09-Security Configuration Guide

H3C S12500-X & S12500X-AF Switch Series Configuration Guides(R115x)-6W102
12-Attack detection and prevention configuration

Configuring attack detection and prevention

Overview

Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to drop attack packets to protect a private network.

The device supports only TCP fragment attack prevention.

Enabling TCP fragment attack prevention

The TCP fragment attack prevention feature takes effect only on Layer 3 packets.

This feature enables the device to drop attack TCP fragments, preventing TCP fragment attacks that a traditional packet filter cannot detect. As defined in RFC 1858, attack TCP fragments are the following TCP fragments:

· First fragments in which the TCP header is smaller than 20 bytes.

· Non-first fragments with a fragment offset of 8 bytes (FO=1).
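
The two conditions listed above, written as a check over raw IPv4 headers. This is an added example, not H3C code: the function names, the sample packets, and the reading of "first fragment" as offset 0 with the More Fragments flag set are assumptions made for illustration.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20  # bytes; threshold from the first rule above


def classify_fragment(packet: bytes) -> str:
    """Classify a raw IPv4 packet against the two RFC 1858 conditions."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    if proto != TCP_PROTO:
        return "ok"
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF      # counted in 8-byte units
    transport_len = total_len - ihl        # bytes of TCP carried in this fragment
    # Assumption: "first fragment" = offset 0 with More Fragments set.
    if frag_offset == 0 and more_fragments and transport_len < MIN_TCP_HEADER:
        return "tiny-first-fragment"
    # FO=1 means the data starts 8 bytes into the TCP header.
    if frag_offset == 1:
        return "offset-one-fragment"
    return "ok"


def build_ipv4(payload_len: int, frag_offset: int, mf: bool, proto: int = TCP_PROTO) -> bytes:
    """Build a constructed sample packet (documentation addresses, zero checksum)."""
    flags_frag = (0x2000 if mf else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + bytes(payload_len)


# Constructed samples: (description, packet)
SAMPLES = [
    ("first fragment, 8 bytes of TCP", build_ipv4(8, 0, True)),
    ("first fragment, 24 bytes of TCP", build_ipv4(24, 0, True)),
    ("non-first fragment, FO=1", build_ipv4(32, 1, False)),
    ("non-first fragment, FO=3", build_ipv4(16, 3, False)),
    ("UDP fragment, FO=1", build_ipv4(8, 1, True, proto=17)),
]

if __name__ == "__main__":
    for description, packet in SAMPLES:
        print(f"{description}: {classify_fragment(packet)}")
```

Only the first and third samples match the conditions; the UDP fragment with FO=1 passes because both rules apply to TCP only.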

To enable TCP fragment attack prevention:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable TCP fragment attack prevention. | attack-defense tcp fragment enable | By default, TCP fragment attack prevention is enabled. |

 
