NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring IPv4 Protocol Stack Security

By controlling ICMP packets and IP packets that carry route options, you can effectively defend against attacks that are launched by sending these packets on the network.

Usage Scenario

The route options in an IP packet can be used to diagnose link faults and to temporarily transmit special services. Network attackers may use packets carrying route options to probe the network structure and launch attacks. Therefore, by configuring whether IP packets carrying route options are processed, you can effectively defend against attacks launched by sending these packets.

Network attackers perform scanning by using various types of packets, and devices reply to these packets with ICMP packets. Attackers then obtain network information from the ICMP replies and launch attacks on the network. In addition, the devices are kept busy sending ICMP packets, which affects the transmission of normal service packets. By controlling the sending and receiving of ICMP packets, you can effectively defend against attacks launched by sending these packets.

Pre-configuration Tasks

Before configuring IPv4 protocol stack security, configure link layer protocol parameters for the interfaces to ensure that the link layer protocol status of the interfaces is Up.

Configuration Procedures

Perform one or more of the following configurations as required.

Controlling the Processing of IP Packets Carrying Route Options

By preventing devices from processing IP packets that carry route options, you can effectively defend networks against attacks launched by sending these packets.

Context

IP packets can carry the following route options:
  • Route alert option

  • Record route option

  • Source route option

  • Timestamp option

These options are used to diagnose link faults and temporarily transmit special services. These options may also be utilized by network attackers to probe the network structure and launch attacks.

By default, routers process IP packets carrying route options. To defend networks against attacks launched by sending such packets, prevent the system from processing them.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run any of the following commands based on the route options:

    • Run undo ip option route-alert enable

      The system is disabled from processing IP packets carrying the route alert option.

    • Run undo ip option route-record enable

      The system is disabled from processing IP packets carrying the record route option.

    • Run undo ip option source-route enable

      The system is disabled from processing IP packets carrying the source route option.

    • Run undo ip option time-stamp enable

      The system is disabled from processing IP packets carrying the timestamp option.

  3. Run commit

    The configuration is committed.

Controlling ICMP Packets

By controlling the sending and receiving of ICMP packets, you can effectively defend against attacks launched by sending these packets.

Context

In the case of heavy traffic on a network, if hosts or ports frequently become unreachable, routers receive a large number of ICMP packets. As a result, the network is more heavily burdened and router performance deteriorates. In addition, most attackers use ICMP packets to launch attacks, for example by sending a large number of packets with a TTL value of 1, packets carrying options, or ICMP packets whose destination addresses are broadcast addresses.

Perform the following configurations to reduce traffic burdens over the network and defend against ICMP packet attacks:

Procedure

  • Control the sending and receiving of ICMP packets.

    1. Run system-view

      The system view is displayed.

    2. Run undo icmp receive or undo icmp send

      The sending or receiving of ICMP packets is disabled.

    3. Run commit

      The configuration is committed.

  • Control the source IP address of ICMP Port Unreachable or Time Exceeded messages in the loopback interface view.

    1. Run system-view

      The system view is displayed.

    2. Run interface loopback loopback-number

      The loopback interface view is displayed.

    3. Run ip icmp { ttl-exceeded | port-unreachable } source-address

      The source IP address of ICMP Port Unreachable or Time Exceeded messages is configured.

    4. Run commit

      The configuration is committed.

Setting the Timeout Period for the Reassembly Queue

To improve router performance and protect against network attacks, configure a proper reassembly timeout period so that reassembly queues that have waited a long time for all fragments to arrive can be aged out in time.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipv4 reassembling timeout time

    The timeout period of IPv4 fragment reassembly is set.

    The value of time ranges from 5 to 120, in seconds. Using the default value of 30 seconds is recommended.

  3. (Optional) Run reset ip reassembly

    The fragment and reassembly data are initialized.

Configuring IP Source Address Check

This section describes how to configure IP source address check to protect routers against network attacks.

Usage Scenario

By default, an interface does not check the validity of the source address of received packets, because in practice a broadcast or multicast address may be used as the source address. However, hackers may use a broadcast or multicast address as the source address to launch a network attack. You can enable source address validity check to filter such illegitimate packets and improve device security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run ip verify source-address

    Source address validity check is enabled on the interface, and the interface will drop packets with an illegitimate source address.
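The following Python is an added illustration, not code from this guide or from the NE20E-S2, of what the two interface-level checks above decide: the four route options that the undo ip option commands stop the system from processing (Router Alert type 148, Record Route 7, Loose and Strict Source Route 131 and 137, Timestamp 68, per RFC 791 and RFC 2113) and the source validity check enabled by ip verify source-address. It assumes the source check rejects only multicast and limited-broadcast sources, names the drop reasons after the counters of display ip statistics, and builds its own sample headers.

```python
import ipaddress
import struct
# IPv4 option type codes (RFC 791, RFC 2113) for the four options the guide lets you disable
OPTION_TYPES = {
    148: "route-alert",   # Router Alert
    7: "route-record",    # Record Route
    131: "source-route",  # Loose Source and Record Route
    137: "source-route",  # Strict Source and Record Route
    68: "time-stamp",     # Internet Timestamp
}
ALL_OPTIONS = frozenset(OPTION_TYPES.values())  # default: every option type is processed

def build_ipv4(src, dst, options=b""):
    """Constructed sample input: minimal IPv4 header, no payload, checksum left 0."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options

def parse_options(opts):
    """Yield the type code of each option in the IPv4 options field."""
    i = 0
    while i < len(opts) and opts[i] != 0:          # type 0 = End of Option List
        if opts[i] == 1:                           # type 1 = No Operation, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        yield opts[i]
        i += opts[i + 1]

def check_packet(pkt, enabled=ALL_OPTIONS, verify_source=False):
    """Return None to accept the packet, else the drop reason (named like the guide's counters)."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return "bad format"
    src = ipaddress.IPv4Address(pkt[12:16])
    # Assumption: ip verify source-address rejects multicast and limited-broadcast sources
    if verify_source and (src.is_multicast or src.packed == b"\xff\xff\xff\xff"):
        return "illegitimate source %s" % src
    try:
        for t in parse_options(pkt[20:ihl]):       # enabled = option types still processed
            name = OPTION_TYPES.get(t)
            if name and name not in enabled:
                return "discard " + name
    except ValueError:
        return "bad options"
    return None
```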

Verifying the Configuration of IPv4 Protocol Stack Security

After configuring IPv4 protocol stack security, verify the configuration.

Prerequisites

IPv4 protocol stack security has been configured.

Procedure

  • Run the display icmp statistics [ interface interface-type interface-num ] command to check ICMP traffic statistics.
  • Run the display ip statistics command to check IP traffic statistics.

Example

Run the display icmp statistics command. The command output shows ICMP traffic statistics.

<HUAWEI> display icmp statistics
Input:  bad format      0          bad checksum              0   
        echo                 0          destination unreachable   0   
        source quench        0          redirects                 0   
        echo reply           0          parameter problem         0   
        timestamp request    0          information request       0   
        mask requests        0          mask replies              0   
        time exceeded        0          timestamp reply           0   
        Mping request        0          Mping reply               0   
Output: echo                 0          destination unreachable   132360   
        source quench        0          redirects                 0   
        echo reply           0          parameter problem         0   
        timestamp request    0          information reply         0   
        mask requests        0          mask replies              0   
        time exceeded        0          timestamp reply           0
        Mping request        0          Mping reply               0   

Run the display ip statistics command. The command output shows IP traffic statistics.

<HUAWEI> display ip statistics
Input:        sum                2209077    local           528839    
              bad protocol       1150       bad format      0         
              bad checksum       43379      bad options     0         
              discard srr        0          discard rr      0         
              discard ra         0          discard ts      0         
              TTL exceeded       0         
Output:       forwarding         0          local           0         
              dropped            0          no route        0         
Fragment:     input              0          output          0         
              dropped            0          fragmented      0         
              couldn't fragment  0         
Reassembling: sum                0          timeouts        0
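To turn the two verification commands above into a routine check that also covers the ICMP flood and reassembly-timeout concerns of the earlier sections, here is an added Python parser for the two-column counter layout of display icmp statistics and display ip statistics, with a threshold pass over the parsed values; it is not part of the guide. The thresholds are assumptions to be tuned per link, and the embedded sample lines are excerpts of the output shown above.

```python
import re

SECTION_RE = re.compile(r"^(\w+):")
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z' ]*?)\s+(\d+)")

# Excerpts of the sample output shown above, embedded here as inline input
SAMPLE_ICMP = """\
Input:  bad format      0          bad checksum              0
        echo            0          destination unreachable   0
Output: echo            0          destination unreachable   132360
"""
SAMPLE_IP = """\
Input:        sum                2209077    local           528839
              bad checksum       43379      bad options     0
              discard srr        0          discard rr      0
              discard ra         0          discard ts      0
Reassembling: sum                0          timeouts        0
"""

def parse_statistics(text):
    """Parse the two-column counter layout into {(section, counter): value}."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:                        # Input:, Output:, Fragment:, Reassembling:
            section = m.group(1)
            line = line[m.end():]
        for name, value in PAIR_RE.findall(line):
            stats[(section, name.strip())] = int(value)
    return stats

# Assumed thresholds (not from the guide); tune them to the link's normal traffic
ICMP_THRESHOLDS = {
    ("Output", "destination unreachable"): 10000,  # many replies to unreachable hosts/ports
    ("Input", "bad checksum"): 1000,
}
IP_THRESHOLDS = {
    ("Input", "bad checksum"): 1000,
    ("Input", "discard srr"): 0,                   # any dropped source-routed packet
    ("Input", "discard rr"): 0,
    ("Input", "discard ra"): 0,
    ("Input", "discard ts"): 0,
    ("Reassembling", "timeouts"): 100,             # queues aged by ipv4 reassembling timeout
}

def flag_counters(stats, thresholds):
    """Return (section, counter, value) for each counter above its threshold."""
    return [(s, n, stats[(s, n)]) for (s, n), limit in thresholds.items()
            if stats.get((s, n), 0) > limit]
```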
Updated: 2019-01-02

Document ID: EDOC1100055376