Configuring IP-based attack prevention
About IP-based attack prevention
Attackers can initiate attacks based on IP and upper-layer protocols. For example, an attacker can exploit the TCP connection establishment process to attack the target device. To prevent such attacks, configure Naptha attack prevention.
Restrictions: Software compatibility with IP-based attack prevention
IP-based attack protection is available only in R9322 and later versions.
Configuring Naptha attack prevention
About this task
Naptha is a DDoS attack that targets operating systems. It exploits resource-consuming weaknesses in the TCP/IP stack and in network application processes. The attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without requesting any data. These TCP connections starve the victim of system resources, resulting in a system breakdown.
After you enable Naptha attack prevention, the device checks the number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK). If the number of TCP connections in a state exceeds the limit, the device accelerates the aging of the TCP connections in that state to mitigate the Naptha attack.
Procedure
1. Enter system view.
system-view
2. Enable Naptha attack prevention.
tcp anti-naptha enable
By default, Naptha attack prevention is disabled.
3. (Optional.) Set the maximum number of TCP connections in a state.
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number
By default, the maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.
To disable the device from accelerating the aging of the TCP connections in a state, set the value to 0.
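The per-state check described above, modelled as a stand-alone monitor (an added example, not code from the device or from this guide): it counts TCP connections per state from a constructed netstat-style socket table and reports which monitored states exceed their limit, with a limit of 0 disabling the check for that state as on the device. The table format, the default limit of 50 and the function names are assumptions made for the example.

```python
from collections import Counter

# States the device checks when Naptha attack prevention is enabled.
NAPTHA_STATES = ("CLOSING", "ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK")
DEFAULT_LIMIT = 50  # default per-state connection-limit on the device

# Constructed sample socket table (protocol, local address, remote address, state):
# 60 half-closed FIN_WAIT_1 connections, 30 ESTABLISHED, 1 LAST_ACK and one
# unmonitored SYN_RECV entry. Addresses are documentation ranges, not real hosts.
SAMPLE_TABLE = "\n".join(
    ["tcp 10.0.0.1:22 198.51.100.%d:4%03d FIN_WAIT_1" % (i % 250 + 1, i) for i in range(60)]
    + ["tcp 10.0.0.1:80 203.0.113.%d:5%03d ESTABLISHED" % (i % 250 + 1, i) for i in range(30)]
    + ["tcp 10.0.0.1:80 203.0.113.9:6000 LAST_ACK",
       "tcp 10.0.0.1:22 203.0.113.7:6001 SYN_RECV"]
)

def count_by_state(table):
    """Count TCP connections per state, keeping only the states the device checks."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "tcp":
            continue  # skip malformed lines and non-TCP sockets
        state = fields[3]
        if state in NAPTHA_STATES:
            counts[state] += 1
    return counts

def states_to_age(counts, limits=None):
    """Return {state: count} for every monitored state over its connection limit.

    `limits` maps state -> connection-limit; a state without an entry uses
    DEFAULT_LIMIT, and a limit of 0 disables accelerated aging for that state,
    mirroring the semantics of the connection-limit command.
    """
    limits = limits or {}
    flagged = {}
    for state in NAPTHA_STATES:
        limit = limits.get(state, DEFAULT_LIMIT)
        if limit == 0:
            continue  # 0 means: never accelerate aging for this state
        if counts.get(state, 0) > limit:
            flagged[state] = counts[state]
    return flagged

if __name__ == "__main__":
    counts = count_by_state(SAMPLE_TABLE)
    print(states_to_age(counts))                      # {'FIN_WAIT_1': 60}
    print(states_to_age(counts, {"FIN_WAIT_1": 0}))   # {}
```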