Basic attacks are traditional single-packet Denial of Service (DoS) attacks. The basic attack defense mainly defends against scanning and sniffing attacks, malformed packet attacks, and special packet attacks. By default, basic attack defense is disabled. You can determine whether to enable attack defense functions according to actual services on the network.
in the Operation column.
If Large ICMP Packet or Large UDP Packet is selected, the packet length needs to be specified. The AntiDDoS discards the ICMP or UDP packet whose length exceeds the value.
| Parameter | Description |
|---|---|
| Fraggle | After the Fraggle attack defense is enabled, the AntiDDoS detects received UDP packets. If the destination port number of packets is 7 or 19, the AntiDDoS discards the packets and logs the attack. |
| ICMP Redirection Packet | After the ICMP redirection packet attack defense is enabled, the AntiDDoS discards ICMP redirection packets and logs the attack. |
| ICMP Unreachable Packet | After the ICMP unreachable packet attack defense is enabled, the AntiDDoS discards ICMP unreachable packets and logs the attack. |
| WinNuke | After the WinNuke attack defense is enabled, the AntiDDoS discards packets whose destination port is 139, URG flag is set to 1, and URG pointer is not null, and logs the attack. In addition, when ICMP fragments are received, the device considers that a WinNuke attack has occurred, discards the fragments, and logs the attack. |
| Land | After the Land attack (loopback attack) defense is enabled, the AntiDDoS checks whether the source and destination addresses of TCP packets are the same, or the source address of TCP packets is a loopback one. If the source and destination addresses are the same, the AntiDDoS discards the packets and logs the attack. |
| Ping of Death | After the Ping of Death attack defense is enabled, the AntiDDoS checks whether the packet size is larger than 65,535 bytes. If a packet is larger than 65,535 bytes, the AntiDDoS discards the packet and logs the attack. |
| IP Packet with Route Record Option | After the IP packet with route record option attack defense is enabled, the AntiDDoS checks whether the IP route record option is specified in the received packet. If the IP route record option is specified, the device discards the packet and logs the attack. |
| Smurf | After the Smurf attack defense is enabled, the AntiDDoS checks whether the destination IP address of ICMP request packets is the broadcast address of category A, B, or C. If the destination IP address is the broadcast address of category A, B, or C, the device discards the packet and logs the attack. |
| IP Packet with Source Route Option | After the IP packet with source route option attack defense is enabled, the AntiDDoS checks whether the IP source route option is specified in the received packet. If the IP source route option is specified, the device discards the packet and logs the attack. NOTE: In IP routing, the transmission path of an IP packet is determined by the routers on the network according to the destination address of the packet. The source route option, however, lets the packet sender determine the transmission path: the source site specifies a route to the destination, which replaces the routes specified by intermediate routers. The source route option is generally used for fault diagnosis of network paths and temporary transmission of some special services. Malicious attackers may use the IP source route option to probe the network structure because it neglects the intermediate forwarding processes through various devices along the packet transmission path, regardless of the working status of forwarding interfaces. |
| TCP Flag Bit | After the TCP flag bit attack defense is enabled, the AntiDDoS checks the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. In either of the following cases, the device discards the packet and logs the attack. |
| TearDrop | After the TearDrop attack defense is enabled, the AntiDDoS analyzes received fragments and checks whether the packet offset is correct. If the packet offset is incorrect, the device discards the packet and logs the attack. |
| Large ICMP Packet | After the large ICMP packet attack defense is enabled, the AntiDDoS discards the ICMP packet whose length exceeds the threshold and logs the attack. |
| IP Packet with Timestamp Option | After the IP packet with timestamp option attack defense is enabled, the AntiDDoS checks whether the IP timestamp option is specified in the received packet. If the IP timestamp option is specified, the device discards the packet and logs the attack. |
| Tracert | After the Tracert packet attack defense is enabled, the AntiDDoS discards timeout ICMP or UDP packets and destination port unreachable packets, and logs the attack. |
| Large UDP Packet | After the large UDP packet attack defense is enabled, the AntiDDoS discards the UDP packet whose length exceeds the threshold and logs the attack. |
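Several rows of the table reduce to tests on single header fields. The sketch below is an added example, not the AntiDDoS implementation: it applies the Fraggle, WinNuke, Land, ICMP, IP option and large-packet rules to raw IPv4 packets. The names `classify`, `option_types`, `build` and the `max_len` value are assumptions, as is reading "length" as the total IP packet length.

```python
import socket
import struct

# IPv4 option type (RFC 791) -> table row it triggers
OPTION_RULES = {7: "IP Packet with Route Record Option", 68: "IP Packet with Timestamp Option",
                131: "IP Packet with Source Route Option",   # loose source route
                137: "IP Packet with Source Route Option"}   # strict source route
ICMP_RULES = {3: "ICMP Unreachable Packet", 5: "ICMP Redirection Packet"}  # ICMP type -> row

def option_types(opts):
    """Walk the IPv4 options area and return the option types present."""
    found, i = [], 0
    while i < len(opts) and opts[i] != 0:          # 0 = End of Option List
        if opts[i] == 1:                           # 1 = No-Operation, a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed option length: stop
            break
        found.append(opts[i])
        i += opts[i + 1]
    return found

def classify(pkt, max_len=1500):
    """Return the table rows a raw IPv4 packet triggers (max_len: assumed threshold)."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if not 20 <= ihl <= len(pkt):                  # truncated or inconsistent header
        return []
    proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    hits = [OPTION_RULES[t] for t in option_types(pkt[20:ihl]) if t in OPTION_RULES]
    if proto == 17 and len(l4) >= 8 and int.from_bytes(l4[2:4], "big") in (7, 19):
        hits.append("Fraggle")                     # UDP to echo (7) or chargen (19)
    elif proto == 6 and len(l4) >= 20:
        dport, urg_ptr = int.from_bytes(l4[2:4], "big"), int.from_bytes(l4[18:20], "big")
        if dport == 139 and l4[13] & 0x20 and urg_ptr:   # 0x20 = URG flag
            hits.append("WinNuke")
        if src == dst:                             # only the same-address case of the Land row
            hits.append("Land")
    elif proto == 1 and l4[:1] and l4[0] in ICMP_RULES:
        hits.append(ICMP_RULES[l4[0]])
    if proto in (1, 17) and len(pkt) > max_len:
        hits.append("Large ICMP Packet" if proto == 1 else "Large UDP Packet")
    return hits

def build(proto, src, dst, l4, options=b""):
    """Constructed sample packet: IPv4 header (checksum left 0), padded options, payload."""
    options += b"\x00" * (-len(options) % 4)       # pad options to a 32-bit boundary
    return struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0,
                       20 + len(options) + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + options + l4
```

Rows that depend on reassembly state or on a flag list this page does not give (TearDrop, Ping of Death, TCP Flag Bit) are outside this sketch.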
to deliver configurations to the device.
If the deployment succeeds, Deployment of the Zone is displayed as Deploy Succeed.
If the deployment fails, Deployment of the device is displayed as Deploy Failed.
Move the pointer to Deploy Failed to view details on the failure in deploying the basic attack defense on the device.