Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Defense Against Flood Attacks

If an attacker sends a large number of bogus packets to a target device, the target device is busy with these bogus packets and cannot process normal services.

Defense against flood attacks detects flood packets in real time and discards them or limits the rate of the packets to protect the device.

Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

TCP SYN Flood Attack

A TCP SYN flood attack exploits a weakness of the TCP three-way handshake. During the handshake, the receiver replies with a SYN+ACK message when it receives the first SYN message from a sender. While the receiver waits for the final ACK packet from the sender, the connection is half-open. If the ACK packet does not arrive, the receiver retransmits the SYN+ACK packet to the sender. After several retransmission attempts, the receiver tears down the session and removes it from memory. The period from the first SYN+ACK message being sent to session teardown is about 30s.

During this period, an attacker can send thousands of SYN messages to all open ports and never respond to the SYN+ACK messages from the receiver. The accumulated half-open connections exhaust memory on the receiver, which then cannot accept new connection requests and eventually disconnects all existing connections.

After defense against TCP SYN flood attacks is enabled, the device limits the rate of TCP SYN packets to protect system resources.
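The following is an added example, not part of the Huawei document, that models the half-open state described above in Python: each SYN without a matching ACK occupies a table slot for the 30s teardown period, and a configurable ceiling (the assumed `max_half_open` value, not a Huawei parameter) stands in for the SYN rate limit. The packet dictionaries and addresses are constructed for the demonstration.

```python
"""Half-open TCP connection tracker (added illustration, not Huawei device code)."""
from dataclasses import dataclass, field

# The page states that the SYN+ACK-to-teardown period is about 30 seconds.
HALF_OPEN_TIMEOUT = 30.0


@dataclass
class HalfOpenTracker:
    """Tracks SYNs that have not yet been completed by an ACK."""
    max_half_open: int = 100                     # assumed ceiling, illustrative only
    table: dict = field(default_factory=dict)    # (src, sport, dst, dport) -> SYN time

    def expire(self, now):
        """Tear down entries older than the timeout (retransmissions exhausted)."""
        stale = [k for k, t in self.table.items() if now - t >= HALF_OPEN_TIMEOUT]
        for key in stale:
            del self.table[key]

    def observe(self, pkt, now):
        """Process one TCP segment and report what happened to it."""
        self.expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            if len(self.table) >= self.max_half_open:
                return "drop"             # table full: treat further SYNs as flood
            self.table.setdefault(key, now)
            return "half-open"
        if pkt["flags"] == "A" and key in self.table:
            del self.table[key]           # handshake completed, slot released
            return "established"
        return "pass"


def make_syn(src, sport, dst="10.0.0.1", dport=80):
    """Build a constructed SYN segment (sample data, not captured traffic)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": "S"}


def run_demo():
    """One legitimate handshake, then 150 unanswered SYNs, then a SYN after expiry."""
    tracker = HalfOpenTracker(max_half_open=100)
    results = {"established": 0, "half-open": 0, "drop": 0, "pass": 0}

    # Legitimate client completes its handshake within 0.1 s.
    results[tracker.observe(make_syn("192.0.2.10", 40000), 0.0)] += 1
    ack = {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.1", "dport": 80, "flags": "A"}
    results[tracker.observe(ack, 0.1)] += 1

    # Flood: 150 SYNs from spoofed sources within 0.15 s, none ever ACKed.
    for i in range(150):
        pkt = make_syn(f"198.51.100.{i % 250}", 1024 + i)
        results[tracker.observe(pkt, 1.0 + i * 0.001)] += 1

    # After the ~30 s teardown period the slots are free again.
    results[tracker.observe(make_syn("192.0.2.11", 40001), 40.0)] += 1
    return results, len(tracker.table)


if __name__ == "__main__":
    print(run_demo())
```

With a ceiling of 100, the first 100 flood SYNs fill the table, the remaining 50 are dropped, and the table is empty again once the 30s period has elapsed, so a later legitimate SYN is admitted.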

UDP Flood Attack

If an attacker sends a large number of UDP packets to a target device, the target device is busy with these UDP packets and cannot process normal services. UDP flood attacks are classified into two types:

  • Fraggle attack

    An attacker sends UDP packets whose source address is the target device's address, whose destination address is the broadcast address of the target network, and whose destination port is port 7. If multiple hosts on the broadcast network run the UDP echo service, the target device receives a flood of response packets and the system becomes busy.

    A device with attack defense configured treats packets from UDP port 7 as attack packets and discards them.

  • UDP diagnosis port attack

    An attacker sends many packets simultaneously to the UDP diagnosis ports (7 echo, 13 daytime, and 19 chargen). The resulting flood prevents network devices from working properly.

    A device with attack defense configured treats packets from UDP ports 7, 13, and 19 as attack packets and discards them.

ICMP Flood Attack

Generally, a network administrator monitors a network and rectifies network faults with the ping tool as follows:

  1. The source host sends an ICMP Echo message to a target device.
  2. When receiving the ICMP Echo message, the target device sends an ICMP Echo Reply message to the source host.

If an attacker sends many ICMP Echo messages to the target device, the target device is busy with these Echo messages and cannot process other data packets, so normal services are affected.

A device can use committed access rate (CAR) to limit the rate of ICMP packets and thereby protect the CPU.
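The following is an added example, not code from the Huawei document, that shows the two defensive mechanisms from the UDP and ICMP sections side by side in Python: a drop rule for the UDP diagnosis ports 7, 13 and 19, and a CAR-style token bucket that limits ICMP Echo requests to a committed rate with a burst allowance. The rate and burst values and the packet stream are constructed for the demonstration and are not Huawei defaults.

```python
"""UDP diagnosis-port filter plus CAR-style ICMP rate limiter (added illustration)."""

# Ports named in the page: 7 echo, 13 daytime, 19 chargen.
DIAGNOSIS_PORTS = {7, 13, 19}


class TokenBucket:
    """CAR-style limiter using integer millitokens to avoid float drift.

    rate_pps tokens are added per second; burst tokens may be spent at once.
    """

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps                 # tokens per second == millitokens per ms
        self.capacity = burst * 1000         # millitokens
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for elapsed time, then spend one token if available."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def classify(pkt, icmp_car, now_ms):
    """Apply the diagnosis-port drop rule and the ICMP Echo CAR to one packet."""
    if pkt.get("proto") == "udp" and pkt.get("dport") in DIAGNOSIS_PORTS:
        return "drop-udp-diag"
    if pkt.get("proto") == "icmp" and pkt.get("type") == 8:   # Echo request
        return "pass" if icmp_car.allow(now_ms) else "drop-icmp-car"
    return "pass"


def run_demo():
    """100 Echo requests at 100 pps against a 10 pps / burst-20 CAR, plus UDP/TCP samples."""
    car = TokenBucket(rate_pps=10, burst=20)          # assumed values, illustrative only
    counts = {"pass": 0, "drop-icmp-car": 0, "drop-udp-diag": 0}

    # Constructed stream: (timestamp in ms, packet summary).
    stream = [(i * 10, {"proto": "icmp", "type": 8}) for i in range(100)]
    stream += [
        (1000, {"proto": "udp", "dport": 7}),     # fraggle / echo
        (1001, {"proto": "udp", "dport": 13}),    # daytime
        (1002, {"proto": "udp", "dport": 19}),    # chargen
        (1003, {"proto": "udp", "dport": 53}),    # ordinary DNS query, passes
        (1004, {"proto": "tcp", "dport": 443}),   # unaffected by either rule
        (1005, {"proto": "icmp", "type": 0}),     # Echo reply, not rate limited
    ]
    for now_ms, pkt in stream:
        counts[classify(pkt, car, now_ms)] += 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The burst of 20 tokens lets the first 22 Echo requests through (20 from the bucket plus refill during the first 0.2s); after that the bucket admits roughly one request per 100ms, so 29 of the 100 requests pass and 71 are dropped, while the three diagnosis-port packets are discarded regardless of rate.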

Updated: 2019-09-23

Document ID: EDOC1000178177
