R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
Traffic abnormality detection configuration
NOTE:
The LB module supports configuring traffic abnormality detection only in the web interface.
Overview
The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic
and take countermeasures accordingly. Supported countermeasures include outputting alarm logs,
dropping packets, and blacklisting the source of the packets.
Flood detection
A flood attack occurs when large amounts of fake packets are sent to a target system in a short period
of time. A flood attack depletes the resources of the target system, making the system unable to provide
services normally.
The LB module can protect against these types of flood attacks:
• ICMP flood attack: An ICMP flood attack overwhelms the target with large amounts of ICMP echo
requests, such as ping packets.
• UDP flood attack: A UDP flood attack floods the target system with a barrage of UDP packets.
• SYN flood attack: A SYN flood attack exploits the TCP three-way handshake. Because system
resources are finite, the number of TCP connections a system can hold at one time is limited. A SYN
flood attacker sends a barrage of spurious SYN packets with forged source IP addresses to the victim
to initiate TCP connections. The SYN_ACK packets that the victim sends in response are never
acknowledged, so large numbers of half-open connections are created and retained on the victim.
The victim stays inaccessible until the half-open connections time out and their number drops to a
reasonable level. In this way, a SYN flood attack exhausts system resources such as memory on a
system that does not limit the number of half-open connections.
Flood detection is mainly used to protect servers against flood attacks. It detects flood attacks by tracking
the rate at which certain types of connection establishment requests (ICMP, UDP, or TCP SYN) arrive at a
server and, for SYN flood detection only, the number of half-open connections on the server. Usually,
flood detection is deployed on the module for an internal security zone and takes effect for packets
entering the security zone once an attack prevention policy is configured for that zone.
If the module detects that a tracked parameter has reached or exceeded its threshold, it outputs an
attack alarm log and, depending on your configuration, blocks subsequent packets from the suspect
sources to the server.
An attack prevention policy supports IP address based protection settings for specific protection
objects. Traffic to a destination for which no protection object is configured is handled by the global
settings.