Configuring a Zone Defense Policy (AntiDDoS1820-N/Netflow Detection)

The AntiDDoS1820-N inbound defense policy is used to detect various types of attack traffic. When the rate or bandwidth of the attack traffic exceeds the preset threshold, the AntiDDoS1820-N reports an anomaly event to the ATIC.

• Host Total Traffic Overflow attack

  Attackers send heavy traffic to the target IP address. This attack may cause link congestion, slow server response, and even network crash.

• TCP abnormal packet attack

  TCP packets have six flag bits: URG, ACK, PSH, RST, SYN, and FIN. If any flag bit is abnormal, the TCP packets are considered abnormal.

• TCP SYN Flood attack

  Attackers send SYN packets with forged source addresses to hosts. The hosts reply with SYN-ACK packets to the source addresses, but will not receive any ACK packets. As a result, the hosts keep many half-open connections until the connections time out. These half-open connections can exhaust host resources so that the hosts cannot establish normal TCP connections.

• TCP Fragment Flood attack

  TCP fragments seldom occur in normal network traffic. If the number of TCP fragments increases on the network, DDoS attacks may occur. Attackers send large numbers of TCP fragments to the targets, which bring the following adverse impacts:

  • The large numbers of TCP fragments consume bandwidth resources. As a result, the targets respond slowly or even fail to respond.
  • After receiving large numbers of TCP fragments, network devices or servers reassemble the fragments. As a result, the performance of network devices or servers deteriorates, and even they fail to work properly.

• TCP ACK Flood attack

  Attackers use botnets to send a large number of ACK packets, which bring the following adverse impacts:

  • If attackers send ACK floods with oversized payloads, the links may be congested.
  • If attackers send high-rate ACK floods with changing source IP addresses or ports, the forwarding performances of the network devices that require session resources for packet forwarding may be compromised, or even the network may become paralyzed.
  • If attackers send mass attack packets to overload a server, the server cannot respond to legitimate services.

• TCP RST/FIN Flood attack

  An attacker uses a botnet to send a large number of FIN/RST packets with changing source IP addresses and ports. Such attack packets compromise the performance of session-based forwarding devices or even crash the network to cause a denial of service.

• UDP Flood attack

  Attackers use botnets to send large numbers of oversized UDP packets at a high rate to target servers, which bring the following adverse impacts:

  • The UDP flood attacks exhaust network bandwidth resources or even congest links.
  • The large numbers of UDP attack packets with changing source IP addresses or ports compromise the performance of session-based forwarding devices or even crash the network to cause a denial of service.
  • If the UDP service port of the target server receives attack packets, the server consumes computing resources to verify the attack packets, affecting the processing of legitimate services.

• UDP Fragment Flood attack

  Attackers send large numbers of UDP fragments to the targets, which bring the following adverse impacts:

  • The UDP fragment flood attacks exhaust network bandwidth resources or even congest links.
  • The performance of network devices capable of packet reassembly severely deteriorates.
  • The large numbers of UDP fragments with changing source IP addresses or ports compromise the performance of session-based forwarding devices or even crash the network to cause a denial of service.
  • If the UDP service port of the target server receives attack packets, the server consumes computing resources to verify the attack packets, causing the server to respond slowly or fail to respond to legitimate services.

• DNS Query Flood attack

  DNS Query Flood attacks can be launched on DNS cache servers and DNS authoritative servers.

  • Attacks on cache servers

    Attackers send mass DNS query carrying invalid domain names to overload the DNS cache server. As a result, the DNS cache server cannot respond to users' DNS query.

  • Attacks on authoritative servers

    Attackers send mass DNS query carrying invalid subdomain names to overload the DNS authoritative server. As a result, the DNS authoritative server fails to respond to users' DNS query.

• DNS Reply Flood attack

  An attacker sends a large number of forged DNS reply packets to a certain DNS server or host to consume server performance.

  The DNS reflection attack is a typical DNS reply flood attack. By imitating the attack target, the attacker sends a large number of DNS query query to the DNS server and enlarges the reply packets, and forwards them to the attack target to congest the network.

• HTTP Flood attack

  Attackers send mass HTTP packets to the target server using proxies or zombie hosts. Such query involve operation-related URIs or other resource-consuming URIs to exhaust server resources. For example, portal websites are frequently attacked by HTTP Flood attacks. Such attacks consume server CPU resources or URIs of memory resources, such as database operation-related URIs.

• HTTPS Flood attack

  Attackers launch a large number of HTTPS connections to the target server directly or through proxies or botnets. As a result, the server is overloaded and unable to respond to legitimate requests.

• SIP Flood attack

  SIP is an application-layer signaling control protocol. It is used to create, modify, and release one or more sessions, such as Internet multimedia conferences, IP phone calls, or multimedia distribution. For example, SIP service providers can create new media that include voice, video, and chat content.

  Attackers can send mass INVITE messages to the target SIP server to exhaust the SIP server resources and make the server unable to respond to legitimate call requests. Attackers can also exploit the vulnerabilities of SIP implementation on the VoIP devices to forge and send malformed packets, resulting in the DoS of the SIP server.

• ICMP Flood attack

  Attackers send mass ICMP packets to the target in a short period of time, exhausting session resources on network devices. If the attackers send oversized packets over a network link, the network link may be congested.

• Other Flood attack

  Other Flood attacks refer to service attacks except TCP, UDP, ICMP, DNS, SIP, HTTP, and HTTPS attacks.

• Dark IP attack

  Dark IP addresses indicate the IP addresses that do not appear on the Internet, including:

  • IPv4 addresses

    • 10.0.0.0 to 10.255.255.255
    • 172.16.0.0 to 172.31.255.255
    • 192.168.0.0 to 192.168.255.255

• IPv6 address: FEC0::/10