Dns Client Verification; Http Client Verification - HPE FlexNetwork HSR6600 Security Configuration Manual

Comware 7

DNS client verification

The DNS client verification feature protects DNS servers against DNS flood attacks. It is configured on the device where packets from the DNS clients to the DNS servers pass through. The device with the DNS client verification feature configured is called a DNS client authenticator.

As shown in Figure 151, the DNS client verification functions as follows:

1. Upon receiving a UDP DNS query destined for a protected server, the DNS client authenticator responds with a DNS truncate (TC) packet. The DNS truncate packet requires the client to initiate a query in a TCP packet.
2. When the authenticator receives a DNS query in a TCP SYN packet to port 53 from the client, the authenticator responds with a SYN-ACK packet that contains an incorrect sequence number.
3. When the authenticator receives a RST packet from the client, the authenticator verifies the client as legitimate.
4. The authenticator adds the client's IP address to the trusted IP list and forwards the trusted client's subsequent packets to the server.

Figure 151 DNS client verification process

The DNS client verification feature requires that clients use the standard TCP/IP protocol suite and DNS protocol. Legitimate clients that use non-standard protocols will be verified as illegitimate by the DNS client authenticator.

With client verification, the first DNS resolution takes more time than normal DNS resolution.
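The four steps above, as an added Python model of the authenticator's decision logic (this is example code, not Comware code; the DNS query bytes and the client events are constructed samples, and the SYN-ACK with an incorrect sequence number is modelled abstractly as an arbitrary offset):

```python
import struct

QR, TC = 0x8000, 0x0200          # DNS header flag bits: response, truncated
SEEN_UDP, SYNACK_SENT = "seen_udp", "synack_sent"   # per-client verification states

def build_query(txid: int, name: str) -> bytes:
    """Constructed sample input: a plain A query with RD set (not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def truncated_response(query: bytes) -> bytes:
    """Step 1: answer the UDP query with QR and TC set and no records, so a
    standards-compliant resolver retries the same question over TCP."""
    txid, flags, qdcount = struct.unpack("!3H", query[:6])
    return struct.pack("!6H", txid, flags | QR | TC, qdcount, 0, 0, 0) + query[12:]

class DnsClientAuthenticator:
    def __init__(self):
        self.pending = {}      # client IP -> verification state
        self.trusted = set()   # trusted IP list (step 4)

    def handle(self, client_ip, event, **pkt):
        """Decide what to do with one client packet; returns the action taken."""
        if client_ip in self.trusted:
            return "forward"                       # step 4: trusted traffic goes to the server
        state = self.pending.get(client_ip)
        if event == "udp_query":
            self.pending[client_ip] = SEEN_UDP
            return ("tc_response", truncated_response(pkt["payload"]))
        if event == "tcp_syn" and pkt.get("dport") == 53 and state == SEEN_UDP:
            self.pending[client_ip] = SYNACK_SENT
            # step 2: SYN-ACK carrying an incorrect sequence number (modelled as an
            # offset); a standard TCP stack rejects it with RST instead of completing
            return ("syn_ack", pkt["seq"] + 1000)
        if event == "tcp_rst" and state == SYNACK_SENT:
            del self.pending[client_ip]
            self.trusted.add(client_ip)            # step 3: the RST proves a real TCP stack
            return "trusted"
        return "drop"   # anything else (e.g. a non-standard client) never reaches the server

def run_flow(events):
    """Replay a list of (client_ip, event, fields) tuples; return the action names."""
    auth = DnsClientAuthenticator()
    out = []
    for ip, ev, fields in events:
        act = auth.handle(ip, ev, **fields)
        out.append(act[0] if isinstance(act, tuple) else act)
    return out
```

A flood source that only sends UDP queries keeps receiving TC responses and is never forwarded, which is the protective effect the feature relies on.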

HTTP client verification

The HTTP client verification feature protects HTTP servers against HTTP flood attacks. It is configured on the device where packets from the HTTP clients to the HTTP servers pass through. A device with the HTTP client verification feature configured is called an HTTP client authenticator.

As shown in Figure 152, the HTTP client verification functions as follows:

1. Upon receiving a SYN packet destined for a protected HTTP server, the HTTP client authenticator performs TCP client verification in SYN cookie mode. If the client passes the TCP client verification, a TCP connection is established between the client and the authenticator. For more information about TCP client verification, see "TCP client verification."
2. When the authenticator receives an HTTP Get packet from the client, it performs the first redirect verification. The authenticator records the client information and responds with an HTTP Redirect packet. The HTTP Redirect packet contains a redirect URI and requires the client to terminate the TCP connection.
