Configuring attack detection and prevention
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets,
and to take prevention actions to protect a private network. Prevention actions include logging,
packet dropping, blacklisting, and client verification.
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954(JH296A/JH297A/JH299A).
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
Attacks that the device can prevent
The device can detect and prevent single-packet attacks, scanning attacks, and flood attacks.
Single-packet attacks
Single-packet attacks are also known as malformed packet attacks. An attacker typically launches
single-packet attacks by using the following methods:
• An attacker sends defective packets to a device, which causes the device to malfunction or crash.
• An attacker sends normal packets to a device, which interrupts connections or probes network topologies.
• An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).
Table 13 lists the single-packet attack types that the device can detect and prevent.
Table 13 Types of single-packet attacks

| Single-packet attack | Description |
|---|---|
| ICMP redirect | An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly. |
| ICMP destination unreachable | An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations. |
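Both signatures in Table 13 can be matched one packet at a time, with no connection state. The following Python sketch is an added example, not device code or code from this guide: it classifies a raw IPv4 packet by ICMP type (5 for redirect, 3 for destination unreachable, per RFC 792). The function names and sample packets are constructed for illustration, and skipping messages with a bad ICMP checksum is a choice of this example.

```python
import struct

# ICMP type numbers from RFC 792 for the two Table 13 signatures.
SIGNATURES = {5: "ICMP redirect", 3: "ICMP destination unreachable"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify(packet: bytes):
    """Return the signature name matched by one raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # not IPv4 or shorter than a header
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None                       # truncated or inconsistent lengths
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != 1 or frag_offset:
        return None                       # not ICMP, or no ICMP header here
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        return None                       # a receiving host would discard it
    return SIGNATURES.get(icmp[0])


def build_sample(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed packet between documentation addresses (RFC 5737)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1,
                         0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + body  # IP header checksum left 0; classify() ignores it


if __name__ == "__main__":
    for sample in (build_sample(5, 1, bytes([192, 0, 2, 254])),
                   build_sample(3, 1), build_sample(8, 0)):
        print(classify(sample))
```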