HC120119013 Attack Defence and Configurations


Attack Defense and Configurations

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
Foreword

The attack defense function of the USG can detect various types of network attacks and take measures to protect internal networks from them. As a result, the Eudemon can keep the internal networks and systems operating normally.

This section describes the principles of IP network attacks and the corresponding preventive configurations on the USG firewall.

Objectives

Upon completion of this section, you will be able to:


- Understand IP network attack principles
- Master USG firewall attack prevention configuration

Contents

DDoS
Deformity packet attack
IP sweep attack

Attack Types

- Defective Packet
  - Tear Drop
  - Ping of Death
- DoS Attack
  - SYN Flood Attack
  - UDP Flood
  - ICMP Flood
- Snooping
  - IP Sweep
  - Port Scan

Smurf Attack

Diagram: Attacker sends a ping to the broadcast address; the Victim receives the resulting traffic.

Fraggle Attack

Diagram: Attacker sends UDP requests (port 7 or 19); the Victim receives the resulting traffic.

IP Spoofing Attack

Diagram: Attacker sends B a packet whose source IP is the IP address of A.

- B trusts the IP address of A
- Attacker spoofs the IP address of A
Land Attack

Diagram: Attacker sends B a SYN packet whose source IP and destination IP are both B; B ends up opening TCP connections to itself.

Winnuke Attack

Diagram: Attacker sends the Server a fragmented IGMP packet, or a packet to port 139 with the URG flag set.

SYN Flood Attack

Diagram: Attacker sends SYN to the Server; the Server replies SYN/ACK to a source that never answers (???) and keeps waiting: why no ACK?

TCP SYN Flood Attack (Cont.)
- Configuration
  - statistic enable ip { inzone | outzone }
  - firewall defend syn-flood interface { interface-type interface-number | all } [ alert-rate alert-rate-number1 ] [ max-rate max-rate-number1 ] [ tcp-proxy { auto | off | on } ]
  - firewall defend syn-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert-rate alert-rate-number2 ] [ max-rate max-rate-number2 ] [ tcp-proxy { auto | on | off } ]
  - firewall defend syn-flood enable

TCP Proxy Technology

Without TCP Proxy:
  1. Client sends TCP SYN
  2. Server responds (SYN ACK)
  3. Client sends ACK

With TCP Proxy enabled:
  1. Client sends TCP SYN
  2. Firewall responds (SYN ACK)
  3. Real client sends ACK; a fake client never sends ACK
  4. Firewall sends TCP SYN to the server on behalf of the client
  5. Server responds (SYN ACK)
  6. Firewall sends ACK on behalf of the client

If the TCP attack comes from a fake source, that source will not respond, and the request packet will be discarded.

Diagram: Client 192.168.0.1 -- Eudemon firewall -- FTP server 19.49.10.10
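The two handshake sequences above, simulated as an added Python example (not Huawei code): a bare server and a server behind a SYN-answering proxy receive the same mix of one real client (the slide's 192.168.0.1) and spoofed sources that never ACK; the client names, half-open tables and traffic mix are constructed.

```python
# Added example (not Huawei code): simulates the two handshake sequences on this slide to show why
# a spoofed SYN never reaches the server when TCP proxy is on. Names and traffic mix are constructed.

class Server:
    def __init__(self):
        self.half_open = set()      # connections waiting for the third handshake packet
        self.established = set()
    def syn(self, client):
        self.half_open.add(client)
        return "SYN/ACK"
    def ack(self, client):
        self.half_open.discard(client)
        self.established.add(client)

class ProxyFirewall:
    """Answers SYNs itself and contacts the server only after the client's ACK has arrived."""
    def __init__(self, server):
        self.server = server
        self.half_open = set()      # pending clients on the firewall; spoofed sources stay here
    def syn(self, client):
        self.half_open.add(client)
        return "SYN/ACK"            # sent by the firewall; the server has not been touched
    def ack(self, client):
        if client not in self.half_open:
            return False            # no matching SYN: discard the packet
        self.half_open.discard(client)
        self.server.syn(client)     # firewall completes the real handshake on the client's behalf
        self.server.ack(client)
        return True

def handshake(target, clients):
    """Every client sends a SYN; only clients marked responds=True send the final ACK."""
    for name, responds in clients:
        target.syn(name)
        if responds:
            target.ack(name)

def compare(clients):
    """Run the same traffic against a bare server and against a server behind the proxy."""
    plain, proxied = Server(), Server()
    fw = ProxyFirewall(proxied)
    handshake(plain, clients)
    handshake(fw, clients)
    return {"server_half_open_without_proxy": len(plain.half_open),
            "server_half_open_with_proxy": len(proxied.half_open),
            "firewall_pending": len(fw.half_open),
            "established": len(proxied.established)}

# Constructed traffic: the slide's real client 192.168.0.1 plus 50 spoofed sources that never ACK.
CLIENTS = [("192.168.0.1", True)] + [(f"spoofed-{i}", False) for i in range(50)]
```

With the proxy in place the spoofed SYNs consume only the firewall's pending table, which it can age out on its own timer, while the server sees exactly one completed handshake.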

TCP Source Detect
- Used for SYN flood attack defense when the firewall is in bypass deployment

Diagram: a Normal User accesses Google and sends a SYN; the Eudemon sends a packet to validate the source and, once confirmed, passes the traffic to the Internet. The Attacker uses a spoofed address to attack, so the spoofed source cannot answer the validation packet.

UDP/ICMP Flood Attack

Diagram: Attackers flood the Server with UDP or ICMP packets.

UDP/ICMP Flood Attack (Cont.)
- Configuration
  - statistic enable ip { inzone | outzone }
  - firewall defend udp-flood interface { interface-type interface-number | all } [ max-rate max-rate-number1 ]
  - firewall defend udp-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert-rate alert-rate-number ] [ max-rate max-rate-number2 ]
  - firewall defend icmp-flood interface { interface-type interface-number | all } [ max-rate max-rate-number1 ]
  - firewall defend icmp-flood zone [ vpn-instance vpn-instance-name ] zone-name [ max-rate max-rate-number2 ]
  - firewall defend udp-flood enable
  - firewall defend icmp-flood enable

Other Flood Attacks

- DNS Flood
- Get Flood
- Tcp-illegal-session

Contents

DDoS
Deformity packet attack
IP sweep attack

TCP Flag Attack

Diagram: Attacker sends the Server packets with the SYN/ACK/FIN/RST flags set.

IP Fragment Attack

Diagram: Attacker sends fragments n ... 3 2 1 to the Server; the total packet length after reassembly exceeds 65535.

Tear Drop Attack

Diagram: Attacker sends fragments n ... 3 2 1 to the Server.

Fragment layout (sizes in bytes):

TEAR
  Fragment 1: IP header 20, PING header 8, DATA 1472; Flag MF, Offset 0
  Fragment 2: IP header 20, DATA remainder; Flag Last Fragment, Offset 500

NORMAL
  Fragment 1: IP header 20, PING header 8, DATA 1472; Flag MF, Offset 0
  Fragment 2: IP header 20, DATA remainder; Flag Last Fragment, Offset 1480

Ping of Death Attack

Diagram: Attacker sends ICMP Ping fragments n ... 3 2 1 to the Server; the total packet length after reassembly exceeds 65535.
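An added reassembly check (not Huawei code) covering the Tear Drop, IP Fragment and Ping of Death slides: it flags a fragment whose offset falls inside data an earlier fragment already covered (the TEAR layout, offset 500 against a first fragment of 1480 bytes) and a fragment set whose reassembled datagram would exceed 65535. Offsets are in bytes as on the slide rather than the 8-byte units of the IP header, and the "remainder" fragment sizes are constructed.

```python
# Added example (not Huawei code) for the Tear Drop, IP Fragment and Ping of Death slides:
# flags fragments that overlap data already received and fragment sets whose reassembled
# datagram would exceed 65535 bytes. Offsets are in bytes, as on the slide, not 8-byte units.
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest total length the IPv4 header can express
IP_HEADER = 20            # one IP header remains on the reassembled datagram

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the reassembled datagram
    length: int   # payload bytes in this fragment (IP header excluded)
    more: bool    # MF flag: True on every fragment except the last

def check_fragments(frags):
    """Return a list of findings; an empty list means the set reassembles cleanly."""
    findings = []
    covered_to = 0   # highest payload byte claimed by the fragments seen so far
    for f in sorted(frags, key=lambda fr: fr.offset):
        if f.offset < covered_to:
            findings.append(f"overlap: offset {f.offset} lies inside data already covered "
                            f"up to {covered_to} (Tear Drop)")
        end = f.offset + f.length
        if end + IP_HEADER > MAX_IP_DATAGRAM:
            findings.append(f"oversize: reassembled length {end + IP_HEADER} exceeds "
                            f"{MAX_IP_DATAGRAM} (Ping of Death)")
        covered_to = max(covered_to, end)
    if frags and max(frags, key=lambda fr: fr.offset).more:
        findings.append("incomplete: last fragment still has MF set")
    return findings

# Constructed samples following the slide: fragment 1 carries PING header 8 + DATA 1472 = 1480 bytes.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 20, False)]           # offsets contiguous
TEAR_DROP = [Fragment(0, 1480, True), Fragment(500, 20, False)]         # second fragment overlaps
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(65520, 100, False)]  # reassembles past 65535
```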

Contents

DDoS
Deformity packet attack
IP sweep attack

IP Sweep Attack

Diagram: Attacker sends packets 1 2 3 ... n, each to a different Dest IP (A, B, C, ... n).

IP Sweep Attack (Cont.)
- Configuration:
  - statistic enable ip outzone
  - firewall defend ip-sweep { max-rate rate-number | blacklist-timeout interval }
  - firewall blacklist enable
- Prevention:
  - The firewall builds statistics based on the source address of packets. If the external connection rate of an IP address exceeds the preset upper threshold, the firewall adds the IP address to the blacklist for isolation.

Port Scan Attack

Diagram: Attacker sends packets 1 2 3 ... n to the Server; Dest IP A, B, C, ... n.

Port Scan Attack (Cont.)
- Configuration
  - statistic enable ip outzone
  - firewall defend port-scan [ max-rate rate-number ] [ blacklist-timeout interval ]
  - firewall blacklist enable
- Prevention
  - The firewall builds statistics based on the source address of packets. If an IP address sends connection requests to another IP address at a rate higher than the preset upper threshold, it is added to the blacklist for isolation.
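The per-source statistics and blacklist described in the Prevention text of the IP Sweep and Port Scan slides, as an added Python example (not Huawei's implementation): max_rate and blacklist_timeout mirror the parameters of the two CLI commands above, while the one-second counting window, counting distinct destinations, and the traffic sample are constructed assumptions.

```python
# Added example (not Huawei code): the per-source rate statistics and blacklist described in the
# IP Sweep and Port Scan "Prevention" text. max_rate and blacklist_timeout mirror the CLI
# parameters; the one-second window and counting of distinct targets are assumptions.
from collections import defaultdict

class SweepScanDetector:
    def __init__(self, max_rate, blacklist_timeout):
        self.max_rate = max_rate                    # distinct targets tolerated per source per second
        self.blacklist_timeout = blacklist_timeout  # seconds a blacklisted source stays isolated
        self.dst_ips = defaultdict(set)             # (src, second) -> destination IPs seen
        self.dst_ports = defaultdict(set)           # (src, dst, second) -> destination ports seen
        self.blacklist = {}                         # src -> time the entry expires
    def is_blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is not None and now < expiry:
            return True
        self.blacklist.pop(src, None)               # blacklist-timeout elapsed: release the source
        return False
    def observe(self, ts, src, dst, dport):
        """Account one connection attempt; return 'pass', 'blacklisted', 'ip-sweep' or 'port-scan'."""
        if self.is_blacklisted(src, ts):
            return "blacklisted"
        sec = int(ts)
        self.dst_ips[(src, sec)].add(dst)
        self.dst_ports[(src, dst, sec)].add(dport)
        verdict = "pass"
        if len(self.dst_ips[(src, sec)]) > self.max_rate:
            verdict = "ip-sweep"                    # one source, too many destination hosts
        elif len(self.dst_ports[(src, dst, sec)]) > self.max_rate:
            verdict = "port-scan"                   # one source, one host, too many ports
        if verdict != "pass":
            self.blacklist[src] = ts + self.blacklist_timeout
        return verdict

def run(events, max_rate=2, blacklist_timeout=10):
    det = SweepScanDetector(max_rate, blacklist_timeout)
    return [det.observe(*e) for e in events]

# Constructed traffic (the slide's 192.168.0.1 and 19.49.10.10 plus made-up addresses).
EVENTS = [
    (100.0, "192.168.0.1", "19.49.10.10", 21),   # ordinary client
    (200.0, "10.0.0.9", "19.49.10.1", 80),
    (200.1, "10.0.0.9", "19.49.10.2", 80),
    (200.2, "10.0.0.9", "19.49.10.3", 80),       # 3rd host within one second: ip-sweep, blacklisted
    (200.3, "10.0.0.9", "19.49.10.4", 80),       # dropped while blacklisted
    (215.0, "10.0.0.9", "19.49.10.6", 80),       # 10 s timeout elapsed: counted afresh, passes
    (300.0, "10.0.0.7", "19.49.10.10", 21),
    (300.1, "10.0.0.7", "19.49.10.10", 22),
    (300.2, "10.0.0.7", "19.49.10.10", 23),      # 3rd port on one host: port-scan, blacklisted
]
```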

Other Attacks
- ICMP Redirect
- ICMP Unreachable
- Large ICMP
- Route Record
- Tracert

Summary

- How can the MAC addresses of the PC and the gateway be bound to defend against ARP spoofing?

Thank You
www.huawei.com
