beautypg.com

Configuring traffic abnormality detection, Overview, Flood detection – H3C Technologies H3C SecPath F1000-E User Manual

Page 18

background image

10

Configuring traffic abnormality detection

The traffic abnormality detection configuration is available only in the Web interface.

Overview

The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic
and take countermeasures accordingly. Supported countermeasures include outputting alarm logs,

dropping packets, and blacklisting the source of the packets.

Flood detection

A flood attack occurs when large amounts of fake packets are sent to a target system in a short period

of time. A flood attack depletes the resources of the target system, making the system unable to provide

services normally.
The firewall can protect against the following categories of attacks:

ICMP flood attacks—Overwhelm the target with large amounts of ICMP echo requests, such as ping
packets.

UDP flood attacks—Flood the target system with a barrage of UDP packets.

DNS flood attacks—Overwhelm the target with large amounts of DNS query requests.

SYN flood attacks—Exploit TCP SYN packets. Due to resource limitation, the number of TCP
connections that can be created on the firewall is limited. A SYN flood attacker sends a barrage of

spurious SYN packets with forged source IP addresses to a victim to initiate TCP connections. As the

SYN_ACK packets that the victim sends in response can never get acknowledgments, large

amounts of half-open connections are created and retained on the victim, making the victim

inaccessible before the number of half-open connections drops to a reasonable level due to timeout
of half-open connections. In this way, a SYN flood attack exhausts system resources such as memory

on a system whose implementation does not limit creation of connections.

Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the

connection rates at which certain types of connection establishment requests are initiated to a server.
Usually, flood detection is deployed on the firewall for an internal security zone and takes effect for

packets entering the security zone when an attack prevention policy is configured for the security zone.
After you configure flood detection (except for DNS flood detection) for the firewall, the firewall enters the

attack detection state and starts to track the sending rates of packets destined for certain servers. If the
sending rate of a certain type of packets destined for a server constantly reaches or exceeds the

protection action threshold, the firewall considers the server is under attack, transitions to the attack

protection state, logs the event, and takes attack protection actions as configured. Later, if the sending

rate drops below the silent threshold, the firewall considers the attack is over, returns to the attack
detection state, and stops the attack protection actions.
DNS flood detection is different from other types of flood detection in that it uses only one threshold, the

action threshold. Upon detecting that the sending rate of DNS query requests destined for a server

constantly reaches or exceeds the action threshold, the firewall drops all extra packets and logs the event.