Configuring attack detection and protection
Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, if detecting an attack,
take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting
the source IP address.
The attack protection function can detect three types of network attacks: single-packet attacks, scanning
attacks, and flood attacks. In addition, this function also supports traffic statistics for session analysis on
Types of network attacks the device can defend against
The device can defend against three types of network attacks: single-packet attacks, scanning attacks,
and flood attacks, according to the attack characteristics.
Single-packet attack is also called malformed packet attack because many single-packet attacks use
defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:
An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.
An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
lists the single-packet attacks that can be prevented by the device.
Table 47 Types of single-packet attacks
An attacker sends large amounts of UDP echo requests with the UDP port number
being 7 or Chargen packets with the UDP port number being 19, resulting in a large
quantity of junk replies and eventually exhausting the bandwidth of the target
An attacker sends ICMP redirect messages to a user host to modify the host's routing
table, interfering with the normal forwarding of IP packets.
Upon receiving an ICMP unreachable response, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an attacker can cut off the
connection between the target host and the network.
An attacker sends a great number of TCP SYN packets using target IP address as both
the source and destination IP addresses, exhausting the half-open connection
resources of the target and thereby making the target unable to provide services