We were surprised when the customer claimed he is receiving a lot of TCP invalid packets on his device. When we investigated, we came to know he has a second layer of protection and he is receiving lots of TCP invalid packets. The question here is: when Huawei DDoS is the first line of defence, then how come the customer is detecting a lot of these invalid packets?
of TCP Fragment Attack and Defense.

TCP fragments rarely appear on networks. If a network has too many TCP fragments, the network may be experiencing DDoS attacks. The attacker sends a large volume of TCP fragments to the target to:

- exhaust bandwidth resources and make the victim slow or unresponsive;
- degrade the performance of the target network device or server or make them

A TCP fragment can be the first fragment or a subsequent fragment. The anti-DDoS device defends against TCP fragment attacks based on the first fragment. If the first fragment is discarded, the anti-DDoS device discards the subsequent fragments, because the session cannot be established. The anti-DDoS device collects statistics on the rate of first TCP fragments by destination IP address. If the rate exceeds the specified threshold, the anti-DDoS device:

- Checks whether the source IP address matches a whitelist entry. If not, the anti-DDoS device discards all TCP fragments from this source IP address.
- Collects and reassembles the fragments if the source IP address matches a whitelist entry. The anti-DDoS device then forwards the reassembled packets and discards those that fail to be reassembled.
- Limits the rate of fragments to defend against attacks from a real source IP address.
First, please check the attacked IP's TCP fragment traffic by the following steps. You must input the IP address, otherwise there is not much choice. Also select the Peak Value during the attack.

If the traffic is not more than 2000 pps, then we can lower this threshold value for the TCP Fragment parameter. But we suggest not lowering it too much.

Another method of setting the threshold value is based on baseline learning. The learning result is like below. We can see the detailed traffic of each protocol. The red line is the network's traffic. During the learning period, some attack may have happened. The learning program just shows the traffic and cannot distinguish the attack from normal traffic. Manual adjustment is needed to eliminate the higher value. Just apply the normal traffic value to the policy threshold. For example, the 15,000+ value shown below may be the attack traffic, so we should not use it as the threshold. We can see the normal traffic is just 5000 or so. So we can set the threshold value to

green: Suggestion (may be incorrect)

Modify parameters: just modify to 7500, and click OK. It will apply to the corresponding policy. No need to switch to the policy configuration page to set

Result below default threshold: suggest using the default value, because AntiDDoS is for defending against large DDoS attacks. Also, a lower threshold will cause too many alarms.
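The manual adjustment described above (drop the learning-period spike, take the normal traffic level, never go below the default) can be written down as a small rule. The following Python function is an added example, not Huawei's learning program or the GUI's green suggestion: the sample learning result, the "more than twice the median" spike test, the 1.5x margin (which turns about 5000 pps into 7500) and the default threshold value of 2000 are all constructed assumptions.

```python
"""Threshold suggestion from a baseline-learning result (added illustration, not
Huawei's learning algorithm; samples, spike test, margin and default are assumed)."""
from statistics import median


def suggest_threshold(samples_pps, default_threshold, spike_ratio=2.0, margin=1.5):
    """Derive a policy threshold from per-interval TCP fragment rates.

    Intervals more than `spike_ratio` times the median are treated as probable
    attack traffic that the learning program could not tell apart from normal
    traffic, and are excluded before taking the normal peak. The peak is
    multiplied by `margin` (assumed 1.5). A result below the default threshold
    is replaced by the default, as the answer recommends.

    Returns (threshold, excluded_spikes).
    """
    if not samples_pps:
        return default_threshold, []
    med = median(samples_pps)
    spikes = [s for s in samples_pps if s > spike_ratio * med]
    normal = [s for s in samples_pps if s <= spike_ratio * med]
    suggested = round(max(normal) * margin)
    return max(suggested, default_threshold), spikes


# Constructed learning result (pps per interval): normal traffic around 5000 pps
# with one 15,000+ interval during the learning period.
LEARNING_RESULT = [4700, 4850, 4900, 5000, 15200, 4950, 4800]

# Constructed placeholder for the policy's default TCP Fragment threshold.
DEFAULT_THRESHOLD = 2000

if __name__ == "__main__":
    print(suggest_threshold(LEARNING_RESULT, DEFAULT_THRESHOLD))   # (7500, [15200])
    print(suggest_threshold([300, 350, 320], DEFAULT_THRESHOLD))   # (2000, [])
```

The second call covers the "result below default threshold" case: a quiet network would otherwise get a tiny threshold and a flood of alarms, so the default is kept.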