H3C Technologies H3C SecPath F1000-E User Manual

Page 654


| Attack type | Description |
|---|---|
| SYN Flood | A SYN flood attack exploits TCP SYN packets. Because of resource limitations, the number of TCP connections that can be created on a device is limited. A SYN flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP connections. Because the SYN_ACK packets that the victim sends in response are never acknowledged, large numbers of half-open connections are created and retained on the victim, making the victim inaccessible until the number of half-open connections drops to a reasonable level as the half-open connections time out. In this way, a SYN flood attack exhausts system resources such as memory on a system whose implementation does not limit the creation of connections. |
| ICMP Flood | An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo requests (such as ping packets) in a short period, preventing the victim from providing services normally. |
| UDP Flood | A UDP flood attack overwhelms the victim with an enormous number of UDP packets in a short period, preventing the victim from providing services normally. |
| DNS Flood | A DNS flood attack overwhelms the victim with an enormous number of DNS query requests in a short period, preventing the victim from providing services normally. |
| Number of connections per source IP exceeds the threshold | When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are soon used up. This makes the device unable to service other users. |
| Number of connections per dest IP exceeds the threshold | If an internal server receives large quantities of connection requests in a short period of time, the server is not able to process normal connection requests from other hosts. |
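The following is an added example, not taken from the H3C manual or the device's implementation. It replays connection events to show how the half-open table described in the SYN Flood row grows, ages out on timeout, and trips a per-destination limit. The event format, the 30-second timeout, the limit of 100 and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

HALF_OPEN_TIMEOUT = 30.0   # seconds a half-open entry is retained (assumed value)
HALF_OPEN_LIMIT = 100      # per-destination alert threshold (assumed value)

def track_half_open(events, timeout=HALF_OPEN_TIMEOUT, limit=HALF_OPEN_LIMIT):
    """Replay (ts, kind, src, sport, dst, dport) events in time order.

    kind is "SYN" (client opens) or "ACK" (client completes the handshake).
    Returns (alerts, peak): alerts maps dst -> time the limit was first
    exceeded; peak maps dst -> highest half-open count seen.
    """
    pending = defaultdict(dict)   # dst -> {(src, sport, dport): syn_time}
    alerts, peak = {}, defaultdict(int)
    for ts, kind, src, sport, dst, dport in events:
        table = pending[dst]
        # Age out entries whose SYN_ACK was never acknowledged.
        for old in [k for k, t in table.items() if ts - t >= timeout]:
            del table[old]
        key = (src, sport, dport)
        if kind == "SYN":
            table.setdefault(key, ts)   # a retransmitted SYN adds no new entry
        elif kind == "ACK":
            table.pop(key, None)        # handshake done, no longer half-open
        peak[dst] = max(peak[dst], len(table))
        if len(table) > limit and dst not in alerts:
            alerts[dst] = ts
    return alerts, dict(peak)

def constructed_events():
    """Constructed sample: normal clients plus a burst of unanswered SYNs."""
    ev = []
    # 20 clients connect to 192.0.2.10:80 and complete the handshake in 50 ms.
    for i in range(20):
        t, src = i * 0.5, f"198.51.100.{i + 1}"
        ev.append((t, "SYN", src, 40000 + i, "192.0.2.10", 80))
        ev.append((t + 0.05, "ACK", src, 40000 + i, "192.0.2.10", 80))
    # 300 SYNs to 192.0.2.20:80 that are never followed by an ACK.
    for i in range(300):
        ev.append((5.0 + i * 0.01, "SYN", f"203.0.113.{i % 250 + 1}", 1024 + i, "192.0.2.20", 80))
    # One later connection attempt, after the stale entries have timed out.
    ev.append((60.0, "SYN", "198.51.100.99", 45000, "192.0.2.20", 80))
    return sorted(ev)

if __name__ == "__main__":
    alerts, peak = track_half_open(constructed_events())
    print("alerts:", alerts, "peak:", peak)
```

Rerunning with a much shorter timeout (for example `timeout=0.5`) keeps the table below the limit on the same input, which illustrates why retention time and a cap on half-open entries both matter.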
