Attack Defense And Application Layer Association Supported By Ar1200-S - Huawei AR1200-S Configuration Manual

Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
port) of the Router, the Router directly sends the packets to the CPU. As a result, the Router
CPU and system resources are wasted, which is the aim of a DoS attack.
To prevent such attacks, a per-protocol switch is used on some services and protocols. If the
protocol is enabled, packets of that protocol are sent to the CPU. If the protocol is disabled,
packets of that protocol are discarded. In this way, protocol packets are controlled and
application layer association is implemented.
Some protocols support a whitelist. The application layer association module inspects the
protocol packets being sent and, if they match the whitelist, allows them to be sent with
larger bandwidth and at a higher rate.
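As an added illustration of the two mechanisms just described (the per-protocol switch and the whitelist), the following Python models them as a protocol enable set plus token-bucket policers with two rate classes. It is example code written for this page, not Huawei's implementation; the protocol names, the default and whitelist rates, the `AppLayerAssociation` class and the caller-supplied `now` clock are all constructed.

```python
"""Model of application layer association: a per-protocol switch decides whether
protocol packets reach the CPU at all, and whitelisted senders get a larger token
bucket (higher rate) than everyone else. Added example for this page, not Huawei
code; protocol names, rates and the `now` clock are constructed."""


class TokenBucket:
    """Packets-per-second policer; `now` is supplied by the caller so runs are deterministic."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AppLayerAssociation:
    SENT = "sent to CPU"
    DISABLED = "discarded: protocol disabled"
    RATE_LIMITED = "discarded: rate limit"

    def __init__(self, default_pps=10, whitelist_pps=100):
        self.enabled = set()        # protocols whose switch is on
        self.whitelist = set()      # (protocol, source) pairs granted the higher rate
        self.default_pps, self.whitelist_pps = default_pps, whitelist_pps
        self.buckets = {}           # one bucket per protocol, plus one per whitelisted sender

    def enable(self, proto):
        self.enabled.add(proto)

    def disable(self, proto):
        self.enabled.discard(proto)

    def add_whitelist(self, proto, src):
        self.whitelist.add((proto, src))

    def process(self, proto, src, now):
        """Decide the fate of one protocol packet from `src` arriving at time `now`."""
        if proto not in self.enabled:
            return self.DISABLED
        if (proto, src) in self.whitelist:
            key, pps = ("whitelist", proto, src), self.whitelist_pps
        else:
            key, pps = ("default", proto), self.default_pps
        bucket = self.buckets.setdefault(key, TokenBucket(pps, pps))
        return self.SENT if bucket.take(now) else self.RATE_LIMITED


def count_sent(ala, proto, src, n, now):
    """Offer n packets at the same instant and return how many reached the CPU."""
    return sum(ala.process(proto, src, now) == AppLayerAssociation.SENT for _ in range(n))


if __name__ == "__main__":
    ala = AppLayerAssociation(default_pps=10, whitelist_pps=100)
    print(ala.process("snmp", "10.0.0.5", 0.0))          # protocol still disabled
    ala.enable("snmp")
    ala.add_whitelist("snmp", "10.0.0.9")
    print(count_sent(ala, "snmp", "10.0.0.5", 50, 0.0))   # default class: 10
    print(count_sent(ala, "snmp", "10.0.0.9", 150, 0.0))  # whitelisted: 100
```

The default bucket is keyed by protocol alone, so every non-whitelisted sender shares one CPU budget, while each whitelisted sender gets its own larger bucket; that mirrors the text's distinction between ordinary and whitelisted protocol packets.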
14.1.2 Attack Defense and Application Layer Association Supported by AR1200-S
The AR1200-S supports defense against various attacks such as malformed packet attacks,
fragmented packet attacks, and flooding attacks. In addition, the AR1200-S provides the
application layer association module, which associates packet handling with the application
layer and filters packets at the application layer.
Attack Defense Supported by AR1200-S
The AR1200-S supports TCP/IP attack defense of the following types:
Issue 02 (2012-03-30)
• Defense against abnormal packets
The defense against abnormal packets prevents attacks from consuming excessive CPU
resources. These abnormal packets can cause system crashes and network failures, so the
AR1200-S directly discards them once they are detected. The following actions can be taken
to defend against abnormal packet attacks:
– Flood attacks without IP payload: IP packets that carry no higher layer data are
considered useless and directly discarded.
– IGMP null packet attacks: If the length of an IGMP packet is smaller than 28 bytes, the
packet is considered null and discarded.
– LAND attacks: The router checks whether the source address and the destination
address of a TCP SYN packet are identical and whether the source interface and the
destination interface are identical. If they are, the packet is considered abnormal and
directly discarded.
– Smurf attacks: ICMP echo request packets whose destination address is the broadcast
address or a subnet broadcast address are considered abnormal and discarded.
– TCP flag bit invalid attacks: Each flag bit of a TCP packet is checked. If the URG, ACK,
PSH, RST, SYN, and FIN flag bits are all 1s or all 0s, or if both SYN and FIN are 1s, the
packet is directly discarded.
• Defense against packet fragment attacks
– The offsets of packet fragments may overlap. The system consumes excessive resources
reassembling such fragments, and the network connection fails. This is the principle of
Teardrop attacks. When defending against Teardrop attacks, the AR1200-S discards
packets whose fragment offsets overlap during reassembly, which guarantees correct
reassembly of packet fragments.
– The offset length of packet fragments is larger than 65515. The system consumes
excessive resources reassembling such packets, and network services are disrupted. This
is the principle of huge offset attacks. When processing huge offset attacks, the AR1200-S
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
14 Configuration of Attack Defense and Application Layer Association
282
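The detection rules listed above (payload-less IP packets, short IGMP packets, LAND, Smurf, invalid TCP flag combinations, overlapping fragments and huge fragment offsets) can be expressed as one small stateful packet classifier. The following Python is an added example written for this page, not Huawei code or the AR1200-S implementation: the packet builders, the `AbnormalPacketFilter` class and all sample packets are constructed here, the `subnet_broadcast` parameter stands in for the router's interface configuration, and the interface-consistency half of the LAND check is not modelled. The 28-byte and 65515 figures come from the text; the huge-offset rule is read here as "fragment offset plus fragment length exceeds 65515".

```python
"""Classifier for the abnormal-packet and fragment-attack patterns described in the
AR1200-S manual. Added example, not Huawei code; every packet is constructed inline
and the thresholds (28 bytes, 65515) are the figures given in the text."""
import socket
import struct

TCP_FLAG_MASK = 0x3F      # URG|ACK|PSH|RST|SYN|FIN
SYN, FIN = 0x02, 0x01
MAX_IP_PAYLOAD = 65515    # 65535 total length minus a 20-byte IPv4 header


def build_ipv4(proto, src, dst, payload, ident=1, mf=False, frag_off=0):
    """Constructed IPv4 packet (checksum left zero; sample input only). frag_off is in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_hdr(sport, dport, flags):
    """Minimal 20-byte TCP header; only the flags byte matters for these checks."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_hdr(icmp_type):
    """Minimal 8-byte ICMP header (type 8 = echo request, 0 = echo reply)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


class AbnormalPacketFilter:
    def __init__(self, subnet_broadcast):
        self.subnet_broadcast = subnet_broadcast
        self.fragments = {}   # (src, dst, id, proto) -> [(first_byte, last_byte), ...]

    def classify(self, pkt):
        """Return None if the packet passes, otherwise the name of the rule that drops it."""
        (ver_ihl, _, total_len, ident, flags_frag, _, proto, _,
         src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
        payload = pkt[ihl:total_len]
        frag_off = (flags_frag & 0x1FFF) * 8
        more_frags = bool(flags_frag & 0x2000)

        if not payload:                       # IP packet with no higher layer data
            return "flood-without-ip-payload"
        if proto == 2 and total_len < 28:     # IGMP packet shorter than 28 bytes
            return "igmp-null-packet"
        if frag_off or more_frags:
            if frag_off + len(payload) > MAX_IP_PAYLOAD:
                return "huge-offset"
            key = (src, dst, ident, proto)
            first, last = frag_off, frag_off + len(payload) - 1
            for f, l in self.fragments.get(key, []):
                if first <= l and f <= last:  # byte ranges intersect an earlier fragment
                    return "teardrop-overlap"
            self.fragments.setdefault(key, []).append((first, last))
            return None                       # accepted fragment; no L4 header to inspect
        if proto == 6 and len(payload) >= 14:
            flags = payload[13] & TCP_FLAG_MASK
            if flags in (0, TCP_FLAG_MASK) or (flags & (SYN | FIN)) == (SYN | FIN):
                return "tcp-invalid-flags"
            if flags & SYN and src == dst:    # address half of the LAND check
                return "land"
        if proto == 1 and payload[0] == 8 and dst in ("255.255.255.255", self.subnet_broadcast):
            return "smurf"
        return None


if __name__ == "__main__":
    f = AbnormalPacketFilter("10.0.0.255")
    print(f.classify(build_ipv4(6, "10.0.0.1", "10.0.0.1", tcp_hdr(1234, 80, SYN))))   # land
    print(f.classify(build_ipv4(1, "10.0.0.1", "10.0.0.255", icmp_hdr(8))))             # smurf
```

Fragment state is kept per (source, destination, identification, protocol) tuple, which is the reassembly key the fragments themselves carry; a rejected fragment is not recorded, so a later non-overlapping fragment of the same datagram is still accepted.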