415
packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering
packets from certain IP addresses.
Working in conjunction with the scanning attack protection function or the user login authentication
function, the device can add blacklist entries automatically and can age such blacklist entries. More
specifically:
• When the device detects a scanning attack from an IP address according to the packet behavior,
it adds the IP address to the blacklist. Thus, packets from the IP address are filtered.
• When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the
correct username, password, or verification code (for a web login user) after the maximum
number of attempts, it considers the user an attacker, adds the IP address of the user to the
blacklist, and filters subsequent login requests from the user. This mechanism can effectively
prevent attackers from cracking login passwords through repeated login attempts. The
maximum number of login failures is six, the blacklist entry aging time is 10 minutes, and they
are not configurable.
The device also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry
always exists in the blacklist unless you delete it manually. You can configure the aging time of a
non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry,
allowing packets from the corresponding IP address to pass.
On a distributed device, the blacklist function for excessive login failures takes effect only for users
who try to log in to the device from the interfaces on the main control board.
NOTE:
The device supports the blacklist function for excessive login failures.
Traffic statistics function
The traffic statistics function collects statistics on sessions between the internal network and external
network almost in real time. You can custom attack protection policies based on the statistics. For
example, by analyzing whether the total number of TCP or UDP session requests initiated from the
external network to the internal network exceeds the threshold, you can determine whether to limit
new sessions in the direction, or limit new sessions to a specific internal IP address.
The device supports collecting statistics on the following items:
• Total number of sessions
• Session establishment rate
• Number of TCP sessions
• Number of half-open TCP sessions
• Number of half-close TCP sessions
• TCP session establishment rate
• Number of UDP sessions
• UDP session establishment rate
• Number of ICMP sessions
• ICMP session establishment rate
• Number of RAW IP sessions
• RAW IP session establishment rate
The device collects statistics to calculate the session establishment rates at an interval of 5 seconds.
Therefore, the session establishment rates displayed on the device are based on the statistics
collected during the latest 5-second interval.
To Next Page
Loading...
Need help?
General
