

Users Failed to Access the Internet Due to Attack Defense

Publication Date: 2019-07-03

Issue Description

Users failed to access the Internet after attack defense was configured on the firewall.

firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend ip-spoofing enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

Handling Process

Run the undo firewall defend ip-spoofing enable command to disable IP-spoofing attack defense.

Root Cause

1. Query the session table on the firewall using the client IP address as the source. No session is displayed. The possible causes are that the client does not send packets to the firewall or that the firewall discards the packets it receives.

[USG9000] display firewall session table verbose source inside
20:00:46  2014/05/13
Info: Current total sessions: 0


The problem occurred after the configuration of attack defense and was resolved after the attack defense commands were deleted. It is preliminarily determined that the packets were discarded due to attack defense.

2. Check the firewall logs. The firewall has recorded IP-spoofing attack logs, and the logged attack IP address is the IP address of the Internet access user. This confirms that the user's packets are being discarded by the anti-spoofing mechanism of the firewall.

SEC/4/ATCKDF(l)[6399]:AttackType: IP spoof attack; slot: 16; cpu: 1; Receive Interface: Eth-Trunk2.20; from:; to:; begin time: 2013-12-13 17:05:18; end time: 2013-12-13 17:05:37; total packets: 764

With the anti-spoofing mechanism, the firewall looks up the route for the source address of each packet and checks whether the outbound interface of that route is the same as the interface on which the packet arrived. If the two interfaces differ, the firewall treats the packet as a spoofed (attack) packet and discards it.

Based on the attack log, the firewall receives the packet on Eth-Trunk2.20, but the outbound interface of the route for that source address is Eth-Trunk2.10. Because the interfaces do not match, the firewall discards the packet as an attack packet.

[USG9000] display ip routing-table  Static 60  0     RD     Eth-Trunk2.10
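The check described above, as an added example that is not part of the original case or of the USG9000 software: a small simulation of the source-route (reverse-path) comparison the IP-spoofing defense performs, run against a constructed routing table. The prefixes, the user address 10.20.1.5 and the helper names are assumptions, since the page elides the real values.

```python
import ipaddress

# Constructed routing table: (prefix, outbound interface). The user subnet is
# deliberately routed via Eth-Trunk2.10 to reproduce the misconfiguration.
ROUTING_TABLE = [
    ("0.0.0.0/0", "Eth-Trunk2.10"),      # default route towards the Internet
    ("10.20.0.0/16", "Eth-Trunk2.10"),   # wrong: users actually sit behind .20
    ("10.30.0.0/16", "Eth-Trunk2.20"),
]

# Corrected table: the user subnet now points at the interface it arrives on.
CORRECTED_TABLE = [
    (p, "Eth-Trunk2.20" if p == "10.20.0.0/16" else i) for p, i in ROUTING_TABLE
]


def lookup_route(table, address):
    """Longest-prefix match; returns the outbound interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ip_spoofing_check(table, src, in_iface):
    """Route the packet's *source* address and compare the route's outbound
    interface with the inbound interface. Returns (verdict, route_iface)."""
    route_iface = lookup_route(table, src)
    if route_iface == in_iface:
        return "forward", route_iface
    return "drop:ip-spoof", route_iface


def audit(table, packets):
    """Count drops per (inbound interface, source), the way the ATCKDF log
    summarises discarded packets per interface. packets: [(src, in_iface)]."""
    drops = {}
    for src, in_iface in packets:
        verdict, _ = ip_spoofing_check(table, src, in_iface)
        if verdict != "forward":
            drops[(in_iface, src)] = drops.get((in_iface, src), 0) + 1
    return drops


if __name__ == "__main__":
    print(ip_spoofing_check(ROUTING_TABLE, "10.20.1.5", "Eth-Trunk2.20"))
    print(ip_spoofing_check(CORRECTED_TABLE, "10.20.1.5", "Eth-Trunk2.20"))
```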


The route configuration on the firewall is incorrect. After the IP-spoofing attack defense function is enabled, normal Internet access packets are discarded by the firewall. Therefore, it is recommended that the outbound interface of the IP route be the same as the inbound interface of the IP packet that enters the firewall. In addition, you are advised to disable the IP-spoofing attack defense function on the firewall in normal cases.