12-Security Configuration Guide
12-TCP and ICMP attack prevention configuration
Configuring TCP and ICMP attack prevention
About TCP and ICMP attack prevention
Configuring Naptha attack prevention
Configuring ICMP attack prevention
Configuring TCP SYN flood attack prevention
TCP SYN flood attack prevention tasks at a glance
Configuring flow-based TCP SYN flood attack prevention
Configuring interface-based TCP SYN flood attack prevention
Enabling logging for TCP SYN flood attack prevention
Display and maintenance commands for TCP and ICMP attack prevention
Configuring TCP and ICMP attack prevention
About TCP and ICMP attack prevention
Attackers can exploit the TCP connection establishment process, or send a target an excessive number of ICMP requests, such as ping packets, in a short period of time. To prevent such attacks, the device provides TCP and ICMP attack prevention features.
Configuring Naptha attack prevention
About Naptha attack prevention
Naptha is a DDoS attack that targets operating systems. It exploits the resource-consumption weakness of the TCP/IP stack and of network application processes. The attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without requesting any data. These TCP connections starve the victim of system resources, resulting in a system breakdown.
After you enable Naptha attack prevention, the device periodically checks the number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK). If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state to mitigate the Naptha attack.
Procedure
1. Enter system view.
system-view
2. Enable Naptha attack prevention.
tcp anti-naptha enable
By default, Naptha attack prevention is disabled.
3. (Optional.) Set the maximum number of TCP connections in a state.
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number
By default, the maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.
To prevent the device from accelerating the aging of the TCP connections in a state, set the value for that state to 0.
4. (Optional.) Set the interval for checking the number of TCP connections in each state.
tcp check-state interval interval
By default, the interval for checking the number of TCP connections in each state is 30 seconds.
Configuring ICMP attack prevention
About ICMP attack prevention
An ICMP request attack sends an excessive number of ICMP request packets, such as ping packets, to a target in a short period of time. Because the CPU of the target device is busy replying to these requests, it is unable to provide services. To prevent ICMP request attacks, you can enable the ICMP fast reply feature. This feature allows the hardware to reply to ICMP requests without delivering them to the CPU for processing.
Procedure
1. Enter system view.
system-view
2. Enable ICMP fast reply.
ip icmp fast-reply enable
By default, ICMP fast reply is disabled.
3. Enable ICMPv6 fast reply.
ipv6 icmpv6 fast-reply enable
By default, ICMPv6 fast reply is disabled.
Configuring TCP SYN flood attack prevention
About TCP SYN flood attack prevention
A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server. This causes the server to open a large number of half-open connections and respond to the requests. However, the server never receives the expected ACK packets. Because all of its resources are bound to half-open connections, the server is unable to accept new incoming connection requests.
After you enable TCP SYN flood attack prevention, the device enters attack detection state. When the number of received SYN packets reaches or exceeds the threshold within a check interval, the device changes to prevention state and rate limits or drops subsequent SYN packets. When the prevention duration is reached, the device returns to the attack detection state. TCP SYN flood attack prevention supports the following packet statistics collection methods:
· Interface-based TCP SYN flood attack prevention—Collects statistics for received SYN packets on a per interface basis.
· Flow-based TCP SYN flood attack prevention—Identifies a flow by source IP address, destination port number, VPN instance, and packet type and collects packet statistics on a per flow basis.
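The detection-to-prevention cycle described above, modelled in Python as an added example (not the device's own code): both statistics keys are run over the same constructed SYN traffic with the guide's default threshold, check interval and duration, which shows why flow-based statistics spare a second host that interface-based statistics would also block. The packet fields, the 192.0.2.x addresses and the interface name GE1/0/1 are assumed.

```python
from collections import defaultdict

# Defaults stated in the guide: 100 SYNs per check interval, 1-second
# check interval, 5-minute (300 s) prevention duration.
THRESHOLD, CHECK_INTERVAL, DURATION = 100, 1.0, 300.0

def flow_key(pkt):
    # Flow-based statistics: source IP, destination port, VPN instance, packet type.
    return (pkt["src"], pkt["dport"], pkt["vpn"], pkt["type"])

def interface_key(pkt):
    # Interface-based statistics: the receiving interface only.
    return pkt["iface"]

class SynFloodGuard:
    """Per-key model of the detection -> prevention -> detection cycle."""
    def __init__(self, key_fn, threshold=THRESHOLD, interval=CHECK_INTERVAL, duration=DURATION):
        self.key_fn, self.threshold = key_fn, threshold
        self.interval, self.duration = interval, duration
        self.counts = defaultdict(int)  # SYNs counted in the current check interval
        self.window_start = {}          # start time of the current check interval per key
        self.prevent_until = {}         # keys in prevention state -> when it ends

    def handle(self, pkt):
        """Return 'forward' or 'drop' for one SYN arriving at time pkt['t'] (seconds)."""
        key, now = self.key_fn(pkt), pkt["t"]
        if key in self.prevent_until:
            if now < self.prevent_until[key]:
                return "drop"                    # prevention state: subsequent SYNs dropped
            del self.prevent_until[key]          # duration elapsed: back to detection state
            self.window_start[key], self.counts[key] = now, 0
        if now - self.window_start.setdefault(key, now) >= self.interval:
            self.window_start[key], self.counts[key] = now, 0  # new check interval
        self.counts[key] += 1
        if self.counts[key] >= self.threshold:   # threshold reached within the interval
            self.prevent_until[key] = now + self.duration
            self.counts[key] = 0
        return "forward"

def run(key_fn, packets):
    """Feed SYNs through one guard; return (forwarded, dropped) counts."""
    guard = SynFloodGuard(key_fn)
    verdicts = [guard.handle(p) for p in packets]
    return verdicts.count("forward"), verdicts.count("drop")

def constructed_traffic():
    """Constructed: 150 SYNs from one host in 0.5 s, then one SYN from another host, same interface."""
    base = {"dport": 80, "vpn": None, "type": "ip", "iface": "GE1/0/1"}
    flood = [dict(base, src="192.0.2.10", t=i / 300) for i in range(150)]
    return flood + [dict(base, src="192.0.2.20", t=0.6)]
```

With flow-based keys the second host's SYN is forwarded, (101, 50); with interface-based keys the shared interface counter is already in prevention state and drops it too, (100, 51). Once the duration has elapsed the key returns to detection state and the next SYN is forwarded again.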
TCP SYN flood attack prevention tasks at a glance
To configure TCP SYN flood attack prevention, perform the following tasks:
· (Optional.) Configuring flow-based TCP SYN flood attack prevention
· (Optional.) Configuring interface-based TCP SYN flood attack prevention
· (Optional.) Enabling logging for TCP SYN flood attack prevention
Configuring flow-based TCP SYN flood attack prevention
1. Enter system view.
system-view
2. Enable flow-based TCP SYN flood attack prevention.
tcp anti-syn-flood flow-based enable
By default, flow-based TCP SYN flood attack prevention is disabled.
3. (Optional.) Set the threshold for triggering flow-based TCP SYN flood attack prevention.
tcp anti-syn-flood flow-based threshold threshold-value
By default, the threshold is 100 packets per check interval.
4. (Optional.) Set the flow-based TCP SYN flood attack prevention duration.
tcp anti-syn-flood flow-based duration minutes
By default, the flow-based TCP SYN flood attack prevention duration is 5 minutes.
5. (Optional.) Set the check interval for flow-based TCP SYN flood attack prevention.
tcp anti-syn-flood flow-based check-interval interval
By default, the check interval is 1 second for flow-based TCP SYN flood attack prevention.
Configuring interface-based TCP SYN flood attack prevention
1. Enter system view.
system-view
2. Enable interface-based TCP SYN flood attack prevention.
tcp anti-syn-flood interface-based enable
By default, interface-based TCP SYN flood attack prevention is disabled.
3. (Optional.) Set the threshold for triggering interface-based TCP SYN flood attack prevention.
tcp anti-syn-flood interface-based threshold threshold-value
By default, the threshold is 100 packets per check interval.
4. (Optional.) Set the interface-based TCP SYN flood attack prevention duration.
tcp anti-syn-flood interface-based duration minutes
By default, the interface-based TCP SYN flood attack prevention duration is 5 minutes.
5. (Optional.) Set the check interval for interface-based TCP SYN flood attack prevention.
tcp anti-syn-flood interface-based check-interval interval
By default, the check interval is 1 second for interface-based TCP SYN flood attack prevention.
Enabling logging for TCP SYN flood attack prevention
About logging for TCP SYN flood attack prevention
This feature generates TCP SYN flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable logging for TCP SYN flood attack prevention.
tcp anti-syn-flood log enable
By default, TCP SYN flood attack prevention logging is disabled.
Display and maintenance commands for TCP and ICMP attack prevention
Execute display commands in any view and reset commands in user view.
Task | Command
---|---
(In standalone mode.) Display fast replied ICMP message statistics. | display ip icmp fast-reply statistics [ slot slot-number ]
(In IRF mode.) Display fast replied ICMP message statistics. | display ip icmp fast-reply statistics [ chassis chassis-number slot slot-number ]
(In standalone mode.) Display fast replied ICMPv6 message statistics. | display ipv6 icmpv6 fast-reply statistics [ slot slot-number ]
(In IRF mode.) Display fast replied ICMPv6 message statistics. | display ipv6 icmpv6 fast-reply statistics [ chassis chassis-number slot slot-number ]
Display the configuration of flow-based TCP SYN flood attack prevention. | display tcp anti-syn-flood flow-based configuration
(In standalone mode.) Display IPv4 flow-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * slot slot-number [ verbose ]
(In IRF mode.) Display IPv4 flow-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * chassis chassis-number slot slot-number [ verbose ]
(In standalone mode.) Display the number of IPv4 flow-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood flow-based entry slot slot-number count
(In IRF mode.) Display the number of IPv4 flow-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number count
(In standalone mode.) Display IPv6 flow-based TCP SYN flood attack prevention entries. | display ipv6 tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * slot slot-number [ verbose ]
(In IRF mode.) Display IPv6 flow-based TCP SYN flood attack prevention entries. | display ipv6 tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * chassis chassis-number slot slot-number [ verbose ]
(In standalone mode.) Display the number of IPv6 flow-based TCP SYN flood attack prevention entries. | display ipv6 tcp anti-syn-flood flow-based entry slot slot-number count
(In IRF mode.) Display the number of IPv6 flow-based TCP SYN flood attack prevention entries. | display ipv6 tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number count
Display the configuration of interface-based TCP SYN flood attack prevention. | display tcp anti-syn-flood interface-based configuration
(In standalone mode.) Display interface-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number \| type { ip \| mpls } ] * slot slot-number [ verbose ]
(In IRF mode.) Display interface-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number \| type { ip \| mpls } ] * chassis chassis-number slot slot-number [ verbose ]
(In standalone mode.) Display the number of interface-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood interface-based entry slot slot-number count
(In IRF mode.) Display the number of interface-based TCP SYN flood attack prevention entries. | display tcp anti-syn-flood interface-based entry chassis chassis-number slot slot-number count
(In standalone mode.) Clear fast replied ICMP message statistics. | reset ip icmp fast-reply statistics [ slot slot-number ]
(In IRF mode.) Clear fast replied ICMP message statistics. | reset ip icmp fast-reply statistics [ chassis chassis-number slot slot-number ]
(In standalone mode.) Clear fast replied ICMPv6 message statistics. | reset ipv6 icmpv6 fast-reply statistics [ slot slot-number ]
(In IRF mode.) Clear fast replied ICMPv6 message statistics. | reset ipv6 icmpv6 fast-reply statistics [ chassis chassis-number slot slot-number ]
(In standalone mode.) Delete IPv4 flow-based TCP SYN flood attack prevention entries. | reset tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Delete IPv4 flow-based TCP SYN flood attack prevention entries. | reset tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]
(In standalone mode.) Delete IPv6 flow-based TCP SYN flood attack prevention entries. | reset ipv6 tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Delete IPv6 flow-based TCP SYN flood attack prevention entries. | reset ipv6 tcp anti-syn-flood flow-based entry [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]
(In standalone mode.) Clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention. | reset tcp anti-syn-flood flow-based statistics [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention. | reset tcp anti-syn-flood flow-based statistics [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv4-address \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]
(In standalone mode.) Clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention. | reset ipv6 tcp anti-syn-flood flow-based statistics [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention. | reset ipv6 tcp anti-syn-flood flow-based statistics [ { all \| vpn-instance vpn-instance-name } \| destination-port port-number \| source ipv6-address \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]
(In standalone mode.) Delete interface-based TCP SYN flood attack prevention entries. | reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Delete interface-based TCP SYN flood attack prevention entries. | reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]
(In standalone mode.) Clear statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention. | reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number \| type { ip \| mpls } ] * [ slot slot-number ]
(In IRF mode.) Clear statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention. | reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number \| type { ip \| mpls } ] * [ chassis chassis-number slot slot-number ]