H3C SecPath Security Products FAQ(V7)-6W100


07-Attack detection and prevention FAQ

Attack detection and prevention FAQ

Q.     If I configure scanning attack detection and specify the prevention action as adding the attackers' IP addresses to the IP blacklist, should I enable the blacklist feature globally or on the security zone?

A.     Yes. The blacklist feature takes effect only after you enable it globally or on the security zone. With the blacklist feature enabled, the blacklist module drops subsequent packets from the blacklisted IP addresses. With the blacklist feature disabled, the attackers' IP addresses are not added to the IP blacklist, and the scanning attack detection module itself drops subsequent packets from those addresses.

Q.     How does the client verification feature take effect on an attack defense policy?

A.     The client verification feature takes effect only after you enable it on the security zone to which the attack defense policy is applied.

Q.     How can I set a reasonable threshold for triggering flood attack prevention?

A.     Adjust the threshold according to the application scenario. If a protected server normally receives a large volume of packets, set a high threshold; a threshold that is too low might disrupt the server's services. For a network that is unstable or susceptible to attacks, set a low threshold.

Q.     Does the attack detection exemption feature take effect if the referenced ACL does not exist or does not contain any rules?

A.     No.

Q.     Which match criteria in ACL rules take effect if an ACL is used for attack detection exemption?

A.     If an ACL is used for attack detection exemption, only the following match criteria in ACL rules take effect:

·     Source IP address.

·     Destination IP address.

·     Source port.

·     Destination port.

·     Protocol.

·     VPN instance.

·     The fragment keyword for matching non-first fragments.

Q.     For what types of attacks does the threshold learning feature take effect only on the default port protected against the attacks?

A.     DNS flood attacks, SIP flood attacks, and HTTP flood attacks.

Q.     Does the threshold learning feature for flood attack prevention change the threshold that triggers flood attack prevention for protected IP addresses?

A.     No.

Q.     What’s the priority order for the attack detection and prevention features?

A.     The attack detection and prevention features in priority descending order are as follows:

Blacklist, whitelist, single-packet attack detection and prevention, IP address-specific flood attack detection and prevention, flood attack detection and prevention, and scanning attack detection and prevention.
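The priority order above decides which module acts on a packet when several could match it. The following model, added here as an illustration and not H3C code, walks a packet through the six modules in the FAQ's order and lets the first module that reaches a verdict decide. The verdict each module returns (drop for blacklist, permit for whitelist), the example single-packet signature (source address equal to destination address), and all thresholds and counters are assumptions made for this example; the page does not describe the device's internal logic.

```python
"""Model of the attack detection and prevention priority order.

Constructed example, not H3C code. The verdict each module returns, the
example single-packet signature and all thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Priority order from the FAQ, highest priority first.
PRIORITY = ("blacklist", "whitelist", "single-packet",
            "ip-specific-flood", "flood", "scanning")


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port


@dataclass
class Policy:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    # Protected IP address -> packet threshold (assumed units: packets seen).
    ip_specific_flood: dict = field(default_factory=dict)
    flood_threshold: int = 1000  # global per-destination threshold (assumed)
    scan_threshold: int = 20     # distinct destination ports per source (assumed)


class Engine:
    """Evaluates packets against the modules in priority order."""

    def __init__(self, policy):
        self.policy = policy
        self.packets_per_dst = defaultdict(int)  # flood counters
        self.ports_per_src = defaultdict(set)    # scanning counters

    # Each check returns "drop" or "permit", or None when it has no opinion.
    def _blacklist(self, p):
        return "drop" if p.src in self.policy.blacklist else None

    def _whitelist(self, p):
        return "permit" if p.src in self.policy.whitelist else None

    def _single_packet(self, p):
        # Example signature only: source address equal to destination address.
        return "drop" if p.src == p.dst else None

    def _ip_specific_flood(self, p):
        limit = self.policy.ip_specific_flood.get(p.dst)
        if limit is not None and self.packets_per_dst[p.dst] > limit:
            return "drop"
        return None

    def _flood(self, p):
        if self.packets_per_dst[p.dst] > self.policy.flood_threshold:
            return "drop"
        return None

    def _scanning(self, p):
        if len(self.ports_per_src[p.src]) > self.policy.scan_threshold:
            return "drop"
        return None

    def process(self, p):
        """Return (module, verdict) for the first module that decides."""
        # Simplification: counters are updated for every packet before the checks.
        self.packets_per_dst[p.dst] += 1
        self.ports_per_src[p.src].add(p.dport)
        checks = {
            "blacklist": self._blacklist,
            "whitelist": self._whitelist,
            "single-packet": self._single_packet,
            "ip-specific-flood": self._ip_specific_flood,
            "flood": self._flood,
            "scanning": self._scanning,
        }
        for name in PRIORITY:
            verdict = checks[name](p)
            if verdict is not None:
                return name, verdict
        return None, "permit"


def demo():
    """Constructed traffic showing which module wins in each case."""
    policy = Policy(blacklist={"10.0.0.5"}, whitelist={"10.0.0.5", "10.0.0.7"},
                    ip_specific_flood={"192.0.2.10": 5})
    engine = Engine(policy)
    results = []
    # Host on both lists: the blacklist is checked first, so it is dropped.
    results.append(engine.process(Packet("10.0.0.5", "192.0.2.10", 80)))
    # Whitelisted host sending a src == dst packet: whitelist precedes the
    # single-packet check, so it is permitted.
    results.append(engine.process(Packet("10.0.0.7", "10.0.0.7", 80)))
    # Ordinary host sending the same packet: the single-packet check drops it.
    results.append(engine.process(Packet("10.0.0.8", "10.0.0.8", 80)))
    # Burst to the protected address: the IP-specific limit (5) fires long
    # before the global flood threshold (1000) would.
    for _ in range(7):
        last = engine.process(Packet("10.0.0.9", "192.0.2.10", 80))
    results.append(last)
    return results


if __name__ == "__main__":
    for module, verdict in demo():
        print(f"{module or 'none':18} {verdict}")
```

The point the model makes visible is that a source on both the blacklist and the whitelist is still dropped, and that a whitelisted source is never examined by the single-packet, flood or scanning checks, which matches the descending order the answer gives.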

Q.     What should I pay attention to when I configure attack detection and prevention on a dual-device IRF/RBM system?

A.     On a dual-device IRF/RBM system, if you enable auto application of the learned threshold on the master device, the learned threshold is not synchronized to the subordinate device. Because the subordinate device does not carry actual traffic, it learns a very small threshold value, which is applied automatically. After the VRRP master device fails and traffic switches to the standby device, the attack defense policy incorrectly drops a large number of packets.

Dynamically generated protected IP addresses are not synchronized to the subordinate device either. During a master/standby switchover, hosts that require client authentication for access on the master device are exposed to a large number of attacks until the subordinate device generates its own protected IP list.
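The two FAQ answers on threshold selection (a busy server needs a high threshold, a low one disrupts service) and on learned thresholds in a dual-device system (a standby device with no real traffic learns a very small value, which then drops legitimate traffic after a switchover) describe the same mechanism from two sides. The following model, added here as an illustration and not H3C code, learns a threshold from per-second packet-rate samples and compares what happens after a switchover. The learning rule (peak observed rate times a headroom factor, floored at a minimum) and all sample rates are assumptions chosen for the example; the page does not describe the device's actual learning algorithm.

```python
"""Constructed model of flood-threshold learning and a master/standby switchover.

Added example, not H3C code. The learning rule and the traffic samples are
assumptions made to illustrate the FAQ, not the device's real algorithm.
"""


def learn_threshold(pps_samples, headroom=1.5, floor=10):
    """Derive a per-second flood threshold from packet-rate samples.

    A device that carries no real traffic sees only zero samples and ends
    up with the floor value: the "very small threshold" the FAQ warns about.
    """
    peak = max(pps_samples, default=0)
    return max(floor, int(peak * headroom))


def count_flagged_seconds(pps_samples, threshold):
    """Seconds whose rate exceeds the threshold and would be treated as a flood."""
    return sum(1 for rate in pps_samples if rate > threshold)


def simulate_switchover(master_samples, subordinate_samples, post_switchover_samples):
    """Compare false flood detections with the master's learned threshold
    versus the value the subordinate learned on its own."""
    master_thr = learn_threshold(master_samples)
    subordinate_thr = learn_threshold(subordinate_samples)
    return {
        "master_threshold": master_thr,
        "subordinate_threshold": subordinate_thr,
        "flagged_with_master_threshold":
            count_flagged_seconds(post_switchover_samples, master_thr),
        "flagged_with_subordinate_threshold":
            count_flagged_seconds(post_switchover_samples, subordinate_thr),
    }


# Constructed samples: packets per second, one value per second.
BUSY_SERVER = [800, 950, 1200, 1100, 900, 1000]  # normal load on a busy protected server
QUIET_NETWORK = [20, 35, 15, 40, 25, 30]          # small, stable network
STANDBY_IDLE = [0, 0, 0, 0, 0, 0]                 # standby device sees no real traffic


def demo():
    return {
        "busy_threshold": learn_threshold(BUSY_SERVER),      # 1800
        "quiet_threshold": learn_threshold(QUIET_NETWORK),   # 60
        # After switchover the busy server's normal traffic now hits the standby.
        "switchover": simulate_switchover(BUSY_SERVER, STANDBY_IDLE, BUSY_SERVER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the master's threshold none of the six post-switchover seconds is flagged; with the standby's self-learned floor value all six are, which is the mass drop the FAQ describes. The same function also shows why a quiet network ends up with a far lower threshold than a busy server.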

Q.     Are all attack packets matching an attack defense policy dropped by the attack detection and prevention module?

A.     No. In the following scenarios, attack packets are not dropped by the attack detection and prevention module:

·     Single-packet attacks—After you configure an attack defense policy and enable single-packet prevention, the attack packets are dropped by the single-packet prevention module. If you do not enable single-packet prevention, the attack packets are dropped by the platform forwarding module. You can view the attack logs in the attack detection and prevention module.

·     Scanning attacks—If you enable the blacklist feature, the attack packets are dropped by the blacklist module. You can view the attack logs in the attack detection and prevention module.

·     Flood attacks—If you enable client verification, the attack packets are dropped by the client verification module. You can view the attack logs in the attack detection and prevention module.

Q.     Why don't the single-packet attack logs, scanning attack logs, and flood attack logs display the slot information on the Web interface?

A.     On the Web interface, the single-packet attack logs, scanning attack logs, and flood attack logs do not display slot information. Attack detection and prevention does not support the dual-device hot backup feature. If Slot 1 and Slot 2 suffer from the same attack, two identical attack logs are displayed on the Web interface.
