Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Defense Against Malformed Packet Attacks

A malformed packet attack occurs when malformed IP packets are sent to a target system, causing the system to work abnormally or break down. With the capability of defending against such attacks, a device can detect and discard malformed packets in real time.

Malformed packet attacks are classified into the following types.

Flood Attacks from IP Null Payload Packets

An IP null payload packet has only a 20-byte IP header, but does not have a data field. When a target system is processing such an IP packet, the system may work abnormally or crash.

After defense against malformed packet attacks is enabled, a device directly discards such packets.

Attacks from IGMP Null Payload Packets

An IGMP packet consists of a 20-byte IP header and an 8-byte IGMP body. An IGMP null payload packet consists of less than 28 bytes. When a network device processes IGMP null payload packets, errors may occur or the device may break down.

After defense against malformed packet attacks is enabled, the device directly discards the received IGMP null payload packets.

LAND Attacks

By utilizing the defects in the three-way handshake mechanism of TCP, a Local Area Network Denial (LAND) attacker sends a SYN packet in which the source and destination addresses are both the target host's address and the source port is the same as the destination port. After receiving the SYN packet, the target host creates a null TCP connection by using its own address as both the source and destination addresses. The connection is kept until it expires. After receiving a large number of such SYN packets, the target host creates many null TCP connections, wasting network resources or even causing a system breakdown.

After defense against malformed packet attacks is enabled, the device checks source and destination addresses in TCP SYN packets. The device considers TCP SYN packets with the same source and destination addresses as malformed packets and discards them.

Smurf Attack

An attacker sends an ICMP Request packet of which the source address is the target host's address and the destination address is the broadcast address of the target network. After all hosts on the target network receive the ICMP Request packet, they send ICMP Reply packets to the target host. The target host receives an excessive number of packets, which consume many resources, leading to a system or network breakdown.

After defense against malformed packet attacks is enabled, the device checks whether the destination address of each ICMP Request packet is the broadcast address or a subnet broadcast address. If it is, the device treats the packet as malformed and discards it.

Attacks from Packets with Invalid TCP Flag Bits

A TCP packet contains six flag bits: URG, ACK, PSH, RST, SYN, and FIN. Different systems respond differently to the combination of these flag bits.

  • If the six flag bits are all 1s, the attack is a Christmas tree attack. A device undergoing a Christmas tree attack may break down.

  • An attacker sends a TCP packet in which the SYN and FIN bits are both 1 to a target host. If the receiving port is disabled, the receiver replies with an RST | ACK message. If the receiving port is enabled, the receiver replies with a SYN | ACK message. This attack is used to detect whether a host is online or offline and whether a port is enabled or disabled.

  • An attacker sends a TCP packet in which the six flag bits are all 0s. If the receiving port is disabled, the receiver replies with an RST | ACK message, which reveals whether the host is online or offline. If the receiving port is enabled, Linux and UNIX operating systems do not respond, but the Windows operating system replies with an RST | ACK message. This attack is used to detect the type of operating system (Windows, Linux, or UNIX) on the target host.

After defense against malformed packet attacks is enabled, the device checks each flag bit in TCP packets to prevent attacks from packets with invalid TCP flag bits. If any of the following conditions is met, the device discards the TCP packets:

  • The six flag bits are all 1s.

  • The SYN and FIN bits are both 1s.

  • The six flag bits are all 0s.
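The five checks described in this section (IP null payload, IGMP null payload, LAND, Smurf, and invalid TCP flag bits) can be expressed as a single packet classifier. The following Python is an added example written for this page, not Huawei code and not the CloudEngine implementation: it parses minimal IPv4, TCP, and ICMP headers from raw bytes and returns the category under which the device would discard the packet, or None if the packet passes. The category names, the helper functions, the `local_net` parameter used to identify the subnet broadcast address, and all sample packets are constructed for illustration.

```python
import struct
import ipaddress
from typing import Optional

# IANA protocol numbers and the six classic TCP flag bits (low 6 bits of TCP byte 13)
PROTO_ICMP, PROTO_IGMP, PROTO_TCP = 1, 2, 6
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # 0x3F
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header; byte 13 carries the flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_icmp_echo_request() -> bytes:
    """Constructed 8-byte ICMP Echo Request (type 8) header."""
    return struct.pack("!BBHHH", 8, 0, 0, 0, 1)


def classify(packet: bytes,
             local_net: Optional[ipaddress.IPv4Network] = None) -> Optional[str]:
    """Return the malformed-packet category from the guide, or None if the packet passes.

    local_net (assumed parameter) is the subnet whose directed broadcast address
    should be treated like the limited broadcast address for the Smurf check.
    """
    if len(packet) < 20:
        return "truncated-ip-header"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:total_len]

    # IGMP null payload: IP header + IGMP body must be at least 28 bytes.
    if proto == PROTO_IGMP and total_len < 28:
        return "igmp-null-payload"
    # IP null payload: an IP header with no data field at all.
    if len(payload) == 0:
        return "ip-null-payload"
    # Smurf: ICMP Echo Request addressed to a broadcast or subnet broadcast address.
    if proto == PROTO_ICMP and payload[0] == 8:
        if dst == LIMITED_BROADCAST or (local_net is not None
                                        and dst == local_net.broadcast_address):
            return "smurf"
    if proto == PROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13] & SIX_FLAGS
        # Invalid flag combinations listed in the guide.
        if flags == SIX_FLAGS:
            return "tcp-all-flags-set"
        if flags & SYN and flags & FIN:
            return "tcp-syn-fin"
        if flags == 0:
            return "tcp-no-flags"
        # LAND: SYN with identical source/destination address and port.
        if flags & SYN and src == dst and sport == dport:
            return "land"
    return None


if __name__ == "__main__":
    net = ipaddress.IPv4Network("10.0.0.0/24")  # constructed sample subnet
    samples = {
        "ip-null": build_ipv4(PROTO_TCP, "10.0.0.1", "10.0.0.2"),
        "igmp-short": build_ipv4(PROTO_IGMP, "10.0.0.1", "224.0.0.1", b"\x11\x00\x00\x00"),
        "land": build_ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.5", build_tcp(80, 80, SYN)),
        "smurf": build_ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.255", build_icmp_echo_request()),
        "xmas": build_ipv4(PROTO_TCP, "10.0.0.1", "10.0.0.2", build_tcp(1234, 80, SIX_FLAGS)),
        "normal-syn": build_ipv4(PROTO_TCP, "10.0.0.1", "10.0.0.2", build_tcp(40000, 443, SYN)),
    }
    for name, pkt in samples.items():
        print(f"{name:12s} -> {classify(pkt, net)}")
```

The IGMP check runs before the generic IP null payload check so that a 20-byte IGMP packet is reported under the more specific category; the TCP flag checks run before the LAND check for the same reason. Only the six classic flag bits are examined, so packets that set ECN bits (ECE, CWR) in the upper two bits of byte 13 are judged on the low six bits alone, which matches the guide's description of the check.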

Updated: 2019-04-20

Document ID: EDOC1100074765
