Configuring attack protection, Overview, Blacklist function – H3C Technologies H3C MSR 50 User Manual
Configuring attack protection
You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure
intrusion detection in the Web interface.
Overview
Attack protection is an important network security feature. It can determine whether received packets are
attack packets according to the packet contents and behaviors and, if detecting an attack, take measures
to deal with the attack. Protection measures include logging the event, dropping packets, updating the
session status, and blacklisting the source IP address.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering uses a simpler match (the source address only), so it filters
packets at a higher speed. Blacklist filtering is very effective for dropping packets from specific IP addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist
entries dynamically. This is done by working in conjunction with the scanning attack protection function.
When the device detects a scanning attack according to the packet behavior, it adds the IP address of
the attacker to the blacklist. Therefore, packets from the IP address will be filtered. Blacklist entries added
dynamically will be aged in a specific period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry will
always exist in the blacklist unless you delete it manually. You can configure the aging time of a
non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry, allowing
packets from the corresponding IP address to pass.
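The following is an added example, not H3C code, that models the blacklist behaviour described above: a source-IP blacklist holding permanent and aging (non-permanent) entries, a simple scan detector that adds entries dynamically when a source touches too many distinct ports in a short window, and a filter that drops packets from blacklisted sources. The class names, the port threshold, the aging values and the packet records are all constructed for illustration and do not correspond to the device's configuration parameters.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example (not H3C code): blacklist with permanent and aging entries.


@dataclass
class BlacklistEntry:
    source: str
    permanent: bool
    expires_at: Optional[float]  # None for permanent entries
    reason: str


class Blacklist:
    def __init__(self) -> None:
        self._entries: Dict[str, BlacklistEntry] = {}

    def add(self, source: str, aging_seconds: Optional[float] = None,
            reason: str = "manual", now: Optional[float] = None) -> BlacklistEntry:
        """Add an entry. aging_seconds=None makes it permanent."""
        now = time.time() if now is None else now
        ipaddress.ip_address(source)  # reject anything that is not an IP address
        if aging_seconds is None:
            entry = BlacklistEntry(source, True, None, reason)
        else:
            entry = BlacklistEntry(source, False, now + aging_seconds, reason)
        self._entries[source] = entry
        return entry

    def delete(self, source: str) -> bool:
        """Manual deletion; the only way a permanent entry goes away."""
        return self._entries.pop(source, None) is not None

    def expire(self, now: Optional[float] = None) -> List[str]:
        """Age out non-permanent entries whose timer has run down."""
        now = time.time() if now is None else now
        expired = [s for s, e in self._entries.items()
                   if not e.permanent and e.expires_at <= now]
        for s in expired:
            del self._entries[s]
        return expired

    def is_blocked(self, source: str, now: Optional[float] = None) -> bool:
        self.expire(now)
        return source in self._entries

    def entries(self) -> List[BlacklistEntry]:
        return list(self._entries.values())


class ScanDetector:
    """Flags a source that probes more than max_ports distinct destination
    ports within window seconds (threshold values are constructed)."""

    def __init__(self, max_ports: int = 10, window: float = 5.0) -> None:
        self.max_ports = max_ports
        self.window = window
        self._seen: Dict[str, List[Tuple[float, int]]] = {}

    def observe(self, source: str, dport: int, now: float) -> bool:
        hist = self._seen.setdefault(source, [])
        hist.append((now, dport))
        hist[:] = [(t, p) for t, p in hist if now - t <= self.window]
        return len({p for _, p in hist}) > self.max_ports


def filter_packets(packets, blacklist: Blacklist, detector: ScanDetector,
                   dynamic_aging: float = 60.0):
    """Each packet is (timestamp, source_ip, dest_port). Returns (passed, dropped)."""
    passed, dropped = [], []
    for ts, src, dport in packets:
        if blacklist.is_blocked(src, now=ts):
            dropped.append((ts, src, dport))
            continue
        if detector.observe(src, dport, ts):
            # Dynamic entry: aged out automatically after dynamic_aging seconds.
            blacklist.add(src, aging_seconds=dynamic_aging, reason="scan", now=ts)
            dropped.append((ts, src, dport))
            continue
        passed.append((ts, src, dport))
    return passed, dropped


def demo() -> dict:
    bl = Blacklist()
    bl.add("198.51.100.7")                            # permanent manual entry
    bl.add("198.51.100.8", aging_seconds=30, now=0.0)  # non-permanent manual entry
    det = ScanDetector(max_ports=5, window=5.0)
    # Constructed traffic: two manual sources, one source sweeping 8 ports.
    packets = [(0.0, "198.51.100.7", 80), (1.0, "198.51.100.8", 80), (35.0, "198.51.100.8", 80)]
    packets += [(2.0 + i * 0.1, "203.0.113.9", 1000 + i) for i in range(8)]
    packets += [(40.0, "203.0.113.9", 22), (100.0, "203.0.113.9", 22)]
    packets.sort(key=lambda p: p[0])
    passed, dropped = filter_packets(packets, bl, det, dynamic_aging=60.0)
    bl.expire(now=100.0)
    return {"passed_count": len(passed), "dropped_count": len(dropped),
            "blocked_now": [e.source for e in bl.entries()]}


if __name__ == "__main__":
    print(demo())
```

In the demo, the permanent entry drops its packet, the 30-second manual entry lets the later packet through once it has aged out, and the scanning source is blacklisted dynamically at its sixth distinct port and released again after the 60-second dynamic aging time.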
Intrusion detection function
The device can defend against two categories of network attacks: single-packet attacks and abnormal
traffic attacks. Abnormal traffic attacks include two sub-categories: scanning attacks and flood attacks.
Protection against single-packet attacks
Single-packet attack is also called malformed packet attack. Such an attack is formed when:
• The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal
TCP flags, to a target system so that the target system malfunctions or crashes when processing such
packets.
• The attacker sends large quantities of such packets to the network to use up the network bandwidth.
lists the types of single-packet attacks that can be prevented by the device.