Example: Applying an attack defense policy to the device
Network requirements
Configure attack detection and prevention on the switch (the gateway) to protect against network attacks from the user side or the network side.
To prevent TCP flag attacks and low level scanning attacks that aim at the switch, enable TCP flag attack prevention and scanning attack prevention. Configure the device to output logs if it detects such attacks.
To prevent the SYN flood attacks that aim at the external interface of the switch, enable IP address-specific SYN flood attack detection for 192.168.2.1/24. When the device receives 5000 or more SYN packets sent to the protected IP address per second, it outputs logs and drops the packets.
To prevent the SYN flood attacks that aim at the internal interface of the switch, enable global SYN flood attack detection. When the device receives 2000 or more SYN packets that are destined to the switch but not to the protected IP address per second, it outputs logs.
Figure 148: Network diagram
Configuration procedure
# Create an attack defense policy named a1.
[Switch] attack-defense policy a1
# Enable signature detection for TCP single-packet attacks and specify logging as the attack prevention action. A TCP packet is identified as an attack packet if it has all flags set, only the FIN flag set, invalid flags, no TCP flags set, or both the SYN and FIN flags set.
[Switch-attack-defense-policy-a1] signature detect tcp-all-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-fin-only action logging
[Switch-attack-defense-policy-a1] signature detect tcp-invalid-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-null-flag action logging
[Switch-attack-defense-policy-a1] signature detect tcp-syn-fin action logging
# Enable low level scanning attack detection and specify logging as the attack prevention action.
[Switch-attack-defense-policy-a1] scan detect level low action logging
# Enable SYN flood attack detection for 192.168.2.1. Set the threshold for triggering SYN flood attack prevention to 5000 and specify logging and drop as the attack prevention actions.
[Switch-attack-defense-policy-a1] syn-flood detect ip 192.168.2.1 threshold 5000 action logging drop
# Enable global SYN flood attack detection, set the global threshold for triggering SYN flood attack prevention to 2000, and specify logging as the global attack prevention action.
[Switch-attack-defense-policy-a1] syn-flood detect non-specific
[Switch-attack-defense-policy-a1] syn-flood threshold 2000
[Switch-attack-defense-policy-a1] syn-flood action logging
[Switch-attack-defense-policy-a1] quit
# Apply the attack defense policy to the device.
[Switch] attack-defense local apply policy a1
Verifying the configuration
# Verify that attack defense policy a1 is correctly configured.
[Switch] display attack-defense policy a1
Attack-defense Policy Information
--------------------------------------------------------------------------
 Policy name    : a1
 Applied list   : Local
--------------------------------------------------------------------------
 Exempt IPv4 ACL : Not configured
 Exempt IPv6 ACL : Not configured
--------------------------------------------------------------------------
 Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

 Signature attack defense configuration:
 Signature name                     Defense    Level     Actions
 Fragment                           Disabled   low       L
 Impossible                         Disabled   medium    L,D
 Teardrop                           Disabled   medium    L,D
 Tiny fragment                      Disabled   low       L
 IP option abnormal                 Disabled   medium    L,D
 Smurf                              Enabled    medium    L,D
 Traceroute                         Disabled   low       L
 Ping of death                      Disabled   medium    L,D
 Large ICMP                         Disabled   info      L
   Max length                       4000 bytes
 Large ICMPv6                       Disabled   info      L
   Max length                       4000 bytes
 TCP invalid flags                  Disabled   medium    L
 TCP null flag                      Disabled   medium    L
 TCP all flags                      Disabled   medium    L
 TCP SYN-FIN flags                  Disabled   medium    L
 TCP FIN only flag                  Disabled   medium    L
 TCP Land                           Disabled   medium    L,D
 Winnuke                            Disabled   medium    L,D
 UDP Bomb                           Disabled   medium    L,D
 UDP Snork                          Disabled   medium    L,D
 UDP Fraggle                        Disabled   medium    L,D
 IP option record route             Disabled   info      L
 IP option internet timestamp       Disabled   info      L
 IP option security                 Disabled   info      L
 IP option loose source routing     Disabled   info      L
 IP option stream ID                Disabled   info      L
 IP option strict source routing    Disabled   info      L
 IP option route alert              Disabled   info      L
 ICMP echo request                  Disabled   info      L
 ICMP echo reply                    Disabled   info      L
 ICMP source quench                 Disabled   info      L
 ICMP destination unreachable       Disabled   info      L
 ICMP redirect                      Disabled   info      L
 ICMP time exceeded                 Disabled   info      L
 ICMP parameter problem             Disabled   info      L
 ICMP timestamp request             Disabled   info      L
 ICMP timestamp reply               Disabled   info      L
 ICMP information request           Disabled   info      L
 ICMP information reply             Disabled   info      L
 ICMP address mask request          Disabled   info      L
 ICMP address mask reply            Disabled   info      L
 ICMPv6 echo request                Disabled   info      L
 ICMPv6 echo reply                  Disabled   info      L
 ICMPv6 group membership query      Disabled   info      L
 ICMPv6 group membership report     Disabled   info      L
 ICMPv6 group membership reduction  Disabled   info      L
 ICMPv6 destination unreachable     Disabled   info      L
 ICMPv6 time exceeded               Disabled   info      L
 ICMPv6 parameter problem           Disabled   info      L
 ICMPv6 packet too big              Disabled   info      L

 Scan attack defense configuration:
 Defense : Enabled
 Level   : low
 Actions : L

 Flood attack defense configuration:
 Flood type      Global thres(pps)  Global actions  Service ports  Non-specific
 SYN flood       2000               L               -              Enabled
 ACK flood       1000(default)      -               -              Disabled
 SYN-ACK flood   1000(default)      -               -              Disabled
 RST flood       1000(default)      -               -              Disabled
 FIN flood       1000(default)      -               -              Disabled
 UDP flood       1000(default)      -               -              Disabled
 ICMP flood      1000(default)      -               -              Disabled
 ICMPv6 flood    1000(default)      -               -              Disabled
 DNS flood       1000(default)      -               53             Disabled
 HTTP flood      1000(default)      -               80             Disabled

 Flood attack defense for protected IP addresses:
 Address          VPN instance   Flood type   Thres(pps)  Actions  Ports
 192.168.2.1      --             SYN-FLOOD    5000        L,D      -
If the device receives TCP flag attack packets or scanning attack packets that are destined for the device, the device outputs logs. If the device receives TCP SYN flood attack packets that are destined for the protected IP address, the device outputs logs and drops the attack packets. If the device receives TCP SYN flood attack packets that are destined for the device but not to the protected IP address, the device outputs logs.
# Display the attack detection and prevention statistics.
[Switch] display attack-defense statistics local
Attack policy name: a1
Slot 1:
Scan attack defense statistics:
 AttackType             AttackTimes  Dropped
 Port scan              4            0
Flood attack defense statistics:
 AttackType             AttackTimes  Dropped
 No flood attacks detected.
Signature attack defense statistics:
 AttackType             AttackTimes  Dropped
 TCP invalid flags      116          0
 TCP null flag          709          0
 TCP all flags          251          0
 TCP SYN-FIN flags      46           0
 TCP FIN only flag      130          0
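Once the policy is applied, the statistics display is what an operator polls to see which of the enabled detections are actually firing. The following Python snippet is an added example (not part of the configuration guide) that parses that display into records and lists the attack types that were detected but not dropped, which under this policy is every TCP flag and scan detection because their action is logging only. The sample text is constructed from the output above; its exact column spacing is an assumption.

```python
"""Parse 'display attack-defense statistics local' output and report
attack types that were logged but not dropped (logging-only actions)."""
import re
from dataclasses import dataclass

# Constructed sample, laid out like the statistics display in the guide.
SAMPLE_OUTPUT = """\
Attack policy name: a1
Slot 1:
Scan attack defense statistics:
 AttackType             AttackTimes  Dropped
 Port scan              4            0
Flood attack defense statistics:
 AttackType             AttackTimes  Dropped
 No flood attacks detected.
Signature attack defense statistics:
 AttackType             AttackTimes  Dropped
 TCP invalid flags      116          0
 TCP null flag          709          0
 TCP all flags          251          0
 TCP SYN-FIN flags      46           0
 TCP FIN only flag      130          0
"""

# Section headers look like "<Kind> attack defense statistics:".
SECTION_RE = re.compile(r"^(?P<section>\w+) attack defense statistics:\s*$")
# Data rows end in two integer columns; the attack type may contain spaces.
ROW_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<times>\d+)\s+(?P<dropped>\d+)\s*$")


@dataclass
class AttackStat:
    section: str       # Scan, Flood or Signature
    attack_type: str
    attack_times: int
    dropped: int


def parse_statistics(text: str) -> list[AttackStat]:
    """Turn the CLI display into one AttackStat per data row."""
    stats, section = [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group("section")
        elif section and (m := ROW_RE.match(line)):
            stats.append(AttackStat(section, m.group("name"),
                                    int(m.group("times")), int(m.group("dropped"))))
    return stats


def logged_not_dropped(stats: list[AttackStat]) -> list[AttackStat]:
    """Detections whose packets were all let through: review candidates
    for switching the action from logging to logging plus drop."""
    return [s for s in stats if s.attack_times > 0 and s.dropped == 0]
```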