
Chapter 13 – Attack Defense

HCSA-NGFW 2022

Contents
1 ARP Defense
2 Attack Defense

Cyber Kill Chain

Figure: the seven Cyber Kill Chain stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action on objectives) grouped into three phases (Preparation, Intrusion, Active Breach), mapped against the products that cover them: Traditional FW, NGFW, Malware Detection Products (AD/IPS/AV, ATD/ABD) and iNGFW.
www.hillstonenet.com
ARP Defense
• ARP defense uses ARP technology to defend against ARP attacks originating from the Intranet.
It includes:

– IP-MAC Binding
– ARP Authentication
– ARP Inspection
– DHCP Snooping
– Host Defense
– Host Blacklist

IP-MAC Binding
• IP-MAC Binding (ARP binding): the binding information can be obtained statically or
dynamically.
• After manual binding, configure the following in interface configuration mode:
    no arp-learning              \\ disable ARP learning
    arp-disable-dynamic-entry    \\ disable dynamic entries; only static entries are checked

Host Blacklist
• With the host blacklist function, the device can prevent a specified user from accessing
the Internet during a specified period.
• Blocks by host IP or by service.
• The WebUI can block for at most 3600 s; the CLI can block permanently.

    SG-6000# configure
    SG-6000(config)# schedule working
    SG-6000(config-schedule)# periodic daily 9:00 to 18:00
    SG-6000(config-schedule)# exit
    SG-6000(config)# host-blacklist mac 001c.5cff.acbd schedule working
Matching Sequence

1. MAC Blacklist -> 2. Exceptional Whitelist -> 3. Static IP Blacklist -> 4. Blacklist Library -> 5. Dynamic IP Blacklist -> 6. Service Blacklist

Attack Defense

Attack Defense
Networks inevitably face various attacks, such as compromise or sabotage of servers,
theft of sensitive data, interference with services, or even direct sabotage of network
devices that causes service anomalies or interruptions. Security gateways, as a category
of network security device, must be designed with attack defense functions that detect
the various types of network attacks and take appropriate actions to protect the Intranet
against them, thereby assuring the normal operation of the Intranet and its systems.

Hillstone devices provide attack defense functions based on security zone.

Attack Protocol Category

Figure: AD classifies attacks by protocol: IP attack, UDP attack, TCP attack, ICMP attack, ARP attack and ND attack.

Attack Types

Figure: AD attack types: Single Packet Anomaly, Protocol Anomaly, Flood Attack, Spoofing Attack, Scanning and SYN Proxy.

Attack Defense
Network > Zone > Threat Protection, then click 『Configure』 under Attack Defense.

Configuring Attack Defense

SYN Flood
• The attacker sends a large number of SYN packets with forged source IP addresses to the attacked host,
which establishes an equally large number of half-open connections that persist until they time out. As a
result, the host's resources are exhausted and normal accesses are blocked.

Figure: a normal handshake (Client -> Server: SYN; Server -> Client: SYN/ACK; Client -> Server: ACK), followed by forged SYNs that each draw a SYN/ACK from the server but are never answered with an ACK, leaving half-open connections on the server.

SYN Flood Attack Defense – SYN Flood

SYN Flood Attack Defense - SYN Proxy

Client / StoneOS / Server sequence:

1. Client -> StoneOS: SYN. StoneOS creates a session.
2. StoneOS -> Client: SYN/ACK.
3. Client -> StoneOS: ACK. StoneOS finds the session.
4. StoneOS -> Server: SYN.
5. Server -> StoneOS: SYN/ACK. StoneOS finds the session.
6. StoneOS -> Server: ACK.

SYN Flood Attack Defense – SYN cookie

Client / StoneOS / Server sequence:

1. Client -> StoneOS: SYN.
2. StoneOS -> Client: SYN/ACK.
3. Client -> StoneOS: ACK. StoneOS creates the session.
4. StoneOS -> Server: SYN.
5. Server -> StoneOS: SYN/ACK. StoneOS finds the session.
6. StoneOS -> Server: ACK.
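The SYN Proxy and SYN cookie sequences differ in when the device creates the session: the proxy creates it on the client's SYN, while the cookie variant answers the SYN and creates the session only once a valid ACK arrives, which is what makes the forged SYNs of the SYN Flood slide cheap to absorb. The Python below is an added example, not StoneOS code or Hillstone's implementation: it models a SYN cookie proxy whose SYN/ACK sequence number carries a time slot and a keyed MAC over the connection 4-tuple and client ISN, so nothing is stored until the ACK validates. The secret key, the 64-second time slot, the one-slot tolerance and all traffic are constructed assumptions for the example.

```python
import hmac
import hashlib

# Constructed secret for this example; a real device would keep it private and rotate it.
SECRET = b"example-secret-not-a-real-key"
TIME_SLOT = 64          # seconds per cookie time slot (assumed)
MAX_SLOT_AGE = 1        # accept the current slot and the previous one (assumed)


def _slot(now):
    """8-bit time counter that goes in the top byte of the cookie."""
    return (now // TIME_SLOT) & 0xFF


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit keyed MAC over the connection 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """ISN the proxy puts in its SYN/ACK: time slot in the top byte, MAC in the low 24 bits.
    Nothing is stored, so a forged SYN costs the proxy no memory."""
    slot = _slot(now)
    return (slot << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def validate_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Check the handshake ACK: ack-1 must be a cookie we could have issued recently for
    this 4-tuple, and seq-1 is the client ISN that was bound into it."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF > MAX_SLOT_AGE:
        return False                      # cookie too old (or from the future)
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


class SynCookieProxy:
    """Handshake state machine on the device: reply to every SYN statelessly, and only
    after a valid ACK create the session and start the handshake to the real server."""

    def __init__(self):
        self.sessions = {}                                  # created only after a good ACK
        self.stats = {"syn": 0, "ack_ok": 0, "ack_bad": 0}

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, now):
        self.stats["syn"] += 1
        # Returns the SYN/ACK sequence number to send back; no session entry is created.
        return make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
        if not validate_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
            self.stats["ack_bad"] += 1
            return False
        self.stats["ack_ok"] += 1
        # Step 3 of the sequence: the session exists now; the device would next send its
        # own SYN to the server and splice the two halves together.
        self.sessions[(src_ip, src_port, dst_ip, dst_port)] = "syn-sent-to-server"
        return True


def simulate(now=1_700_000_000):
    """Constructed traffic: 1000 SYNs with forged sources that never ACK, one legitimate
    client that completes the handshake, and one bogus ACK with a guessed cookie."""
    proxy = SynCookieProxy()
    server = ("192.0.2.10", 80)
    for i in range(1000):
        forged_src = f"203.0.113.{i % 254 + 1}"
        proxy.on_syn(forged_src, 1024 + i, *server, client_isn=i * 7919, now=now + i // 100)
    # Legitimate client: keeps the SYN/ACK it received and answers with ack = cookie + 1.
    cookie = proxy.on_syn("198.51.100.5", 40000, *server, client_isn=12345, now=now)
    proxy.on_ack("198.51.100.5", 40000, *server, seq=12346,
                 ack=(cookie + 1) & 0xFFFFFFFF, now=now + 1)
    # Someone sending an ACK without ever having received a SYN/ACK.
    proxy.on_ack("198.51.100.5", 40001, *server, seq=1, ack=0x12345678, now=now + 1)
    return {"sessions": len(proxy.sessions), **proxy.stats}
```

Running simulate() shows 1001 SYNs answered with zero half-open entries on the device and exactly one session, created by the one client that returned a valid ACK. The cost of the scheme is visible in the 24-bit MAC: the cookie has to fit in the 32-bit sequence number, so it is short by design and the time slot is what limits how long a captured SYN/ACK stays replayable.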

Flood Attack
An ICMP Flood/UDP Flood attack sends a huge number of ICMP messages (such as ping) or
UDP packets to a target within a short period, each requesting a response. Under the
heavy load, the attacked target cannot complete its normal transmission tasks.

Figure: a stream of ICMP ECHO requests hitting the target; the first ones are answered with ICMP REPLY, after which ECHO requests keep arriving faster than the target can reply.

Flood Attack Defense

Scan Attack

IP Address Sweep and Port Scan:

This kind of attack reconnoiters destination addresses and ports with scanners and
determines their existence from the responses. Through an IP address sweep or port scan,
an attacker can determine which systems are alive and connected to the target network,
and which ports the hosts use to provide services.

Scan/Spoof Defense

Port Scan Defense:


• If more than 10 TCP SYN packets are sent to different ports of a single destination
address within the period specified by the threshold, StoneOS identifies them as a
port scan attack.
• StoneOS then only permits 10 TCP SYN packets destined to different ports of that
single destination address to pass through.
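As an added example, not StoneOS code, the Python below models the rule on this slide: for each source and destination address pair it counts the distinct destination ports that receive TCP SYNs inside a sliding window, permits the first 10 and drops the rest with an alarm. The one-second window, the per-source keying and the packet record format are assumptions chosen for the example; the packet records are constructed, not captured traffic.

```python
from collections import defaultdict, deque

SCAN_THRESHOLD = 10    # distinct destination ports allowed per window (the slide's figure)
WINDOW_SECONDS = 1.0   # assumed value for "the period specified by the threshold"


class PortScanDetector:
    """Sliding-window port scan detector, an assumed model of the behaviour on the slide,
    not StoneOS internals. Tracks which destination ports each source has sent TCP SYNs
    to on each destination address; beyond the threshold, SYNs to new ports are dropped."""

    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
        self.alarms = []

    def _recent_ports(self, key, now):
        """Drop entries older than the window and return the ports still inside it."""
        q = self.hits[key]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return {port for _, port in q}

    def handle(self, pkt):
        """Return 'permit' or 'drop' for one packet record."""
        if pkt["proto"] != "tcp" or not pkt.get("syn"):
            return "permit"               # the rule only looks at TCP SYN packets
        key = (pkt["src"], pkt["dst"])
        ports = self._recent_ports(key, pkt["ts"])
        if pkt["dport"] in ports:
            return "permit"               # a retry to a port already counted is not new evidence
        self.hits[key].append((pkt["ts"], pkt["dport"]))
        if len(ports) + 1 > self.threshold:
            self.alarms.append({"src": pkt["src"], "dst": pkt["dst"], "ts": pkt["ts"],
                                "ports_in_window": len(ports) + 1})
            return "drop"
        return "permit"


def _syn(ts, src, dst, dport):
    return {"ts": ts, "proto": "tcp", "syn": True, "src": src, "dst": dst, "dport": dport}


def build_sample_traffic():
    """Constructed packet records (not captured traffic)."""
    # one host probes 15 different ports on 203.0.113.5 within 150 ms
    pkts = [_syn(i * 0.01, "198.51.100.7", "203.0.113.5", 1 + i) for i in range(15)]
    # an ordinary client opens HTTPS and HTTP to the same server
    pkts += [_syn(0.05, "198.51.100.20", "203.0.113.5", 443),
             _syn(0.06, "198.51.100.20", "203.0.113.5", 80)]
    # a UDP datagram is outside the rule entirely
    pkts.append({"ts": 0.07, "proto": "udp", "src": "198.51.100.7",
                 "dst": "203.0.113.5", "dport": 53})
    # the scanning host returns after the window has elapsed
    pkts.append(_syn(5.0, "198.51.100.7", "203.0.113.5", 100))
    return sorted(pkts, key=lambda p: p["ts"])


def run_demo():
    det = PortScanDetector()
    verdicts = [det.handle(p) for p in build_sample_traffic()]
    return {"permit": verdicts.count("permit"), "drop": verdicts.count("drop"),
            "alarms": len(det.alarms)}
```

On the constructed traffic the scanning host gets its first 10 distinct ports through and the remaining 5 are dropped, the ordinary client and the UDP datagram are untouched, and the same host is permitted again once the window has expired. Keying on destination address alone, as the slide's wording can be read, would make a busy server trip the rule under normal load, which is why the example keys on the source as well.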

IP Address Spoof
IP address spoofing is a technique used to gain unauthorized access to computers. An
attacker sends packets with a forged source IP address to a computer, and the packets
are disguised as if they had come from a real host.

ARP Spoofing Defense
IP Address Spoof Defense:
• After a packet enters the device, StoneOS performs a reverse route lookup on its
source IP address. If an IP address spoof attack is detected, StoneOS drops the
packet and raises an alarm.
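An added example, not StoneOS code, of what a reverse route lookup on the source address amounts to: a longest-prefix-match routing table, a check that the route back to the source leaves through the interface the packet arrived on, and a drop with an alarm when it does not. The routing table, the interface names and the packets are constructed for the example.

```python
import ipaddress


class ReverseRouteChecker:
    """Strict reverse-path check: the packet's source must be reachable through the
    interface it arrived on. An assumed model of the slide's 'query reverse routing',
    not StoneOS internals."""

    def __init__(self, routes):
        # routes: iterable of (prefix, egress_interface); the longest prefix match wins
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.alarms = []

    def reverse_route(self, src_ip):
        """Interface the device would use to reach src_ip, or None if there is no route."""
        addr = ipaddress.ip_address(src_ip)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def check(self, ingress, src_ip):
        """Return 'forward' if the reverse route agrees with the ingress interface, else 'drop'."""
        expected = self.reverse_route(src_ip)
        if expected == ingress:
            return "forward"
        self.alarms.append(f"IP spoof: src {src_ip} arrived on {ingress}, "
                           f"reverse route is {expected}")
        return "drop"


# Constructed routing table; interface names are illustrative.
ROUTES = [
    ("10.1.0.0/16", "ethernet0/1"),     # trust: internal LAN
    ("192.0.2.0/24", "ethernet0/2"),    # dmz: public servers
    ("0.0.0.0/0", "ethernet0/0"),       # untrust: default route to the Internet
]

# Constructed packets: (ingress interface, source IP)
PACKETS = [
    ("ethernet0/0", "10.1.5.5"),        # Internet-side packet claiming an internal address
    ("ethernet0/1", "10.1.5.5"),        # same address arriving on its own interface
    ("ethernet0/0", "198.51.100.9"),    # genuine Internet source
    ("ethernet0/2", "10.1.7.7"),        # DMZ host claiming an internal address
]


def run_demo():
    """Apply the check to the constructed packets; returns the verdicts and alarms."""
    checker = ReverseRouteChecker(ROUTES)
    verdicts = [checker.check(iface, src) for iface, src in PACKETS]
    return verdicts, checker.alarms
```

The strict form shown here assumes symmetric routing: if replies to a source legitimately leave through a different interface than its packets arrive on, the check drops good traffic, and the usual remedy is a loose variant that only requires some route to the source to exist, at the cost of catching fewer forged addresses.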

Questions
1. How many ARP defense methods does a Hillstone device support, and what are they?
2. How do you configure the whitelist of Attack Defense?
3. What are the common AD attacks?

Thanks
