153
Protection against scanning attacks
Scanning attackers usually use some scanning tools to scan host addresses and ports in a network,
so as to find possible targets and the services enabled on the targets and figure out the network
topology, preparing for further attacks to the target hosts.
The scanning attack protection function takes effect to only incoming packets. It monitors the rate at
which an IP address initiates connections to destination systems. If the rate reaches or exceeds
4000 connections per second, it logs the event, adds the IP address to the blacklist, and discards
subsequent packets from the IP address.
Protection against flood attacks
Flood attackers send a large number of forged requests to the targets in a short time, so that the
target systems will be too busy to provide services for legal users, resulting in denial of services.
The device can defend against three types of flood attacks:
• SYN flood attack
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP
connections. A SYN flood attacker sends a great quantity of SYN packets to a target server,
using a forged address as the source address. After receiving the SYN packets, the server
replies with SYN ACK packets. As the destination address of the SYN ACK packets is
unreachable, the server can never receive the expected ACK packets, resulting in large
amounts of half-open connections. In this way, the attacker exhausts the system resources,
making the server unable to service normal clients.
• ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time by,
for example, using the ping program, causing the target too busy to process normal services.
• UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so
that the target gets too busy to process normal services.
The flood attack protection function takes effect to only outgoing packets. It is mainly used to
protect servers. It monitors the connection establishment rate and number of half-open
connections of a server. If the rate reaches or exceeds 1000 connections per second or the
number of half-open connections reaches or exceeds 10000 (only SYN flood attack protection
supports restriction of half-open connections), it logs the event, and discards subsequent
connection requests to the server.
Configuring the blacklist function
Recommended configuration procedure
Step Remarks
1. Enabling the blacklist function
Required.
By default, the blacklist function is disabled.
2. Configuring the scanning attack
protection function to add
blacklist entries automatically
Required.
Perform at least one of the two tasks.
To Next Page
Loading...
Need help?
General
