Enabling IP spoofing attack defense on the USG6000 series


The USG6000 looks up the routing table for the outgoing interfaces of reverse traffic destined to the source. If the incoming interface of the traffic and the outgoing interface of the reverse traffic are different, the packets are considered IP spoofing packets and discarded.
Run the firewall defend ip-spoofing enable command to enable IP spoofing attack defense.

Other related questions:
Whether the USG6000 series supports IP spoofing attack defense
Yes, with one restriction: when the USG6000 works in transparent or multi-egress mode, or when policy-based routing is applied, IP spoofing attack defense cannot be configured.

Enabling IP spoofing attack defense on the USG2000&5000 series
The USG2000&5000 looks up the routing table for the outgoing interfaces of reverse traffic destined to the source. If the incoming interface of the traffic and the outgoing interface of the reverse traffic are different, the packets are considered IP spoofing packets and discarded.
Run the firewall defend ip-spoofing enable command to enable IP spoofing attack defense.

Whether the USG2000&5000 supports IP spoofing attack defense
Yes, with one restriction: when the USG2000&5000 works in transparent or multi-egress mode, or when policy-based routing is applied, IP spoofing attack defense cannot be configured.

Configuration of IP sweep attack defense for the USG6000 series on the CLI
You can configure IP sweep attack defense for the USG6000 series on the CLI.

1. Run the firewall defend ip-sweep enable command to enable IP sweep attack defense. By default, IP sweep attack defense is disabled.
2. Run the firewall defend ip-sweep max-rate max-rate-number command to set the IP sweep maximum connection rate. By default, the maximum connection rate is 4000 pps.
3. Run the firewall defend ip-sweep blacklist-timeout interval command to set the blacklist aging time. By default, the blacklist aging time is 20 minutes.
4. Run the firewall blacklist enable command to enable the blacklist function.

After IP sweep attack defense is enabled, the device checks received TCP, UDP, and ICMP packets. If the number of packets that a source address sends per second to different destination IP addresses exceeds the specified threshold, the USG6000 considers that the source address is initiating an IP sweep attack. It blacklists the IP address and:
- Discards the packets from the source address if the blacklist function is enabled.
- Forwards the packets from the source address and generates an alarm if the blacklist function is disabled.

Configuration of IP sweep attack defense for the USG6000 series on the web UI
You can configure IP sweep attack defense for the USG6000 series on the web UI.

1. Choose Policy > Security Protection > Attack Defense.
2. Click the Single-Packet Attack tab.
3. Select the IP Sweep check box to enable the attack defense function.
4. Set the maximum scanning rate and blacklist aging time.

If you enable IP sweep attack defense, enable the blacklist function as well to ensure that the device discards blacklisted packets.
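The following Python model is an added example of the IP sweep detection rule described in the CLI and web UI answers above; it is illustrative code, not Huawei's implementation. It counts the distinct destination IPs each source reaches within one second, blacklists a source that exceeds the max-rate threshold for the blacklist aging time, and returns discard or forward-with-alarm depending on whether the blacklist function is enabled. The class defaults reuse the page's stated defaults (4000 pps, 20 minutes); the small thresholds and packet records in the usage are constructed values.

```python
from collections import defaultdict

# Defaults as stated on the page: max-rate 4000 pps, blacklist-timeout 20 minutes.
DEFAULT_MAX_RATE = 4000
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60  # seconds

INSPECTED_PROTOCOLS = ("tcp", "udp", "icmp")


class IpSweepDetector:
    """Simplified model: a source reaching more than max_rate distinct destination
    IPs within one second is blacklisted for blacklist_timeout seconds."""

    def __init__(self, max_rate=DEFAULT_MAX_RATE,
                 blacklist_timeout=DEFAULT_BLACKLIST_TIMEOUT,
                 blacklist_enabled=True):
        self.max_rate = max_rate
        self.blacklist_timeout = blacklist_timeout
        self.blacklist_enabled = blacklist_enabled
        # (source, whole second) -> destination IPs seen from that source in that second
        self.dests = defaultdict(set)
        # source -> time at which its blacklist entry ages out
        self.blacklist = {}
        self.alarms = []  # (timestamp, source) for forwarded-but-alarmed packets

    def _is_blacklisted(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]  # aging time elapsed, entry removed
            return False
        return True

    def handle(self, ts, proto, src, dst):
        """Verdict for one packet: 'forward', 'forward+alarm' or 'discard'."""
        if proto not in INSPECTED_PROTOCOLS:
            return "forward"  # only TCP, UDP and ICMP are checked
        if not self._is_blacklisted(src, ts):
            seen = self.dests[(src, int(ts))]
            seen.add(dst)
            if len(seen) > self.max_rate:
                self.blacklist[src] = ts + self.blacklist_timeout
        if self._is_blacklisted(src, ts):
            if self.blacklist_enabled:
                return "discard"
            self.alarms.append((ts, src))  # blacklist disabled: forward and alarm
            return "forward+alarm"
        return "forward"
```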
