HCIE Security - Network Attack Overview

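This article describes various types of network attacks, such as flood attacks and IP spoofing, and provides corresponding defensive measures, including firewall configuration, source detection, and traffic suppression. It also covers special packet filtering, defenses against scanning and probing, and general defense techniques such as uRPF and IP/MAC binding.
Summary generated by CSDN using intelligent technology.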

Network Attack Introduction

flow/flood

A flood attack is like a horde of zombie hosts on the Internet attacking a server.

ARP flood/SYN flood/Connection flood/ICMP flood/UDP flood/HTTP flood/SIP flood

threshold

source detection/fingerprint/flow suppressing

firewall defend arp-flood enable
firewall defend syn-flood enable
firewall defend tcp-illeage-session enable
firewall defend icmp-flood 
firewall defend udp-flood 
firewall defend http-flood enable

The USG uses TCP proxy and source authentication to defend internal servers against SYN floods.

abnormal packet

IP-spoofing, IP Fragment, Teardrop, Smurf, Ping of Death, Fraggle, WinNuke, Land, TCP Flag

firewall defend ip-spoofing enable
firewall defend ip-fragment enable
firewall defend teardrop enable
firewall defend smurf enable
firewall defend ping-of-death enable
firewall defend fraggle enable
firewall defend land enable
firewall defend tcp-flag enable
There is no need to turn on the above functions; you just need to understand these attacks.

special packet

firewall defend large-icmp enable
firewall defend icmp-unreachable enable

scanning and prying

IP or port scanning is used to identify potential attack targets or target weaknesses.

firewall defend ip-sweep
firewall defend port-scan

General Technology of Defense

uRPF (unicast reverse path forwarding) checks whether a packet's source address has a route in the FIB.
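
A minimal model of the uRPF check described above, as an added example (not from the original notes and not Huawei's implementation). It goes beyond the one-line description by separating strict mode (the route back to the source must use the ingress interface) from loose mode (any route suffices); the FIB entries, interface names and the `allow_default` switch are constructed for illustration.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, outgoing interface)
FIB = [
    ("10.1.0.0/16", "GE0/0/1"),
    ("10.1.2.0/24", "GE0/0/2"),
    ("192.0.2.0/24", "GE0/0/3"),
    ("0.0.0.0/0", "GE0/0/0"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_check(fib, src, in_if, mode="strict", allow_default=False):
    """Return True if the packet passes uRPF, False if it should be dropped."""
    hit = lookup(fib, src)
    if hit is None:
        return False              # no route back to the source at all
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False              # only the default route covers the source
    if mode == "loose":
        return True               # any specific route to the source is enough
    return out_if == in_if        # strict: reverse path must use the ingress interface

def demo():
    # Constructed packets: (source address, ingress interface)
    packets = [
        ("10.1.2.7", "GE0/0/2"),     # source reachable via its ingress interface
        ("10.1.2.7", "GE0/0/3"),     # internal source seen on the wrong interface
        ("203.0.113.9", "GE0/0/0"),  # source covered only by the default route
    ]
    return [(s, i, urpf_check(FIB, s, i, "strict"), urpf_check(FIB, s, i, "loose"))
            for s, i in packets]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second packet shows why loose mode alone does not stop spoofing of addresses that are routable elsewhere in the network: it passes loose mode but fails strict mode.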

Blacklist entries (user, source IP and destination IP) can be added manually or dynamically. The whitelist takes precedence over the blacklist.

[ngfw]firewall blacklist enable
firewall blacklist item user user-name [timeout minutes]

IP/MAC binding is only suitable for static address assignment.

firewall mac-binding enable
firewall mac-binding ip-address mac-address

Port-mapping

Logging

Application Analysis

DDoS Intro

Appendix
