
Configuring the Defense Against Single-Packet Attacks

This section describes how to enable the defense against single-packet attacks.

Context

Single-packet attacks are classified as scanning and sniffing attacks, malformed packet attacks, or special packet attacks.

  • Scanning attacks, including IP sweep and port scanning

  • Malformed packet attacks, including IP spoofing, IP fragment detection, Teardrop, Smurf, Ping of Death, Fraggle, WinNuke, Land, and TCP flag validity check.

  • Special control packet attacks, including oversized ICMP packet control, ICMP unreachable packet control, ICMP redirect packet control, Tracert, IP source route packet control, IP route record packet control, and IP timestamp packet control.

By default, the defense against various single-packet attacks is disabled. You can enable the defense based on the actual situation over the network.

Procedure

  1. Choose Policy > Security Protection > Attack Defense.
  2. Click Single Attack.
  3. Click Alert or Discard to configure the defense action.

    Alert: The FW generates alarms on detected attacks but does not discard attack packets. The FW does not add attack source addresses to the blacklist.

    Discard: The FW generates alarms on detected attacks and discards attack packets. The default action is Discard. The FW adds attack source addresses to the blacklist, and traffic that matches the blacklist is discarded by the FW.

  4. Select the attack types to enable corresponding defense functions.

    • When you enable IP Sweep and Port Scanning attack defense, you also need to set Maximum Scanning Rate and Blacklist Aging Time.
    • When you enable Large ICMP Packet Control attack defense, you also need to set Maximum Length.

    Maximum Scanning Rate (IP Sweep): If the IP scanning rate of a certain host exceeds the threshold, the FW blacklists the host IP address. The default value 4000 is recommended.

    Blacklist Aging Time (IP Sweep): A blacklist entry is automatically deleted from the blacklist when the aging period expires. The default value 20 is recommended.

    Maximum Scanning Rate (Port Scanning): If the port scanning rate of a certain host exceeds the threshold, the FW blacklists the host IP address. The default value 4000 is recommended.

    Blacklist Aging Time (Port Scanning): A blacklist entry is automatically deleted from the blacklist when the aging period expires. The default value 20 is recommended.

    Maximum Length (Large ICMP Packet Control): If the length of a received ICMP packet exceeds the maximum packet length, the FW discards the packet. The default value 4000 is recommended.

    Enable the blacklist function while you select IP Sweep and Port Scanning to ensure that the packets that match the blacklist are discarded. For details on the blacklist function, see Blacklist.

  5. Click Apply.
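The effect of the Alert and Discard actions, the scanning-rate thresholds, the blacklist aging time and the Large ICMP Packet Control length described in the steps above, modelled in an added Python example (a constructed illustration, not Huawei's code). The one-second counting window, the use of distinct destinations as the scan metric, the packet record format and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

ALERT, DISCARD = "alert", "discard"

class SinglePacketDefense:
    """Constructed model of the defense above, not the firewall's own code. Scanning rate =
    distinct destination IPs (IP sweep) or ports (port scanning) from one source per second."""
    def __init__(self, action=DISCARD, max_scan_rate=4000, aging_time=20.0, max_icmp_len=4000):
        self.action, self.max_scan_rate = action, max_scan_rate
        self.aging_time, self.max_icmp_len = aging_time, max_icmp_len
        self.blacklist = {}             # src -> time at which the entry ages out
        self.seen = defaultdict(deque)  # (src, kind) -> (time, target) samples
        self.events = []                # (time, src, attack type) alarms

    def _scan_rate(self, src, kind, target, now):
        q = self.seen[(src, kind)]
        q.append((now, target))
        while now - q[0][0] > 1.0:      # discard samples older than one second
            q.popleft()
        return len({t for _, t in q})   # distinct targets in the window

    def handle(self, pkt):
        """pkt: dict(time, src, dst, dport, proto, length) -> 'forward'/'drop'."""
        now, src = pkt["time"], pkt["src"]
        if self.blacklist.get(src, 0) > now:
            return "drop"               # unexpired blacklist entry: discard
        sweep = self._scan_rate(src, "sweep", pkt["dst"], now)
        ports = self._scan_rate(src, "port", (pkt["dst"], pkt.get("dport")), now)
        if pkt["proto"] == "icmp" and pkt["length"] > self.max_icmp_len:
            attack = "large icmp packet"
        elif sweep > self.max_scan_rate:
            attack = "ip sweep"
        elif ports > self.max_scan_rate:
            attack = "port scanning"
        else:
            return "forward"
        self.events.append((now, src, attack))   # alarm raised in both modes
        if self.action == ALERT:
            return "forward"            # Alert: log only, never blacklist
        if attack != "large icmp packet":        # Discard: scanners get blacklisted
            self.blacklist[src] = now + self.aging_time
        return "drop"

def simulate(action=DISCARD, max_scan_rate=5, aging_time=20.0):
    """Constructed traffic: port scan from 10.0.0.9, oversized ICMP from 10.0.0.7, then 10.0.0.9 after aging."""
    fw = SinglePacketDefense(action, max_scan_rate, aging_time, max_icmp_len=4000)
    pkts = [dict(time=0.1 * i, src="10.0.0.9", dst="192.0.2.10", dport=p,
                 proto="tcp", length=60) for i, p in enumerate(range(1, 9))]
    pkts += [dict(time=1.0, src="10.0.0.9", dst="192.0.2.20", dport=80, proto="tcp", length=60),
             dict(time=2.0, src="10.0.0.7", dst="192.0.2.10", proto="icmp", length=5000),
             dict(time=25.0, src="10.0.0.9", dst="192.0.2.20", dport=80, proto="tcp", length=60)]
    return [fw.handle(p) for p in pkts], fw
```

With Discard, the scanner is dropped and blacklisted from the sixth port onward and forwarded again once the entry has aged out, while the oversized ICMP packet is dropped without blacklisting its source; with Alert every packet is forwarded and only alarms are recorded.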

Follow-up Procedure

  • After the configuration is complete, the FW logs detected attacks and outputs threat reports. Choose Monitor > Log > Threat Log to view threat logs.

    If Action is set to Alert, the FW outputs threat logs when an attack starts and ends. If Action is set to Discard, the FW outputs logs at the interval specified in the firewall defend log-time command.

  • For IP Sweep and Port Scanning attacks, the FW blacklists the IP address of the attack host. Choose Policy > Security > Blacklist to view the blacklisted IP addresses, the time at which IP sweep or port scanning traffic from each address was detected, and the number of times traffic from each address has matched the blacklist.

  • For IP Sweep and Port Scanning attacks, the FW blacklists the IP address of the attack host. Choose Monitor > IP Isolation to view the blacklisted IP addresses, the time at which IP sweep or port scanning traffic from each address was detected, and the number of times traffic from each address has matched the blacklist.
Copyright © Huawei Technologies Co., Ltd.