Connection limit, Blacklist function – H3C Technologies H3C SecBlade LB Cards User Manual
receive the expected ACK packets, and thus has to maintain a large number of half-open
connections. In this way, the attacker exhausts the system resources of the server, leaving the
server unable to serve legitimate clients.
• ICMP flood attack
An attacker sends a large number of ICMP requests to the target in a short time, for example by
using the ping program, leaving the target too busy to process normal services.
• UDP flood attack
An attacker sends a large number of UDP packets to the target in a short time, leaving the target
too busy to process normal services.
• DNS flood attack
An attacker sends a large number of DNS request packets to the target in a short time, leaving the
target too busy to process normal services.
Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the
rates at which certain types of connection establishment requests are initiated to a server.
Usually, flood detection is deployed on the device for an internal security zone, and takes effect for
packets entering the security zone once an attack detection policy is configured for that zone.
After you configure flood detection on a device, the device enters the attack detection state and starts to
track the sending rates of packets destined for the protected servers. If the sending rate of a certain type of
packets destined for a server continuously reaches or exceeds the protection action threshold, the device
considers the server under attack, transitions to the attack protection state, logs the event, and takes the
configured attack protection actions. Later, if the sending rate drops below the silent threshold, the
device considers the attack over, returns to the attack detection state, and stops the attack protection
actions.
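The two-state behaviour described above (detection state, protection state, two thresholds) is easiest to reason about as a small state machine. The following is an added example written for this page, not code from the manual or from the H3C product; the server address, the SYN packet type, the threshold values and the per-second traffic sample are all constructed. It also makes explicit a point the manual leaves implicit: because the device enters protection at or above the protection action threshold but only leaves it below the silent threshold, a rate that falls between the two keeps the current state, so the protection action does not flap on and off when a flood hovers around a single threshold.

```python
"""Flood detection with a protection action threshold and a silent threshold.

Added example (not from the H3C manual): simulates the attack detection ->
attack protection -> attack detection transitions for a device that tracks
per-server packet rates. Names, thresholds and traffic are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

DETECTION = "detection"
PROTECTION = "protection"


class FloodDetector:
    """One state per (server, packet type) pair.

    action_threshold: rate (pps) at or above which the device logs the attack
        and enters the protection state.
    silent_threshold: rate (pps) below which the device considers the attack
        over and returns to the detection state.
    A silent threshold below the action threshold gives hysteresis: a rate
    between the two leaves the current state unchanged.
    """

    def __init__(self, action_threshold: int, silent_threshold: int) -> None:
        if silent_threshold >= action_threshold:
            raise ValueError("silent threshold must be below the action threshold")
        self.action_threshold = action_threshold
        self.silent_threshold = silent_threshold
        self.state: Dict[Tuple[str, str], str] = {}
        self.log: List[str] = []

    def observe(self, server: str, pkt_type: str, rate_pps: int) -> str:
        """Feed one interval's measured rate; return the resulting state."""
        key = (server, pkt_type)
        state = self.state.get(key, DETECTION)
        if state == DETECTION and rate_pps >= self.action_threshold:
            state = PROTECTION
            self.log.append(f"ATTACK {pkt_type} flood to {server}: {rate_pps} pps")
        elif state == PROTECTION and rate_pps < self.silent_threshold:
            state = DETECTION
            self.log.append(f"END {pkt_type} flood to {server}: {rate_pps} pps")
        self.state[key] = state
        return state

    def protecting(self, server: str, pkt_type: str) -> bool:
        """True while protection actions apply to this server and packet type."""
        return self.state.get((server, pkt_type), DETECTION) == PROTECTION


def rates_per_second(packets: List[Tuple[float, str, str]]) -> Dict[int, Counter]:
    """Bucket (timestamp, dst_server, pkt_type) records into per-second counts.

    This is the rate-tracking step that feeds FloodDetector.observe().
    """
    buckets: Dict[int, Counter] = {}
    for ts, dst, pkt_type in packets:
        buckets.setdefault(int(ts), Counter())[(dst, pkt_type)] += 1
    return buckets


def run_timeline(rates: List[int], server: str = "10.1.1.10", pkt_type: str = "SYN",
                 action_threshold: int = 1000, silent_threshold: int = 100):
    """Drive the detector with one measured rate per second; return states and log."""
    det = FloodDetector(action_threshold, silent_threshold)
    states = [det.observe(server, pkt_type, r) for r in rates]
    return states, det.log


if __name__ == "__main__":
    # Constructed traffic: a SYN flood ramps up, then subsides. The 700 pps and
    # 300 pps intervals sit between the thresholds and keep protection active.
    sample = [50, 120, 900, 1200, 1100, 700, 300, 90]
    states, log = run_timeline(sample)
    for sec, (rate, state) in enumerate(zip(sample, states)):
        print(f"t={sec}s rate={rate:5d} pps state={state}")
    print("\n".join(log))
```

Note that the manual says protection starts when the rate "reaches or exceeds" the threshold, so the comparison is `>=` on entry and strict `<` on exit; an off-by-one here changes which interval first triggers the action.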
Connection limit
When an internal user initiates a large number of connections to a host on the external network in a short
period of time, the system resources of the device are quickly exhausted, making the device unable to
serve other users. Similarly, if an internal server receives a large number of connection requests in a
short period of time, the server cannot process normal connection requests from other hosts.
To protect internal network resources (including hosts and servers) and allocate the device's resources
fairly, you can set connection limits based on source or destination IP address for security zones.
When a limit based on source or destination IP address is reached or exceeded, the device outputs
an alarm log and discards subsequent connection requests from or to that IP address.
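The connection-limit behaviour described above, as an added example that is not part of the manual or of the H3C product: a counter of live connections per source IP and per destination IP, an alarm log written when a limit is reached, and discarding of further requests from or to that address until connections are released. The limit values and all addresses are constructed for illustration.

```python
"""Per-IP connection limits for a security zone.

Added example (not from the H3C manual). A per-source limit protects the
device and external hosts from one busy internal user; a per-destination
limit protects an internal server. Limits and addresses are constructed.
"""
from collections import Counter
from typing import List, Optional, Set


class ConnectionLimiter:
    def __init__(self, per_source: Optional[int] = None,
                 per_destination: Optional[int] = None) -> None:
        self.per_source = per_source
        self.per_destination = per_destination
        self.by_src: Counter = Counter()   # live connections per source IP
        self.by_dst: Counter = Counter()   # live connections per destination IP
        self.alarms: List[str] = []
        self._alarmed: Set[str] = set()    # one alarm per address per episode

    @staticmethod
    def _limit_hit(table: Counter, ip: str, limit: Optional[int]) -> bool:
        # "Reached or exceeded": once the count equals the limit, the next
        # request from or to this address is discarded.
        return limit is not None and table[ip] >= limit

    def open(self, src: str, dst: str) -> bool:
        """Admit a new connection request, or log an alarm and discard it."""
        checks = (
            (src, self.by_src, self.per_source, "from"),
            (dst, self.by_dst, self.per_destination, "to"),
        )
        for ip, table, limit, direction in checks:
            if self._limit_hit(table, ip, limit):
                if ip not in self._alarmed:
                    self.alarms.append(f"connection limit reached {direction} {ip}: {limit}")
                    self._alarmed.add(ip)
                return False
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        return True

    def close(self, src: str, dst: str) -> None:
        """Release a finished connection; the address may open another."""
        for table, ip in ((self.by_src, src), (self.by_dst, dst)):
            if table[ip] > 0:
                table[ip] -= 1
            # Falling back under the limit ends the alarm episode.
            self._alarmed.discard(ip)


if __name__ == "__main__":
    # Constructed scenario: one internal user allowed 3 outbound connections,
    # one internal server allowed 5 inbound connections.
    lim = ConnectionLimiter(per_source=3, per_destination=5)
    for _ in range(4):
        print("admit" if lim.open("192.168.1.20", "198.51.100.9") else "discard")
    print(lim.alarms)
```

When sizing limits, remember that the destination limit counts connections from all sources together, so a server limit of five admits five clients with one connection each just as it admits one client with five.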
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with Access Control List (ACL) packet filtering, blacklist filtering uses simpler matching and can
therefore filter packets at high speed. It is well suited to blocking packets from specific IP
addresses.
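An added example, not code from the manual or the H3C product, of the two properties this section attributes to the blacklist: a lookup keyed on the source IP alone (one hash-table probe, as opposed to walking an ordered ACL rule list) and aging of entries that were added automatically. The scan-detection rule used to feed the blacklist (a source touching several distinct destination ports on one host within a short window), the aging time, and all addresses and packets are constructed for illustration.

```python
"""Source-IP blacklist with automatic entries and aging.

Added example (not from the H3C manual). Entries added by an administrator
are permanent; entries added by the toy scan rule below age out after a
configurable time. Addresses, timestamps and the scan rule are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

Packet = Tuple[float, str, str, int]   # (timestamp, src_ip, dst_ip, dst_port)


class Blacklist:
    def __init__(self) -> None:
        # ip -> expiry time; None marks a permanent (administrator) entry
        self._entries: Dict[str, Optional[float]] = {}

    def add(self, ip: str, now: float, aging_seconds: Optional[float] = None) -> None:
        self._entries[ip] = None if aging_seconds is None else now + aging_seconds

    def is_blocked(self, ip: str, now: float) -> bool:
        """Single keyed lookup; an aged entry is dropped on the way out."""
        if ip not in self._entries:
            return False
        expiry = self._entries[ip]
        if expiry is not None and expiry <= now:
            del self._entries[ip]          # lazy aging on lookup
            return False
        return True

    def purge(self, now: float) -> List[str]:
        """Periodic aging sweep; returns the addresses removed."""
        aged = [ip for ip, exp in self._entries.items() if exp is not None and exp <= now]
        for ip in aged:
            del self._entries[ip]
        return aged


class ScanDetector:
    """Constructed rule: >= distinct_ports different ports on one host within window."""

    def __init__(self, window: float, distinct_ports: int) -> None:
        self.window = window
        self.distinct_ports = distinct_ports
        self._seen: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, pkt: Packet) -> bool:
        ts, src, dst, dport = pkt
        hist = self._seen[(src, dst)]
        hist.append((ts, dport))
        while hist and hist[0][0] < ts - self.window:
            hist.popleft()
        return len({p for _, p in hist}) >= self.distinct_ports


def filter_with_scan_protection(packets: List[Packet], blacklist: Blacklist,
                                window: float = 2.0, distinct_ports: int = 5,
                                aging_seconds: float = 60.0) -> List[str]:
    """Process packets in time order; return 'pass' or 'drop' per packet.

    A source is blacklisted the moment the scan rule trips; its later
    packets are dropped until the entry ages out.
    """
    scan = ScanDetector(window, distinct_ports)
    verdicts = []
    for pkt in packets:
        ts, src = pkt[0], pkt[1]
        if blacklist.is_blocked(src, ts):
            verdicts.append("drop")
            continue
        verdicts.append("pass")
        if scan.observe(pkt):
            blacklist.add(src, ts, aging_seconds)
    return verdicts


if __name__ == "__main__":
    # Constructed traffic: 203.0.113.7 probes six ports of 10.1.1.10 in one second,
    # a normal client fetches one port, and the scanner returns after aging.
    sample: List[Packet] = [
        (0.0, "203.0.113.7", "10.1.1.10", 21), (0.2, "203.0.113.7", "10.1.1.10", 22),
        (0.4, "203.0.113.7", "10.1.1.10", 23), (0.6, "203.0.113.7", "10.1.1.10", 25),
        (0.8, "203.0.113.7", "10.1.1.10", 80), (1.0, "203.0.113.7", "10.1.1.10", 443),
        (1.5, "192.0.2.1", "10.1.1.10", 80), (70.0, "203.0.113.7", "10.1.1.10", 22),
    ]
    for pkt, verdict in zip(sample, filter_with_scan_protection(sample, Blacklist())):
        print(f"t={pkt[0]:5.1f} {pkt[1]:>13} -> {pkt[2]}:{pkt[3]:<4} {verdict}")
```

Note that aging only applies to automatically added entries; the permanent entry in the test below stays blocked regardless of time, which matches the manual's distinction between entries the device adds and ages itself and those the administrator configures.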
Working in conjunction with the scanning attack protection function or the user login authentication
function, the device can add blacklist entries automatically and age such entries. More
specifically:
• When the device detects a scanning attack from an IP address based on packet behavior, it
adds the IP address to the blacklist, and packets from that IP address are filtered.