Protection against scanning attacks, Protection against flood attacks, Configuring the blacklist function – H3C Technologies H3C MSR 50 User Manual

169

Protection against scanning attacks

Scanning attackers usually use some scanning tools to scan host addresses and ports in a network, so as

to find possible targets and the services enabled on the targets and figure out the network topology,
preparing for further attacks to the target hosts.
The scanning attack protection function takes effect to only incoming packets. It monitors the rate at which

an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000

connections per second, it logs the event, adds the IP address to the blacklist, and discards subsequent
packets from the IP address.

Protection against flood attacks

Flood attackers send a large number of forged requests to the targets in a short time, so that the target

systems will be too busy to provide services for legal users, resulting in denial of services.
The device can defend against three types of flood attacks:

•

SYN flood attack
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP
connections. A SYN flood attacker sends a great quantity of SYN packets to a target server, using

a forged address as the source address. After receiving the SYN packets, the server replies with

SYN ACK packets. As the destination address of the SYN ACK packets is unreachable, the server

can never receive the expected ACK packets, resulting in large amounts of half-open connections.

In this way, the attacker exhausts the system resources, making the server unable to service normal
clients.

•

ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time by, for
example, using the ping program, causing the target too busy to process normal services.

•

UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that
the target gets too busy to process normal services.
The flood attack protection function takes effect to only outgoing packets. It is mainly used to
protect servers. It monitors the connection establishment rate and number of half-open connections

of a server. If the rate reaches or exceeds 1000 connections per second or the number of half-open

connections reaches or exceeds 10000 (only SYN flood attack protection supports restriction of
half-open connections), it logs the event, and discards subsequent connection requests to the

server.

Configuring the blacklist function

Recommended configuration procedure

Step Remarks

1. Enabling the blacklist function

Required.
By default, the blacklist function is disabled.

2.

Configuring the scanning attack
protection function to add

blacklist entries automatically

Required.
Perform at least one of the two tasks.