Recommended attack defense configuration on the USG2000&5000&6000


The following attack defense configurations are recommended if there are no special attack defense requirements:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
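The list above is a baseline, so the practical question on an existing device is which of these lines are absent from its running configuration. The following audit script is an added example, not part of the original page or Huawei's own tooling: it parses a configuration dump for `firewall defend <name> enable` lines and reports which recommended defenses are missing. The sample configuration is constructed, and the handling of an `undo` prefix as the way a defense is disabled is an assumption.

```python
import re

# Recommended attack defenses, taken from the page's list.
RECOMMENDED_DEFENDS = [
    "land", "smurf", "fraggle", "winnuke",
    "source-route", "route-record", "time-stamp", "ping-of-death",
]

# Matches "firewall defend <name> enable" and its "undo ..." form.
# Treating the "undo" prefix as the disabling form is an assumption.
_DEFEND_RE = re.compile(r"^\s*(undo\s+)?firewall defend ([\w-]+) enable\s*$")


def enabled_defends(config_text):
    """Return the set of attack-defense names left enabled by a config dump."""
    enabled = set()
    for line in config_text.splitlines():
        m = _DEFEND_RE.match(line)
        if not m:
            continue
        undo, name = m.group(1), m.group(2)
        if undo:
            enabled.discard(name)   # a later "undo" cancels an earlier enable
        else:
            enabled.add(name)
    return enabled


def audit_defends(config_text, recommended=RECOMMENDED_DEFENDS):
    """Return the recommended defenses missing from the config, in list order."""
    enabled = enabled_defends(config_text)
    return [name for name in recommended if name not in enabled]


# Constructed sample dump (not exported from a real device).
SAMPLE_CONFIG = """\
#
 sysname USG-demo
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ping-of-death enable
undo firewall defend fraggle enable
firewall defend ip-sweep enable
#
"""

if __name__ == "__main__":
    for name in audit_defends(SAMPLE_CONFIG):
        print("missing: firewall defend %s enable" % name)
```

Run the script against a saved `display current-configuration` dump in place of the constructed sample; each printed line is a recommended command that still needs to be applied.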

Other related questions:
Attack defense concept and configuration method for the USG2000&5000
Overview of attack defense

Common network attacks generally intrude into or overload web servers (hosts), steal sensitive server data, consume bandwidth resources, or interrupt the services that the servers provide to external users. Certain network attacks directly target network devices. Such attacks may cause anomalies in network services and bring adverse impacts, or even interrupt the operation of these services.

Network attacks fall into traffic attacks, scanning and sniffing attacks, malformed-packet attacks, and special-packet attacks. The details are as follows:

Traffic attacks
In a traffic attack, an attacker sends a mass of useless data to exhaust server resources, causing denial of service on the server. This type of attack sends a mass of data packets, overloads devices, and exhausts network bandwidth or device resources. Routers, servers, and firewalls usually have limited resources; once overloaded, they may fail to process normal services, causing denial of service. The most common traffic attack is the flood attack. In flood attacks, attackers send a large number of seemingly legitimate TCP, UDP, and ICMP packets to targets. Some attackers even forge the source addresses to evade detection and monitoring.

Scanning and sniffing attacks
Scanning and sniffing attacks mainly refer to IP sweep and port scan. In IP sweep, an attacker constantly sends IP (TCP/UDP/ICMP) packets with changing destination addresses to search existing hosts and networks for a target. In port scan, an attacker scans TCP and UDP ports to detect the operating system and potential services of the target. Through scanning and sniffing, attackers can roughly understand the types of services that targets provide and their potential vulnerabilities for further intrusions.

Malformed-packet attacks
In malformed-packet attacks, attackers send defective IP packets to target systems. The target systems may encounter errors or crash when handling such packets. Malformed-packet attacks mainly include Ping-of-Death and Teardrop attacks.

Special-packet attacks
In special-packet attacks, attackers use legitimate packets to probe networks or detect data. The packets are legitimate application packets but are seldom used on networks.

Configuration of IP sweep attack defense for the USG2000&5000 series on the CLI
You can configure IP sweep attack defense for the USG2000&5000 series on the CLI.
1. Run the firewall defend ip-sweep enable command to enable IP sweep attack defense. By default, IP sweep attack defense is disabled.
2. Run the firewall defend ip-sweep max-rate max-rate-number command to set the IP sweep maximum connection rate. The default maximum connection rate is 4000 pps.
3. Run the firewall defend ip-sweep blacklist-timeout interval command to set the blacklist aging time. By default, the blacklist aging time is 20 minutes.
4. Run the firewall blacklist enable command to enable the blacklist function.
After IP sweep attack defense is enabled, the device checks received TCP, UDP, and ICMP packets. If the number of packets that a source address sends per second to different destination IP addresses exceeds the specified threshold, the USG2000&5000 considers that the source address is initiating an IP sweep attack. It blacklists the IP address and:
Discards the packets from the source address if the blacklist function is enabled.
Forwards the packets from the source address and generates an alarm if the blacklist function is disabled.
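The detection logic described in the paragraph above (a per-second count of distinct destinations per source, a threshold, a blacklist with an aging time, and a different outcome depending on whether the blacklist function is on) can be followed more easily as a small model. The following simulator is an added example and is not the device's firmware or any Huawei code; the 4000 pps and 20 minute defaults come from the page, while the packet records, the lowered threshold of 50 used in the sample run, and the exact counting of distinct destinations per one-second bucket are constructed assumptions.

```python
from collections import defaultdict

DEFAULT_MAX_RATE = 4000               # pps, the page's default max-rate
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60   # seconds, the page's default of 20 minutes


class IpSweepDetector:
    """Model of the IP sweep check (constructed, not the device's implementation)."""

    def __init__(self, max_rate=DEFAULT_MAX_RATE,
                 blacklist_timeout=DEFAULT_BLACKLIST_TIMEOUT,
                 blacklist_enabled=True):
        self.max_rate = max_rate
        self.blacklist_timeout = blacklist_timeout
        self.blacklist_enabled = blacklist_enabled
        self._dsts = defaultdict(set)   # (src, second) -> destination IPs seen
        self._blacklist = {}            # src -> expiry time of its entry
        self.alarms = []                # (timestamp, src, message)

    def _blacklisted(self, src, now):
        expiry = self._blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blacklist[src]    # entry has aged out
            return False
        return True

    def process(self, ts, src, dst, proto):
        """Return 'forward' or 'drop' for one packet and update detector state."""
        if proto not in ("tcp", "udp", "icmp"):
            return "forward"            # only TCP, UDP and ICMP are checked
        if not self._blacklisted(src, ts):
            bucket = self._dsts[(src, int(ts))]
            bucket.add(dst)
            if len(bucket) > self.max_rate:
                self._blacklist[src] = ts + self.blacklist_timeout
                self.alarms.append((ts, src, "ip-sweep detected"))
        if self._blacklisted(src, ts):
            if self.blacklist_enabled:
                return "drop"           # blacklist on: discard
            self.alarms.append((ts, src, "blacklisted source forwarded"))
        return "forward"                # blacklist off: forward and alarm


def run_sample(blacklist_enabled=True):
    """Replay a constructed packet trace and return (verdicts, late_verdict, alarms)."""
    det = IpSweepDetector(max_rate=50, blacklist_enabled=blacklist_enabled)
    verdicts = []
    # Constructed: 10.0.0.9 probes 60 different hosts within one second (> 50).
    for i in range(60):
        verdicts.append(det.process(100.0 + i / 100, "10.0.0.9",
                                    "192.0.2.%d" % (i + 1), "icmp"))
    # Constructed: 10.0.0.5 talks to three hosts, which stays under the threshold.
    for i in range(3):
        verdicts.append(det.process(100.5, "10.0.0.5",
                                    "192.0.2.%d" % (i + 1), "tcp"))
    # The sweeper returns after the blacklist entry has aged out.
    late = det.process(100.0 + DEFAULT_BLACKLIST_TIMEOUT + 1,
                       "10.0.0.9", "192.0.2.200", "tcp")
    return verdicts, late, det.alarms


if __name__ == "__main__":
    for enabled in (True, False):
        verdicts, late, alarms = run_sample(enabled)
        print("blacklist enabled=%s: %d dropped, late packet %s, %d alarms"
              % (enabled, verdicts.count("drop"), late, len(alarms)))
```

With the blacklist function on, the 51st destination in one second trips the threshold and every later packet from that source is discarded until the entry ages out; with it off, the same packets are forwarded but each one raises an alarm, which is the behaviour to expect in the logs when step 4 has not been run.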

Configuration of SIP flood attack defense for the USG2000&5000 series on the CLI
You can configure SIP flood attack defense for the USG2000&5000 series on the CLI.
1. In the user view, run the system-view command to access the system view.
2. Run the firewall defend sip-flood enable command to enable the SIP flood attack defense function.
3. According to the attack defense scope, run either of the following commands to set SIP flood attack parameters:
(a) Run the firewall defend sip-flood ip ip-address [ vpn-instance vpn-instance-name ] [ alert-rate alert-rate ] [ max-rate rate-number ] [ source-detect [ on | off ] ] command to set SIP flood attack defense parameters based on IP addresses. The source detection function is enabled by default.
(b) Run the firewall defend sip-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert-rate alert-rate ] [ max-rate rate-number ] [ source-detect [ on | off ] ] command to set SIP flood attack defense parameters based on security zones. The source detection function is enabled by default.
4. Run the firewall defend sip-flood port range [ start-port end-port ] command to set a port range for SIP flood attack defense.

Whether the USG2000&5000 supports IP spoofing attack defense
Yes. When the USG2000&5000 works in transparent or multi-egress mode, or policy-based routing is applied, IP spoofing attack defense cannot be configured.

Configuration of port scan attack defense for the USG2000&5000 series on the web UI
You can configure port scan attack defense for the USG2000&5000 series on the web UI.
1. Choose Firewall > Security Protection > Attack Defense.
2. In the attack defense configuration list, choose Attack Defense Type > Scan.
3. On the Configure Scan Attack Defense page, select Enable corresponding to Port Scan.
4. Set parameters for port scan attack defense.
5. Click Apply.
