R0106-HP MSR Router Series Security Configuration Guide(V7)

A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the
bandwidth and resources of the DNS server, which prevents the server from processing and
replying to legitimate DNS queries.
HTTP flood attack.
Upon receiving an HTTP GET request, the HTTP server performs complex operations including
character string searching, database traversal, data reassembly, and format switching. These
operations consume a large amount of system resources.
An HTTP flood attacker sends a large number of HTTP GET requests that exceed the processing
capacity of the HTTP server, which causes the server to crash.
ICMP flood attack.
An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate.
Because the target host is busy replying to these requests, it is unable to provide services.
ICMPv6 flood attack.
An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast
rate. Because the target host is busy replying to these requests, it is unable to provide services.
UDP flood attack.
A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large
amount of the target host's bandwidth, so the host cannot provide other services.
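The following added example (not part of the original guide and not the router's own detection logic) shows how a defender might spot the flood types described above by counting matching packets per destination per second. The packet record fields, the threshold values, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed per-destination limits in packets per second; tune to the server.
THRESHOLDS = {"dns": 100, "http": 50, "icmp": 20, "icmpv6": 20, "udp": 200}

def classify(pkt):
    """Map a packet record to one of the flood types above, or None."""
    proto = pkt["proto"]
    if proto == "udp":
        # DNS queries are tracked separately from other UDP traffic.
        return "dns" if pkt.get("dport") == 53 else "udp"
    if proto == "tcp" and pkt.get("http_method") == "GET":
        return "http"
    if proto == "icmp" and pkt.get("icmp_type") == 8:       # echo request
        return "icmp"
    if proto == "icmpv6" and pkt.get("icmp_type") == 128:   # echo request
        return "icmpv6"
    return None

def detect_floods(packets, thresholds=THRESHOLDS):
    """Return sorted (second, dst, type, count) where the rate exceeds the limit.

    Counting is keyed on the destination, not the source, because flood
    traffic often carries forged source addresses.
    """
    counts = defaultdict(int)
    for pkt in packets:
        kind = classify(pkt)
        if kind is not None:
            counts[(int(pkt["ts"]), pkt["dst"], kind)] += 1
    return sorted((sec, dst, kind, n) for (sec, dst, kind), n in counts.items()
                  if n > thresholds[kind])

def sample_packets():
    """Constructed records: a DNS burst, a ping burst, and normal traffic."""
    pkts = [{"ts": 10.0 + i / 200, "dst": "192.0.2.53", "proto": "udp",
             "dport": 53} for i in range(150)]
    pkts += [{"ts": 11.0 + i / 100, "dst": "192.0.2.10", "proto": "icmp",
              "icmp_type": 8} for i in range(30)]
    pkts += [{"ts": 12.0 + i / 10, "dst": "192.0.2.80", "proto": "tcp",
              "http_method": "GET"} for i in range(5)]
    pkts += [{"ts": 10.0 + i / 20, "dst": "192.0.2.10", "proto": "udp",
              "dport": 5000} for i in range(10)]
    return pkts

if __name__ == "__main__":
    for alert in detect_floods(sample_packets()):
        print(alert)
```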
Blacklist function
The blacklist function is an attack prevention method that filters packets by the source IP addresses in blacklist
entries. Compared with ACL-based packet filtering, blacklist filtering is simpler and provides effective
screening at a higher speed.
Client verification
TCP client verification
The TCP client verification function protects TCP servers against the following flood attacks:
SYN.
ACK.
SYN-ACK.
FIN.
RST.
The TCP client verification function enables a TCP proxy on the device.
TCP client verification can operate in the following modes:
Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators. The
unidirectional TCP proxy is sufficient for most scenarios because attacks are often seen from clients.
As shown in Figure 136, if packets from TCP clients pass through the proxy device, but the
packets from servers do not, only the safe reset mode can be used.