Users failed to access the Internet after attack defense was configured on the firewall.
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend ip-spoofing enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
Run the undo firewall defend ip-spoofing enable command to disable IP-spoofing attack defense.
1. Query session information based on the
client IP address on the firewall. No session information is displayed on the
firewall. The possible cause is that the client does not send packets to the
firewall or the firewall discards received packets.
[USG9000] display firewall session table
verbose source inside 10.224.1.130
Info: Current total sessions: 0
The problem occurred after the
configuration of attack defense and was resolved after the attack defense
commands were deleted. It is preliminarily determined that the packets were
discarded due to attack defense.
2. Check the logs of the firewall. It is
found that the firewall has IP-spoofing attack logs, and the attack IP address
is the IP address of the Internet access user. It can be determined that the
user packets are discarded by the anti-spoofing mechanism of the firewall.
SEC/4/ATCKDF(l):AttackType: IP spoof
attack; slot: 16; cpu: 1; Receive Interface: Eth-Trunk2.20; from: 10.244.1.130
10.244.0.35 10.244.3.80 10.244.1.58 10.244.1.154 10.244.3.96 10.244.3.168 10.244.0.123;
to: 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
184.108.40.206 220.127.116.11 18.104.22.168; begin time: 2013-12-13 17:05:18;
end time: 2013-12-13 17:05:37; total packets: 764
With the anti-spoofing mechanism, the firewall looks up the route for the source address of each received packet and checks whether the outgoing interface of that route is the same as the interface on which the packet arrived. If the two interfaces differ, the firewall considers the packet an attack packet and discards it; only packets whose source route points back out of the receiving interface are forwarded.
Based on the attack log, the firewall receives the packet at Eth-Trunk2.20, but the outgoing interface of the route for 10.244.1.130 is Eth-Trunk2.10. The firewall therefore discards the packet as an attack packet.
[USG9000] display ip routing-table
10.244.0.0/16 Static 60
0 RD 22.214.171.124
The route configuration on the firewall is incorrect: the route for the client subnet leaves via Eth-Trunk2.10 while the clients' packets enter via Eth-Trunk2.20. Once IP-spoofing attack defense is enabled, this mismatch causes normal Internet access packets to be discarded by the firewall. Therefore, it is recommended that the outbound interface of the IP route for a source address be the same as the inbound interface of the IP packets from that address entering the firewall. In addition, you are advised to disable the IP-spoofing attack defense function on the firewall in normal cases.
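The reverse-path check behind this case, reproduced as an added example (not code from the firewall or this document): a constructed routing table with the case's static 10.244.0.0/16 route via Eth-Trunk2.10 is checked against packets arriving on Eth-Trunk2.20, then the same check is run against a corrected table whose route leaves via Eth-Trunk2.20 as the recommendation requires. The default route, its interface name and the helper names are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the case: the static /16 covering the
# clients leaves via Eth-Trunk2.10, but their packets arrive on Eth-Trunk2.20.
# Interface names are from the case; the default route is an assumption.
ROUTES = [
    ("10.244.0.0/16", "Eth-Trunk2.10"),
    ("0.0.0.0/0", "GigabitEthernet1/0/0"),  # assumed default route
]

# Corrected table: the route back to the clients now leaves via the interface
# their packets enter on, which is what the case recommends.
FIXED_ROUTES = [
    ("10.244.0.0/16", "Eth-Trunk2.20"),
    ("0.0.0.0/0", "GigabitEthernet1/0/0"),
]

# Source addresses taken from the "from:" field of the attack log.
LOGGED_SOURCES = ["10.244.1.130", "10.244.0.35", "10.244.3.80", "10.244.1.58"]

def lookup_egress(routes, ip):
    """Longest-prefix match: return the outgoing interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(routes, src_ip, in_iface):
    """Reverse-path check as the case describes it: look up the route for the
    packet's *source* address and accept the packet only if that route's
    outgoing interface equals the interface the packet arrived on.
    Returns (accepted, reason)."""
    egress = lookup_egress(routes, src_ip)
    if egress is None:
        return False, "no route to source"
    if egress != in_iface:
        return False, f"spoof suspected: route egress {egress} != ingress {in_iface}"
    return True, "ok"

def count_drops(routes, sources, in_iface):
    """Apply the check to every logged source; return how many are dropped."""
    return sum(1 for s in sources if not rpf_check(routes, s, in_iface)[0])

if __name__ == "__main__":
    for name, table in (("original", ROUTES), ("corrected", FIXED_ROUTES)):
        print(name, rpf_check(table, "10.244.1.130", "Eth-Trunk2.20"))
```

With the original table every logged source is dropped on Eth-Trunk2.20, which matches the "total packets: 764" drop count pattern in the log; with the corrected table all of them pass.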