Enabling protection against naptha attacks, Displaying and maintaining tcp attack protection – H3C Technologies H3C SecPath F1000-E User Manual
Page 60
52
Enabling protection against Naptha attacks
Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the
six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and
SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.
Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep these
connections in the same state (any of the six), and request for no data so as to exhaust the memory
resource of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections
in a state. After the feature is enabled, the firewall (serving as a TCP server) periodically checks the
number of TCP connections in each state. If the firewall detects that the number of TCP connections in a
state exceeds the maximum number, it considers that a Naptha attack occurs and accelerates the aging
of TCP connections in this state. The firewall will stop accelerating the aging of TCP connections when the
number of TCP connections in the state is less than 80% of the maximum number (1 at least).
To enable the protection against Naptha attack:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enable the protection
against Naptha attack.
tcp anti-naptha enable
Disabled by default.
3.
Configure the maximum
number of TCP
connections in a state.
tcp state { closing | established |
fin-wait-1 | fin-wait-2 | last-ack |
syn-received } connection-number
number
Optional.
5 by default.
If the maximum number of TCP
connections in a state is 0, the aging
of TCP connections in this state will
not be accelerated.
4.
Configure the TCP state
check interval.
tcp timer check-state timer-value
Optional.
30 seconds by default.
Displaying and maintaining TCP attack protection
Task Command
Remarks
Display current TCP connection state.
display tcp status [ | { begin | exclude |
include } regular-expression ]
Available in any view
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS