05-attack protection configuration guide-book

Upload: nebojsannikolic

Post on 07-Jul-2018


  • 8/19/2019 05-Attack Protection Configuration Guide-book

    1/181

    H3C SecPath Series Firewalls and UTM Devices

     Attack Protection Configuration Guide

     

    Hangzhou H3C Technologies Co., Ltd.http://www.h3c.com

    Software version:

    F100 series: ESS 5132
    F1000-A-EI: Feature 3722
    F1000-E-SI: Feature 3722
    F1000-S-AI: Feature 3722
    F5000-A5: Feature 3211
    F5000-S/F5000-C: A3801
    F1000-E: Feature 3174
    F1000-S-EI: Demo 5132P01
    Firewall card: Feature 3174
    Enhanced firewall card: ESS 3807
    U200-A/M/CA: ESS 5132
    U200-S/CM/CS: ESS 5132

    Document version: 6PW100-20121210 


    Copyright © 2012, Hangzhou H3C Technologies Co., Ltd. and its licensors

     All rights reserved

    No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

    Trademarks

    H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

     All other trademarks that may be mentioned in this manual are the property of their respective owners

    Notice

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.


    Preface

    The H3C SecPath Series Firewalls and UTM Devices documentation set includes 10 configuration guides, which describe the software features for the H3C SecPath Series Firewalls and UTM Devices and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

    The Attack Protection Configuration Guide describes how to configure attack detection and protection, ARP attack protection, TCP attack protection, ND attack protection, firewall, content filtering, URPF, IDS collaboration, and advanced security protection.

    This preface includes:

     Audience 

    Conventions 

    Obtaining documentation

    Technical support

    Documentation feedback 

    Audience

    This documentation is intended for:

    Network planners

    Field technical support and servicing engineers

    Network administrators working with the H3C SecPath Series Firewalls and UTM Devices

    Conventions

    This section describes the conventions used in this documentation set.

    Command conventions

    Convention: Description

    Boldface: Bold text represents commands and keywords that you enter literally as shown.

    Italic: Italic text represents arguments that you replace with actual values.

    [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.

    { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

    [ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

    { x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

    [ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.


    &: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.

    #: A line that starts with a pound (#) sign is a comment.

    GUI conventions 

    Convention: Description

    Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

    >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

    Symbols 

    Convention: Description

    WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.

    CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.

    IMPORTANT: An alert that calls attention to essential information.

    NOTE: An alert that contains additional or supplementary information.

    TIP: An alert that provides helpful information.

    Network topology icons

    Represents a generic network device, such as a router, switch, or firewall.

    Represents a routing-capable device, such as a router or Layer 3 switch.

    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

    Represents a firewall.

    Port numbering in examples 

    The port numbers in this document are for illustration only and might be unavailable on your device.

    Obtaining documentation

    You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.

    Click the links on the top navigation bar to obtain different categories of product documentation:


    [Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.

    [Products & Solutions] – Provides information about products and technologies, as well as solutions.

    [Technical Support & Documents > Software Download] – Provides the documentation released with the software version.

    Technical support

    [email protected]

    http://www.h3c.com

    Documentation feedback

    You can e-mail your comments about product documentation to [email protected].

     We appreciate your comments.


    Contents

    Configuring attack detection and protection ... 1
      Overview ... 1
        Types of network attacks the device can defend against ... 1
        Connection limit ... 3
        Blacklist function ... 3
        Traffic statistics function ... 4
        TCP proxy ... 4
        Intrusion detection statistics ... 6
      Configuring attack detection and protection in the Web interface ... 7
        Configuring packet inspection ... 7
        Packet inspection configuration example ... 8
        Configuring traffic abnormality detection ... 9
        Traffic abnormality detection configuration example ... 18
        Configuring TCP proxy ... 22
        TCP proxy configuration example ... 25
        Configuring blacklist ... 27
        Blacklist configuration example ... 29
        Displaying intrusion detection statistics ... 32
      Configuring the attack detection and protection at the CLI ... 34
        Attack detection and protection configuration task list ... 34
        Creating an attack protection policy ... 35
        Enabling attack protection logging ... 35
        Configuring an attack protection policy ... 35
        Applying an attack protection policy to a security zone ... 39
        Configuring TCP proxy ... 40
        Configuring the blacklist function ... 40
        Displaying and maintaining attack detection and protection ... 41
        Attack protection functions on security zones configuration example ... 42
        Blacklist configuration example ... 44
        Traffic statistics configuration example ... 45
        TCP proxy configuration example ... 47
    Configuring ARP attack protection ... 49
      Overview ... 49
      ARP attack protection configuration task list ... 49
      Configuring unresolvable IP attack protection ... 50
        Configuring ARP source suppression ... 50
        Enabling ARP black hole routing ... 50
        Displaying and maintaining ARP source suppression ... 51
        Unresolvable IP attack protection configuration example ... 51
      Configuring source MAC based ARP attack detection ... 52
        Displaying and maintaining source MAC based ARP attack detection ... 53
        Source MAC based ARP attack detection configuration example ... 53
      Configuring ARP packet source MAC consistency check ... 54
      Configuring ARP active acknowledgement ... 55
      Configuring periodic sending of gratuitous ARP packets ... 56
        Configuration restrictions and guidelines ... 57
        Configuring periodic sending of gratuitous ARP packets ... 57
      Configuring ARP detection ... 58


        Configuring user validity check ... 58
        Configuring ARP packet validity check ... 59
        Configuring ARP restricted forwarding ... 59
        Displaying and maintaining ARP detection ... 60
      Configuring ARP automatic scanning and fixed ARP ... 60
        Configuring the ARP automatic scanning and fixed ARP in the Web interface ... 60
        Configuring the ARP automatic scanning and fixed ARP at the CLI ... 63
    Configuring TCP attack protection ... 64
      Overview ... 64
      Enabling the SYN Cookie feature ... 64
      Enabling protection against Naptha attacks ... 65
      Displaying and maintaining TCP attack protection ... 65
    Configuring ND attack defense ... 66
      Feature and hardware compatibility ... 66
      Overview ... 66
      Enabling source MAC consistency check for ND packets ... 67
    Configuring firewall ... 68
      Overview ... 68
        ACL based packet filter ... 68
        ASPF ... 69
      Configuring an IPv6 packet-filter firewall ... 71
        IPv6 packet-filter firewall configuration task list ... 71
        Enabling the IPv6 firewall function ... 71
        Configuring the default filtering action of the IPv6 firewall ... 71
        Configuring packet filtering on an interface ... 72
      Configuring an ASPF ... 73
        ASPF configuration task list ... 73
        Configuring port mapping ... 73
        Enabling ASPF for an interzone instance ... 73
        Displaying ASPF ... 74
        ASPF configuration example ... 74
    Configuring content filtering ... 76
      Overview ... 76
        HTTP packet content filtering ... 76
        SMTP packet content filtering ... 77
        POP3 packet content filtering ... 77
        FTP packet content filtering ... 77
        Telnet packet content filtering ... 78
      Configuration guidelines ... 78
      Configuring content filtering in the Web interface ... 79
        Recommended configuration procedure ... 79
        Configuring a keyword filtering policy ... 79
        Configuring a content filtering policy ... 86
        Configuring a content filtering policy template ... 93
        Displaying content filtering statistics ... 95
        Content filtering configuration example ... 95
      Configuring content filtering at the CLI ... 106
        Content filtering configuration task list ... 106
        Displaying and maintaining content filtering ... 115
        Interzone content filtering configuration example ... 115
    Configuring URPF ... 119
      Overview ... 119


        URPF check modes ... 119
        URPF features ... 119
        URPF work flow ... 120
        Network application ... 121
      Configuring the URPF in the Web interface ... 122
        Configuring URPF ... 122
        URPF configuration example ... 122
      Configuring the URPF at the CLI ... 125
        Configuring URPF ... 125
        URPF configuration example ... 125
    Configuring IDS collaboration ... 127
      Feature and hardware compatibility ... 127
      IDS collaboration overview ... 127
      Enabling IDS collaboration ... 128
      Configuration guidelines ... 128
    Configuring advanced security protection ... 129
      Feature and hardware compatibility ... 129
      Configuration guidelines ... 129
      Time tables ... 129
        Creating a time table ... 130
      Licenses ... 130
        Viewing license information ... 131
        Importing a license ... 131
        Exporting a license ... 131
      Signature upgrade ... 131
        Upgrading the signature database ... 132
      IPS ... 133
        Recommended configuration procedure ... 133
        Configuring IPS log output parameters ... 133
        Creating an IPS policy ... 134
        Applying an IPS policy ... 135
      Antivirus ... 137
        Recommended configuration procedure ... 137
        Configuring antivirus log output parameters ... 137
        Creating an antivirus policy ... 138
        Applying an antivirus policy ... 139
      Content monitoring ... 141
        Recommended configuration procedure ... 141
        Configuring the content monitoring log output parameter ... 141
        Creating a content monitoring policy ... 142
        Applying a content monitoring policy ... 144
      Bandwidth management ... 146
        Recommended configuration procedure ... 147
        Configuring a protocol ... 147
        Configuring a service ... 149
        Configuring bandwidth management log output parameters ... 152
        Creating a bandwidth management policy ... 152
        Applying a bandwidth management policy ... 155
      Protocol audit ... 156
        Recommended configuration procedure ... 157
        Configuring protocol audit log output parameters ... 157
        Creating a protocol audit policy ... 157
        Applying a protocol audit policy ... 158


     Advanced security prevention configuration example ·····························································································  160 

    Index ········································································································································································ 172 


    Configuring attack detection and protection

    Overview

    Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, takes measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting the source IP address.

    The attack protection function can detect three types of network attacks: single-packet attacks, scanning attacks, and flood attacks. In addition, this function also supports traffic statistics for session analysis on security zones.

    Types of network attacks the device can defend against

    The device can defend against three types of network attacks, classified by their attack characteristics: single-packet attacks, scanning attacks, and flood attacks.

    Single-packet attack

    Single-packet attack is also called malformed packet attack because many single-packet attacks use defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.

     A single-packet attack occurs when:

     An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.

     An attacker sends large quantities of junk packets to the network, using up the network bandwidth.

    Table 1 lists the single-packet attacks that can be prevented by the device.

    Table 1 Types of single-packet attacks

    Single-packet attack Description

    Fraggle

     An attacker sends large amounts of UDP echo requests with the UDP port number being 7 or Chargen packets with the UDP port number being 19, resulting in a large quantity of junk replies and eventually exhausting the bandwidth of the target network.

    ICMP Redirect An attacker sends ICMP redirect messages to a user host to modify the host's routing table, interfering with the normal forwarding of IP packets.

    ICMP Unreachable

    Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.

    Land

     An attacker sends a great number of TCP SYN packets using the target IP address as both the source and destination IP addresses, exhausting the half-open connection resources of the target and thereby making the target unable to provide services normally.

    Large ICMP

    For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.


    Route Record An attacker exploits the route record option in the IP header to probe the topology of a network.

    Smurf

     An attacker sends an ICMP echo request to the broadcast address or the network address of the target network. As a result, all hosts on the target network reply to the request, congesting the network and leaving hosts on the target network unable to provide services.

    Source Route An attacker exploits the source route option in the IP header to probe the topology of a network.

    TCP Flag

    Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target host to probe its operating system. If the operating system cannot process such packets properly, the attacker successfully makes the host crash.

    Tracert

     An attacker exploits the Tracert program to probe the network topology.

    The Tracert program sends batches of UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. The Tracert program uses these returning packets to figure out the hosts that the packets have traversed from the source to the destination.

     WinNuke An attacker sends Out-of-Band (OOB) data with the pointer field values overlapped to the NetBIOS port (139) of a Windows system with an established connection to introduce a NetBIOS fragment overlap, causing the system to crash.
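The signatures in Table 1 can be written down as header checks. What follows is an added example, not code from this guide or from H3C, that classifies a decoded packet header against each signature above from the inspecting device's side. The Packet field names, the constructed sample headers, the 4000-byte large ICMP limit and the Tracert heuristic (a destination port in the traceroute range combined with a low TTL) are assumptions made for illustration, and 192.0.2.255 stands in for the broadcast address of the protected network.

```python
"""Checks for the single-packet signatures listed in Table 1.

Added example, not H3C code: each check runs on a decoded packet header
held in a small dataclass. Field names, sample packets, the large ICMP
length limit and the Tracert heuristic are assumptions for illustration.
"""
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# IP option kinds for record route and source routing (RFC 791).
OPT_RECORD_ROUTE, OPT_LSRR, OPT_SSRR = 7, 131, 137
# ICMP message types (RFC 792).
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
TRACEROUTE_BASE_PORT = 33434   # start of the port range UNIX traceroute uses
NETBIOS_SESSION_PORT = 139


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ttl: int = 64
    length: int = 60           # total IP length in bytes
    flags: int = 0             # TCP flag bits
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    ip_options: tuple = ()     # option kinds present in the IP header


def inspect(pkt, broadcast_addrs, max_icmp_len=4000, tracert_max_ttl=3):
    """Return the Table 1 attack names the packet matches (empty if none)."""
    hits = []
    if pkt.proto == "tcp":
        f = pkt.flags & 0x3F
        # Land: the target is told to talk to itself.
        if pkt.src == pkt.dst and f & SYN:
            hits.append("Land")
        # TCP Flag: combinations a conforming stack never emits.
        if f == 0 or (f & SYN and f & FIN) or (f & SYN and f & RST):
            hits.append("TCP Flag")
        # WinNuke: urgent (out-of-band) data aimed at the NetBIOS session port.
        if pkt.dport == NETBIOS_SESSION_PORT and f & URG:
            hits.append("WinNuke")
    elif pkt.proto == "udp":
        # Fraggle: echo (7) or chargen (19) requests sent to a broadcast address.
        if pkt.dport in (7, 19) and pkt.dst in broadcast_addrs:
            hits.append("Fraggle")
        # Tracert: probe ports with a TTL that is about to expire (heuristic).
        if pkt.dport >= TRACEROUTE_BASE_PORT and pkt.ttl <= tracert_max_ttl:
            hits.append("Tracert")
    elif pkt.proto == "icmp":
        if pkt.icmp_type == ICMP_REDIRECT:
            hits.append("ICMP Redirect")
        if pkt.icmp_type == ICMP_UNREACHABLE:
            hits.append("ICMP Unreachable")
        # Smurf: echo request to the broadcast address of the protected network.
        if pkt.icmp_type == ICMP_ECHO_REQUEST and pkt.dst in broadcast_addrs:
            hits.append("Smurf")
        if pkt.length > max_icmp_len:
            hits.append("Large ICMP")
    # Source Route / Route Record: IP options that expose the path taken.
    if OPT_LSRR in pkt.ip_options or OPT_SSRR in pkt.ip_options:
        hits.append("Source Route")
    if OPT_RECORD_ROUTE in pkt.ip_options:
        hits.append("Route Record")
    return hits


# Constructed sample headers (not captured traffic); 192.0.2.255 is taken as
# the broadcast address of the protected 192.0.2.0/24 network.
BROADCAST = {"192.0.2.255"}
SAMPLES = {
    "normal":       Packet("tcp", "10.0.0.5", "192.0.2.10", flags=SYN, dport=443),
    "land":         Packet("tcp", "192.0.2.10", "192.0.2.10", flags=SYN, dport=80),
    "null_flags":   Packet("tcp", "10.0.0.5", "192.0.2.10", flags=0, dport=80),
    "winnuke":      Packet("tcp", "10.0.0.5", "192.0.2.10", flags=ACK | PSH | URG, dport=139),
    "smurf":        Packet("icmp", "10.0.0.5", "192.0.2.255", icmp_type=ICMP_ECHO_REQUEST),
    "large_icmp":   Packet("icmp", "10.0.0.5", "192.0.2.10", icmp_type=ICMP_ECHO_REQUEST, length=65000),
    "fraggle":      Packet("udp", "10.0.0.5", "192.0.2.255", dport=7),
    "redirect":     Packet("icmp", "10.0.0.5", "192.0.2.10", icmp_type=ICMP_REDIRECT),
    "source_route": Packet("tcp", "10.0.0.5", "192.0.2.10", flags=SYN, dport=22, ip_options=(OPT_LSRR,)),
    "tracert":      Packet("udp", "10.0.0.5", "192.0.2.10", ttl=1, dport=33440),
}


def run_inspection(samples=SAMPLES, broadcast=BROADCAST):
    """Map each sample name to the signatures it triggers."""
    return {name: inspect(pkt, broadcast) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in run_inspection().items():
        print(f"{name:13s} -> {hits or 'clean'}")
```

Running the module prints one line per sample. Which TCP flag combinations count as illegal is the place where implementations differ most, so that list is the first thing to compare against a real device's behaviour before trusting the counts under Intrusion Detection > Statistics.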

    Scanning attack

     An attacker uses scanning tools to scan host addresses and ports in a network, so as to find possible targets and the services enabled on the targets and figure out the network topology, preparing for further attacks on the target hosts.

    Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to protected systems. Usually, it is deployed on the device for the external security zone and takes effect for packets from that security zone.

    If it detects that the connection rate of an IP address has reached or exceeded the threshold, the device outputs an attack alarm log, blocks subsequent connection requests from the IP address, and blacklists the IP address, depending on your configuration.

    Flood attack

     An attacker sends a large number of forged requests to the targets in a short time, so that the target systems are too busy to provide services for legitimate users, resulting in denial of service.

    The device can effectively defend against the following types of flood attacks:

    SYN flood attack

    Because of limited resources, the TCP/IP stack permits only a limited number of TCP connections. An attacker sends a great quantity of SYN packets to a target server, using a forged address as the source address. After receiving the SYN packets, the server replies with SYN ACK packets. As the destination address of the SYN ACK packets is unreachable, the server can never receive the expected ACK packets, and thus has to maintain large amounts of half-open connections. In this way, the attacker exhausts the system resources of the server, making the server unable to service normal clients.


    ICMP flood attack

     An attacker sends a large number of ICMP requests to the target in a short time by, for example, using the ping program, making the target too busy to process normal services.

    UDP flood attack

     An attacker sends a large number of UDP packets to the target in a short time, making the target too busy to process normal services.

    DNS flood attack

     An attacker sends a large number of DNS request packets to the target in a short time, making the target too busy to process normal services.

    Flood detection mainly protects servers against flood attacks. It detects flood attacks by tracking the rates at which certain types of connection establishment requests are initiated to a server. Usually, flood detection is deployed on the device for an internal security zone, and takes effect for packets entering the security zone when an attack detection policy is configured for the security zone.

     After you configure flood detection for a device, the device enters the attack detection state and starts to track the sending rates of packets destined for certain servers. If the sending rate of a certain type of packets destined for a server constantly reaches or exceeds the protection action threshold, the device considers the server under attack, transitions to the attack protection state, logs the event, and takes attack protection actions as configured. Later, if the sending rate drops below the silent threshold, the device considers the attack over, returns to the attack detection state, and stops the attack protection actions.

    Connection limit

    When an internal user initiates a large number of connections to a host on the external network in a short period of time, system resources on the device are quickly used up, making the device unable to serve other users. In addition, if an internal server receives a large number of connection requests in a short period of time, the server is unable to process normal connection requests from other hosts.

    To protect internal network resources (including hosts and servers) and distribute the resources of the device reasonably, you can set connection limits based on source or destination IP addresses for security zones.

     When a limit based on source or destination IP address is reached or exceeded, the device outputs an alarm log and discards subsequent connection requests from or to the IP address.

    Blacklist function

    The blacklist function is an attack protection measure that filters packets by source IP address. Compared with ACL packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.

     Working in conjunction with the scanning attack protection function or the user login authentication function, the device can add blacklist entries automatically and can age such blacklist entries. More specifically:

     When the device detects a scanning attack from an IP address according to the packet behavior, it adds the IP address to the blacklist. Thus, packets from the IP address are filtered.

     When the device detects that an FTP, Telnet, SSH, SSL, or web user has failed to provide the correct username, password, or verification code (for a web login user) after the maximum number of attempts, it considers the user an attacker, adds the IP address of the user to the blacklist, and filters subsequent login requests from the user. This mechanism can effectively prevent attackers from cracking login passwords through repeated login attempts. The maximum number of login failures is six, the blacklist entry aging time is 10 minutes, and neither is configurable.

    The device also allows you to add and delete blacklist entries manually. Blacklist entries added manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always exists in the blacklist unless you delete it manually. You can configure the aging time of a non-permanent entry.

     After the timer expires, the device automatically deletes the blacklist entry, allowing packets from the corresponding IP address to pass.
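To make the aging and automatic-entry behaviour concrete, the following is an added example, not H3C code, of a blacklist that holds permanent and non-permanent entries, together with the login-failure counter that adds a 10-minute entry after the sixth failure. The class and method names are assumptions; the six-failure limit and the 10-minute aging time come from the text above. Time is passed in explicitly so that the aging timers can be exercised without waiting.

```python
"""Blacklist with permanent and aging entries, plus entries added on login failure.

Added illustration, not H3C code. Class and method names are assumptions;
the six-failure limit and the 10-minute aging time come from the text.
Time is an explicit argument so aging can be tested deterministically.
"""

PERMANENT = None  # expiry marker for an entry that never ages out


class Blacklist:
    def __init__(self):
        self._entries = {}  # ip -> expiry time in seconds, or PERMANENT

    def add(self, ip, now, aging_seconds=None):
        """Manual or automatic entry; omit aging_seconds for a permanent entry."""
        self._entries[ip] = PERMANENT if aging_seconds is None else now + aging_seconds

    def delete(self, ip):
        self._entries.pop(ip, None)

    def expire(self, now):
        """Remove non-permanent entries whose aging timer has run out."""
        for ip, expiry in list(self._entries.items()):
            if expiry is not PERMANENT and expiry <= now:
                del self._entries[ip]

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self._entries

    def entries(self):
        return dict(self._entries)


class LoginFailureTracker:
    """Counts login failures per source address and blacklists the source
    for AGING_SECONDS once MAX_FAILURES is reached; the counter then restarts."""
    MAX_FAILURES = 6        # fixed on the device
    AGING_SECONDS = 600     # 10 minutes, fixed on the device

    def __init__(self, blacklist):
        self.blacklist = blacklist
        self._failures = {}

    def record_failure(self, ip, now):
        """Return True when this failure caused the source to be blacklisted."""
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= self.MAX_FAILURES:
            self.blacklist.add(ip, now, self.AGING_SECONDS)
            self._failures.pop(ip)
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def filter_packets(blacklist, packets, now):
    """Drop packets whose source IP is blacklisted; return the ones that pass."""
    return [p for p in packets if not blacklist.is_blocked(p["src"], now)]


def demo():
    """Constructed scenario: one permanent entry, one 60-second entry, and a
    source that fails to log in six times at t = 0..5 seconds."""
    bl = Blacklist()
    tracker = LoginFailureTracker(bl)
    bl.add("198.51.100.7", now=0)                     # manual, permanent
    bl.add("198.51.100.8", now=0, aging_seconds=60)   # manual, non-permanent
    auto = [tracker.record_failure("203.0.113.5", now=t) for t in range(6)]
    pkts = [{"src": s} for s in ("198.51.100.7", "198.51.100.8", "203.0.113.5", "192.0.2.1")]
    return {
        "blacklisted_on_failure": auto.index(True) + 1,   # which attempt triggered it
        "allowed_at_10": [p["src"] for p in filter_packets(bl, pkts, now=10)],
        "allowed_at_700": [p["src"] for p in filter_packets(bl, pkts, now=700)],
    }
```

At 10 seconds only the unlisted source passes; at 700 seconds both the 60-second manual entry and the automatic entry (added at t = 5, expiring at t = 605) have aged out, while the permanent entry still blocks.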

    Traffic statistics function

    The traffic statistics function collects statistics on sessions between the internal network and the external network almost in real time. You can customize attack protection policies based on the statistics. For example, by analyzing whether the total number of TCP or UDP session requests initiated from the external network to the internal network exceeds the threshold, you can determine whether to limit new sessions in that direction, or limit new sessions to a specific internal IP address.

    The device supports collecting statistics on the following items:

    Total number of sessions

    Session establishment rate

    Number of TCP sessions

    Number of half-open TCP sessions

    Number of half-close TCP sessions

    TCP session establishment rate

    Number of UDP sessions

    UDP session establishment rate

    Number of ICMP sessions

    ICMP session establishment rate

    Number of RAW IP sessions

    RAW IP session establishment rate

    The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval.

    The traffic statistics function does not consider the session status (except the TCP half-open and half-close states). As long as a session is established, the count increases by 1. As long as a session is deleted, the count decreases by 1.

    TCP proxy

    The TCP proxy function can protect servers from SYN flood attacks. A device enabled with the TCP proxy function can function as a TCP proxy between TCP clients and servers. Upon detecting a SYN flood attack, the device can add a protected IP address entry for the attacked server and use the TCP proxy function to inspect and process all subsequent TCP requests destined to the server.

    TCP proxy can operate in two modes:

    Unidirectional proxy—Processes only packets from TCP clients.

    Bidirectional proxy—Processes packets from both TCP clients and TCP servers.


    You can choose a proper mode according to your network scenario. For example, if packets from TCP clients to a server go through the TCP proxy but packets from the server to clients do not, as shown in Figure 1, configure unidirectional proxy.

    Figure 1 Network diagram for unidirectional proxy

    If all packets between TCP clients and a server go through the TCP proxy, as shown in Figure 2, you can configure unidirectional proxy or bidirectional proxy as desired.

    Figure 2 Network diagram for unidirectional/bidirectional proxy

    Unidirectional proxy

    Figure 3 Data exchange process in unidirectional proxy mode

     When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client, if legitimate, responds with an RST message. If the TCP proxy receives an RST message from the client, it considers the client legitimate, and forwards SYN messages that the client sends to the server during a period of time so that the client can establish a TCP connection to the server. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without any processing.

    Message sequence shown in Figure 3 (TCP client, TCP proxy, TCP server):

    1) SYN

    2) SYN ACK (invalid sequence number)

    3) RST

    4) SYN (retransmitting)

    5) SYN (forwarding)

    6) SYN ACK

    7) ACK

    8) ACK (forwarding)


    Unidirectional proxy mode can satisfy the requirements of most environments. Generally, servers do not initiate attacks on clients, and packets from servers to clients do not need to be inspected by the TCP proxy. In this case, you can configure a TCP proxy to inspect only packets that clients send to servers. To filter packets destined to clients, you can deploy a firewall as required.

    The unidirectional proxy mode requires that the clients use the standard TCP protocol suite. Legitimate clients that use non-standard TCP protocol suites may be considered illegitimate by the TCP proxy. In addition, when the TCP proxy function works, a client takes more time to establish a TCP connection to a server because the client must send an RST message to the server to reinitiate a TCP connection request.

    Bidirectional proxy

    Figure 4 Data exchange process in bidirectional proxy mode

     After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with a window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a connection between itself and the server through a three-way handshake on behalf of the client. Thus, two TCP connections are established, and the two connections use different sequence numbers.

    In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with clients and a virtual client that communicates with servers. To use this mode, you must deploy the TCP proxy on the key path that passes through the ingress and egress of the protected servers, and make sure all packets that the clients send to the servers and all packets that the servers send to the clients pass through the TCP proxy device.
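The two modes are easiest to compare by replaying both exchanges against a small model of a server's half-open connection table. The following added example is not H3C code: it simulates the exchanges of Figure 3 and Figure 4 with a spoofed SYN flood from 100 sources plus one legitimate client, and reports what the server is left holding in each mode. The segment fields, the fixed sequence numbers, the 30-second trust period of the unidirectional mode and the choice to keep the client's source address on the proxy-to-server connection are assumptions made for illustration.

```python
"""Simulation of the unidirectional and bidirectional TCP proxy modes.

Added example, not H3C code: it replays the exchanges of Figures 3 and 4
with plain Python objects. The segment fields, the trust period, the fixed
sequence numbers and the server's half-open accounting are simplifications.
"""
from dataclasses import dataclass


@dataclass
class Seg:
    src: str
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0
    win: int = 65535


SYN, SYNACK, ACK, RST = map(frozenset, (["SYN"], ["SYN", "ACK"], ["ACK"], ["RST"]))


class Server:
    """Tracks half-open (SYN seen, no ACK yet) and established connections."""
    def __init__(self, addr, isn=5000):
        self.addr, self.isn, self.half_open, self.established = addr, isn, {}, set()

    def receive(self, seg):
        if seg.flags == SYN:
            self.half_open[seg.src] = seg.seq
            return [Seg(self.addr, seg.src, SYNACK, seq=self.isn, ack=seg.seq + 1)]
        if seg.flags == ACK and seg.src in self.half_open:
            del self.half_open[seg.src]
            self.established.add(seg.src)
        return []


class Client:
    """Standard TCP stack: ACKs a SYN ACK that acknowledges its ISN, RSTs any other."""
    def __init__(self, addr, isn=100):
        self.addr, self.isn = addr, isn

    def syn(self, server):
        return Seg(self.addr, server, SYN, seq=self.isn)

    def respond(self, seg):
        if seg.flags != SYNACK:
            return []
        if seg.ack == self.isn + 1:
            return [Seg(self.addr, seg.src, ACK, seq=self.isn + 1, ack=seg.seq + 1)]
        return [Seg(self.addr, seg.src, RST, seq=seg.ack)]


class UnidirectionalProxy:
    """Figure 3: answer an unknown SYN with a SYN ACK carrying a wrong ack number.
    Only a real host sends the RST back; it is then trusted for trust_seconds and
    its retransmitted SYN (and everything after it) is forwarded untouched."""
    def __init__(self, server, trust_seconds=30):
        self.server, self.trust_seconds, self.trusted = server, trust_seconds, {}

    def from_client(self, seg, now):
        if self.trusted.get(seg.src, -1) > now:
            return self.server.receive(seg)
        if seg.flags == SYN:
            return [Seg(seg.dst, seg.src, SYNACK, seq=7777, ack=seg.seq + 99)]
        if seg.flags == RST:
            self.trusted[seg.src] = now + self.trust_seconds
        return []


class BidirectionalProxy:
    """Figure 4: finish the handshake with the client (window 0), then open a
    separate connection to the server using the proxy's own sequence numbers."""
    def __init__(self, server, isn=9000):
        self.server, self.isn, self.pending, self.sessions = server, isn, {}, {}

    def from_client(self, seg, now=None):
        if seg.flags == SYN:
            self.pending[seg.src] = seg.seq
            return [Seg(seg.dst, seg.src, SYNACK, seq=self.isn, ack=seg.seq + 1, win=0)]
        if seg.flags == ACK and seg.src in self.pending and seg.ack == self.isn + 1:
            del self.pending[seg.src]
            # The client proved itself: three-way handshake with the server on its behalf.
            synack = self.server.receive(Seg(seg.src, seg.dst, SYN, seq=self.isn))[0]
            self.server.receive(Seg(seg.src, seg.dst, ACK, seq=self.isn + 1, ack=synack.seq + 1))
            self.sessions[seg.src] = (seg.seq, self.isn)   # client-side vs server-side ISN
        return []


def run(mode, flood_sources=100):
    """Replay a spoofed SYN flood plus one legitimate client through mode "none",
    "uni" or "bi", and return what the server is left holding."""
    server = Server("10.1.1.10")
    proxy = {"none": None, "uni": UnidirectionalProxy(server), "bi": BidirectionalProxy(server)}[mode]
    deliver = (lambda seg, now: server.receive(seg)) if proxy is None else proxy.from_client
    # Spoofed sources never answer anything sent back to them.
    for i in range(flood_sources):
        deliver(Seg(f"203.0.113.{i + 1}", server.addr, SYN, seq=1), now=0)
    client = Client("192.0.2.50")
    now, inbox = 1, [client.syn(server.addr)]
    while inbox:                       # exchange segments until both sides go quiet
        seg = inbox.pop(0)
        for reply in deliver(seg, now):
            inbox.extend(client.respond(reply))
        if seg.flags == RST:           # a reset makes the client retry its SYN
            inbox.append(client.syn(server.addr))
        now += 1
    return {"half_open": len(server.half_open), "client_established": client.addr in server.established}
```

Without a proxy the server ends the run with 100 half-open entries; in either proxy mode it ends with none, and the legitimate client still completes its connection. The unidirectional path shows the extra round trip the text mentions (SYN, wrong SYN ACK, RST, retransmitted SYN) before the server sees anything.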

    Intrusion detection statistics

    Intrusion detection is an important network security feature. By analyzing the contents and behaviors of packets passing by, it determines whether the packets are attack packets. If so, it takes actions accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and adding the attacker to the blacklist.

    The intrusion detection statistics reflect the counts of attacks by attack type and the counts of attack packets dropped. This helps you analyze the intrusion types and quantities present, so that you can generate better network security policies.

    For information about packet inspection, see "Configuring packet inspection." For information about traffic abnormality detection, see "Types of network attacks the device can defend against."


    Configuring attack detection and protection in the Web interface

    Configuring packet inspection

    1.  From the navigation tree, select Intrusion Detection > Packet Inspection.

    Figure 5 Packet inspection configuration page

    2.  Configure packet inspection, as described in Table 2.

    3.  Click Apply.

    Table 2 Configuration items

    Item Description

    Zone 

    Select a zone to detect attacks from the zone. 

    Discard Packets when the specified attack is detected Select this option to discard detected attack packets.

    Enable Fraggle Attack Detection 

    Enable or disable detection of Fraggle attacks.

    Enable Land Attack Detection 

    Enable or disable detection of Land attacks.

    Enable WinNuke Attack Detection 

    Enable or disable detection of WinNuke attacks.

    Enable TCP Flag Attack Detection 

    Enable or disable detection of TCP flag attacks.

    Enable ICMP Unreachable Packet Attack Detection 

    Enable or disable detection of ICMP unreachable attacks.

    Enable ICMP Redirect Packet Attack Detection 

    Enable or disable detection of ICMP redirect attacks.

    Enable Tracert Packet Attack Detection 

    Enable or disable detection of Tracert attacks.

    Enable Smurf Attack Detection 

    Enable or disable detection of Smurf attacks.


    Enable IP Packet Carrying Source Route Attack Detection

     

    Enable or disable detection of source route attacks. 

    Enable Route Record Option Attack Detection 

    Enable or disable detection of route record attacks. 

    Enable Large ICMP Packet Attack Detection

    Max Packet Length

    Enable detection of large ICMP attacks and set the packet length limit, or disable detection of such attacks.

    Packet inspection configuration example

    Network requirements

     As shown in Figure 6, the internal network is the trusted zone and the external network is the untrusted zone.

    Configure the firewall to protect the trusted zone against Land attacks and Smurf attacks from the untrusted zone.

    Figure 6 Network diagram

    Configuring Firewall

    1.   Assign IP addresses and security zones to interfaces. (Details not shown.)

    2.  Enable Land attack detection and Smurf attack detection for the untrusted zone:

    a.  From the navigation tree, select Intrusion Detection > Packet Inspection.

    b.  The packet inspection configuration page appears, as shown in Figure 7.

    c.  Select Untrust from the Zone list. Then select Discard Packets when the specified attack is detected, Enable Land Attack Detection, and Enable Smurf Attack Detection.

    d.  Click Apply.


    Figure 7 Enabling Land and Smurf attack detection for the untrusted zone

     Verifying the configuration

    Check that the firewall can detect Land and Smurf attacks from the untrusted zone, output alarm logs accordingly, and drop the attack packets.

    You can select Intrusion Detection > Statistics from the navigation tree to view the counts of Land and Smurf attacks and the counts of dropped attack packets.

    Configuring traffic abnormality detection

    Configuring ICMP flood detection

    ICMP flood detection is mainly intended to protect servers and is usually configured for an internal zone.

    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > ICMP Flood.

    The ICMP flood detection configuration page appears, as shown in Figure 8.


    Figure 8 ICMP flood detection configuration page

    2.  Select a security zone.

    3.  In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply.

    If you do not select the box, the device only collects ICMP flood attack statistics.

    4.  In the ICMP Flood Configuration area, click Add.

    Figure 9  Adding an ICMP flood detection rule

    5.  Configure an ICMP flood detection rule, as described in Table 3.

    6.  Click Apply.


    Table 3 Configuration items

    Item Description

    Protected Host Configuration

    IP Address

    Specify the IP address of the protected host.

    Action Threshold

    Set the protection action threshold for ICMP flood attacks that target the protected host.

    If the sending rate of ICMP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    Silent Threshold

    Set the silent threshold for actions that protect against ICMP flood attacks targeting the protected host.

    If the sending rate of ICMP packets destined for the specified IP address drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    Global Configuration of Security Zone

    Action Threshold

    Set the protection action threshold for ICMP flood attacks that target a host in the protected security zone.

    If the sending rate of ICMP packets destined for a host in the security zone constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    Silent Threshold

    Set the silent threshold for actions that protect against ICMP flood attacks targeting a host in the protected security zone.

    If the sending rate of ICMP packets destined for a host in the security zone drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    NOTE:

    Host-specific settings take precedence over the global settings for security zones.

    Configuring UDP flood detection

    UDP flood detection is mainly intended to protect servers and is usually configured for an internal zone.

    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > UDP Flood.

    The UDP flood detection configuration page appears.


    Figure 10 UDP flood detection configuration page

    2.  Select a security zone.

    3.  In the Attack Prevention Policy area, select the Discard packets when the specified attack is detected box. Click Apply.

    If you do not select the box, the device only collects UDP flood attack statistics.

    4.  In the UDP Flood Configuration area, click Add.

    Figure 11  Adding a UDP flood detection rule

    5.  Configure a UDP flood detection rule, as described in Table 4.

    6.  Click Apply.

  • 8/19/2019 05-Attack Protection Configuration Guide-book

    22/181

    13

    Table 4 Configuration items

    Item Description

    Protected Host Configuration

    IP Address

    Specify the IP address of the protected host.

    Action Threshold

    Set the protection action threshold for UDP flood attacks that target the protected host.

    If the sending rate of UDP packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    Silent Threshold

    Set the silent threshold for actions that protect against UDP flood attacks targeting the protected host.

    If the sending rate of UDP packets destined for the specified IP address drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    Global Configuration of Security Zone

    Action Threshold

    Set the protection action threshold for UDP flood attacks that target a host in the protected security zone.

    If the sending rate of UDP packets destined for a host in the security zone constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    Silent Threshold

    Set the silent threshold for actions that protect against UDP flood attacks targeting a host in the protected security zone.

    If the sending rate of UDP packets destined for a host in the security zone drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    NOTE:

    Host-specific settings take precedence over the global settings for security zones.

    Configuring DNS flood detection

    DNS flood detection is mainly intended to protect servers and is usually configured for an internal zone.

    You cannot configure the DNS flood detection silent threshold through the Web interface. By default, the global silent threshold for DNS flood detection in a security zone is 750 packets per second, which is three quarters of the action threshold.

    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > DNS Flood.

    The DNS flood detection configuration page appears.


    Figure 12 DNS flood detection configuration page

    2.  Select a security zone.

    3.  In the DNS Flood Attack Prevention Policy area, select Enable DNS Flood Attack Detection, and then click Apply.

    The device will collect DNS flood attack statistics for the specified security zone, and output logs upon detecting DNS flood attacks.

    4.  In the DNS Flood Configuration area, click Add.

    Figure 13  Adding a DNS flood detection rule

    5.  Configure a DNS flood detection rule, as described in Table 5.

    6.  Click Apply.

    Table 5 Configuration items

    Item Description

    Protected Host Configuration

    IP Address

    Specify the IP address of the protected host.

    Action Threshold

    Set the protection action threshold for DNS flood attacks that target the protected host.

    If the sending rate of DNS query requests destined for the specified IP address constantly reaches or exceeds this threshold, the device drops all extra requests and logs the event.

    Global Configuration of Security Zone

    Action Threshold

    Set the protection action threshold for DNS flood attacks that target a host in the protected security zone.

    If the sending rate of DNS query requests destined for a host in the security zone constantly reaches or exceeds this threshold, the device drops all extra requests and logs the event.

    NOTE:

    Host-specific settings take precedence over the global settings for security zones.

    Configuring SYN flood detection

    SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.

    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood.

    The SYN flood detection configuration page appears.

    Figure 14 SYN flood detection configuration page

    2.  Select a security zone.

    3.  In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a SYN flood attack for the specified security zone. Click Apply.

    If you do not select any option, the device only collects SYN flood attack statistics depending on your configuration. The available protection actions include:

    Discard packets when the specified attack is detected. If detecting that a protected object in the security zone is under SYN flood attack, the device drops the TCP connection requests to the protected host to block subsequent TCP connections.

    Add protected IP entry to TCP Proxy. If detecting that a protected object in the security zone is under SYN flood attack, the device adds the target IP address to the protected IP list on the TCP proxy as a dynamic entry, with the port number set to any. If TCP proxy is configured for the security zone, all TCP connection requests to the IP address will be processed by the TCP proxy until the protected IP entry ages out. If you select this option, configure the TCP proxy feature on the page that opens when you select Intrusion Detection > TCP Proxy.

    4.  In the SYN Flood Configuration area, click Add.


    Figure 15  Adding a SYN flood detection rule

    5.  Configure a SYN flood detection rule, as described in Table 6.

    6.  Click Apply.

    Table 6 Configuration items

    Item Description

    Protected Host Configuration

    IP Address: Specify the IP address of the protected host.

    Action Threshold: Set the protection action threshold for SYN flood attacks that target the protected host.
    If the sending rate of SYN packets destined for the specified IP address constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks targeting the protected host.
    If the sending rate of SYN packets destined for the specified IP address drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    Global Configuration of Security Zone

    Action Threshold: Set the protection action threshold for SYN flood attacks that target a host in the protected security zone.
    If the sending rate of SYN packets destined for a host in the security zone constantly reaches or exceeds this threshold, the device enters the attack protection state and takes attack protection actions as configured.

    Silent Threshold: Set the silent threshold for actions that protect against SYN flood attacks targeting a host in the protected security zone.
    If the sending rate of SYN packets destined for a host in the security zone drops below this threshold, the device returns to the attack detection state and stops the protection actions.

    By default, the action threshold is 1000 packets per second and the silent threshold is three quarters of the action threshold.

    NOTE:

    Host-specific settings take precedence over the global settings for security zones.
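The two thresholds in Table 6 form a hysteresis loop: the action threshold moves a destination into the attack protection state, and only the lower silent threshold moves it back. The following model is an added example, not code from the device or from H3C; the destination IP addresses and per-second SYN rates are constructed, and it assumes that a single one-second sample is enough to change state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SynFloodRule:
    """Thresholds in SYN packets per second, as in Table 6."""
    action_threshold: int = 1000            # default stated on the page
    silent_threshold: Optional[int] = None  # None -> three quarters of the action threshold

    def __post_init__(self) -> None:
        if self.silent_threshold is None:
            self.silent_threshold = self.action_threshold * 3 // 4


class SynFloodDetector:
    """Per-destination state machine: 'detecting' becomes 'protecting' when the
    SYN rate reaches the action threshold, and 'protecting' returns to
    'detecting' when the rate drops below the silent threshold. A host-specific
    rule takes precedence over the zone-wide rule (the NOTE after Table 6)."""

    def __init__(self, zone_rule: SynFloodRule,
                 host_rules: Optional[Dict[str, SynFloodRule]] = None):
        self.zone_rule = zone_rule
        self.host_rules = host_rules or {}
        self.state: Dict[str, str] = {}     # dst IP -> current state

    def rule_for(self, dst: str) -> SynFloodRule:
        return self.host_rules.get(dst, self.zone_rule)

    def observe(self, dst: str, syn_rate: int) -> str:
        """Feed one second's SYN rate towards dst and return the resulting state.
        Assumption: one sample switches state; the page says the rate must
        'constantly' reach the threshold but does not give the window."""
        rule = self.rule_for(dst)
        state = self.state.get(dst, "detecting")
        if state == "detecting" and syn_rate >= rule.action_threshold:
            state = "protecting"
        elif state == "protecting" and syn_rate < rule.silent_threshold:
            state = "detecting"
        self.state[dst] = state
        return state


def run_trace(detector: SynFloodDetector, dst: str, rates: List[int]) -> List[str]:
    """Replay a constructed per-second SYN rate series and collect the states."""
    return [detector.observe(dst, r) for r in rates]
```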

    Configuring connection limits

    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > Connection Limit.

    The connection limit configuration page appears.

    Figure 16 Connection limit configuration page

    2.  Configure the connection limits for the security zone, as described in Table 7.

    3.  Click Apply.

    Table 7 Configuration items

    Item Description

    Security Zone: Select a security zone to perform connection limit configuration for it.

    Discard packets when the specified attack is detected: Select this option to discard subsequent packets destined for or sourced from an IP address when the number of connections for that IP address has exceeded the limit.

    Enable connection limit per source IP / Threshold: Select the option to set the maximum number of connections that can be present for a source IP address.

    Enable connection limit per dest IP / Threshold: Select the option to set the maximum number of connections that can be present for a destination IP address.

    Configuring scanning detection

    Scanning detection is intended to detect scanning behaviors and is usually configured for an external zone.

    Scanning detection can be configured to add blacklist entries automatically.

    To configure scanning detection:


    1.  From the navigation tree, select Intrusion Detection > Traffic Abnormality > Scanning Detection.

    The scanning detection configuration page appears.

    Figure 17 Scanning detection configuration page

    2.  Configure the scanning detection rule for the security zone, as described in Table 8.

    3.  Click Apply.

    Table 8 Configuration items

    Item Description

    Security Zone: Select a security zone to perform scanning detection configuration for it.

    Enable Scanning Detection: Select this option to enable scanning detection for the security zone.

    Scanning Threshold: Set the maximum connection rate for a source IP address.

    Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address.
    If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.

    IMPORTANT:
    Only when the blacklist feature is enabled can the scanning detection function blacklist a suspect and discard subsequent packets from the suspect.

    Lifetime: Set the lifetime of the blacklist entry.
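Table 7 (connection limits) and Table 8 (scanning detection) describe two different counters: a cap on concurrent connections per IP address, and a rate of new connections per source that, once exceeded, blacklists the source for its lifetime. The model below is an added example, not device code; the 600-second lifetime, the decision to drop the connection attempt that crosses the scanning threshold, and the addresses and timestamps used in testing are constructed assumptions.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Scanning detection (Table 8): a source that opens more than `threshold`
    connections within one second is blacklisted for `lifetime` seconds, but
    only when the blacklist feature is enabled (IMPORTANT note in Table 8)."""
    def __init__(self, threshold=4500, blacklist_enabled=True, lifetime=600):
        self.threshold, self.blacklist_enabled = threshold, blacklist_enabled
        self.lifetime = lifetime          # 600 s is an assumed lifetime value
        self.recent = defaultdict(deque)  # src -> timestamps in the last second
        self.blacklist = {}               # src -> expiry timestamp

    def new_connection(self, src, now):
        """Return 'discard' or 'permit' for a connection attempt from src."""
        expiry = self.blacklist.get(src)
        if expiry is not None and now < expiry:
            return "discard"
        self.blacklist.pop(src, None)     # entry aged out (or never existed)
        window = self.recent[src]
        window.append(now)
        while now - window[0] >= 1.0:     # keep only the last one second
            window.popleft()
        if len(window) > self.threshold and self.blacklist_enabled:
            self.blacklist[src] = now + self.lifetime
            return "discard"              # assumption: the crossing attempt is dropped too
        return "permit"


class ConnectionLimiter:
    """Connection limit (Table 7): caps on concurrent connections per source IP
    and per destination IP; connections beyond a cap are discarded."""
    def __init__(self, per_src=None, per_dst=None):
        self.per_src, self.per_dst = per_src, per_dst
        self.by_src, self.by_dst = defaultdict(int), defaultdict(int)

    def open(self, src, dst):
        """Return True if the connection is admitted, False if discarded."""
        if self.per_src is not None and self.by_src[src] >= self.per_src:
            return False
        if self.per_dst is not None and self.by_dst[dst] >= self.per_dst:
            return False
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        return True

    def close(self, src, dst):
        self.by_src[src] -= 1
        self.by_dst[dst] -= 1
```

With the values from the configuration example that follows, the objects would be ScanDetector(threshold=4500) for the untrusted zone, ConnectionLimiter(per_src=100) for the trusted zone and ConnectionLimiter(per_dst=10000) for the DMZ.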

    Traffic abnormality detection configuration example

    Network requirements

    As shown in Figure 18, the internal network is the trusted zone, the subnet where the internal servers are located is the DMZ, and the external network is the untrusted zone.

    Configure the firewall to perform the following operations:

    Protect the internal network against scanning attacks from the external network.

    Limit the number of connections initiated by each internal host.

    Limit the number of connections to the internal server.

    Protect the internal server against SYN flood attacks from the external network.


    Figure 18 Network diagram

    Configuration considerations

    To satisfy the requirements, perform the following configurations on the firewall:

    Configure scanning detection for the untrusted zone, enable the function to add entries to the blacklist, and set the scanning threshold to 4500 connections per second.

    Configure source IP address-based connection limit for the trusted zone, and set the number of connections each host can initiate to 100.

    Configure destination IP address-based connection limit for the DMZ, and set the number of connections the server can accommodate to 10000.

    Configure SYN flood detection for the DMZ, and set the action threshold for attacks targeting the internal server (for example, to 5000 packets per second) and the silent threshold (for example, to 1000 packets per second). Set the attack protection action to blocking subsequent packets destined for the server.

    Configuring the firewall

    1.   Assign IP addresses and security zones to interfaces. (Details not shown.)

    2.  Enable the blacklist feature:

    a.  From the navigation tree, select Intrusion Detection > Blacklist.

    b.  In the Global Configuration area, select Enable Blacklist as shown in Figure 19.

    c.  Click Apply.


    Figure 19 Enabling the blacklist feature

    3.  Configure scanning detection for the untrusted zone:

    a.  From the navigation tree, select Intrusion Detection > Traffic abnormality > Scanning Detection.The sc