R0106-HP MSR Router Series Security Configuration Guide(V7)
DNS client verification
The DNS client verification function protects DNS servers against DNS flood attacks. It is configured on
the device where packets from the DNS clients to the DNS servers pass through. The device with DNS
client verification function configured is called a DNS client authenticator.
As shown in Figure 140, the DNS client verification functions as follows:
1. Upon receiving a UDP DNS query destined for a protected server, the DNS client authenticator
responds with a DNS truncate (TC) packet. The DNS truncate packet requires the client to initiate
a query in a TCP packet.
2. When the authenticator receives a DNS query in a TCP SYN packet to port 53 from the client, the
authenticator responds with a SYN-ACK packet.
3. When the authenticator receives a RST packet from the client, the authenticator verifies the client
as legitimate.
4. The authenticator adds the client's IP address to the trusted IP list and forwards the trusted client's
subsequent packets to the server.
Figure 140 DNS client verification process
The DNS client verification function requires that clients use the standard TCP/IP protocol suite and DNS
protocol. Legitimate clients that use non-standard protocols will be verified as illegitimate by the DNS
client authenticator. The verification makes the first DNS resolution take more time.
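The four-step exchange above, as an added Python simulation that is not part of this guide or of HP's implementation: a minimal per-client state machine for the authenticator, plus the DNS truncate (TC) reply built from the client's own query by setting the QR and TC header bits. The IP addresses and the query are constructed sample values, and the TCP side is modelled only as the named events (SYN to port 53, SYN-ACK, RST), with no sequence numbers.

```python
import struct

def build_query(txid, name):
    """Constructed sample UDP query: header (RD set, 1 question), QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def truncate_response(query):
    """Step 1: echo the question back with QR and TC set so a conforming resolver retries over TCP."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags |= 0x8000 | 0x0200          # QR (response) and TC (truncated) bits
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]

class DnsClientAuthenticator:
    """Per-client state for steps 1-4: trusted only after TC -> TCP SYN to port 53 -> RST."""
    def __init__(self):
        self.state = {}       # client IP -> "tc_sent" | "synack_sent" | "trusted"
        self.forwarded = []   # (client IP, query) pairs passed on to the server

    def on_udp_query(self, ip, query):
        if self.state.get(ip) == "trusted":
            self.forwarded.append((ip, query))   # step 4: trusted traffic goes through
            return None
        self.state[ip] = "tc_sent"
        return truncate_response(query)           # step 1: untrusted client gets TC

    def on_tcp_syn(self, ip, dport):
        if dport == 53 and self.state.get(ip) == "tc_sent":
            self.state[ip] = "synack_sent"        # step 2: authenticator sends SYN-ACK
            return "SYN-ACK"
        return None                               # SYN without a prior TC exchange

    def on_tcp_rst(self, ip):
        if self.state.get(ip) == "synack_sent":
            self.state[ip] = "trusted"            # step 3: RST verifies the client
            return True
        return False

def simulate():
    """Constructed scenario: one conforming client and one source that only floods UDP."""
    auth = DnsClientAuthenticator()
    query = build_query(0x1234, "example.com")
    auth.on_udp_query("10.0.0.5", query)          # conforming client: TC, SYN, RST ...
    auth.on_tcp_syn("10.0.0.5", 53)
    auth.on_tcp_rst("10.0.0.5")
    auth.on_udp_query("10.0.0.5", query)          # ... and its next query is forwarded
    for _ in range(50):                           # flood source never retries over TCP
        auth.on_udp_query("198.51.100.9", query)
    return auth
```

A client that never follows the TC reply with a TCP query stays in the "tc_sent" state, so none of its packets reach the protected server; this is also why a resolver that ignores TC (a non-standard client, as the guide notes) is treated as illegitimate.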
HTTP client verification
The HTTP client verification function protects HTTP servers against HTTP flood attacks. It is configured on
the device where packets from the HTTP clients to the HTTP servers pass through. A device with HTTP
client verification function configured is called an HTTP client authenticator.
As shown in Figure 141, the HTTP client verification functions as follows:
1. Upon receiving a SYN packet destined for a protected HTTP server, the HTTP client authenticator
performs TCP client verification in SYN cookie mode. If the client passes the TCP client verification,
a TCP connection is established between the client and the authenticator. For more information
about TCP client verification, see "TCP client verification."
2. When the authenticator receives an HTTP GET packet from the client, it performs the first redirect
verification. The authenticator records the client information and responds with an HTTP Redirect