Configuring traffic abnormality detection, Overview, Flood detection – H3C Technologies H3C SecPath F1000-E User Manual


Configuring traffic abnormality detection

The traffic abnormality detection configuration is available only in the Web interface.

Overview

The traffic abnormality detection feature analyzes the characteristics of traffic to detect abnormal traffic and take countermeasures accordingly. Supported countermeasures include outputting alarm logs, dropping packets, and blacklisting the source of the packets.

Flood detection

A flood attack occurs when large amounts of fake packets are sent to a target system in a short period of time. A flood attack depletes the resources of the target system, making the system unable to provide services normally.
The firewall can protect against the following categories of attacks:

ICMP flood attacks—Overwhelm the target with large amounts of ICMP echo requests, such as ping packets.

UDP flood attacks—Flood the target system with a barrage of UDP packets.

DNS flood attacks—Overwhelm the target with large amounts of DNS query requests.

SYN flood attacks—Exploit TCP SYN packets. Due to resource limitation, the number of TCP connections that can be created on the firewall is limited. A SYN flood attacker sends a barrage of spurious SYN packets with forged source IP addresses to a victim to initiate TCP connections. Because the SYN_ACK packets that the victim sends in response can never be acknowledged, large numbers of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level as the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections.

Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the rates at which certain types of connection establishment requests are initiated to a server. Usually, flood detection is deployed on the firewall for an internal security zone and takes effect for packets entering the security zone when an attack prevention policy is configured for the security zone.

After you configure flood detection (except for DNS flood detection) on the firewall, the firewall enters the attack detection state and starts to track the sending rates of packets destined for certain servers. If the sending rate of a certain type of packet destined for a server constantly reaches or exceeds the protection action threshold, the firewall considers the server to be under attack, transitions to the attack protection state, logs the event, and takes the attack protection actions as configured. Later, if the sending rate drops below the silent threshold, the firewall considers the attack to be over, returns to the attack detection state, and stops the attack protection actions.

DNS flood detection differs from the other types of flood detection in that it uses only one threshold, the action threshold. Upon detecting that the sending rate of DNS query requests destined for a server constantly reaches or exceeds the action threshold, the firewall drops all extra packets and logs the event.
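The two detection modes described above, written out as a small state machine. This is an added illustration, not H3C firmware code: per-server packet rates are assumed to be sampled once per interval, and the "sustain" count of consecutive intervals is an assumption standing in for the manual's "constantly reaches or exceeds".

```python
# Added illustration of the flood-detection behaviour described in the manual;
# not H3C code. Rates are per-server packets per second sampled once per
# interval. The "sustain" count (consecutive intervals at or above the action
# threshold) is an assumption modelling "constantly reaches or exceeds".
from collections import defaultdict

DETECTION, PROTECTION = "detection", "protection"


class FloodDetector:
    """Two-threshold detector (ICMP/UDP/SYN floods) with hysteresis."""

    def __init__(self, action_threshold, silent_threshold, sustain=3):
        if silent_threshold > action_threshold:
            raise ValueError("silent threshold must not exceed action threshold")
        self.action, self.silent, self.sustain = action_threshold, silent_threshold, sustain
        self.state = defaultdict(lambda: DETECTION)   # per protected server
        self.hits = defaultdict(int)                  # consecutive intervals >= action
        self.log = []                                 # alarm log entries

    def observe(self, server, rate):
        """Feed one interval's rate for a server; return 'forward' or 'drop'."""
        if self.state[server] == DETECTION:
            self.hits[server] = self.hits[server] + 1 if rate >= self.action else 0
            if self.hits[server] >= self.sustain:
                self.state[server] = PROTECTION       # attack protection state
                self.log.append(f"{server}: flood detected, rate={rate}, protecting")
                return "drop"
            return "forward"
        # PROTECTION: keep dropping until the rate falls below the silent threshold
        if rate < self.silent:
            self.state[server] = DETECTION            # back to attack detection state
            self.hits[server] = 0
            self.log.append(f"{server}: attack over, rate={rate}, detecting")
            return "forward"
        return "drop"


class DnsFloodLimiter:
    """Single-threshold DNS mode: forward up to the threshold, drop the excess, log."""

    def __init__(self, action_threshold):
        self.action = action_threshold
        self.log = []

    def observe(self, server, queries):
        """Return (forwarded, dropped) query counts for one interval."""
        dropped = max(0, queries - self.action)
        if dropped:
            self.log.append(f"{server}: DNS flood, {queries} qps, dropping {dropped}")
        return queries - dropped, dropped
```

Note that a rate between the two thresholds keeps the detector in whichever state it is already in; that gap is what prevents the firewall from flapping between states on a fluctuating attack.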
