R3303-HP HSR6800 Routers Security Configuration Guide
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with a window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy receives an ACK message from it. Upon receiving that ACK message, the TCP proxy sets up a connection between itself and the server through a three-way handshake on behalf of the client. Thus, two TCP connections are established, and the two connections use different sequence numbers.

In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with clients and a virtual client that communicates with servers. To use this mode, you must deploy the TCP proxy on the key path that passes through the ingress and egress of the protected servers, and make sure that all packets the clients send to the servers and all packets the servers send to the clients pass through the TCP proxy device.
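The two paragraphs above describe a protocol exchange: a zero-window SYN ACK answered on the server's behalf, a second, independent handshake toward the real server only after the client proves itself with an ACK, and a proxy that sees both directions of traffic. The following simulation is an added example, not HP code from the guide; the `Segment` fields, the in-memory half-open table, the transparent use of the client's address toward the server, and all addresses and sequence numbers are constructed assumptions used only to make the behaviour observable.

```python
"""Added example, not from the HP guide: a simplified model of the SYN flood
TCP proxy described above. Names, the half-open table and the sequence-number
choices are constructed assumptions, not the router's implementation."""
from dataclasses import dataclass
import random


@dataclass
class Segment:
    src: str          # sender label, e.g. "client-1" (constructed)
    dst: str
    flags: str        # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0
    window: int = 65535


class Server:
    """A plain TCP listener that completes a normal three-way handshake."""

    def __init__(self, addr, rng):
        self.addr, self.rng = addr, rng
        self.half_open = {}        # peer -> ISN we sent in our SYN-ACK
        self.established = set()

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = self.rng.getrandbits(32)
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.half_open:
            if seg.ack == self.half_open.pop(seg.src) + 1:
                self.established.add(seg.src)
        return None


class TcpProxy:
    """Bidirectional proxy: virtual server toward clients, virtual client
    toward the real server. All segments in both directions pass through it."""

    def __init__(self, server, rng):
        self.server, self.rng = server, rng
        self.pending = {}          # client -> ISN offered in our SYN-ACK
        self.client_side = {}      # client -> (our next seq, client seq)
        self.server_side = {}      # client -> ISN we used toward the server

    def from_client(self, seg):
        """Handle a segment from the client side; return the reply or None."""
        if seg.flags == "SYN":
            isn = self.rng.getrandbits(32)
            self.pending[seg.src] = isn
            # Answer on behalf of the server with a zero window: a legitimate
            # client can finish the handshake but must not send data yet.
            return Segment(self.server.addr, seg.src, "SYN-ACK", isn, seg.seq + 1, window=0)
        if seg.flags == "ACK" and seg.src in self.pending:
            isn = self.pending.pop(seg.src)
            if seg.ack != isn + 1:          # ACK does not match our SYN-ACK
                return Segment(self.server.addr, seg.src, "RST", seg.ack)
            self.client_side[seg.src] = (isn + 1, seg.seq)
            self._connect_to_server(seg.src)
        return None

    def _connect_to_server(self, client):
        # Second, independent handshake toward the real server with a fresh
        # ISN, so the two connections use different sequence numbers.
        isn = self.rng.getrandbits(32)
        self.server_side[client] = isn
        synack = self.server.receive(Segment(client, self.server.addr, "SYN", isn))
        if synack and synack.flags == "SYN-ACK" and synack.ack == isn + 1:
            self.server.receive(Segment(client, self.server.addr, "ACK", isn + 1, synack.seq + 1))


def run_scenario():
    """Constructed traffic: one legitimate client plus 1000 spoofed SYNs that
    never ACK. The proxy absorbs the flood; the server sees one connection."""
    rng = random.Random(7)
    server = Server("server", rng)
    proxy = TcpProxy(server, rng)
    synack = proxy.from_client(Segment("client-1", "server", "SYN", seq=1000))
    proxy.from_client(Segment("client-1", "server", "ACK", seq=1001, ack=synack.seq + 1))
    for i in range(1000):
        proxy.from_client(Segment(f"spoofed-{i}", "server", "SYN", seq=rng.getrandbits(32)))
    return {
        "synack_window": synack.window,
        "server_established": sorted(server.established),
        "server_half_open": len(server.half_open),
        "proxy_half_open": len(proxy.pending),
        "distinct_isns": proxy.client_side["client-1"][0] - 1 != proxy.server_side["client-1"],
    }


def bogus_ack_gets_reset():
    """A client that ACKs with the wrong number never reaches the server."""
    rng = random.Random(3)
    server = Server("server", rng)
    proxy = TcpProxy(server, rng)
    proxy.from_client(Segment("client-2", "server", "SYN", seq=5))
    reply = proxy.from_client(Segment("client-2", "server", "ACK", seq=6, ack=12345))
    return reply.flags == "RST" and "client-2" not in server.established


if __name__ == "__main__":
    print(run_scenario())
```

The model keeps per-client state for each unanswered SYN, which is the simplest way to show the mechanism; the guide only says the proxy answers on the server's behalf and does not state how a real device bounds its own half-open table, so treat that detail as an assumption of this example.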
Attack detection and protection configuration task list
The attack detection and protection configuration tasks fall into the following categories:
• Configuring attack protection functions for an interface. To do so, you create an attack protection policy, configure the required attack protection functions (such as Smurf attack protection, scanning attack protection, and flood attack protection) in the policy, and then apply the policy to the interface. There is no specific configuration order for the attack protection functions; configure them as needed.
• Configuring a TCP proxy when the SYN flood attack protection policy specifies TCP proxy as the processing method for SYN flood attack packets.
• Configuring the blacklist function. This function can be used independently or in conjunction with the scanning attack protection function on an interface.
• Enabling the traffic statistics function. This function can be used independently.
Complete the following tasks to configure attack detection and protection:

Task                                                           Remarks
Configuring attack protection functions for an interface
  Creating an attack protection policy                         Required.
  Configuring an attack protection policy:                     Required. Configure one or more policies as needed.
    • Configuring a single-packet attack protection policy
    • Configuring a scanning attack protection policy
    • Configuring a flood attack protection policy
  Applying an attack protection policy to an interface         Required.
Configuring TCP proxy                                          Optional.
Configuring the blacklist function                             Optional.
Enabling traffic statistics on an interface                    Optional.