Connection limit, Scanning detection, Configuring traffic abnormality detection – H3C Technologies H3C SecPath F1000-E User Manual

Page 622: Configuring ICMP flood detection


Connection Limit

When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are quickly exhausted, leaving the device unable to service other users. In addition, if an internal server receives large quantities of connection requests in a short period of time, the server will not be able to process normal connection requests from other hosts.

To protect internal network resources (including hosts and servers) and distribute the resources of the device reasonably, you can set connection limits based on source or destination IP addresses for security zones. When a limit based on source or destination IP address is reached or exceeded, the device outputs an alarm log and discards subsequent connection requests from or to the IP address.

Scanning Detection

A scanning attack probes the addresses and ports on a network to identify the hosts attached to the network and the application ports available on those hosts, and to figure out the topology of the network, in preparation for further attacks.

Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to protected systems. Usually, it is deployed on the device for the external security zone and takes effect for packets from that security zone.

If the device detects that the connection rate of an IP address has reached or exceeded the threshold, it outputs an attack alarm log, blocks the subsequent connection requests from the IP address, and blacklists the IP address, depending on your configuration.
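
The rate-tracking behavior described above can be modeled in a few lines of Python. This is an added illustration, not H3C code or the device's actual algorithm: the class and function names, the 1-second window, the threshold of 5, the 600-second blacklist duration, and the sample events are all assumptions chosen for the example. It assumes the attempt that reaches the threshold raises the alarm and later attempts are dropped.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Per-source connection-rate tracking with alarm, block and blacklist."""

    def __init__(self, threshold, window_ms=1000, blacklist_ms=600_000):
        self.threshold = threshold        # connections per window that count as a scan
        self.window_ms = window_ms
        self.blacklist_ms = blacklist_ms  # 0 = alarm and block only, no blacklist entry
        self.recent = defaultdict(deque)  # source IP -> timestamps of permitted attempts
        self.blacklist = {}               # source IP -> expiry time (ms)
        self.alarms = []                  # (time, source IP, observed count)

    def observe(self, ts, src):
        """Return 'permit' or 'drop' for a connection attempt from src at ts (ms)."""
        if src in self.blacklist:
            if ts < self.blacklist[src]:
                return "drop"
            del self.blacklist[src]       # entry aged out
        q = self.recent[src]
        while q and q[0] <= ts - self.window_ms:
            q.popleft()                   # forget attempts outside the window
        if len(q) >= self.threshold:
            return "drop"                 # rate still at threshold, keep blocking
        q.append(ts)
        if len(q) >= self.threshold:      # threshold reached: raise the alarm
            self.alarms.append((ts, src, len(q)))
            if self.blacklist_ms:
                self.blacklist[src] = ts + self.blacklist_ms
                q.clear()
        return "permit"

def replay(detector, events):
    """Feed (ts, src) events in time order; return the verdict for each."""
    return [detector.observe(ts, src) for ts, src in sorted(events)]

# Constructed sample: one source opening 10 connections in 0.5 s, and one
# ordinary client opening 3 connections over 2 s (documentation-range addresses).
SCANNER, CLIENT = "203.0.113.5", "198.51.100.7"
SAMPLE_EVENTS = [(i * 50, SCANNER) for i in range(10)] + \
                [(i * 1000, CLIENT) for i in range(3)]

if __name__ == "__main__":
    det = ScanDetector(threshold=5)
    for (ts, src), verdict in zip(sorted(SAMPLE_EVENTS), replay(det, SAMPLE_EVENTS)):
        print(f"{ts:>5} ms  {src:<14} {verdict}")
    print("alarms:", det.alarms)
```

Setting `blacklist_ms=0` models the alarm-and-block configuration without a blacklist entry: the source is throttled only while its rate stays at the threshold.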

Configuring Traffic Abnormality Detection

Complete the following tasks to configure traffic abnormality detection:

1. Configuring ICMP Flood Detection
2. Configuring UDP Flood Detection
3. Configuring DNS Flood Detection
4. Configuring SYN Flood Detection
5. Configuring Connection Limit
6. Configuring Scanning Detection

Configuring ICMP Flood Detection

NOTE:

ICMP flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood to enter the ICMP flood detection configuration page, as shown in Figure 1. You can select a security zone and then view and configure ICMP flood detection rules for the security zone.
