Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure Software Attack Detection Function

The software attack detection function is realized by adopting the software mode, performing the attack detection only for the packet with the destination address as the device itself, so as to prevent the device from getting the network attack.

Configuration Condition

Before configuring intercepting the ICMP flood, and TCP SYN flood attack detection functions, first complete the following tasks:

  • Configure ACL

Configure Intercepting Packet with Too Small IP Length

When the device receives the IP packet with the IP length (including the IP head and load) smaller than the configured length, drop the packet.

Table 17-2 Configure intercepting the packet with too small IP length

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the packet with too small IP length

anti-attack drop small-packet [ length ]

Mandatory

By default, do not configure the function of intercepting the packet with too small IP length. After configuring the function and if not specifying the length, intercept the packet with the IP length smaller than 64 bytes by default.

note


  • After configuring the command, the BFD packet may be dropped.

Configure Intercepting Unreasonable Fragment Packet

When the device receives the IP fragment packet and the fragment offset plus its own load length exceeds the configured length, drop the packet.

Table 17-3 Configure intercepting unreasonable fragment packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting unreasonable fragment packet

anti-attack drop fragment [ max-off length ]

Mandatory

By default, do not configure the function of intercepting the unreasonable fragment packet. After configuring the function and if not specifying the length, intercept the fragment whose offset plus its own load length exceeds 65535 by default.

Configure Intercepting Specified ICMP Packet

When the device receives the ICMP packet which is specified to filter, drop it.

Table 17-4 Configure intercepting the specified ICMP packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the ICMPv4 packet of the specified type to the local device

anti-attack drop icmp type{ ECHOREPLY | UNREACH | SOURCEQUENCH | REDIRECT | ECHO | ROUTERADVERT | ROUTERSOLICIT | TIMXCEED | PARAMPROB | TSTAMP | TSTAMPREPLY | IREQ | IREQREPLY | MASKREQ | MASKREPLY}

Mandatory

By default, do not configure intercepting the ICMPv4 packet of the specified type to the local device.

Configure Intercepting ICMP code Non-zero Packet

When the device receives the ICMP_ECHO, ICMP_MASKREQ, and ICMP_TSTAMP packets, drop them.

Table 17-5 Configure intercepting the ICMP code none-zero packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Intercept the ICMP request packet with the non-zero code field to the local device

anti-attack drop icmp code none-zero

Mandatory

By default, do not configure intercepting the ICMP request packet with the non-zero code field to the local device.

Configure Intercepting Land Attack Packet

Land attack adopts the same source and destination IP and port to send the TCP SYN packet to the target machine, making the target system with the hole create one TCP empty connection with itself, even resulting in the breakdown of the target system.

When the device receives the TCP SYN packet with the same source and destination IP and the same source and destination port, drop the packet.

Table 17-6 Configure intercepting the Land attack packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the Land attack packet

anti-attack detect tcp-land

Mandatory

By default, do not configure intercepting the Land attack packet.

Configure Intercepting Fraggle Attack Packet

The Fraggle attack makes use of the destination port 19 or 7 of the UDP packet to attack.

When the device receives the UDP packet and the destination port is 19 or 7, it is regarded as the Fraggle attack packet and is dropped.

Table 17-7 Configure intercepting the Fraggle attack packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the Fraggle attack packet

anti-attack detect fraggle access-list-name } [ masklen length ]

Mandatory

By default, do not configure the function of intercepting the Fraggle attack packet.

Configure Intercepting ICMP Flood Attack Packet

ICMP flood attack sends lots of ICMP echo requests to the target host to make the network of the target host be blocked. The target host consumes lots of resources to answer and cannot provide services normally.

When the number of the ICMP packets with the same destination IP received by the device within one second exceeds the threshold, the packets exceeding the threshold are dropped.

Table 17-8 Configure intercepting the ICMP flood attack packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the ICMP flood attack packet

anti-attack flood icmp list { access-list-number | access-list-name } [ maxcount number ]

Mandatory

By default, do not configure the function of intercepting the ICMP flood attack packet. After configuring the function and if not specifying the threshold, the default value is 500.

note


  • When configuring intercepting the ICMP flood attack packet, first need to create the ACL, used to specify the protected data flow. We check whether it is the ICMP flood attack packet only for the data flow permitted by the ACL. Otherwise, permit the packet to pass.

Configure Intercepting TCP SYN Flood Attack Packet

TCP SYN Flood attack sends lots of TCP SYN requests to the target host, but does not answer the ACK message. As a result, the target host has lots of semi-connections waiting for receiving the ACK message of the requester, which occupy the available resources of the target host. As a result, the target host cannot provide the normal network services.

When the number of the TCP SYN packets with the same destination IP received by the device within one second exceeds the threshold, the packets exceeding the threshold are dropped.

Table 17-9 Configure intercepting the TCP SYN flood attack packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure intercepting the TCP SYN flood attack packet

anti-attack flood tcp list { access-list-number | access-list-name } [ maxcount number ]

Mandatory

By default, do not configure the function of intercepting the TCP SYN flood attack packet. After configuring the function and if not specifying the threshold, the default value is 500.

note


  • When configuring intercepting the TCP SYN flood attack packet, first need to create the ACL, used to specify the protected data flow. We check whether it is the TCP SYN flood attack packet only for the data flow permitted by the ACL. Otherwise, permit the packet to pass.

Configure Intercepting Address and Port Scanning Attack Packet

The address scanning attack means that the attacker sends the CMP packets to detect the active host on the network, while the port scanning means that the attacker sends the TCP or UDP packet to detect the enabled port of the active host on the network.

With the address and port scanning, the attacker can get the active host information on the network. Usually, the address and port scanning is the omen of the attacker initiating the network attack.

When the number of the ICMP packets with the same IP and different destination IPs received by the device within one second exceeds the threshold, it is regarded as the address scanning attack and the packets exceeding the threshold are dropped. When the number of the TCP or UDP packets with the same source IP and different destination ports received by the device within on second exceeds the threshold, it is regarded as the port scanning attack and the packets exceeding the threshold are dropped.

Table 17-10 Configure intercepting the address and port scanning attack packet

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the interface configuration mode

interface interface-name

-

Configure intercepting the address and port scanning attack packet

anti-attack scanprotect { default | interval { default | interval-value } addr-limit { default | max-addr-value } port-limit { default | max-port-value } ban-timeout { default | max-ban-timeout } }

Mandatory

By default, do not configure the function of intercepting the address and port scanning attack packets.

After configuring the function, the default interval is 1s, the default address scanning threshold is 10 different IPs, and the default port scanning threshold is 10 different destination ports.

Configure Software Attack Detection Log Recording

When the device software attack detection intercepts the attack packet, record the log information.

Table 17-11 Configure the software attack detection log recording

Step

Command

Description

Enter global configuration mode

configure terminal

-

Configure the software attack detection log recording

anti-attack log

Mandatory

By default, do not configure the software attack detection log function.