413
Configuring attack detection and
protection
Overview
Attack detection and protection is an important network security feature. It determines whether
received packets are attack packets according to the packet contents and behaviors and, if detecting
an attack, take measures to deal with the attack, such as recording alarm logs, dropping packets,
and blacklisting the source IP address.
The attack protection function can detect three types of network attacks: single-packet attacks,
scanning attacks, and flood attacks. In addition, this function also supports traffic statistics for
session analysis on interfaces.
Types of network attacks the device can defend against
The device can defend against three types of network attacks: single-packet attacks, scanning
attacks, and flood attacks, according to the attack characteristics.
Single-packet attack
Single-packet attack is also called malformed packet attack because many single-packet attacks use
defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:
• An attacker sends defective IP packets to a target, causing the target system to malfunction or
crash.
• An attacker sends large quantities of junk packets to the network, using up the network
bandwidth.
Table 21 lists
the single-packet attacks that can be prevented by the device.
Table 21 Types of single-packet attacks
Single-packet
attack
Description
Fraggle
An attacker sends large amounts of UDP echo requests with the UDP port number
being 7 or Chargen packets with the UDP port number being 19, resulting in a large
quantity of junk replies and eventually exhausting the bandwidth of the target
network.
ICMP Redirect
An attacker sends ICMP redirect messages to a user host to modify the host's
routing table, interfering with the normal forwarding of IP packets.
ICMP Unreachable
Upon receiving an ICMP unreachable response, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an attacker can cut off the
connection between the target host and the network.
Land
An attacker sends a great number of TCP SYN packets using target IP address as
both the source and destination IP addresses, exhausting the half-open connection
resources of the target and thereby making the target unable to provide services
correctly.
Large ICMP
For some hosts and devices, large ICMP packets cause memory allocation error
and thus crash down the protocol stack. A large ICMP attacker sends large ICMP
packets to a target to make it crash down.
To Next Page
Loading...
Need help?
General
