R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101
9
Traffic abnormality detection configuration
NOTE:
The firewall supports configuring traffic abnormality detection only in the web interface.
Traffic abnormality detection overview
The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic,
such as flood attacks and scanning attacks, and to take countermeasures accordingly.
ICMP flood detection
An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests in a short
period, preventing the victim from providing normal services.
To fence off ICMP flood attacks, you can set a connection rate threshold on your firewall. Once the ICMP
connection rate of the protected host exceeds the threshold, the firewall outputs an attack alarm log and,
depending on your configuration, blocks the subsequent ICMP echo requests to the host.
UDP flood detection
A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period,
preventing the victim from providing normal services.
To fence off UDP flood attacks, you can set a connection rate threshold on your firewall. Once the UDP
connection rate of the protected host exceeds the threshold, the firewall outputs an attack alarm log
and, depending on your configuration, blocks the subsequent UDP packets to the host.
SYN flood detection
A SYN flood attack exhausts the limited resources of the victim by abusing the SYN packets of the TCP handshake.
The number of TCP connections that a system can hold is limited by its resources. A SYN flood attack
initiates TCP connections to the victim with spurious SYN packets. Because the SYN_ACK packets that the
victim sends in response never receive an acknowledgement (ACK), half-open connections accumulate on
the victim. Excessive half-open connections can exhaust the resources of the victim, making the victim
inaccessible until the number of half-open connections drops to a reasonable level as the half-open
connections time out. SYN flood attacks can also exhaust system resources such as memory on systems
whose TCP implementations do not limit the creation of connections.
To protect a host against SYN flood attacks, you can set a connection rate threshold and a half-open
connection threshold for the host on your firewall. Once the TCP connection rate or the number of
half-open connections of the protected host exceeds its threshold, the firewall outputs an attack alarm
log and, depending on your configuration, takes the following actions:
• Blocks subsequent TCP connection requests.
• Removes the oldest half-open connections of the host.
• Adds protected IP address entries for TCP proxy.
For more information about TCP proxy, see the chapter “TCP proxy configuration”.
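The threshold logic this chapter describes (a per-host packet-rate threshold for ICMP, UDP and SYN traffic, plus a half-open connection limit for TCP under which the oldest half-open connection is removed), as an added Python model of the detection; this is not HP's code, and the thresholds, addresses and traffic are constructed for the example.

```python
from collections import defaultdict, deque

# Thresholds per protected host; the values are constructed for this example
THRESHOLDS = {"icmp_rate": 100, "udp_rate": 100, "syn_rate": 100, "half_open": 50}

class FloodDetector:
    """Sliding-window rate check per (host, protocol) plus half-open
    connection tracking for TCP, modelled on the chapter's description."""
    def __init__(self, thresholds=THRESHOLDS, window=1.0):
        self.th, self.window = thresholds, window
        self.rates = defaultdict(deque)     # (host, proto) -> recent timestamps
        self.half_open = defaultdict(dict)  # host -> {(src, sport): ts} awaiting ACK
        self.alarms = []                    # the "attack alarm log"

    def _rate(self, key, ts):
        q = self.rates[key]
        q.append(ts)
        while ts - q[0] > self.window:      # forget packets outside the window
            q.popleft()
        return len(q)

    def feed(self, ev):
        """ev = {ts, proto: icmp|udp|syn|ack, src, sport, dst}.
        Returns 'pass' or 'drop' and appends any alarm to self.alarms."""
        host, proto = ev["dst"], ev["proto"]
        if proto == "ack":                  # handshake completed: no longer half-open
            self.half_open[host].pop((ev["src"], ev["sport"]), None)
            return "pass"
        action = "pass"
        rate = self._rate((host, proto), ev["ts"])
        if rate > self.th[proto + "_rate"]:
            self.alarms.append(f"{proto.upper()} flood on {host}: {rate} pkt/s")
            action = "drop"                 # block subsequent requests to the host
        if proto == "syn":
            ho = self.half_open[host]
            ho[(ev["src"], ev["sport"])] = ev["ts"]
            if len(ho) > self.th["half_open"]:
                oldest = next(iter(ho))     # dicts keep insertion order
                del ho[oldest]              # remove the oldest half-open connection
                self.alarms.append(f"SYN half-open on {host}: {oldest[0]}:{oldest[1]} evicted")
        return action

def run_sample():
    """Constructed traffic: 120 ICMP echo requests in 0.5 s (a flood), then 60 SYNs
    with no ACKs over 6 s (a low rate that still leaves 60 half-open connections)."""
    d, actions = FloodDetector(), []
    for i in range(120):
        actions.append(d.feed({"ts": i * 0.004, "proto": "icmp", "src": "198.51.100.7",
                               "sport": 0, "dst": "10.0.0.5"}))
    for i in range(60):
        actions.append(d.feed({"ts": 10 + i * 0.1, "proto": "syn", "src": "198.51.100.9",
                               "sport": 40000 + i, "dst": "10.0.0.5"}))
    return actions, d.alarms
```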