R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

391

392

393

394

395

396

397

398

399

400

Configuring attack detection and protection

Overview

Attack detection and protection is an important network security feature. It determines whether received

packets are attack packets according to the packet contents and behaviors and, if detecting an attack,

take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting

the source IP address.

The attack protection function can detect three types of network attacks: single-packet attacks, scanning

attacks, and flood attacks. In addition, this function also supports traffic statistics for session analysis on

interfaces.

Types of network attacks the device can defend against

The device can defend against three types of network attacks: single-packet attacks, scanning attacks,

and flood attacks, according to the attack characteristics.

Single-packet attack

Single-packet attack is also called malformed packet attack because many single-packet attacks use

defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.

A single-packet attack occurs when:

• An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.

• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.

Table 15 li

sts the single-packet attacks that can be prevented by the device.

Table 15 Types of single-packet attacks

Sin

le-

acket attac

Descri

tion

Fraggle

An attacker sends large amounts of UDP echo requests with the UDP port number

being 7 or Chargen packets with the UDP port number being 19, resulting in a large

quantity of junk replies and eventually exhausting the bandwidth of the target

network.

ICMP Redirect

An attacker sends ICMP redirect messages to a user host to modify the host's routing

table, interfering with the normal forwarding of IP packets.

ICMP Unreachable

Upon receiving an ICMP unreachable response, some systems conclude that the

destination is unreachable and drop all subsequent packets destined for the

destination. By sending ICMP unreachable packets, an attacker can cut off the

connection between the target host and the network.

Land

An attacker sends a great number of TCP SYN packets using target IP address as both

the source and destination IP addresses, exhausting the half-open connection

resources of the target and thereby making the target unable to provide services

correctly.