09-Security Configuration Guide

18-Attack detection and prevention configuration

Configuring attack detection and prevention

Overview

Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging and packet dropping.

Attacks that the device can prevent

This section describes the attacks that the device can detect and prevent.

Single-packet attacks

Single-packet attacks are also known as malformed packet attacks. An attacker typically launches single-packet attacks by using the following methods:

·           An attacker sends defective packets to a device, which causes the device to malfunction or crash.

·           An attacker sends normal packets to a device, which interrupts connections or probes network topologies.

·           An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).

Table 1 lists the single-packet attack types that the device can detect and prevent.

Table 1 Types of single-packet attacks

Single-packet attack

Description

ICMP redirect

An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly.

ICMP destination unreachable

An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations.

ICMP type

A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim.

ICMPv6 type

A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim.

Land

An attacker sends the victim a large number of TCP SYN packets, which contain the victim's IP address as the source and destination IP addresses. This attack exhausts the half-open connection resources on the victim, and locks the victim's system.

Large ICMP packet

An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation error and crash the protocol stack.

Large ICMPv6 packet

An attacker sends large ICMPv6 packets to crash the victim. Large ICMPv6 packets can cause memory allocation error and crash the protocol stack.

IP options

An attacker sends IP datagrams carrying abnormal IP options, typically to probe the network topology. A target that cannot handle malformed options can crash.

IP fragment

An attacker sends the victim a non-first IP fragment with a fragment offset smaller than 5. The offset is counted in 8-byte units, so such a fragment overwrites the first 40 bytes of the reassembled datagram, where the transport header lives, and can cause the victim to malfunction or crash.

IP impossible packet

An attacker sends IP packets whose source IP address is the same as the destination IP address, which causes the victim to malfunction.

Tiny fragment

An attacker makes the first fragment small enough to force the Layer 4 header fields into the second fragment. Such fragments can slip through a packet filter: the first fragment carries none of the port fields the filter's rules match on, and the later fragments are not inspected.

Smurf

An attacker broadcasts an ICMP echo request to target networks. These requests contain the victim's IP address as the source IP address. Every receiver on the target networks will send an ICMP echo reply to the victim. The victim will be flooded with replies, and will be unable to provide services. Network congestion might occur.

TCP flag

An attacker sends packets with defective TCP flag combinations to fingerprint the operating system of the target host, because different operating systems respond differently to unconventional flags. A target that mishandles such packets might crash.

Traceroute

An attacker uses traceroute tools to probe the topology of the victim network.

WinNuke

An attacker sends Out-Of-Band (OOB) data to TCP port 139 (NetBIOS) on a victim running Windows. The malicious packets carry an illegal Urgent Pointer, which causes the victim's operating system to crash.

UDP bomb

An attacker sends a malformed UDP packet. The length value in the IP header is larger than the IP header length plus the length value in the UDP header. When the target system processes the packet, a buffer overflow can occur, which causes a system crash.

UDP Snork

An attacker sends a UDP packet with destination port 135 (the Microsoft location service) and source port 135, 7, or 19. This attack causes an NT system to exhaust its CPU.

UDP Fraggle

An attacker sends a large number of chargen packets with source UDP port 7 and destination UDP port 19 to a network. These packets use the victim's IP address as the source IP address. Replies will flood the victim, resulting in DoS.

Teardrop

An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments.

Ping of death

An attacker sends the victim an ICMP echo request larger than 65535 bytes that violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash.

 

Scanning attacks

Scanning is a pre-intrusion activity used to prepare for intrusion into a network. It helps the attacker find a way into the target network while disguising the attacker's identity.

Attackers will use scanning tools to probe a network, find vulnerable hosts, and discover services that are running on the hosts. Attackers can use the information to launch attacks.

The device can detect and prevent IP sweep and port scan attacks. A port scan launched from multiple hosts against one target host is a distributed port scan attack.

Flood attacks

An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to serve legitimate users, which is a DoS attack.

The device can detect and prevent the following types of flood attacks:

·           SYN flood attack.

A SYN flood attacker exploits the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets with forged source addresses to a server. The server opens a half-open connection and sends a SYN-ACK for each, but the expected ACK packets never arrive. Once all of its connection resources are tied up in half-open connections, the server cannot accept new connection requests.

·           ACK flood attack.

An ACK packet is a TCP packet with only the ACK flag set. Upon receiving an ACK packet from a client, the server must search its connection table for a match.

An ACK flood attacker sends a large number of ACK packets to the server. This causes the server to be busy searching for half-open connections, and the server is unable to process packets for normal services.

·           SYN-ACK flood attack.

Upon receiving a SYN-ACK packet, the server must search for the matching SYN packet it has sent. A SYN-ACK flood attacker sends a large number of SYN-ACK packets to the server. This causes the server to be busy searching for SYN packets, and the server is unable to process packets for normal services.

·           FIN flood attack.

FIN packets are used to shut down TCP connections.

A FIN flood attacker sends a large number of forged FIN packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections.

·           RST flood attack.

RST packets are used to abort TCP connections when TCP connection errors occur.

An RST flood attacker sends a large number of forged RST packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections.

·           DNS flood attack.

A DNS server processes and replies to every DNS query it receives.

A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server from processing and replying to legitimate DNS queries.

·           HTTP flood attack.

Upon receiving an HTTP GET request, the HTTP server performs comparatively expensive operations, including string searching, database traversal, data reassembly, and format conversion. These operations consume a large amount of system resources.

An HTTP flood attacker sends more HTTP GET requests than the HTTP server can process, which exhausts the server's resources or causes it to crash.

·           ICMP flood attack.

An ICMP flood attacker sends ICMP echo requests (ping packets) to a host at a high rate. Because the target host is busy replying to these requests, it is unable to provide services.

·           ICMPv6 flood attack.

An ICMPv6 flood attacker sends ICMPv6 echo requests (ping packets) to a host at a high rate. Because the target host is busy replying to these requests, it is unable to provide services.

·           UDP flood attack.

A UDP flood attacker sends UDP packets to a host at a high rate. These packets consume a large share of the target host's bandwidth and processing capacity, so the host cannot provide other services.

TCP fragment attack

An attacker launches TCP fragment attacks by sending the TCP fragments that RFC 1858 identifies as attacks:

·           First fragments that carry fewer than 20 bytes of TCP header, so that the port or flag fields the filter needs are missing.

·           Non-first fragments with a fragment offset of 8 bytes (FO=1), which overlap the first fragment and overwrite its flags and ports during reassembly.

A packet filter typically inspects the source and destination IP addresses, source and destination ports, and transport layer protocol only in the first fragment of a TCP packet. If the first fragment passes, all subsequent fragments of the same packet are allowed through.

Because the first fragment of an attack packet lacks the fields that the filter's deny rules match on, it is not blocked, and the subsequent fragments pass as well. The attack takes effect once the receiving host reassembles the fragments.

To prevent TCP fragment attacks, enable TCP fragment attack prevention to drop attack TCP fragments.
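The checks in Table 1 and the two RFC 1858 fragment rules above, as an added example that is not H3C's code: a small Python classifier that parses a raw IPv4 packet and reports which `signature detect` keywords it would match. Signature names follow the command keywords; the IP option type codes, the 8-byte fragment offset unit, and the 65535-byte IP maximum are protocol facts. The page does not define `tcp-invalid-flags`, so it is left out, and checks that need more than one packet (smurf needs the subnet mask, traceroute needs a TTL history) are reduced to what a single packet shows. The sample packets are constructed here, not captured.

```python
import socket
import struct
from typing import List

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
LARGE_ICMP_MAX = 4000                      # page default for `signature large-icmp max-length`
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
# IPv4 option type codes (RFC 791, RFC 2113) behind the `signature detect ip-option` keywords
IP_OPTIONS = {7: "record-route", 68: "internet-timestamp", 130: "security",
              131: "loose-source-routing", 136: "stream-id",
              137: "strict-source-routing", 148: "route-alert"}


def classify(pkt: bytes, large_icmp_max: int = LARGE_ICMP_MAX) -> List[str]:
    """Return the signature names (Table 1 keywords) matched by one raw IPv4 packet."""
    hits: List[str] = []
    if len(pkt) < 20:
        return ["truncated"]
    vihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    more_frags, offset = bool(frag & 0x2000), frag & 0x1FFF   # offset is in 8-byte units
    payload = pkt[ihl:total_len]                               # what this fragment carries above IP
    opts, i = pkt[20:ihl], 0                                   # walk the option list
    while i < len(opts) and opts[i] != 0:                      # 0 = End of Option List
        if opts[i] == 1:                                       # 1 = No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            hits.append("ip-option-abnormal")                  # length missing, < 2, or past the header
            break
        hits.append("ip-option:" + IP_OPTIONS.get(opts[i], str(opts[i])))
        i += opts[i + 1]
    if src == dst:
        hits.append("impossible")
    if offset:                                                 # non-first fragment: no transport header here
        if offset < 5:
            hits.append("fragment")                            # Table 1: offset smaller than 5
        if proto == IPPROTO_TCP and offset == 1:
            hits.append("tcp-fragment-fo1")                    # RFC 1858: FO=1 overwrites ports/flags
        if proto == IPPROTO_ICMP and offset * 8 + len(payload) > 65535:
            hits.append("ping-of-death")                       # reassembled datagram would exceed 65535
        return hits
    if more_frags and proto == IPPROTO_TCP and len(payload) < 20:
        hits.append("tiny-fragment")                           # first fragment cannot hold the TCP header
        return hits
    if proto == IPPROTO_ICMP and total_len > large_icmp_max:
        hits.append("large-icmp")
    elif proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x3F
        if flags == ALL_FLAGS:
            hits.append("tcp-all-flags")
        elif flags == 0:
            hits.append("tcp-null-flag")
        elif flags == FIN:
            hits.append("tcp-fin-only")
        elif flags & SYN and flags & FIN:
            hits.append("tcp-syn-fin")
        if flags & SYN and src == dst and sport == dport:
            hits.append("land")
        if flags & URG and dport == 139:
            hits.append("winnuke")                             # OOB data to NetBIOS; urgent pointer not checked
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, udp_len, _ = struct.unpack("!HHHH", payload[:8])
        if total_len > ihl + udp_len:
            hits.append("udp-bomb")                            # Table 1: IP length > IP hdr len + UDP length
        if dport == 135 and sport in (135, 7, 19):
            hits.append("snork")
        if sport == 7 and dport == 19:
            hits.append("fraggle")                             # port pattern only; Table 1 also needs broadcast
    return hits


# Builders for constructed test packets (checksums left zero; nothing here is sent on a wire).
def ipv4(proto, src, dst, payload=b"", flags_frag=0, options=b""):
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 1, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def udp(sport, dport, length, data=b""):
    return struct.pack("!HHHH", sport, dport, length, 0) + data


SAMPLES = {  # constructed packets, not captures
    "land": ipv4(IPPROTO_TCP, "10.0.0.1", "10.0.0.1", tcp(80, 80, SYN)),
    "xmas": ipv4(IPPROTO_TCP, "10.0.0.9", "10.0.0.1", tcp(1234, 22, ALL_FLAGS)),
    "winnuke": ipv4(IPPROTO_TCP, "10.0.0.9", "10.0.0.1", tcp(1234, 139, ACK | URG)),
    "snork": ipv4(IPPROTO_UDP, "10.0.0.9", "10.0.0.1", udp(7, 135, 8)),
    "udp-bomb": ipv4(IPPROTO_UDP, "10.0.0.9", "10.0.0.1", udp(1234, 53, 8, b"\x00" * 12)),
    "tiny-fragment": ipv4(IPPROTO_TCP, "10.0.0.9", "10.0.0.1", tcp(1234, 22, SYN)[:8], flags_frag=0x2000),
    "fo1-fragment": ipv4(IPPROTO_TCP, "10.0.0.9", "10.0.0.1", b"\x00" * 16, flags_frag=0x0001),
    "ping-of-death": ipv4(IPPROTO_ICMP, "10.0.0.9", "10.0.0.1", b"\x00" * 100, flags_frag=8189),
    "lsrr": ipv4(IPPROTO_ICMP, "10.0.0.9", "10.0.0.1", b"\x08\x00" + b"\x00" * 6,
                 options=b"\x83\x07\x04\x0a\x00\x00\x01\x00"),
    "normal-syn": ipv4(IPPROTO_TCP, "10.0.0.9", "10.0.0.1", tcp(40000, 443, SYN)),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

Two details worth noticing when reading the output: the land packet also matches the IP impossible signature, because a source equal to the destination is what both signatures key on, and the FO=1 fragment matches both the Table 1 fragment signature and the RFC 1858 rule, which is why the page processes incoming TCP packets through TCP fragment attack prevention before the single-packet policy.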

Login dictionary attack

The login dictionary attack is an automated process to attempt to log in by trying all possible passwords from a pre-arranged list of values (the dictionary). Multiple login attempts can occur in a short period of time.

You can configure the login delay feature to slow down the login dictionary attacks. This feature enables the device to delay accepting another login request after detecting a failed login attempt for a user.

Attack detection and prevention configuration task list

Tasks at a glance

(Required.) Configuring an attack defense policy:

·          (Required.) Creating an attack defense policy

·          (Required.) Perform at least one of the following tasks to configure attack detection:

¡  Configuring a single-packet attack defense policy

¡  Configuring a scanning attack defense policy

¡  Configuring a flood attack defense policy

·          (Optional.) Configuring attack detection exemption

(Required.) Applying an attack defense policy to the device

(Optional.) Disabling log aggregation for single-packet attack events

(Optional.) Configuring TCP fragment attack prevention

(Optional.) Enabling the login delay

 

Configuring an attack defense policy

Creating an attack defense policy

An attack defense policy groups the detection and prevention settings for multiple attack types.

To create an attack defense policy:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Create an attack defense policy and enter its view.

attack-defense policy policy-name

By default, no attack defense policy exists.

 

Configuring a single-packet attack defense policy

Single-packet attack detection inspects packets destined for the device based on the packet signature. If an attack packet is detected, the device can take the following actions:

·           Output logs (the default action).

·           Drop attack packets.

You can also configure the device to not take any actions.

To configure a single-packet attack defense policy:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Configure signature detection for single-packet attacks.

·          signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | teardrop | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

·          signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

·          signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

·          signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

·          signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

By default, signature detection is not configured for single-packet attacks.

You can configure signature detection for multiple single-packet attacks.

4.      (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.

signature { large-icmp | large-icmpv6 } max-length length

By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.

5.      (Optional.) Specify the actions against single-packet attacks of a specific level.

signature level { high | info | low | medium } action { { drop | logging } * | none }

The default action is logging for single-packet attacks of the informational and low levels.

The default actions are logging and drop for single-packet attacks of the medium and high levels.

6.      (Optional.) Enable signature detection for single-packet attacks of a specific level.

signature level { high | info | low | medium } detect

By default, signature detection is disabled for all levels of single-packet attacks.

 

Configuring a scanning attack defense policy

Scanning attack detection monitors the rate at which connections are initiated to the device. If a source initiates connections at a rate equal to or exceeding the pre-defined threshold, the device can take the following actions:

·           Output logs.

·           Drop subsequent packets from the IP address of the attacker.

To configure a scanning attack defense policy:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Configure scanning attack detection.

scan detect level { high | low | medium } action { drop | logging } *

By default, scanning attack detection is not configured.

 

Configuring a flood attack defense policy

Attack detection and prevention takes effect only on packets destined for the device in the current release. The IP address specified for IP address-specific flood attack detection must be an IP address of a Layer 3 interface on the device.

Flood attack detection monitors the rate at which packets of the given type arrive at an IP address of the device.

With flood attack detection configured, the device starts in the attack detection state. When the rate of packets sent to an IP address reaches or exceeds the trigger threshold, the device enters the prevention state for that address and takes the specified actions. When the rate falls below the silence threshold (three-fourths of the trigger threshold), the device returns to the attack detection state.

You can configure flood attack detection and prevention for a specific IP address. For addresses without a specific configuration, the device uses the global (non-specific) settings.
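The detection/prevention state machine described above, as an added example that is not taken from the page or from Comware: a Python model that counts packets of one flood type per destination address and per second, enters the prevention state at the trigger threshold, applies the configured drop and logging actions, and returns to the detection state once a full second passes below the silence threshold (three-fourths of the trigger). An address-specific entry overrides the global settings, as the page states. The one-second measurement window and the scenario numbers (5000 pkt/s on the protected address with drop and logging, 2000 pkt/s globally with logging only) are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FloodRule:
    """One flood type's settings: `<type>-flood threshold` and `<type>-flood action`."""
    threshold: int = 1000                                   # page default for every flood type
    actions: Set[str] = field(default_factory=set)          # subset of {"drop", "logging"}

    @property
    def silence_threshold(self) -> float:
        return self.threshold * 3 / 4                       # page: three-fourths of the trigger threshold


@dataclass
class FloodDetector:
    """Per-destination rate check with the detection/prevention hysteresis the page describes."""
    non_specific: Optional[FloodRule] = None                # `<type>-flood detect non-specific` plus globals
    specific: Dict[str, FloodRule] = field(default_factory=dict)   # `<type>-flood detect ip ... threshold ... action ...`
    log: List[str] = field(default_factory=list)
    _window: Dict[str, int] = field(default_factory=dict)   # last one-second window seen per destination
    _counts: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))
    _preventing: Set[str] = field(default_factory=set)

    def rule_for(self, dst: str) -> Optional[FloodRule]:
        # An address-specific entry overrides the global (non-specific) settings.
        return self.specific.get(dst, self.non_specific)

    def state(self, dst: str) -> str:
        return "prevention" if dst in self._preventing else "detection"

    def packet(self, dst: str, t: float) -> str:
        """Account for one packet of this flood type sent to dst at time t (seconds); 'forward' or 'drop'."""
        rule = self.rule_for(dst)
        if rule is None:
            return "forward"                                # detection not configured for this destination
        window, last = int(t), self._window.get(dst)
        if last is not None and window != last:
            # The previous window closed: if its rate was below the silence threshold, leave prevention.
            prev_rate = self._counts[(dst, last)] if window == last + 1 else 0
            if dst in self._preventing and prev_rate < rule.silence_threshold:
                self._preventing.discard(dst)
                self.log.append(f"t={window}: {dst} back to detection state "
                                f"({prev_rate} pkt/s < {rule.silence_threshold:g})")
        self._window[dst] = window
        self._counts[(dst, window)] += 1
        if dst not in self._preventing and self._counts[(dst, window)] >= rule.threshold:
            self._preventing.add(dst)                       # trigger threshold reached: enter prevention
            if "logging" in rule.actions:
                self.log.append(f"t={window}: flood towards {dst} reached {rule.threshold} pkt/s")
        return "drop" if dst in self._preventing and "drop" in rule.actions else "forward"


def simulate(det: FloodDetector, dst: str, per_second: List[int]) -> List[int]:
    """Send per_second[i] packets to dst during second i; return the number dropped in each second."""
    dropped = []
    for sec, n in enumerate(per_second):
        dropped.append(sum(det.packet(dst, sec + j / max(n, 1)) == "drop" for j in range(n)))
    return dropped


if __name__ == "__main__":
    # Constructed scenario: a protected address at 5000 pkt/s with drop and logging,
    # everything else under the global 2000 pkt/s rule with logging only.
    det = FloodDetector(non_specific=FloodRule(2000, {"logging"}),
                        specific={"192.168.2.1": FloodRule(5000, {"drop", "logging"})})
    print(simulate(det, "192.168.2.1", [1000, 6000, 4000, 3000, 1000]))   # [0, 1001, 4000, 3000, 0]
    print(simulate(det, "10.0.0.1", [2500, 100]))                          # [0, 0]
    print(*det.log, sep="\n")
```

In the 6000 pkt/s second the 5000th packet trips the threshold, so it and the 1000 packets after it are dropped; the next two seconds stay above the 3750 pkt/s silence threshold, so every packet is dropped; prevention ends only after a whole second below that line. Against the global rule the address enters prevention at 2000 packets and stays there, but with logging as the only action nothing is dropped, which is the difference between detecting a flood and stopping one.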

Configuring a SYN flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global SYN flood attack detection.

syn-flood detect non-specific

By default, global SYN flood attack detection is disabled.

4.      Set the global trigger threshold for SYN flood attack prevention.

syn-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against SYN flood attacks.

syn-flood action { drop | logging } *

By default, no global action is specified for SYN flood attacks.

6.      Configure IP address-specific SYN flood attack detection.

syn-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific SYN flood attack detection is not configured.

 

Configuring an ACK flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global ACK flood attack detection.

ack-flood detect non-specific

By default, global ACK flood attack detection is disabled.

4.      Set the global trigger threshold for ACK flood attack prevention.

ack-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against ACK flood attacks.

ack-flood action { drop | logging } *

By default, no global action is specified for ACK flood attacks.

6.      Configure IP address-specific ACK flood attack detection.

ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific ACK flood attack detection is not configured.

 

Configuring a SYN-ACK flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global SYN-ACK flood attack detection.

syn-ack-flood detect non-specific

By default, global SYN-ACK flood attack detection is disabled.

4.      Set the global trigger threshold for SYN-ACK flood attack prevention.

syn-ack-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against SYN-ACK flood attacks.

syn-ack-flood action { drop | logging } *

By default, no global action is specified for SYN-ACK flood attacks.

6.      Configure IP address-specific SYN-ACK flood attack detection.

syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific SYN-ACK flood attack detection is not configured.

 

Configuring a FIN flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global FIN flood attack detection.

fin-flood detect non-specific

By default, global FIN flood attack detection is disabled.

4.      Set the global trigger threshold for FIN flood attack prevention.

fin-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against FIN flood attacks.

fin-flood action { drop | logging } *

By default, no global action is specified for FIN flood attacks.

6.      Configure IP address-specific FIN flood attack detection.

fin-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific FIN flood attack detection is not configured.

 

Configuring an RST flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global RST flood attack detection.

rst-flood detect non-specific

By default, global RST flood attack detection is disabled.

4.      Set the global trigger threshold for RST flood attack prevention.

rst-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against RST flood attacks.

rst-flood action { drop | logging } *

By default, no global action is specified for RST flood attacks.

6.      Configure IP address-specific RST flood attack detection.

rst-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific RST flood attack detection is not configured.

 

Configuring an ICMP flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global ICMP flood attack detection.

icmp-flood detect non-specific

By default, global ICMP flood attack detection is disabled.

4.      Set the global trigger threshold for ICMP flood attack prevention.

icmp-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against ICMP flood attacks.

icmp-flood action { drop | logging } *

By default, no global action is specified for ICMP flood attacks.

6.      Configure IP address-specific ICMP flood attack detection.

icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific ICMP flood attack detection is not configured.

 

Configuring an ICMPv6 flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global ICMPv6 flood attack detection.

icmpv6-flood detect non-specific

By default, global ICMPv6 flood attack detection is disabled.

4.      Set the global trigger threshold for ICMPv6 flood attack prevention.

icmpv6-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against ICMPv6 flood attacks.

icmpv6-flood action { drop | logging } *

By default, no global action is specified for ICMPv6 flood attacks.

6.      Configure IP address-specific ICMPv6 flood attack detection.

icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific ICMPv6 flood attack detection is not configured.

 

Configuring a UDP flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global UDP flood attack detection.

udp-flood detect non-specific

By default, global UDP flood attack detection is disabled.

4.      Set the global trigger threshold for UDP flood attack prevention.

udp-flood threshold threshold-value

The default setting is 1000.

5.      Specify global actions against UDP flood attacks.

udp-flood action { drop | logging } *

By default, no global action is specified for UDP flood attacks.

6.      Configure IP address-specific UDP flood attack detection.

udp-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific UDP flood attack detection is not configured.

 

Configuring a DNS flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global DNS flood attack detection.

dns-flood detect non-specific

By default, global DNS flood attack detection is disabled.

4.      Set the global trigger threshold for DNS flood attack prevention.

dns-flood threshold threshold-value

The default setting is 1000.

5.      (Optional.) Specify the global ports to be protected against DNS flood attacks.

dns-flood port port-list

By default, DNS flood attack prevention protects port 53.

6.      Specify global actions against DNS flood attacks.

dns-flood action { drop | logging } *

By default, no global action is specified for DNS flood attacks.

7.      Configure IP address-specific DNS flood attack detection.

dns-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific DNS flood attack detection is not configured.

 

Configuring an HTTP flood attack defense policy

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Enable global HTTP flood attack detection.

http-flood detect non-specific

By default, global HTTP flood attack detection is disabled.

4.      Set the global trigger threshold for HTTP flood attack prevention.

http-flood threshold threshold-value

The default setting is 1000.

5.      (Optional.) Specify the global ports to be protected against HTTP flood attacks.

http-flood port port-list

By default, HTTP flood attack prevention protects port 80.

6.      Specify global actions against HTTP flood attacks.

http-flood action { drop | logging } *

By default, no global action is specified for HTTP flood attacks.

7.      Configure IP address-specific HTTP flood attack detection.

http-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { drop | logging } * ]

By default, IP address-specific HTTP flood attack detection is not configured.

 

Configuring attack detection exemption

The attack defense policy uses an ACL to identify exempted packets: packets permitted by the ACL bypass every check in the policy. Use the ACL to identify traffic from trusted hosts. Exemption reduces the false alarm rate and improves packet processing efficiency, but because an exempted packet is never inspected, keep the ACL as narrow as possible and do not exempt source addresses that an attacker could spoof.

To configure attack detection exemption:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter attack defense policy view.

attack-defense policy policy-name

N/A

3.      Configure attack detection exemption.

exempt acl [ ipv6 ] { acl-number | name acl-name }

By default, the attack defense policy applies to all packets destined for the device.

 

Applying an attack defense policy to the device

An attack defense policy applied to the device itself inspects packets destined for the device and prevents attacks targeted at the device.

A switch forwards transit packets in hardware but processes packets destined for the switch itself in software. The software path has no built-in attack defense, so you must apply an attack defense policy to the switch to prevent attacks aimed at the switch.

To apply an attack defense policy to the device:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Apply an attack defense policy to the device.

attack-defense local apply policy policy-name

By default, no attack defense policy is applied to the device.

 

Disabling log aggregation for single-packet attack events

Log aggregation combines all logs generated for attacks targeted at the device during a period of time into one log message. Logs are aggregated when they share all of the following attributes:

·           Attack type.

·           Attack defense action.

·           Source and destination IP addresses.

·           VPN instance to which the victim IP address belongs.

As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.

To disable log aggregation for single-packet attack events:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Disable log aggregation for single-packet attack events.

attack-defense signature log non-aggregate

By default, log aggregation is enabled for single-packet attack events.

 

Configuring TCP fragment attack prevention

The TCP fragment attack prevention feature detects the length and fragment offset of received TCP fragments and drops attack TCP fragments.

TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.

To configure TCP fragment attack prevention:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable TCP fragment attack prevention.

attack-defense tcp fragment enable

By default, TCP fragment attack prevention is enabled.

 

Enabling the login delay

The login delay feature delays the device from accepting a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks.

To enable the login delay:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable the login delay feature.

attack-defense login reauthentication-delay seconds

By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.

 

Displaying and maintaining attack detection and prevention

Use the display commands in any view and the reset commands in user view.

To display and maintain attack detection and prevention:

 

Task

Command

Display attack detection and prevention statistics for the device.

display attack-defense statistics local [ slot slot-number ]

Display attack defense policy configuration.

display attack-defense policy [ policy-name ]

Display information about IPv4 scanning attackers.

display attack-defense scan attacker ip [ count ]

Display information about IPv6 scanning attackers.

display attack-defense scan attacker ipv6 [ count ]

Display information about IPv4 scanning attack victims.

display attack-defense scan victim ip [ count ]

Display information about IPv6 scanning attack victims.

display attack-defense scan victim ipv6 [ count ]

Display flood attack detection and prevention statistics for an IPv4 address.

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ local [ slot slot-number ] ] [ count ]

Display flood attack detection and prevention statistics for an IPv6 address.

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ local [ slot slot-number ] ] [ count ]

Display information about IPv4 addresses protected by flood attack detection and prevention.

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Display information about IPv6 addresses protected by flood attack detection and prevention.

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Clear attack detection and prevention statistics for the device.

reset attack-defense statistics local

Clear flood attack detection and prevention statistics.

reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics

 

Attack detection and prevention configuration example

Network requirements

Configure attack detection and prevention on the switch (the gateway) to protect against network attacks from the user side or the network side.

·           To prevent TCP flag attacks and low level scanning attacks that aim at the switch, enable TCP flag attack prevention and scanning attack prevention. Configure the device to output logs if it detects such attacks.

·           To prevent the SYN flood attacks that aim at the external interface of the switch, enable IP address-specific SYN flood attack detection for 192.168.2.1/24. When the device receives 5000 or more SYN packets sent to the protected IP address per second, it outputs logs and drops the packets.

·           To prevent the SYN flood attacks that aim at the internal interface of the switch, enable global SYN flood attack detection. When the device receives 2000 or more SYN packets that are destined to the switch but not to the protected IP address per second, it outputs logs.

Figure 1 Network diagram (image not included in this extract)


Configuration procedure

# Create an attack defense policy named a1.

[Switch] attack-defense policy a1

# Enable signature detection for TCP single-packet attacks and enable logging for the specified attacks. A TCP packet is identified as an attack packet if it has all flags set, only the FIN flag set, invalid flags, no TCP flags set, or both SYN and FIN flags set.

[Switch-attack-defense-policy-a1] signature detect tcp-all-flags action logging

[Switch-attack-defense-policy-a1] signature detect tcp-fin-only action logging

[Switch-attack-defense-policy-a1] signature detect tcp-invalid-flags action logging

[Switch-attack-defense-policy-a1] signature detect tcp-null-flag action logging

[Switch-attack-defense-policy-a1] signature detect tcp-syn-fin action logging

# Configure low-level scanning attack detection and enable logging for such attack events.

[Switch-attack-defense-policy-a1] scan detect level low action logging

# Configure SYN flood attack detection for 192.168.2.1. Set the threshold for triggering SYN flood attack prevention to 5000 and specify logging and drop as the actions for SYN packets that are destined for the protected IP address.

[Switch-attack-defense-policy-a1] syn-flood detect ip 192.168.2.1 threshold 5000 action logging drop

# Enable global SYN flood attack detection, set the global threshold for triggering SYN flood attack prevention to 2000, and specify logging as the global protection action.

[Switch-attack-defense-policy-a1] syn-flood detect non-specific

[Switch-attack-defense-policy-a1] syn-flood threshold 2000

[Switch-attack-defense-policy-a1] syn-flood action logging

[Switch-attack-defense-policy-a1] quit

# Apply the attack defense policy to the device.

[Switch] attack-defense local apply policy a1

Verifying the configuration

# Verify that the attack defense policy a1 is correctly configured.

[Switch] display attack-defense policy a1

          Attack-defense Policy Information

--------------------------------------------------------------------------

Policy name                        : a1

Applied list                       : Local

--------------------------------------------------------------------------

Exempt IPv4 ACL                    : Not configured

Exempt IPv6 ACL                    : Not configured

--------------------------------------------------------------------------

  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

 

Signature attack defense configuration:

Signature name                     Defense      Level             Actions

Fragment                           Disabled     low               L

Impossible                         Disabled     medium            L,D

Teardrop                           Disabled     medium            L,D

Tiny fragment                      Disabled     low               L

IP option abnormal                 Disabled     medium            L,D

Smurf                              Enabled      medium            L,D

Traceroute                         Disabled     low               L

Ping of death                      Disabled     medium            L,D

Large ICMP                         Disabled     info              L

  Max length                       4000 bytes

Large ICMPv6                       Disabled     info              L

  Max length                       4000 bytes

TCP invalid flags                  Disabled     medium            L

TCP null flag                      Disabled     medium            L

TCP all flags                      Disabled     medium            L

TCP SYN-FIN flags                  Disabled     medium            L

TCP FIN only flag                  Disabled     medium            L

TCP Land                           Disabled     medium            L,D

Winnuke                            Disabled     medium            L,D

UDP Bomb                           Disabled     medium            L,D

UDP Snork                          Disabled     medium            L,D

UDP Fraggle                        Disabled     medium            L,D

IP option record route             Disabled     info              L

IP option internet timestamp       Disabled     info              L

IP option security                 Disabled     info              L

IP option loose source routing     Disabled     info              L

IP option stream ID                Disabled     info              L

IP option strict source routing    Disabled     info              L

IP option route alert              Disabled     info              L

ICMP echo request                  Disabled     info              L

ICMP echo reply                    Disabled     info              L

ICMP source quench                 Disabled     info              L

ICMP destination unreachable       Disabled     info              L

ICMP redirect                      Disabled     info              L

ICMP time exceeded                 Disabled     info              L

ICMP parameter problem             Disabled     info              L

ICMP timestamp request             Disabled     info              L

ICMP timestamp reply               Disabled     info              L

ICMP information request           Disabled     info              L

ICMP information reply             Disabled     info              L

ICMP address mask request          Disabled     info              L

ICMP address mask reply            Disabled     info              L

ICMPv6 echo request                Disabled     info              L

ICMPv6 echo reply                  Disabled     info              L

ICMPv6 group membership query      Disabled     info              L

ICMPv6 group membership report     Disabled     info              L

ICMPv6 group membership reduction  Disabled     info              L

ICMPv6 destination unreachable     Disabled     info              L

ICMPv6 time exceeded               Disabled     info              L

ICMPv6 parameter problem           Disabled     info              L

ICMPv6 packet too big              Disabled     info              L

 

Scan attack defense configuration:

 Defense : Enabled

 Level   : low

 Actions : L

 

Flood attack defense configuration:

Flood type      Global thres(pps)  Global actions  Service ports   Non-specific

SYN flood       2000               L               -               Enabled

ACK flood       1000(default)      -               -               Disabled

SYN-ACK flood   1000(default)      -               -               Disabled

RST flood       1000(default)      -               -               Disabled

FIN flood       1000(default)      -               -               Disabled

UDP flood       1000(default)      -               -               Disabled

ICMP flood      1000(default)      -               -               Disabled

ICMPv6 flood    1000(default)      -               -               Disabled

DNS flood       1000(default)      -               53              Disabled

HTTP flood      1000(default)      -               80              Disabled

 

Flood attack defense for protected IP addresses:

 Address                 VPN instance Flood type    Thres(pps) Actions Ports

 192.168.2.1            --           SYN-FLOOD     5000       L,D     -

If the device receives TCP flag attack packets or scanning attack packets that are destined for the device, the device outputs logs. If the device receives TCP SYN flood attack packets that are destined for the protected IP address, the device outputs logs and drops the attack packets. If the device receives TCP SYN flood attack packets that are destined for the device but not for the protected IP address, the device outputs logs only.

# Display the attack defense statistics.

[Switch] display attack-defense statistics local

Attack policy name: a1

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           4           0

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 No flood attacks detected.

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 TCP invalid flags                   116         0

 TCP null flag                       709         0

 TCP all flags                       251         0

 TCP SYN-FIN flags                   46          0

 TCP FIN only flag                   130         0
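The statistics shown above are what an operator would poll to notice that a logging-only signature (Dropped stays at 0 while AttackTimes grows) may deserve a drop action. As an added example that is not part of the H3C guide, the following Python parses the `display attack-defense statistics local` output format and lists attack types that were detected but never dropped; the sample text is constructed to mirror the output layout on this page.

```python
"""Parse `display attack-defense statistics local` output (Comware layout as
shown in this guide) and flag attack types that were hit but not dropped.
Added illustration, not H3C tooling."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the page's output; not captured from a device.
SAMPLE_OUTPUT = """\
Attack policy name: a1
Slot 1:
Scan attack defense statistics:
 AttackType                          AttackTimes Dropped
 Port scan                           4           0
Flood attack defense statistics:
 AttackType                          AttackTimes Dropped
 No flood attacks detected.
Signature attack defense statistics:
 AttackType                          AttackTimes Dropped
 TCP invalid flags                   116         0
 TCP null flag                       709         0
 TCP SYN-FIN flags                   46          0
"""

SECTION_RE = re.compile(r"^(\w+) attack defense statistics:$")
# Attack name (may contain spaces) followed by two integer counter columns.
ROW_RE = re.compile(r"^\s+(\S.*?)\s+(\d+)\s+(\d+)\s*$")

def parse_statistics(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {section: {attack_type: (attack_times, dropped)}}."""
    stats: Dict[str, Dict[str, Tuple[int, int]]] = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group(1).lower()
            stats[section] = {}
            continue
        if section is None or "AttackType" in line:
            continue  # policy/slot lines and column headers carry no counters
        m = ROW_RE.match(line)
        if m:  # "No flood attacks detected." has no counters and is skipped
            stats[section][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def detected_but_not_dropped(stats) -> List[Tuple[str, str, int]]:
    """Attack types with hits whose policy action is logging only."""
    return [(sec, name, times) for sec, rows in stats.items()
            for name, (times, dropped) in rows.items()
            if times > 0 and dropped == 0]
```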
