Configuring Attack Detection And Prevention; Overview; Enabling Tcp Fragment Attack Prevention - HPE FlexFabric 7900 Series Security Configuration Manual

Configuring attack detection and prevention

Overview

Attack detection and prevention enables a device to detect attacks by inspecting arriving packets,
and to drop attack packets to protect a private network.
The device supports only TCP fragment attack prevention.

Enabling TCP fragment attack prevention

The TCP fragment attack prevention feature takes effect only on Layer 3 packets.
This feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that
traditional packet filters cannot detect. As defined in RFC 1858, attack TCP fragments are the
following TCP fragments:
- First fragments in which the TCP header is smaller than 20 bytes.
- Non-first fragments with a fragment offset of 8 bytes (FO=1).
To enable TCP fragment attack prevention:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enable TCP fragment attack prevention. | attack-defense tcp fragment enable | By default, TCP fragment attack prevention is enabled. |
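
The two RFC 1858 conditions listed in this section can be expressed as a check on the IPv4 header fields. The following is an added illustration, not HPE code and not a description of how the device implements the feature; the function names `classify_fragment` and `build_ipv4` and the sample packets are constructed for this example, and it assumes "TCP header smaller than 20 bytes" means the first fragment carries fewer than 20 bytes of TCP data.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20   # bytes; a TCP header is never shorter than this

def classify_fragment(packet: bytes) -> str:
    """Apply the two RFC 1858 conditions to one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    total_len, flags_frag = struct.unpack("!H2xH", packet[2:8])
    if ihl < 20 or total_len < ihl or len(packet) < ihl:
        return "malformed"
    more_fragments = bool(flags_frag & 0x2000)    # MF flag
    offset = flags_frag & 0x1FFF                  # fragment offset, 8-byte units
    if packet[9] != TCP_PROTO or (offset == 0 and not more_fragments):
        return "pass"                             # not TCP, or not a fragment
    tcp_bytes = min(total_len, len(packet)) - ihl # TCP bytes in this fragment
    if offset == 0 and tcp_bytes < MIN_TCP_HEADER:
        return "drop: first fragment with TCP header under 20 bytes"
    if offset == 1:
        return "drop: non-first fragment with FO=1"
    return "pass"

def build_ipv4(proto: int, mf: bool, offset: int, payload: bytes) -> bytes:
    """Construct a sample IPv4 packet (checksum left at 0; not checked here)."""
    flags_frag = (0x2000 if mf else 0) | offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

if __name__ == "__main__":
    # Constructed sample packets, using documentation address ranges.
    samples = {
        "tiny first fragment (8 TCP bytes)": build_ipv4(6, True, 0, bytes(8)),
        "normal first fragment (24 TCP bytes)": build_ipv4(6, True, 0, bytes(24)),
        "non-first fragment, FO=1": build_ipv4(6, False, 1, bytes(16)),
        "non-first fragment, FO=3": build_ipv4(6, False, 3, bytes(16)),
        "unfragmented TCP segment": build_ipv4(6, False, 0, bytes(20)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```

A fragment with FO=1 starts at byte 8 of the TCP header, so it would overwrite the flags field on reassembly; that is why it is dropped regardless of its length.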
