beautypg.com

Configuring attack detection and protection, Overview, Single-packet attack – H3C Technologies H3C SecBlade LB Cards User Manual

Page 222

background image

211

Configuring attack detection and protection

The term "router" in this document refers to both routers and LB products.

Overview

Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, if detecting an attack,

take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting

the source IP address.
The attack protection function can detect three types of network attacks: single-packet attacks, scanning
attacks, and flood attacks. In addition, this function also supports traffic statistics for session analysis on

security zones.

Types of network attacks the device can defend against

The device can defend against three types of network attacks: single-packet attacks, scanning attacks,

and flood attacks, according to the attack characteristics.

Single-packet attack

Single-packet attack is also called malformed packet attack because many single-packet attacks use

defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:

An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.

An attacker sends large quantities of junk packets to the network, using up the network bandwidth.

Table 24

lists the single-packet attacks that can be prevented by the device.

Table 24 Types of single-packet attacks

Single-packet attack Description

Fraggle

An attacker sends large amounts of UDP echo requests with the UDP port number
being 7 or Chargen packets with the UDP port number being 19, resulting in a large
quantity of junk replies and eventually exhausting the bandwidth of the target

network.

ICMP Redirect

An attacker sends ICMP redirect messages to a user host to modify the host's routing
table, interfering with the normal forwarding of IP packets.

ICMP Unreachable

Upon receiving an ICMP unreachable response, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the

destination. By sending ICMP unreachable packets, an attacker can cut off the

connection between the target host and the network.

Land

An attacker sends a great number of TCP SYN packets using the target IP address as
both the source and destination IP addresses, exhausting the half-open connection
resources of the target and thereby making the target unable to provide services

normally.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: