10-Security Configuration Guide
15-Attack detection and prevention configuration
Configuring attack detection and prevention
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, blacklisting, and client verification.
The device supports only TCP fragment attack prevention.
Configuring TCP fragment attack prevention
IMPORTANT:
· This feature is supported only on EC1, EF, and FG cards. EC1 cards refer to cards suffixed with EC1, EF cards refer to cards suffixed with EF, and FG cards refer to cards suffixed with FG.
· The device does not support filtering first fragments in which the TCP header is smaller than 20 bytes.
The TCP fragment attack prevention feature enables the device to drop attack TCP fragments, which traditional packet filters cannot detect because the fields they match on (ports and TCP flags) are either missing from the first fragment or overwritten by a later one. As defined in RFC 1858, attack TCP fragments are the following:
· First fragments in which the TCP header is smaller than 20 bytes (the "tiny fragment" attack: the ports or flags are pushed into a later fragment that the filter never inspects).
· Non-first fragments with a fragment offset of 8 bytes (FO=1), which overlap and can rewrite the TCP header of the first fragment after it has passed the filter.
Of these two types, this device filters only the second (FO=1 fragments); see the note above.
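The two RFC 1858 checks above, expressed as a small fragment classifier. This is an added illustration written for this page, not code from the device or the vendor. It parses a raw IPv4 header, applies the tiny-first-fragment rule (using the 20-byte TCP header threshold this page states) and the FO=1 rule, and separately models the behaviour this page documents for the device, which drops only the FO=1 case. The sample packets are constructed inline; `build_ipv4`, `classify`, `device_drops` and `audit` are names chosen here for the example.

```python
"""RFC 1858 TCP fragment classifier (added example, not device code).

Classifies an IPv4 fragment as one of:
  'tiny-first'  : FO == 0 but fewer than 20 bytes of TCP header are
                  present, so ports/flags sit in a later fragment;
  'fo1-overlap' : FO == 1 (8-byte offset), which overlaps the TCP
                  header and can rewrite the flags after filtering;
  'ok'          : anything else (including non-TCP traffic).
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_MIN_HEADER = 20   # threshold stated on this page (assumption: RFC 793 minimum)


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields a fragment filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_fo,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "proto": proto,
        "mf": bool(flags_fo & 0x2000),   # More Fragments flag
        "fo": flags_fo & 0x1FFF,         # fragment offset, in 8-byte units
        "payload": pkt[ihl:],            # transport bytes carried by this fragment
    }


def classify(pkt: bytes) -> str:
    """Apply the two RFC 1858 attack-fragment rules to one fragment."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return "ok"
    # Tiny first fragment: FO=0 and fewer than TCP_MIN_HEADER transport bytes.
    if h["fo"] == 0 and len(h["payload"]) < TCP_MIN_HEADER:
        return "tiny-first"
    # Overlapping fragment: FO=1 lands at transport byte 8, inside the TCP header.
    if h["fo"] == 1:
        return "fo1-overlap"
    return "ok"


def device_drops(pkt: bytes) -> bool:
    """Model the behaviour this page documents: the device drops FO=1
    fragments but does not filter tiny first fragments."""
    return classify(pkt) == "fo1-overlap"


def build_ipv4(payload: bytes, mf: bool, fo: int, proto: int = IPPROTO_TCP) -> bytes:
    """Build a minimal IPv4 datagram (constructed test input, checksum left zero)."""
    flags_fo = (0x2000 if mf else 0) | (fo & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_fo, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed samples: a full 20-byte TCP SYN header (sport 1025, dport 80).
TCP_SYN = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLES = {
    "normal_first":   build_ipv4(TCP_SYN + b"A" * 8, mf=True, fo=0),
    "tiny_first":     build_ipv4(TCP_SYN[:8], mf=True, fo=0),        # only the ports
    # FO=1 covers transport bytes 8..; bytes 12-13 are the TCP offset/flags,
    # so this fragment rewrites the flags to SYN|ACK (0x12) after filtering.
    "fo1_overlap":    build_ipv4(b"\x00" * 4 + b"\x50\x12" + b"\x00" * 10, mf=True, fo=1),
    "later_fragment": build_ipv4(b"B" * 16, mf=False, fo=3),
    "udp_fo1":        build_ipv4(b"C" * 8, mf=True, fo=1, proto=IPPROTO_UDP),
}


def audit(samples: dict) -> dict:
    """Return {name: (rfc1858 classification, dropped by this device)}."""
    return {name: (classify(p), device_drops(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (cls, dropped) in audit(SAMPLES).items():
        print(f"{name:15s} rfc1858={cls:12s} device_drops={dropped}")
```

Running it shows the gap the IMPORTANT note describes: `tiny_first` is flagged by the RFC 1858 rule but not dropped by the modelled device, so a tiny-fragment attack still needs to be caught elsewhere (for example by a host-side or upstream filter), while `fo1_overlap` is both flagged and dropped.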
Configuration restrictions and guidelines
When you configure TCP fragment attack prevention, follow these restrictions and guidelines:
· For this feature to take effect, you must execute the acl hardware-mode ipv6 enable command first.
Configuration procedure
To configure TCP fragment attack prevention:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable TCP fragment attack prevention. | attack-defense tcp fragment enable | By default, TCP fragment attack prevention is enabled. |

