure the loop guard function on a port that connects to user terminals. Otherwise, the port stays in Discarding state in all MSTIs because it cannot receive BPDUs.
Configuration procedures
Configuring Switch A
# Specify IP addresses for interfaces. (Details not shown.)
# Configure STP BPDU guard.
<SwitchA> system-view
[SwitchA] stp bpdu-protection
[SwitchA] interface GigabitEthernet 2/0/3
[SwitchA-GigabitEthernet2/0/3] undo shutdown
[SwitchA-GigabitEthernet2/0/3] stp edged-port enable
[SwitchA-GigabitEthernet2/0/3] quit
# Configure TC-BPDU guard.
[SwitchA] stp tc-protection enable
[SwitchA] stp tc-protection threshold 10
# Configure the maximum number of MAC addresses that a port at the access side can learn (for example, GigabitEthernet 2/0/3).
[SwitchA] interface GigabitEthernet 2/0/3
[SwitchA-GigabitEthernet2/0/3] mac-address max-mac-count 1024
[SwitchA-GigabitEthernet2/0/3] quit
# Set the broadcast and multicast suppression thresholds on all ports, including the ports at the access side such as GigabitEthernet 2/0/3.
[SwitchA] interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/3
[SwitchA-if-range] undo shutdown
[SwitchA-if-range] broadcast-suppression pps 2000
[SwitchA-if-range] multicast-suppression pps 2000
Configuring Switch B
# Specify IP addresses for interfaces. (Details not shown.)
# Configure root guard on GigabitEthernet 2/0/2 and GigabitEthernet 2/0/1.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 2/0/2
[SwitchB-GigabitEthernet2/0/2] undo shutdown
[SwitchB-GigabitEthernet2/0/2] stp root-protection
[SwitchB-GigabitEthernet2/0/2] quit
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] undo shutdown
[SwitchB-GigabitEthernet2/0/1] stp root-protection
[SwitchB-GigabitEthernet2/0/1] quit
# Configure TC-BPDU guard.
[SwitchB] stp tc-protection enable
[SwitchB] stp tc-protection threshold 10
# Set the broadcast and multicast suppression thresholds on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
[SwitchB] interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/2
[SwitchB-if-range] broadcast-suppression pps 2000
[SwitchB-if-range] multicast-suppression pps 2000
Configuring Switch C
# Specify IP addresses for interfaces. (Details not shown.)
# Configure STP BPDU guard.
<SwitchC> system-view
[SwitchC] stp bpdu-protection
[SwitchC] interface GigabitEthernet 2/0/3
[SwitchC-GigabitEthernet2/0/3] undo shutdown
[SwitchC-GigabitEthernet2/0/3] stp edged-port enable
[SwitchC-GigabitEthernet2/0/3] quit
# Configure root guard on GigabitEthernet 2/0/1.
[SwitchC] interface GigabitEthernet 2/0/1
[SwitchC-GigabitEthernet2/0/1] undo shutdown
[SwitchC-GigabitEthernet2/0/1] stp root-protection
[SwitchC-GigabitEthernet2/0/1] quit
# Configure loop guard on GigabitEthernet 2/0/2.
[SwitchC] interface GigabitEthernet 2/0/2
[SwitchC-GigabitEthernet2/0/2] undo shutdown
[SwitchC-GigabitEthernet2/0/2] stp loop-protection
[SwitchC-GigabitEthernet2/0/2] quit
# Configure TC-BPDU guard.
[SwitchC] stp tc-protection enable
[SwitchC] stp tc-protection threshold 10
# Configure the maximum number of MAC addresses that a port at the access side can learn (for example, GigabitEthernet 2/0/3).
[SwitchC] interface GigabitEthernet 2/0/3
[SwitchC-GigabitEthernet2/0/3] mac-address max-mac-count 1024
[SwitchC-GigabitEthernet2/0/3] quit
# Set the broadcast and multicast suppression thresholds on all ports, including the ports at the access side such as GigabitEthernet 2/0/3.
[SwitchC] interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/3
[SwitchC-if-range] broadcast-suppression pps 2000
[SwitchC-if-range] multicast-suppression pps 2000
Verifying the configuration
After receiving STP BPDUs, the ports GigabitEthernet 2/0/3 of Switch A and Switch C go down. You can bring them up by executing the undo shutdown command.
After STP BPDUs with a higher priority are sent to a root-guard port on Switch B, the root port does not change, and the STP topology stays stable.
After receiving a large number of various TC BPDUs, Switch A, Switch B, and Switch C do not refresh the FIB table frequently, and no serious packet loss occurs.
After you send a large number of broadcasts to GigabitEthernet 2/0/3 on Switch A and GigabitEthernet 2/0/3 on Switch C, no broadcast flooding occurs on the uplink ports.
Configuration files
· Switch A:
#
stp bpdu-protection
stp tc-protection enable
stp tc-protection threshold 10
#
interface GigabitEthernet 2/0/1
port link-mode bridge
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/2
port link-mode bridge
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/3
port link-mode bridge
mac-address max-mac-count 1024
stp edged-port enable
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
· Switch B:
#
stp tc-protection enable
stp tc-protection threshold 10
#
interface GigabitEthernet 2/0/1
port link-mode bridge
stp root-protection
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/2
port link-mode bridge
stp root-protection
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/3
port link-mode bridge
stp edged-port enable
#
· Switch C:
#
stp bpdu-protection
stp tc-protection enable
stp tc-protection threshold 10
#
interface GigabitEthernet 2/0/1
port link-mode bridge
stp root-protection
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/2
port link-mode bridge
stp loop-protection
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
interface GigabitEthernet 2/0/3
port link-mode bridge
mac-address max-mac-count 1024
broadcast-suppression pps 2000
multicast-suppression pps 2000
#
Example: Configuring ARP attack protection
Network requirements
As shown in Figure 2, Switch A and Switch B form a VRRP group. Configure the ARP attack protection features to protect Switch A and Switch B.
Software version used
This example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
Configuring Switch A
# Specify IP addresses for interfaces. (Details not shown.)
# Configure ARP source suppression and set the maximum number of unresolvable packets that can be received in 5 seconds to 8 to prevent IP attack packets from fixed sources.
<SwitchA> system-view
[SwitchA] arp source-suppression enable
[SwitchA] arp source-suppression limit 8
# Configure ARP black hole routing to prevent IP attack packets from sources that are not fixed.
[SwitchA] arp resolving-route enable
# Configure ARP active acknowledgment to prevent user spoofing.
[SwitchA] arp anti-attack active-ack enable
# Configure source MAC-based ARP attack detection to prevent ARP packet attacks from the same source MAC.
[SwitchA] arp anti-attack source-mac filter
[SwitchA] arp anti-attack source-mac threshold 25
# Configure ARP packet source MAC address consistency check to prevent attacks from ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
[SwitchA] arp anti-attack valid-check enable
Configuring Switch B
# Specify IP addresses for interfaces. (Details not shown.)
# Configure ARP source suppression and set the maximum number of unresolvable packets that can be received in 5 seconds to 8 to prevent IP attack packets from fixed sources.
<SwitchB> system-view
[SwitchB] arp source-suppression enable
[SwitchB] arp source-suppression limit 8
# Configure ARP black hole routing to prevent IP attack packets from sources that are not fixed.
[SwitchB] arp resolving-route enable
# Configure ARP active acknowledgment to prevent user spoofing.
[SwitchB] arp anti-attack active-ack enable
# Configure source MAC-based ARP attack detection to prevent ARP packet attacks from the same source MAC.
[SwitchB] arp anti-attack source-mac filter
[SwitchB] arp anti-attack source-mac threshold 25
# Configure ARP packet source MAC address consistency check to prevent attacks from ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
[SwitchB] arp anti-attack valid-check enable
Verifying the configuration
After you send various ARP attack packets to the switches, no busy CPU event occurs, and other service modules are operating correctly.
Take ARP source suppression as an example. After you send 20 forged packets with fixed source IP addresses and unresolvable destination IP addresses to a switch, the switch stops resolving the packets when the number of unresolvable packets within 5 seconds reaches 8.
# Display information about the ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 8
Current cache length: 16
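Both ARP source suppression and source MAC-based ARP attack detection are per-source counters over a short interval: the first stops resolving for a source IP that generates more than 8 unresolvable packets in 5 seconds, the second filters ARP packets from a MAC that exceeds the threshold of 25. The following added Python model, written for this page and not H3C code, reproduces the verification step above (20 forged packets from one source IP) and the MAC counter with one shared sliding-window helper. The sliding 5-second window, the sample addresses and the exact drop boundary are assumptions of the model.

```python
from collections import defaultdict, deque

# Added model (not H3C code) of the two per-source counters in this example:
# ARP source suppression (arp source-suppression limit 8: at most 8
# unresolvable packets per source IP in 5 seconds) and source MAC-based ARP
# attack detection (arp anti-attack source-mac threshold 25). The sliding
# 5-second window is an assumption of this model; the switch's own timer
# granularity is not documented here.


class WindowCounter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, limit, window=5.0):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)     # key -> timestamps still in the window

    def over_limit(self, key, now):
        """Record one event for `key` at time `now`. Returns True once the key
        has more than `limit` events inside the window."""
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                      # expire entries older than the window
        q.append(now)
        return len(q) > self.limit


def arp_source_suppression(packets, limit=8, window=5.0):
    """packets: (time, src_ip, destination_resolvable) tuples.
    Packets with a resolvable destination are forwarded normally. For
    unresolvable ones the device attempts resolution until the source reaches
    `limit` in the window, then drops that source's packets.
    Returns (packets resolved or forwarded, packets dropped)."""
    guard = WindowCounter(limit, window)
    handled = dropped = 0
    for t, src_ip, resolvable in packets:
        if resolvable:
            handled += 1                     # no resolution load on the CPU
        elif guard.over_limit(src_ip, t):
            dropped += 1                     # source suppressed for the rest of the window
        else:
            handled += 1                     # device sends an ARP request for this one
    return handled, dropped


def source_mac_arp_filter(frames, threshold=25, window=5.0):
    """frames: (time, src_mac) tuples for ARP packets delivered to the CPU.
    Returns (frames delivered, frames filtered) once a MAC exceeds `threshold`."""
    guard = WindowCounter(threshold, window)
    delivered = filtered = 0
    for t, src_mac in frames:
        if guard.over_limit(src_mac, t):
            filtered += 1
        else:
            delivered += 1
    return delivered, filtered


def demo_source_suppression():
    """The verification step above: 20 forged packets with a fixed source IP and
    an unresolvable destination, mixed with three ordinary packets (constructed)."""
    forged = [(i * 0.1, "10.1.1.9", False) for i in range(20)]
    legit = [(0.05, "10.1.1.20", True), (0.55, "10.1.1.21", True), (1.0, "10.1.1.22", True)]
    return arp_source_suppression(sorted(forged + legit))


def demo_source_mac_filter():
    """30 ARP packets from one MAC within a second next to 5 from another (constructed)."""
    burst = [(i * 0.02, "00aa-bb01-0001") for i in range(30)]
    normal = [(i * 0.5, "00aa-bb01-0002") for i in range(5)]
    return source_mac_arp_filter(sorted(burst + normal))


if __name__ == "__main__":
    print("source suppression (handled, dropped):", demo_source_suppression())
    print("source MAC filter (delivered, filtered):", demo_source_mac_filter())
```

In the source suppression demo the switch attempts resolution for the first 8 forged packets and drops the remaining 12, while the three packets with resolvable destinations are unaffected; in the MAC filter demo the bursting MAC gets 25 packets through and 5 filtered, and the second MAC is untouched. Keying the counter per source is what keeps one misbehaving host from penalising the others.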
Configuration files
· Switch A:
#
arp source-suppression enable
arp source-suppression limit 8
arp resolving-route enable
arp anti-attack active-ack enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 25
#
· Switch B:
#
arp source-suppression enable
arp source-suppression limit 8
arp resolving-route enable
arp anti-attack active-ack enable
arp anti-attack source-mac filter
arp anti-attack source-mac threshold 25
#
Example: Configuring network layer attack protection
Network requirements
As shown in Figure 3, configure the network layer protection features to protect Switch A against IP packet attacks from users and from the network.
Software version used
This example was created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
After you disable sending ICMP time exceeded messages, the traceroute feature is not available.
Configuration procedures
# Configure uRPF to prevent source spoofing attacks.
<SwitchA> system-view
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip urpf strict
[SwitchA-Vlan-interface100] quit
[SwitchA] vlan 200
[SwitchA-vlan] port GigabitEthernet 2/0/2
[SwitchA-vlan] quit
[SwitchA] interface GigabitEthernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] undo shutdown
[SwitchA-GigabitEthernet2/0/2] quit
[SwitchA] interface vlan-interface 200
[SwitchA-Vlan-interface200] undo shutdown
[SwitchA-Vlan-interface200] ip address 202.101.0.2 255.255.255.0
[SwitchA-Vlan-interface200] ip urpf strict
[SwitchA-Vlan-interface200] quit
# Disable sending ICMP time exceeded messages to prevent attacks from packets with a TTL of 1. Sending ICMP time exceeded messages is disabled by default.
[SwitchA] undo ip ttl-expires
Verifying the configuration
After you use a PC to send packets with TTL 1 to the device, the packets are dropped, and the PC does not receive TTL timeout ICMP packets.
After you send packets with forged source IP addresses to Switch A, the packets are filtered.
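Strict uRPF, as enabled on Vlan-interface100 and Vlan-interface200 above, drops a packet unless the FIB's best route back to its source address leaves through the interface the packet arrived on; loose mode only requires that some route to the source exist. The following added example, written for this page and not H3C code, models that lookup with the two connected prefixes from the configuration. The default route, the loose mode and the sample packets are assumptions for illustration, and the `allow_default` flag is a modelling parameter, not a CLI keyword.

```python
import ipaddress

# Added example (not H3C code): a model of the strict uRPF check enabled on
# Vlan-interface100 and Vlan-interface200 above. The two connected prefixes and
# interface names come from the configuration; the default route is assumed
# for illustration.

FIB = [
    (ipaddress.ip_network("192.168.0.0/24"), "Vlan-interface100"),   # user side
    (ipaddress.ip_network("202.101.0.0/24"), "Vlan-interface200"),   # network side
    (ipaddress.ip_network("0.0.0.0/0"), "Vlan-interface200"),        # assumed default route
]


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr. Returns the outgoing interface or None.
    The default route only counts when allow_default is set."""
    best = None
    for net, ifname in fib:
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_check(fib, src_ip, ingress, mode="strict", allow_default=False):
    """Return True if the packet passes the uRPF check on `ingress`.
    strict: the best route back to the source must leave through the ingress
    interface. loose: any route to the source is enough."""
    out_if = lookup(fib, ipaddress.ip_address(src_ip), allow_default)
    if out_if is None:
        return False                      # no route back to the source at all
    return out_if == ingress if mode == "strict" else True


SAMPLE_PACKETS = [                        # (source IP, ingress interface), constructed
    ("192.168.0.10", "Vlan-interface100"),   # user from its own subnet
    ("202.101.0.50", "Vlan-interface200"),   # peer on the network side
    ("192.168.0.10", "Vlan-interface200"),   # internal address arriving from outside
    ("202.101.0.50", "Vlan-interface100"),   # user claiming an external address
    ("203.0.113.7", "Vlan-interface200"),    # only reachable via the default route
]


def filter_packets(fib, packets, mode="strict", allow_default=False):
    """Apply urpf_check to each packet. Returns (passed, dropped) counts."""
    passed = sum(1 for src, ingress in packets
                 if urpf_check(fib, src, ingress, mode, allow_default))
    return passed, len(packets) - passed


if __name__ == "__main__":
    print("strict:", filter_packets(FIB, SAMPLE_PACKETS))
    print("loose:", filter_packets(FIB, SAMPLE_PACKETS, mode="loose"))
    print("strict, default route allowed:", filter_packets(FIB, SAMPLE_PACKETS, allow_default=True))
```

Strict mode passes only the two packets whose source sits on the subnet behind their ingress interface and drops the two spoofed ones; loose mode lets the spoofed packets through because a route to each source exists somewhere. The packet from 203.0.113.7 is dropped in both modes until the default route is allowed to satisfy the check, which is the usual trade-off on an interface that carries a default route towards the Internet.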
Configuration files
#
vlan 100
#
vlan 200
#
interface Vlan-interface100
ip address 192.168.0.1 255.255.255.0
ip urpf strict
#
interface Vlan-interface200
ip address 202.101.0.2 255.255.255.0
ip urpf strict
#
interface GigabitEthernet2/0/1
port access vlan 100
#
interface GigabitEthernet2/0/2
port access vlan 200
#
Example: Configuring transport layer attack protection
Network requirements
As shown in Figure 4, configure SYN Cookie and Naptha attack protection on Switch A to protect Switch A from SYN Flood and Naptha attacks and to make sure BGP can operate correctly.
Software version used
This example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
# Specify IP addresses for interfaces. (Details not shown.)
# Enable SYN Cookie.
<SwitchA> system-view
[SwitchA] tcp syn-cookie enable
# Enable Naptha attack protection.
[SwitchA] tcp anti-naptha enable
Verifying the configuration
After you send a large number of protocol packets with the destination port as the BGP protocol port to Switch A, BGP can operate correctly.
After you send a large number of Naptha attack packets to Switch A, the switch and BGP can operate correctly.
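A SYN cookie lets the switch answer every SYN with a SYN-ACK without allocating a half-open connection: the initial sequence number it sends is a keyed hash of the connection tuple and a coarse timestamp, and a connection is created only when a final ACK arrives that acknowledges a cookie the switch could have issued. The following added Python example, written for this page and not Comware's implementation, shows that stateless round trip for a client reaching the BGP port (179) on the switch. The addresses, the 64-second time slot, the MSS table and the cookie layout are assumptions of the example.

```python
import hashlib
import hmac
import os

# Added example (not H3C code, and not Comware's implementation): a model of
# what "tcp syn-cookie enable" achieves. The server answers every SYN with a
# SYN-ACK whose initial sequence number is a keyed hash of the connection
# tuple, so it keeps no half-open connection state; only a valid final ACK
# (cookie + 1) creates a connection. Port 179 is BGP, as in the example; the
# addresses, the 64-second time slot and the MSS table are assumptions.

SECRET = os.urandom(16)                    # per-boot server secret (constructed)
MSS_TABLE = [536, 1220, 1440, 1460]        # MSS classes encodable in 3 bits
SLOT_SECONDS = 64                          # cookie time slot length


def time_slot(now_seconds):
    return int(now_seconds // SLOT_SECONDS)


def _hash24(secret, src, dst, sport, dport, slot, mss_idx):
    """24-bit keyed hash binding the tuple, the time slot and the MSS index."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, client_mss, now_seconds):
    """ISN for the SYN-ACK: 5 bits of time slot, 3 bits of MSS index,
    24 bits of keyed hash. Nothing is stored on the server."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                    # largest class not above the client's MSS
    slot = time_slot(now_seconds) & 0x1F
    return (slot << 27) | (mss_idx << 24) | _hash24(secret, src, dst, sport, dport, slot, mss_idx)


def check_cookie(secret, src, dst, sport, dport, ack, now_seconds, max_age=1):
    """Validate the handshake's final ACK. Returns the negotiated MSS when the
    ACK acknowledges a cookie issued in the current or previous slot for this
    tuple; otherwise None (stale, forged or replayed ACK)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (time_slot(now_seconds) - slot) & 0x1F
    if age > max_age:
        return None                        # cookie too old: slot rolled over
    expected = _hash24(secret, src, dst, sport, dport, slot, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                        # hash mismatch: ACK did not come from a real SYN-ACK
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """A BGP client at 198.51.100.7 (constructed) connecting to the router.
    Returns (MSS for a valid ACK, result for a stale ACK, result for a forged ACK)."""
    tup = ("198.51.100.7", "203.0.113.1", 40000, 179)
    t0 = 7_000_000.0
    cookie = make_cookie(SECRET, *tup, client_mss=1460, now_seconds=t0)
    valid = check_cookie(SECRET, *tup, ack=cookie + 1, now_seconds=t0 + 10)
    stale = check_cookie(SECRET, *tup, ack=cookie + 1, now_seconds=t0 + 3 * SLOT_SECONDS)
    forged = check_cookie(SECRET, *tup, ack=(cookie ^ 0x5A5A) + 1, now_seconds=t0 + 10)
    return valid, stale, forged


if __name__ == "__main__":
    print("valid / stale / forged:", handshake_demo())
```

Because the SYN-ACK carries everything needed to validate the ACK, a flood of SYNs costs the switch one hash per packet and no memory, which is why BGP sessions can still be established while the flood is in progress. The price is the one normal SYN cookies pay: options that do not fit in the cookie (here anything beyond a coarse MSS) are lost, so the feature is a protection to enable, not a replacement for a full handshake under normal load.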
Configuration files
#
tcp syn-cookie enable
tcp anti-naptha enable
#
Related documentation
· H3C S12500 Routing Switch Series Layer 2—LAN Switching Configuration Guide
· H3C S12500 Routing Switch Series Layer 2—LAN Switching Command Reference
· H3C S12500 Routing Switch Series Layer 3—IP Services Configuration Guide
· H3C S12500 Routing Switch Series Layer 3—IP Services Command Reference
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference