Version information
AntiDDoS1600 V500R001C60SPC500
Failure phenomena
We were surprised when the customer claimed he was receiving a lot of invalid TCP packets on his device. When we investigated, we learned that he has a second layer of protection behind the AntiDDoS and that it is receiving a lot of invalid TCP packets. The question here is: if the Huawei AntiDDoS is the first line of defence, how can the customer still be detecting so many of these invalid packets?
Mechanisms of TCP Fragment Attack and Defense
Attack Mechanism
TCP fragments rarely appear on networks. If a network carries too many TCP fragments, it may be experiencing a DDoS attack. The attacker sends a large volume of TCP fragments to the target to:
- Exhaust bandwidth resources and make the victim slow or unresponsive.
- Compromise the performance of the target network device or server, or make them unresponsive.
Defense Mechanism
A TCP fragment can be the first fragment or a subsequent fragment. The anti-DDoS device defends against TCP fragment attacks based on the first fragment: if the first fragment is discarded, the anti-DDoS device discards the subsequent fragments as well, because the session cannot be established. The anti-DDoS device collects statistics on the rate of first TCP fragments by destination IP address. If the rate exceeds the specified threshold, the anti-DDoS device:
- Checks whether the source IP address matches a whitelist entry. If it does not, the anti-DDoS device discards all TCP fragments from this source IP address.
- Caches and reassembles the fragments if the source IP address matches a whitelist entry. The anti-DDoS device then forwards the reassembled packets and discards those that fail to be reassembled.
- Limits the rate of fragments to defend against attacks from a real source IP address.
While the first-fragment rate towards a destination stays at or below the threshold, none of these actions is triggered and the fragments are forwarded unchanged. This is why a second protection device behind the AntiDDoS can still see them, and why the threshold has to be checked against the actual fragment traffic.
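The defense logic described above, as an added example run over constructed traffic; this is not Huawei's code and not the device's implementation. It assumes one-second measurement windows, a reassembly rule (contiguous offsets, last piece with MF=0), and models the rate limit for real sources as a cap on reassembled datagrams per destination per window. The threshold, whitelist and addresses are made up for the demonstration.

```python
"""Added example, not Huawei's code: a simplified model of the first-fragment
rate defense described above, run over constructed traffic, to show which
fragments reach a device behind the AntiDDoS.

Assumptions not from the page: rates are counted per one-second window; a
datagram reassembles only when its fragments cover a contiguous byte range
and the last one has MF=0; the rate limit for real (whitelisted) sources is
modelled as a cap on reassembled datagrams per destination per window.
Addresses, the threshold and the whitelist are made up for the demonstration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int      # IP Identification field shared by all fragments of one datagram
    offset: int     # byte offset of this piece inside the original datagram
    more: bool      # IP "More Fragments" flag; False only on the last piece
    payload: bytes


def reassemble(pieces):
    """Return the reassembled payload, or None on a gap, overlap or missing
    last fragment (the case the device discards)."""
    pieces = sorted(pieces, key=lambda f: f.offset)
    expected, out = 0, bytearray()
    for f in pieces:
        if f.offset != expected:
            return None
        out += f.payload
        expected += len(f.payload)
    if not pieces or pieces[-1].more:
        return None
    return bytes(out)


class TcpFragmentDefense:
    def __init__(self, threshold_pps, whitelist=(), per_dst_limit=None):
        self.threshold = threshold_pps
        self.whitelist = set(whitelist)
        self.per_dst_limit = per_dst_limit   # None = no rate limit after reassembly

    def process_window(self, frags):
        """Apply the policy to one second of fragments. Returns (counts, datagrams):
        a Counter of verdicts and the reassembled datagrams that were forwarded."""
        counts, datagrams = Counter(), []
        # Statistics are kept on first fragments (offset 0) per destination IP.
        first_rate = Counter(f.dst for f in frags if f.offset == 0)
        attacked = {dst for dst, n in first_rate.items() if n > self.threshold}

        cache = defaultdict(list)
        for f in frags:
            if f.dst not in attacked:
                counts["passed"] += 1          # under threshold: forwarded untouched
            elif f.src not in self.whitelist:
                counts["dropped_not_whitelisted"] += 1
            else:
                cache[(f.src, f.dst, f.ip_id)].append(f)   # whitelisted: cache for reassembly

        forwarded_per_dst = Counter()
        for (src, dst, ip_id), pieces in cache.items():
            data = reassemble(pieces)
            if data is None:
                counts["dropped_reassembly"] += len(pieces)
            elif self.per_dst_limit is not None and forwarded_per_dst[dst] >= self.per_dst_limit:
                counts["dropped_rate_limited"] += len(pieces)
            else:
                forwarded_per_dst[dst] += 1
                counts["reassembled"] += 1
                datagrams.append((src, dst, ip_id, data))
        return counts, datagrams


def build_sample_window():
    """Constructed one-second window: a spoofed flood of 2500 lone first
    fragments at 203.0.113.10, one good and one broken datagram from a
    whitelisted source to the same target, and a quiet second target."""
    frags = [Fragment(f"198.51.100.{i % 250 + 1}", "203.0.113.10", i, 0, True, b"A" * 8)
             for i in range(2500)]
    frags += [
        Fragment("192.0.2.5", "203.0.113.10", 777, 0, True, b"GET / HTTP/1.1\r\n"),
        Fragment("192.0.2.5", "203.0.113.10", 777, 16, False, b"Host: x\r\n\r\n"),
        Fragment("192.0.2.5", "203.0.113.10", 778, 0, True, b"x" * 8),   # last piece never arrives
        Fragment("192.0.2.9", "203.0.113.20", 1, 0, True, b"y" * 8),
        Fragment("192.0.2.9", "203.0.113.20", 1, 8, False, b"z" * 8),
    ]
    return frags


def run_demo(threshold_pps=2000):
    defense = TcpFragmentDefense(threshold_pps, whitelist={"192.0.2.5"})
    return defense.process_window(build_sample_window())


if __name__ == "__main__":
    for thr in (2000, 3000):
        counts, datagrams = run_demo(thr)
        print(f"threshold {thr} pps:", dict(counts), "forwarded datagrams:", len(datagrams))
```

Running it with the threshold at 2000 pps drops the spoofed flood and forwards only the whitelisted datagram that reassembled; running it with 3000 pps reproduces the customer's situation, where the whole window, flood included, passes through to the downstream device because the first-fragment rate never crossed the threshold.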
First, check the TCP fragment traffic of the attacked IP address. The IP address must be entered, otherwise there are few filter options; also select Peak Value over the attack time range.
If that traffic is not more than 2000 pps, the threshold of the TCP Fragment parameter can be lowered so that the attack traffic crosses it, but it should not be lowered too much.
------------------------------------------------
Another method of setting the threshold value is based on baseline learning. The learning result shows the detailed traffic of each protocol; the red line is the network's real traffic. During the learning period some attacks may have happened, and the learning program simply records the traffic and cannot distinguish attack traffic from normal traffic, so manual adjustment is needed to eliminate the higher values: apply only the normal traffic value to the policy threshold. For example, the 15,000+ value in the learning result is probably attack traffic and should not be used as the threshold; the normal traffic is only about 5000, so the threshold can be set to 8000.
Legend of the learning graph: red = real traffic; blue = current threshold; green = suggestion (may be incorrect).
Modify parameters: change the value (in this case to 7500) and click OK. The new value is applied to the corresponding policy; there is no need to switch to the policy configuration page to change it.
If the learned result is below the default threshold, use the default value: the AntiDDoS is intended to defend against large DDoS attacks, and a lower threshold will also cause too many alarms.
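The manual adjustment of a learning result described above, as an added example that is not Huawei's code and not the device's own suggestion algorithm. The spike rule (an interval above twice the median is treated as an attack), the 50% headroom and the 2000 pps default are assumptions chosen to match the numbers in the text; the learning series is constructed, not a real result.

```python
"""Added example, not Huawei's code: turning a baseline-learning series into
a TCP fragment policy threshold by the rule the text describes (ignore attack
spikes, use the normal traffic level, never go below the policy default).

Assumptions not from the page: samples are first-fragment rates in pps per
learning interval; an interval above SPIKE_FACTOR times the median is treated
as an attack that the learner could not distinguish from normal traffic; the
threshold is the highest normal interval plus HEADROOM, floored at the default.
The series below are constructed, not real learning results.
"""
import statistics

DEFAULT_THRESHOLD_PPS = 2000   # the threshold the case treats as the policy default (assumption)
SPIKE_FACTOR = 2.0             # intervals above 2x the median are treated as attack traffic (assumption)
HEADROOM = 0.5                 # 50% margin over the normal peak (assumption)


def split_normal_and_spikes(samples, spike_factor=SPIKE_FACTOR):
    """Separate learned intervals into normal traffic and attack spikes.
    The median is robust to a few spikes, so it stands in for the normal level."""
    median = statistics.median(samples)
    cutoff = spike_factor * median
    normal = [s for s in samples if s <= cutoff]
    spikes = [s for s in samples if s > cutoff]
    return normal, spikes


def suggest_threshold(samples, default=DEFAULT_THRESHOLD_PPS, headroom=HEADROOM,
                      spike_factor=SPIKE_FACTOR):
    """Return the pps threshold to put into the policy."""
    normal, _spikes = split_normal_and_spikes(samples, spike_factor)
    normal_peak = max(normal)
    candidate = int(normal_peak * (1 + headroom))
    # The device exists to stop large floods; a threshold under the default
    # only produces alarm noise, so the default is the floor.
    return max(candidate, default)


# Constructed learning series (pps per interval): normal traffic around 5000
# with two intervals of 15,000+ from an attack that ran during the learning window.
LEARNED_SAMPLES = [4800, 5100, 4900, 5300, 15200, 5000, 4700, 16000, 5200, 4950]

# Constructed series for a lightly used destination, entirely below the default.
QUIET_SAMPLES = [300, 400, 350, 900, 420]

if __name__ == "__main__":
    normal, spikes = split_normal_and_spikes(LEARNED_SAMPLES)
    print("excluded as attack spikes:", spikes)
    print("threshold for the learned series:", suggest_threshold(LEARNED_SAMPLES))
    print("threshold for the quiet destination:", suggest_threshold(QUIET_SAMPLES))
```

On the constructed series the two 15,000+ intervals are excluded and the threshold lands near the 8000 the text arrives at by hand; for the quiet destination the computed value is far below 2000, so the default is kept, as the text recommends.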
END
Author : lWX511489
Document ID: EKB1001276413
Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.