The defense policies for TCP services cover block, traffic limiting, and defense.
Block
Discards all TCP packets.
Traffic Limiting
TCP Traffic Limiting: Limits the rate of all TCP packets destined for an IP address to below Threshold.
TCP Fragment Rate Limiting: Limits the rate of all TCP fragments destined for an IP address to below Threshold.
The Threshold is set according to the actual network bandwidth.
Defense
TCP Abnormal Defense
Checks the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. If the flag combination is invalid, the TCP packet is considered abnormal. When the rate of abnormal TCP packets exceeds Threshold, all TCP packets are discarded.
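The following is an added example, not code from the page or from the device vendor, showing how the two halves of this defense fit together: a flag-combination check that classifies each TCP packet as normal or abnormal, and a per-destination, per-second counter that switches to discarding all TCP traffic to that destination once the abnormal-packet rate exceeds Threshold. The specific list of invalid flag combinations is an assumption for illustration; the page does not state which combinations the device treats as invalid.

```python
from collections import defaultdict

# TCP flag bits in header order (FIN is the least significant bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def is_abnormal(flags: int) -> bool:
    """Return True when the flag combination cannot occur in legitimate TCP.

    The rule set below is an assumption made for this example (the page only says
    "invalid flag bits"); it covers the combinations most checkers reject.
    """
    flags &= ALL_FLAGS
    if flags == 0:
        return True                      # no flags at all ("null" segment)
    if flags & (SYN | FIN) == SYN | FIN:
        return True                      # open and close in the same segment
    if flags & (SYN | RST) == SYN | RST:
        return True                      # open and abort in the same segment
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return True                      # these only appear on an established connection, which always ACKs
    return False


class TcpAbnormalDefense:
    """Per-destination abnormal-packet rate check with a one-second bucket.

    Once more than `threshold_pps` abnormal packets have been seen for a destination
    within the current second, every further TCP packet to that destination in the
    same second is discarded, normal or not, as the page describes.
    """

    def __init__(self, threshold_pps: int):
        self.threshold = threshold_pps
        self.abnormal = defaultdict(int)   # (dst, whole second) -> abnormal packets seen

    def process(self, ts: float, dst: str, flags: int) -> str:
        key = (dst, int(ts))
        if is_abnormal(flags):
            self.abnormal[key] += 1
        if self.abnormal[key] > self.threshold:
            return "discard"
        return "pass"


def run_sample() -> list:
    """Replay a constructed packet stream and return the per-packet actions."""
    guard = TcpAbnormalDefense(threshold_pps=3)
    dst = "203.0.113.5"                  # constructed destination address
    stream = [(10.1, SYN), (10.2, SYN | FIN), (10.3, SYN | FIN), (10.4, 0),
              (10.5, SYN | FIN),         # 4th abnormal packet in second 10: rate exceeded
              (10.6, ACK),               # normal packet, still discarded for the rest of that second
              (11.0, ACK)]               # new second, counter starts over
    return [guard.process(ts, dst, f) for ts, f in stream]


if __name__ == "__main__":
    print(run_sample())
```

The bucket is keyed on the destination, so one flooded server does not cause packets to other protected addresses to be dropped; the test below exercises that boundary as well as the rollover into the next second.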
TCP Basic Defense
Uses source authentication to defend against TCP attack traffic. Table 1 describes the parameters.
In scenarios where the incoming and outgoing paths of packets are consistent (symmetric), it is recommended that you also configure link status detection to defend against SYN-ACK flood, ACK flood, TCP fragment, and FIN/RST flood attacks.
| Defense | Parameter | Description | Value |
|---|---|---|---|
| SYN Flood Attack Defense | Authentication Mode | | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| SYN Flood Attack Defense | Threshold | If the rate of SYN packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| ACK Flood Attack Defense | Threshold | If the rate of ACK packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. When an ACK flood attack is detected, the system permits the first packet of a session for session establishment before session check and discards subsequent packets. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| TCP Fragment Attack Defense | Threshold | If the rate of TCP fragments exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| FIN/RST Flood Attack Defense | Threshold | If the rate of FIN/RST packets exceeds Threshold, the device reports anomaly events to the ATIC Management center and starts defense. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| Source IP SYN-Ratio Anomaly Limiting | SYN-Ratio Proportion Threshold, Check Cycle, SYN Packets Limiting Threshold, Limit Cycle | In this mode, rate limiting is applied to the real source IP addresses that pass session check. Permanent Limiting: in all cases, this function limits the rate of SYN packets to below Rate Limiting Threshold. | - |
TCP Connection Flood Attack Defense
For parameters, see Table 2.
| Check Item | Parameter | Description | Value |
|---|---|---|---|
| Concurrent connection check by destination IP address | Threshold | When the number of concurrent TCP connections to a destination IP address exceeds Threshold, the device starts defense against connection flood attacks. After defense is started, the device begins checking source IP addresses. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| New connection rate check by destination IP address | Threshold | When the number of new TCP connections per second to a destination IP address exceeds Threshold, the device starts defense against connection flood attacks. After defense is started, the device begins checking source IP addresses. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| New connection rate check by source IP address | Check Cycle, Threshold | After defense against connection flood attacks is enabled, if the number of TCP connections initiated by a source IP address within Check Cycle exceeds Threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. | - |
| Connection Number Check for Source IP Address | Threshold | After defense against connection flood attacks is enabled, if the number of concurrent TCP connections of a source IP address exceeds Threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. | - |
| Abnormal Session Check | Abnormal connection threshold, Check Cycle | Within Check Cycle, if the number of abnormal TCP session connections of a source IP address exceeds Abnormal connection threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. | - |
| Null connection check | Minimum packets per connection, Check Cycle | Within Check Cycle, if the number of packets on a TCP connection is lower than Minimum packets per connection, the connection is regarded as anomalous. | - |
| Retransmission session check | Retransmission Packet Number Threshold | If the number of retransmitted packets on a connection exceeds Retransmission Packet Number Threshold, the connection is regarded as anomalous. | - |
| Sockstress | TCP Window Size Threshold | If the number of retransmitted packets on a connection exceeds TCP Window Size Threshold, the connection is regarded as anomalous. | - |
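As an added example (not code from the page or from the device vendor), the following shows how three of the checks in Table 2 combine on a flow table: the concurrent connection check by destination IP address decides whether defense starts, the new connection rate check by source IP address then names the offending source, and the null connection check flags connections that carried fewer than Minimum packets per connection within Check Cycle. The `Session` record, the threshold values in `CFG`, and the addresses in `sample_sessions()` are all constructed for this illustration; the page does not give the device's data model or any default values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    """One TCP connection as seen in a flow table (constructed for this example)."""
    src: str
    dst: str
    start: float           # time (s) at which the connection was initiated
    packets: int           # packets observed on this connection within the check cycle
    closed: bool = False


# Constructed thresholds for the illustration; real values come from baseline learning.
CFG = {
    "concurrent_threshold": 20,   # Threshold of the concurrent connection check by destination IP
    "check_cycle": 10,            # Check Cycle (s) of the per-source and null-connection checks
    "src_threshold": 10,          # Threshold of the new connection rate check by source IP
    "min_packets": 3,             # Minimum packets per connection of the null connection check
}


def concurrent_connections(sessions, dst):
    """Concurrent connection check by destination IP address."""
    return sum(1 for s in sessions if s.dst == dst and not s.closed)


def new_connections_per_source(sessions, dst, now, check_cycle):
    """New connection rate check by source IP address: connections to dst started within Check Cycle."""
    counts = defaultdict(int)
    for s in sessions:
        if s.dst == dst and now - check_cycle < s.start <= now:
            counts[s.src] += 1
    return counts


def null_connections(sessions, dst, now, check_cycle, min_packets):
    """Null connection check: connections within Check Cycle that carried too few packets."""
    return [s for s in sessions
            if s.dst == dst and now - check_cycle < s.start <= now and s.packets < min_packets]


def evaluate(sessions, dst, now, cfg):
    """Run the destination check first; only if it trips are source addresses examined."""
    report = {"defense_started": False, "attack_sources": [], "null_connections": 0}
    if concurrent_connections(sessions, dst) > cfg["concurrent_threshold"]:
        report["defense_started"] = True
        per_src = new_connections_per_source(sessions, dst, now, cfg["check_cycle"])
        report["attack_sources"] = sorted(src for src, n in per_src.items() if n > cfg["src_threshold"])
    report["null_connections"] = len(
        null_connections(sessions, dst, now, cfg["check_cycle"], cfg["min_packets"]))
    return report


def sample_sessions():
    """Constructed flow table: one normal client and one source opening many empty connections."""
    legit = [Session("192.0.2.10", "203.0.113.5", 100.0 + i, packets=25) for i in range(3)]
    flood = [Session("198.51.100.7", "203.0.113.5", 101.0 + i * 0.1, packets=1) for i in range(40)]
    return legit + flood


if __name__ == "__main__":
    print(evaluate(sample_sessions(), "203.0.113.5", now=105.0, cfg=CFG))
```

Ordering matters: the per-source checks are gated on the destination-level threshold, as the table states, so a single client that opens a handful of connections on a quiet server is never reported. The null connection check is evaluated on its own because the table does not make it conditional on defense having started.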