Land Attack Defense Configuration Example

This section describes a Land attack defense configuration example.

Ethernet 0/0 is bound to the trust zone, ethernet 0/2 is bound to the untrust zone, and ethernet 0/1 is bound to the DMZ zone. Protect the server in the DMZ zone against Land attacks.

The defense networking topology is shown as follows:

Take the following steps:

Step 1: Configure ethernet0/0, ethernet0/2 and ethernet0/1.

  1. On the Navigation pane, click Configure > Network > Network to visit the Network page.
  2. Select ethernet0/0 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
  1. Click OK to save the changes and return to the main page.
  2. Select ethernet0/2 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
  1. Click OK to save the changes and return to the main page.
  2. Select ethernet0/1 from the interface list, and click Edit. In the Interface Configuration dialog, configure the options as below:
  1. Click OK to save the changes and return to the main page.

Step 2: Configure a policy rule.

  1. On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
  2. Click New. On the Basic tab in the Policy Configuration dialog, configure the options as below:
  1. Click OK to save the settings and return to the main page.

Step 3: Enable Land attack defense for the untrust zone.

  1. On the Navigation pane, click Configure >Security > Attack Defense to visit the Attack Defense page.
  2. Select untrust from the Zone drop-down list.
  3. In the Denial of service defense section, select the Land attack check box to enable Land attack defense, and select Drop from the Action drop-down list.
  4. Click OK to save the changes and return to the main page.

Step 4: Test the Land attack defense configured for the server. Craft a packet with identical source and destination IP address, and send it to 10.110.1.1. The device will detect a Land attack, and then give an alarm and drop the packet.