R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

401

402

403

404

405

406

407

408

409

410

An attacker sends a large number of UDP packets to the target in a short time, making the target

too busy to process normal services.

Blacklist function

The blacklist function is an attack protection measure that filters packets by source IP address. Compared

with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and

therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from

certain IP addresses.

Working in conjunction with the scanning attack protection function or the user login authentication

function, the device can add blacklist entries automatically and can age such blacklist entries. More

specifically:

• When the device detects a scanning attack from an IP address according to the packet behavior, it

adds the IP address to the blacklist. Thus, packets from the IP address are filtered.

• When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct

username, password, or verification code (for a web login user) after the maximum number of

attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters

subsequent login requests from the user. This mechanism can effectively prevent attackers from

cracking login passwords through repeated login attempts. The maximum number of login failures

is six, the blacklist entry aging time is 10 minutes, and they are not configurable.

The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually

can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always exists in

the blacklist unless you delete it manually. You can configure the aging time of a non-permanent entry.

After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the

corresponding IP address to pass.

Traffic statistics function

The traffic statistics function collects statistics on sessions between the internal network and external

network almost in real time. You can custom attack protection policies based on the statistics. For

example, by analyzing whether the total number of TCP or UDP session requests initiated from the

external network to the internal network exceeds the threshold, you can determine whether to limit new

sessions in the direction, or limit new sessions to a specific internal IP address.

The device supports collecting statistics on the following items:

• Total number of sessions

• Session establishment rate

• Number of TCP sessions

• Number of half-open TCP sessions

• Number of half-close TCP sessions

• TCP session establishment rate

• Number of UDP sessions

• UDP session establishment rate

• Number of ICMP sessions

• ICMP session establishment rate

• Number of RAW IP sessions