Manualshelf

HP VPN Firewall Appliances Attack Protection Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
12345678910
4
When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct
username, password, or verification code (for a web login user) after the maximum number of
attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters
subsequent login requests from the user. This mechanism can effectively prevent attackers from
cracking login passwords through repeated login attempts. The maximum number of login failures
is six, the blacklist entry aging time is 10 minutes, and they are not configurable.
The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually
can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always exists in
the blacklist unless you delete it manually. You can configure the aging time of a non-permanent entry.
After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the
corresponding IP address to pass.
Traffic statistics function
The traffic statistics function collects statistics on sessions between the internal network and external
network almost in real time. You can custom attack protection policies based on the statistics. For
example, by analyzing whether the total number of TCP or UDP session requests initiated from the
external network to the internal network exceeds the threshold, you can determine whether to limit new
sessions in the direction, or limit new sessions to a specific internal IP address.
The device supports collecting statistics on the following items:
Total number of sessions
Session establishment rate
Number of TCP sessions
Number of half-open TCP sessions
Number of half-close TCP sessions
TCP session establishment rate
Number of UDP sessions
UDP session establishment rate
Number of ICMP sessions
ICMP session establishment rate
Number of RAW IP sessions
RAW IP session establishment rate
The device collects statistics to calculate the session establishment rates at an interval of 5 seconds.
Therefore, the session establishment rates displayed on the device are based on the statistics collected
during the latest 5-second interval.
The traffic statistics function does not concern about the session status (except the TCP half-open and
half-close states). As long as a session is established, the count increases by 1. As long as a session is
deleted, the count decreases by 1.
TCP proxy
The TCP proxy function can protect servers from SYN flood attacks. A device enabled with the TCP proxy
function can function as a TCP proxy between TCP clients and servers. Upon detecting a SYN flood
attack, the device can add a protected IP address entry for the attacked server and use the TCP proxy
function to inspect and process all subsequent TCP requests destined to the server.