Configuring attack detection and protection
Overview
Attack detection and protection enables a device to detect attacks by inspecting arriving packets and to take protection actions, such as packet dropping, to protect a private network.
The device supports only TCP fragment attack protection.
Configuring TCP fragment attack protection
The TCP fragment attack protection feature enables the device to drop attack TCP fragments, which prevents TCP fragment attacks that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments are the following TCP fragments:
· First fragments in which the TCP header is smaller than 20 bytes.
· Non-first fragments with a fragment offset of 8 bytes (FO=1).
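The two checks listed above, written out as an added Python example (not the device's implementation or vendor code). The function names, return labels and sample packets are constructed for illustration, and treating a first fragment as FO=0 with the More Fragments bit set is an assumption.

```python
import struct

TCP = 6
TCP_MIN_HEADER = 20  # smallest legal TCP header, in bytes

def classify_fragment(packet: bytes) -> str:
    """Apply the two checks above to one raw IPv4 packet.

    Returns 'drop-tiny-first', 'drop-fo1' or 'pass' (hypothetical labels).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                          # not IPv4: outside this check
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    if ihl < 20 or len(packet) < ihl or packet[9] != TCP:
        return "pass"                          # malformed header or not TCP
    total_len = struct.unpack_from("!H", packet, 2)[0]
    flags_fo = struct.unpack_from("!H", packet, 6)[0]
    more_fragments = bool(flags_fo & 0x2000)   # MF flag
    frag_offset = flags_fo & 0x1FFF            # counted in 8-byte units
    # Bytes of transport data actually carried by this fragment.
    transport_len = min(total_len, len(packet)) - ihl
    # Check 1: first fragment too short to hold a complete TCP header, so
    # a filter looking only at this fragment cannot see all header fields.
    if frag_offset == 0 and more_fragments and transport_len < TCP_MIN_HEADER:
        return "drop-tiny-first"
    # Check 2: FO=1 places data at byte 8 of the TCP header, overlapping the
    # header fields a filter already inspected in the first fragment.
    if frag_offset == 1:
        return "drop-fo1"
    return "pass"

def build_ipv4(proto: int, more_fragments: bool, frag_offset: int,
               payload: bytes) -> bytes:
    """Constructed sample packet (documentation addresses, checksum left 0)."""
    flags_fo = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_fo, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

if __name__ == "__main__":
    samples = {
        "8-byte first fragment": build_ipv4(TCP, True, 0, bytes(8)),
        "fragment at FO=1": build_ipv4(TCP, False, 1, bytes(12)),
        "24-byte first fragment": build_ipv4(TCP, True, 0, bytes(24)),
        "fragment at FO=3": build_ipv4(TCP, False, 3, bytes(16)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```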
To configure TCP fragment attack protection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable TCP fragment attack protection. | attack-defense tcp fragment enable | By default, TCP fragment attack protection is enabled. |