Intrusion detection statistics, Configuring packet inspection – H3C Technologies H3C SecBlade LB Cards User Manual
Page 228
217
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a
SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the
TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP
proxy sets up a connection between itself and the server through a three-way handshake on behalf
of the client. Thus, two TCP connections are established, and the two connections use different
sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the
TCP proxy on the key path that passes through the ingress and egress of the protected servers, and
make sure all packets that the clients send to the server and all packets that the servers send to the
clients pass through the TCP proxy device.
Intrusion detection statistics
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of
packets passing by, it determines whether the packets are attack packets. If so, it takes actions
accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and
adding the attacker to the blacklist.
The intrusion detection statistics reflect the counts of attacks as per attack type, and the counts of attack
packets dropped. This helps you analyze the intrusion types and quantities present to generate better
network security policies.
For information about packet inspection and traffic abnormality detection, see "
Configuring attack detection and protection in the
Web interface
Configuring packet inspection
1.
From the navigation tree, select Security > Intrusion Detection > Packet Inspection.