09-Security Configuration Guide

24-Attack detection and prevention configuration

Configuring attack detection and prevention

About attack detection and prevention

Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take a prevention action, such as packet dropping, to protect a private network.

Attacks that the device can prevent

The device can detect and prevent only TCP fragment attacks.

TCP fragment attack

An attacker launches TCP fragment attacks by sending attack TCP fragments defined in RFC 1858:

· First fragments in which the TCP header is smaller than 20 bytes.

· Non-first fragments with a fragment offset of 8 bytes (FO=1).

Typically, a packet filter inspects the source and destination IP addresses, source and destination ports, and transport-layer protocol of only the first fragment of a TCP packet. If the first fragment passes inspection, all subsequent fragments of that packet are allowed through.

Because the first fragment of an attack TCP packet does not match any rule in the packet filter, it is allowed through and so are all of its subsequent fragments. When the receiving host reassembles the fragments, the TCP fragment attack takes effect.

To prevent TCP fragment attacks, enable TCP fragment attack prevention to drop attack TCP fragments.
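The two RFC 1858 checks described above can be expressed as a small amount of header-inspection logic. The following Python is an added example written for this page; it is not H3C's implementation and makes no claim about how the switch performs the check internally. It builds a few constructed IPv4 fragments (no real traffic is involved), then classifies each one: a first fragment (FO=0) whose IP payload cannot hold a full 20-byte TCP header is treated as a tiny-fragment attack, and any TCP fragment with FO=1 is treated as an overlapping-fragment attack. The names `build_ipv4_fragment`, `classify_fragment` and `run_sample_stream` are this example's own.

```python
import struct

# RFC 1858 "tiny fragment" threshold: a first fragment must carry at least a
# full 20-byte (option-less) TCP header so that the flags field is present.
TCP_MIN_HEADER = 20
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4_fragment(payload: bytes, fragment_offset: int,
                        more_fragments: bool, protocol: int = IPPROTO_TCP) -> bytes:
    """Build a minimal IPv4 packet for the example (constructed test input only).

    fragment_offset is in 8-byte units, exactly as carried on the wire.
    The header checksum is left at zero because the classifier never validates it.
    """
    version_ihl = (4 << 4) | 5                     # IPv4, IHL = 5 words = 20 bytes
    total_length = 20 + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (fragment_offset & 0x1FFF)
    header = struct.pack(IPV4_HDR, version_ihl, 0, total_length, 0x1234, flags_frag,
                         64, protocol, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def classify_fragment(packet: bytes) -> str:
    """Return 'drop' if the packet is an RFC 1858 attack fragment, else 'pass'.

    Only IPv4/TCP is inspected; other protocols pass through untouched because
    the RFC 1858 checks are defined for TCP only. A packet too short to parse
    is dropped here as a conservative choice made for this example.
    """
    if len(packet) < 20:
        return "drop"                              # truncated header, cannot inspect
    fields = struct.unpack(IPV4_HDR, packet[:20])
    version_ihl, total_length, flags_frag, protocol = fields[0], fields[2], fields[4], fields[6]
    if version_ihl >> 4 != 4:
        return "pass"                              # not IPv4, out of scope
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or total_length < ihl or total_length > len(packet):
        return "drop"                              # malformed lengths (example's own policy)
    if protocol != IPPROTO_TCP:
        return "pass"
    frag_offset = flags_frag & 0x1FFF              # low 13 bits, in 8-byte units
    if frag_offset == 1:
        # Overlapping-fragment attack: a fragment at byte offset 8 can overwrite
        # the TCP flags of the first fragment after reassembly.
        return "drop"
    if frag_offset == 0:
        transport_len = total_length - ihl
        if transport_len < TCP_MIN_HEADER:
            # Tiny-fragment attack: first fragment cannot contain the full TCP header.
            return "drop"
    return "pass"


def run_sample_stream() -> list:
    """Classify a constructed set of fragments covering both attack patterns."""
    stream = [
        ("tiny first fragment (8-byte TCP stub)", build_ipv4_fragment(b"\x00" * 8, 0, True)),
        ("normal first fragment (20-byte TCP header)", build_ipv4_fragment(b"\x00" * 20, 0, True)),
        ("overlapping fragment (FO=1)", build_ipv4_fragment(b"\x00" * 16, 1, True)),
        ("normal later fragment (FO=3)", build_ipv4_fragment(b"\x00" * 16, 3, False)),
        ("UDP fragment with FO=1 (not a TCP check)", build_ipv4_fragment(b"\x00" * 16, 1, True, IPPROTO_UDP)),
    ]
    return [(label, classify_fragment(pkt)) for label, pkt in stream]


if __name__ == "__main__":
    for label, verdict in run_sample_stream():
        print(f"{verdict:4s}  {label}")
```

Note that the FO=0 check does not consult the MF flag: an unfragmented IPv4/TCP packet whose payload is shorter than 20 bytes is also dropped, which matches RFC 1858's rule and is what a defender would want, since such a packet cannot be a valid TCP segment either way.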

Configuring TCP fragment attack prevention

About this task

The TCP fragment attack prevention feature detects the length and fragment offset of received TCP fragments and drops attack TCP fragments.

Restrictions and guidelines

TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.

Procedure

1. Enter system view.

system-view

2. Enable TCP fragment attack prevention.

attack-defense tcp fragment enable

By default, TCP fragment attack prevention is enabled.
