19-Attack Detection and Protection Configuration
In this chapter, EC1 cards refer to cards suffixed with EC1 and EF cards refer to cards suffixed with EF.
Overview
Attack detection and protection enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Protection actions include logging and packet dropping.
The device supports only TCP fragment attack protection.
Configuring TCP fragment attack protection
IMPORTANT:
· This feature is supported only on EC1 and EF cards.
· For this feature to take effect, you must configure the acl ipv6 enable command first. For more information about this command, see ACL and QoS Command Reference.
The TCP fragment attack protection feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that traditional packet filters cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments:
· First fragments in which the TCP header is smaller than 20 bytes.
· Non-first fragments with a fragment offset of 8 bytes (FO=1).
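The two rules above, written as a classifier over raw IPv4 packets. This is an added example, not vendor code or the device's implementation: the function names, return labels and sample packets are constructed for illustration, and "first fragment" is assumed to mean fragment offset 0 with the More Fragments flag set.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20   # bytes; the minimum TCP header size named in the first rule
MF_FLAG = 0x2000      # More Fragments bit in the flags/fragment-offset field
FO_MASK = 0x1FFF      # 13-bit fragment offset, counted in 8-byte units


def build_ipv4(payload: bytes, frag_offset: int, more_fragments: bool,
               proto: int = TCP_PROTO) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    flags_fo = (MF_FLAG if more_fragments else 0) | (frag_offset & FO_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_fo, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload


def classify_fragment(packet: bytes) -> str:
    """Return 'drop-tiny-first', 'drop-fo1' or 'pass' for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, _ident, flags_fo = struct.unpack("!HHH", packet[2:8])
    if packet[9] != TCP_PROTO:
        return "pass"                      # the rules only cover TCP
    frag_offset = flags_fo & FO_MASK
    more_fragments = bool(flags_fo & MF_FLAG)
    transport_len = min(total_len, len(packet)) - ihl
    # Rule 1: first fragment too short to hold a complete TCP header.
    if frag_offset == 0 and more_fragments and transport_len < MIN_TCP_HEADER:
        return "drop-tiny-first"
    # Rule 2: FO=1 means the data starts 8 bytes into the TCP header.
    if frag_offset == 1:
        return "drop-fo1"
    return "pass"


if __name__ == "__main__":
    samples = {
        "tiny first fragment (8 bytes)": build_ipv4(b"\x00" * 8, 0, True),
        "fragment with FO=1": build_ipv4(b"\x00" * 8, 1, False),
        "first fragment, 24 bytes": build_ipv4(b"\x00" * 24, 0, True),
        "later fragment, FO=3": build_ipv4(b"\x00" * 16, 3, False),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```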
To configure TCP fragment attack protection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable TCP fragment attack protection. | attack-defense tcp fragment enable | By default, TCP fragment attack protection is enabled. |