12-Security Configuration Guide

12-IP-based attack prevention configuration

Configuring IP-based attack prevention

About IP-based attack prevention

Attackers can initiate attacks based on IP and upper-layer protocols. For example, an attacker can exploit the TCP connection establishment process, or send a target an excessive number of ICMP requests (such as ping packets) in a short period of time. To prevent such attacks, IP-based attack prevention provides the following features:

·     Naptha attack prevention.

·     TCP connection attack prevention.

·     ICMP attack prevention.

·     TCP SYN flood attack prevention.

·     UDP flood attack prevention.

·     Abnormal IP packet attack prevention.

Configuring Naptha attack prevention

About this task

Naptha is a DDoS attack that targets operating systems. It exploits the resource-consuming weakness of the TCP/IP stack and of network application processes: the attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without ever requesting data. These idle connections tie up system resources on the victim until it can no longer function.

After you enable Naptha attack prevention, the device periodically counts the TCP connections in each of the states CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK. If the count for a state exceeds the limit configured for that state, the device accelerates the aging of the TCP connections in that state to mitigate the attack.

Procedure

1.     Enter system view.

system-view

2.     Enable Naptha attack prevention.

tcp anti-naptha enable

By default, Naptha attack prevention is disabled.

3.     (Optional.) Set the maximum number of TCP connections in a state.

tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number

By default, the maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.

To disable accelerated aging of the TCP connections in a state, set the limit for that state to 0.

4.     (Optional.) Set the interval for checking the number of TCP connections in each state.

tcp check-state interval interval

By default, the interval for checking the number of TCP connections in each state is 30 seconds.

Configuring TCP connection attack prevention

About this task

This feature enables the device to count the error packets received on each established TCP connection. If a connection receives more error packets within one statistics interval (one second) than the threshold allows, the device treats the connection as under attack and tears it down. If you enable logging for TCP connection attack prevention, the device also generates a log for the attacked connection.

Procedure

1.     Enter system view.

system-view

2.     Enable TCP connection attack prevention.

tcp abnormal-packet-defend [ log | threshold threshold-value ]*

By default, TCP connection attack prevention is disabled.

Configuring ICMP attack prevention

About this task

An ICMP request attack sends an excessive number of ICMP request packets, such as ping packets, to a target in a short period of time. Because the CPU of the target device is busy replying to these requests, it cannot provide other services. To prevent ICMP request attacks, enable the ICMP fast reply feature, which lets the forwarding hardware reply to ICMP requests without delivering them to the CPU for processing.

Procedure

1.     Enter system view.

system-view

2.     Enable ICMP fast reply.

ip icmp fast-reply enable

By default, ICMP fast reply is disabled.

3.     Enable ICMPv6 fast reply.

ipv6 icmpv6 fast-reply enable

By default, ICMPv6 fast reply is disabled.
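The following session pulls the Naptha, TCP connection attack prevention, and ICMP fast reply procedures above into one configuration. It is an added example, not taken from the original guide or from H3C: the hostname Router, the per-state limits, the check interval, and the error-packet threshold are assumed values chosen for illustration. The ESTABLISHED limit is raised well above the default of 50 because accelerated aging acts on the device's own TCP sessions; a device that legitimately keeps more than 50 established sessions (routing protocol peers, management connections) would otherwise see them aged early. The CLOSING limit is left at its default. Display commands can be run in any view, but the reset command must be run in user view, so the session leaves system view first.

```text
<Router> system-view
[Router] tcp anti-naptha enable
[Router] tcp state established connection-limit 500
[Router] tcp state fin-wait-1 connection-limit 100
[Router] tcp state fin-wait-2 connection-limit 100
[Router] tcp state last-ack connection-limit 100
[Router] tcp check-state interval 10
[Router] tcp abnormal-packet-defend log threshold 20
[Router] ip icmp fast-reply enable
[Router] ipv6 icmpv6 fast-reply enable
[Router] display ip icmp fast-reply statistics
[Router] display ipv6 icmpv6 fast-reply statistics
[Router] quit
<Router> reset ip icmp fast-reply statistics
<Router> reset ipv6 icmpv6 fast-reply statistics
```

Command output is not shown because its format is release specific. After enabling fast reply, run the display commands while pinging the device from another host: a rising fast-reply counter confirms that echo requests are being answered in hardware. Resetting the counters afterwards gives a clean baseline for later comparison.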

Configuring TCP SYN flood attack prevention

About TCP SYN flood attack prevention

A SYN flood attacker exploits the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server, typically with spoofed source addresses. The server opens a half-open connection for each SYN and responds with a SYN-ACK, but the expected ACK packets never arrive. Because all of its resources are bound to half-open connections, the server cannot accept new incoming connection requests.

After you enable TCP SYN flood attack prevention, the device starts in attack detection state. When the number of SYN packets received within a check interval reaches or exceeds the threshold, the device changes to prevention state and rate limits or drops subsequent SYN packets. When the prevention duration expires, the device returns to attack detection state.

TCP SYN flood attack prevention supports the following packet statistics collection methods:

·     Interface-based—Collects statistics for received SYN packets on a per-interface basis.

·     Flow-based—Identifies a flow by source IP address, destination port number, VPN instance, and packet type, and collects packet statistics on a per-flow basis.

TCP SYN flood attack prevention tasks at a glance

To configure TCP SYN flood attack detection and prevention, perform the following tasks:

·     (Optional.) Configuring flow-based TCP SYN flood attack prevention

·     (Optional.) Configuring interface-based TCP SYN flood attack prevention

·     (Optional.) Enabling logging for TCP SYN flood attack prevention

Configuring flow-based TCP SYN flood attack prevention

1.     Enter system view.

system-view

2.     Enable flow-based TCP SYN flood attack prevention.

tcp anti-syn-flood flow-based enable

By default, flow-based TCP SYN flood attack prevention is disabled.

3.     (Optional.) Set the threshold for triggering flow-based TCP SYN flood attack prevention.

tcp anti-syn-flood flow-based threshold threshold-value

By default, the threshold is 100 packets per check interval.

4.     (Optional.) Set the flow-based TCP SYN flood attack prevention duration.

tcp anti-syn-flood flow-based duration minutes

By default, the flow-based TCP SYN flood attack prevention duration is 5 minutes.

5.     (Optional.) Set the check interval for flow-based TCP SYN flood attack prevention.

tcp anti-syn-flood flow-based check-interval interval

By default, the check interval is 1 second for flow-based TCP SYN flood attack prevention.

Configuring interface-based TCP SYN flood attack prevention

1.     Enter system view.

system-view

2.     Enable interface-based TCP SYN flood attack prevention.

tcp anti-syn-flood interface-based enable

By default, interface-based TCP SYN flood attack prevention is disabled.

3.     (Optional.) Set the threshold for triggering interface-based TCP SYN flood attack prevention.

tcp anti-syn-flood interface-based threshold threshold-value

By default, the threshold is 100 packets per check interval.

4.     (Optional.) Set the interface-based TCP SYN flood attack prevention duration.

tcp anti-syn-flood interface-based duration minutes

By default, the interface-based TCP SYN flood attack prevention duration is 5 minutes.

5.     (Optional.) Set the check interval for interface-based TCP SYN flood attack prevention.

tcp anti-syn-flood interface-based check-interval interval

By default, the check interval is 1 second for interface-based TCP SYN flood attack prevention.

Enabling logging for TCP SYN flood attack prevention

About this task

This feature generates TCP SYN flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable logging for TCP SYN flood attack prevention.

tcp anti-syn-flood log enable

By default, TCP SYN flood attack prevention logging is disabled.
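The following session combines the three TCP SYN flood tasks above (flow-based prevention, interface-based prevention, and logging) and then verifies the result. It is an added example, not taken from the original guide or from H3C; the hostname Router, the thresholds, the durations, the slot number, the interface name, and the destination port are assumed values. The flow-based threshold is set lower than the interface-based one because the per-flow counter covers a single source address and destination port, whereas the interface counter aggregates every SYN arriving on the interface; flow-based prevention therefore trips first and only affects the offending flow, while interface-based prevention is the backstop, and its rate limiting also affects legitimate SYNs on that interface. Note that for IPv4 flow-based entries the display and count commands require the slot keyword.

```text
<Router> system-view
[Router] tcp anti-syn-flood flow-based enable
[Router] tcp anti-syn-flood flow-based threshold 2000
[Router] tcp anti-syn-flood flow-based duration 10
[Router] tcp anti-syn-flood flow-based check-interval 1
[Router] tcp anti-syn-flood interface-based enable
[Router] tcp anti-syn-flood interface-based threshold 20000
[Router] tcp anti-syn-flood interface-based duration 10
[Router] tcp anti-syn-flood interface-based check-interval 1
[Router] tcp anti-syn-flood log enable
[Router] display tcp anti-syn-flood flow-based configuration
[Router] display tcp anti-syn-flood interface-based configuration
[Router] display tcp anti-syn-flood flow-based entry slot 1 count
[Router] display tcp anti-syn-flood flow-based entry destination-port 443 slot 1 verbose
[Router] display tcp anti-syn-flood interface-based entry interface gigabitethernet 1/0/1 slot 1 verbose
[Router] quit
<Router> reset tcp anti-syn-flood flow-based entry destination-port 443 slot 1
<Router> reset tcp anti-syn-flood flow-based statistics slot 1
```

The two configuration displays confirm the values that took effect; the entry displays show which flows and interfaces are currently in prevention state, and the count shows how many flow entries exist on the slot. The reset of the port 443 entries is the step you would take after confirming that a flagged source was legitimate, so the device re-evaluates that traffic instead of waiting for the prevention duration to expire. Logging must be enabled separately; the thresholds alone produce no log.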

Configuring UDP flood attack prevention

About UDP flood attack prevention

A UDP flood attacker sends a large number of UDP packets to a target system within a short period of time. Busy processing these packets, the target system cannot serve legitimate requests.

After you enable UDP flood attack prevention, the device enters attack detection state. When the number of received UDP packets reaches or exceeds the threshold during a check interval, the device changes to prevention state and takes a defensive action.

UDP flood attack prevention supports the following packet statistics collection methods:

·     Flow-based—Identifies a flow by source IP address, destination port number, VPN instance, and packet type. It collects packet statistics on a per-flow basis.

·     Interface-based—Collects statistics for received UDP packets on a per-interface basis.

The device supports the following defensive actions based on the packet statistics collection method:

·     Flow-based—When an attack occurs, the device drops subsequent UDP packets of the flow until the prevention duration expires.

·     Interface-based—When an attack occurs on an interface, the device limits the UDP packet receiving rate on this interface and drops UDP packets that exceed the threshold until the prevention duration expires.

When the prevention duration expires, the device returns to the attack detection state.

UDP flood attack prevention tasks at a glance

To configure UDP flood attack detection and prevention, perform the following tasks:

·     Configuring flow-based UDP flood attack prevention

·     Configuring interface-based UDP flood attack prevention

·     Enabling logging for UDP flood attack prevention

Configuring flow-based UDP flood attack prevention

1.     Enter system view.

system-view

2.     Enable flow-based UDP flood attack prevention.

udp anti-flood flow-based enable

By default, flow-based UDP flood attack prevention is disabled.

3.     (Optional.) Set the threshold for triggering flow-based UDP flood attack prevention.

udp anti-flood flow-based threshold threshold-value

By default, the threshold is 100 packets per check interval.

4.     (Optional.) Set the flow-based UDP flood attack prevention duration.

udp anti-flood flow-based duration minutes

By default, the flow-based UDP flood attack prevention duration is 5 minutes.

5.     (Optional.) Set the check interval for flow-based UDP flood attack prevention.

udp anti-flood flow-based check-interval interval

By default, the check interval is 1 second for flow-based UDP flood attack prevention.

6.     Configure a protected destination port for flow-based UDP flood attack prevention, that is, a destination port excluded from flow-based UDP flood attack prevention.

udp anti-flood flow-based exclude { ipv4 | ipv6 } destination-port port-number

By default, no protected destination port is configured for flow-based UDP flood attack prevention.

7.     Set the check interval and triggering threshold for flow-based UDP flood attack prevention on a specified destination port.

udp anti-flood flow-based { ipv4 | ipv6 } destination-port port-number [ check-interval interval ] [ threshold threshold-value ]

By default, the check interval is 1 second for flow-based UDP flood attack prevention and the threshold for triggering flow-based UDP flood attack prevention is 100 packets per check interval.

Configuring interface-based UDP flood attack prevention

1.     Enter system view.

system-view

2.     Enable interface-based UDP flood attack prevention.

udp anti-flood interface-based enable

By default, interface-based UDP flood attack prevention is disabled.

3.     (Optional.) Set the threshold for triggering interface-based UDP flood attack prevention.

udp anti-flood interface-based threshold threshold-value

By default, the threshold is 100 packets per check interval.

4.     (Optional.) Set the interface-based UDP flood attack prevention duration.

udp anti-flood interface-based duration minutes

By default, the interface-based UDP flood attack prevention duration is 5 minutes.

5.     (Optional.) Set the check interval for interface-based UDP flood attack prevention.

udp anti-flood interface-based check-interval interval

By default, the check interval is 1 second for interface-based UDP flood attack prevention.

Enabling logging for UDP flood attack prevention

About this task

This feature generates UDP flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable logging for UDP flood attack prevention.

udp anti-flood log enable

By default, UDP flood attack prevention logging is disabled.
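The following session combines the UDP flood tasks above: flow-based prevention with a protected port and a per-port override, interface-based prevention as a backstop, logging, and verification. It is an added example, not taken from the original guide or from H3C; the hostname Router, the thresholds, the durations, the slot number, and the port numbers 53 and 161 are assumed values. Because the flow-based action drops every subsequent UDP packet of the flow for the whole prevention duration, it is the action that can cut off a legitimate but chatty source; UDP/53 is therefore excluded so that a busy DNS client (for example a NAT gateway fronting many hosts) is never silenced by the per-flow counter. The per-port command gives UDP/161 a longer check interval with a lower count, which is a stricter effective rate than the global setting. The reading of the exclude command as removing the port from flow-based detection follows the command keyword; confirm it in the command reference for your release.

```text
<Router> system-view
[Router] udp anti-flood flow-based enable
[Router] udp anti-flood flow-based threshold 1000
[Router] udp anti-flood flow-based duration 5
[Router] udp anti-flood flow-based check-interval 1
[Router] udp anti-flood flow-based exclude ipv4 destination-port 53
[Router] udp anti-flood flow-based exclude ipv6 destination-port 53
[Router] udp anti-flood flow-based ipv4 destination-port 161 check-interval 5 threshold 100
[Router] udp anti-flood flow-based ipv6 destination-port 161 check-interval 5 threshold 100
[Router] udp anti-flood interface-based enable
[Router] udp anti-flood interface-based threshold 50000
[Router] udp anti-flood interface-based duration 5
[Router] udp anti-flood interface-based check-interval 1
[Router] udp anti-flood log enable
[Router] display udp anti-flood flow-based configuration
[Router] display udp anti-flood interface-based configuration
[Router] display udp anti-flood flow-based entry slot 1 count
[Router] display udp anti-flood flow-based entry destination-port 161 slot 1 verbose
[Router] display udp anti-flood interface-based entry slot 1 verbose
[Router] quit
<Router> reset udp anti-flood flow-based statistics destination-port 161 slot 1
```

The flow-based configuration display should list both the global values and the per-port override for 161 and the excluded port 53; if it does not, the per-port commands were entered before flow-based prevention was enabled on a release that requires the reverse order, so re-enter them. The interface-based entry display shows which interfaces are currently rate limiting UDP; because that limit applies to all UDP on the interface, an interface stuck in prevention state is worth investigating rather than waiting out.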

Configuring abnormal IP packet attack prevention 

About this task

Network devices might suffer from the following abnormal IP packet attacks:

·     LAND attack—An attacker sends the victim a large number of forged SYN packets whose source and destination IP addresses are both the victim's address and whose source and destination ports are the same. On receiving such a packet, the victim replies to itself and tries to complete a half-open TCP connection with itself. This exhausts the victim's resources and can lock up its system.

·     Null payload IP packet flood attack—An attacker floods the victim with packets that contain only IP headers and no payload, leaving the victim unable to process other services.

·     Smurf attack—An attacker broadcasts an ICMP echo request to the target network with the victim's IP address as the source address. Every host on the target network sends an ICMP echo reply to the victim, which is flooded with replies and cannot provide services.

This feature makes the device examine each received packet and drop abnormal IP packets. It protects the device against these attacks at the cost of reduced packet processing speed.

Procedure

1.     Enter system view.

system-view

2.     Enable abnormal IP packet attack prevention.

ip abnormal-packet-defend enable

By default, abnormal IP packet attack prevention is disabled.

Display and maintenance commands for IP-based attack prevention

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display statistics about abnormal IP attack packets dropped by the device.

display ip abnormal-packet-defend statistics [ slot slot-number ]

Display fast replied ICMP message statistics.

display ip icmp fast-reply statistics [ slot slot-number ]

Display fast replied ICMPv6 message statistics.

display ipv6 icmpv6 fast-reply statistics [ slot slot-number ]

Display IPv6 flow-based TCP SYN flood attack prevention entries.

display ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ] [ verbose ]

Display the number of IPv6 flow-based TCP SYN flood attack prevention entries.

display ipv6 tcp anti-syn-flood flow-based entry [ slot slot-number ] count

Display IPv6 flow-based UDP flood attack prevention entries.

display ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ] [ verbose ]

Display the number of IPv6 flow-based UDP flood attack prevention entries.

display ipv6 udp anti-flood flow-based entry [ slot slot-number ] count

Display the configuration of flow-based TCP SYN flood attack prevention.

display tcp anti-syn-flood flow-based configuration

Display IPv4 flow-based TCP SYN flood attack prevention entries.

display tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * slot slot-number [ verbose ]

Display the number of IPv4 flow-based TCP SYN flood attack prevention entries.

display tcp anti-syn-flood flow-based entry slot slot-number count

Display the configuration of interface-based TCP SYN flood attack prevention.

display tcp anti-syn-flood interface-based configuration

Display interface-based TCP SYN flood attack prevention entries.

display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * slot slot-number [ verbose ]

Display the number of interface-based TCP SYN flood attack prevention entries.

display tcp anti-syn-flood interface-based entry slot slot-number count

Display the configuration of flow-based UDP flood attack prevention.

display udp anti-flood flow-based configuration

Display IPv4 flow-based UDP flood attack prevention entries.

display udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ] [ verbose ]

Display the number of IPv4 flow-based UDP flood attack prevention entries.

display udp anti-flood flow-based entry [ slot slot-number ] count

Display the configuration of interface-based UDP flood attack prevention.

display udp anti-flood interface-based configuration

Display interface-based UDP flood attack prevention entries.

display udp anti-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ] [ verbose ]

Display the number of interface-based UDP flood attack prevention entries.

display udp anti-flood interface-based entry [ slot slot-number ] count

Clear statistics about abnormal IP attack packets dropped by the device.

reset ip abnormal-packet-defend statistics [ slot slot-number ]

Clear fast replied ICMP message statistics.

reset ip icmp fast-reply statistics [ slot slot-number ]

Clear fast replied ICMPv6 message statistics.

reset ipv6 icmpv6 fast-reply statistics [ slot slot-number ]

Delete IPv6 flow-based TCP SYN flood attack prevention entries.

reset ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

reset ipv6 tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

Delete IPv6 flow-based UDP flood attack prevention entries.

reset ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention.

reset ipv6 udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]

Delete IPv4 flow-based TCP SYN flood attack prevention entries.

reset tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

reset tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

Delete interface-based TCP SYN flood attack prevention entries.

reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention.

reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

Delete IPv4 flow-based UDP flood attack prevention entries.

reset udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention.

reset udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]

Delete interface-based UDP flood attack prevention entries.

reset udp anti-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

Clear statistics for UDP packets received by interface-based UDP flood attack prevention.

reset udp anti-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]

 
