Traffic abnormality detection configuration, Overview, Flood detection – H3C Technologies H3C SecPath F1000-E User Manual
Page 621
Traffic Abnormality Detection Configuration
Overview
The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic
and take countermeasures accordingly. Supported countermeasures include outputting alarm logs,
dropping packets, and blacklisting the source of the packets.
This feature contains three functions:
•
•
•
Flood Detection
A flood attack occurs when large amounts of fake packets are sent to a target system in a short period
of time. A flood attack depletes the resources of the target system, making the system unable to provide
services normally.
The device can protect against:
• ICMP flood attacks, which overwhelm the target with large amounts of ICMP echo requests, such as ping packets.
• UDP flood attacks, which flood the target system with a barrage of UDP packets.
• DNS flood attacks, which overwhelm the target with large amounts of DNS query requests.
• SYN flood attacks, which exploit TCP SYN packets. Due to resource limitations, the number of TCP connections that can be created on a device is limited. A SYN flood attacker sends a barrage of spurious SYN packets with forged source IP addresses to a victim to initiate TCP connections. As the SYN_ACK packets that the victim sends in response can never get acknowledgments, large amounts of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level because the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit creation of connections.
Flood detection is mainly used to protect servers against flood attacks. It detects flood attacks by
tracking the connection rates at which certain types of connection establishment requests are initiated to
a server and the number of half-open connections on the server (the latter is for SYN flood detection
only). Usually, flood detection is deployed on the device for an internal security zone and takes effect
for packets entering the security zone when an attack prevention policy is configured for the security
zone.
If the device detects that a tracked parameter has reached or exceeded the threshold, it outputs an
attack alarm log and, depending on your configuration, blocks the subsequent packets from the
suspects to the server.
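As an added illustration, not the device's own code, the detection behaviour described above (per-server request-rate tracking for each request type, a half-open connection count for SYN only, an alarm log entry when a threshold is reached, and optional blocking of the suspect toward the server) modelled in Python over a constructed packet trace; the thresholds, window size and addresses are hypothetical values chosen for the example:

```python
from collections import defaultdict, deque

class FloodDetector:
    """Per-server request-rate and half-open-connection tracking with thresholds
    (thresholds and window are hypothetical tuning values, not device defaults)."""

    def __init__(self, rate_threshold, halfopen_threshold, window_s=1.0, block=True):
        self.rate_threshold = rate_threshold      # requests of one type per window
        self.halfopen_threshold = halfopen_threshold  # SYN flood detection only
        self.window_s, self.block = window_s, block
        self.requests = defaultdict(deque)        # (server, kind) -> request timestamps
        self.half_open = defaultdict(set)         # server -> sources with unanswered SYN
        self.blocked = set()                      # (src, server) pairs being dropped
        self.alarms = []                          # (time, server, kind, reasons)

    def process(self, t, kind, src, dst):
        """Handle one packet toward server dst; returns 'pass', 'alarm' or 'drop'."""
        if (src, dst) in self.blocked:
            return "drop"
        if kind == "ACK":                         # handshake completed: no longer half-open
            self.half_open[dst].discard(src)
            return "pass"
        q = self.requests[(dst, kind)]
        q.append(t)
        while t - q[0] > self.window_s:           # slide the window forward
            q.popleft()
        reasons = []
        if len(q) >= self.rate_threshold:
            reasons.append("rate")
        if kind == "SYN":
            self.half_open[dst].add(src)
            if len(self.half_open[dst]) >= self.halfopen_threshold:
                reasons.append("half-open")
        if not reasons:
            return "pass"
        self.alarms.append((t, dst, kind, reasons))   # the attack alarm log entry
        if self.block:
            self.blocked.add((src, dst))          # block the suspect toward this server
        return "alarm"

def run_sample():
    """Replay a constructed trace: one normal handshake, then a SYN burst from
    forged sources. Returns (actions, alarm_count, blocked_count)."""
    det = FloodDetector(rate_threshold=10, halfopen_threshold=8)
    trace = [(0.00, "SYN", "10.0.0.5", "192.0.2.10"), (0.05, "ACK", "10.0.0.5", "192.0.2.10")]
    trace += [(0.10 + i * 0.02, "SYN", f"203.0.113.{i}", "192.0.2.10") for i in range(1, 16)]
    trace.append((0.60, "SYN", "203.0.113.9", "192.0.2.10"))  # repeat from a blocked suspect
    actions = [det.process(*p) for p in trace]
    return actions, len(det.alarms), len(det.blocked)
```

In the sample the half-open threshold fires before the rate threshold, which illustrates why the half-open count is tracked separately for SYN detection: a source-based block has little effect when every SYN carries a different forged source.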
When used to protect a specified object, an attack prevention policy supports IP address-based attack protection configuration. If no specific protection object is specified, the global settings are used for protection.