We were surprised when the customer claimed he is receiving a lot of TCP invalid packets on his device. When we investigated we came to know he has a second layer of protection and he is receiving lots of TCP invalid packets. The question here is: when Huawei DDoS is the first line of defence, then how come the customer is detecting a lot of these invalid packets?
Mechanisms of TCP Fragment Attack and Defense.
TCP fragments rarely appear on networks. If a network carries too many TCP fragments, it may be experiencing a DDoS attack. The attacker sends a large volume of TCP fragments to the target to:
Exhaust bandwidth resources and make the victim slow or unresponsive.
Compromise the performance of the target network device or server or make them unresponsive.
A TCP fragment can be the first fragment or a subsequent fragment. The anti-DDoS device defends against TCP fragment attacks based on the first fragment. If the first fragment is discarded, the anti-DDoS device discards subsequent fragments because the session cannot be established. The anti-DDoS device collects statistics on the rate of the first TCP fragment by destination IP address. If the rate exceeds the specified threshold, the anti-DDoS device:
Checks whether the source IP address matches a whitelist entry. If no, the anti-DDoS device discards all TCP fragments from this source IP address.
Caches and reassembles the fragments if the source IP address matches a whitelist entry. The anti-DDoS device then forwards the reassembled packets and discards those that fail to be reassembled.
Limits the rate of fragments to defend against attacks from a real source IP address.
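The following Python model is an added example, not Huawei code, and it reproduces only the decision flow described above: count first fragments per destination IP and per second, block non-whitelisted sources once the threshold is exceeded, and cache, reassemble and rate-limit whitelisted sources. Class and field names, the threshold values and the sample traffic are all constructed for the illustration; the real device's internal timers and counters are not public.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Fragment:
    ts: float      # arrival time in seconds (constructed sample data)
    src: str       # source IP
    dst: str       # destination IP (the protected address)
    ip_id: int     # IP identification field shared by all fragments of one datagram
    offset: int    # fragment offset in bytes; 0 marks the first fragment
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments flag, False on the last fragment


class TcpFragmentDefense:
    """Hypothetical model of the per-destination first-fragment rate check,
    whitelist handling, reassembly and source rate limiting described above."""

    def __init__(self, threshold_pps, whitelist, source_limit_pps, reassembly_timeout=30.0):
        self.threshold_pps = threshold_pps        # first-fragment rate allowed per destination
        self.whitelist = set(whitelist)
        self.source_limit_pps = source_limit_pps  # fragment rate allowed from a real (whitelisted) source
        self.reassembly_timeout = reassembly_timeout
        self.first_counts = defaultdict(int)      # (dst, second) -> first fragments seen
        self.source_counts = defaultdict(int)     # (src, second) -> fragments seen while under attack
        self.blocked = set()                      # non-whitelisted sources whose fragments are dropped
        self.cache = defaultdict(list)            # (src, dst, ip_id) -> fragments awaiting reassembly
        self.cache_started = {}                   # (src, dst, ip_id) -> time the first fragment was cached

    def handle(self, f):
        """Verdict for one fragment: 'forward', 'drop', 'cached' or 'reassembled'."""
        second = int(f.ts)
        if f.src in self.blocked:
            # The first fragment was discarded, so no session exists for the rest.
            return "drop"
        if f.offset == 0:
            self.first_counts[(f.dst, second)] += 1
        under_attack = self.first_counts[(f.dst, second)] > self.threshold_pps
        key = (f.src, f.dst, f.ip_id)
        if not under_attack and key not in self.cache:
            return "forward"
        if f.src not in self.whitelist:
            self.blocked.add(f.src)
            return "drop"
        # Whitelisted (real) source: rate-limit it, then cache and reassemble.
        self.source_counts[(f.src, second)] += 1
        if self.source_counts[(f.src, second)] > self.source_limit_pps:
            return "drop"
        self.cache_started.setdefault(key, f.ts)
        self.cache[key].append(f)
        if self._complete(self.cache[key]):
            del self.cache[key]
            del self.cache_started[key]
            return "reassembled"
        return "cached"

    @staticmethod
    def _complete(frags):
        """Complete when fragments cover the datagram contiguously from offset 0
        and the last one has the More Fragments flag clear."""
        frags = sorted(frags, key=lambda x: x.offset)
        expected = 0
        for frag in frags:
            if frag.offset != expected:
                return False
            expected += frag.length
        return not frags[-1].more

    def expire(self, now):
        """Discard datagrams that failed to reassemble within the timeout; return how many."""
        stale = [k for k, t in self.cache_started.items() if now - t > self.reassembly_timeout]
        for k in stale:
            del self.cache[k]
            del self.cache_started[k]
        return len(stale)


def simulate():
    """Run constructed traffic through the model and return the verdicts and expired count."""
    d = TcpFragmentDefense(threshold_pps=3, whitelist={"192.0.2.10"}, source_limit_pps=5)
    dst = "203.0.113.5"
    traffic = [
        # normal traffic: two datagrams, one of them completed by a second fragment
        Fragment(0.1, "198.51.100.1", dst, 1, 0, 1480, True),
        Fragment(0.2, "198.51.100.2", dst, 2, 0, 1480, True),
        Fragment(0.3, "198.51.100.1", dst, 1, 1480, 100, False),
        # flood of first fragments from one non-whitelisted source in second 1
        *[Fragment(1.0 + i / 10, "198.51.100.77", dst, 100 + i, 0, 1480, True) for i in range(5)],
        # whitelisted source during the attack: one complete datagram, one that never completes
        Fragment(1.5, "192.0.2.10", dst, 7, 0, 1480, True),
        Fragment(1.6, "192.0.2.10", dst, 7, 1480, 200, False),
        Fragment(1.7, "192.0.2.10", dst, 8, 0, 1480, True),
        # the blocked source keeps sending later
        Fragment(2.0, "198.51.100.77", dst, 200, 0, 1480, True),
    ]
    verdicts = [d.handle(f) for f in traffic]
    return verdicts, d.expire(now=40.0)
```

In the constructed run the first three attacker fragments are forwarded because the per-second count has not yet exceeded the threshold; the fourth crosses it and the source is dropped from then on, while the whitelisted source's complete datagram is reassembled and its incomplete one is discarded by the timeout.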
First, check the attacked IP's TCP fragment traffic by the following steps. The IP address must be entered; otherwise there are few filtering options. Also select Peak Value for the attack period.
If the traffic is not more than 2000 pps, the threshold value of the TCP Fragment parameter can be lowered. However, do not lower it too much.
Another method is to set the threshold value based on baseline learning.
The learning result looks like the following.
The detailed traffic of each protocol is shown. The red line is the network's traffic. During the learning period, some attacks may have happened. The learning program only records the traffic and cannot distinguish attack traffic from normal traffic, so manual adjustment is needed to eliminate the higher values: apply only the normal traffic value to the policy threshold. For example, the 15,000+ value shown below may be attack traffic, so it should not be used as the threshold. The normal traffic is only about 5000, so the threshold value can be set to 8000.
Green: suggestion (may be incorrect)
Modify parameters: just change the value to 7500 and click OK. It will be applied to the corresponding policy; there is no need to switch to the policy configuration page to change it.
If the learned result is below the default threshold, use the default value, since AntiDDoS is meant to defend against large DDoS attacks; a lower threshold would also cause too many alarms.
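The following Python helper is an added example, not Huawei's learning algorithm, covering the two rules above: discard the attack spikes recorded during the learning period and derive the threshold from the normal level, and fall back to the default when the learned result is below it. The outlier rule (samples more than twice the median are treated as attack traffic), the 60% margin that turns a normal level of 5000 into 8000, the assumed default of 2000 pps and the sample values are all constructed assumptions; check the default on your own device.

```python
import statistics

# Assumed default for the illustration; the real default depends on the device and version.
DEFAULT_TCP_FRAGMENT_THRESHOLD_PPS = 2000


def normal_traffic_level(samples, outlier_factor=2):
    """Peak of the learned samples after removing spikes that look like attack traffic.

    Assumed rule: a sample more than outlier_factor times the median of the
    learning period is treated as an attack recorded during learning.
    """
    if not samples:
        raise ValueError("no learned samples")
    median = statistics.median(samples)
    normal = [s for s in samples if s <= outlier_factor * median]
    return max(normal)


def suggest_threshold(samples, default=DEFAULT_TCP_FRAGMENT_THRESHOLD_PPS,
                      margin_percent=60, rounding=100):
    """Return (threshold_pps, reason).

    The threshold is the normal peak plus a margin (assumed 60%), rounded up to
    the nearest `rounding` pps; if that is below the default, the default is kept
    because a lower threshold only produces more alarms.
    """
    normal_peak = normal_traffic_level(samples)
    raw = normal_peak * (100 + margin_percent) // 100      # integer arithmetic, no float rounding
    suggested = -(-raw // rounding) * rounding              # round up to a multiple of `rounding`
    if suggested < default:
        return default, "learned result below default threshold; default kept"
    return suggested, "learned normal peak %d pps plus %d%% margin" % (normal_peak, margin_percent)


# Constructed learning samples (pps per interval): normal traffic around 5000
# with two spikes recorded while an attack was under way.
LEARNED_SAMPLES = [4800, 4900, 5000, 15200, 4700, 16000, 5000]

if __name__ == "__main__":
    print(suggest_threshold(LEARNED_SAMPLES))
```

With the constructed samples the two spikes above 10000 pps are dropped, the normal peak is 5000 pps and the suggested threshold is 8000 pps, matching the worked figure in the text; a quiet network whose normal peak is 1000 pps gets the default instead.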