HPE FlexNetwork MSR Series User Manual

861 pages
Configuring attack protection
You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and
configure intrusion detection in the Web interface.
Overview
Attack protection is an important network security feature. It can determine whether received packets
are attack packets according to the packet contents and behaviors and, if detecting an attack, take
measures to deal with the attack. Protection measures include logging the event, dropping packets,
updating the session status, and blacklisting the source IP address.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address.
Compared with ACL packet filtering, blacklist filtering is simpler in matching packets. Therefore, it
filters packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP
addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist
entries dynamically. This is done by working in conjunction with the scanning attack protection
function. When the device detects a scanning attack according to the packet behavior, it adds the IP
address of the attacker to the blacklist. Therefore, packets from the IP address will be filtered.
Blacklist entries added dynamically age out after a specific period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries
added manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent
entry will always exist in the blacklist unless you delete it manually. You can configure the aging time
of a non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry,
allowing packets from the corresponding IP address to pass.
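
The entry lifecycle described above, modeled as an added example (not code from the manual or from the device): permanent and non-permanent manual entries, plus dynamic entries created by a simple scan heuristic and then aged out. The class and function names, the aging time, and the scan threshold and window are assumptions chosen for illustration; the manual page states none of them.

```python
import ipaddress

DYNAMIC_AGING, SCAN_THRESHOLD, SCAN_WINDOW = 600, 5, 10   # assumed values, not from the manual

class Blacklist:
    def __init__(self):
        self.entries = {}   # source IP -> (expiry time, or None if permanent; origin)
        self.probes = {}    # source IP -> {(dst IP, dst port): last seen}

    def add_manual(self, ip, now, aging=None):
        # aging=None makes a permanent entry; otherwise it ages out after `aging` seconds
        ip = str(ipaddress.ip_address(ip))   # rejects malformed addresses
        self.entries[ip] = (None if aging is None else now + aging, "manual")

    def delete(self, ip):
        self.entries.pop(ip, None)

    def _note_probe(self, src, dst, dport, now):
        seen = self.probes.setdefault(src, {})
        seen[(dst, dport)] = now
        for key in [k for k, ts in seen.items() if now - ts > SCAN_WINDOW]:
            del seen[key]
        if len(seen) >= SCAN_THRESHOLD:
            # behaviour looks like a scan: add a dynamic entry that will age out
            self.entries[src] = (now + DYNAMIC_AGING, "dynamic")
            del self.probes[src]

    def filter(self, src, dst, dport, now):
        # age out expired entries, then match on source IP only
        for ip in [i for i, (exp, _) in self.entries.items() if exp is not None and now >= exp]:
            del self.entries[ip]
        if src in self.entries:
            return "drop"
        self._note_probe(src, dst, dport, now)
        return "drop" if src in self.entries else "pass"

def demo():
    # Constructed traffic using documentation address ranges
    bl = Blacklist()
    bl.add_manual("198.51.100.7", now=0)             # permanent
    bl.add_manual("198.51.100.8", now=0, aging=60)   # non-permanent
    return {
        "scan": [bl.filter("203.0.113.9", "192.0.2.1", p, now=1) for p in range(20, 25)],
        "manual_active": bl.filter("198.51.100.8", "192.0.2.1", 80, now=30),
        "manual_aged": bl.filter("198.51.100.8", "192.0.2.1", 80, now=61),
        "dynamic_active": bl.filter("203.0.113.9", "192.0.2.1", 80, now=300),
        "dynamic_aged": bl.filter("203.0.113.9", "192.0.2.1", 80, now=700),
        "permanent": bl.filter("198.51.100.7", "192.0.2.1", 80, now=10**6),
    }
```

The aged-out cases are the ones to watch operationally: once a dynamic or non-permanent entry expires, the same source passes again until it is re-detected or re-added.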
Intrusion detection function
The device can defend against two categories of network attacks: single-packet attacks and
abnormal traffic attacks. Abnormal traffic attacks include two sub-categories: scanning attacks and
flood attacks.
Protection against single-packet attacks
A single-packet attack is also called a malformed packet attack. Such an attack is formed when:
• The attacker sends defective IP packets, such as overlapping IP fragments and packets with
  illegal TCP flags, to a target system so that the target system malfunctions or crashes when
  processing such packets.
• The attacker sends large quantities of such packets to the network to use up the network
  bandwidth.
Table 93 lists the types of single-packet attacks that can be prevented by the device.
