The software attack detection function is implemented in software: attack detection is performed only on packets whose destination address is the device itself, so that the device is protected from network attacks aimed at it.
Before configuring the ICMP flood and TCP SYN flood attack detection functions, first complete the following tasks:
When the device receives an IP packet whose IP length (including the IP header and payload) is smaller than the configured length, drop the packet.
Configure Intercepting Unreasonable Fragment Packet
When the device receives an IP fragment whose fragment offset plus its own payload length exceeds the configured length, drop the packet.
Table 17-3 Configure intercepting unreasonable fragment packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting unreasonable fragment packet | anti-attack drop fragment [ max-off length ] | Mandatory. By default, the function of intercepting unreasonable fragment packets is not configured. After the function is configured without specifying a length, fragments whose offset plus their own payload length exceeds 65535 are intercepted. |
Configure Intercepting Specified ICMP Packet
When the device receives an ICMP packet of a type that is specified to be filtered, drop it.
Table 17-4 Configure intercepting the specified ICMP packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting the ICMPv4 packet of the specified type to the local device | anti-attack drop icmp type { ECHOREPLY \| UNREACH \| SOURCEQUENCH \| REDIRECT \| ECHO \| ROUTERADVERT \| ROUTERSOLICIT \| TIMXCEED \| PARAMPROB \| TSTAMP \| TSTAMPREPLY \| IREQ \| IREQREPLY \| MASKREQ \| MASKREPLY } | Mandatory. By default, intercepting the ICMPv4 packet of the specified type to the local device is not configured. |
Configure Intercepting ICMP Code Non-zero Packet
When the device receives ICMP_ECHO, ICMP_MASKREQ, or ICMP_TSTAMP packets whose code field is non-zero, drop them.
Table 17-5 Configure intercepting the ICMP code non-zero packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Intercept the ICMP request packet with the non-zero code field to the local device | anti-attack drop icmp code none-zero | Mandatory. By default, intercepting ICMP request packets with a non-zero code field to the local device is not configured. |
Configure Intercepting Land Attack Packet
A Land attack sends a TCP SYN packet to the target with identical source and destination IP addresses and ports, causing a vulnerable target system to create an empty TCP connection with itself, which can even crash the target system.
When the device receives a TCP SYN packet with the same source and destination IP and the same source and destination port, drop the packet.
Table 17-6 Configure intercepting the Land attack packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting the Land attack packet | anti-attack detect tcp-land | Mandatory. By default, intercepting the Land attack packet is not configured. |
Configure Intercepting Fraggle Attack Packet
The Fraggle attack uses UDP packets with destination port 19 or 7 to attack.
When the device receives a UDP packet whose destination port is 19 or 7, it is regarded as a Fraggle attack packet and is dropped.
Table 17-7 Configure intercepting the Fraggle attack packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting the Fraggle attack packet | anti-attack detect fraggle access-list-name } [ masklen length ] | Mandatory. By default, the function of intercepting the Fraggle attack packet is not configured. |
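The per-packet drop rules described so far (unreasonable fragment, ICMP request with a non-zero code, Land, Fraggle) can be modelled as one classifier. This is an added example written for this page, not the device's own code; the `Packet` record, the rule names returned, and the numeric ICMP type values (8 = ECHO, 13 = TSTAMP, 17 = MASKREQ) are the example's own assumptions, and the caller is assumed to have already restricted the input to packets addressed to the device itself.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet record (example only): just the header fields the
# stateless rules above inspect.
@dataclass
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    tcp_syn: bool = False
    icmp_type: int = 0         # 8 = ECHO, 13 = TSTAMP, 17 = MASKREQ
    icmp_code: int = 0
    is_fragment: bool = False
    frag_offset: int = 0       # fragment offset in bytes
    payload_len: int = 0

ICMP_REQUEST_TYPES = {8, 13, 17}   # ICMP_ECHO, ICMP_TSTAMP, ICMP_MASKREQ
FRAGGLE_PORTS = {7, 19}            # UDP echo and chargen


def drop_reason(pkt: Packet, max_off: int = 65535,
                icmp_code_check: bool = True) -> Optional[str]:
    """Return the name of the rule that drops pkt, or None to let it pass."""
    # anti-attack drop fragment: offset + payload length beyond max-off
    # (65535 when no length is configured)
    if pkt.is_fragment and pkt.frag_offset + pkt.payload_len > max_off:
        return "fragment"
    # anti-attack drop icmp code none-zero: request types must carry code 0
    if (icmp_code_check and pkt.proto == "icmp"
            and pkt.icmp_type in ICMP_REQUEST_TYPES and pkt.icmp_code != 0):
        return "icmp-code"
    # anti-attack detect tcp-land: SYN whose source and destination
    # IP address and port are identical
    if (pkt.proto == "tcp" and pkt.tcp_syn
            and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port):
        return "tcp-land"
    # anti-attack detect fraggle: UDP to destination port 7 or 19
    if pkt.proto == "udp" and pkt.dst_port in FRAGGLE_PORTS:
        return "fraggle"
    return None
```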
Configure Intercepting ICMP Flood Attack Packet
An ICMP flood attack sends large numbers of ICMP echo requests to the target host so that the target host's network is congested; the target host consumes many resources answering them and cannot provide services normally.
When the number of ICMP packets with the same destination IP received by the device within one second exceeds the threshold, the packets exceeding the threshold are dropped.
Table 17-8 Configure intercepting the ICMP flood attack packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting the ICMP flood attack packet | anti-attack flood icmp list { access-list-number \| access-list-name } [ maxcount number ] | Mandatory. By default, the function of intercepting the ICMP flood attack packet is not configured. After the function is configured without specifying a threshold, the default value is 500. |

Note: When configuring intercepting the ICMP flood attack packet, first create the ACL that specifies the protected data flow. Only the data flow permitted by the ACL is checked for ICMP flood attack packets; all other packets are permitted to pass.
Configure Intercepting TCP SYN Flood Attack Packet
A TCP SYN flood attack sends large numbers of TCP SYN requests to the target host but never answers with the ACK message. As a result, the target host holds many half-open connections waiting for the requester's ACK, which occupy the target host's available resources, and the target host cannot provide normal network services.
When the number of TCP SYN packets with the same destination IP received by the device within one second exceeds the threshold, the packets exceeding the threshold are dropped.
Table 17-9 Configure intercepting the TCP SYN flood attack packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure intercepting the TCP SYN flood attack packet | anti-attack flood tcp list { access-list-number \| access-list-name } [ maxcount number ] | Mandatory. By default, the function of intercepting the TCP SYN flood attack packet is not configured. After the function is configured without specifying a threshold, the default value is 500. |

Note: When configuring intercepting the TCP SYN flood attack packet, first create the ACL that specifies the protected data flow. Only the data flow permitted by the ACL is checked for TCP SYN flood attack packets; all other packets are permitted to pass.
Configure Intercepting Address and Port Scanning Attack Packet
An address scanning attack means that the attacker sends ICMP packets to discover the active hosts on the network, while port scanning means that the attacker sends TCP or UDP packets to discover the open ports of an active host on the network.
With address and port scanning, the attacker obtains information about the active hosts on the network. Usually, address and port scanning is the prelude to the attacker launching a network attack.
When the number of ICMP packets with the same source IP and different destination IPs received by the device within one second exceeds the threshold, it is regarded as an address scanning attack and the packets exceeding the threshold are dropped. When the number of TCP or UDP packets with the same source IP and different destination ports received by the device within one second exceeds the threshold, it is regarded as a port scanning attack and the packets exceeding the threshold are dropped.
Table 17-10 Configure intercepting the address and port scanning attack packet

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure intercepting the address and port scanning attack packet | anti-attack scanprotect { default \| interval { default \| interval-value } addr-limit { default \| max-addr-value } port-limit { default \| max-port-value } ban-timeout { default \| max-ban-timeout } } | Mandatory. By default, the function of intercepting address and port scanning attack packets is not configured. After the function is configured, the default interval is 1 s, the default address scanning threshold is 10 different destination IPs, and the default port scanning threshold is 10 different destination ports. |
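The rate-based rules (ICMP flood, TCP SYN flood, and address/port scanning) all count packets per fixed one-second window, which the following added example models in one class. It is written for this page and is not the device's code; the rule names it returns are its own, it assumes timestamps arrive in increasing order, and it does not model the ACL selection of protected flows or the `ban-timeout` parameter.

```python
from collections import defaultdict
from typing import Optional

# Example only (not the device's implementation). Flood rule: more than
# maxcount ICMP packets or TCP SYNs to one destination IP inside a window
# (device default 500). Scan rule: one source IP reaching more than
# addr-limit distinct destination IPs with ICMP, or more than port-limit
# distinct destination ports with TCP/UDP, inside one interval (defaults
# 10, 10, 1 s). State is cleared when the window advances, so timestamps
# are assumed monotonic.
class RateGuard:
    def __init__(self, maxcount: int = 500, interval: float = 1.0,
                 addr_limit: int = 10, port_limit: int = 10):
        self.maxcount, self.interval = maxcount, interval
        self.addr_limit, self.port_limit = addr_limit, port_limit
        self.window = None
        self.flood = defaultdict(int)   # (proto, dst_ip) -> packets this window
        self.scan = defaultdict(set)    # (src_ip, kind) -> distinct dst IPs/ports

    def check(self, ts: float, proto: str, src_ip: str, dst_ip: str,
              dst_port: int = 0, syn: bool = False) -> Optional[str]:
        """Return the rule that drops this packet, or None to forward it."""
        w = int(ts // self.interval)
        if w != self.window:            # new window: counters start over
            self.window = w
            self.flood.clear()
            self.scan.clear()
        # Flood: ICMP packets or TCP SYNs towards the same destination IP;
        # only packets beyond the threshold are dropped
        if proto == "icmp" or (proto == "tcp" and syn):
            self.flood[(proto, dst_ip)] += 1
            if self.flood[(proto, dst_ip)] > self.maxcount:
                return f"{proto}-flood"
        # Address scan: one source probing many destination IPs with ICMP
        if proto == "icmp":
            seen = self.scan[(src_ip, "addr")]
            seen.add(dst_ip)
            if len(seen) > self.addr_limit:
                return "addr-scan"
        # Port scan: one source probing many destination ports with TCP/UDP
        if proto in ("tcp", "udp"):
            seen = self.scan[(src_ip, "port")]
            seen.add(dst_port)
            if len(seen) > self.port_limit:
                return "port-scan"
        return None
```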
Configure Software Attack Detection Log Recording
When the device's software attack detection intercepts an attack packet, record the log information.
Table 17-11 Configure the software attack detection log recording

| Step | Command | Description |
|------|---------|-------------|
| Enter global configuration mode | configure terminal | - |
| Configure the software attack detection log recording | anti-attack log | Mandatory. By default, the software attack detection log function is not configured. |