華為 SecPath 防火牆 常見flood攻擊防範典型配置
一、 組網需求
SecPath 開啟syn-flood、icmp-flood和udp-flood的攻擊 防範,防止對Server的flood攻擊 。
二、組網圖
軟體版本如下:
SecPath10F : VRP 3.40 ESS 1604 ;
三、配置 步驟
[Quidway]dis cur
#
sysname Quidway
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
firewall statistic system enable //開啟報文全域性統計
#
radius scheme system
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
#
acl number 3000
rule 1 permit ip source 192.168.1.0 0.0.0.255
#
interface Ethernet1/0
ip address 10.0.0.254 255.255.0.0
#
interface Ethernet2/0
speed 10
duplex full
ip address 192.168.1.254 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet2/0
set priority 85
#
firewall zone untrust
add interface Ethernet1/0 //伺服器加入非信任域
set priority 5
statistic enable ip inzone //開啟所在域入方向的報文統計
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
firewall defend land
firewall defend smurf
firewall defend winnuke
firewall defend syn-flood enable //使能syn-flood攻擊範
firewall defend icmp-flood enable //使能imcp-flood攻擊防範
//設定受保護主機和啟用tcp代理
firewall defend syn-flood ip 10.0.0.1 max-rate 100 tcp-proxy
firewall defend icmp-flood ip 10.0.0.1 //設定受保護的主機
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
四、 配 置關鍵點
1. 在全域性下開啟報文統 計;
2. 開啟受保護主機所在域 的入方向的報文統計;
3. 使能相應的 flood 攻擊防範;
4. 設定受保護主機。
五、 驗 證結果
在攻擊機 Attacker : 192.168.1.1 上對 10.0.0.1 進行 syn-flood 和 icmp-flood 攻擊,防火牆 告警。
[Quidway]
%Jan1 08:01:06:125 2000 Quidway SEC/5/ATCKDF:atckType(1016)=(6)ICMP-flood;rcvIfNa
me(1023)=Ethernet2/0;srcIPAddr(1017)=192.168.1.1;srcMacAddr(1021)=;destIPAddr(1019)=10.0.0.1;destMacAddr(1022)=;atckSpeed(1047)=1000;atckTime_cn(1048)=20000101080102
[Quidway]
%Jan1 08:01:36:125 2000 Quidway SEC/5/ATCKDF:atckType(1016)=(5)SYN-flood;rcvIfNam
e(1023)=Ethernet2/0;srcIPAddr(1017)=192.168.1.1;srcMacAddr(1021)=;destIPAddr(1019)=10.0.0.1;destMacAddr(1022)=;atckSpeed(1047)=100;atckTime_cn(1048)=20000101080117