
Configuring IP Address Sweep Attack Defense

An attacker uses tools that send ICMP or TCP/UDP packets to initiate connections to a range of IP addresses. By checking which addresses return response packets, the attacker determines which target systems are alive and reachable on the target network.

Context

After IP address sweep attack defense is configured, the FW checks received TCP, UDP, and ICMP packets. If the number of packets from one IP address to different IP addresses within 1 second exceeds the preset threshold, the FW considers that the source IP address is initiating an IP address sweep attack. Then, the FW takes either of the following actions for the source IP address:

  • If the blacklist function is enabled on the FW, and the firewall defend action discard command is used, the FW adds the source IP address to the blacklist and discards the packets from this IP address.
  • If the blacklist function is disabled on the FW, but the firewall defend action discard command is executed, the system still generates alarms and discards the packets.

If a source IP address is whitelisted, IP sweep attack defense will not be implemented for the source IP address.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Enable the blacklist function.

    firewall blacklist enable

  3. Enable IP address sweep attack defense.

    firewall defend ip-sweep enable

  4. Set the threshold for the IP address sweep rate.

    firewall defend ip-sweep max-rate max-rate-number

    If the IP address sweep rate of a host exceeds the threshold, the device assumes that an IP address sweep attack is occurring and blacklists the host's IP address.

    By default, the threshold for the IP address sweep rate is 4000 pps.

    The IP address sweep rate is calculated from the first packet of each IP flow.

  5. Set the aging time for blacklisting the IP addresses of IP address sweeping attackers.

    firewall defend ip-sweep blacklist-timeout interval

    A blacklisted IP address is removed from the blacklist when the aging time expires. After that, packets from the IP address are accepted again.

    By default, the aging time of the blacklist is 20 minutes, during which the packets sent by the attacker are discarded. You can adjust the aging time as required.

  6. Set the action to discard for single-packet attacks.

    firewall defend action discard
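The detection behaviour described under Context and configured in steps 1 to 6 can be tried out offline with the following Python simulation. This is an added example, not code from the Huawei documentation or the FW itself: it models one source's count of distinct destination addresses in a trailing 1-second window against the max-rate threshold, adds the source to a blacklist that ages out after blacklist-timeout, exempts whitelisted sources, and applies the discard action. The class and parameter names are the simulation's own; the reading of "first packet of each flow" as "each destination counts once per window" is an assumption; the traffic is constructed, and the threshold is lowered from the 4000 pps default so that the small sample triggers detection.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not a real capture): (time_s, proto, src_ip, dst_ip).
# 10.0.0.9 probes six different hosts inside one second; 10.0.0.5 is ordinary traffic.
SAMPLE_PACKETS = [
    (0.00, "tcp",  "10.0.0.5", "192.0.2.10"),
    (0.10, "icmp", "10.0.0.9", "192.0.2.1"),
    (0.20, "icmp", "10.0.0.9", "192.0.2.2"),
    (0.30, "icmp", "10.0.0.9", "192.0.2.3"),
    (0.40, "tcp",  "10.0.0.9", "192.0.2.4"),
    (0.50, "udp",  "10.0.0.9", "192.0.2.5"),
    (0.60, "tcp",  "10.0.0.9", "192.0.2.6"),    # sixth distinct target within 1 s
    (0.70, "tcp",  "10.0.0.5", "192.0.2.10"),
    (5.00, "tcp",  "10.0.0.9", "192.0.2.10"),   # still inside the blacklist aging time
    (1300.0, "tcp", "10.0.0.9", "192.0.2.10"),  # after the 20-minute aging time
]


class IpSweepDefender:
    """Simulation of the page's IP sweep defense (names are this example's own):
    per-source count of distinct destinations in a trailing 1-second window,
    blacklist with aging, whitelist exemption, discard action."""

    WINDOW_S = 1.0  # the page counts destinations "within 1 second"

    def __init__(self, max_rate=4000, blacklist_timeout_s=20 * 60,
                 blacklist_enabled=True, action_discard=True, whitelist=()):
        self.max_rate = max_rate                  # firewall defend ip-sweep max-rate
        self.blacklist_timeout_s = blacklist_timeout_s  # blacklist-timeout (minutes on the CLI)
        self.blacklist_enabled = blacklist_enabled      # firewall blacklist enable
        self.action_discard = action_discard            # firewall defend action discard
        self.whitelist = set(whitelist)
        self.blacklist = {}                       # src_ip -> expiry time (seconds)
        self.recent = defaultdict(deque)          # src_ip -> deque of (ts, dst_ip)
        self.alarms = []                          # (ts, src_ip) for each detection

    def _expire_blacklist(self, now):
        # Aging: entries whose timeout has passed are deleted and the source is usable again.
        for ip in [ip for ip, exp in self.blacklist.items() if exp <= now]:
            del self.blacklist[ip]

    def _sweep_rate(self, src, now, dst):
        q = self.recent[src]
        q.append((now, dst))
        while q and q[0][0] < now - self.WINDOW_S:
            q.popleft()
        # Assumption for the page's "first packet" rule: a destination is counted
        # once per window, however many packets are sent to it.
        return len({d for _, d in q})

    def process(self, ts, proto, src, dst):
        """Return the verdict for one packet: 'forward' or 'discard'."""
        if proto not in ("tcp", "udp", "icmp"):   # only these protocols are checked
            return "forward"
        self._expire_blacklist(ts)
        if src in self.whitelist:                 # whitelisted sources are never checked
            return "forward"
        if src in self.blacklist:                 # packets from a blacklisted source are discarded
            return "discard"
        if self._sweep_rate(src, ts, dst) <= self.max_rate:
            return "forward"
        self.alarms.append((ts, src))             # threshold exceeded: alarm in every case
        if not self.action_discard:               # assumption: without the discard action, alarm only
            return "forward"
        if self.blacklist_enabled:                # discard + blacklist, or discard alone
            self.blacklist[src] = ts + self.blacklist_timeout_s
        return "discard"


def run(packets, **kwargs):
    """Feed a packet list through a fresh defender; return (verdicts, defender)."""
    fw = IpSweepDefender(**kwargs)
    return [fw.process(*p) for p in packets], fw


if __name__ == "__main__":
    verdicts, fw = run(SAMPLE_PACKETS, max_rate=5)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt[0]:>8.2f}s {pkt[1]:<4} {pkt[2]} -> {pkt[3]}: {verdict}")
    print("alarms:", fw.alarms)
```

Running the script with max_rate=5 shows the sixth distinct destination from 10.0.0.9 being discarded and the source staying blocked at t=5 s, then being accepted again at t=1300 s once the 20-minute aging time has passed; with the default threshold of 4000 the same sample is forwarded untouched, which is the reason the threshold must be tuned to what a legitimate host on the network actually does.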

Copyright © Huawei Technologies Co., Ltd.