eSight V300R009C00 Operation Guide 09

Attack Defense Principle

The NGFW provides attack defense functions to detect network attacks and to protect intranets against possible attacks.

DDoS Attack Defense

DDoS attacks use zombie hosts to send a large number of malicious attack packets to a target. These attack packets congest network links and exhaust system resources, causing the target to fail to provide services for legitimate users. Zombie hosts are online hosts controlled by the attacker. The network consisting of the attackers and zombie hosts is called a Botnet.

  • Anti-DDoS workflow of the NGFW

    Table 12-76 Control options of application behavior control

    Defense process: 1. Enable the collection of traffic statistics.
    Description: Because various types of packets are used in DDoS attacks, you need to enable the collection of traffic statistics on the NGFW to distinguish normal traffic from attack traffic. Based on the collected statistics, the system checks whether the volume of attack traffic exceeds the threshold.
    The NGFW binds certain interfaces and collects statistics on the traffic destined for them. The NGFW mainly protects intranet servers from Internet attacks, so the interfaces to be bound must be the internal Ethernet interfaces of the NGFW.

    Defense process: 2. The traffic volume exceeds the specified threshold.
    Description: You need to set thresholds for the various types of attack traffic. Once the volume of a certain type of traffic exceeds its threshold, the NGFW regards the traffic as DDoS attack traffic and takes the corresponding defense measures. In other words, the NGFW implements attack defense only when the volume of a traffic type exceeds its threshold, so the threshold setting determines the actual defense.
    You can set the threshold manually or refer to the threshold learning result if threshold learning is enabled on the NGFW.

    Defense process: 3. The NGFW automatically starts the defense against detected attacks.
    Description: Once the volume of traffic destined for a specific destination address exceeds the specified threshold, the system automatically starts the defense. The NGFW uses multiple technologies to defend against different DDoS attacks. Table 12-77 describes these technologies.

    Defense process: 4. The NGFW implements the specified action on the traffic.
    Description: Normal traffic is permitted, whereas attack traffic is discarded and corresponding threat logs are generated.
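The four-step workflow above can be exercised in a few dozen lines. The following is an added example written for this page, not code from the Huawei document or the NGFW: per-destination, per-type packet counters over a one-second window (step 1), a threshold comparison (step 2), a defense state that switches on automatically the first time the threshold is crossed (step 3), and a permit/drop verdict with a threat log (step 4), using the "traffic limiting" action of Table 12-77. The one-second window, the threshold-learning rule (peak observed rate times a safety factor, with a floor), and all packet records are assumptions constructed for the example; the NGFW does not publish its internal algorithm.

```python
"""Per-destination traffic statistics with a threshold-triggered defense (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source IP address
    dst: str    # destination IP address (the protected server)
    kind: str   # traffic type statistics are kept for, e.g. "icmp", "udp", "syn"


def learn_thresholds(packets, factor=2.0, floor=10):
    """Threshold learning (assumed rule): for each (dst, kind) take the peak
    packet count seen in any one-second window of the learning period and
    multiply by a safety factor, never going below a floor."""
    per_second = defaultdict(int)
    for p in packets:
        per_second[(p.dst, p.kind, int(p.ts))] += 1
    peak = defaultdict(int)
    for (dst, kind, _), n in per_second.items():
        peak[(dst, kind)] = max(peak[(dst, kind)], n)
    return {key: max(floor, int(n * factor)) for key, n in peak.items()}


class DestinationGuard:
    """Step 1: statistics per (dst, kind); step 2: threshold comparison;
    step 3: defense starts automatically; step 4: permit or drop and log."""

    def __init__(self, thresholds):
        self.thresholds = thresholds   # {(dst, kind): packets per second}
        self.window = {}               # (dst, kind) -> (window start, count)
        self.defending = set()         # (dst, kind) pairs currently under defense
        self.threat_log = []

    def process(self, p):
        key = (p.dst, p.kind)
        limit = self.thresholds.get(key)
        if limit is None:
            return "permit"            # no statistics configured for this traffic
        start, count = self.window.get(key, (p.ts, 0))
        if p.ts - start >= 1.0:        # open a new one-second window
            start, count = p.ts, 0
        count += 1
        self.window[key] = (start, count)
        if count <= limit:
            return "permit"
        if key not in self.defending:  # defense starts the first time the threshold is crossed
            self.defending.add(key)
            self.threat_log.append(f"t={p.ts:.2f} defense started: {p.kind} flood to {p.dst}")
        # traffic limiting: follow-up packets above the threshold are discarded
        self.threat_log.append(f"t={p.ts:.2f} drop {p.kind} {p.src}->{p.dst} ({count}/s > {limit}/s)")
        return "drop"


def run_demo():
    """Learn thresholds from a quiet period, then replay a burst.
    Returns (thresholds, permitted count, dropped count, threat log)."""
    # Constructed baseline: two ICMP and one UDP packet per second for three seconds.
    baseline = [Packet(s + i * 0.3, f"192.0.2.{i}", "10.0.0.5", "icmp")
                for s in range(3) for i in range(2)]
    baseline += [Packet(s + 0.5, "192.0.2.9", "10.0.0.5", "udp") for s in range(3)]
    thresholds = learn_thresholds(baseline, factor=2.0, floor=3)
    # Constructed burst: ten ICMP packets within one second plus two UDP packets.
    burst = [Packet(10.0 + i * 0.05, f"198.51.100.{i}", "10.0.0.5", "icmp") for i in range(10)]
    burst += [Packet(10.2, "192.0.2.9", "10.0.0.5", "udp"),
              Packet(10.7, "192.0.2.9", "10.0.0.5", "udp")]
    guard = DestinationGuard(thresholds)
    verdicts = [guard.process(p) for p in sorted(burst, key=lambda p: p.ts)]
    return thresholds, verdicts.count("permit"), verdicts.count("drop"), guard.threat_log


if __name__ == "__main__":
    for line in run_demo()[3]:
        print(line)
```

With the constructed baseline the learned ICMP threshold is 4 packets per second and the UDP threshold is the floor of 3, so the ten-packet ICMP burst yields four permits and six drops while the two UDP packets pass untouched; the first log line records the moment the defense started.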

Table 12-77 Attack defense technologies

Source detection
  Mechanism: The device checks the source IP address of the request packet, forwards packets from real source IP addresses, and discards packets from forged source IP addresses.
  Applicable attack types: SYN Flood, HTTP Flood, HTTPS Flood, DNS Request Flood, DNS Reply Flood, SIP Flood

Fingerprint
  Mechanism: The NGFW learns the characteristics of detected attack packets and saves them as fingerprints. Once a packet matches a fingerprint, the packet is discarded.
  Applicable attack types: UDP Flood, UDP Fragment Flood

Traffic limiting
  Mechanism: Once the volume of a traffic type exceeds the specified threshold, the follow-up packets are discarded.
  Applicable attack types: ICMP Flood, UDP Flood

Various types of DDoS attacks exist based on the attack packet type. The NGFW can defend against the following types of DDoS attacks.

Table 12-78 Principles of DDoS attack defense

SYN Flood
  Attack mechanism: A SYN flood exploits the TCP three-way handshake. An attacker forges SYN packets whose source IP addresses are spurious or unreachable and initiates connections to the attacked server. After receiving such a packet, the server replies with a SYN-ACK packet, but no ACK packet is ever received in response. As a result, a large number of half-open connections are established on the attacked server. These half-open connections are held until they time out. If the half-open connections exhaust system resources, the attacked server cannot process normal TCP connections.
  Defense mechanism: For details, see SYN Flood Defense Mechanism.

UDP Flood
  Attack mechanism: The attacker sends a large number of UDP packets (generally large packets) to the target server through botnets. As a result, the server resources are exhausted and the server cannot respond to normal requests. In the worst case, the links are congested.
  The mechanism of UDP fragment flood attacks is the same as that of UDP flood attacks. The only difference is that the former uses UDP fragments instead of UDP packets to achieve a higher traffic rate.
  Defense mechanism: For details, see UDP Flood Defense Mechanism.

ICMP Flood
  Attack mechanism: An attacker sends massive numbers of ICMP packets to the target in a short period of time, exhausting session resources on network devices. If the attacker sends oversized packets over a network link, the link may be congested.
  Defense mechanism: For details, see ICMP Flood Defense Mechanism.

DNS Request Flood
  Attack mechanism: An attacker sends a great number of resolution requests for non-existent domain names to the DNS server through botnets, severely overloading the DNS server so that it cannot respond to DNS requests from normal users. The source IP addresses of the attack packets are usually forged. To amplify the effect, the attacker manipulates the recursive query fields so that the current server cannot resolve the requested names and forwards the requests to its upper-level server. Therefore, many DNS servers come under attack. Once a DNS request flood occurs, many DNS servers are affected or even crash because of resource exhaustion.
  Defense mechanism: For details, see DNS Request Flood Defense Mechanism.

DNS Reply Flood
  Attack mechanism: In a DNS reply flood attack, also called a DNS spoofing attack, an attacker sends a great number of bogus DNS reply packets to a DNS server or host. Such packets carry spurious mappings, that is, legitimate domain names mapped to malicious IP addresses. In this way, receivers are spoofed and network operation is disrupted.
  Defense mechanism: For details, see DNS Reply Flood Defense Mechanism.

HTTP Flood
  Attack mechanism: An attacker sends large numbers of HTTP packets to the target server through proxies or botnets. Such requests involve URL access that leads to continuous database operations. As a result, the resources of the server are exhausted and the server cannot respond to normal requests.
  Defense mechanism: For details, see HTTP Flood Defense Mechanism.

HTTPS Flood
  Attack mechanism: An attacker initiates massive numbers of HTTPS connections to the target server directly or through proxies or botnets. As a result, the server is overloaded and unable to respond to legitimate requests.
  Defense mechanism: For details, see HTTPS Flood Defense Mechanism.

SIP Flood
  Attack mechanism: An attacker can send massive numbers of INVITE messages to the target SIP server to exhaust its resources and make it unable to respond to legitimate call requests. An attacker can also exploit vulnerabilities in the SIP implementation of VoIP devices to forge and send malformed packets, resulting in denial of service on the SIP server.
  Defense mechanism: For details, see SIP Flood Defense Mechanism.

  • SYN flood defense mechanism
    • TCP proxy

      As a TCP proxy, the NGFW is deployed between the client and server to establish a three-way handshake with the client on behalf of the server and relay the TCP connection to the server if the three-way handshake is complete. TCP proxy applies only to scenarios in which the forward and return paths are the same.

      Figure 12-43 TCP proxy
      • As shown in Figure 12-43, the NGFW receives a SYN message, blocks the SYN message, and returns a SYN-ACK message on behalf of the server.
      • If the client fails to return an ACK message, the NGFW considers the SYN message abnormal, and maintains the half-open connection on behalf of the server until the half-open connection expires.
      • If the client returns an ACK message, the NGFW considers the SYN message normal and establishes a three-way handshake with the client. Then, the NGFW reestablishes a three-way handshake with the server. The subsequent messages on the connection are sent to the server.

        The TCP proxy procedure is transparent to both the client and server.

        During the TCP proxy procedure, the NGFW proxies and responds to each SYN message received and maintains the half-open connections. Therefore, if a large number of SYN messages are sent to the NGFW, the NGFW must have sufficient performance to handle them.

    • TCP source authentication
      TCP source authentication enables the NGFW to defend against SYN flood attacks even when the forward and return paths are different. Therefore, compared with TCP proxy, TCP source authentication is more widely used.
      Figure 12-44 TCP source authentication
      • As shown in Figure 12-44, after the NGFW receives a SYN message from the client, it blocks the SYN message, forges a SYN-ACK message carrying an incorrect sequence number, and sends this message to the client.
      • If the source address is fake, no message is sent in response to the incorrect SYN-ACK message.
      • If the source address is real, the client replies with an RST message after receiving the incorrect SYN-ACK message so that the NGFW can send a correct SYN-ACK message. After the NGFW receives the RST message, it determines that the client is the real source and whitelists the source address. The NGFW considers the packets sent by this source legitimate and permits the packets without authentication until the whitelist entry expires.

        In TCP source authentication, the source client is whitelisted once the client passes the authentication, and authentication is not performed on subsequent SYN messages sent by this source. This implementation greatly improves the defense efficiency and performance and minimizes the resource consumption.

        NOTE:

        If there are devices that discard source detection packets, the source detection function cannot be used.
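The TCP source authentication exchange of Figure 12-44 is a small challenge-response state machine, shown here as an added example that is not part of the Huawei document and is not the NGFW's implementation. It assumes the standard TCP reset rule (RFC 793): a genuine client in SYN-SENT that receives a SYN-ACK with an unacceptable acknowledgement number answers with an RST whose sequence number equals that acknowledgement number, so the firewall can match the RST against the bad SYN-ACK it sent rather than accept any RST from the address. The whitelist lifetime, challenge lifetime, the way the wrong number is chosen, and the client addresses are values constructed for the example.

```python
"""TCP source authentication as a challenge-response state machine (added example)."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    kind: str        # "SYN", "SYN-ACK", "RST" or "ACK"
    seq: int = 0     # sequence number
    ack: int = 0     # acknowledgement number


class TcpSourceAuth:
    def __init__(self, whitelist_ttl=60.0, challenge_ttl=5.0):
        self.whitelist_ttl = whitelist_ttl
        self.challenge_ttl = challenge_ttl
        self.whitelist = {}   # src -> expiry time
        self.pending = {}     # src -> (wrong ack number we sent, expiry time)
        self.log = []

    def _expire(self, now):
        self.whitelist = {s: t for s, t in self.whitelist.items() if t > now}
        self.pending = {s: v for s, v in self.pending.items() if v[1] > now}

    def on_syn(self, seg, now):
        """Returns (verdict, reply segment or None) for a SYN from the client side."""
        self._expire(now)
        if seg.src in self.whitelist:
            return "forward", None   # authenticated source: no re-check until the entry expires
        # Deliberately wrong acknowledgement number (assumed construction: seq+1 plus an offset).
        bad_ack = (seg.seq + 1 + 0x10000) & 0xFFFFFFFF
        self.pending[seg.src] = (bad_ack, now + self.challenge_ttl)
        self.log.append(f"challenge {seg.src}")
        return "drop", Segment("ngfw", "SYN-ACK", seq=0, ack=bad_ack)

    def on_rst(self, seg, now):
        """An RST only proves the source if it matches the challenge we sent."""
        self._expire(now)
        expected = self.pending.pop(seg.src, (None, None))[0]
        if expected is not None and seg.seq == expected:
            self.whitelist[seg.src] = now + self.whitelist_ttl
            self.log.append(f"whitelist {seg.src}")
            return "whitelisted"
        return "drop"


def real_client_reply(src, syn_seq, synack):
    """A genuine client in SYN-SENT: a wrong ACK number elicits RST with seq = that ACK."""
    if synack.ack != syn_seq + 1:
        return Segment(src, "RST", seq=synack.ack)
    return Segment(src, "ACK", seq=syn_seq + 1, ack=synack.seq + 1)


def simulate():
    """Replays a genuine client and a spoofed source; returns (label, verdict) pairs."""
    fw = TcpSourceAuth(whitelist_ttl=60.0, challenge_ttl=5.0)
    verdicts = []
    # Genuine client 192.0.2.10 (constructed): the first SYN is challenged ...
    v, challenge = fw.on_syn(Segment("192.0.2.10", "SYN", seq=1000), now=0.0)
    verdicts.append(("client-syn-1", v))
    # ... it answers the wrong SYN-ACK with an RST and is whitelisted ...
    rst = real_client_reply("192.0.2.10", 1000, challenge)
    verdicts.append(("client-rst", fw.on_rst(rst, now=0.1)))
    # ... and its retransmitted SYN is forwarded to the server.
    v, _ = fw.on_syn(Segment("192.0.2.10", "SYN", seq=1000), now=1.0)
    verdicts.append(("client-syn-2", v))
    # Spoofed source 203.0.113.7 (constructed): the SYN is challenged and nothing comes back.
    v, _ = fw.on_syn(Segment("203.0.113.7", "SYN", seq=5000), now=1.5)
    verdicts.append(("spoofed-syn", v))
    # An RST whose sequence number does not match the challenge proves nothing.
    verdicts.append(("unmatched-rst", fw.on_rst(Segment("203.0.113.7", "RST", seq=42), now=2.0)))
    # After the whitelist entry expires, the genuine client is authenticated again.
    v, _ = fw.on_syn(Segment("192.0.2.10", "SYN", seq=7000), now=61.0)
    verdicts.append(("client-syn-after-expiry", v))
    return verdicts


if __name__ == "__main__":
    for label, verdict in simulate():
        print(f"{label}: {verdict}")
```

The point the NOTE above makes is visible in the model: if a device between the client and the NGFW discards the RST (or the SYN-ACK), the genuine client never reaches the whitelist and every SYN it sends is dropped, so source detection cannot be used on such a path.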

  • UDP flood defense mechanism
    • UDP fingerprint learning

      UDP flood attack packets generally share common features, such as the same character string or content. Therefore, UDP fingerprint learning can be used to defend against UDP flood attacks.

      As shown in Figure 12-45, when the UDP traffic exceeds a specific threshold, fingerprint learning is triggered. The NGFW dynamically generates fingerprints based on the characteristics of attack packets and then discards the packets matching the fingerprints.

      Figure 12-45 UDP fingerprint learning
    • Rate limit

      The NGFW can limit the rate of UDP packets destined for the same destination IP address and discard excess UDP packets to prevent network congestion.

      The rate limit technique cannot distinguish normal packets from attack packets. Therefore, it is recommended that the rate limit technique be used only when UDP fingerprint learning and UDP-TCP association fail to defend against UDP flood attacks.

  • ICMP flood defense mechanism

    If the number of ICMP packets destined for the same IP address exceeds the specified threshold, the NGFW discards all follow-up packets to ensure the server availability.

  • DNS request flood defense mechanism
    • Defense mechanism (against cache server attacks)

      The DNS server supports queries over both TCP and UDP, but most queries use UDP. UDP is connectionless and therefore faster and lighter than TCP. However, a DNS server can be configured to require TCP: when it receives a query from a client, it replies with a message whose TC flag is set to 1, indicating that TCP must be used. The NGFW uses this mechanism to defend against DNS flood attacks on the cache server. Figure 12-46 shows the procedure of source authentication by the DNS cache server.

      Figure 12-46 Source authentication by the DNS cache server

      During source authentication, the NGFW instructs the client to send TCP DNS request packets to check the validity of source IP addresses. This implementation consumes the TCP connection resources of the DNS cache server.

      Source authentication in this mode effectively defends against DNS request attacks on the DNS cache server. However, it does not apply to all scenarios on live networks because not all clients can send TCP DNS requests. If a client cannot send TCP DNS requests, the client's requests cannot be served.

    • Defense mechanism (for authoritative servers)

      Source authentication by the authoritative server, also called the redirection mode, can be used to defend against DNS request flood attacks. To minimize false positives and avoid slowing down response to legitimate requests, the NGFW implements redirection only on source IP addresses that request targeted domain names.

      As shown in Figure 12-47, the NGFW collects statistics on DNS requests by destination address and enables redirection when the transmission rate of DNS request packets exceeds a specified threshold.
      1. The NGFW returns an alias address to the source address. If the source address is forged, no reply will be received; the source address is then considered illegitimate, and the packet is discarded.
      2. If the source address is real, the DNS client sends a DNS request for the alias address. The source address passes the authentication, and the NGFW whitelists it.
      3. The NGFW then redirects the client to the correct address. When the source requests the correct address, the request matches the whitelist and is forwarded to the authoritative server.
        Figure 12-47 Source authentication by the authoritative server
  • Working mechanism of DNS reply flood defense

    Upon receiving a DNS reply packet, the NGFW constructs a DNS request probe packet with a new Query ID and source port. The source responds to the probe packet with a DNS reply packet. Then the NGFW compares the Query ID and source port in the DNS reply packet with those in the DNS request packet. If they match, the source IP address is whitelisted. Figure 12-48 shows the procedure of source authentication for preventing DNS reply flood attacks.

    Figure 12-48 Source authentication for preventing DNS reply flood attacks
  • HTTP flood defense mechanism
    • Source authentication by application protocol (basic)

      This mode prevents access from non-browser clients. If a zombie tool does not support the complete HTTP protocol stack, it does not support automatic redirection and will fail to be authenticated. However, browsers support automatic redirection and can be authenticated. Figure 12-49 shows the process.

      Figure 12-49 Basic source detection

      If an HTTP proxy server is deployed on a network, the NGFW whitelists the IP address of the proxy server if the proxy server passes source authentication once. Zombie hosts can use this proxy server to bypass authentication. To resolve this problem, enable the proxy detection function to check whether the HTTP request is proxied. If yes, the NGFW obtains the real source IP address of the HTTP packet. If this IP address is authenticated, the NGFW whitelists this address and the IP address of the proxy server. For non-whitelisted source addresses that use the same proxy server, the NGFW implements source authentication to prevent HTTP flood attacks.

    • Verification code authentication (advanced)
      Some zombie tools can implement redirection or use free proxies to support redirection. As a result, source authentication in basic mode does not achieve the desired defense effect. To resolve this problem, enable advanced source authentication to push verification codes to users. In this case, the user can enter the verification code to check whether the HTTP access is initiated by a real user because zombies are automatically implanted into the PCs and cannot respond to random verification codes. To avoid affecting user experience, implement this mode only on abnormal sources. Figure 12-50 shows the procedure of verification code-based source authentication.
      Figure 12-50 Verification code authentication

      Verification code-based source authentication does not apply to certain mobile networks or scenarios where the STB provides VoD services, because STB clients or clients that use some mobile networks do not support verification codes. In these scenarios, enable 302 redirect mode.

    • 302 redirect mode

      The redirection function of the basic mode redirects only the entire web page, but not specific to embedded resources, such as images. If the requested web page is not hosted on the same server as the embedded resource and the server that hosts the embedded resource experiences an error, enable 302 redirect for the server hosting the embedded resource to detect whether the source is a real browser. Real browsers support automatic redirection without compromising user experience.

  • HTTPS flood defense mechanism

    To defend against HTTPS flood attacks, enable source authentication on the NGFW. The NGFW collects statistics on the rate of HTTPS request packets by destination address and starts source authentication when the rate reaches a specified threshold. Figure 12-51 shows the procedure of HTTPS source authentication.

    Figure 12-51 HTTPS source authentication
  • SIP flood defense mechanism
    The OPTIONS method is used by the two parties to query the method, content type, and extension supported by each other. The SIP source authentication function of a firewall sends an OPTIONS request packet to verify whether the source IP address exists. If it exists, the source will reply, and the firewall will verify the reply. If the reply is in response to the OPTIONS packet, the firewall permits the traffic and whitelists this IP address. If the reply is not in response to the OPTIONS packet, the firewall discards all packets from this IP address. Figure 12-52 shows the procedure of source authentication in SIP flood attack defense.
    Figure 12-52 SIP source authentication

Single-Packet Attack Defense

Single-packet attacks are classified as scanning and sniffing attacks, malformed packet attacks, or special packet attacks.

  • Scanning attacks
    Scanning attacks are potential attack behaviors that do not directly damage network devices. Generally, they are network probes that occur before the real attack is delivered. The NGFW can be used to defend against the scanning attacks in Table 12-79.

    Table 12-79 Scanning attacks

    Address sweeping
      Attack mechanism: Address sweeping attacks use ICMP packets or TCP/UDP packets to initiate connections to certain IP addresses. By analyzing the response packets, the attacker can determine which target systems are alive and connected to the target network.
      Defense mechanism: After IP address sweeping attack defense is enabled, the NGFW inspects received TCP, UDP, and ICMP packets. If the number of packets with different destination IP addresses from a specific source IP address per second exceeds the threshold, the NGFW determines that the host at this IP address is launching an IP address sweeping attack and blacklists the IP address.

    Port scanning
      Attack mechanism: The attacker uses port scanning to probe the network topology and locate the ports currently open on the target, and uses this information to choose the attack mode. In port scanning attacks, the attacker generally uses port scanning software to initiate connections to a series of TCP or UDP ports on a wide range of hosts. By analyzing the response packets, the attacker can determine whether these hosts provide services on these ports.
      Defense mechanism: After port scanning attack defense is enabled, the NGFW inspects received TCP and UDP packets. If the number of packets with different destination ports from a specific source IP address per second exceeds the threshold, the NGFW determines that the host at this IP address is launching a port scanning attack and blacklists the IP address.
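The two rules in Table 12-79 are cardinality counters keyed by source address and second. The following is an added detection example written for this page, not the NGFW's implementation: address sweeping is counted as distinct destination addresses seen over TCP, UDP and ICMP, port scanning as distinct TCP/UDP destination ports, and a source that crosses either threshold is blacklisted for a hold time. The thresholds, the hold time, the per-second bucketing, and the flow records are assumptions constructed for the example.

```python
"""Address sweeping and port scanning detection by per-source counting (added example)."""
from collections import defaultdict

# Constructed flow records: (time in seconds, src, dst, protocol, destination port).
FLOWS = [
    (0.0, "192.0.2.1", "10.0.0.10", "tcp", 443),   # ordinary client traffic
    (0.1, "192.0.2.1", "10.0.0.10", "tcp", 443),
    (0.2, "192.0.2.1", "10.0.0.11", "tcp", 443),
] + [(0.3 + i * 0.01, "198.51.100.5", f"10.0.0.{i}", "icmp", 0) for i in range(1, 13)] \
  + [(1.0 + i * 0.01, "203.0.113.9", "10.0.0.10", "tcp", 20 + i) for i in range(12)] \
  + [(1.5, "198.51.100.5", "10.0.0.50", "tcp", 22)]   # from a source already blacklisted


class ScanDetector:
    def __init__(self, sweep_threshold=10, portscan_threshold=10, hold_time=300.0):
        self.sweep_threshold = sweep_threshold
        self.portscan_threshold = portscan_threshold
        self.hold_time = hold_time
        self.blacklist = {}   # src -> release time
        # src -> [current second, distinct destination addresses, distinct destination ports]
        self.state = defaultdict(lambda: [-1, set(), set()])
        self.log = []

    def observe(self, ts, src, dst, proto, dport):
        """Returns the verdict for one packet: "permit" or "drop"."""
        if src in self.blacklist:
            if ts < self.blacklist[src]:
                return "drop"
            del self.blacklist[src]   # hold time elapsed
        st = self.state[src]
        if int(ts) != st[0]:          # statistics are kept per second
            st[0], st[1], st[2] = int(ts), set(), set()
        if proto in ("tcp", "udp", "icmp"):
            st[1].add(dst)            # address sweeping: TCP, UDP and ICMP count
        if proto in ("tcp", "udp"):
            st[2].add(dport)          # port scanning: TCP and UDP count
        reason = None
        if len(st[1]) > self.sweep_threshold:
            reason = "address sweeping"
        elif len(st[2]) > self.portscan_threshold:
            reason = "port scanning"
        if reason:
            self.blacklist[src] = ts + self.hold_time
            self.log.append(f"t={ts:.2f} blacklist {src}: {reason}")
            return "drop"
        return "permit"


def run(flows=FLOWS, **kwargs):
    """Replays the flows in time order; returns (verdicts, log, blacklisted sources)."""
    det = ScanDetector(**kwargs)
    verdicts = [det.observe(*f) for f in sorted(flows)]
    return verdicts, det.log, sorted(det.blacklist)


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

With the default thresholds of 10, the ICMP sweep is blacklisted on its eleventh distinct destination and the TCP scan on its eleventh distinct port; the later packet from the swept source is dropped without any further counting because the hold time has not elapsed.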

  • Malformed packet attacks
    In malformed packet attacks, the attacker sends defective packets to a target. The target may encounter errors or crash when handling such packets. The NGFW can be used to defend against the malformed packet attacks in Table 12-80.

    Table 12-80 Malformed packet attacks

    IP spoofing
      Attack mechanism: IP spoofing is a common type of attack and is usually used as the basis of other attacks. It is made possible by the design of the IP protocol: an IP packet is forwarded based on the destination address in the IP header. If the destination of the IP packet is within the subnet, the packet is sent directly to its destination; if the destination is outside the subnet, the packet is forwarded to the gateway. The gateway does not check the source address in the packet and assumes the packet comes from that source. Attackers may send packets with forged source IP addresses to target hosts to obtain superior access and control permissions, endangering target host resources and causing information leaks.
      Defense mechanism: After IP spoofing attack defense is enabled, the NGFW looks up the route to the source IP address of each received packet and checks whether the outbound interface for that source IP address in the routing table is the same as the inbound interface of the packet. If they are different, the NGFW discards the packet and logs the attack.

    IP fragment detection
      Attack mechanism: The DF and MF flags in the IP packet header are used for fragment control. Attackers send fragments with invalid control flags, so that the host fails to receive packets correctly. This causes abnormal packet processing, and the host crashes.
      Defense mechanism: After the IP fragment detection function is enabled, the device checks the packet control flags. Attack logs are recorded if any of the following conditions is met:
      • Both the DF and MF flags are 1.
      • The DF flag is 1 and the fragment offset is greater than 0.
      • The DF flag is 0 and the sum of the fragment offset (in bytes) and the length field exceeds 65535 bytes.

    Teardrop
      Attack mechanism: To comply with the Maximum Transmission Unit (MTU) of the link layer, the NGFW fragments each large IP packet into several small IP packets during transmission. Each fragment header has an offset field and an MF flag bit; the offset field records the position of the fragment in the large packet. After obtaining IP packets, the attacker changes the values in the offset fields. The receiver then cannot correctly reassemble the fragments according to their offset fields, repeats the reassembly attempts, and the operating system crashes due to resource exhaustion.
      Defense mechanism: After Teardrop attack defense is enabled, the NGFW analyzes received fragments and checks whether the fragment offset is correct. If the offset is incorrect, the NGFW discards the packets and logs the attack.

    Smurf
      Attack mechanism: A simple Smurf attack targets a single network. The attacker broadcasts ICMP echo requests to all hosts on the target network, so that all hosts reply to the echo request and the network is congested. The traffic of this attack is one or two times heavier than the traffic of a large ping packet. An advanced Smurf attack targets a single host. The attacker changes the source address of the ICMP echo request packet to the address of the target host, so hosts on the network send their replies to the target host, causing it to crash. To launch a real attack, sufficient packets and time are necessary. Theoretically, the more hosts on the network, the more obvious the attack effect.
      Defense mechanism: After Smurf attack defense is enabled, the NGFW checks whether the destination IP address of ICMP request packets is the broadcast address of a Class A, B, or C network. If yes, the NGFW discards the packets and logs the attack.

    Ping of Death
      Attack mechanism: Ping of Death uses oversized ICMP packets to attack operating systems. The Length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data length of an ICMP echo request packet is more than 65515 bytes, the sum of the ICMP data length, the IP header length (20 bytes), and the ICMP header length (8 bytes) exceeds 65535 bytes. After receiving such packets, some routers or systems crash, stop responding, or restart due to improper processing. An attacker can crash the TCP/IP stack on target hosts, and therefore the hosts themselves, simply by running the ping command to continuously send packets larger than 65535 bytes.
      Defense mechanism: After Ping of Death attack defense is enabled, the NGFW checks whether the packet size is greater than 65535 bytes. If yes, the NGFW discards the packets and logs the attack.

    Fraggle
      Attack mechanism: If a UDP port (usually port 19) on which the Chargen service is running receives a data packet, the port replies with a character string. If a UDP port (usually port 7) on which the Echo service is running receives a data packet, it simply replies with the data content of the packet. Attackers may use these two services to launch Fraggle attacks, leaving the victim systems busy and the links congested.
      An attacker sends UDP packets to the network where the target host resides. The source IP address of each UDP packet is the IP address of the target host, the destination IP address is the broadcast address or network address of the subnet where the target host resides, and the destination port is port 7 or port 19. Every system on the subnet that runs these services sends a response to the target host. Heavy traffic is generated and the bandwidth is exhausted, congesting the target network or crashing the target host.
      Systems without these services also return ICMP unreachable messages, consuming bandwidth. If the attacker sets the source port to 19 and the destination port to 7, a large number of response packets are generated continuously and the damage is multiplied.
      Defense mechanism: After Fraggle attack defense is enabled, the NGFW inspects received UDP packets. If the destination port number is 7 or 19, the NGFW discards the packets and logs the attack.

    WinNuke
      Attack mechanism: A WinNuke attack is also called an out-of-band (OOB) transmission attack. The attacked port is usually port 139 and the URG flag bit is 1 (indicating urgent mode). The WinNuke attack exploits vulnerabilities of the Windows operating system: the attacker sends TCP out-of-band packets to the port whose urgent pointer fields are inconsistent with the actual locations of the data, which causes overlapping, and the Windows operating system crashes when processing the data. The attacker may also send IGMP fragments that the operating system cannot process, which likewise causes it to crash.
      Defense mechanism: After WinNuke attack defense is enabled, the NGFW discards packets with destination port 139, the URG flag set to 1, and a non-null URG pointer, and logs the attack.
      In addition, when IGMP fragments are received, the device considers that a WinNuke attack is occurring, discards the fragments, and logs the attack.

    Land
      Attack mechanism: Land attacks are also called loopback attacks. The attacker sends a SYN packet with the same source and destination IP addresses, or with a loopback source IP address (and the source port equal to the destination port), to the target host. As a result, the attacked host sends a SYN-ACK message to its own IP address, and a large number of empty connections are established. Attacked hosts react differently to Land attacks: UNIX hosts crash and Windows NT hosts slow down.
      Defense mechanism: After Land attack defense is enabled, the NGFW checks whether the source and destination IP addresses of TCP packets are the same, or whether the source IP address is a loopback address. If yes, the NGFW discards the packets and logs the attack.

    TCP flag validity check
      Attack mechanism: A TCP packet has the following flag bits: URG, ACK, PSH, RST, SYN, and FIN. The attacker sends a large number of illegitimate packets with combinations of these flag bits. The attacked host must identify these packets, which degrades host performance. Certain operating systems fail to process the packets normally, or the host may crash.
      Defense mechanism: After TCP packet flag bit attack defense is enabled, the NGFW checks the flag bits of each TCP packet. The NGFW discards the packet and logs the attack if any of the following conditions occurs:
      • All flag bits are set to 1.
      • All flag bits are set to 0.
      • Both the SYN bit and the FIN bit are set to 1.
      • Both the SYN bit and the RST bit are set to 1.
      • The FIN bit is set to 1 and the ACK bit to 0.
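Most of the "Defense Mechanism" entries in Table 12-80 are stateless checks on a few header fields, so they can be written as one validator. The following is an added example for this page, not the NGFW's own code: it applies the IP fragment flag rules, the classful broadcast test for Smurf, UDP ports 7 and 19 for Fraggle, port 139 with URG for WinNuke (plus IGMP fragments), the same-address or loopback-source test for Land, and the five TCP flag combinations literally as the table states them, and implements the IP spoofing rule as a reverse-path lookup in a small assumed routing table. Header fields are carried in a dataclass rather than parsed from bytes, and every sample packet, interface name and route is constructed for the example.

```python
"""Stateless single-packet checks for the malformed packet attacks in Table 12-80 (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed routing table for the reverse-path check: network -> outbound interface.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "trust",    # intranet behind the NGFW
    ipaddress.ip_network("0.0.0.0/0"): "untrust",   # everything else: Internet side
}
TCP_FLAGS = frozenset({"URG", "ACK", "PSH", "RST", "SYN", "FIN"})


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "igmp"
    iface: str                      # interface the packet arrived on
    df: int = 0
    mf: int = 0
    frag_offset: int = 0            # fragment offset field, in 8-byte units
    length: int = 60                # IP total length in bytes
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names that are set
    urg_ptr: int = 0
    icmp_type: int = 0


def route_iface(addr):
    """Longest-prefix lookup of the outbound interface for an address."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def is_classful_broadcast(addr):
    """True for the directed broadcast address of the Class A, B or C network containing addr."""
    v = int(ipaddress.IPv4Address(addr))
    first = v >> 24
    host_bits = 24 if first < 128 else 16 if first < 192 else 8 if first < 224 else None
    return host_bits is not None and v & ((1 << host_bits) - 1) == (1 << host_bits) - 1


def check(p):
    """Returns the list of Table 12-80 attack names the packet matches (empty if clean)."""
    hits = []
    if route_iface(p.src) != p.iface:                       # IP spoofing: reverse-path mismatch
        hits.append("ip-spoofing")
    if (p.df and p.mf) or (p.df and p.frag_offset > 0) or \
       (not p.df and p.frag_offset * 8 + p.length > 65535):  # the three fragment conditions
        hits.append("ip-fragment")
    if p.proto == "icmp" and p.icmp_type == 8 and is_classful_broadcast(p.dst):
        hits.append("smurf")
    if p.proto == "udp" and p.dport in (7, 19):
        hits.append("fraggle")
    if p.proto == "tcp" and p.dport == 139 and "URG" in p.flags and p.urg_ptr != 0:
        hits.append("winnuke")
    if p.proto == "igmp" and (p.mf or p.frag_offset > 0):
        hits.append("winnuke")                              # IGMP fragments are treated as WinNuke
    if p.proto == "tcp" and (p.src == p.dst or ipaddress.ip_address(p.src).is_loopback):
        hits.append("land")
    if p.proto == "tcp":
        f = set(p.flags)
        if (f == TCP_FLAGS or not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f
                or ("FIN" in f and "ACK" not in f)):
            hits.append("tcp-flags")
    return hits


def run_samples():
    """Constructed sample packets; returns {label: hits}."""
    samples = {
        "normal-syn": Pkt("198.51.100.1", "10.0.0.5", "tcp", "untrust", dport=80, flags=frozenset({"SYN"})),
        "intranet-src-from-outside": Pkt("10.0.0.9", "10.0.0.5", "tcp", "untrust", dport=80, flags=frozenset({"SYN"})),
        "df-and-mf": Pkt("198.51.100.1", "10.0.0.5", "udp", "untrust", df=1, mf=1, dport=53),
        "echo-to-broadcast": Pkt("198.51.100.1", "10.255.255.255", "icmp", "untrust", icmp_type=8),
        "udp-to-chargen": Pkt("198.51.100.1", "10.0.0.5", "udp", "untrust", dport=19),
        "urg-to-139": Pkt("198.51.100.1", "10.0.0.5", "tcp", "untrust", dport=139, flags=frozenset({"URG", "ACK"}), urg_ptr=3),
        "same-src-dst": Pkt("10.0.0.5", "10.0.0.5", "tcp", "trust", sport=80, dport=80, flags=frozenset({"SYN"})),
        "syn-fin": Pkt("198.51.100.1", "10.0.0.5", "tcp", "untrust", dport=80, flags=frozenset({"SYN", "FIN"})),
    }
    return {label: check(p) for label, p in samples.items()}
```

Ping of Death is not listed separately because the third fragment condition (offset plus length above 65535 bytes) already covers it; Teardrop needs per-datagram fragment state and is left out of this stateless check.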
  • Special packet control attacks
    Special packet control attacks do not directly damage network devices. The attacker probes the network topology by sending special packets, preparing for further intrusion. The NGFW can be used to defend against the special packet control attacks in Table 12-81.

    Table 12-81 Special packet control attacks

    Oversized ICMP packet control
      Attack mechanism: Legitimate ICMP packets are typically not very large. If oversized ICMP packets are detected on the network, attacks such as ICMP flood or Ping of Death may be occurring.
      Defense mechanism: You must specify the length threshold of legitimate ICMP packets when enabling control over oversized ICMP packets. If the length of a received ICMP packet exceeds the specified threshold, the NGFW discards the packet and logs the attack.

    ICMP unreachable packet control
      Attack mechanism: After receiving an ICMP packet indicating that a network or host is unreachable, some systems directly regard subsequent packets destined for that IP address as unreachable and terminate the connection between the destination IP address and the host. The attacker can therefore forge ICMP unreachable packets to break the connections between targets and destinations.
      Defense mechanism: After ICMP unreachable packet attack defense is enabled, the NGFW discards ICMP unreachable packets and logs the attack.

    ICMP redirect packet control
      Attack mechanism: A network device sends an ICMP redirect packet to hosts on the same subnet, requesting the hosts to change their route. Generally, the NGFW sends ICMP redirect packets only to hosts on the same subnet. Malicious attackers, however, may send fraudulent redirect packets to hosts on another network to change the routing tables of those hosts and interfere with normal IP packet forwarding.
      Defense mechanism: After ICMP redirect packet attack defense is enabled, the NGFW discards ICMP redirect packets and logs the attack.

    Tracert
      Attack mechanism: In a Tracert packet attack, the attacker discovers the path between the source and destination hosts using the ICMP timeout packets returned when the TTL reaches 0 and the ICMP port unreachable packet returned by the destination.
      Defense mechanism: After Tracert packet attack defense is enabled, the NGFW discards ICMP or UDP timeout packets and destination port unreachable packets, and logs the attack.

    IP source route packet control
      Attack mechanism: The transmission path of an IP packet is normally determined by the routers on the network according to the destination address of the packet. The source route option also lets the packet sender determine the transmission path: it allows the source to specify a route to the destination and override the routes chosen by intermediate routers. The source route option is generally used to diagnose faults on network paths and to temporarily carry special services. Malicious attackers may use it to probe the network structure, because it bypasses the normal forwarding decisions of the devices along the path, regardless of the working status of their forwarding interfaces.
      Defense mechanism: After IP source route packet control is enabled, the NGFW checks whether the IP source route option is set in each received packet. If yes, the NGFW discards the packet and logs the attack.

    IP route record packet control
      Attack mechanism: The IP route record option is used to record the transmission path of an IP packet from the source IP address to the destination IP address. The path is a list of the routers that processed the packet. The IP route record option is generally used to diagnose faults on network paths, but may also be used by malicious attackers to probe the network topology.
      Defense mechanism: After IP route record packet control is enabled, the NGFW checks whether the IP route record option is set in each received packet. If yes, the NGFW discards the packet and logs the attack.

    IP timestamp packet control
      Attack mechanism: The IP timestamp option in an IP packet is used to record the transmission path of the packet from the source IP address to the destination IP address and the time spent in transmission. The path is a list of the routers that processed the packet. The IP timestamp option is generally used to diagnose faults on network paths, but may also be used by malicious attackers to probe the network topology.
      Defense mechanism: After IP timestamp packet control is enabled, the NGFW checks whether the IP timestamp option is set in each received packet. If yes, the NGFW discards the packet and logs the attack.
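Every entry in Table 12-81 is decided by either an IPv4 header option or an ICMP type, so the natural defender's tool is a small header parser. The following is an added example for this page, not the NGFW's own code: it walks the IPv4 option list (RFC 791 layout: a type byte, a length byte and data, with NOP and End-of-list as single bytes), reports the record route (7), timestamp (68), loose source route (131) and strict source route (137) options, and then inspects the ICMP type for unreachable (3), redirect (5) and time exceeded (11) messages, treating time exceeded and port unreachable as the Tracert case and comparing the total length with a configured ICMP length threshold. The builder writes a zero checksum, the threshold of 1024 bytes is an assumed value, and all packets are constructed for the example.

```python
"""IPv4 option and ICMP type checks for the controls in Table 12-81 (added example)."""
import ipaddress
import struct

IP_OPTIONS = {7: "record-route", 68: "timestamp", 131: "loose-source-route", 137: "strict-source-route"}


def parse_ipv4(raw):
    """Returns (header dict, list of option type codes, payload bytes); raises on malformed input."""
    if len(raw) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw) or total_len > len(raw):
        raise ValueError("bad IPv4 header")
    options, i = [], 20
    while i < ihl:
        kind = raw[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= ihl or raw[i + 1] < 2 or i + raw[i + 1] > ihl:
            raise ValueError("malformed option length")
        options.append(kind)
        i += raw[i + 1]
    hdr = {"proto": proto, "total_len": total_len,
           "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}
    return hdr, options, raw[ihl:total_len]


def classify(raw, icmp_max_len=1024):
    """Returns the Table 12-81 control names the packet triggers (empty if none)."""
    hdr, options, payload = parse_ipv4(raw)
    hits = [IP_OPTIONS[k] for k in options if k in IP_OPTIONS]
    if hdr["proto"] == 1 and len(payload) >= 8:         # ICMP with a complete 8-byte header
        icmp_type, code = payload[0], payload[1]
        if hdr["total_len"] > icmp_max_len:
            hits.append("oversized-icmp")
        if icmp_type == 3:
            hits.append("icmp-unreachable")
        if icmp_type == 5:
            hits.append("icmp-redirect")
        if icmp_type == 11 or (icmp_type == 3 and code == 3):
            hits.append("tracert")                       # time exceeded or port unreachable
    return hits


def build_ipv4(src, dst, proto, payload, options=b""):
    """Constructs an IPv4 packet (checksum left zero) with an optional option list."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad the option list to a 32-bit boundary
    ihl_words = (20 + len(opts)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(payload),
                      1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opts + payload


def samples():
    """Constructed packets, one per control in the table."""
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"abcdefgh"        # ICMP echo request, 16 bytes
    record_route = bytes([7, 39, 4]) + b"\x00" * 36             # record route with nine empty slots
    loose_src = bytes([131, 7, 4]) + ipaddress.IPv4Address("10.0.0.254").packed
    timestamp = bytes([68, 12, 5, 0]) + b"\x00" * 8
    s, d = "198.51.100.1", "10.0.0.5"
    return {
        "plain-echo": build_ipv4(s, d, 1, echo),
        "record-route": build_ipv4(s, d, 1, echo, record_route),
        "loose-source-route": build_ipv4(s, d, 1, echo, loose_src),
        "timestamp": build_ipv4(s, d, 1, echo, timestamp),
        "redirect": build_ipv4(s, d, 1, bytes([5, 1, 0, 0]) + b"\x00" * 32),
        "time-exceeded": build_ipv4(s, d, 1, bytes([11, 0, 0, 0, 0, 0, 0, 0]) + b"\x00" * 28),
        "port-unreachable": build_ipv4(s, d, 1, bytes([3, 3, 0, 0, 0, 0, 0, 0]) + b"\x00" * 28),
        "oversized-echo": build_ipv4(s, d, 1, echo[:8] + b"\x00" * 2000),
    }


def run_samples():
    return {label: classify(raw) for label, raw in samples().items()}
```

A packet with a corrupt option length raises rather than being silently classified; in a real data path that error is itself a drop-and-log decision, since a header the parser cannot walk should never be forwarded on the assumption that it is harmless.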

Updated: 2019-05-17

Document ID: EDOC1100011877