The defense policies for TCP services cover block, traffic limiting, and defense.
Block
Discards all TCP packets.
Traffic Limiting
TCP Traffic Limiting: Limits the traffic of all TCP packets destined for an IP address to below Threshold.
TCP Fragment Rate Limiting: Limits the traffic of all TCP fragments destined for an IP address to below Threshold.
The Threshold is set according to the actual network bandwidth.
Defense
TCP Malformed
Checks the flag bits (URG, ACK, PSH, RST, SYN, and FIN) of each TCP packet. If any flag bit is invalid, the TCP packet is considered abnormal. When the rate of abnormal TCP packets exceeds the Threshold value, all TCP packets are discarded.
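The flag check and rate trigger described above, as an added example that is not from the original page. The page does not say which flag combinations count as invalid, so the set in flags_invalid (no flags at all, SYN combined with FIN or RST, FIN or PSH without ACK) is an assumption for this illustration, as is treating the rate as a per-second count and discarding for the rest of that second once the threshold is exceeded.

```python
# Added example, not vendor code. Flag masks follow the TCP header layout.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def flags_invalid(flags: int) -> bool:
    """Return True for a flag byte that a well-behaved TCP stack never sends.

    The combinations below are an assumption for this illustration; the page
    only states that an invalid flag bit makes the packet abnormal.
    """
    if flags & 0x3F == 0:                          # no flag set at all
        return True
    if flags & SYN and flags & (FIN | RST):        # SYN together with FIN or RST
        return True
    if flags & (FIN | PSH) and not flags & ACK:    # FIN/PSH only make sense once ACK is set
        return True
    return False


class MalformedDefense:
    """Count abnormal packets per one-second window; once the count exceeds
    the threshold, every further TCP packet in that window is discarded."""

    def __init__(self, threshold_pps: int):
        self.threshold = threshold_pps   # Threshold value from the policy (assumed unit: pps)
        self.window = None               # start second of the current window
        self.abnormal = 0                # abnormal packets seen in the window

    def inspect(self, flags: int, now: float) -> str:
        """Return 'permit' or 'discard' for a TCP packet arriving at time now."""
        second = int(now)
        if second != self.window:        # new window: reset the abnormal-packet count
            self.window, self.abnormal = second, 0
        if flags_invalid(flags):
            self.abnormal += 1
        return "discard" if self.abnormal > self.threshold else "permit"
```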
TCP Basic Defense
Uses the source authentication mode to defend against TCP attack traffic. Table 1 describes the parameters.
It is recommended that you configure link status detection to defend against SYN-ACK flood, ACK flood, TCP fragment, and FIN/RST flood attacks in scenarios where the incoming and outgoing paths of packets are consistent.
| Function | Parameter | Description | Value |
|---|---|---|---|
| SYN Flood Attack Defense | Threshold | If the rate of SYN packets exceeds Threshold, the device reports anomaly events to the ATIC management center and starts defense. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| | SYN First Packet Check | Supports the configuration of the upper and lower limits of the interval for discarding first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered a first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted. | |
| | Authentication Mode | | |
| | Interval | Upper and lower limits of the interval for discarding first packets. | |
| | Source IP SYN-Ratio Anomaly Limiting (SYN-Ratio Proportion Threshold, Threshold for the number of SYN packets, Check Cycle, SYN Packets Limiting Threshold, Limit Cycle) | Within Check Cycle, if the proportion of SYN packets from a source IP address is greater than SYN-Ratio Proportion Threshold and the number of SYN packets from that source IP address is greater than Threshold for the number of SYN packets, an anomaly event is reported to the ATIC management center and defense is enabled. After defense is enabled, a maximum of SYN Packets Limiting Threshold SYN packets are allowed to pass within Limit Cycle. | - |
| | Condition for adding a source IP address to the blacklist (Number of exceptions, Total number of check times) | Within Total number of check times, if the number of anomalies of a source IP address is greater than Number of exceptions, the source IP address is blacklisted. | |
| SYN-ACK Flood Attack Defense | Threshold | If the rate of SYN-ACK packets exceeds Threshold, the device reports anomaly events to the ATIC management center and starts defense. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| | SYN-ACK Source Authentication Defense | Defense mode in which the cleaning device defends against SYN-ACK attack sources. | |
| | SYN-ACK First Packet Check | Supports the configuration of the upper and lower limits of the interval for discarding first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered a first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted. | |
| | Interval | Upper and lower limits of the interval for discarding first packets. | |
| ACK Flood Attack Defense | Threshold | If the rate of ACK packets exceeds Threshold, the device reports anomaly events to the ATIC management center and starts defense. | When ACK flood attacks are detected, the system permits the first packet for session establishment before the session check and discards subsequent packets. Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| | Defense Mode | | |
| TCP Fragment Attack Defense | Threshold | If the rate of TCP fragments exceeds Threshold, the device reports anomaly events to the ATIC management center and starts defense. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| FIN/RST Flood Attack Defense | Threshold | If the rate of FIN/RST packets exceeds Threshold, the device reports anomaly events to the ATIC management center and starts defense. | Perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
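The Source IP SYN-Ratio Anomaly Limiting check and the blacklist condition from Table 1, as an added example that is not part of the original page. Time is modelled in check cycles (call packet() per packet and end_check_cycle() once per Check Cycle), Limit Cycle is expressed as a number of check cycles, and all parameter values, addresses and packet counts are constructed assumptions.

```python
# Added example, not vendor code: SYN-ratio anomaly limiting with blacklisting.
from collections import defaultdict, deque


class SynRatioLimiter:
    def __init__(self, ratio_threshold, syn_threshold, syn_limit, limit_cycles,
                 number_of_exceptions, total_check_times):
        self.ratio_threshold = ratio_threshold    # SYN-Ratio Proportion Threshold
        self.syn_threshold = syn_threshold        # Threshold for the number of SYN packets
        self.syn_limit = syn_limit                # SYN Packets Limiting Threshold
        self.limit_cycles = limit_cycles          # Limit Cycle, counted in check cycles (assumed)
        self.number_of_exceptions = number_of_exceptions
        self.syn = defaultdict(int)               # src -> SYN packets in this check cycle
        self.total = defaultdict(int)             # src -> all packets in this check cycle
        self.limited = {}                         # src -> [limit cycles left, SYNs passed]
        # anomaly verdicts over the last Total number of check times, per source
        self.history = defaultdict(lambda: deque(maxlen=total_check_times))
        self.blacklist = set()

    def packet(self, src, is_syn):
        """Count one packet from src; return True if forwarded, False if dropped."""
        if src in self.blacklist:
            return False
        self.total[src] += 1
        if is_syn:
            self.syn[src] += 1
            state = self.limited.get(src)
            if state is not None:                 # limiting is active for this source
                if state[1] >= self.syn_limit:
                    return False
                state[1] += 1
        return True

    def end_check_cycle(self):
        """Close one Check Cycle; return the sources reported as anomalous."""
        for src in list(self.limited):            # expire finished Limit Cycles
            self.limited[src][0] -= 1
            if self.limited[src][0] == 0:
                del self.limited[src]
        anomalies = []
        for src, total in self.total.items():
            anomalous = (self.syn[src] / total > self.ratio_threshold
                         and self.syn[src] > self.syn_threshold)
            self.history[src].append(anomalous)
            if anomalous:
                anomalies.append(src)             # reported to the ATIC management center
                self.limited[src] = [self.limit_cycles, 0]
                if sum(self.history[src]) > self.number_of_exceptions:
                    self.blacklist.add(src)
        self.syn.clear(); self.total.clear()
        return anomalies
```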
TCP First Packet Check
Supports the configuration of the upper and lower limits of the interval for discarding first packets. If the actual interval is lower than the lower limit or higher than the upper limit, the packet is considered a first packet and is discarded. If the actual interval is between the configured lower and upper limits, the packet is a follow-up packet and is permitted.
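The interval-based first packet check described here (and listed per SYN and SYN-ACK in Table 1), as an added example that is not from the original page. It assumes the interval is measured per source IP address between consecutive SYN arrivals and that the limits are in seconds; the trace, addresses and limit values are constructed.

```python
# Added example, not vendor code: first packet discard with an interval window.
from dataclasses import dataclass, field


@dataclass
class FirstPacketCheck:
    lower: float                                   # lower limit of the discard interval, seconds
    upper: float                                   # upper limit of the discard interval, seconds
    last_seen: dict = field(default_factory=dict)  # source IP -> arrival time of its previous SYN

    def inspect(self, src: str, now: float) -> str:
        """Classify a SYN from src arriving at time now as 'discard' or 'permit'.

        The first SYN ever seen from a source is a first packet and is discarded.
        A real TCP stack retransmits it after its retransmission timeout, so the
        retry arrives inside [lower, upper] and is permitted as a follow-up packet.
        A source that repeats sooner than lower (a flood) or later than upper (a
        stale retry) is again treated as sending a first packet and is discarded.
        """
        prev = self.last_seen.get(src)
        self.last_seen[src] = now
        if prev is None:
            return "discard"
        interval = now - prev
        if interval < self.lower or interval > self.upper:
            return "discard"
        return "permit"


def run_trace(check: FirstPacketCheck, trace):
    """Apply the check to (time, source) SYN arrivals; return the verdict list."""
    return [check.inspect(src, t) for t, src in trace]


# Constructed trace: a client whose SYN is retransmitted after 3 s, and a
# flooding source that repeats SYNs every 10 ms and never retries in-window.
TRACE = [
    (0.00, "192.0.2.10"), (0.01, "198.51.100.7"), (0.02, "198.51.100.7"),
    (0.03, "198.51.100.7"), (3.00, "192.0.2.10"),
]
```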
TCP Connection Flood Attack Defense
For parameters, see Table 2.
| Function | Parameter | Description | Value |
|---|---|---|---|
| Concurrent connection check by destination IP address | Threshold | When the number of concurrent TCP connections to a destination IP address exceeds Threshold, defense against connection flood attacks starts. After defense starts, source IP addresses are checked. | You are advised to perform configurations through baseline learning. For details, see Configuring a Baseline Learning Task. |
| New connection rate check by destination IP address | Threshold | When the number of new TCP connections per second to a destination IP address exceeds Threshold, defense against connection flood attacks starts. After defense starts, source IP addresses are checked. | |
| New connection rate check by source IP address | Check Cycle, Threshold | After defense against connection flood attacks is enabled, if the number of TCP connections initiated by a source IP address within Check Cycle exceeds Threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. | - |
| Connection Number Check for Source IP Address | Threshold | After defense against connection flood attacks is enabled, if the number of concurrent TCP connections of a source IP address exceeds Threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. | - |
| Abnormal Session Check | Abnormal connection threshold, Check Cycle | Within Check Cycle, if the number of abnormal TCP session connections of a source IP address exceeds Abnormal connection threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. | - |
| Null connection check | Minimum packets per connection, Check Cycle | Within Check Cycle, if the number of packets on a TCP connection is lower than Minimum packets per connection, the connection is regarded as abnormal. | - |
| Retransmission session check | Retransmission Packet Number Threshold | If the number of retransmitted packets on a connection exceeds Retransmission Packet Number Threshold, the connection is regarded as abnormal. | - |
| Sockstress | TCP Window Size Threshold | If the number of retransmitted packets on a connection exceeds TCP Window Size Threshold, the connection is regarded as abnormal. | - |
| Session behavior analysis | Threshold for the number of abnormal connections, Check interval | Within Check Cycle, if the number of abnormal TCP session connections initiated by a source IP address is greater than Threshold for the number of abnormal connections, the source IP address is reported to the ATIC management center as an attack source. | - |
| ACK session check | Minimum number of packets for each connection, Large packet length, Large packet proportion threshold | If the number of packets on a single connection exceeds Minimum number of packets for each connection and the ratio of ACK packets longer than Large packet length to the total number of packets on the connection is greater than Large packet proportion threshold, the connection is determined to be abnormal. | - |
| SYN session check | Threshold for the number of SYN packets for each connection | If the number of SYN packets on a TCP connection is greater than Threshold for the number of SYN packets for each connection, the connection is abnormal. | - |
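The per-connection checks of Table 2 (null connection, retransmission session, ACK session and SYN session checks) followed by the session behavior analysis that reports a source once its abnormal connections exceed the threshold within one check cycle, as an added example that is not from the original page. The Conn counters, the SessionPolicy values and the sample connections are constructed assumptions; the Sockstress and per-destination connection checks are not modelled.

```python
# Added example, not vendor code: connection-level checks and source reporting.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """Counters for one TCP connection within a check cycle (constructed)."""
    src: str
    packets: int      # all packets on the connection
    syn: int          # SYN packets on the connection
    retrans: int      # retransmitted packets on the connection
    large_acks: int   # ACK packets longer than Large packet length


@dataclass
class SessionPolicy:
    """Parameter values are assumed; the names follow Table 2."""
    min_packets: int = 3               # Minimum packets per connection
    retrans_threshold: int = 5         # Retransmission Packet Number Threshold
    large_ack_ratio: float = 0.8       # Large packet proportion threshold
    syn_per_conn: int = 1              # Threshold for the number of SYN packets for each connection
    abnormal_conn_threshold: int = 2   # Threshold for the number of abnormal connections


def abnormal_reasons(c: Conn, p: SessionPolicy) -> list:
    """Return the Table 2 checks that mark this connection as abnormal."""
    reasons = []
    if c.packets < p.min_packets:                       # null connection check
        reasons.append("null connection")
    if c.retrans > p.retrans_threshold:                 # retransmission session check
        reasons.append("retransmission")
    if c.packets > p.min_packets and c.large_acks / c.packets > p.large_ack_ratio:
        reasons.append("ack session")                   # ACK session check
    if c.syn > p.syn_per_conn:                          # SYN session check
        reasons.append("syn session")
    return reasons


def attack_sources(conns, p: SessionPolicy) -> set:
    """Session behavior analysis for one check cycle: report every source whose
    number of abnormal connections is greater than the configured threshold."""
    per_source = Counter(c.src for c in conns if abnormal_reasons(c, p))
    return {src for src, n in per_source.items() if n > p.abnormal_conn_threshold}


# Constructed sample: one source opening many empty connections, one normal client.
SAMPLE = [
    Conn("203.0.113.7", packets=1, syn=1, retrans=0, large_acks=0),
    Conn("203.0.113.7", packets=2, syn=1, retrans=0, large_acks=0),
    Conn("203.0.113.7", packets=1, syn=1, retrans=0, large_acks=0),
    Conn("192.0.2.4", packets=1, syn=1, retrans=0, large_acks=0),
    Conn("192.0.2.4", packets=30, syn=1, retrans=1, large_acks=2),
]
```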