HP 6125G HP Networking guide to hardening Comware-based devices - Page 19
HTTPS ACLs, Control plane protection, Rate limiting packets on network management interfaces
For more information about ACLs, see "ACL" in the Security Command Reference Guide.

HTTPS ACLs

Use the ip https acl command to control HTTPS access with an ACL. Only the clients permitted by the ACL can access the HTTPS server on the device.

Control plane protection

The control plane policing feature allows you to configure a quality of service (QoS) policy that manages control plane packets to protect the control plane from denial-of-service (DoS) attacks. In this way, the control plane can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.

#
 system-view
 control-plane [ slot slot-number ]
# Apply a QoS policy. For more information, see "QoS" in the ACL and QoS Configuration Guide.
 qos apply policy policy-name { inbound | outbound }
#

Rate limiting packets on network management interfaces

This feature limits the rate of incoming packets on a network management interface to prevent DoS attacks. When the rate exceeds the threshold, the excess packets are discarded.

TCP SYN Cookie and protection against Naptha attacks

To prevent TCP connection attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks

In a SYN flood attack, the attacking host sends a large number of SYN messages to the server to establish TCP connections, but it never makes any response. The server establishes a large number of incomplete TCP connections and is unable to handle services normally. The SYN Cookie feature can prevent SYN flood attacks: after receiving a TCP connection request, the server directly returns a SYN ACK message instead of establishing an incomplete TCP connection. Only after receiving an ACK message from the client does the server establish the connection and enter the ESTABLISHED state.
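The following Python model, added here as an illustration and not code from HP's guide or from Comware, shows why the SYN Cookie behaviour described above defeats a SYN flood: the server answers every SYN with a SYN ACK whose initial sequence number is a keyed cookie, stores nothing, and creates connection state only when an ACK returns that cookie plus one. The cookie layout (time slot, MSS index, truncated HMAC), the secret key, the addresses and the flood size are all constructed for this example and are simplified relative to a real TCP stack.

```python
"""Stateless SYN cookie handshake model (added example; not Comware code).

On a SYN the server returns a SYN-ACK whose sequence number is a cookie and
keeps no half-open entry. Only an ACK carrying cookie+1 that verifies under
the server's secret creates an ESTABLISHED entry. Cookie layout (32 bits):
5-bit time slot | 3-bit MSS index | 24-bit HMAC over the 4-tuple and slot.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-example-secret"   # constructed; a real stack rotates this
MSS_TABLE = (536, 1220, 1440, 1460)       # MSS values encodable in 3 bits
SLOT_SECONDS = 64                          # cookie validity granularity
MASK32 = 0xFFFFFFFF


def _mac(src_ip, src_port, dst_port, slot, mss_idx):
    """24-bit keyed tag binding the cookie to one client/port/server/slot."""
    msg = struct.pack("!4sHHIB", src_ip, src_port, dst_port, slot, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_port, now, mss):
    """Encode slot, MSS index and MAC into an initial sequence number."""
    slot = (now // SLOT_SECONDS) & 0x1F
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return (slot << 27) | (idx << 24) | _mac(src_ip, src_port, dst_port, slot, idx)


def check_cookie(src_ip, src_port, dst_port, now, cookie):
    """Return the MSS encoded in a valid, unexpired cookie, else None."""
    slot = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    cur = (now // SLOT_SECONDS) & 0x1F
    if (cur - slot) & 0x1F > 1:               # accept current or previous slot only
        return None
    if (cookie & 0xFFFFFF) != _mac(src_ip, src_port, dst_port, slot, idx):
        return None
    return MSS_TABLE[idx]


class SynCookieServer:
    """Server side of the handshake; state exists only for completed handshakes."""

    def __init__(self, port=443):
        self.port = port
        self.established = {}                  # (ip, port) -> connection info

    def on_syn(self, src_ip, src_port, mss, now):
        # No half-open entry is created: everything needed lives in the cookie.
        isn = make_cookie(src_ip, src_port, self.port, now, mss)
        return {"flags": "SYN-ACK", "seq": isn}

    def on_ack(self, src_ip, src_port, ack, now):
        mss = check_cookie(src_ip, src_port, self.port, now, (ack - 1) & MASK32)
        if mss is None:
            return False                       # forged or stale ACK: dropped
        self.established[(src_ip, src_port)] = {"mss": mss, "state": "ESTABLISHED"}
        return True


def demo():
    """Constructed scenario: a SYN flood, one legitimate client, a forged ACK and a stale ACK."""
    srv = SynCookieServer()
    now = 1_000_000
    flood_ip, client_ip = b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x09"   # constructed 10.0.0.2 / 10.0.0.9
    for port in range(1024, 2048):             # 1024 SYNs that never complete
        srv.on_syn(flood_ip, port, 1460, now)
    half_open = len(srv.established)          # stays 0: nothing was stored
    synack = srv.on_syn(client_ip, 40000, 1460, now)
    legit = srv.on_ack(client_ip, 40000, (synack["seq"] + 1) & MASK32, now + 1)
    forged = srv.on_ack(client_ip, 40001, 12345, now + 1)
    stale = srv.on_ack(client_ip, 40000, (synack["seq"] + 1) & MASK32, now + 5 * SLOT_SECONDS)
    return {"half_open_after_flood": half_open, "legit": legit, "forged": forged,
            "stale": stale, "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The flood leaves the server with no per-connection memory, which is the property the feature relies on; the cost is that the cookie can only carry a few bits of the client's options (here, an MSS index), which is why real stacks use it as a fallback under load rather than all the time.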
Follow these steps to enable the SYN Cookie feature:

#
 tcp syn-cookie enable
#

A Naptha attack uses the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas a SYN flood attack uses only the SYN_RECEIVED state. The Naptha attacker controls a huge number of hosts to establish TCP connections with the server, keeps these connections in the same state (any of the six), and requests no data, so as to exhaust the memory resources of the server. As a result, the server cannot process normal services.

Follow these steps to enable protection against Naptha attacks:

#
 tcp anti-naptha enable
 tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
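The Python script below is added here as an example and is not part of HP's guide or of Comware; it audits a text export of a device's running configuration for the settings this page covers (an ACL bound to the HTTPS server, a QoS policy applied in control-plane view, SYN Cookie, and a per-state anti-Naptha limit for each of the six states). The sample configuration, its ACL contents and the policy name are constructed; the parser assumes the usual Comware layout of `display current-configuration` (system-view commands indented under `#` separators, named views such as `acl` and `control-plane` unindented), so check it against the output format of your release.

```python
"""Audit a Comware running configuration for the hardening settings in this
section (added example; not HP/Comware code). The config below is
constructed; command syntax follows the guide, while the exact layout of
'display current-configuration' is an assumption about the release in use.
"""
import re

TCP_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2",
              "last-ack", "syn-received")

# Constructed sample: SYN cookie, anti-naptha (two states only), HTTPS ACL,
# and a control-plane policy are present; four state limits are missing.
SAMPLE_CONFIG = """\
#
 sysname Switch-Edge-1
#
 tcp syn-cookie enable
 tcp anti-naptha enable
 tcp state syn-received connection-number 50
 tcp state established connection-number 200
#
acl number 2001
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 5 deny
#
control-plane slot 1
 qos apply policy cpp-policy inbound
#
 ip https enable
 ip https acl 2001
#
return
"""


def parse_views(text):
    """Split a Comware config into {view_header: [commands]}.

    Indented lines belong to the most recent unindented header (a named view
    such as 'acl number 2001'); a '#' separator returns to system view, whose
    commands are collected under the key 'system'.
    """
    views = {"system": []}
    current = "system"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#" or line == "return":
            current = "system"
            continue
        if line.startswith(" "):
            views.setdefault(current, []).append(line.strip())
        else:
            current = line.strip()
            views.setdefault(current, [])
    return views


def _first(cmds, pattern):
    """First command in cmds matching the regex, as a match object, else None."""
    for cmd in cmds:
        m = re.match(pattern, cmd)
        if m:
            return m
    return None


def audit(views):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    system = views.get("system", [])

    # HTTPS ACL: only relevant when the HTTPS server is enabled at all.
    if "ip https enable" in system:
        m = _first(system, r"ip https acl (\d+)$")
        if m is None:
            findings.append("HTTPS server enabled without 'ip https acl': any client can reach it")
        else:
            acl_view = next((v for v in views
                             if re.match(rf"acl (number|basic) {m.group(1)}\b", v)), None)
            rules = views.get(acl_view, []) if acl_view else []
            if not any(r.startswith("rule") and " permit" in r for r in rules):
                findings.append(f"ACL {m.group(1)} bound by 'ip https acl' is undefined or has no permit rule")

    # Control plane protection: a policy applied inbound in some control-plane view.
    cp_views = [v for v in views if v.startswith("control-plane")]
    if not any(_first(views[v], r"qos apply policy \S+ inbound") for v in cp_views):
        findings.append("no QoS policy applied inbound in control-plane view")

    if "tcp syn-cookie enable" not in system:
        findings.append("'tcp syn-cookie enable' missing")
    if "tcp anti-naptha enable" not in system:
        findings.append("'tcp anti-naptha enable' missing")

    # Anti-Naptha limits: each of the six states should carry a connection-number.
    limited = set()
    for cmd in system:
        m = re.match(r"tcp state (\S+) connection-number \d+$", cmd)
        if m:
            limited.add(m.group(1))
    for state in TCP_STATES:
        if state not in limited:
            findings.append(f"no 'tcp state {state} connection-number' limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_views(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports only the four TCP states that have no connection-number limit; removing the `ip https acl 2001` line makes it flag the exposed HTTPS server as well. Feed it a real export (redirected `display current-configuration`) to check a fleet of devices against this section.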