Enabling protection against naptha attacks, Displaying and maintaining tcp attack protection – H3C Technologies H3C SecPath F1000-E User Manual

Page 60

Advertising
background image

52

Enabling protection against Naptha attacks

Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the
six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and

SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.
Naptha attackers control a huge amount of hosts to establish TCP connections with the server, keep these

connections in the same state (any of the six), and request for no data so as to exhaust the memory
resource of the server. As a result, the server cannot process normal services.
Protection against Naptha attacks mitigates such attacks by accelerating the aging of TCP connections

in a state. After the feature is enabled, the firewall (serving as a TCP server) periodically checks the

number of TCP connections in each state. If the firewall detects that the number of TCP connections in a
state exceeds the maximum number, it considers that a Naptha attack occurs and accelerates the aging

of TCP connections in this state. The firewall will stop accelerating the aging of TCP connections when the

number of TCP connections in the state is less than 80% of the maximum number (1 at least).
To enable the protection against Naptha attack:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable the protection
against Naptha attack.

tcp anti-naptha enable

Disabled by default.

3.

Configure the maximum
number of TCP

connections in a state.

tcp state { closing | established |
fin-wait-1 | fin-wait-2 | last-ack |

syn-received } connection-number
number

Optional.
5 by default.
If the maximum number of TCP
connections in a state is 0, the aging

of TCP connections in this state will
not be accelerated.

4.

Configure the TCP state

check interval.

tcp timer check-state timer-value

Optional.
30 seconds by default.

Displaying and maintaining TCP attack protection

Task Command

Remarks

Display current TCP connection state.

display tcp status [ | { begin | exclude |
include } regular-expression ]

Available in any view

Advertising
This manual is related to the following products:

H3C SecPath F5000-A5 Firewall, H3C SecPath F1000-A-EI, H3C SecPath F1000-E-SI, H3C SecPath F1000-S-AI, H3C SecPath F5000-S Firewall, H3C SecPath F5000-C Firewall, H3C SecPath F100-C-SI, H3C SecPath F1000-C-SI, H3C SecPath F100-A-SI, H3C SecBlade FW Cards, H3C SecBlade FW Enhanced Cards, H3C SecPath U200-A U200-M U200-S, H3C SecPath U200-CA U200-CM U200-CS

Popular Brands
Popular manuals