Configuring TCP/IP Attack Defense

Defense against TCP/IP attacks protects the CPU of the router against malformed packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that normal services can be processed.

Usage Scenario

Defense against TCP/IP attacks is applied to the router on the edge of the network or other routers that are easily to be attacked by illegal TCP/IP packets. Defense against TCP/IP attacks can protect the CPU of the router against malformed packets, fragmented packets, TCP SYN packets, and UDP packets, ensuring that normal services can be processed.

In VS mode, this feature is supported only by the admin VS.

Pre-configuration Tasks

Before configuring TCP/IP attack defense, configure the parameters of the link layer protocol and IP addresses for interfaces and ensure that the link layer protocol on the interfaces is Up.

Creating an Attack Defense Policy: All local attack defense features must be added to an attack defense policy. These features take effect after the attack defense policy is applied to the interface board.

Enabling Defense Against Malformed Packet Attacks: With defense against malformed packet attacks, the router checks the validity of received packets and filters out illegal packets, thus defending the CPU against attacks of IP packets with null load, null IGMP packets, LAND attack packets, Smurf attack packets, and packets with invalid TCP flag bits.

Enabling Defense Against Fragmented Packet Attacks: Defense against fragmented packet attacks protects the CPU by restricting the sending rate of fragmented packets and ensuring the correctness of packet reassembly.

Enabling Defense Against TCP SYN Flooding Attacks: The TCP SYN flooding attack is a denial-of-service attack. Defense against TCP SYN flooding attacks protects the CPU by restricting the rate at which packets are sent to the CPU.

Enabling Defense Against UDP Packet Attacks: With defense against UDP packet attacks, the router can identify packets in Fraggle attacks and attack packets on UDP diagnosis ports according to the destination port of the received UDP packets.

Applying the Attack Defense Policy: The configured attack defense policy takes effect only after being applied to the interface board.

Verifying the TCP/IP Attack Defense Configuration: After defense against TCP/IP attacks is configured, you can view the statistics about it, including the total number of illegal TCP/IP packets, the number of legal TCP/IP packets, and the number of discarded packets.