【SHA256SUM】
77e04a12dad5dd63ffe2f97f6d7f65eccf4156afdf20821454e5811971a9dfe4
【版本号】
V4.5R90F03
【升级基础版本】
V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp01.C236,V4.5R90F02.sp01.C236.HD,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06,V4.5R90F02.sp07,V4.5R90F02.sp04.HD8500,V4.5R90F02.sp04.12000,V4.5R90F02.sp04.12000v2
【升级版本】
V4.5R90F03
【配套联动】
NTA: V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06,V4.5R90F02.sp07,V4.5R90F03
ADSM: V4.5R90F03
【功能变更说明】
1.新增HTTP2协议防护
2.新增TCP反射攻击防护
3.新增DNS响应防护
4.新增HTTP Malformed报文防护
5.分片报文支持限速
6.SYN重传时序检查算法支持时序可配
7.新增群组黑名单
8.默认群组替代缺省ddos策略
9.支持VLAN牵引优先回注功能
10.BGP支持自定义router-id
11.更新国际联系方式
12.限制型号、版本、运行模式不匹配的配置文件的导入
13.添加刚果GMT+1时区
14.群组自学习的规格扩大到15个
15.大包分片群组化
【BUG修复说明】
ADS-49282 【黑名单】生产后,不使用web,直接使用CLI开启黑名单,web与引擎生效情况不一致
ADS-49264 【系统用户管理】CLI用户在启用状态下,点击保存后重启设备,routerman账户远程登录失败
ADS-49262 【ADS_云端认证】ads在未启用绿盟云的情况下,需提供能够监控A接口进程的功能
ADS-48625 【手工流量牵引】路由daemon条数在50条时,“确定”和“取消”按钮显示不完整
ADS-25715 【BGP】修改BGP配置并点击保存后,正在牵引的IP不会重新下发生效,导致对端路由器没有生成BGP路由
ADS-25697 【防护策略事件统计】当生成上万条事件时,页面访问约10s才能打开
ADS-25696 【icmp防护策略】持续打恒定大小的icmp flood攻击后,在icmp进入防护状态后,存在少量透包
ADS-25682 【配置导入】配置文件导入未检查配置文件版本号,导入配置文件后系统可能会出现异常
ADS-25512 【业务口】设备启起来后,ifconfig下接口没加载出来
ADS-25399 【注入高级功能】注入冗余探测到注入路由不通后,未撤回由NTA下发的路由
ADS-48441 【URL-ACL规则】匹配中url-acl规则的攻击报文源IP无法被加入到黑名单
ADS-49414 【ADS_防护群组】防护群组配置http js算法,收到1514字节的http get报文,设备挂死
ADS-49603 【注入路由】在ADSM集群环境下,主从设备注入路由配置相同的情况下仍周期性同步
ADS-48337 【管理口访问控制】频繁操作增删改,iptables会出现重复规则
ADS-48429 【管理口访问控制】邮件配置等管理口访问控制forbid时需要解析的文件配置中存在域名时,IPV6 forbid all管理口访问控制规则下发失败
ADS-50017 【HTTP防护】JS动态防护算法的验证码自动更新策略有问题
【注意事项】
若升级时出现升级失败,请检查防护群组中是否存在名称为default_protection_group的群组,若存在,请修改该群组名称或删除该群组后再进行升级操作。
– END –
[SHA256SUM]
77e04a12dad5dd63ffe2f97f6d7f65eccf4156afdf20821454e5811971a9dfe4
[Software Package Version No.]
V4.5R90F03
[Source Version]
V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp01.C236,V4.5R90F02.sp01.C236.HD,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06,V4.5R90F02.sp07,V4.5R90F02.sp04.HD8500,V4.5R90F02.sp04.12000,V4.5R90F02.sp04.12000v2
[Target Version]
V4.5R90F03
[Matching Versions of Collaborative Devices]
NTA: V4.5R90F02,V4.5R90F02.sp01,V4.5R90F02.sp02,V4.5R90F02.sp03,V4.5R90F02.sp04,V4.5R90F02.sp05,V4.5R90F02.sp06,V4.5R90F02.sp07,V4.5R90F03
ADSM: V4.5R90F03
[Function Changes]
1. HTTP2 protection is added.
2. TCP reflection protection is added.
3. DNS response protection is added.
4. Malformed HTTP packets can be blocked.
5. The transmission rate of fragments can be restricted.
6. The SYN retransmission time sequence algorithms support custom time sequences.
7. Blacklists specific to protection groups can be added.
8. The default protection group module replaces the default anti-DDoS policy module.
9. The VLAN-preferred diversion and injection function is added.
10. BGP routes accept custom router IDs.
11. The contact information is updated.
12. Configuration files cannot be imported to devices across models, versions, or running modes.
13. The Congo GMT+1 time zone is added.
14. The number of protection groups subject to auto-learning is increased to 15.
15. Fragment specific to protection groups can be added.
[Fixed Bugs]
ADS-49282 [blacklist]: For a newly produced device, if the blacklist function is enabled on a command-line interface, the web-based manager shows that both the blacklist and proxy monitoring are enabled. Actually, only the blacklist is enabled and proxy monitoring is still disabled.
ADS-49264 [system user management] After a user enables the CLI user account, routerman, clicks Save, and restarts the device, the user cannot log in to the system remotely via this account.
ADS-49262 [cloud authentication]: The system cannot monitor the A interface process when NSFOCUS cloud is disabled.
ADS-48625 [manual traffic diversion]: When there are 50 route daemons, the Cancel and OK buttons cannot be properly displayed.
ADS-25715 [BGP] When BGP configurations are modified, ADS does not dispatch the peer router the diversion route for the IP address involved in ongoing diversion. As a result, on the peer router, there is no BGP route for the IP address in question.
ADS-25697 [statistics of events triggered by protection policies ] If tens of thousands of events are generated, it takes about 10 seconds to open the Protection Event Statistics page under Logs > Protection Logs.
ADS-25696 [ICMP protection policy]: Once ICMP packets are sent at a constant rate to cause ICMP flood attacks, a few packets are found to pass through the ADS device when ICMP protection is triggered.
ADS-25682 [configuration import]: Importing configuration files may cause the system to fail due to the lack of version check on the files.
ADS-25512 [working interface] When the user runs the ifconfig command after the device is started, the command returns information of some interfaces, instead of all interfaces.
ADS-25399 [advanced functions for injection]: After injection route redundancy is enabled, ADS does not revoke the diversion route dispatched by NTA when detecting that the injection route is unreachable.
ADS-48441 [URL-ACL rules]: For attack packets matching URL-ACL rules with the action of Monitor+blacklist, their source IP addresses cannot be added to the blacklist.
ADS-49414 [protection group]: When the HTTP JavaScript algorithm is configured, the device hangs when receiving 1514-byte HTTP GET packets.
ADS-49603: [injection route] For an ADS cluster, the master device still regularly synchronizes injection route configurations to the standby devices even if no changes are made to such configurations.
ADS-48337 [management interface access control]: Frequent rule additions, changes, or deletions may lead to duplicate rules in iptables.
ADS-48429 [management port access control]: When the default management interface access control rule is configured to block all IP addresses, ADS needs to resolve the domain names (including the domain name of the SNMP server) specified on the UI into IP addresses and adds these addresses to the whitelist. However, the management interface access rule that forbids all IPv6 addresses fails to be dispatched to the system.
ADS-50017 [HTTP protection policy]: Something wrong with auto-updating the Verification code of HTTP JavaScript algorithm.
[Important Notes]
If the update fails, check whether the protection group named default_protection_group exists. If yes, change the protection group name or delete the group before updating the system again.
原文链接:http://update.nsfocus.com/update/listAdsDetail/v/v45R90F03
原创文章,作者:优速盾-小U,如若转载,请注明出处:https://www.cdnb.net/bbs/archives/21275
