User's Manual

Chapter 48 Attack Prevention Introduction
48.1 Overview of Filter
To keep network bandwidth available for legitimate use, this switch series provides a function that prevents
malicious traffic from consuming a large share of it.
Filter identifies the packets received on a switch interface and counts them by packet type. Reflecting current
attack patterns, Filter counts the number of ARP, IGMP or IP packets that a host sends within a given period.
Once the count exceeds the threshold, the switch stops providing service to that host.
Filter limits the packets from a host by blocking their source address. For ARP attacks, Filter blocks the source
MAC address; for IP attacks, such as ping scans and TCP/UDP port scans, Filter blocks the source IP address.
48.2 The Mode of Filter
The Filter mode determines how the switch restricts a host once it has been identified as an attack source. There
are two modes of Filter.
Source Address Block Time (Raw)
In Raw mode, once a host is identified as an attack source, the switch drops its packets for the configured block
time. When the block time expires, the restriction on the attack source is removed and counting starts again.
In Raw mode, all packets from the blocked source address are dropped. For instance, when the MAC address of
the attack source is blocked, every packet carrying that source MAC address is dropped, whether it is ARP, ICMP,
DHCP or any other type.
Source Address Block Polling (Hybrid)
After blocking the attack source, the switch continues to count packets from it and checks, at the end of each
polling interval, whether the packet count exceeds the threshold. If it does, the host stays blocked; otherwise the
block is removed. In Hybrid mode, the packet threshold used to identify the attack source initially and the
threshold used during polling can be configured independently.
To keep counting packets, Hybrid mode matches the packet type as well as the source address while the address
is blocked. For instance, if a host's MAC address is blocked because it triggered ARP attack detection, the switch
continues to forward IP packets from that host unless the host is also identified as an IP attack source.
Select the Filter mode according to your application environment. Use Raw mode to restrict attack sources
strictly and reduce the load on the switch CPU; use Hybrid mode to control attack sources flexibly and restore
the host's communication as soon as possible after the attack ends. Note that the number of Filter entries a
switch can support in Hybrid mode is limited. When not enough Hybrid entries are available, Raw mode is
adopted automatically.
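As an added illustration of the two modes (this is a model written for this chapter, not code from the manual or the switch firmware), the following Python class counts packets per source and type within a detection window and applies either Raw blocking or Hybrid per-type polling; the window length, thresholds, block time and polling interval are assumed parameters, and the packet sequences in the comments are constructed.

```python
from collections import defaultdict

class AttackFilter:
    """Raw: once `threshold` is exceeded in a window, drop everything from the source for
    `block_time`, then restart counting. Hybrid: drop only the attacking packet type and, at
    the end of each polling interval, keep the block only if more than `poll_threshold` arrived."""

    def __init__(self, mode, window, threshold, block_time=0, poll_interval=0, poll_threshold=0):
        assert mode in ("raw", "hybrid")
        self.mode, self.window, self.threshold = mode, window, threshold
        self.block_time, self.poll_interval, self.poll_threshold = block_time, poll_interval, poll_threshold
        self.counts = defaultdict(int)   # (src, ptype) -> packets seen in the current window
        self.window_start = {}           # (src, ptype) -> when that window began
        self.blocks = {}                 # block key -> {"end": t, "count": n}

    def _block_key(self, src, ptype):
        # Raw blocks the address outright; Hybrid blocks it only for the matched packet type.
        return src if self.mode == "raw" else (src, ptype)

    def _reset(self, src, ptype):
        # Raw discards all counters for the host; Hybrid only the matched type's counter.
        for k in [k for k in self.counts if k[0] == src and (self.mode == "raw" or k[1] == ptype)]:
            self.counts.pop(k)
            self.window_start.pop(k, None)

    def packet(self, t, src, ptype):
        """Return 'forward' or 'drop' for one packet of type ptype from src at time t."""
        key = self._block_key(src, ptype)
        blk = self.blocks.get(key)
        if blk is not None:
            if t < blk["end"]:
                blk["count"] += 1            # packets seen while blocked (used by Hybrid polling)
                return "drop"
            # Block time (Raw) or polling interval (Hybrid) has ended; evaluated lazily on arrival.
            if (self.mode == "hybrid" and blk["count"] > self.poll_threshold
                    and t < blk["end"] + self.poll_interval):  # a whole idle interval releases
                blk["end"], blk["count"] = t + self.poll_interval, 1
                return "drop"
            del self.blocks[key]
            self._reset(src, ptype)
        ckey = (src, ptype)
        if ckey not in self.window_start or t - self.window_start[ckey] >= self.window:
            self.window_start[ckey], self.counts[ckey] = t, 0
        self.counts[ckey] += 1
        if self.counts[ckey] > self.threshold:
            end = t + (self.block_time if self.mode == "raw" else self.poll_interval)
            self.blocks[key] = {"end": end, "count": 0}
            self._reset(src, ptype)
            return "drop"
        return "forward"
```

With the constructed sequence below, Raw mode drops a host's IP packet while its ARP block is active, whereas Hybrid mode forwards it and later releases the ARP block once a polling interval passes under the polling threshold.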