NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring TCP/IP Attack Defense

Defense against TCP/IP attacks protects the CPU of the router against malformed packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that normal services can be processed.

Usage Scenario

Defense against TCP/IP attacks is applied to routers on the network edge and to other routers that are easily attacked by illegal TCP/IP packets. It protects the CPU of the router against malformed packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that normal services can be processed.

This feature is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring TCP/IP attack defense, configure the parameters of the link layer protocol and IP addresses for interfaces and ensure that the link layer protocol on the interfaces is Up.

Configuration Procedure

Figure 8-2 Flowchart for configuring defense against TCP/IP attacks

Creating an Attack Defense Policy

All local attack defense features must be added to an attack defense policy. These features take effect after the attack defense policy is applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    An attack defense policy is created.

  3. (Optional) Run description text

    The description of the attack defense policy is configured.

  4. Run commit

    The configuration is committed.

Follow-up Procedure

You must run the cpu-defend-policy command on the interface board to apply the attack defense policy to that board; the policy takes effect only after it has been applied.

Enabling Defense Against Malformed Packet Attacks

With defense against malformed packet attacks, the router checks the validity of received packets and filters out illegal packets, thus defending the CPU against attacks of IP packets with null load, null IGMP packets, LAND attack packets, Smurf attack packets, and packets with invalid TCP flag bits.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run abnormal-packet-defend enable

    Defense against malformed packet attacks is enabled.

    Defense against malformed packet attacks can defend against attacks of various malformed packets, including IP packets with null load, null IGMP packets, LAND attack packets, Smurf attack packets, and packets with invalid TCP flag bits.

  4. Run commit

    The configuration is committed.

Enabling Defense Against Fragmented Packet Attacks

Defense against fragmented packet attacks protects the CPU by restricting the sending rate of fragmented packets and ensuring the correctness of packet reassembly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run fragment-flood enable

    Defense against fragmented packet attacks is enabled.

  4. Run commit

    The configuration is committed.

Enabling Defense Against TCP SYN Flooding Attacks

The TCP SYN flooding attack is a denial-of-service attack. Defense against TCP SYN flooding attacks protects the CPU by restricting the rate at which packets are sent to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run tcpsyn-flood enable

    Defense against TCP SYN flooding attacks is enabled.

    The TCP SYN flooding attack is a denial-of-service attack in which an attacker floods the target host with TCP SYN packets so that the host becomes too busy to answer legitimate requests. In extreme cases, the target host hangs.

  4. Run commit

    The configuration is committed.

Enabling Defense Against UDP Packet Attacks

With defense against UDP packet attacks, the router can identify packets in Fraggle attacks and attack packets on UDP diagnosis ports according to the destination port of the received UDP packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run udp-packet-defend enable

    Defense against UDP packet attacks is enabled.

    Defense against UDP packet attacks protects the router against Fraggle attacks and UDP diagnosis port attacks. UDP packets with the destination port number being 7, 13, or 19 are regarded as malformed packets and directly discarded by the router.

  4. Run commit

    The configuration is committed.

Applying the Attack Defense Policy

The configured attack defense policy takes effect only after being applied to the interface board.

Context

The NE20E defines a default attack defense policy that cannot be modified or deleted. When the NE20E starts, this policy is automatically applied to the interface board; its settings are the default configuration of each feature. To apply a specific attack defense policy to an interface board, run the cpu-defend-policy policy-number command in the slot view of that board to bind the policy to it. If the cpu-defend-policy policy-number command is not run, the default attack defense policy remains applied to the interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run cpu-defend-policy policy-number

    The attack defense policy is applied to the interface board.

    You must apply the attack defense policy to the interface board; otherwise, the policy does not take effect.

    The attack defense policy specified by policy-number must be a configured one. Otherwise, the policy cannot be applied.

  4. Run commit

    The configuration is committed.

Verifying the TCP/IP Attack Defense Configuration

After defense against TCP/IP attacks is configured, you can view the statistics about it, including the total number of illegal TCP/IP packets, the number of legal TCP/IP packets, and the number of discarded packets.

Procedure

  1. Run the display cpu-defend tcpip-defend statistics [ slot slot-id ] command to view information about defense against TCP/IP attacks.

Example

Run the display cpu-defend tcpip-defend statistics command to view statistics about defense against TCP/IP attacks.

<HUAWEI> display cpu-defend tcpip-defend statistics
Slot/Intf Attack-Type              Total-Packets  Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3         Tcpip-defend                         0               0               0
--------------------------------------------------------------------------------
          Abnormal-packet                      0               0               0
          Udp-packet                           0               0               0
          Tcpsyn-packet                        0               0               0
--------------------------------------------------------------------------------
4         Tcpip-defend                         0               0               0
--------------------------------------------------------------------------------
          Abnormal-packet                      0               0               0
          Udp-packet                           0               0               0
          Tcpsyn-packet                        0               0               0
--------------------------------------------------------------------------------
6         Tcpip-defend                         0               0               0
--------------------------------------------------------------------------------
          Abnormal-packet                      0               0               0
          Udp-packet                           0               0               0
          Tcpsyn-packet                        0               0               0
--------------------------------------------------------------------------------
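As an added example (not part of the Huawei guide), the following Python script parses output in the format of display cpu-defend tcpip-defend statistics shown above and reports every slot and attack type whose Dropped-Packets counter is non-zero, which is the check an operator would script after enabling the policy. The sample output embedded in it is constructed, with made-up counters.

```python
import re
from collections import defaultdict

# Constructed sample in the format of "display cpu-defend tcpip-defend statistics";
# the non-zero counters are made up to exercise the check.
SAMPLE_OUTPUT = """\
Slot/Intf Attack-Type              Total-Packets  Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3         Tcpip-defend                      1500            1200             300
--------------------------------------------------------------------------------
          Abnormal-packet                      0               0               0
          Udp-packet                           0               0               0
          Tcpsyn-packet                     1500            1200             300
--------------------------------------------------------------------------------
4         Tcpip-defend                         0               0               0
--------------------------------------------------------------------------------
          Abnormal-packet                      0               0               0
          Udp-packet                           0               0               0
          Tcpsyn-packet                        0               0               0
--------------------------------------------------------------------------------
"""

# A data row: optional slot number, attack type, three integer counters. Header and separator lines do not match.
ROW = re.compile(r"^(\d+)?\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_tcpip_defend_stats(text):
    """Return {slot: {attack_type: {"total": n, "passed": n, "dropped": n}}}."""
    stats = defaultdict(dict)
    slot = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        slot_field, attack, total, passed, dropped = m.groups()
        if slot_field is not None:
            slot = int(slot_field)  # a slot row opens a new per-board block
        if slot is None:
            continue  # detail row before any slot row: truncated output, skip it
        stats[slot][attack] = {"total": int(total), "passed": int(passed), "dropped": int(dropped)}
    return dict(stats)

def find_drops(stats, min_dropped=1):
    """List (slot, attack_type, dropped) for detail rows with drops; the per-slot
    Tcpip-defend summary row is skipped so each event is reported once."""
    hits = []
    for slot in sorted(stats):
        for attack, c in stats[slot].items():
            if attack != "Tcpip-defend" and c["dropped"] >= min_dropped:
                hits.append((slot, attack, c["dropped"]))
    return hits
```

For the constructed sample, find_drops(parse_tcpip_defend_stats(SAMPLE_OUTPUT)) returns [(3, 'Tcpsyn-packet', 300)]; feed it the real command output captured from the router instead.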
Updated: 2019-01-02

Document ID: EDOC1100055397