
AntiDDoS: Internal network still receiving TCP invalid packets

Publication Date: 2018-02-01
Issue Description

Version information

AntiDDoS1600 V500R001C60SPC500

Failure phenomenon

We were surprised when the customer claimed he was receiving a lot of TCP invalid packets on his device. When we investigated, we learned that he has a second layer of protection and that it is receiving lots of TCP invalid packets. The question here is: when the Huawei DDoS device is the first line of defence, how come the customer is detecting a lot of these invalid packets?


Handling Process

Mechanism of TCP fragment attack and defense

Attack mechanism

TCP fragments rarely appear on networks. If a network carries many TCP fragments, it may be under a DDoS attack. The attacker sends a large volume of TCP fragments to the target to:

Exhaust bandwidth and make the victim slow or unresponsive.

Degrade the performance of the target network device or server, or make it unresponsive.

Defense mechanism

A TCP fragment is either the first fragment or a subsequent fragment. The anti-DDoS device defends against TCP fragment attacks based on the first fragment: if the first fragment is discarded, the subsequent fragments are discarded as well, because the session cannot be established without it. The device collects statistics on the rate of first TCP fragments per destination IP address. If the rate exceeds the configured threshold, the anti-DDoS device:

Checks whether the source IP address matches a whitelist entry. If not, it discards all TCP fragments from this source IP address.

Caches and reassembles the fragments if the source IP address matches a whitelist entry, then forwards the reassembled packets and discards those that fail to be reassembled.

Limits the rate of fragments to defend against attacks from a real source IP address.
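The following model walks through the defense logic just described (first-fragment rate per destination, whitelist check, reassembly for whitelisted sources, per-source rate limiting, and dropping of subsequent fragments once the first one is gone) on constructed traffic. It is an added example, not Huawei AntiDDoS code: the Fragment fields, the 1-second rate window, the return labels and every numeric limit are assumptions chosen for illustration.

```python
"""Model of the first-fragment based TCP fragment defense described above.

Added example, not Huawei AntiDDoS code: the Fragment fields, the 1-second
rate window, the return labels and all numeric limits are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int      # IP Identification, shared by every fragment of one datagram
    offset: int     # fragment offset in 8-byte units; 0 marks the first fragment
    more: bool      # More-Fragments flag; cleared on the last fragment
    data: bytes


class TcpFragmentDefense:
    def __init__(self, threshold_pps, whitelist, src_limit_pps):
        self.threshold = threshold_pps          # first-fragment rate per destination IP
        self.whitelist = set(whitelist)         # sources already verified as real
        self.src_limit = src_limit_pps          # per-source fragment rate once defense is active
        self.first_times = defaultdict(deque)   # dst -> timestamps of first fragments
        self.src_times = defaultdict(deque)     # src -> timestamps of fragments let through
        self.dropped = set()                    # (src, dst, ip_id) whose first fragment was dropped
        self.cache = {}                         # (src, dst, ip_id) -> (first_seen, {offset: Fragment})

    @staticmethod
    def _count(times, now, window=1.0):
        """Drop timestamps older than the window and return how many remain (packets per window)."""
        while times and now - times[0] >= window:
            times.popleft()
        return len(times)

    def process(self, frag, now):
        """Return 'forward', 'drop', 'cached' or 'reassembled' for one arriving packet."""
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0 and not frag.more:
            return "forward"                    # unfragmented datagram: outside this defense
        if key in self.dropped:
            return "drop"                       # first fragment was dropped: no session, later pieces are useless
        if frag.offset == 0:
            self.first_times[frag.dst].append(now)   # statistics are kept on first fragments only
        if self._count(self.first_times[frag.dst], now) <= self.threshold:
            return "forward"                    # below threshold: fragments pass untouched
        if frag.src not in self.whitelist:
            self.dropped.add(key)               # unverified source: discard all its fragments
            self.cache.pop(key, None)
            return "drop"
        if self._count(self.src_times[frag.src], now) >= self.src_limit:
            self.dropped.add(key)               # real but too chatty: rate-limit it
            self.cache.pop(key, None)
            return "drop"
        self.src_times[frag.src].append(now)
        return self._reassemble(key, frag, now)

    def _reassemble(self, key, frag, now):
        """Cache fragments of a whitelisted source and release the datagram once it is contiguous."""
        _, pieces = self.cache.setdefault(key, (now, {}))
        pieces[frag.offset] = frag
        ordered = sorted(pieces.values(), key=lambda f: f.offset)
        if ordered[-1].more:
            return "cached"                     # last fragment has not arrived yet
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return "cached"                 # hole in the datagram
            expected = f.offset + len(f.data) // 8   # non-last fragments carry a multiple of 8 bytes
        del self.cache[key]
        return "reassembled"

    def flush(self, now, timeout=30.0):
        """Discard datagrams that never completed; returns how many were dropped."""
        stale = [k for k, (seen, _) in self.cache.items() if now - seen >= timeout]
        for k in stale:
            del self.cache[k]
        return len(stale)


def demo():
    """Constructed traffic: one normal sender, an attacker, and a whitelisted real source."""
    victim = "203.0.113.10"
    d = TcpFragmentDefense(threshold_pps=3, whitelist={"10.0.0.5"}, src_limit_pps=10)
    results = [d.process(Fragment("192.0.2.1", victim, 1, 0, True, b"a" * 16), 0.0)]
    for i in range(5):  # attacker floods first fragments, each a fresh datagram
        results.append(d.process(Fragment("198.51.100.7", victim, 100 + i, 0, True, b"x" * 16), 0.1 * (i + 1)))
    results.append(d.process(Fragment("198.51.100.7", victim, 102, 2, False, b"x" * 8), 0.55))
    results.append(d.process(Fragment("10.0.0.5", victim, 77, 0, True, b"w" * 16), 0.6))
    results.append(d.process(Fragment("10.0.0.5", victim, 77, 2, False, b"w" * 5), 0.61))
    results.append(d.process(Fragment("10.0.0.5", victim, 78, 0, True, b"w" * 8), 0.7))
    return results, d.flush(40.0)


if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: the first few attacker fragments are forwarded before the per-destination rate crosses the threshold, and a non-whitelisted but legitimate source is dropped for as long as the destination stays above it. Both are inherent to a threshold-per-destination design, which is why the threshold value chosen in the Solution section matters so much.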


Solution

First, check the TCP fragment traffic toward the attacked IP address by the following steps. The IP address must be entered; without it the report offers little to choose from. Also select Peak Value for the attack period.

If the peak traffic is not more than 2000 pps, the threshold of the TCP Fragment parameter can be lowered, but it is suggested not to lower it too much.

 

------------------------------------------------

Another method is to set the threshold value based on baseline learning.

The learning result looks like the one below.

The detailed traffic of each protocol can be viewed. The red line is the network's real traffic. Attacks may have happened during the learning period; the learning program only records traffic and cannot distinguish attack traffic from normal traffic, so manual adjustment is needed to eliminate the higher values. Apply only the normal traffic value to the policy threshold. For example, the 15,000+ value shown below is probably attack traffic and should not be used as the threshold. The normal traffic is only about 5000, so the threshold can be set to 8000.

Red: real traffic

Blue: current threshold

Green: suggestion (may be incorrect)

Modify parameters: change the value to 7500 and click OK. It is applied to the corresponding policy; there is no need to switch to the policy configuration page to change it.

If the learned result is below the default threshold, it is suggested to use the default value: AntiDDoS is meant to defend against large DDoS attacks, and a lower threshold will cause too many alarms.
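The manual adjustment above can be written down as a small procedure: drop learning intervals that look like attacks rather than baseline, add headroom above the highest normal peak, round to a tidy value, and never go below the default. The block below does that on a constructed learning result shaped like the page's example (normal traffic around 5000 pps with spikes above 15,000) and on a quiet series that falls below the default. It is an added example, not the AntiDDoS learning algorithm; the sample series, the median-based spike cutoff, the 1.5x headroom, the 500 pps rounding step and the 2000 pps default (taken from the 2000 pps figure mentioned earlier on this page) are all assumptions.

```python
"""Turn baseline-learning peaks into a TCP Fragment policy threshold, following the
manual-adjustment reasoning above. Added example, not the AntiDDoS learning algorithm;
the sample series, spike cutoff, headroom, rounding step and 2000 pps floor are assumptions."""
import math
import statistics

# Assumed default TCP Fragment threshold (pps), taken from the 2000 pps figure on this page.
DEFAULT_THRESHOLD_PPS = 2000

# Constructed learning result: hourly peak TCP fragment rates, two of them attack spikes.
LEARNED_PEAKS_PPS = [4800, 4900, 5100, 4700, 5200, 15200, 5000, 4600, 16800, 4900, 5100, 4800]
# Constructed low-traffic result where the learned value sits below the default.
QUIET_PEAKS_PPS = [280, 310, 295, 300, 320, 1200]


def suggest_threshold(samples, default=DEFAULT_THRESHOLD_PPS, spike_factor=3.0, headroom=1.5, step=500):
    """Derive a policy threshold from learned peaks.

    samples      learned peak rates (pps), one per learning interval
    spike_factor intervals above spike_factor * median are treated as recorded attacks, not baseline
    headroom     multiplier over the highest normal peak so ordinary bursts do not trip the policy
    step         round the result up to a multiple of this value
    default      floor: a learned result below the default keeps the default
    """
    if not samples:
        return {"median": 0, "excluded": [], "baseline_peak": 0, "threshold": default}
    median = statistics.median(samples)
    cutoff = spike_factor * median
    excluded = [s for s in samples if s > cutoff]       # the "15,000+" style values
    normal = [s for s in samples if s <= cutoff]
    baseline_peak = max(normal)
    rounded = math.ceil(baseline_peak * headroom / step) * step
    return {
        "median": median,
        "excluded": excluded,
        "baseline_peak": baseline_peak,
        "threshold": max(default, rounded),
    }


if __name__ == "__main__":
    print(suggest_threshold(LEARNED_PEAKS_PPS))
    print(suggest_threshold(QUIET_PEAKS_PPS))
```

With the constructed series the two spikes are excluded, the highest normal peak is 5200 pps and the suggested threshold comes out at 8000 pps, in line with the page's reasoning; the quiet series yields only 500 pps after headroom, so the default of 2000 pps is kept.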



END