R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring attack detection and prevention
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to
take prevention actions to protect a private network. Prevention actions include logging, packet dropping,
blacklisting, and client verification.
Attacks that the device can prevent
The device can detect and prevent single-packet attacks, scanning attacks, and flood attacks.
Single-packet attacks
Single-packet attacks are also known as malformed packet attacks. An attacker typically launches
single-packet attacks by using the following methods:
• An attacker sends defective packets to a device, which causes the device to malfunction or even crash.
• An attacker sends normal packets to a device, which interrupts correct connections or explores network topologies.
• An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).
Table 15 lists the single-packet attack types that the device can detect and prevent.
Table 15 Types of single-packet attacks

| Single-packet attack | Description |
|---|---|
| ICMP redirect | An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly. |
| ICMP destination unreachable | An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations. |
| ICMP type | A receiver responds to an ICMP packet according to its type. An attacker forges ICMP packets of a specific type to affect the packet processing of the victim. |
| ICMPv6 type | A receiver responds to an ICMPv6 packet according to its type. An attacker forges ICMPv6 packets of specific types to affect the packet processing of the victim. |
| Land | An attacker sends the victim a large number of TCP SYN packets, which contain the victim's IP address as the source and destination IP addresses. This attack exhausts the half-open connection resources on the victim, and locks the victim's system. |
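
As an added illustration (not HP's code, and not a description of how the router implements detection), the following Python example matches raw IPv4 packets against three of the signatures described in Table 15: ICMP redirect, ICMP destination unreachable, and Land. The function names, helper names, and sample packets (documentation addresses, checksums left at zero) are constructed for this example.

```python
import socket
import struct

ICMP_DEST_UNREACHABLE, ICMP_REDIRECT = 3, 5   # ICMP type values (RFC 792)
TCP_SYN = 0x02

def classify(packet: bytes):
    """Return the Table 15 signature a raw IPv4 packet matches, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                               # later fragment: no L4 header
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    l4 = packet[ihl:]
    if proto == socket.IPPROTO_ICMP and l4:
        if l4[0] == ICMP_REDIRECT:
            return "ICMP redirect"
        if l4[0] == ICMP_DEST_UNREACHABLE:
            return "ICMP destination unreachable"
    elif proto == socket.IPPROTO_TCP and len(l4) >= 14:
        # Land: SYN set and source address equal to destination address
        if l4[13] & TCP_SYN and src == dst:
            return "Land"
    return None

# --- constructed sample packets (checksums left at 0; not verified here) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload
def tcp(flags):
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
def icmp(icmp_type):
    return struct.pack("!BBHI", icmp_type, 0, 0, 0)

SAMPLES = {
    "land": ipv4("192.0.2.10", "192.0.2.10", 6, tcp(TCP_SYN)),
    "normal_syn": ipv4("198.51.100.7", "192.0.2.10", 6, tcp(TCP_SYN)),
    "redirect": ipv4("198.51.100.7", "192.0.2.10", 1, icmp(5)),
    "unreachable": ipv4("198.51.100.7", "192.0.2.10", 1, icmp(3)),
    "echo_request": ipv4("198.51.100.7", "192.0.2.10", 1, icmp(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {classify(pkt)}")
```

A match here only identifies the packet signature; ICMP destination unreachable messages, for example, also occur in normal operation, so the action taken on a match is a policy decision.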