If an attacker sends a large number of bogus packets to a target device, the target device is busy with these bogus packets and cannot process normal services.
Defense against flood attacks detects flood packets in real time and discards them or limits the rate of the packets to protect the device.
Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.
A TCP SYN flood attack exploits a weakness in the TCP three-way handshake. During the handshake, the receiver sends a SYN+ACK message when it receives the first SYN message from a sender. While the receiver waits for the final ACK packet from the sender, the connection is in the half-open (half-connected) state. If the receiver does not receive the ACK packet, it retransmits the SYN+ACK packet to the sender. After several retransmission attempts, the receiver tears down the session and updates its session table in memory. The period from the first SYN+ACK message being sent to session teardown is about 30s.
During this period, an attacker may send thousands of SYN messages to all open interfaces and never respond to the SYN+ACK messages from the receiver. The half-open sessions exhaust the receiver's memory and prevent it from accepting new connection requests. The receiver then disconnects all existing connections.
After defense against TCP SYN flood attacks is enabled, the device limits the rate of TCP SYN packets to protect system resources.
If an attacker sends a large number of UDP packets to a target device, the target device is busy with these UDP packets and cannot process normal services. UDP flood attacks are classified into two types:
Fraggle attack
An attacker sends UDP packets whose source address is spoofed to the target device's address, whose destination address is the broadcast address of the target network, and whose destination port is port 7 (echo). If multiple hosts on the broadcast network run the UDP echo service, each of them replies to the target device, which receives an excessive number of response packets. As a result, the system becomes busy.
The device with attack defense configured considers packets from UDP port 7 as attack packets and discards them.
UDP diagnosis port attack
An attacker sends many packets to the UDP diagnosis ports (7 for echo, 13 for daytime, and 19 for chargen) simultaneously; the network is flooded with these packets and network devices cannot work properly.
The device with attack defense configured considers packets from UDP ports 7, 13, and 19 as attack packets and discards them.
Generally, a network administrator uses the ping tool (ICMP Echo Request and Echo Reply messages) to monitor a network and rectify network faults.
If an attacker sends many ICMP Echo messages to the target device, the target device is busy with these Echo messages and cannot process other data packets. Therefore, normal services are affected.
A device can use CAR (Committed Access Rate) to limit the rate of ICMP packets, thus protecting the CPU.
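The three defenses described on this page (SYN rate limiting, dropping traffic on UDP ports 7/13/19 for Fraggle and diagnosis-port floods, and CAR-style ICMP rate limiting) can be modelled in a few lines. The following is an added illustration written for this page, not the device's own implementation: the packet record format, the token-bucket limiter, the rate and burst values, and the sample traffic are all constructed assumptions, and it checks both source and destination port against the diagnosis ports because a Fraggle reply arrives from port 7 while a diagnosis-port flood is sent to those ports.

```python
from collections import namedtuple

# Constructed packet record used for the sample traffic (not a capture format).
Packet = namedtuple("Packet", "time proto src dst sport dport kind")

UDP_DIAG_PORTS = {7, 13, 19}  # echo, daytime, chargen: dropped outright

class TokenBucket:
    """CAR-style limiter: refills `rate` tokens per second up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        # Timestamps are assumed monotonic; refill for the time since the last packet.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class FloodDefense:
    """Applies the page's rules: SYN rate limit, UDP diagnosis-port drop, ICMP CAR."""
    def __init__(self, syn_rate=5, icmp_rate=5, burst=5):
        self.syn_bucket = TokenBucket(syn_rate, burst)   # global SYN limiter
        self.icmp_bucket = TokenBucket(icmp_rate, burst)  # global ICMP limiter

    def verdict(self, p):
        if p.proto == "udp" and (p.sport in UDP_DIAG_PORTS or p.dport in UDP_DIAG_PORTS):
            return "drop:udp-diag-port"  # Fraggle replies (sport 7) and floods of 7/13/19
        if p.proto == "tcp" and p.kind == "SYN":
            return "pass" if self.syn_bucket.allow(p.time) else "drop:syn-rate"
        if p.proto == "icmp" and p.kind == "echo-request":
            return "pass" if self.icmp_bucket.allow(p.time) else "drop:icmp-car"
        return "pass"

def run(packets, **limits):
    """Return one verdict string per packet, in order."""
    fd = FloodDefense(**limits)
    return [fd.verdict(p) for p in packets]

# Constructed sample: a SYN burst, a chargen flood packet, a Fraggle echo reply,
# an ordinary DNS query, an ICMP echo burst, then one echo request 2s later.
SAMPLE = (
    [Packet(0.0, "tcp", "198.51.100.%d" % i, "192.0.2.10", 40000 + i, 80, "SYN") for i in range(7)]
    + [Packet(0.0, "udp", "198.51.100.9", "192.0.2.10", 5555, 19, "data")]
    + [Packet(0.0, "udp", "192.0.2.200", "192.0.2.10", 7, 5555, "data")]
    + [Packet(0.0, "udp", "198.51.100.9", "192.0.2.10", 5555, 53, "data")]
    + [Packet(0.0, "icmp", "198.51.100.1", "192.0.2.10", 0, 0, "echo-request") for _ in range(6)]
    + [Packet(2.0, "icmp", "198.51.100.1", "192.0.2.10", 0, 0, "echo-request")]
)
```

Running `run(SAMPLE)` passes the first five SYNs and drops the rest of the burst, drops both UDP diagnosis-port packets while passing the DNS query, and drops the sixth ICMP echo request until the bucket refills two seconds later.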