
Overview of Attack Defense

The FW can defend against Distributed Denial of Service (DDoS) attacks and single-packet attacks.

DDoS Attack

Distributed Denial of Service (DDoS) attacks use zombie hosts to send a large number of malicious attack packets to a target. These attack packets congest network links and exhaust system resources, causing the target to fail to provide services for legitimate users.

Figure 1 shows an example of a DDoS attack. Zombie hosts are online hosts controlled by the attacker. The network consisting of the attackers and zombie hosts is called a botnet.

Figure 1 Diagram of DDoS attacks

Currently, the Internet has many zombie hosts and botnets. Driven by profits, DDoS attacks have become a major security threat to the Internet.

DDoS attacks are categorized based on the packets used in the attacks. The FW has the capability to defend against the following DDoS attacks: SYN flood, UDP flood, ICMP flood, HTTP flood, HTTPS flood, DNS flood, and SIP flood attacks.

The FW supports both IPv4 and IPv6 anti-DDoS. The descriptions of mechanisms and configuration that follow do not distinguish between the two.

Single-Packet Attack

Single-packet attacks are classified as scanning and sniffing attacks, malformed packet attacks, or special packet attacks.

  • Scanning attacks include IP sweep and port scanning attacks. In an IP sweep, the attacker sends a large number of TCP, UDP, and ICMP packets to different destination IP addresses to locate existing hosts and networks and determine potential targets. In a port scan, the attacker sends TCP and UDP packets to different ports of the target to detect the operating system of the target and the services it may provide. By scanning and sniffing, the attacker can distinguish the types of services the target provides and potential vulnerabilities for further intrusions.
  • In a malformed-packet attack, the attacker sends malformed IP packets to a target. The target may encounter errors or crash when handling such packets. Ping of Death and Teardrop are two major malformed-packet attacks.
  • Special packet attacks use legitimate packets to probe the network environment. Special packets are legitimate but rarely used on networks. Oversized ICMP, Tracert, and IP timestamp option packets are the major special packet types.
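
The difference between an IP sweep (one source, many destination addresses) and a port scan (one source, many ports on one destination) can be seen in flow records. The following is an added example, not the FW's own implementation: a generic sliding-window detector in which the record layout, the window length, and both thresholds are assumptions, run over constructed sample data.

```python
from collections import defaultdict

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).
# Addresses are from documentation ranges; none of this is captured traffic.
FLOWS = (
    # One source touching 30 different hosts on the same port: IP sweep pattern.
    [(0.1 * i, "198.51.100.7", f"192.0.2.{i + 1}", 445, "tcp") for i in range(30)]
    # One source touching 40 different ports on one host: port scan pattern.
    + [(0.1 * i, "198.51.100.9", "192.0.2.50", 1 + i, "tcp") for i in range(40)]
    # An ordinary client repeatedly using one service.
    + [(1.0 * i, "203.0.113.5", "192.0.2.10", 443, "tcp") for i in range(20)]
)


def detect_scans(flows, window=5.0, ip_threshold=20, port_threshold=25):
    """Return {src_ip: set of labels} for sources that cross a threshold
    within any `window` seconds. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for rec in sorted(flows):                 # order by timestamp
        by_src[rec[1]].append(rec)

    findings = defaultdict(set)
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # Slide the left edge so the window spans at most `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]

            # IP sweep: many distinct destination addresses from one source.
            if len({r[2] for r in win}) >= ip_threshold:
                findings[src].add("ip-sweep")

            # Port scan: many distinct (proto, port) pairs on a single destination.
            ports_per_dst = defaultdict(set)
            for r in win:
                ports_per_dst[r[2]].add((r[4], r[3]))
            if any(len(p) >= port_threshold for p in ports_per_dst.values()):
                findings[src].add("port-scan")
    return dict(findings)


if __name__ == "__main__":
    for src, labels in detect_scans(FLOWS).items():
        print(src, sorted(labels))
```

A source that spreads the same probes over a longer period stays under a per-window threshold, so the window and threshold values trade detection of slow scans against false positives from busy legitimate hosts.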

For IPv4, the FW can defend against all types of single-packet attacks. For IPv6, the FW can defend against only IP address spoofing attacks and IPv6 extension header attacks.

Copyright © Huawei Technologies Co., Ltd.