
Traffic statistics function – H3C Technologies H3C SecBlade LB Cards User Manual


When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct username, password, or verification code (for a web login user) after the maximum number of attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters subsequent login requests from the user. This mechanism can effectively prevent attackers from cracking login passwords through repeated login attempts. The maximum number of login failures is six and the blacklist entry aging time is 10 minutes; neither value is configurable.

The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually can be permanent or non-permanent. A permanent entry remains in the blacklist until you delete it manually. You can configure the aging time of a non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the corresponding IP address to pass.

On a distributed device, the blacklist function for excessive login failures takes effect only for users who try to log in to the device from the security zones on the main control board.
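The following model of the login-failure blacklist is an added example, not H3C code from the manual. It uses the fixed values the text gives (six failures trigger an entry, automatic entries age out after 10 minutes) and the manual permanent/non-permanent entry types; the per-IP failure counter, the reset of that counter on a successful login, and the addresses are assumptions.

```python
"""Model of the login-failure blacklist described on this page (constructed
example, not H3C code). Fixed values follow the text: six failures trigger an
entry, automatic entries age out after 10 minutes. Assumptions: failures are
counted per source IP and a successful login clears that counter."""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_LOGIN_FAILURES = 6        # fixed on the device, not configurable
AUTO_AGING_SECONDS = 10 * 60  # fixed 10-minute aging for automatic entries


@dataclass
class BlacklistEntry:
    ip: str
    added_at: float
    aging_seconds: Optional[float]  # None = permanent (manual entries only)
    source: str                     # "auto" or "manual"

    def expired(self, now: float) -> bool:
        return self.aging_seconds is not None and now >= self.added_at + self.aging_seconds


class LoginBlacklist:
    def __init__(self) -> None:
        self.entries: Dict[str, BlacklistEntry] = {}
        self.failures: Dict[str, int] = {}  # consecutive failures per IP (assumption)

    def _purge(self, now: float) -> None:
        # Non-permanent entries are deleted once their timer expires
        for ip in [ip for ip, e in self.entries.items() if e.expired(now)]:
            del self.entries[ip]

    def is_blocked(self, ip: str, now: float) -> bool:
        self._purge(now)
        return ip in self.entries

    def record_login(self, ip: str, success: bool, now: float) -> str:
        """Process one login attempt; returns the device's action as a string."""
        if self.is_blocked(ip, now):
            return "filtered"  # blacklisted source: the request is dropped
        if success:
            self.failures.pop(ip, None)
            return "allowed"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_LOGIN_FAILURES:
            # Treated as an attacker: add an automatic 10-minute entry
            self.entries[ip] = BlacklistEntry(ip, now, AUTO_AGING_SECONDS, "auto")
            del self.failures[ip]
            return "blacklisted"
        return "failed"

    def add_manual(self, ip: str, now: float, aging_seconds: Optional[float] = None) -> None:
        """Manual entry: permanent when aging_seconds is None, otherwise non-permanent."""
        self.entries[ip] = BlacklistEntry(ip, now, aging_seconds, "manual")

    def delete_manual(self, ip: str) -> None:
        self.entries.pop(ip, None)


def demo() -> Dict[str, object]:
    """Walk one source IP (constructed address) through the six-failure limit."""
    bl = LoginBlacklist()
    src = "203.0.113.7"
    actions = [bl.record_login(src, False, float(t)) for t in range(6)]  # t = 0..5
    return {
        "actions": actions,                                    # 5 x failed, then blacklisted
        "filtered_at_60s": bl.record_login(src, True, 60.0),   # right password, still filtered
        "blocked_at_604s": bl.is_blocked(src, 604.0),          # entry added at t=5, ages at t=605
        "blocked_at_605s": bl.is_blocked(src, 605.0),
    }


if __name__ == "__main__":
    print(demo())
```

Note that a correct password presented while the entry is live is still filtered; only the 10-minute timer (or, for manual entries, an explicit delete) reopens the address.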

Traffic statistics function

The traffic statistics function collects statistics on sessions between the internal network and the external network almost in real time. You can customize attack protection policies based on the statistics. For example, by analyzing whether the total number of TCP or UDP session requests initiated from the external network to the internal network exceeds the threshold, you can determine whether to limit new sessions in that direction, or limit new sessions to a specific internal IP address.

The device supports collecting statistics on the following items:

- Total number of sessions
- Session establishment rate
- Number of TCP sessions
- Number of half-open TCP sessions
- Number of half-close TCP sessions
- TCP session establishment rate
- Number of UDP sessions
- UDP session establishment rate
- Number of ICMP sessions
- ICMP session establishment rate
- Number of RAW IP sessions
- RAW IP session establishment rate

The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval.

The traffic statistics function does not consider session status (except the TCP half-open and half-close states). As soon as a session is established, the count increases by 1. As soon as a session is deleted, the count decreases by 1.
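The following model of the traffic statistics counters is an added example, not H3C code from the manual. It keeps the per-protocol session counts and the TCP half-open/half-close counts listed above, computes establishment rates over the latest 5-second interval as the text describes, and shows the threshold decision the text gives as its example (limit new external-to-internal sessions, or limit new sessions to one internal host). The zone names Untrust/Trust, the session table, the addresses and the thresholds are constructed assumptions; the device itself keeps interval counters rather than a per-session history.

```python
"""Model of the traffic statistics described on this page (constructed example,
not H3C code). Zone names, session ids, addresses and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATE_INTERVAL_SECONDS = 5  # from the text: rates cover the latest 5-second interval


@dataclass
class Session:
    sid: str
    proto: str       # "tcp", "udp", "icmp" or "rawip"
    src_zone: str
    dst_zone: str
    dst_ip: str
    tcp_state: str = "established"  # TCP only: "half-open", "established", "half-close"


class TrafficStats:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # (establish time, session): kept here only to compute rates (assumption;
        # the device keeps interval counters, not per-session history)
        self.history: List[Tuple[float, Session]] = []

    def add_session(self, s: Session, now: float) -> None:
        self.sessions[s.sid] = s          # count +1 on establishment, status ignored
        self.history.append((now, s))

    def delete_session(self, sid: str) -> None:
        self.sessions.pop(sid, None)      # count -1 on deletion

    def set_tcp_state(self, sid: str, state: str) -> None:
        self.sessions[sid].tcp_state = state

    def counts(self) -> Dict[str, int]:
        """The count items listed on the page, from the live session table."""
        by_proto = Counter(s.proto for s in self.sessions.values())
        tcp_states = Counter(s.tcp_state for s in self.sessions.values() if s.proto == "tcp")
        return {
            "total": len(self.sessions),
            "tcp": by_proto["tcp"],
            "tcp_half_open": tcp_states["half-open"],
            "tcp_half_close": tcp_states["half-close"],
            "udp": by_proto["udp"],
            "icmp": by_proto["icmp"],
            "rawip": by_proto["rawip"],
        }

    def _recent(self, now: float, proto: Optional[str] = None) -> List[Session]:
        start = now - RATE_INTERVAL_SECONDS
        return [s for t, s in self.history
                if start < t <= now and (proto is None or s.proto == proto)]

    def establishment_rate(self, now: float, proto: Optional[str] = None) -> float:
        """Sessions per second established during the latest 5-second interval."""
        return len(self._recent(now, proto)) / RATE_INTERVAL_SECONDS

    def new_sessions_by_dst(self, now: float, src_zone: str, dst_zone: str,
                            protos: Tuple[str, ...] = ("tcp", "udp")) -> Counter:
        """New TCP/UDP sessions in the interval, src_zone -> dst_zone, per internal IP."""
        return Counter(s.dst_ip for s in self._recent(now)
                       if s.src_zone == src_zone and s.dst_zone == dst_zone and s.proto in protos)


def limit_decision(stats: TrafficStats, now: float, direction_threshold: int,
                   per_host_threshold: int, ext: str = "Untrust", inn: str = "Trust") -> Dict[str, object]:
    """The page's example policy: limit the direction, or limit specific internal hosts."""
    per_dst = stats.new_sessions_by_dst(now, ext, inn)
    return {
        "limit_direction": sum(per_dst.values()) > direction_threshold,
        "limit_hosts": sorted(ip for ip, n in per_dst.items() if n > per_host_threshold),
    }


def build_sample() -> TrafficStats:
    """Constructed session table; all addresses and timings are made up."""
    st = TrafficStats()
    for i, t in enumerate([6, 6, 7, 7, 8, 8], start=1):  # TCP burst to one internal host
        st.add_session(Session(f"s{i}", "tcp", "Untrust", "Trust", "10.0.0.5"), t)
    st.set_tcp_state("s1", "half-open")
    st.set_tcp_state("s2", "half-open")
    st.set_tcp_state("s3", "half-close")
    st.add_session(Session("s7", "tcp", "Untrust", "Trust", "10.0.0.6"), 9)
    st.add_session(Session("s8", "udp", "Untrust", "Trust", "10.0.0.6"), 9)
    st.add_session(Session("s9", "udp", "Trust", "Untrust", "198.51.100.1"), 9)
    st.add_session(Session("s10", "icmp", "Trust", "Untrust", "198.51.100.1"), 2)
    st.add_session(Session("s11", "rawip", "Trust", "Untrust", "198.51.100.1"), 3)
    st.delete_session("s11")  # deletion takes the RAW IP count back to 0
    return st


def demo() -> Tuple[Dict[str, int], Dict[str, float], Dict[str, object]]:
    st, now = build_sample(), 10.0
    rates = {p: st.establishment_rate(now, None if p == "total" else p) for p in ("total", "tcp", "udp")}
    return st.counts(), rates, limit_decision(st, now, direction_threshold=5, per_host_threshold=4)


if __name__ == "__main__":
    print(demo())
```

In the sample, the ICMP session established at t=2 still counts as a session at t=10 but no longer contributes to the rate, because only establishments inside the latest 5-second window are rated.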
