Protection against scanning attacks, Protection against flood attacks, Configuring the blacklist function – H3C Technologies H3C MSR 50 User Manual
Protection against scanning attacks
Scanning attackers use scanning tools to probe the host addresses and ports in a network, so as to find possible targets, the services enabled on those targets, and the network topology, in preparation for further attacks on the target hosts.
The scanning attack protection function applies only to incoming packets. It monitors the rate at which an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000 connections per second, the device logs the event, adds the IP address to the blacklist, and discards subsequent packets from that IP address.
Protection against flood attacks
Flood attackers send a large number of forged requests to the targets in a short time, so that the target systems are too busy to serve legitimate users, resulting in denial of service.
The device can defend against three types of flood attacks:
• SYN flood attack
Because of limited resources, the TCP/IP stack permits only a limited number of TCP connections. A SYN flood attacker sends a great quantity of SYN packets to a target server, using a forged address as the source address. After receiving the SYN packets, the server replies with SYN ACK packets. Because the destination address of the SYN ACK packets is unreachable, the server never receives the expected ACK packets, which leaves a large number of half-open connections. In this way, the attacker exhausts the system resources, making the server unable to serve normal clients.
• ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time, for example by using the ping program, so that the target is too busy to process normal services.
• UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that the target is too busy to process normal services.
The flood attack protection function applies only to outgoing packets. It is mainly used to protect servers. It monitors the connection establishment rate of a server and, for SYN flood attack protection only, the number of half-open connections. If the rate reaches or exceeds 1000 connections per second, or the number of half-open connections reaches or exceeds 10000, the device logs the event and discards subsequent connection requests to the server.
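To make the two checks concrete, here is an added illustration in Python. It is not H3C code and does not describe how the MSR 50 implements the functions; it only models the behaviour the two passages above describe: a source-keyed check on incoming packets that blacklists a host reaching 4000 connections per second, and a destination-keyed check on outgoing packets that drops requests to a server reaching 1000 connections per second or 10000 half-open connections. The one-second sliding window, the rule that a TCP SYN or any UDP/ICMP packet counts as a connection attempt, and all addresses and packet records are assumptions constructed for the example.

```python
# Added illustration, not H3C code: a minimal model of the scanning and
# flood checks described in the manual, run over constructed packet records.
from collections import defaultdict, deque

SCAN_RATE = 4000       # connections/s from one source IP: blacklist the source
FLOOD_RATE = 1000      # connection requests/s to one server: drop further requests
HALF_OPEN_MAX = 10000  # half-open TCP connections per server (SYN flood only)
WINDOW = 1.0           # seconds; sliding-window length (assumed, not from the manual)


class AttackDefense:
    """Per-device state: blacklist, event log and per-address counters."""

    def __init__(self):
        self.blacklist = set()
        self.events = []
        self.src_window = defaultdict(deque)  # src IP -> timestamps of connection attempts
        self.dst_window = defaultdict(deque)  # server IP -> timestamps of connection requests
        self.half_open = defaultdict(int)     # server IP -> SYNs not yet completed by an ACK

    @staticmethod
    def _count(window, now):
        """Record an attempt at `now` and return how many fall inside the last WINDOW seconds."""
        window.append(now)
        while now - window[0] >= WINDOW:
            window.popleft()
        return len(window)

    def process(self, pkt):
        """Return 'forward' or 'drop' for one client-to-server packet.

        pkt: dict with ts, src, dst, proto ('tcp', 'udp' or 'icmp') and, for TCP,
        flags ('SYN' opens a connection, 'ACK' completes the handshake).
        """
        src, dst, now = pkt["src"], pkt["dst"], pkt["ts"]
        # Anything from a blacklisted source is discarded, whatever it is.
        if src in self.blacklist:
            return "drop"
        # A connection attempt is a TCP SYN, or any UDP/ICMP packet (assumed rule).
        opens = pkt["proto"] != "tcp" or pkt.get("flags") == "SYN"
        if opens:
            # Incoming side: scanning check, keyed by the source address.
            if self._count(self.src_window[src], now) >= SCAN_RATE:
                self.events.append(f"scan: {src} reached {SCAN_RATE} conn/s, blacklisted")
                self.blacklist.add(src)
                return "drop"
            # Outgoing side: flood check, keyed by the destination server.
            rate = self._count(self.dst_window[dst], now)
            if pkt["proto"] == "tcp":
                self.half_open[dst] += 1
            if rate >= FLOOD_RATE or self.half_open[dst] >= HALF_OPEN_MAX:
                self.events.append(
                    f"flood: {dst} rate={rate}/s half_open={self.half_open[dst]}, request dropped")
                if pkt["proto"] == "tcp":
                    self.half_open[dst] -= 1  # a dropped SYN never reaches the server
                return "drop"
        elif pkt["proto"] == "tcp" and pkt.get("flags") == "ACK" and self.half_open[dst] > 0:
            self.half_open[dst] -= 1  # handshake completed: no longer half-open
        return "forward"


def scanner_demo():
    """One host opening 4000 connections in 0.4 s to many targets: the 4000th
    attempt is dropped and the host stays blacklisted even after it slows down."""
    ad = AttackDefense()
    verdicts = [ad.process({"ts": i * 1e-4, "src": "198.51.100.7",
                            "dst": f"10.0.0.{i % 200 + 1}", "proto": "tcp", "flags": "SYN"})
                for i in range(4000)]
    later = ad.process({"ts": 30.0, "src": "198.51.100.7", "dst": "10.0.0.1", "proto": "udp"})
    return verdicts.count("forward"), verdicts[-1], later, sorted(ad.blacklist)


def syn_flood_demo():
    """Spoofed sources sending 500 SYN/s to one server (below the rate threshold)
    and never completing the handshake: the half-open limit is what trips."""
    ad = AttackDefense()
    verdicts = [ad.process({"ts": i * 0.002, "src": f"203.0.113.{i % 250 + 1}",
                            "dst": "10.0.0.80", "proto": "tcp", "flags": "SYN"})
                for i in range(10000)]
    return verdicts.count("forward"), verdicts[-1], ad.half_open["10.0.0.80"]


def handshake_demo():
    """A normal client: SYN then ACK, so the half-open counter returns to zero."""
    ad = AttackDefense()
    first = ad.process({"ts": 0.0, "src": "192.0.2.5", "dst": "10.0.0.80", "proto": "tcp", "flags": "SYN"})
    opened = ad.half_open["10.0.0.80"]
    second = ad.process({"ts": 0.1, "src": "192.0.2.5", "dst": "10.0.0.80", "proto": "tcp", "flags": "ACK"})
    return first, opened, second, ad.half_open["10.0.0.80"]
```

Note that the same client-to-server packet passes both checks: it is an incoming packet for the source-keyed scanning check and an outgoing packet for the destination-keyed flood check, which is why the model applies them in that order. The half-open limit matters precisely for the case the SYN flood passage describes: spoofed sources that each stay well below any per-source rate and a request rate below 1000 per second still exhaust the server if no handshake ever completes.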
Configuring the blacklist function
Recommended configuration procedure
Step 1: Enabling the blacklist function
Remarks: Required. By default, the blacklist function is disabled.
Step 2: Configuring the scanning attack protection function to add blacklist entries automatically
Remarks: Required. Perform at least one of the two tasks.