Login Through the Web NMS

Attack Behavior

  • DoS

    The HTTP server supports a limited number of concurrent users. When the number of logged-in users reaches the upper limit, no further users can log in to the HTTP server. This can happen through legitimate use of the HTTP server or because the HTTP server is under attack.

  • Slow connection attack

    The attacker sets a large Content-Length value in the Hypertext Transfer Protocol (HTTP) header. After sending the header, the attacker does not send the packet body. Having received the Content-Length, the HTTP server waits for the remaining content. The attacker then keeps the connection open and sends a large number of packets, transmitting one byte every 10 to 100 seconds, to exhaust server resources.

    An HTTP server under a slow connection attack exhibits slow login, forced user logout, frequent disconnections, and login failures.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • Performing AAA authentication

    The HTTP server supports AAA authentication. Only authenticated users can log in to the switch and enter command line views. Users must enter a user name, a password, and a randomly generated verification code to log in, which reduces the likelihood of password cracking.

  • Disabling the HTTP server

    When the HTTP server is enabled, its socket service is listening on the switch, which exposes the switch to scanning by attackers. Therefore, disable the HTTP server if it is not needed.

  • Changing the port number

    By default, the HTTP server uses port 80, a well-known port that is prone to scanning and attacks. Configure the HTTP server to use a non-default port to reduce the probability of scanning and attacks.

  • Configuring an ACL

    In the system view, configure an ACL for the HTTP server to limit the source IP addresses and source port numbers that can be used for login.

  • Using HTTP over SSL (HTTPS)

    HTTP over Secure Sockets Layer (SSL) provides secure transfer that protects transmitted data against theft. Because plain HTTP has security risks, from V200R005 the switch allows web Network Management System (NMS) login only over HTTPS, not over HTTP.

Configuration Method

  • Configure AAA authentication.

    Set the authentication mode to AAA authentication. In the AAA view, create the local user client001 with the password Helloworld@6789, privilege level 15, and service type HTTP.

    <HUAWEI> system-view
    [HUAWEI] aaa
    [HUAWEI-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [HUAWEI-aaa] local-user client001 privilege level 15
    [HUAWEI-aaa] local-user client001 service-type http

  • Disable the HTTP server.

    <HUAWEI> system-view
    [HUAWEI] undo http server enable

  • Change the port number of the HTTP server to 55535.

    <HUAWEI> system-view
    [HUAWEI] http server port 55535

  • Configure ACL 3000 to allow only users with the source IP address 10.10.10.1 and source port number 80 to log in to the switch through HTTP.

    <HUAWEI> system-view
    [HUAWEI] acl 3000
    [HUAWEI-acl-adv-3000] rule 5 permit tcp source 10.10.10.1 0 source-port eq 80
    [HUAWEI-acl-adv-3000] quit
    [HUAWEI] http acl 3000

  • Configure HTTPS.

    <HUAWEI> system-view
    [HUAWEI] ssl policy https_der
    [HUAWEI-ssl-policy-https_der] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher 123456
    [HUAWEI-ssl-policy-https_der] quit
    [HUAWEI] http secure-server ssl-policy https_der
    [HUAWEI] http secure-server enable
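The five configuration steps above can be verified from a saved configuration dump. The following added example (not from this page or from Huawei) parses a constructed sample of display current-configuration output and reports which of the page's policies are not met; the command syntax it matches is taken from the commands above, and the sample text and the check names are assumptions.

```python
import re

# Constructed sample modelled on the commands in this page; not captured
# from a real switch. Cipher texts are replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa
 local-user client001 password irreversible-cipher CIPHERTEXT-PLACEHOLDER
 local-user client001 privilege level 15
 local-user client001 service-type http
#
acl number 3000
 rule 5 permit tcp source 10.10.10.1 0 source-port eq 80
#
ssl policy https_der
 certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code cipher CIPHERTEXT-PLACEHOLDER
#
http server port 55535
http acl 3000
http secure-server ssl-policy https_der
http secure-server enable
undo http server enable
"""

def audit_http_config(config: str) -> dict:
    """Map each policy from this page to True (met) or False (not met)."""
    lines = [ln.strip() for ln in config.splitlines()]
    def present(pattern):
        return any(re.fullmatch(pattern, ln) for ln in lines)
    # Defaults assumed when a command is absent: port 80, no ACL, no policy.
    port = next((int(m.group(1)) for ln in lines
                 if (m := re.fullmatch(r"http server port (\d+)", ln))), 80)
    acl = next((m.group(1) for ln in lines
                if (m := re.fullmatch(r"http acl (\d+)", ln))), None)
    policy = next((m.group(1) for ln in lines
                   if (m := re.fullmatch(r"http secure-server ssl-policy (\S+)", ln))), None)
    return {
        # "undo http server enable" is fine; a bare "http server enable" is not.
        "http_server_disabled": not present(r"http server enable"),
        "http_port_not_default": port != 80,
        # An ACL bound to the HTTP service must also be defined.
        "http_acl_bound": acl is not None and present(rf"acl (number )?{acl}"),
        "https_enabled": present(r"http secure-server enable"),
        "ssl_policy_bound": policy is not None and present(rf"ssl policy {re.escape(policy)}"),
        "aaa_http_user": present(r"local-user \S+ service-type .*\bhttp\b"),
    }

def failed_checks(config: str) -> list:
    """Names of the policies a configuration does not meet."""
    return [name for name, ok in audit_http_config(config).items() if not ok]
```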
Copyright © Huawei Technologies Co., Ltd.