AR500, AR510, AR531, AR550, AR1500, and AR2500 Security Hardening And Maintenance Guide

This document provides guidance for strengthening network and device security in terms of network security risks, security architecture, and security hardening policies. It also provides guidance for routine maintenance of device security in terms of the management, control, and forwarding planes.
Socket Security

Defense Against Malformed Packet Attacks

Security Policy

Malformed packet attacks use abnormal packets: the attacker sends defective IP packets to the target system, which may crash while processing them.

Malformed packet attacks include:

  • Flood attacks without IP payload

  • IGMP null packet attacks

  • LAND attacks

  • Smurf attacks

  • TCP flag bit invalid attacks

Attack Modes

  • Flood attacks without IP payload

    Flood attackers send massive numbers of IP packets that carry no higher-layer data; together these packets form a flood attack. An IP packet without higher-layer data serves no purpose and must therefore be discarded.

  • IGMP null packets

    An IGMP packet consists of a 20-byte IP header and an 8-byte IGMP body. If an IGMP packet is shorter than 28 bytes, the VRP considers it malformed and discards it directly.

  • LAND attacks

    LAND attacks were invented by the hacker organization RootShell and published on Nov 20, 1997. The attack exploits defects in the three-way handshake of a TCP connection. LAND attackers send a packet whose source address and destination address are the same. As a result, the destination host consumes excessive resources processing LAND packets and the network fails. Specifically, the attacker crafts a special SYN packet whose source address and source port are the same as its destination address and destination port respectively. After a computer receives such a SYN packet, it sends a SYN+ACK packet to its own address. Its own address consequently sends back a SYN+ACK packet, creating a null connection that persists until it expires.

    Figure 2-3  LAND Attack

    As shown in the preceding figure, if the destination host receives its own SYN+ACK, it treats the packet as a connection request (ignoring the ACK flag) and sends back another SYN+ACK packet. The ACK in that packet acknowledges the previous SYN and is unrelated to the new SYN, so the destination host again determines that it has received a connection request. This cycle continues.

    Even if the destination host does not treat the SYN+ACK packet as a connection request, it records a half-open connection because it sent a SYN+ACK packet. With a large enough number of such packets, this becomes a SYN flood attack: excessive half-open connections are created and the system fails.

    The VRP determines whether a TCP SYN packet is a LAND attack (a malformed packet attack) by comparing its source address and destination address. If they are the same, the VRP considers the packet malformed and discards it.

  • Smurf attacks

    In a Smurf attack, the attacker sends ICMP echo request packets with a broadcast address as the destination address and the victim's address as the source address. All hosts on the network then send reply packets to the victim, which receives too many packets and suffers excessively high CPU usage. The device treats packets whose destination address is a broadcast address or a subnet broadcast address as malformed and discards them.

  • TCP flag bit invalid attacks

    A TCP packet contains six flag bits, including URG, ACK, PSH, RST, SYN, and FIN. Replies to combinations of these flag bits vary with systems.

    If the six flag bits are all 1s, the attack is a Christmas tree attack.

    If the six flag bits are all 0s and the port is closed, the receiver responds with an RST|ACK packet. For an open port, a device running Linux or Unix sends no response packet, but a device running Windows responds with an RST|ACK packet. This helps identify the operating system.

    If ACK is combined with any other flag bit except RST, a receiver that has not sent any request replies with an RST packet, regardless of whether the port is open. This helps determine whether a host exists.

    Regardless of whether the port is open or closed, a SYN|FIN|URG packet makes the receiver send an RST|ACK response packet. This helps determine whether a host exists.

    If the port is closed, a SYN, SYN|FIN, SYN|PUSH, SYN|FIN|PUSH, SYN|URG, SYN|URG|PUSH, or SYN|FIN|URG|PUSH packet makes the receiver return an RST|ACK packet. If the port is open, these packets make the receiver return a SYN|ACK packet. This assists in host detection and port detection.

    If the port is closed, a FIN, URG, PUSH, URG|FIN, URG|PUSH, FIN|PUSH, or URG|FIN|PUSH packet makes the receiver return an RST|ACK packet. For an open port, a device running Linux or Unix sends no response packet, but a device running Windows responds with an RST|ACK packet. This helps identify the operating system.

    The system checks flag bits of a TCP packet and discards the packet if the packet meets any of the following conditions:

    • The six flag bits are all 1s.

    • The six flag bits are all 0s.

    • Both SYN and FIN are 1s.
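
A defender-side check that applies the malformed-packet rules listed above (empty IP payload, IGMP shorter than 28 bytes, broadcast destination, LAND, and the three TCP flag conditions) to raw IPv4 packets, added here as an example. It is not Huawei or VRP code; the packet builders and the local_net parameter are assumptions, and the sample packets are constructed.

```python
import struct
import ipaddress
from typing import Optional

IGMP_MIN_LEN = 28      # 20-byte IP header + 8-byte IGMP body
TCP_FLAG_MASK = 0x3F   # URG ACK PSH RST SYN FIN
SYN, FIN = 0x02, 0x01
LIMITED_BCAST = b"\xff\xff\xff\xff"


def check_packet(pkt: bytes, local_net: Optional[str] = None) -> Optional[str]:
    """Return the malformed-packet rule that pkt matches, or None if it passes.
    local_net (assumed parameter) is the receiving interface's subnet in CIDR form,
    used for the subnet-broadcast check."""
    if len(pkt) < 20:
        return "truncated IP header"
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "inconsistent IP length fields"
    payload = pkt[ihl:total_len]
    if not payload:                                  # flood without IP payload
        return "IP packet without payload"
    if proto == 2 and total_len < IGMP_MIN_LEN:      # IGMP null packet
        return "IGMP null packet"
    if dst == LIMITED_BCAST or (local_net and ipaddress.IPv4Address(dst)
                                == ipaddress.IPv4Network(local_net).broadcast_address):
        return "broadcast destination (Smurf)"
    if proto == 6:                                   # TCP flag-bit rules
        if len(payload) < 14:
            return "truncated TCP header"
        flags = payload[13] & TCP_FLAG_MASK
        if src == dst and flags & SYN:               # LAND: source equals destination in a SYN
            return "LAND (source equals destination)"
        if flags == TCP_FLAG_MASK:
            return "TCP flags all set (Christmas tree)"
        if flags == 0:
            return "TCP flags all clear"
        if flags & SYN and flags & FIN:
            return "TCP SYN and FIN both set"
    return None


def build_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal IPv4 packet (checksum left zero) to feed the checker."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp_header(flags):
    """Construct a 20-byte TCP header carrying the given flag byte (ports and seq are dummies)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
```
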
Configuration and Maintenance Methods
  • Enable or disable the defense against malformed packet attacks. (By default, the defense against malformed packet attacks is enabled.)

    anti-attack abnormal enable

    undo anti-attack abnormal enable

  • View the statistics on malformed packet attacks on all the interface boards or a specified interface board.

    display anti-attack statistics abnormal

  • Clear the statistical data about malformed packet attacks on all the interface boards or a specified interface board.

    reset anti-attack statistics abnormal

    Statistics cannot be restored after they are cleared. Exercise caution when you clear them.
Configuration and Maintenance Suggestions

N/A

Defense Against Packet Fragment Attacks

Security Policy

Teardrop attacks target packet fragments that are not properly reassembled. To defend against teardrop attacks, the system must ensure that packet fragments are reassembled properly and discard any that are not. No effective measure exists against repeated packet fragment attacks. Because of trunking and load sharing on the IP network, an interface board may not receive all fragments of a packet, so fragments cannot be reassembled on an interface board. If fragments are instead reassembled on a main control board, they consume the CPU of the main control board and inter-board communication resources. To defend against repeated packet fragment attacks, the forwarding engine therefore applies a separate committed access rate (CAR) to packet fragments on each interface board, preventing large numbers of fragments from attacking the CPU. The CAR is configurable.

Attack Modes

Packet fragment attacks are classified into the following types:

  • Excessive fragments

    Attackers produce a great number of small fragments, the smallest being eight bytes. Normally the IP header is 20 bytes and the maximum IP payload is 65515 bytes. If the data is fragmented so that each IP payload carries eight bytes, 65515 / 8 = 8189.375 fragments result. (With 8189 fragments the IP payload does not reach 65515 bytes; with 8190 fragments it exceeds 65515 bytes.) Large numbers of small fragments are often malicious: if they are sent to a router, the router attempts to reassemble them, which consumes a lot of CPU resources.

  • Teardrop attacks

    The teardrop attack is the most famous IP fragmentation attack. It relies on incorrectly fragmented IP packets in which the second fragment falls inside the first one. In the first fragment, the IP payload is 36 bytes, the total length is 56 bytes (correct), the protocol is UDP, and the UDP checksum is 0 (no CRC). In the second fragment, the IP payload is 4 bytes, the total length is 24 bytes (correct), the protocol is UDP, and the offset is 3 x 8 = 24, which is incorrect. The correct offset is 36.

  • Syndrop attacks

    The principle is similar to that of a teardrop attack, except that TCP is used, the flag is SYN, and the packet contains padding. In the first fragment, the IP payload is 28 bytes (byte 0 to byte 27, including the TCP header) and the IP header is 20 bytes. In the second fragment, the offset is 24, the total payload length is 4 bytes (byte 24 to byte 27), and the IP header is 20 bytes.

  • Nesta attacks

    A packet is divided into three fragments. In the first fragment, the IP payload is 18 bytes (byte 0 to byte 17), the protocol is UDP, and the checksum is 0. In the second fragment, the offset is 6 x 8 = 48 and the IP payload is 116 bytes; if no further fragment follows, the second fragment is the end fragment. In the third fragment, the offset is 0, the More Fragments flag is 1 (that is, further fragments follow), the IP options are 40 bytes (all EOL), and the IP payload is 224 bytes.

  • FAWX attacks

    In a FAWX attack, improperly fragmented IGMP packets are sent: two IGMP fragments, of which the first is 9 bytes long and the second has offset 8 and a 16-byte IP payload, with no end fragment.

  • BONK attacks

    BONK attacks are similar to NewTear attacks, except that the IP payload of the first fragment is 36 bytes and the UDP checksum is 0; the offset of the second fragment is 32 and the length is 4 bytes.

  • Dead Ping attacks

    The total length of the ICMP echo request exceeds 65535 bytes, crashing the protocol stack. In this type of attack, the IP packet is fragmented so that the IP payload plus the IP header exceeds 65535 bytes in total.

  • Jolt attacks

    Jolt attacks are similar to Dead Ping attacks. A packet is sent as 173 fragments, each with a 380-byte IP payload, so the total length is 173 x 380 + 20 = 65760 bytes, far exceeding 65535 bytes.

  • Repeated packet fragment attacks

    In this type of attack, the same fragment is sent more than once. Two cases arise. In the first case, the first and second fragments have the same sequence number, which can also happen legitimately when fragments are retransmitted during IP packet transmission. In the second case, the first and second fragments have different sequence numbers, and the system must decide which fragment to keep and which to discard, or whether to discard both.

  • NewTear attacks

    NewTear attacks are similar to Syndrop attacks in terms of fragments, except that the protocol is UDP, the IP payload of the first fragment is 28 bytes (byte 0 to byte 27; including the UDP header; UDP checksum is 0), and the offset of the second fragment is 24 and the total payload length is 4 bytes (byte 24 to byte 27).

  • Rose attacks

    The transport protocol can be either TCP or UDP.

    • TCP: There are two fragments. The IP payload length of the first fragment is 48 bytes. The IP payload length of the second fragment is 32 bytes, but its offset is 65408 and the more flag is 0 (indicating there is no subsequent fragment).

    • UDP: There are two fragments. The IP payload length of the first fragment is 40 bytes. The IP payload length of the second fragment is 32 bytes, but its offset is 65408 and the more flag is 0 (indicating there is no subsequent fragment).
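
An added example, not Huawei or VRP code, that checks an IPv4 fragment set for the patterns described above (overlapping fragments, repeated fragments, a reassembled size over 65535 bytes, excessive fragment counts, a missing end fragment, and a gap before the end fragment) before any reassembly is attempted. The Frag record is an assumption, and the sample fragment sets are constructed from the numbers in the text.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_DATAGRAM = 65535   # maximum IPv4 total length
IP_HDR = 20            # IP header length assumed throughout the text
MAX_FRAGS = 8189       # 65515-byte payload / 8-byte minimum fragment, rounded down


@dataclass(frozen=True)
class Frag:
    offset: int   # payload offset in bytes (the text already multiplies the 8-byte units out)
    length: int   # IP payload bytes carried by this fragment
    more: bool    # More Fragments flag


def check_fragments(frags: List[Frag]) -> Optional[str]:
    """Return the anomaly a fragment set exhibits, or None if it reassembles cleanly."""
    if len(frags) > MAX_FRAGS:
        return "excessive fragments"
    seen, covered, last_end = set(), [], None
    for f in frags:
        if f in seen:                                    # repeated fragment (or a retransmission)
            return "repeated fragment"
        seen.add(f)
        start, end = f.offset, f.offset + f.length
        if IP_HDR + end > MAX_DATAGRAM:                  # Dead Ping / Jolt
            return "reassembled datagram exceeds 65535 bytes"
        if any(start < e and s < end for s, e in covered):   # teardrop, BONK, NewTear, Nesta, FAWX
            return "overlapping fragment"
        covered.append((start, end))
        if not f.more:
            last_end = end
    if last_end is None:                                 # set never completes; would wait for timeout
        return "no end fragment"
    pos = 0
    for s, e in sorted(covered):                         # Rose: end fragment far beyond the data
        if s != pos:
            return "gap in fragment chain"
        pos = e
    return None


# Fragment sets constructed from the numbers in the text
TEARDROP = [Frag(0, 36, True), Frag(24, 4, False)]
BONK = [Frag(0, 36, True), Frag(32, 4, False)]
NESTA = [Frag(0, 18, True), Frag(48, 116, False), Frag(0, 224, True)]
JOLT = [Frag(i * 380, 380, i < 172) for i in range(173)]
ROSE_TCP = [Frag(0, 48, True), Frag(65408, 32, False)]
FAWX = [Frag(0, 9, True), Frag(8, 16, True)]
NORMAL = [Frag(0, 1480, True), Frag(1480, 1480, True), Frag(2960, 100, False)]
```
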
Configuration and Maintenance Methods
  • Enable or disable the defense against packet fragment attacks. (By default, the defense against packet fragment attacks is enabled.)

    anti-attack fragment enable

    undo anti-attack fragment enable

  • View the statistics on packet fragment attacks on all the interface boards or a specified interface board.

    display anti-attack statistics fragment

  • Clear the statistics on packet fragment attacks on all the interface boards or a specified interface board.

    reset anti-attack statistics fragment

    Statistics cannot be restored after they are cleared. Exercise caution when you clear them.
Configuration and Maintenance Suggestions

N/A

TCP SYN Flood Attack

Security Policy

TCP SYN flood attacks are old but effective. A TCP SYN flood is a Denial of Service (DoS) attack; attacks of this kind all exploit the way TCP connections are established.

Huawei devices limit the rate of TCP SYN packets to prevent exhaustion of system resources when a TCP SYN flood attack occurs.

Attack Modes

During the TCP three-way handshake, when the server receives the initial SYN packet from the client, it sends back a SYN-ACK packet to the client and creates an entry for the connection in memory. While the server waits for the final ACK packet from the client, the connection is half-open. If the server does not receive the ACK packet, it resends the SYN-ACK packet. If the server has sent the SYN-ACK packet several times without receiving any ACK packet from the client, it ends the session and removes the entry from memory. The time from sending the first SYN-ACK packet to ending the session is about 30s.

During this period, the attacker may send thousands of SYN packets to the open port without replying to the server's SYN-ACK packets. The server is soon overloaded and can accept no new connection requests. Thus, the server disconnects all existing connections.

The attacker rarely needs to receive the SYN-ACK packets, so it can forge the source address of the SYN packets, making the real source of the attack harder to locate.

Because the SYN-ACK packets are not sent to the attacker, the attacker also saves bandwidth.

Configuration and Maintenance Methods
  • Enable or disable the defense against TCP SYN flood attacks. (By default, the defense against TCP SYN flood attacks is enabled.)

    Run the system-view command to enter the system view.

    Enter the anti-attack tcp-syn enable command to enable defense against TCP SYN flood attacks.

    Run the anti-attack tcp-syn car cir cir command to limit the TCP SYN packet receiving rate.

    By default, the TCP SYN packet receiving rate is 155000000 bit/s.

  • View the statistics on TCP SYN flood attacks on all the interface boards or a specified interface board.

    display anti-attack statistics tcp-syn

  • Clear the statistics on TCP SYN flood attacks on all the interface boards or a specified interface board.

    reset anti-attack statistics tcp-syn

Configuration and Maintenance Suggestions

N/A

Defense Against UDP Flood Attacks

Security Policy

Packets sent from UDP ports 7, 13, and 19 are considered as attack packets and directly discarded.

A command line can be executed to enable the defense against UDP flood attacks.

Attack Modes
  • Fraggle attacks

    In a Fraggle attack, attackers use UDP port 7 (UDP echo request) to attack network devices. The service on port 7 is essentially the same as ICMP echo: it returns every received packet payload unmodified, to test network connectivity between the source IP address and the destination IP address. Fraggle attacks are similar to Smurf attacks. In a Fraggle attack, the IP address of the victim is used as the source IP address and a broadcast address is used as the destination IP address. The destination port number is 7, and the source port number may be 7 or any other number. If the UDP echo service is enabled on many hosts on this broadcast network, the victim receives a large number of response packets and is thereby attacked.

  • UDP diagnosis port attacks

    Packets are sent at random to a diagnostic port (7-echo, 13-daytime, or 19-chargen). If a great number of packets are sent simultaneously, a UDP packet flood occurs, affecting the normal operation of network devices. This problem has occurred on other vendors' devices. Many vendors enable small servers by default for network diagnosis or device management, which creates potential for attack. For example, in a Pepsi attack, attackers send a huge number of packets to a diagnostic port of another vendor's device, causing DoS of the device.

Configuration and Maintenance Methods
  • Enable or disable defense against UDP flood attacks. By default, defense against UDP flood attacks is enabled.

    anti-attack udp-flood enable

    undo anti-attack udp-flood enable

  • View statistics on UDP flood attacks.

    display anti-attack statistics udp-flood

  • Clear statistics on UDP flood attacks.

    reset anti-attack statistics udp-flood

Configuration and Maintenance Suggestions

N/A

Defense Against ICMP Flood Attacks

Security Policy

The rate of ICMP packets is limited on the interface boards. Commands are provided to configure the ICMP packet rate and to enable the defense against ICMP flood attacks on a per-board basis.

Attack Modes

During an ICMP flood attack, ICMP packets are sent at a high rate. When a program sends more than 1000 packets in a second, the program becomes a flood generator. A lot of ICMP Echo Request packets are sent to the victim. The host of the victim has to return a lot of ICMP Echo Reply or ICMP unreachable packets. After the attacker forges a false source IP address, the host of the victim sends back a lot of ICMP packets to the false address in vain. This consumes system resources of the host and eventually the server may stop responding. The attack may also come from other types of ICMP packets.

Configuration and Maintenance Methods
  • Enable or disable the defense against ICMP flood attacks. (By default, the defense against ICMP flood attacks is enabled.)

    anti-attack icmp-flood enable

    undo anti-attack icmp-flood enable

  • View statistics on ICMP flood attacks.

    display anti-attack statistics icmp-flood

  • Clear statistics on ICMP flood attacks.

    reset anti-attack statistics icmp-flood

Configuration and Maintenance Suggestions

N/A

Updated: 2019-05-06

Document ID: EDOC1000097300