13-Attack detection and prevention configuration
Configuring attack detection and prevention
About attack detection and prevention
Attacks that the device can prevent
Address object group whitelist
Attack detection and prevention tasks at a glance
Configuring and applying an attack defense policy
Creating an attack defense policy
Configuring a single-packet attack defense policy
Configuring a scanning attack defense policy
Configuring a flood attack defense policy
Configuring an HTTP slow attack defense policy
Configuring attack detection exemption
Applying an attack defense policy to an interface
Applying an attack defense policy to the device
Enabling log non-aggregation for single-packet attack events
Configuring TCP fragment attack prevention
Enabling the top attack statistics ranking feature
Configuring the address object group whitelist
Enabling SNMP notifications for attack detection and prevention
Display and maintenance commands for attack detection and prevention
Configuring attack detection and prevention
About attack detection and prevention
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging and packet dropping.
Attacks that the device can prevent
This section describes the attacks that the device can detect and prevent.
Single-packet attacks
Single-packet attacks are also known as malformed packet attacks. An attacker typically launches single-packet attacks by using the following methods:
· An attacker sends defective packets to a device, which causes the device to malfunction or crash.
· An attacker sends normal packets to a device, which interrupts connections or probes network topologies.
· An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).
Table 1 lists the single-packet attack types that the device can detect and prevent.
Table 1 Types of single-packet attacks
Single-packet attack | Description |
---|---|
ICMP redirect | An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly. |
ICMP destination unreachable | An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations. |
ICMP type | A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim. |
ICMPv6 type | A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim. |
Land | An attacker sends the victim a large number of TCP SYN packets that contain the victim's IP address as both the source and destination IP address. This attack exhausts the half-open connection resources on the victim and locks the victim's system. |
Large ICMP packet | An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation errors and crash the protocol stack. |
Large ICMPv6 packet | An attacker sends large ICMPv6 packets to crash the victim. Large ICMPv6 packets can cause memory allocation errors and crash the protocol stack. |
IP option | An attacker builds IP datagrams with certain option types and sends them to probe the network topology. |
IP option abnormal | An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it cannot process such malformed packets. |
IP fragment | An attacker sends the victim an IP datagram with an offset no larger than 5, which causes the victim to malfunction or crash. |
IP impossible packet | An attacker sends IP packets whose source IP address is the same as the destination IP address, which causes the victim to malfunction. |
Tiny fragment | An attacker makes the fragment size small enough to force Layer 4 header fields into the second fragment. These fragments can pass the packet filter because the first fragment does not match any filter rule. |
Smurf | An attacker sends ICMP echo requests to target networks. In these requests, the destination IP address is a network or broadcast address of a Class A, B, or C subnet, and the source IP address is the victim's IP address. Every receiver on the target networks sends an ICMP echo reply to the victim. The victim is flooded with replies and is unable to provide services. Network congestion might occur. |
TCP flag | An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes such packets incorrectly. |
Traceroute | An attacker uses traceroute tools to probe the topology of the victim network. |
WinNuke | An attacker sends Out-Of-Band (OOB) data to TCP port 139 (NetBIOS) on a victim running Windows. The malicious packets contain an illegal Urgent Pointer, which causes the victim's operating system to crash. |
UDP bomb | An attacker sends a malformed UDP packet. The length value in the IP header is larger than the IP header length plus the length value in the UDP header. When the target system processes the packet, a buffer overflow can occur, which causes a system crash. |
UDP Snork | An attacker sends a UDP packet with destination port 135 (the Microsoft location service) and source port 135, 7, or 19. This attack causes an NT system to exhaust its CPU. |
UDP Fraggle | An attacker sends a large number of packets with source UDP port 7 and destination UDP port 19 (UDP chargen port) to a network. These packets use the victim's IP address as the source IP address. Replies flood the victim, resulting in DoS. |
Teardrop | An attacker sends a stream of overlapping fragments. The victim crashes when it tries to reassemble the overlapping fragments. |
Ping of death | An attacker sends the victim an ICMP echo request larger than 65535 bytes, which violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash. |
IPv6 extension header | An attacker sends the victim a packet with IPv6 extension headers. |
IPv6 ext header abnormal | An attacker sends IPv6 packets with disordered or repeated IPv6 extension headers to the target. |
IPv6 ext header exceed | An attacker sends IPv6 packets with more IPv6 extension headers than the upper limit to the target. |
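The following is an added example, not code from the guide or the device, showing how a subset of the Table 1 signatures can be expressed as checks over already-parsed header fields, and how the configured per-signature actions (with the guide's default of logging) are combined. The Packet field names, the 20-byte IP header assumption, and the simplified WinNuke rule (URG flag to port 139) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

IP_HDR_LEN = 20        # assumption: no IP options present
TCP_HDR_MIN_LEN = 20
UDP_HDR_LEN = 8
MAX_SAFE_ICMP = 4000   # default large-ICMP limit stated in the guide (bytes)

@dataclass
class Packet:
    """Header fields already parsed from an incoming packet (constructed input)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    total_len: int                  # IP total length field, in bytes
    frag_offset: int = 0            # fragment offset, in 8-byte units
    more_frags: bool = False        # MF bit
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: str = ""             # letters from "SAFRPU", e.g. "SA"
    icmp_type: Optional[int] = None
    dst_is_broadcast: bool = False  # destination is a network or broadcast address
    udp_len: Optional[int] = None   # UDP header length field
    urgent_ptr: int = 0

def check_signatures(p: Packet) -> List[str]:
    """Return the Table 1 signature names the packet matches, in check order."""
    hits: List[str] = []
    # "IP impossible packet" and "Land": source address equals destination address.
    if p.src == p.dst:
        hits.append("impossible")
        if p.proto == "tcp" and p.tcp_flags == "S":
            hits.append("land")
    if p.proto == "icmp":
        # Smurf: echo request (type 8) addressed to a broadcast or network address.
        if p.icmp_type == 8 and p.dst_is_broadcast:
            hits.append("smurf")
        if p.total_len > MAX_SAFE_ICMP:
            hits.append("large-icmp")
    elif p.proto == "tcp":
        if p.tcp_flags == "":
            hits.append("tcp-null-flag")
        if "S" in p.tcp_flags and "F" in p.tcp_flags:
            hits.append("tcp-syn-fin")
        if p.tcp_flags == "F":
            hits.append("tcp-fin-only")
        # WinNuke: urgent (OOB) data aimed at NetBIOS port 139 (simplified to URG set).
        if p.dport == 139 and "U" in p.tcp_flags:
            hits.append("winnuke")
    elif p.proto == "udp":
        # UDP bomb: IP length claims more than IP header + UDP length.
        if p.udp_len is not None and p.total_len > IP_HDR_LEN + p.udp_len:
            hits.append("udp-bomb")
        # Snork: destination port 135 from source port 135, 7 or 19.
        if p.dport == 135 and p.sport in (135, 7, 19):
            hits.append("snork")
        # Fraggle: echo (7) to chargen (19).
        if p.sport == 7 and p.dport == 19:
            hits.append("fraggle")
    # Tiny fragment: a first fragment too short to carry the Layer 4 header.
    l4_len = {"tcp": TCP_HDR_MIN_LEN, "udp": UDP_HDR_LEN}.get(p.proto, 0)
    if p.more_frags and p.frag_offset == 0 and p.total_len - IP_HDR_LEN < l4_len:
        hits.append("tiny-fragment")
    return hits

DEFAULT_ACTION: Set[str] = {"logging"}   # the guide's default action for a detected signature

def decide_actions(hits: List[str], policy: dict) -> Set[str]:
    """Combine the actions for the matched signatures. `policy` holds only the
    signatures for which detection is configured, mapping each to its action
    set ({"drop"}, {"logging"}, both, or set() for none); None means the
    default action. Signatures without detection configured are ignored."""
    actions: Set[str] = set()
    for h in hits:
        if h in policy:
            actions |= DEFAULT_ACTION if policy[h] is None else policy[h]
    return actions
```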
Scanning attacks
Scanning is a pre-intrusion activity used to prepare for intrusion into a network. Scanning allows the attacker to find a way into the target network and to disguise the attacker's identity.
Attackers use scanning tools to probe a network, find vulnerable hosts, and discover the services running on those hosts. Attackers can use this information to launch attacks.
The device can detect and prevent IP sweep and port scan attacks. A port scan launched against a target host from multiple hosts is a distributed port scan attack.
Flood attacks
An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to provide services for legal users, and a DoS attack occurs.
The device can detect and prevent the following types of flood attacks.
SYN flood attack
A SYN flood attacker exploits the TCP three-way handshake characteristics and makes the victim unresponsive to legal users. An attacker sends a large number of SYN packets with forged source addresses to a server. This causes the server to open a large number of half-open connections and respond to the requests. However, the server will never receive the expected ACK packets. The server is unable to accept new incoming connection requests because all of its resources are bound to half-open connections.
ACK flood attack
An ACK packet is a TCP packet only with the ACK flag set. Upon receiving an ACK packet from a client, the server must search half-open connections for a match.
An ACK flood attacker sends a large number of ACK packets to the server. This causes the server to be busy searching for half-open connections, and the server is unable to process packets for normal services.
SYN-ACK flood attack
Upon receiving a SYN-ACK packet, the server must search for the matching SYN packet it has sent. A SYN-ACK flood attacker sends a large number of forged SYN-ACK packets to the server. This causes the server to be busy searching for SYN packets, and the server is unable to process packets for normal services.
FIN flood attack
FIN packets are used to shut down TCP connections.
A FIN flood attacker sends a large number of forged FIN packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections.
RST flood attack
RST packets are used to abort TCP connections when TCP connection errors occur.
An RST flood attacker sends a large number of forged RST packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections.
DNS flood attack
A DNS server processes and replies to all DNS queries that it receives.
A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server from processing and replying to legal DNS queries.
DNS response flood attack
The DNS cache server or host processes all incoming DNS responses.
A DNS response flood attacker sends excessive forged DNS responses. This attack consumes the bandwidth and resources of the DNS cache server or host, and prevents the DNS cache server or host from processing legitimate DNS responses.
HTTP flood attack
Upon receiving an HTTP GET or POST request, the HTTP server performs complex operations, including character string searching, database traversal, data reassembly, and format switching. These operations consume a large amount of system resources.
An HTTP flood attacker sends a large number of HTTP GET or POST requests that exceed the processing capacity of the HTTP server, which causes the server to crash.
HTTPS flood attack
Upon receiving an HTTPS request, the HTTPS server performs complex operations. These operations consume a large amount of system resources.
An HTTPS flood attacker sends a large number of HTTPS requests that exceed the processing capacity of the HTTPS server, which causes the server to crash.
SIP flood attack
After receiving a SIP INVITE packet from a SIP client, the server must allocate resources to establish and trace the session with the SIP client.
A SIP flood attacker sends a large number of fake INVITE request packets at a rate exceeding the processing capacity of the SIP server, which causes the server to crash.
ICMP flood attack
An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
ICMPv6 flood attack
An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
UDP flood attack
A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
TCP fragment attack
An attacker launches TCP fragment attacks by sending attack TCP fragments defined in RFC 1858:
· First fragments in which the TCP header is smaller than 20 bytes.
· Non-first fragments with a fragment offset of 8 bytes (FO=1).
Typically, a packet filter checks the source and destination IP addresses, source and destination ports, and transport layer protocol of only the first fragment of a TCP packet. If the first fragment passes the check, all subsequent fragments of the TCP packet are allowed to pass through.
Because the first fragment of an attack TCP packet does not match any rule in the packet filter, the subsequent fragments can all pass through. After the receiving host reassembles the fragments, a TCP fragment attack occurs.
To prevent TCP fragment attacks, enable TCP fragment attack prevention to drop attack TCP fragments.
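The following is an added example, not code from the guide or the device: the two RFC 1858 conditions quoted above as a check over constructed fragment headers, placed next to a model of the "first-fragment-only" filter behaviour described above and the same filter with fragment attack prevention in front of it. The Fragment fields and the 20-byte header constants are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Set

IP_HDR_LEN = 20     # assumption: no IP options
TCP_HDR_MIN = 20    # bytes the first fragment must carry for ports and flags to be visible

@dataclass
class Fragment:
    """One IP fragment of a TCP datagram (constructed input)."""
    frag_offset: int      # FO, in 8-byte units
    more_frags: bool      # MF bit
    payload_len: int      # bytes following the IP header
    dport: int = 0        # destination port; only readable in a first fragment carrying the TCP header

def is_attack_fragment(f: Fragment) -> bool:
    """The two RFC 1858 conditions the guide lists."""
    if f.frag_offset == 0:
        # First fragment: must carry the full 20-byte TCP header.
        return f.more_frags and f.payload_len < TCP_HDR_MIN
    # A non-first fragment starting 8 bytes in (FO=1) overlaps the TCP header
    # carried by the first fragment.
    return f.frag_offset == 1

def naive_filter(frags: List[Fragment], allowed_ports: Set[int]) -> bool:
    """Filter that inspects only the first fragment, as the guide describes.
    Returns True when the whole datagram is let through."""
    first = frags[0]
    port_readable = first.frag_offset == 0 and first.payload_len >= TCP_HDR_MIN
    if port_readable and first.dport not in allowed_ports:
        return False
    # A first fragment too short to expose the port matches no deny rule, so it
    # passes, and every later fragment of the datagram passes with it.
    return True

def hardened_filter(frags: List[Fragment], allowed_ports: Set[int]) -> bool:
    """naive_filter with TCP fragment attack prevention in front of it: the
    datagram is dropped if any fragment meets an RFC 1858 condition."""
    if any(is_attack_fragment(f) for f in frags):
        return False
    return naive_filter(frags, allowed_ports)
```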
Login DoS attack
In a login DoS attack, a malicious user can attempt to interfere with the normal operations of a device by flooding it with login requests. These requests consume the authentication resources, which makes the device unable to allow legal users to log in.
You can configure login attack prevention to prevent the login DoS attacks. This feature blocks user login attempts for a period of time after the user fails the maximum number of successive login attempts.
Login dictionary attack
The login dictionary attack is an automated process to attempt to log in by trying all possible passwords from a pre-arranged list of values (the dictionary). Multiple login attempts can occur in a short period of time.
You can configure the login delay feature to slow down the login dictionary attacks. This feature enables the device to delay accepting another login request after detecting a failed login attempt for a user.
HTTP slow attack
An attacker exploits the HTTP connection mechanism to establish a connection to an HTTP server and hold the connection open for a long time in order to exhaust the server's resources. The following types of HTTP slow attacks are commonly used:
· Slow headers—An attacker uses the HTTP GET or POST method to connect to the server. The HTTP header does not contain the two CRLF sequences that mark the end of the header. In subsequent communication, the attacker regularly sends packets filled with other HTTP header fields to keep the connection alive. The server is still expecting the header end marker and maintains the connection for a long time.
· Slow POST—This type of attack occurs in one of the following conditions:
¡ An attacker sends an HTTP POST request to submit data to the server and sets the Content-Length field to a large value. During the subsequent payload transmission, the attacker sends a small amount of data each time to maintain the connection. The server keeps expecting the rest of the payload from the attacker without releasing the connection.
¡ An attacker sends an HTTP packet in chunked transfer encoding. If the HTTP packet is never terminated with a zero-length chunk, the server keeps expecting payload data from the attacker without releasing the connection.
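The following is an added example, not code from the guide or the device: a per-connection request-completeness tracker that tells the three incomplete-request patterns above apart once a connection has outlived a time budget. The 30-second default budget, the class and method names, and the per-connection (rather than per-request) timing are assumptions of this example.

```python
from typing import Optional

HEADER_END = b"\r\n\r\n"   # the two CRLF sequences that terminate an HTTP header

class HttpConnState:
    """Tracks how far one client has got in sending a single HTTP request."""

    def __init__(self, opened_at: float) -> None:
        self.opened_at = opened_at
        self.buf = b""                 # bytes received before the header end was seen
        self.header_done = False
        self.content_length: Optional[int] = None
        self.chunked = False
        self.body = b""

    def feed(self, data: bytes) -> None:
        """Account bytes received from the client."""
        if self.header_done:
            self.body += data
            return
        self.buf += data
        end = self.buf.find(HEADER_END)
        if end < 0:
            return                      # header still open (slow-headers territory)
        head, self.body = self.buf[:end], self.buf[end + len(HEADER_END):]
        self.header_done = True
        for line in head.split(b"\r\n")[1:]:        # skip the request line
            name, _, value = line.partition(b":")
            name, value = name.strip().lower(), value.strip().lower()
            if name == b"content-length":
                self.content_length = int(value.decode())
            elif name == b"transfer-encoding" and b"chunked" in value:
                self.chunked = True

    def complete(self) -> bool:
        """True once the whole request, header and body, has arrived."""
        if not self.header_done:
            return False
        if self.chunked:
            # A zero-length chunk ("0" CRLF) terminates a chunked body.
            return self.body.startswith(b"0\r\n") or b"\r\n0\r\n" in self.body
        if self.content_length is not None:
            return len(self.body) >= self.content_length
        return True

    def classify(self, now: float, budget: float = 30.0) -> str:
        """'ok' while the request is complete or within budget; otherwise the
        slow-attack pattern the still-incomplete request matches."""
        if self.complete() or now - self.opened_at <= budget:
            return "ok"
        if not self.header_done:
            return "slow-headers"
        if self.chunked:
            return "slow-post-chunked"
        return "slow-post-content-length"
```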
Session creation attack
An attacker sends a large number of packets to create new sessions with the target to exhaust the target's resources and affect operation of its services.
To prevent session creation attacks, configure session creation rate limit to enable the device to limit the receiving rates of inbound packets for new sessions.
Address object group whitelist
The address object group whitelist feature exempts packets from the whitelisted address object group from attack detection. Packets from the whitelisted address object group are directly forwarded whether they are attack packets or not. The address object group whitelist feature must be used together with the address object group feature. An address object group is a set of IP address objects. For more information about address object groups, see "Configuring object groups."
Attack detection and prevention tasks at a glance
To configure attack detection and prevention, perform the following tasks:
1. Configuring and applying an attack defense policy
a. Creating an attack defense policy
b. Configuring an attack defense policy
Choose the following tasks as needed:
- Configuring a single-packet attack defense policy
- Configuring a scanning attack defense policy
- Configuring a flood attack defense policy
- Configuring an HTTP slow attack defense policy
c. (Optional.) Configuring attack detection exemption
d. Applying an attack defense policy
Choose the following tasks as needed:
- Applying an attack defense policy to an interface
- Applying an attack defense policy to the device
2. (Optional.) Enabling log non-aggregation for single-packet attack events
3. (Optional.) Configuring TCP fragment attack prevention
Typically, this feature is separately used.
4. (Optional.) Enabling the top attack statistics ranking feature
5. (Optional.) Configuring the whitelist feature
Use this feature separately or jointly with a scanning attack defense policy.
¡ Configuring the address object group whitelist
6. (Optional.) Configuring the login attack prevention feature
Typically, this feature is separately used.
7. (Optional.) Enabling SNMP notifications for attack detection and prevention
Configuring and applying an attack defense policy
Creating an attack defense policy
About this task
An attack defense policy contains a set of attack detection and prevention settings.
To configure attack defense settings such as detection signatures and protection actions, you must first create an attack defense policy and enter its view.
Restrictions and guidelines
CAUTION: The default thresholds for triggering attack prevention might not be appropriate for your network. Set appropriate thresholds according to the actual application scenario. Small thresholds might affect Internet or webpage access speed. Large thresholds might leave your network vulnerable to attacks.
Procedure
1. Enter system view.
system-view
2. Create an attack defense policy and enter its view.
attack-defense policy policy-name
Configuring a single-packet attack defense policy
About this task
Apply the single-packet attack defense policy to the interface that is connected to the external network.
Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:
· Output logs (the default action).
· Drop attack packets.
You can also configure the device to not take any actions.
Restrictions and guidelines
When the logging keyword is specified, the device can output logs by using one of the following methods:
· Fast log output—The fast log output feature enables fast output of logs to specified log hosts.
· System log output—The system log output feature enables the attack detection and prevention module to log single-packet attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations. The information center can output single-packet attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view single-packet attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
As a best practice, use the fast log output feature to output logs, because the system log output feature has impacts on device performance.
For more information about the display logbuffer command, see System Management Command Reference. For more information about the fast log output feature, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Configure signature detection for specific single-packet attack types, and specify the actions against the attacks.
¡ Configure signature detection for well-known single-packet attacks, and specify the actions against the attacks.
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *
¡ Configure signature detection for ICMP packet attacks, and specify the actions against the attacks.
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]
¡ Configure signature detection for ICMPv6 packet attacks, and specify the actions against the attacks.
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
¡ Configure signature detection for IP option attacks, and specify the actions against the attacks.
signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]
¡ Configure signature detection for IPv6 extension header attacks, and specify the actions against the attacks.
signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
¡ Configure signature detection for abnormal IPv6 extension header attacks, and specify the actions against the attacks.
signature detect ipv6-ext-header-abnormal [ action { { drop | logging } * | none } ]
¡ Configure signature detection for IPv6 extension header exceeded attacks, and specify the actions against the attacks.
signature detect ipv6-ext-header-exceed [ limit limit-value ] [ action { { drop | logging } * | none } ]
By default, signature detection is not configured for single-packet attacks.
4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.
signature { large-icmp | large-icmpv6 } max-length length
By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.
5. (Optional.) Specify the actions against single-packet attacks of a specific level.
signature level { high | info | low | medium } action { { drop | logging } * | none }
The default action is logging for single-packet attacks of the informational and low levels.
The default actions are logging and drop for single-packet attacks of the medium and high levels.
6. (Optional.) Enable signature detection for single-packet attacks of a specific level.
signature level { high | info | low | medium } detect
By default, signature detection is disabled for all levels of single-packet attacks.
Configuring a scanning attack defense policy
About this task
Apply a scanning attack defense policy to the interface that is connected to the external network.
Scanning attack detection inspects the incoming packet rate of connections to the target system. If a source initiates connections at a rate equal to or exceeding the pre-defined threshold, the device can take the following actions:
· Output logs.
· Drop subsequent packets from the IP address of the attacker.
If logging is specified for IP sweep and port scan attacks, the system outputs logs for only IP sweep attacks when both the IP sweep and port scan attack thresholds are reached.
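The following is an added example, not code from the guide or the device, modelling the per-source scan detection described above: a port scan and IP sweep threshold evaluated over a sliding period, the drop action applied to subsequent packets from the offending source, and the logging rule that only the IP sweep is logged when both thresholds are reached. How the device counts scan activity is not stated in the guide; counting distinct destination ports (per destination) and distinct destination addresses within the period, and dropping from the triggering packet onward, are assumptions of this example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set, Tuple

class ScanDetector:
    """Port scan / IP sweep detection keyed by source address.
    Assumptions: a port scan is port_scan_threshold or more distinct destination
    ports on one destination within `period` seconds; an IP sweep is
    ip_sweep_threshold or more distinct destinations within `period`."""

    def __init__(self, port_scan_threshold: int, ip_sweep_threshold: int,
                 period: float, actions: Set[str]) -> None:
        self.port_scan_threshold = port_scan_threshold
        self.ip_sweep_threshold = ip_sweep_threshold
        self.period = period
        self.actions = set(actions)          # subset of {"drop", "logging"}
        self.events: Dict[str, Deque[Tuple[float, str, int]]] = defaultdict(deque)
        self.blocked: Set[str] = set()       # sources whose subsequent packets are dropped

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Dict[str, Optional[str]]:
        """Account one connection attempt; return the verdict and what to log."""
        if src in self.blocked:
            return {"action": "drop", "log": None}
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.period:   # forget attempts outside the period
            q.popleft()
        ip_sweep = len({d for _, d, _ in q}) >= self.ip_sweep_threshold
        port_scan = len({p for _, d, p in q if d == dst}) >= self.port_scan_threshold
        if not (ip_sweep or port_scan):
            return {"action": "forward", "log": None}
        # Guide: when both thresholds are reached, only the IP sweep is logged.
        log = None
        if "logging" in self.actions:
            log = "ip-sweep" if ip_sweep else "port-scan"
        action = "forward"
        if "drop" in self.actions:
            self.blocked.add(src)
            action = "drop"
        return {"action": action, "log": log}
```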
Procedure
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Configure scanning attack detection.
scan detect level { { high | low | medium } | user-defined { port-scan-threshold threshold-value | ip-sweep-threshold threshold-value } * [ period period-value ] } action { drop | logging } *
By default, scanning attack detection is not configured.
Configuring a flood attack defense policy
About this task
Apply a flood attack defense policy to the interface that is connected to the external network to protect internal servers.
Flood attack detection monitors the rate at which connections are initiated to the internal servers.
The device supports the following flood attack prevention types:
· Source-based flood attack prevention—Monitors the receiving rate of packets on a per-source IP basis. When the receiving rate of packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified defensive actions. Supported defensive actions include logging and dropping packets that originate from this IP address. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
· Destination-based flood attack prevention—Monitors the receiving rate of packets on a per-destination IP basis. When the receiving rate of packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. Supported defensive actions include logging and dropping subsequent packets destined for this IP address. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
An appropriate threshold can effectively prevent attacks. If the global threshold for triggering flood attack prevention is too low, false positives might occur, causing performance degradation or packet loss. If the global threshold is too high, false negatives might occur, making the network defenseless. Therefore, it is a good practice to enable the threshold learning feature for the device to automatically learn the global threshold. This feature allows the device to learn the global threshold based on the traffic flows in the network as follows:
1. Monitors the packet receiving rate in the network.
2. Calculates the global threshold based on the peak rate learned within the threshold learning duration.
You can choose to manually apply the learned threshold or configure the device to automatically apply the learned threshold.
The threshold learning feature includes the following modes:
· One-time learning—The device performs threshold learning only once.
· Periodic learning—The device performs threshold learning at intervals. The most recent learned threshold always takes effect.
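The following is an added example, not code from the guide or the device, modelling the flood prevention state machine described above: per-source or per-destination rate monitoring that enters the prevention state when a window's rate reaches the threshold and returns to detection only once the rate falls below the silence threshold (three-fourths of the threshold), plus threshold learning from the peak rate over the learning duration. Fixed 1-second rate windows, a single window at or above the threshold being enough to enter prevention, and the optional headroom factor in learn_threshold are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SILENCE_RATIO = 0.75   # guide: silence threshold is three-fourths of the trigger threshold

class FloodDetector:
    """Per-key rate monitor with the guide's two states: detection and prevention.
    `key` is "src" for source-based or "dst" for destination-based prevention."""

    def __init__(self, threshold: int, actions: Set[str], key: str = "dst") -> None:
        self.threshold = threshold
        self.actions = set(actions)                 # subset of {"drop", "logging"}
        self.key = key
        self.counts: Dict[str, int] = defaultdict(int)   # packets in the current window
        self.window: Optional[int] = None           # index of the current 1-second window
        self.in_prevention: Set[str] = set()
        self.log: List[Tuple[int, str, str]] = []   # (window, key, "enter" | "leave")

    def _note(self, event: str, k: str) -> None:
        if "logging" in self.actions:
            self.log.append((self.window, k, event))

    def _close_window(self) -> None:
        """Apply the closed window's rates: enter prevention at or above the
        threshold; leave it only once the rate drops below the silence threshold."""
        for k in set(self.counts) | self.in_prevention:
            rate = self.counts.get(k, 0)
            if rate >= self.threshold and k not in self.in_prevention:
                self.in_prevention.add(k)
                self._note("enter", k)
            elif rate < SILENCE_RATIO * self.threshold and k in self.in_prevention:
                self.in_prevention.discard(k)
                self._note("leave", k)
        self.counts = defaultdict(int)
        self.window += 1

    def observe(self, ts: float, src: str, dst: str) -> str:
        """Account one packet seen at time ts; return "drop" or "forward"."""
        second = int(ts)
        if self.window is None:
            self.window = second
        while self.window < second:     # also closes windows that saw no traffic
            self._close_window()
        k = src if self.key == "src" else dst
        self.counts[k] += 1
        if k in self.in_prevention and "drop" in self.actions:
            return "drop"
        return "forward"

def learn_threshold(window_rates: List[int], margin: float = 1.0) -> int:
    """One-time learning as the guide describes it: derive the global threshold
    from the peak per-window rate observed over the learning duration.
    `margin` is an assumed headroom factor (1.0 = use the peak itself)."""
    return int(max(window_rates) * margin)

def periodic_learning(intervals: List[List[int]], margin: float = 1.0) -> int:
    """Periodic learning: each interval is learned separately and the most
    recently learned threshold is the one that takes effect."""
    return learn_threshold(intervals[-1], margin)
```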
Restrictions and guidelines for flood attack detection and prevention
If a device has multiple service cards, the global trigger threshold you set takes effect on each service card. The effective global trigger threshold for the device is the value you set multiplied by the number of service cards.
You can configure flood attack detection and prevention for a specific IP address. Only destination-based flood attack prevention supports specifying IP addresses in the current software version. For non-specific IP addresses, the device uses the global attack prevention settings.
When the logging keyword is specified, the device can output logs by using one of the following methods:
· Fast log output—The fast log output feature enables fast output of logs to specified log hosts.
· System log output—The system log output feature enables the attack detection and prevention module to log flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations. The information center can output flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
As a best practice, use the fast log output feature to output logs, because the system log output feature has impacts on device performance.
For more information about the display logbuffer command, see System Management Command Reference. For more information about the fast log output feature, see Network Management and Monitoring Configuration Guide.
Configuring a SYN flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global SYN flood attack detection.
syn-flood detect non-specific
By default, global SYN flood attack detection is disabled.
4. Set the global threshold for triggering source-based SYN flood attack prevention.
syn-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based SYN flood attack prevention.
syn-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against SYN flood attacks.
syn-flood action { drop | logging } *
By default, no global action is specified for SYN flood attacks.
7. Configure IP address-specific SYN flood attack detection.
syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific SYN flood attack detection is not configured.
Configuring an ACK flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ACK flood attack detection.
ack-flood detect non-specific
By default, global ACK flood attack detection is disabled.
4. Set the global threshold for triggering source-based ACK flood attack prevention.
ack-flood source-threshold threshold-value
The default setting is 40000.
5. Set the global threshold for triggering destination-based ACK flood attack prevention.
ack-flood threshold threshold-value
The default setting is 40000.
6. Specify global actions against ACK flood attacks.
ack-flood action { drop | logging } *
By default, no global action is specified for ACK flood attacks.
7. Configure IP address-specific ACK flood attack detection.
ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific ACK flood attack detection is not configured.
Configuring a SYN-ACK flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global SYN-ACK flood attack detection.
syn-ack-flood detect non-specific
By default, global SYN-ACK flood attack detection is disabled.
4. Set the global threshold for triggering source-based SYN-ACK flood attack prevention.
syn-ack-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based SYN-ACK flood attack prevention.
syn-ack-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against SYN-ACK flood attacks.
syn-ack-flood action { drop | logging } *
By default, no global action is specified for SYN-ACK flood attacks.
7. Configure IP address-specific SYN-ACK flood attack detection.
syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific SYN-ACK flood attack detection is not configured.
Configuring a FIN flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global FIN flood attack detection.
fin-flood detect non-specific
By default, global FIN flood attack detection is disabled.
4. Set the global threshold for triggering source-based FIN flood attack prevention.
fin-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based FIN flood attack prevention.
fin-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against FIN flood attacks.
fin-flood action { drop | logging } *
By default, no global action is specified for FIN flood attacks.
7. Configure IP address-specific FIN flood attack detection.
fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific FIN flood attack detection is not configured.
Configuring an RST flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global RST flood attack detection.
rst-flood detect non-specific
By default, global RST flood attack detection is disabled.
4. Set the global threshold for triggering source-based RST flood attack prevention.
rst-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based RST flood attack prevention.
rst-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against RST flood attacks.
rst-flood action { drop | logging } *
By default, no global action is specified for RST flood attacks.
7. Configure IP address-specific RST flood attack detection.
rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific RST flood attack detection is not configured.
Configuring an ICMP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ICMP flood attack detection.
icmp-flood detect non-specific
By default, global ICMP flood attack detection is disabled.
4. Set the global threshold for triggering source-based ICMP flood attack prevention.
icmp-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based ICMP flood attack prevention.
icmp-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against ICMP flood attacks.
icmp-flood action { drop | logging } *
By default, no global action is specified for ICMP flood attacks.
7. Configure IP address-specific ICMP flood attack detection.
icmp-flood detect ip ip-address [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific ICMP flood attack detection is not configured.
Configuring an ICMPv6 flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global ICMPv6 flood attack detection.
icmpv6-flood detect non-specific
By default, global ICMPv6 flood attack detection is disabled.
4. Set the global threshold for triggering source-based ICMPv6 flood attack prevention.
icmpv6-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based ICMPv6 flood attack prevention.
icmpv6-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against ICMPv6 flood attacks.
icmpv6-flood action { drop | logging } *
By default, no global action is specified for ICMPv6 flood attacks.
7. Configure IP address-specific ICMPv6 flood attack detection.
icmpv6-flood detect ipv6 ipv6-address [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific ICMPv6 flood attack detection is not configured.
Configuring a UDP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global UDP flood attack detection.
udp-flood detect non-specific
By default, global UDP flood attack detection is disabled.
4. Set the global threshold for triggering source-based UDP flood attack prevention.
udp-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based UDP flood attack prevention.
udp-flood threshold threshold-value
The default setting is 10000.
6. Specify global actions against UDP flood attacks.
udp-flood action { drop | logging } *
By default, no global action is specified for UDP flood attacks.
7. Configure IP address-specific UDP flood attack detection.
udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific UDP flood attack detection is not configured.
Configuring a DNS flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global DNS flood attack detection.
dns-flood detect non-specific
By default, global DNS flood attack detection is disabled.
4. Set the global threshold for triggering source-based DNS flood attack prevention.
dns-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based DNS flood attack prevention.
dns-flood threshold threshold-value
The default setting is 10000.
6. (Optional.) Specify the global ports to be protected against DNS flood attacks.
dns-flood port port-list
By default, DNS flood attack prevention protects port 53.
7. Specify global actions against DNS flood attacks.
dns-flood action { drop | logging } *
By default, no global action is specified for DNS flood attacks.
8. Configure IP address-specific DNS flood attack detection.
dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific DNS flood attack detection is not configured.
Configuring a DNS response flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global DNS response flood attack detection.
dns-reply-flood detect non-specific
By default, global DNS response flood attack detection is disabled.
4. Set the global threshold for triggering source-based DNS response flood attack prevention.
dns-reply-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based DNS response flood attack prevention.
dns-reply-flood threshold threshold-value
The default setting is 10000.
6. (Optional.) Specify the global ports to be protected against DNS response flood attacks.
dns-reply-flood port port-list
By default, DNS response flood attack prevention protects port 53.
7. Specify global actions against DNS response flood attacks.
dns-reply-flood action { drop | logging } *
By default, no global action is specified for DNS response flood attacks.
8. Configure IP address-specific DNS response flood attack detection.
dns-reply-flood detect { ip ipv4-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific DNS response flood attack detection is not configured.
Configuring an HTTP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global HTTP flood attack detection.
http-flood detect non-specific
By default, global HTTP flood attack detection is disabled.
4. Set the global threshold for triggering source-based HTTP flood attack prevention.
http-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based HTTP flood attack prevention.
http-flood threshold threshold-value
The default setting is 10000.
6. (Optional.) Specify the global ports to be protected against HTTP flood attacks.
http-flood port port-list
By default, HTTP flood attack prevention protects port 80.
7. Specify global actions against HTTP flood attacks.
http-flood action { drop | logging } *
By default, no global action is specified for HTTP flood attacks.
8. Configure IP address-specific HTTP flood attack detection.
http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific HTTP flood attack detection is not configured.
Configuring an HTTPS flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global HTTPS flood attack detection.
https-flood detect non-specific
By default, global HTTPS flood attack detection is disabled.
4. Set the global threshold for triggering source-based HTTPS flood attack prevention.
https-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based HTTPS flood attack prevention.
https-flood threshold threshold-value
The default setting is 10000.
6. (Optional.) Specify the global ports to be protected against HTTPS flood attacks.
https-flood port port-list
By default, HTTPS flood attack prevention protects port 443.
7. Specify global actions against HTTPS flood attacks.
https-flood action { drop | logging } *
By default, no global action is specified for HTTPS flood attacks.
8. Configure IP address-specific HTTPS flood attack detection.
https-flood detect { ip ipv4-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific HTTPS flood attack detection is not configured.
Configuring a SIP flood attack defense policy
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global SIP flood attack detection.
sip-flood detect non-specific
By default, global SIP flood attack detection is disabled.
4. Set the global threshold for triggering source-based SIP flood attack prevention.
sip-flood source-threshold threshold-value
The default setting is 10000.
5. Set the global threshold for triggering destination-based SIP flood attack prevention.
sip-flood threshold threshold-value
The default setting is 10000.
6. (Optional.) Specify the global ports to be protected against SIP flood attacks.
sip-flood port port-list
By default, SIP flood attack prevention protects port 5060.
7. Specify global actions against SIP flood attacks.
sip-flood action { drop | logging } *
By default, no global action is specified for SIP flood attacks.
8. Configure IP address-specific SIP flood attack detection.
sip-flood detect { ip ipv4-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
By default, IP address-specific SIP flood attack detection is not configured.
Configuring threshold learning for flood attack prevention
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable the threshold learning feature for flood attack prevention.
threshold-learn enable
By default, the threshold learning feature for flood attack prevention is disabled.
4. (Optional.) Set the threshold learning mode.
· To set the one-time learning mode:
threshold-learn mode once
· To set the periodic learning mode:
threshold-learn mode periodic
By default, the one-time learning mode is used.
5. (Optional.) Set the threshold learning duration.
threshold-learn duration duration
By default, the threshold learning duration is 1440 minutes.
6. (Optional.) Set the threshold learning interval.
threshold-learn interval interval
By default, the threshold learning interval is 1440 minutes.
Skip this step for the one-time learning mode.
7. (Optional.) Set the threshold learning tolerance value.
threshold-learn tolerance-value tolerance-value
By default, the threshold learning tolerance is 50, in percentage.
Skip this step if auto application of the learned threshold is disabled.
8. (Optional.) Enable auto application of the learned threshold.
threshold-learn auto-apply enable
By default, auto application of the learned threshold is disabled.
9. Apply the most recent threshold that the device has learned.
threshold-learn apply
This command does not take effect when auto application of the learned threshold is enabled.
Configuring an HTTP slow attack defense policy
About this task
The device enters the HTTP slow attack detection state when the number of concurrent HTTP connections reaches the detection triggering threshold (the alert-number value). In this state, every HTTP packet that matches a slow attack characteristic (the Content-Length, payload-length, and abnormal-packet thresholds below) counts as an HTTP slow attack packet. When the number of such packets exceeds the packet-number threshold within the detection period, the device takes the defensive action.
The only defensive action for HTTP slow attacks is logging the attack events.
Restrictions and guidelines
As a best practice, specify port 80 as the global port to be protected against HTTP slow attacks. If you specify other ports by using the http-slow-attack port command, make sure these ports are used for HTTP communication. If the specified ports are not used for HTTP communication, the device resources will be wasted in inspecting non-HTTP slow attack packets.
Procedure
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Enable global HTTP slow attack detection.
http-slow-attack detect non-specific
By default, global HTTP slow attack detection is disabled.
4. Set the global thresholds for triggering HTTP slow attack prevention.
http-slow-attack threshold [ alert-number alert-number | content-length content-length | payload-length payload-length | packet-number packet-number ] *
By default, thresholds for HTTP concurrent connections, the Content-Length field value, payload size, and abnormal packets are 5000, 10000, 50, and 10, respectively.
5. Set the global HTTP slow attack detection period.
http-slow-attack period period
By default, the global HTTP slow attack detection period is 60 seconds.
6. (Optional.) Specify the global ports to be protected against HTTP slow attacks.
http-slow-attack port port-list &<1-32>
By default, HTTP slow attack prevention protects port 80.
7. Specify global actions against HTTP slow attacks.
http-slow-attack action logging
By default, no global action is specified for HTTP slow attacks.
8. Configure IP address-specific HTTP slow attack detection.
http-slow-attack detect { ip ipv4-address | ipv6 ipv6-address } [ port { start-port-number [ to end-port-number ] } &<1-16> ] [ threshold { alert-number alert-number | content-length content-length | payload-length payload-length | packet-number packet-number } * ] [ period period ] [ action logging ]
By default, IP address-specific HTTP slow attack detection is not configured.
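The following worked configuration, added here as an illustration and not taken from the original guide, ties the flood defense steps, the threshold learning steps, and the HTTP slow attack steps above into one policy. The policy name edge-floods, the prompt Device, the server addresses 10.1.1.10 and 2001:db8::10, the load-test host 10.1.1.250, the ports 5353 and 8080, and every threshold value are assumptions chosen for the example; the command syntax is the syntax given in the steps above, with a port list written as space-separated port numbers.

```text
<Device> system-view
[Device] attack-defense policy edge-floods
# Global SYN-ACK and ACK flood detection. "detect non-specific" alone only detects;
# without an "action" line the device neither drops nor logs, so each type gets one.
[Device-attack-defense-policy-edge-floods] syn-ack-flood detect non-specific
[Device-attack-defense-policy-edge-floods] syn-ack-flood threshold 5000
[Device-attack-defense-policy-edge-floods] syn-ack-flood action logging
[Device-attack-defense-policy-edge-floods] ack-flood detect non-specific
[Device-attack-defense-policy-edge-floods] ack-flood source-threshold 20000
[Device-attack-defense-policy-edge-floods] ack-flood action drop logging
# UDP floods are dropped and logged at the default thresholds (10000).
[Device-attack-defense-policy-edge-floods] udp-flood detect non-specific
[Device-attack-defense-policy-edge-floods] udp-flood action drop logging
# DNS: log globally, but drop for the authoritative server 10.1.1.10 / 2001:db8::10,
# which (assumed) also answers on port 5353. The IP-specific rule carries its own
# threshold and action, which override the global values for that address.
[Device-attack-defense-policy-edge-floods] dns-flood detect non-specific
[Device-attack-defense-policy-edge-floods] dns-flood action logging
[Device-attack-defense-policy-edge-floods] dns-flood detect ip 10.1.1.10 port 53 5353 threshold 2000 action drop logging
[Device-attack-defense-policy-edge-floods] dns-flood detect ipv6 2001:db8::10 port 53 5353 threshold 2000 action drop logging
# HTTPS on the same server: port 443 is the default protected port, so no port list.
[Device-attack-defense-policy-edge-floods] https-flood detect ip 10.1.1.10 threshold 3000 action drop logging
# An assumed load-test host whose traffic is detected but never acted on.
[Device-attack-defense-policy-edge-floods] https-flood detect ip 10.1.1.250 action none
# Threshold learning: learn for 12 hours, repeat every 2 days, and auto-apply the
# learned thresholds with a 30% tolerance. "threshold-learn apply" is not needed
# (and does not take effect) once auto-apply is enabled.
[Device-attack-defense-policy-edge-floods] threshold-learn enable
[Device-attack-defense-policy-edge-floods] threshold-learn mode periodic
[Device-attack-defense-policy-edge-floods] threshold-learn duration 720
[Device-attack-defense-policy-edge-floods] threshold-learn interval 2880
[Device-attack-defense-policy-edge-floods] threshold-learn tolerance-value 30
[Device-attack-defense-policy-edge-floods] threshold-learn auto-apply enable
# HTTP slow attack detection on the web front end, which (assumed) listens on 80 and
# 8080. Both ports really carry HTTP; listing a non-HTTP port would only waste
# inspection resources. Logging is the only available action.
[Device-attack-defense-policy-edge-floods] http-slow-attack detect non-specific
[Device-attack-defense-policy-edge-floods] http-slow-attack port 80 8080
[Device-attack-defense-policy-edge-floods] http-slow-attack threshold alert-number 2000 packet-number 5
[Device-attack-defense-policy-edge-floods] http-slow-attack period 30
[Device-attack-defense-policy-edge-floods] http-slow-attack action logging
[Device-attack-defense-policy-edge-floods] quit
# Verify the policy, the DNS addresses it protects, and the per-address counters.
[Device] display attack-defense policy edge-floods
[Device] display attack-defense policy edge-floods dns-flood ip
[Device] display attack-defense dns-flood statistics ip 10.1.1.10
```

The policy does nothing until it is applied to an interface or to the device, which the following sections cover. Check the per-address counters after a soak period before lowering thresholds further: a threshold below the server's legitimate peak rate turns the drop action into a self-inflicted outage.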
Configuring attack detection exemption
About this task
The attack defense policy uses an ACL to identify exempted packets and does not inspect packets that the ACL permits. Configure the ACL to match packets from trusted hosts, such as routing peers and monitoring servers. Exemption reduces the false alarm rate and saves the processing that inspection would cost. For example, scanning attack detection can mistake legitimate multicast routing packets (for example, OSPF or PIM packets), which share one source address and go to different destination addresses, for scanning attack packets. An ACL that permits those packets exempts them from attack detection.
Restrictions and guidelines
If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:
· Source IP address.
· Destination IP address.
· Source port.
· Destination port.
· Protocol.
· The fragment keyword for matching non-first fragments.
Procedure
1. Enter system view.
system-view
2. Enter attack defense policy view.
attack-defense policy policy-name
3. Configure attack detection exemption.
exempt acl [ ipv6 ] { acl-number | name acl-name }
By default, attack detection exemption is not configured.
Applying an attack defense policy to an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an attack defense policy to the interface.
attack-defense apply policy policy-name
By default, no attack defense policy is applied to the interface.
Applying an attack defense policy to the device
About this task
An attack defense policy applied to the device itself rather than the interfaces detects packets destined for the device and prevents attacks targeted at the device.
Applying an attack defense policy to a device can improve the efficiency of processing attack packets destined for the device.
If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows:
1. The policy applied to the receiving interface processes the packet.
2. If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.
Procedure
1. Enter system view.
system-view
2. Apply an attack defense policy to the device.
attack-defense local apply policy policy-name
By default, no attack defense policy is applied to the device.
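A worked example, added here and not part of the original guide, that combines an exemption ACL with applying one policy to an uplink interface and a second policy to the device itself. The ACL number 3000, the policy names uplink and mgmt, the addresses, the interface name, and the prompt Device are assumptions; the ACL commands follow the Comware ACL syntax documented in the ACL chapter and are likewise assumed here (PIM is written as its IP protocol number, 103).

```text
<Device> system-view
# Exemption ACL. Only source/destination address, ports, protocol and the fragment
# keyword are honoured by "exempt acl", so the rules stay within those fields.
# Routing protocol packets (OSPF, PIM) look like a scan (one source, many
# destinations), and the monitoring host 10.1.0.5 must never be rate-limited.
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 permit ospf
[Device-acl-ipv4-adv-3000] rule 5 permit 103
[Device-acl-ipv4-adv-3000] rule 10 permit ip source 10.1.0.5 0
[Device-acl-ipv4-adv-3000] quit
[Device] acl ipv6 advanced 3000
[Device-acl-ipv6-adv-3000] rule 0 permit ipv6 source 2001:db8:1::5 128
[Device-acl-ipv6-adv-3000] quit
# Interface policy for the Internet uplink: drop and log UDP floods, exempt the ACLs.
[Device] attack-defense policy uplink
[Device-attack-defense-policy-uplink] udp-flood detect non-specific
[Device-attack-defense-policy-uplink] udp-flood action drop logging
[Device-attack-defense-policy-uplink] exempt acl 3000
[Device-attack-defense-policy-uplink] exempt acl ipv6 3000
[Device-attack-defense-policy-uplink] quit
# Local policy for traffic addressed to the device itself: a tighter ICMP flood limit.
[Device] attack-defense policy mgmt
[Device-attack-defense-policy-mgmt] icmp-flood detect non-specific
[Device-attack-defense-policy-mgmt] icmp-flood threshold 1000
[Device-attack-defense-policy-mgmt] icmp-flood action drop logging
[Device-attack-defense-policy-mgmt] quit
# Apply. The interface policy runs first on every packet arriving on the uplink; a
# packet destined for the device that survives it is then checked by the local policy.
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] attack-defense apply policy uplink
[Device-GigabitEthernet1/0/1] quit
[Device] attack-defense local apply policy mgmt
# Verify the applied policy and the per-interface and device-level counters.
[Device] display attack-defense policy uplink
[Device] display attack-defense statistics interface GigabitEthernet 1/0/1
[Device] display attack-defense statistics local
```

Keep exemption rules as narrow as the six supported match fields allow: a rule such as permit ip with no source or destination exempts everything, and an exempted source can be spoofed by an attacker who learns the address, so prefer exempting by protocol or by a small set of hosts rather than by whole subnets.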
Enabling log non-aggregation for single-packet attack events
About this task
Log aggregation aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common:
· Attacks are detected on the same interface or are destined for the device.
· Attack type.
· Attack defense action.
· Source and destination IP addresses.
Restrictions and guidelines
As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
Procedure
1. Enter system view.
system-view
2. Enable log non-aggregation for single-packet attack events.
attack-defense signature log non-aggregate
By default, log non-aggregation is disabled for single-packet attack events.
Configuring TCP fragment attack prevention
About this task
The TCP fragment attack prevention feature inspects the length and fragment offset of each received TCP fragment and drops the fragments that match the TCP fragment attack pattern.
Restrictions and guidelines
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
Procedure
1. Enter system view.
system-view
2. Enable TCP fragment attack prevention.
attack-defense tcp fragment enable
By default, TCP fragment attack prevention is enabled.
Enabling the top attack statistics ranking feature
About this task
This feature collects statistics about dropped attack packets based on attacker, victim, and attack type and ranks the top attack statistics by attacker and victim. To display the top attack statistics rankings, use the display attack-defense top-attack-statistics command.
Procedure
1. Enter system view.
system-view
2. Enable the top attack statistics ranking feature.
attack-defense top-attack-statistics enable
By default, the top attack statistics ranking feature is disabled.
Configuring the address object group whitelist
About this task
This feature exempts packets sourced from the subnets specified in the whitelisted address object group from attack detection.
Restrictions and guidelines
An address object group can only be manually added to or deleted from the whitelist.
The address object group whitelist feature must be used together with the address object group feature. For more information about address object groups, see "Configuring object groups."
Procedure
1. Enter system view.
system-view
2. Add an address object group to the whitelist.
whitelist object-group { ip | ipv6 } object-group-name
By default, no address object group is added to the whitelist.
3. Enable the whitelist feature. Choose one option as needed:
· Enable the global whitelist feature.
whitelist global enable
By default, the global whitelist feature is disabled.
· Enter interface view and enable the whitelist feature on the interface.
interface interface-type interface-number
whitelist enable
By default, the whitelist feature is disabled on the interface.
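The following configuration, added here as an example and not taken from the original guide, creates IPv4 and IPv6 address object groups for a security scanning subnet, whitelists them, and enables the whitelist on one internal interface. The group names, the subnets 10.20.0.0/24 and 2001:db8:20::/64, the host 10.20.1.7, the interface name, and the prompt Device are assumptions; the object-group commands follow the syntax of the object group chapter and are also assumed here.

```text
<Device> system-view
# Address object groups for the assumed SOC scanner ranges.
[Device] object-group ip address soc-scanners
[Device-obj-grp-ip-soc-scanners] network subnet 10.20.0.0 24
[Device-obj-grp-ip-soc-scanners] network host address 10.20.1.7
[Device-obj-grp-ip-soc-scanners] quit
[Device] object-group ipv6 address soc-scanners-v6
[Device-obj-grp-ipv6-soc-scanners-v6] network subnet 2001:db8:20:: 64
[Device-obj-grp-ipv6-soc-scanners-v6] quit
# Put the groups on the whitelist. Adding alone changes nothing until the whitelist
# is enabled globally or on an interface.
[Device] whitelist object-group ip soc-scanners
[Device] whitelist object-group ipv6 soc-scanners-v6
# The whitelist matches on source address only, so enable it just on the internal
# interface where the scanners live rather than globally; a flood arriving on the
# Internet uplink with a spoofed 10.20.0.0/24 source then gains no exemption.
[Device] interface GigabitEthernet 1/0/2
[Device-GigabitEthernet1/0/2] whitelist enable
[Device-GigabitEthernet1/0/2] quit
# Verify hit counts against the whitelisted group.
[Device] display whitelist object-group soc-scanners
```

A rising hit count on the whitelist display with no scan in progress is worth investigating: it means traffic from the whitelisted ranges is arriving that the scanners did not send.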
Enabling the login delay
About this task
The login delay feature makes the device wait for the configured number of seconds before it accepts another login request from a user who has failed a login attempt. The delay slows down dictionary attacks against login credentials.
The login delay feature is independent of the login attack prevention feature.
Procedure
1. Enter system view.
system-view
2. Enable the login delay feature.
attack-defense login reauthentication-delay seconds
By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
Enabling SNMP notifications for attack detection and prevention
About this task
To report critical attack detection and prevention events to an NMS, enable SNMP notifications for attack detection and prevention. For attack detection and prevention event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for attack detection and prevention.
snmp-agent trap enable attack-defense [ flood | scan | slow-attack ] *
By default, SNMP notifications for attack detection and prevention are disabled.
Display and maintenance commands for attack detection and prevention
Use the display commands in any view and the reset commands in user view.
To display and maintain attack detection and prevention:
· Display flood attack detection and prevention statistics for an IPv4 address:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address ] [ interface interface-type interface-number | local ] [ count ]
· Display flood attack detection and prevention statistics for an IPv6 address:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address ] [ interface interface-type interface-number | local ] [ count ]
· Display statistics about IPv4 HTTP slow attack detection and prevention:
display attack-defense http-slow-attack statistics ip [ ip-address ] [ interface { interface-type interface-number | interface-name } | local ] [ count ]
· Display statistics about IPv6 HTTP slow attack detection and prevention:
display attack-defense http-slow-attack statistics ipv6 [ ipv6-address ] [ interface { interface-type interface-number | interface-name } | local ] [ count ]
· Display attack defense policy configuration:
display attack-defense policy [ policy-name ]
· Display information about IPv4 addresses protected by flood attack detection and prevention:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address ] [ count ]
· Display information about IPv6 addresses protected by flood attack detection and prevention:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address ] [ count ]
· Display information about IPv4 scanning attackers:
display attack-defense scan attacker ip [ interface interface-type interface-number | local ] [ count ]
· Display information about IPv6 scanning attackers:
display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ]
· Display attack detection and prevention statistics on an interface:
display attack-defense statistics interface interface-type interface-number
· Display attack detection and prevention statistics for the device:
display attack-defense statistics local
· Display top 10 attack statistics:
display attack-defense top-attack-statistics { last-1-hour | last-24-hours | last-30-days } [ by-attacker | by-type | by-victim ]
· Display statistics about packets that match the address object groups on the whitelist:
display whitelist object-group [ object-group-name ]
· Clear flood attack detection and prevention statistics:
reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics
· Clear attack detection and prevention statistics for an interface:
reset attack-defense statistics interface interface-type interface-number
· Clear attack detection and prevention statistics for the device:
reset attack-defense statistics local
· Clear top 10 attack statistics:
reset attack-defense top-attack-statistics
· Clear statistics about packets that match the address object groups on the whitelist:
reset whitelist statistics