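The problem now is that I have already enabled deny for all ICMP packets on the two dialer interfaces, dialer10 and dialer11, so why are there still so many ICMP destination unreachable attacks? Also, how should I defend against the UDP flood attacks?
The attack data below was generated in just 2 hours.
The MSR 2660 has 2 WAN ports, XGE0/0/10 and XGE0/0/11, connected to 2 optical modems, with the MSR2660 doing the dial-up.
DDoS defense is enabled and the firewall restricts ICMP; the configuration is as follows.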
Advanced IPv4 ACL named Ten-GigabitEthernet0/0/10, 1 rule,
ACL's step is 5, start ID is 5
rule 5 deny icmp destination object-group wan time-range icmp (Active) (15828 times matched)
Advanced IPv4 ACL named Ten-GigabitEthernet0/0/11, 1 rule,
ACL's step is 5, start ID is 5
rule 5 deny icmp destination object-group wan time-range icmp (Active) (5141 times matched)
Ip address object group wan: 1 object(in use)
0 network subnet 118.76.0.0 255.255.0.0 (this is the public IP range that China Unicom assigns for PPPoE dial-up)
dialer 10
packet-filter name Ten-GigabitEthernet0/0/10 inbound
attack-defense apply policy AtkInterface65541
dialer 11
packet-filter name Ten-GigabitEthernet0/0/11 inbound
attack-defense apply policy AtkInterface65542
Configuration verification is as follows:
Advanced IPv4 ACL named Ten-GigabitEthernet0/0/10, 1 rule,
ACL's step is 5, start ID is 5
rule 5 deny icmp destination object-group wan time-range icmp (Active) (15828 times matched)
Advanced IPv4 ACL named Ten-GigabitEthernet0/0/11, 1 rule,
ACL's step is 5, start ID is 5
rule 5 deny icmp destination object-group wan time-range icmp (Active) (5141 times matched)
dis attack-defense statistics interface Dialer 10
Attack policy name: AtkInterface65541
Slot 0:
Scan attack defense statistics:
AttackType AttackTimes Dropped
No scanning attacks detected.
Flood attack defense statistics:
AttackType AttackTimes Dropped
UDP flood 244 372977
Signature attack defense statistics:
AttackType AttackTimes Dropped
TCP null flag 5 5
TCP all flags 3 3
ICMP destination unreachable 1807 1807
dis attack-defense statistics interface Dialer 11
Attack policy name: AtkInterface65542
Slot 0:
Scan attack defense statistics:
AttackType AttackTimes Dropped
No scanning attacks detected.
Flood attack defense statistics:
AttackType AttackTimes Dropped
UDP flood 153 49238
Signature attack defense statistics:
AttackType AttackTimes Dropped
TCP null flag 1 1
TCP all flags 4 4
ICMP destination unreachable 1332 1332
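Best answer
You have only denied them, but these packets will still reach your device. What you have done is enough; no additional configuration is needed. This is all untargeted probing and scanning from the WAN.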
Then how should I defend against the UDP flood?
Refer to this document, it's all in there: https://www.h3c.com/cn/Service/Document_Software/Document_Center/Routers/Catalog/MSR/MSR_50/Command/Command_Manual/H3C_MSR_CR-Release_2104(V1.10)/11/201011/698510_30005_0.htm#_Toc273287200
OK, thank you very much, buddy