
Users Failed to Access the Internet Due to Attack Defense

Publication Date: 2019-07-03

Issue Description

Users failed to access the Internet after the following attack defense configuration was applied on the firewall:

firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend ip-spoofing enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

Handling Process

Run the undo firewall defend ip-spoofing enable command to disable IP-spoofing attack defense.

Root Cause

1. On the firewall, query the session table by the client IP address. No session is displayed, so either the client's packets never reach the firewall or the firewall drops them on receipt.

[USG9000] display firewall session table verbose source inside 10.224.1.130

20:00:46  2014/05/13                                                                                                                

Info: Current total sessions: 0

 

The problem appeared after attack defense was configured and disappeared when the attack defense commands were removed, so the packets are provisionally judged to have been dropped by attack defense.

2. Check the firewall logs. IP-spoofing attack logs are present, and the logged "attack" source addresses are the addresses of the Internet access users. This confirms that the user packets are being dropped by the firewall's anti-spoofing check.

SEC/4/ATCKDF(l)[6399]:AttackType: IP spoof attack; slot: 16; cpu: 1; Receive Interface: Eth-Trunk2.20; from: 10.244.1.130 10.244.0.35 10.244.3.80 10.244.1.58 10.244.1.154 10.244.3.96 10.244.3.168 10.244.0.123; to: 221.131.143.69 61.155.106.176 208.73.211.230 112.3.151.13 112.2.98.13 112.25.58.170 223.66.190.18 117.135.169.19; begin time: 2013-12-13 17:05:18; end time: 2013-12-13 17:05:37; total packets: 764

The anti-spoofing check is a reverse-path lookup, the same logic as strict unicast reverse-path forwarding (RFC 3704): for each packet the firewall looks up the route to the packet's source address and compares that route's outbound interface with the interface the packet arrived on. If the two interfaces differ, the firewall treats the packet as carrying a forged source address and discards it; only if they match is the packet forwarded. The check therefore assumes symmetric routing, and any mismatch between the interface a host actually uses and the route back to that host turns into drops of legitimate traffic.

In this case the attack log shows the packets arriving on Eth-Trunk2.20, but the route matching 10.244.1.130 (the static 10.244.0.0/16 entry) has Eth-Trunk2.10 as its outbound interface, so the firewall discards the packets as attack packets.

[USG9000] display ip routing-table 10.244.1.130
10.244.0.0/16  Static 60  0     RD   11.1.1.2     Eth-Trunk2.10
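The reverse-path check described above, replayed against the attack log line and routing-table entry shown on this page, as an added example (Python written for this article, not Huawei or USG9000 code). It parses the SEC/4/ATCKDF line, runs a strict reverse-path lookup for every logged source against the 10.244.0.0/16 static route, and shows that all eight sources are dropped for the same reason: the route points out Eth-Trunk2.10 while the packets arrive on Eth-Trunk2.20. The loose mode, the 192.0.2.1 test address, and the CORRECTED_ROUTES table (a more specific 10.244.0.0/22 route via Eth-Trunk2.20, a prefix that happens to contain every logged source) are assumptions added for illustration; the page does not state what the correct route is.

```python
"""Strict reverse-path (anti-spoofing) check replayed against the page's log
line and route. Added example for this article, not firewall vendor code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


# Routing-table entry shown on the page: all of 10.244.0.0/16 is routed out
# Eth-Trunk2.10. No default route is kept here, because a reverse-path check
# must not accept a source merely because a default route exists.
PAGE_ROUTES = [Route(ipaddress.ip_network("10.244.0.0/16"), "Eth-Trunk2.10")]

# Hypothetical correction (assumption, not from the page): every logged source
# lies in 10.244.0.0/22, so a more specific route via the interface those hosts
# actually use makes the check pass while the /16 route stays in place.
CORRECTED_ROUTES = PAGE_ROUTES + [
    Route(ipaddress.ip_network("10.244.0.0/22"), "Eth-Trunk2.20")
]

# Attack log line exactly as printed on the page.
ATTACK_LOG = (
    "SEC/4/ATCKDF(l)[6399]:AttackType: IP spoof attack; slot: 16; cpu: 1; "
    "Receive Interface: Eth-Trunk2.20; from: 10.244.1.130 10.244.0.35 "
    "10.244.3.80 10.244.1.58 10.244.1.154 10.244.3.96 10.244.3.168 "
    "10.244.0.123; to: 221.131.143.69 61.155.106.176 208.73.211.230 "
    "112.3.151.13 112.2.98.13 112.25.58.170 223.66.190.18 117.135.169.19; "
    "begin time: 2013-12-13 17:05:18; end time: 2013-12-13 17:05:37; "
    "total packets: 764"
)


def lookup(routes, addr):
    """Longest-prefix match for addr; None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_verdict(routes, src, in_iface, mode="strict"):
    """RFC 3704 style reverse-path check on a packet's source address.
    strict: the route back to src must leave via the interface the packet
    arrived on (this is what the firewall's ip-spoofing defence does).
    loose: any route to src is enough (assumed alternative, for contrast).
    A source with no route at all fails in both modes."""
    route = lookup(routes, src)
    if route is None:
        return "drop"
    if mode == "loose":
        return "pass"
    return "pass" if route.out_iface == in_iface else "drop"


def parse_attack_log(line):
    """Extract ingress interface, sources, destinations and packet count from
    an ATCKDF log line in the format shown on the page."""
    iface = re.search(r"Receive Interface:\s*(\S+);", line).group(1)
    srcs = re.search(r";\s*from:\s*([^;]+);", line).group(1).split()
    dsts = re.search(r";\s*to:\s*([^;]+);", line).group(1).split()
    pkts = int(re.search(r"total packets:\s*(\d+)", line).group(1))
    return {"in_iface": iface, "sources": srcs, "destinations": dsts, "packets": pkts}


def triage(line, routes):
    """Recompute the strict verdict for every logged source and record which
    egress interface its route resolved to."""
    ev = parse_attack_log(line)
    rows = []
    for src in ev["sources"]:
        route = lookup(routes, src)
        rows.append((src, ev["in_iface"], route.out_iface if route else None,
                     rpf_verdict(routes, src, ev["in_iface"])))
    return rows


def misrouted_prefixes(line, routes):
    """Map prefix -> egress interface for the routes that caused drops. One entry
    covering every logged source points at asymmetric routing (the case on this
    page) rather than at forged addresses, which would scatter across prefixes."""
    ev = parse_attack_log(line)
    hits = {}
    for src in ev["sources"]:
        route = lookup(routes, src)
        if route is not None and route.out_iface != ev["in_iface"]:
            hits[str(route.prefix)] = route.out_iface
    return hits


if __name__ == "__main__":
    for src, in_if, out_if, verdict in triage(ATTACK_LOG, PAGE_ROUTES):
        print(f"{src:<14} in={in_if} route-out={out_if} -> {verdict}")
    print("misrouted prefixes (page routes):", misrouted_prefixes(ATTACK_LOG, PAGE_ROUTES))
    print("misrouted prefixes (corrected)  :", misrouted_prefixes(ATTACK_LOG, CORRECTED_ROUTES))
```

Running it against PAGE_ROUTES marks all eight sources as dropped and reports a single misrouted prefix, 10.244.0.0/16 via Eth-Trunk2.10; against CORRECTED_ROUTES the same log line produces no drops, which is the outcome to verify after changing the route rather than disabling the check.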

Suggestions

The route configuration on the firewall is incorrect: the static route for 10.244.0.0/16 points out Eth-Trunk2.10, while the users' packets enter on Eth-Trunk2.20. With IP-spoofing attack defense enabled, this asymmetry causes the firewall to discard normal Internet access packets. The root-cause fix is to correct the routing so that the outbound interface of the route to each source network is the same as the inbound interface on which that network's packets enter the firewall; the anti-spoofing check then passes and the protection stays in place. It is also advised to disable the IP-spoofing attack defense function on the firewall in normal cases; note that doing so removes the firewall's check on forged source addresses as well, so prefer the routing correction wherever symmetric routing can be ensured.
