11-Security Command Reference
19-Attack detection and prevention commands
Attack detection and prevention commands
ack-flood action
Use ack-flood action to specify global actions against ACK flood attacks.
Use undo ack-flood action to restore the default.
Syntax
ack-flood action { client-verify | drop | logging } *
undo ack-flood action
Default
No global action is specified for ACK flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent ACK packets destined for the victim IP addresses.
logging: Enables logging for ACK flood attack events.
Usage guidelines
For the ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against ACK flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop
Related commands
ack-flood threshold
ack-flood detect
ack-flood detect non-specific
ack-flood detect
Use ack-flood detect to configure IP address-specific ACK flood attack detection.
Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.
Syntax
ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering ACK flood attack prevention. The value range is 1 to 1000000 in units of ACK packets sent to the specified IP address per second.
action: Specifies the actions when an ACK flood attack is detected. If no action is specified, the global actions set by the ack-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent ACK packets destined for the protected IP address.
logging: Enables logging for ACK flood attack events.
none: Takes no action.
Usage guidelines
You can configure ACK flood attack detection for multiple IP addresses in one attack defense policy.
With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000
Related commands
ack-flood action
ack-flood detect non-specific
ack-flood threshold
client-verify tcp enable
ack-flood detect non-specific
Use ack-flood detect non-specific to enable global ACK flood attack detection.
Use undo ack-flood detect non-specific to disable global ACK flood attack detection.
Syntax
ack-flood detect non-specific
undo ack-flood detect non-specific
Default
Global ACK flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command. The global detection uses the global trigger threshold set by the ack-flood threshold command and global actions specified by the ack-flood action command.
Examples
# Enable global ACK flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect non-specific
Related commands
ack-flood action
ack-flood detect
ack-flood threshold
ack-flood threshold
Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention.
Use undo ack-flood threshold to restore the default.
Syntax
ack-flood threshold threshold-value
undo ack-flood threshold
Default
The global threshold is 1000 for triggering ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ACK packets sent to an IP address per second.
Usage guidelines
The device applies the global threshold to global ACK flood attack detection. Adjust the threshold according to the application scenarios. If the number of ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
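The detection/prevention state machine described in the usage guidelines of ack-flood detect and ack-flood threshold, modelled as an added example (not device code): prevention starts when the per-second ACK rate to an address reaches the threshold and ends when it falls below the silence threshold of three-fourths of that value, with IP-specific entries overriding the global threshold and actions exactly as the non-specific detection rule states. Class and method names, and the rates fed in, are constructed for illustration.

```python
"""Per-IP flood detector with the hysteresis described in the usage
guidelines: prevention starts when the ACK rate reaches the threshold and
ends when it falls below the silence threshold (three-fourths of it).
Added illustration, not device code; policy and rate values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class State(Enum):
    DETECTION = "detection"
    PREVENTION = "prevention"


@dataclass
class FloodDetector:
    threshold: int                  # packets/second to one IP that trigger prevention
    actions: Tuple[str, ...]        # actions applied while in prevention state
    state: State = State.DETECTION
    transitions: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 1000000:
            raise ValueError("threshold must be in 1..1000000")
        # silence threshold: three-fourths of the trigger threshold
        self.silence_threshold = self.threshold * 3 / 4

    def observe(self, second: int, rate: int) -> Tuple[str, ...]:
        """Feed one second's ACK rate; return the actions to apply in that second."""
        if self.state is State.DETECTION and rate >= self.threshold:
            self.state = State.PREVENTION
            self.transitions.append((second, "prevention"))
        elif self.state is State.PREVENTION and rate < self.silence_threshold:
            self.state = State.DETECTION
            self.transitions.append((second, "detection"))
        return self.actions if self.state is State.PREVENTION else ()


class AttackDefensePolicy:
    """Model of one attack defense policy: a global threshold (default 1000)
    and global actions used by non-specific detection, plus IP-specific
    entries that override them for their own address."""

    def __init__(self, name: str, global_threshold: int = 1000,
                 global_actions: Tuple[str, ...] = (), non_specific: bool = False):
        self.name = name
        self.global_threshold = global_threshold
        self.global_actions = global_actions
        self.non_specific = non_specific              # ack-flood detect non-specific
        self.specific: Dict[str, FloodDetector] = {}  # ack-flood detect ip ...
        self._global: Dict[str, FloodDetector] = {}   # lazily created per other IP

    def detect_ip(self, ip: str, threshold: Optional[int] = None,
                  actions: Optional[Tuple[str, ...]] = None) -> None:
        """Equivalent of: ack-flood detect ip <ip> [threshold N] [action ...]."""
        if actions == ("none",):
            actions = ()                              # 'none' takes no action
        self.specific[ip] = FloodDetector(
            threshold if threshold is not None else self.global_threshold,
            actions if actions is not None else self.global_actions)

    def detector_for(self, ip: str) -> Optional[FloodDetector]:
        if ip in self.specific:
            return self.specific[ip]
        if not self.non_specific:
            return None                               # no detection for this IP
        return self._global.setdefault(
            ip, FloodDetector(self.global_threshold, self.global_actions))

    def observe(self, ip: str, second: int, rate: int) -> Tuple[str, ...]:
        det = self.detector_for(ip)
        return det.observe(second, rate) if det else ()


if __name__ == "__main__":
    # Constructed scenario mirroring the page's examples: global threshold 100
    # with drop, and 192.168.1.2 with its own threshold of 2000.
    policy = AttackDefensePolicy("atk-policy-1", global_threshold=100,
                                 global_actions=("drop",), non_specific=True)
    policy.detect_ip("192.168.1.2", threshold=2000)
    for sec, rate in enumerate([1500, 2000, 1600, 1499], start=1):
        print("192.168.1.2", sec, rate, policy.observe("192.168.1.2", sec, rate))
```

Note that a rate of 1600 keeps 192.168.1.2 in prevention state even though it is below the trigger threshold, because it is still at or above the silence threshold of 1500.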
Examples
# Set the global threshold to 100 for triggering ACK flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 100
Related commands
ack-flood action
ack-flood detect
ack-flood detect non-specific
attack-defense apply policy (interface view)
Use attack-defense apply policy to apply an attack defense policy to an interface.
Use undo attack-defense apply policy to restore the default.
Syntax
attack-defense apply policy policy-name
undo attack-defense apply policy
Default
No attack defense policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines
An interface can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.
An attack defense policy can be applied to multiple interfaces.
Examples
# Apply the attack defense policy atk-policy-1 to interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] attack-defense apply policy atk-policy-1
Related commands
attack-defense policy
display attack-defense policy
attack-defense apply policy (security zone view)
Use attack-defense apply policy to apply an attack defense policy to a security zone.
Use undo attack-defense apply policy to restore the default.
Syntax
attack-defense apply policy policy-name
undo attack-defense apply policy
Default
No attack defense policy is applied to a security zone.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines
A security zone can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.
An attack defense policy can be applied to multiple security zones.
Examples
# Apply the attack defense policy atk-policy-1 to the security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name dmz
[Sysname-security-zone-DMZ] attack-defense apply policy atk-policy-1
Related commands
attack-defense policy
display attack-defense policy
attack-defense local apply policy
Use attack-defense local apply policy to apply an attack defense policy to the device.
Use undo attack-defense local apply policy to restore the default.
Syntax
attack-defense local apply policy policy-name
undo attack-defense local apply policy
Default
No attack defense policy is applied to the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines
An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device.
Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device.
Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.
An attack defense policy can be applied to the device itself and to multiple interfaces.
If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows:
1. The policy applied to the receiving interface processes the packet.
2. If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.
Examples
# Apply the attack defense policy atk-policy-1 to the device.
<Sysname> system-view
[Sysname] attack-defense local apply policy atk-policy-1
Related commands
attack-defense policy
display attack-defense policy
attack-defense login reauthentication-delay
Use attack-defense login reauthentication-delay to enable the login delay feature.
Use undo attack-defense login reauthentication-delay to restore the default.
Syntax
attack-defense login reauthentication-delay seconds
undo attack-defense login reauthentication-delay
Default
The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the delay period in seconds, in the range of 4 to 60.
Usage guidelines
The login delay feature makes the device wait before it accepts another login request from a user who has failed a login attempt. This feature can slow down login dictionary attacks.
Examples
# Enable the login delay feature and set the delay period to 5 seconds.
[Sysname] attack-defense login reauthentication-delay 5
attack-defense policy
Use attack-defense policy to create an attack defense policy and enter its view, or enter the view of an existing attack defense policy.
Use undo attack-defense policy to delete an attack defense policy.
Syntax
attack-defense policy policy-name
undo attack-defense policy policy-name
Default
No attack defense policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Examples
# Create the attack defense policy atk-policy-1 and enter its view.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1]
Related commands
attack-defense apply policy
display attack-defense policy
attack-defense signature log non-aggregate
Use attack-defense signature log non-aggregate to enable log non-aggregation for single-packet attack events.
Use undo attack-defense signature log non-aggregate to restore the default.
Syntax
attack-defense signature log non-aggregate
undo attack-defense signature log non-aggregate
Default
Log non-aggregation is disabled for single-packet attack events.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Log aggregation collects all logs generated during a period of time and sends one log in their place. Logs can be aggregated if they share the same values for all of the following items:
· Interface or security zone where the attack is detected.
· Attack type.
· Attack prevention action.
· Source and destination IP addresses.
· VPN instance to which the victim IP address belongs.
As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
Examples
# Enable log non-aggregation for single-packet attack events.
<Sysname> system-view
[Sysname] attack-defense signature log non-aggregate
Related commands
signature detect
attack-defense tcp fragment enable
Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.
Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.
Syntax
attack-defense tcp fragment enable
undo attack-defense tcp fragment enable
Default
TCP fragment attack prevention is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments:
· First fragments in which the TCP header is smaller than 20 bytes.
· Non-first fragments with a fragment offset of 8 bytes (FO=1).
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
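The two RFC 1858 fragment shapes listed above, implemented as an added detection check (not the device's own code) over raw IPv4 packets: a first fragment whose transport data is shorter than a 20-byte TCP header, and a non-first fragment with fragment offset 1 (8 bytes). The sample packets are constructed for illustration and carry no IP checksum, since the check never consults it.

```python
"""Detector for the two RFC 1858 attack TCP fragment shapes that the
attack-defense tcp fragment enable command drops. Added illustration, not
device code; sample packets are constructed and the IP checksum is left at 0
because the check never looks at it."""
import struct
from typing import Sequence

IPPROTO_TCP = 6
MF_FLAG = 0x2000            # "more fragments" bit of the flags/fragment-offset field
FRAG_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
MIN_TCP_HEADER = 20         # bytes of TCP header a first fragment must carry


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields the fragment check needs; raise on a truncated or non-IPv4 buffer."""
    if len(pkt) < 20:
        raise ValueError("buffer shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header or length")
    return {
        "proto": proto,
        "mf": bool(flags_frag & MF_FLAG),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,   # in 8-byte units
        "payload_len": total_len - ihl,                 # transport-layer bytes carried
    }


def classify_fragment(pkt: bytes) -> str:
    """Return 'drop:<reason>' for an attack TCP fragment, else 'pass'.

    'pass' only means the packet continues to normal processing (including
    the single-packet attack defense policy); it does not mean it is benign.
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != IPPROTO_TCP:
        return "pass"                       # the check applies to TCP fragments only
    fragmented = hdr["mf"] or hdr["frag_offset"] != 0
    if not fragmented:
        return "pass"                       # whole datagram: TCP header is intact
    if hdr["frag_offset"] == 0 and hdr["payload_len"] < MIN_TCP_HEADER:
        # First fragment too short to hold a full TCP header, so the port and
        # flag fields a packet filter needs are not all present.
        return "drop:tiny-first-fragment"
    if hdr["frag_offset"] == 1:
        # Non-first fragment starting 8 bytes in (FO=1): on reassembly it can
        # overwrite the TCP flags carried by the first fragment.
        return "drop:offset-8-fragment"
    return "pass"


def build_ipv4(proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left at 0."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + payload


def tcp_fragment_filter(pkts: Sequence[bytes]) -> list:
    """Apply the check to a batch of packets; returns one verdict per packet."""
    return [classify_fragment(p) for p in pkts]


# Constructed sample traffic; payload content is irrelevant to the check.
SAMPLES = {
    "whole_tcp":       build_ipv4(6, 0x4000, b"\x00" * 20),      # DF set, not fragmented
    "first_frag_ok":   build_ipv4(6, MF_FLAG | 0, b"\x00" * 24),  # full TCP header fits
    "first_frag_tiny": build_ipv4(6, MF_FLAG | 0, b"\x00" * 8),   # only 8 bytes of TCP
    "second_frag_fo1": build_ipv4(6, MF_FLAG | 1, b"\x00" * 8),   # offset 8 bytes
    "second_frag_fo3": build_ipv4(6, MF_FLAG | 3, b"\x00" * 8),   # offset 24 bytes
    "udp_frag_fo1":    build_ipv4(17, MF_FLAG | 1, b"\x00" * 8),  # not TCP
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} {classify_fragment(pkt)}")
```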
Examples
# Enable TCP fragment attack prevention.
<Sysname> system-view
[Sysname] attack-defense tcp fragment enable
attack-defense top-attack-statistics enable
Use attack-defense top-attack-statistics enable to enable the top attack statistics ranking feature.
Use undo attack-defense top-attack-statistics enable to disable the top attack statistics ranking feature.
Syntax
attack-defense top-attack-statistics enable
undo attack-defense top-attack-statistics enable
Default
The top attack statistics ranking feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command collects statistics about the number of dropped attack packets by attacker, victim, and attack type, and ranks the statistics by attacker and by victim.
To display the top attack statistics, use the display attack-defense top-attack-statistics command.
Examples
# Enable the top attack statistics ranking feature.
<Sysname> system-view
[Sysname] attack-defense top-attack-statistics enable
Related commands
display attack-defense top-attack-statistics
client-verify dns enable (interface view)
Use client-verify dns enable to enable DNS client verification on an interface.
Use undo client-verify dns enable to disable DNS client verification on an interface.
Syntax
client-verify dns enable
undo client-verify dns enable
Default
DNS client verification is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Enable DNS client verification on the interface connected to the external network. This feature protects internal DNS servers against DNS flood attacks.
For the DNS client verification to collaborate with DNS flood attack prevention, specify client-verify as the DNS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a DNS flood attack. You can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification.
Examples
# Enable DNS client verification on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] client-verify dns enable
Related commands
client-verify dns protected ip
display client-verify dns protected ip
client-verify dns enable (security zone view)
Use client-verify dns enable to enable DNS client verification on a security zone.
Use undo client-verify dns enable to disable DNS client verification on a security zone.
Syntax
client-verify dns enable
undo client-verify dns enable
Default
DNS client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Enable DNS client verification on the security zone connected to the external network. This feature protects internal DNS servers against DNS flood attacks.
For the DNS client verification to collaborate with DNS flood attack prevention, specify client-verify as the DNS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a DNS flood attack. You can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification.
Examples
# Enable DNS client verification on the security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name dmz
[Sysname-security-zone-DMZ] client-verify dns enable
Related commands
client-verify dns protected ip
display client-verify dns protected ip
client-verify http enable (interface view)
Use client-verify http enable to enable HTTP client verification on an interface.
Use undo client-verify http enable to disable HTTP client verification on an interface.
Syntax
client-verify http enable
undo client-verify http enable
Default
HTTP client verification is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Enable HTTP client verification on the interface connected to the external network. This feature protects internal servers against HTTP flood attacks.
For the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTP flood attack. You can use the display client-verify http protected ip command to display the protected IP list for HTTP client verification.
Examples
# Enable HTTP client verification on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] client-verify http enable
Related commands
client-verify http protected ip
display client-verify http protected ip
client-verify http enable (security zone view)
Use client-verify http enable to enable HTTP client verification on a security zone.
Use undo client-verify http enable to disable HTTP client verification on a security zone.
Syntax
client-verify http enable
undo client-verify http enable
Default
HTTP client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Enable HTTP client verification on the security zone connected to the external network. This feature protects internal servers against HTTP flood attacks.
For the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTP flood attack. You can use the display client-verify http protected ip command to display the protected IP list for HTTP client verification.
Examples
# Enable HTTP client verification on the security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name dmz
[Sysname-security-zone-DMZ] client-verify http enable
Related commands
client-verify http protected ip
display client-verify http protected ip
client-verify protected ip
Use client-verify protected ip to specify an IPv4 address to be protected by the client verification feature.
Use undo client-verify protected ip to remove an IPv4 address protected by the client verification feature.
Syntax
client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]
undo client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]
Default
The client verification feature does not protect any IPv4 addresses.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification feature.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, DNS client verification protects port 53, HTTP client verification protects port 80, and TCP client verification protects all ports.
Usage guidelines
You can specify multiple protected IP addresses by using this command multiple times.
Examples
# Configure TCP client verification to protect IPv4 address 2.2.2.5 and port 25.
<Sysname> system-view
[Sysname] client-verify tcp protected ip 2.2.2.5 port 25
# Configure DNS client verification to protect IPv4 address 2.2.2.5 and port 50.
<Sysname> system-view
[Sysname] client-verify dns protected ip 2.2.2.5 port 50
Related commands
display client-verify protected ip
client-verify protected ipv6
Use client-verify protected ipv6 to specify an IPv6 address to be protected by the client verification feature.
Use undo client-verify protected ipv6 to remove an IPv6 address protected by the client verification feature.
Syntax
client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]
undo client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]
Default
The client verification feature does not protect any IPv6 addresses.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification feature.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, DNS client verification protects port 53, HTTP client verification protects port 80, and TCP client verification protects all ports.
Usage guidelines
You can specify multiple protected IPv6 addresses by using this command multiple times.
Examples
# Configure TCP client verification to protect IPv6 address 2013::12 and port 23.
<Sysname> system-view
[Sysname] client-verify tcp protected ipv6 2013::12 port 23
# Configure HTTP client verification to protect IPv6 address 2013::12.
<Sysname> system-view
[Sysname] client-verify http protected ipv6 2013::12
Related commands
display client-verify protected ipv6
client-verify tcp enable (interface view)
Use client-verify tcp enable to enable TCP client verification on an interface.
Use undo client-verify tcp enable to disable TCP client verification on an interface.
Syntax
client-verify tcp enable [ mode { syn-cookie | safe-reset } ]
undo client-verify tcp enable
Default
TCP client verification is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
mode: Specifies a working mode for TCP client verification. If you do not specify this keyword, the SYN cookie mode is used.
syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.
safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.
Usage guidelines
Enable TCP client verification on the interface connected to the external network to check incoming packets. This feature protects internal servers against TCP flood attacks, including SYN flood attacks, SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.
For TCP client verification to collaborate with TCP flood attack prevention, specify client-verify as the TCP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack. You can use the display client-verify tcp protected ip command to display the protected IP list for TCP client verification.
TCP client verification supports the following modes:
· Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
· SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose a TCP proxy mode according to the network scenarios.
· If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode.
· If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie.
Examples
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] client-verify tcp enable mode syn-cookie
Related commands
client-verify tcp protected ip
display client-verify tcp protected ip
client-verify tcp enable (security zone view)
Use client-verify tcp enable to enable TCP client verification on a security zone.
Use undo client-verify tcp enable to disable TCP client verification on a security zone.
Syntax
client-verify tcp enable [ mode { syn-cookie | safe-reset } ]
undo client-verify tcp enable
Default
TCP client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Parameters
mode: Specifies a working mode for TCP client verification. If you do not specify this keyword, the SYN cookie mode is used.
syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.
safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.
Usage guidelines
Enable TCP client verification on the security zone connected to the external network to check incoming packets. This feature protects internal servers against TCP flood attacks, including SYN flood attacks, SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.
For TCP client verification to collaborate with TCP flood attack prevention, specify client-verify as the TCP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack. You can use the display client-verify tcp protected ip command to display the protected IP list for TCP client verification.
TCP client verification supports the following modes:
· Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
· SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose a TCP proxy mode according to the network scenarios.
· If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode.
· If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie.
Examples
# Enable TCP client verification in safe reset mode on the security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name dmz
[Sysname-security-zone-DMZ] client-verify tcp enable mode safe-reset
Related commands
client-verify tcp protected ip
display client-verify tcp protected ip
display attack-defense flood statistics ip (for interfaces)
Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv4 flood attacks.
http-flood: Specifies HTTP flood attack.
icmp-flood: Specifies ICMP flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs (the keyword is vpn, as in the syntax above). The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. This option is available only when you specify the device or a global interface, such as a tunnel interface. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify an IRF member device, this command displays IPv4 flood attack detection and prevention statistics on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv4 addresses.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
If you specify neither the interface option nor the local keyword, this command displays IPv4 flood attack detection and prevention statistics for all interfaces and for the device.
Examples
# (In standalone mode.) Display all IPv4 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ip
Slot 0:
IP address VPN Detected on Detect type State PPS Dropped
192.168.100.221 a0123456789 GE1/1/2 SYN-ACK-FLOOD Normal 1000 4294967295
201.55.7.45 asd GE1/1/2 SYN-ACK-FLOOD Normal 1000 111111111
192.168.11.5 -- GE1/1/3 ACK-FLOOD Normal 1000 222222222
201.55.7.44 -- GE1/1/4 DNS-FLOOD Normal 1000 111111111
192.168.11.4 -- GE1/1/5 ACK-FLOOD Normal 1000 22222222
# (In IRF mode.) Display all IPv4 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ip
Slot 0 in chassis 1:
IP address VPN Detected on Detect type State PPS Dropped
192.168.100.221 a0123456789 GE1/1/1/2 SYN-ACK-FLOOD Normal 1000 4294967295
201.55.7.45 asd GE1/1/1/2 SYN-ACK-FLOOD Normal 1000 111111111
192.168.11.5 -- GE1/1/1/3 ACK-FLOOD Normal 1000 222222222
201.55.7.44 -- GE1/1/1/4 DNS-FLOOD Normal 1000 111111111
192.168.11.4 -- GE1/1/1/5 ACK-FLOOD Normal 1000 22222222
# (In standalone mode.) Display the number of IPv4 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ip count
Slot 0:
Totally 2 flood entries.
# (In IRF mode.) Display the number of IPv4 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ip count
Slot 0 in chassis 1:
Totally 2 flood entries.
Table 1 Command output
Field | Description |
---|---|
IP address | Protected IPv4 address. |
VPN | MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). |
Detected on | Where the attack is detected: on the device (Local) or on an interface. |
Detect type | Type of the detected flood attack. |
State | Whether the interface or device is under attack: Attacked or Normal. |
PPS | Number of packets sent to the IPv4 address per second. |
Dropped | Number of attack packets dropped by the interface or the device. |
Totally 2 flood entries | Total number of IPv4 addresses that are protected. |
display attack-defense flood statistics ip (for security zones)
Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv4 flood attacks.
http-flood: Specifies HTTP flood attack.
icmp-flood: Specifies ICMP flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs (the keyword is vpn, as in the syntax above). The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays IPv4 flood attack detection and prevention statistics on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv4 addresses.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples
# (In standalone mode.) Display all IPv4 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ip
Slot 0:
IP address VPN Detected on Detect type State PPS Dropped
192.168.100.221 a0123456789 Trust1 SYN-ACK-FLOOD Normal 1000 4294967295
201.55.7.45 asd Trust1 SYN-ACK-FLOOD Normal 1000 111111111
192.168.11.5 -- Trust2 ACK-FLOOD Normal 1000 222222222
201.55.7.44 -- Trust3 DNS-FLOOD Normal 1000 111111111
192.168.11.4 -- Trust4 ACK-FLOOD Normal 1000 22222222
# (In IRF mode.) Display all IPv4 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ip
Slot 0 in chassis 1:
IP address VPN Detected on Detect type State PPS Dropped
192.168.100.221 a012345678901234567890123456789 Trust1 SYN-ACK-FLOOD Normal 1000 4294967295
201.55.7.45 asd Trust1 SYN-ACK-FLOOD Normal 1000 111111111
192.168.11.5 -- Trust2 ACK-FLOOD Normal 1000 222222222
201.55.7.44 -- Trust3 DNS-FLOOD Normal 1000 111111111
192.168.11.4 -- Trust4 ACK-FLOOD Normal 1000 22222222
# (In standalone mode.) Display the number of IPv4 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ip count
Slot 0:
Totally 2 flood entries.
# (In IRF mode.) Display the number of IPv4 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ip count
Slot 0 in chassis 1:
Totally 2 flood entries.
Table 2 Command output
Field | Description |
---|---|
IP address | Protected IPv4 address. |
VPN | MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). |
Detected on | Security zone where the attack is detected. |
Detect type | Type of the detected flood attack. |
State | Whether the security zone is under attack: Attacked or Normal. |
PPS | Number of packets sent to the IPv4 address per second. |
Dropped | Number of attack packets dropped by the security zone. |
Totally 2 flood entries | Total number of IPv4 addresses that are protected. |
display attack-defense flood statistics ipv6 (for interfaces)
Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv6 flood attacks.
http-flood: Specifies HTTP flood attack.
icmpv6-flood: Specifies ICMPv6 flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs (the keyword is vpn, as in the syntax above). The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify an IRF member device, this command displays IPv6 flood attack detection and prevention statistics on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv6 addresses.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
If you specify neither the interface option nor the local keyword, this command displays IPv6 flood attack detection and prevention statistics for all interfaces and for the device.
Examples
# (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 0:
IPv6 address VPN Detected on Detect type State PPS Dropped
2000::1011 a0123456789 GE1/1/2 SYN-FLOOD Normal 0 4294967295
1::2 1222232 GE1/1/2 DNS-FLOOD Normal 1000 111111111
1::3 -- GE1/1/3 SYN-ACK-FLOOD Normal 1000 222222222
1::4 -- GE1/1/4 ACK-FLOOD Normal 1000 111111111
1::5 -- GE1/1/5 SYN-FLOOD Normal 1000 22222222
# (In IRF mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 0 in chassis 1:
IPv6 address VPN Detected on Detect type State PPS Dropped
2000::1011 a0123456789 GE1/1/1/2 SYN-FLOOD Normal 0 4294967295
1::2 1222232 GE1/1/1/2 DNS-FLOOD Normal 1000 111111111
1::3 -- GE1/1/1/3 SYN-ACK-FLOOD Normal 1000 222222222
1::4 -- GE1/1/1/4 ACK-FLOOD Normal 1000 111111111
1::5 -- GE1/1/1/5 SYN-FLOOD Normal 1000 22222222
# (In standalone mode.) Display the number of IPv6 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ipv6 count
Slot 0:
Totally 5 flood entries.
# (In IRF mode.) Display the number of IPv6 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ipv6 count
Slot 0 in chassis 1:
Totally 5 flood entries.
Table 3 Command output
Field | Description |
---|---|
IPv6 address | Protected IPv6 address. |
VPN | MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). |
Detected on | Where the attack is detected: on the device (Local) or on an interface. |
Detect type | Type of the detected flood attack. |
State | Whether the interface or device is under attack: Attacked or Normal. |
PPS | Number of packets sent to the IPv6 address per second. |
Dropped | Number of attack packets dropped by the interface or the device. |
Totally 5 flood entries | Total number of IPv6 addresses that are protected. |
display attack-defense flood statistics ipv6 (for security zones)
Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv6 flood attacks.
http-flood: Specifies HTTP flood attack.
icmpv6-flood: Specifies ICMPv6 flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs (the keyword is vpn, as in the syntax above). The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays IPv6 flood attack detection and prevention statistics on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv6 addresses.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples
# (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 0:
IPv6 address VPN Detected on Detect type State PPS Dropped
2000::1011 a0123456789 Trust1 SYN-FLOOD Normal 0 4294967295
1::2 1222232 Trust1 DNS-FLOOD Normal 1000 111111111
1::3 -- Trust2 SYN-ACK-FLOOD Normal 1000 222222222
1::4 -- Trust3 ACK-FLOOD Normal 1000 111111111
1::5 -- Trust4 SYN-FLOOD Normal 1000 22222222
# (In IRF mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 0 in chassis 1:
IPv6 address VPN Detected on Detect type State PPS Dropped
2000::1011 a0123456789 Trust1 SYN-FLOOD Normal 0 4294967295
1::2 1222232 Trust1 DNS-FLOOD Normal 1000 111111111
1::3 -- Trust2 SYN-ACK-FLOOD Normal 1000 222222222
1::4 -- Trust3 ACK-FLOOD Normal 1000 111111111
1::5 -- Trust4 SYN-FLOOD Normal 1000 22222222
# (In standalone mode.) Display the number of IPv6 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ipv6 count
Slot 0:
Totally 5 flood entries.
# (In IRF mode.) Display the number of IPv6 addresses that are protected against flood attacks.
<Sysname> display attack-defense flood statistics ipv6 count
Slot 0 in chassis 1:
Totally 5 flood entries.
Table 4 Command output
Field | Description |
---|---|
IPv6 address | Protected IPv6 address. |
VPN | MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). |
Detected on | Security zone where the attack is detected. |
Detect type | Type of the detected flood attack. |
State | Whether the security zone is under attack: Attacked or Normal. |
PPS | Number of packets sent to the IPv6 address per second. |
Dropped | Number of attack packets dropped by the security zone. |
Totally 5 flood entries | Total number of IPv6 addresses that are protected. |
display attack-defense policy
Use display attack-defense policy to display attack defense policy configuration.
Syntax
display attack-defense policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
Usage guidelines
This command output includes the following configuration information about an attack defense policy:
· Whether attack detection is enabled.
· Attack prevention actions.
· Attack prevention trigger thresholds.
Examples
# Display the configuration of the attack defense policy abc.
<Sysname> display attack-defense policy abc
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name : abc
Applied list : GE1/1/1
Vlan1
--------------------------------------------------------------------------
Exempt IPv4 ACL: : Not configured
Exempt IPv6 ACL: : vip
--------------------------------------------------------------------------
Actions: CV-Client verify BS-Block source L-Logging D-Drop N-None
Signature attack defense configuration:
Signature name Defense Level Actions
Fragment Enabled Info L
Impossible Enabled Info L
Teardrop Disabled Info L
Tiny fragment Disabled Info L
IP option abnormal Disabled Info L
Smurf Disabled Info N
Traceroute Disabled Medium L,D
Ping of death Disabled Low L
Large ICMP Disabled Medium L,D
Max length 4000 bytes
Large ICMPv6 Disabled Low L
Max length 4000 bytes
TCP invalid flags Disabled Medium L,D
TCP null flag Disabled Low L
TCP all flags Enabled Info L
TCP SYN-FIN flags Disabled Info L
TCP FIN only flag Enabled Info L
TCP Land Disabled Info L
Winnuke Disabled Info L
UDP Bomb Disabled Info L
UDP Snork Disabled Info L
UDP Fraggle Enabled Info L
IP option record route Disabled Info L
IP option internet timestamp Enabled Info L
IP option security Disabled Info L
IP option loose source routing Enabled Info L
IP option stream ID Disabled Info L
IP option strict source routing Disabled Info L
IP option route alert Disabled Info L
ICMP echo request Disabled Info L
ICMP echo reply Disabled Info L
ICMP source quench Disabled Info L
ICMP destination unreachable Enabled Info L
ICMP redirect Enabled Info L
ICMP time exceeded Enabled Info L
ICMP parameter problem Disabled Info L
ICMP timestamp request Disabled Info L
ICMP timestamp reply Disabled Info L
ICMP information request Disabled Info L
ICMP information reply Disabled Medium L,D
ICMP address mask request Disabled Medium L,D
ICMP address mask reply Disabled Medium L,D
ICMPv6 echo request Enabled Medium L,D
ICMPv6 echo reply Disabled Medium L,D
ICMPv6 group membership query Disabled Medium L,D
ICMPv6 group membership report Disabled Medium L,D
ICMPv6 group membership reduction Disabled Medium L,D
ICMPv6 destination unreachable Enabled Medium L,D
ICMPv6 time exceeded Enabled Medium L,D
ICMPv6 parameter problem Disabled Medium L,D
ICMPv6 packet too big Disabled Medium L,D
Scan attack defense configuration:
Defense: Disabled
Level: Medium
Actions: L
Flood attack defense configuration:
Flood type Global thres(pps) Global actions Service ports Non-specific
SYN flood 1000 - - Disabled
ACK flood 1000 - - Enabled
SYN-ACK flood 1000 - - Disabled
RST flood 200 - - Enabled
FIN flood 1000 L,D - Disabled
UDP flood 1000 - - Disabled
ICMP flood 1000 - - Disabled
ICMPv6 flood 1000 CV - Disabled
DNS flood 10000 - 30,61 to 62 Enabled
HTTP flood 10000 - 80,8080 Enabled
Flood attack defense for protected IP addresses:
Address VPN instance Flood type Thres(pps) Actions Ports
1::1 -- FIN-FLOOD 10 L,D -
192.168.1.1 A012345678901234567890123456789 SYN-ACK-FLOOD 10 - -
1::1 -- FIN-FLOOD - L -
2013:2013:2013:2013:2013:2013:2013:2013 A0123456789 DNS-FLOOD 100 L,CV 53
Table 5 Command output
Field | Description |
---|---|
Policy name | Name of the attack defense policy. |
Applied list | Interfaces and security zones to which the attack defense policy is applied. If the policy is applied to the device, this field displays Local. |
Exempt IPv4 ACL | IPv4 ACL used for attack detection exemption. |
Exempt IPv6 ACL | IPv6 ACL used for attack detection exemption. |
Actions | Legend for the action abbreviations used in the output: CV (client verification), BS (block source), L (logging), D (dropping packets), N (no action). |
Signature attack defense configuration | Configuration information about single-packet attack detection and prevention. |
Signature name | Type of the single-packet attack. |
Defense | Whether single-packet attack detection is enabled. |
Level | Level of the single-packet attack: info, low, medium, or high. Currently, no high-level single-packet attacks exist. |
Actions | Prevention actions against the single-packet attack: L (logging), D (dropping packets), N (no action). |
Scan attack defense configuration | Configuration information about scanning attack detection and prevention. |
Defense | Whether scanning attack detection is enabled. |
Level | Level of the scanning attack detection: low, medium, or high. |
Actions | Prevention actions against the scanning attack: D (dropping packets), L (logging). |
Flood attack defense configuration | Configuration information about flood attack detection and prevention. |
Flood type | Type of the flood attack: ACK flood, DNS flood, FIN flood, ICMP flood, ICMPv6 flood, SYN flood, SYN-ACK flood, UDP flood, RST flood, or HTTP flood. |
Global thres(pps) | Global threshold for triggering the flood attack prevention, in packets sent to an IP address per second. The default is 1000 pps. |
Global actions | Global prevention actions against the flood attack: D (dropping packets), L (logging), CV (client verification). A hyphen (-) means no action is configured. |
Service ports | Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). |
Non-specific | Whether the global flood attack detection is enabled. |
Flood attack defense for protected IP addresses | Configuration of the IP address-specific flood attack detection and prevention. |
Address | Protected IP address. |
VPN instance | MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field displays hyphens (--). |
Thres(pps) | Threshold for triggering the flood attack prevention, in packets sent to the IP address per second. If no threshold is specified, this field displays 1000. |
Actions | Prevention actions against the flood attack: CV (client verification), D (dropping packets), L (logging), N (no action). |
Ports | Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). |
# Display brief information about all attack defense policies.
<Sysname> display attack-defense policy
Attack-defense Policy Brief Information
------------------------------------------------------------
Policy Name Applied list
Atk-policy-1 GigabitEthernet1/1/1
GigabitEthernet1/1/2
GigabitEthernet1/1/3
P2 None
P123 GigabitEthernet1/1/2
Table 6 Command output
Field | Description |
---|---|
Policy name | Name of the attack defense policy. |
Applied list | Interfaces and security zones to which the attack defense policy is applied. If the policy is applied to the device, this field displays Local. If the policy is not applied anywhere, this field displays None. |
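The detailed output of display attack-defense policy shows, per flood type, both whether global detection is enabled (Non-specific) and which actions are configured (Global actions), and the example for policy abc contains several rows where the two do not line up. The following Python script is an added example written for this reference; it is not device software and not part of the command reference. It parses the flood rows and reports flood types that are detected but have no action configured, flood types that have an action but no detection, and TCP flood types whose action is CV, which per the client-verify tcp enable usage guidelines only take effect where TCP client verification is enabled. The sample text is constructed from the policy abc example above.

```python
"""Audit of the flood section of display attack-defense policy <name> output.

Added example for this reference, not device software. It parses the
"Flood attack defense configuration" rows and reports flood types whose
detection state and configured actions do not match.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample: the flood rows from the page's example for policy abc.
SAMPLE_POLICY = """\
Flood attack defense configuration:
Flood type      Global thres(pps)  Global actions  Service ports  Non-specific
SYN flood       1000               -               -              Disabled
ACK flood       1000               -               -              Enabled
SYN-ACK flood   1000               -               -              Disabled
RST flood       200                -               -              Enabled
FIN flood       1000               L,D             -              Disabled
UDP flood       1000               -               -              Disabled
ICMP flood      1000               -               -              Disabled
ICMPv6 flood    1000               CV              -              Disabled
DNS flood       10000              -               30,61 to 62    Enabled
HTTP flood      10000              -               80,8080        Enabled
Flood attack defense for protected IP addresses:
"""

# One row: "<type> flood  <threshold>  <actions>  <ports, may contain spaces>  <Enabled|Disabled>"
_FLOOD_ROW = re.compile(r"^(\S+ flood)\s+(\d+)\s+(\S+)\s+(.+?)\s+(Enabled|Disabled)$")

# Flood types that TCP client verification covers, per the client-verify tcp
# enable usage guidelines above.
TCP_FLOODS = frozenset({"SYN flood", "SYN-ACK flood", "RST flood", "FIN flood", "ACK flood"})


@dataclass
class FloodRule:
    flood_type: str
    threshold_pps: int
    actions: FrozenSet[str]   # subset of {"L", "D", "CV"}; empty when the output shows "-"
    ports: str                # "-" except for DNS and HTTP floods
    detection_enabled: bool   # the Non-specific column


def parse_flood_rules(text: str) -> List[FloodRule]:
    """Extract the per-flood-type rows; section titles and other lines are skipped."""
    rules: List[FloodRule] = []
    for raw in text.splitlines():
        m = _FLOOD_ROW.match(raw.strip())
        if not m:
            continue
        ftype, thres, acts, ports, state = m.groups()
        actions = frozenset() if acts == "-" else frozenset(acts.split(","))
        rules.append(FloodRule(ftype, int(thres), actions, ports, state == "Enabled"))
    return rules


def detect_only(rules: List[FloodRule]) -> List[str]:
    """Detection enabled but no global action: the flood is counted and nothing else."""
    return [r.flood_type for r in rules if r.detection_enabled and not r.actions]


def inert_actions(rules: List[FloodRule]) -> List[str]:
    """Actions configured while detection is disabled: the action can never fire."""
    return [r.flood_type for r in rules if r.actions and not r.detection_enabled]


def needs_tcp_client_verify(rules: List[FloodRule]) -> List[str]:
    """TCP floods with CV as the action; check client-verify tcp enable on the zone."""
    return [r.flood_type for r in rules if "CV" in r.actions and r.flood_type in TCP_FLOODS]


def audit(text: str) -> Dict[str, List[str]]:
    rules = parse_flood_rules(text)
    return {
        "detect_only": detect_only(rules),
        "inert_actions": inert_actions(rules),
        "needs_tcp_client_verify": needs_tcp_client_verify(rules),
    }


if __name__ == "__main__":
    for finding, types in audit(SAMPLE_POLICY).items():
        print(f"{finding}: {', '.join(types) or 'none'}")
```

On the policy abc example this reports ACK, RST, DNS, and HTTP flood as detect-only and FIN and ICMPv6 flood as having actions that cannot trigger. The per-IP rows under "Flood attack defense for protected IP addresses" are deliberately not parsed here because long VPN names and IPv6 addresses wrap across lines in that section.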
Related commands
attack-defense policy
display attack-defense policy ip
Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.
Syntax
In standalone mode:
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
In IRF mode:
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv4 flood attacks.
http-flood: Specifies HTTP flood attack.
icmp-flood: Specifies ICMP flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays information about all protected IPv4 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs (the keyword is vpn, as in the syntax above). The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv4 addresses protected by flood attack detection and prevention on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.
Examples
# (In standalone mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip
Slot 0:
IP address VPN instance Type Rate threshold(PPS) Dropped
123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000 4294967295
201.55.7.45 -- ICMP-FLOOD 100 10
192.168.11.5 -- DNS-FLOOD 23 100
# (In IRF mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip
Slot 0 in chassis 1:
IP address VPN instance Type Rate threshold(PPS) Dropped
123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000 4294967295
201.55.7.45 -- ICMP-FLOOD 100 10
192.168.11.5 -- DNS-FLOOD 23 100
# (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip count
Slot 0:
Totally 3 flood protected IP addresses.
# (In IRF mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip count
Slot 0 in chassis 1:
Totally 3 flood protected IP addresses.
Table 7 Command output
Field | Description |
---|---|
Totally 3 flood protected IP addresses | Total number of the IPv4 addresses protected by flood attack detection and prevention. |
IP address | Protected IPv4 address. |
VPN instance | MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). |
Type | Type of the flood attack. |
Rate threshold(PPS) | Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no rate threshold is set, this field displays 1000. |
Dropped | Number of dropped attack packets. If the prevention action is logging, this field displays 0. |
display attack-defense policy ipv6
Use display attack-defense policy ipv6 to display information about IPv6 addresses protected by flood attack detection and prevention.
Syntax
In standalone mode:
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
In IRF mode:
display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv6 flood attacks.
http-flood: Specifies HTTP flood attack.
icmpv6-flood: Specifies ICMPv6 flood attack.
rst-flood: Specifies RST flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv6 addresses protected by flood attack detection and prevention on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv6 addresses protected by flood attack detection and prevention.
Examples
# (In standalone mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6
Slot 0:
IPv6 address VPN instance Type Rate threshold(PPS) Dropped
2013::127f a012345678901234 SYN-ACK-FLOOD 1000 4294967295
2::5 -- ACK-FLOOD 100 10
1::5 -- ACK-FLOOD 100 23
# (In IRF mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Type Rate threshold(PPS) Dropped
2013::127f a012345678901234 SYN-ACK-FLOOD 1000 4294967295
2::5 -- ACK-FLOOD 100 10
1::5 -- ACK-FLOOD 100 23
# (In standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6 count
Slot 0:
Totally 3 flood protected IP addresses.
# (In IRF mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6 count
Slot 0 in chassis 1:
Totally 3 flood protected IP addresses.
Table 8 Command output
Field | Description |
---|---|
Totally 3 flood protected IP addresses | Total number of the IPv6 addresses protected by flood attack detection and prevention. |
IPv6 address | Protected IPv6 address. |
VPN instance | MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). |
Type | Type of the flood attack. |
Rate threshold(PPS) | Threshold for triggering the flood attack prevention, in units of packets sent to the IPv6 address per second. If no rate threshold is set, this field displays 1000. |
Dropped | Number of dropped attack packets. If the prevention action is logging, this field displays 0. |
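The per-address output of display attack-defense policy ip and display attack-defense policy ipv6 (Tables 7 and 8) is what an operator collects from the device to feed monitoring. As an added example that is not the vendor's code, the Python parser below handles the standalone and IRF slot headers and both the IPv4 and IPv6 forms; the sample outputs are constructed from the page's examples, the names parse_flood_protected, addresses_with_drops and COUNTER_MAX_32 are my own, and treating a Dropped value of 4294967295 as a saturated 32-bit counter is an assumption.

```python
"""Parser for the per-address output of display attack-defense policy ... flood ip / ipv6.

Added example, not vendor code. The sample outputs are constructed from the
page's examples; the function and class names are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header forms seen in the command output: "Slot 0:" (standalone mode) and
# "Slot 0 in chassis 1:" (IRF mode).
_SLOT_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")

# Value shown in Rate threshold(PPS) when no threshold is configured (Tables 7 and 8).
DEFAULT_RATE_THRESHOLD_PPS = 1000
# Largest value a 32-bit unsigned counter can hold. Assumption: a Dropped field
# at this value is treated as a saturated counter rather than an exact count.
COUNTER_MAX_32 = 2**32 - 1


@dataclass
class FloodProtectedAddress:
    slot: int
    chassis: Optional[int]       # None in standalone mode
    address: str                 # IPv4 or IPv6 address
    vpn_instance: Optional[str]  # None when the output shows "--" (public network)
    attack_type: str             # e.g. "SYN-ACK-FLOOD"
    rate_threshold_pps: int
    dropped: int

    @property
    def threshold_is_default(self) -> bool:
        return self.rate_threshold_pps == DEFAULT_RATE_THRESHOLD_PPS

    @property
    def counter_saturated(self) -> bool:
        return self.dropped == COUNTER_MAX_32


def parse_flood_protected(output: str) -> List[FloodProtectedAddress]:
    """Turn the command output into records, one per protected address."""
    records: List[FloodProtectedAddress] = []
    slot: Optional[int] = None
    chassis: Optional[int] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            chassis = int(m.group(2)) if m.group(2) else None
            continue
        if line.startswith(("IP address", "IPv6 address", "Totally")):
            continue  # column header row, or the 'count' form of the command
        fields = line.split()
        if len(fields) != 5 or slot is None:
            raise ValueError(f"unexpected line in command output: {raw!r}")
        address, vpn, attack_type, threshold, dropped = fields
        records.append(FloodProtectedAddress(
            slot=slot,
            chassis=chassis,
            address=address,
            vpn_instance=None if vpn == "--" else vpn,
            attack_type=attack_type,
            rate_threshold_pps=int(threshold),
            dropped=int(dropped),
        ))
    return records


def addresses_with_drops(records: List[FloodProtectedAddress]) -> List[str]:
    """Addresses whose Dropped counter is non-zero, i.e. prevention has fired.

    A zero does not mean the address is idle: per the field description, the
    counter stays 0 when the configured prevention action is logging only.
    """
    return sorted({r.address for r in records if r.dropped > 0})


# Constructed sample, standalone mode, from the page's IPv4 example.
SAMPLE_IPV4_STANDALONE = """\
Slot 0:
IP address       VPN instance      Type           Rate threshold(PPS)  Dropped
123.123.123.123  a012345678901234  SYN-ACK-FLOOD  1000                 4294967295
201.55.7.45      --                ICMP-FLOOD     100                  10
192.168.11.5     --                DNS-FLOOD      23                   100
"""

# Constructed sample, IRF mode, from the page's IPv6 example.
SAMPLE_IPV6_IRF = """\
Slot 0 in chassis 1:
IPv6 address  VPN instance      Type           Rate threshold(PPS)  Dropped
2013::127f    a012345678901234  SYN-ACK-FLOOD  1000                 4294967295
2::5          --                ACK-FLOOD      100                  10
1::5          --                ACK-FLOOD      100                  23
"""

if __name__ == "__main__":
    for rec in parse_flood_protected(SAMPLE_IPV4_STANDALONE):
        flag = " (counter saturated)" if rec.counter_saturated else ""
        print(f"{rec.address:16} {rec.attack_type:14} dropped={rec.dropped}{flag}")
```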
display attack-defense scan attacker ip (for interfaces)
Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.
Syntax
display attack-defense scan attacker ip [ interface interface-type interface-number | local ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
count: Displays the number of matching IPv4 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attackers.
Examples
# Display information about all IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip
Slot 0:
IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min)
192.168.31.2(--) -- TCP GE1/1/2 1284
2.2.2.3(--) -- UDP GE1/1/2 23
# Display the number of IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip count
Slot 0:
Totally 3 attackers.
Table 9 Command output
Field | Description |
---|---|
Totally 3 attackers | Total number of IPv4 scanning attackers. |
IP addr(DslitePeer) | The IP addr field displays the IPv4 address of the attacker. The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--). |
VPN instance | MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | Where the attack is detected, on the device (Local) or an interface. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan victim ip
scan detect
display attack-defense scan attacker ip (for security zones)
Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.
Syntax
In standalone mode:
display attack-defense scan attacker ip [ security-zone zone-name [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense scan attacker ip [ security-zone zone-name [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv4 scanning attackers on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv4 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attackers.
Examples
# (In standalone mode.) Display information about all IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip
Slot 0:
IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min)
192.168.31.2(--) -- TCP DMZ 1284
2.2.2.3(--) -- UDP DMZ 23
# (In IRF mode.) Display information about all IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip
Slot 0 in chassis 1:
IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min)
192.168.31.2(--) -- TCP DMZ 1284
2.2.2.3(--) -- UDP DMZ 23
# (In standalone mode.) Display the number of IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip count
Slot 0:
Totally 3 attackers.
# (In IRF mode.) Display the number of IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip count
Slot 0 in chassis 1:
Totally 3 attackers.
Table 10 Command output
Field | Description |
---|---|
Totally 3 attackers | Total number of IPv4 scanning attackers. |
IP addr(DslitePeer) | The IP addr field displays the IPv4 address of the attacker. The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--). |
VPN instance | MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | The security zone where the attack is detected. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan victim ip
scan detect
display attack-defense scan attacker ipv6 (for interfaces)
Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.
Syntax
display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
count: Displays the number of matching IPv6 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv6 scanning attackers.
Examples
# Display information about all IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6
Slot 0:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP GE1/1/4 1234
1230::22 -- UDP GE1/1/4 10
# Display the number of IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6 count
Slot 0:
Totally 3 attackers.
Table 11 Command output
Field | Description |
---|---|
Totally 3 attackers | Total number of IPv6 scanning attackers. |
IPv6 address | IPv6 address of the attacker. |
VPN instance | MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | Where the attack is detected, on the device (Local) or an interface. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan victim ipv6
scan detect
display attack-defense scan attacker ipv6 (for security zones)
Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.
Syntax
In standalone mode:
display attack-defense scan attacker ipv6 [ security-zone zone-name [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense scan attacker ipv6 [ security-zone zone-name [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv6 scanning attackers on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv6 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv6 scanning attackers.
Examples
# (In standalone mode.) Display information about all IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6
Slot 0:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP DMZ 1234
1230::22 -- UDP DMZ 10
# (In IRF mode.) Display information about all IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP DMZ 1234
1230::22 -- UDP DMZ 10
# (In standalone mode.) Display the number of IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6 count
Slot 0:
Totally 3 attackers.
# (In IRF mode.) Display the number of IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6 count
Slot 0 in chassis 1:
Totally 3 attackers.
Table 12 Command output
Field | Description |
---|---|
Totally 3 attackers | Total number of IPv6 scanning attackers. |
IPv6 address | IPv6 address of the attacker. |
VPN instance | MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | The security zone where the attack is detected. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan victim ipv6
scan detect
display attack-defense scan victim ip (for interfaces)
Use display attack-defense scan victim ip to display information about IPv4 scanning attack victims.
Syntax
display attack-defense scan victim ip [ interface interface-type interface-number | local ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
count: Displays the number of matching IPv4 scanning attack victims.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims.
Examples
# Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
Slot 0:
IP address VPN instance Protocol Detected on Duration(min)
192.168.31.2 -- TCP GE1/1/4 21
2.2.2.3 -- UDP GE1/1/4 1234
# Display the number of IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip count
Slot 0:
Totally 3 victim IP addresses.
Table 13 Command output
Field | Description |
---|---|
Totally 3 victim IP addresses | Total number of IPv4 scanning attack victims. |
IP address | IPv4 address of the victim. |
VPN instance | MPLS L3VPN instance to which the victim IPv4 address belongs. If the victim IPv4 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | Where the attack is detected, on the device (Local) or an interface. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan attacker ip
scan detect
display attack-defense scan victim ip (for security zones)
Use display attack-defense scan victim ip to display information about IPv4 scanning attack victims.
Syntax
In standalone mode:
display attack-defense scan victim ip [ security-zone zone-name [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense scan victim ip [ security-zone zone-name [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv4 scanning attack victims on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv4 scanning attack victims.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims.
Examples
# (In standalone mode.) Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
Slot 0:
IP address VPN instance Protocol Detected on Duration(min)
192.168.31.2 -- TCP DMZ 21
2.2.2.3 -- UDP DMZ 1234
# (In IRF mode.) Display information about all IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip
Slot 0 in chassis 1:
IP address VPN instance Protocol Detected on Duration(min)
192.168.31.2 -- TCP DMZ 21
2.2.2.3 -- UDP DMZ 1234
# (In standalone mode.) Display the number of IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip count
Slot 0:
Totally 3 victim IP addresses.
# (In IRF mode.) Display the number of IPv4 scanning attack victims.
<Sysname> display attack-defense scan victim ip count
Slot 0 in chassis 1:
Totally 3 victim IP addresses.
Table 14 Command output
Field | Description |
---|---|
Totally 3 victim IP addresses | Total number of IPv4 scanning attack victims. |
IP address | IPv4 address of the victim. |
VPN instance | MPLS L3VPN instance to which the victim IPv4 address belongs. If the victim IPv4 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | The security zone where the attack is detected. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan attacker ip
scan detect
display attack-defense scan victim ipv6 (for interfaces)
Use display attack-defense scan victim ipv6 to display information about IPv6 scanning attack victims.
Syntax
display attack-defense scan victim ipv6 [ interface interface-type interface-number | local ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
local: Specifies the device.
count: Displays the number of matching IPv6 scanning attack victims.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv6 scanning attack victims.
Examples
# Display information about all IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6
Slot 0:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP GE1/1/4 210
1230::22 -- UDP GE1/1/4 13
# Display the number of IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6 count
Slot 0:
Totally 3 victim IP addresses.
Table 15 Command output
Field | Description |
---|---|
Totally 3 victim IP addresses | Total number of IPv6 scanning attack victims. |
IPv6 address | IPv6 address of the victim. |
VPN instance | MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | Where the attack is detected, on the device (Local) or an interface. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan attacker ipv6
scan detect
display attack-defense scan victim ipv6 (for security zones)
Use display attack-defense scan victim ipv6 to display information about IPv6 scanning attack victims.
Syntax
In standalone mode:
display attack-defense scan victim ipv6 [ security-zone zone-name [ slot slot-number ] ] [ count ]
In IRF mode:
display attack-defense scan victim ipv6 [ security-zone zone-name [ chassis chassis-number slot slot-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays information about IPv6 scanning attack victims on all IRF member devices. (In IRF mode.)
count: Displays the number of matching IPv6 scanning attack victims.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv6 scanning attack victims.
Examples
# (In standalone mode.) Display information about all IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6
Slot 0:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP Untrust 210
1230::22 -- UDP Untrust 13
# (In IRF mode.) Display information about all IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP Untrust 210
1230::22 -- UDP Untrust 13
# (In standalone mode.) Display the number of IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6 count
Slot 0:
Totally 3 victim IP addresses.
# (In IRF mode.) Display the number of IPv6 scanning attack victims.
<Sysname> display attack-defense scan victim ipv6 count
Slot 0 in chassis 1:
Totally 3 victim IP addresses.
Table 16 Command output
Field | Description |
---|---|
Totally 3 victim IP addresses | Total number of IPv6 scanning attack victims. |
IPv6 address | IPv6 address of the victim. |
VPN instance | MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--). |
Protocol | Name of the protocol. |
Detected on | The security zone where the attack is detected. |
Duration(min) | The amount of time the attack lasts, in minutes. |
Related commands
display attack-defense scan attacker ipv6
scan detect
display attack-defense statistics interface
Use display attack-defense statistics interface to display attack detection and prevention statistics on an interface.
Syntax
display attack-defense statistics interface interface-type interface-number
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display attack detection and prevention statistics on interface GigabitEthernet 1/1/1.
<Sysname> display attack-defense statistics interface gigabitethernet 1/1/1
Attack policy name: abc
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
HTTP flood 1 0
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
Table 17 Command output
Field | Description |
---|---|
AttackType | Type of the attack. |
AttackTimes | Number of times that the attack occurred. This command output displays only attacks that are detected. |
Dropped | Number of dropped packets. |
display attack-defense statistics local
Use display attack-defense statistics local to display attack detection and prevention statistics for the device.
Syntax
In standalone mode:
display attack-defense statistics local [ slot slot-number ]
In IRF mode:
display attack-defense statistics local [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Omitting this option gives the same result as specifying slot 0. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays attack detection and prevention statistics for the device on all IRF member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display attack detection and prevention statistics for the device.
<Sysname> display attack-defense statistics local
Attack policy name: abc
Slot 0:
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
HTTP flood 1 0
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
# (In IRF mode.) Display attack detection and prevention statistics for the device.
<Sysname> display attack-defense statistics local
Attack policy name: abc
Slot 0 in chassis 1:
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
HTTP flood 1 0
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
Table 18 Command output
Field | Description |
---|---|
AttackType | Type of the attack. |
AttackTimes | Number of times that the attack occurred. This command output displays only attacks that are detected. |
Dropped | Number of dropped packets. |
Related commands
reset attack-defense statistics local
display attack-defense statistics security-zone
Use display attack-defense statistics security-zone to display attack detection and prevention statistics on a security zone.
Syntax
In standalone mode:
display attack-defense statistics security-zone zone-name [ slot slot-number ]
In IRF mode:
display attack-defense statistics security-zone zone-name [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays attack detection and prevention statistics for a security zone on all IRF member devices. (In IRF mode.)
Examples
# (In standalone mode.) Display attack detection and prevention statistics on the security zone Untrust for the card or member device in slot 0.
<Sysname> display attack-defense statistics security-zone untrust slot 0
Slot 0:
Attack policy name: abc
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
HTTP flood 1 0
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
# (In IRF mode.) Display attack detection and prevention statistics on the security zone Untrust for the card in slot 0 on member device 1.
<Sysname> display attack-defense statistics security-zone untrust chassis 1 slot 0
Slot 0 in chassis 1:
Attack policy name: abc
Scan attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
HTTP flood 1 0
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
Table 19 Command output
Field | Description |
---|---|
AttackType | Type of the attack. |
AttackTimes | Number of times that the attack occurred. This command output displays only attacks that are detected. |
Dropped | Number of dropped packets. |
display attack-defense top-attack-statistics
Use display attack-defense top-attack-statistics to display top ten attack statistics.
Syntax
display attack-defense top-attack-statistics { last-1-hour | last-24-hours | last-30-days } [ by-attacker | by-type | by-victim ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
last-1-hour: Specifies the most recent 1 hour.
last-24-hours: Specifies the most recent 24 hours.
last-30-days: Specifies the most recent 30 days.
by-attacker: Displays top ten attack statistics by attacker.
by-type: Displays all attack statistics by attack type.
by-victim: Displays top ten attack statistics by victim.
Usage guidelines
If you do not specify the by-attacker, by-type, or by-victim keyword, this command displays attack statistics by attacker, by victim, and by attack type.
Examples
# Display top ten attack statistics in the most recent 1 hour.
<Sysname> display attack-defense top-attack-statistics last-1-hour
Top attackers:
No. VPN instance Attacker IP Attacks
1 vpn1 200.200.200.55 21
2 vpn1 200.200.200.21 16
3 vpn2 200.200.200.133 12
4 vpn3 200.200.200.19 10
5 vpn2 200.200.200.4 8
6 vpn2 200.200.200.155 8
7 vpn3 200.200.200.93 5
8 vpn2 200.200.200.67 3
9 vpn2 200.200.200.70 1
10 vpn1 200.200.200.23 1
Top victims:
No. VPN instance Victim IP Attacks
1 vpn2 200.200.200.12 21
2 vpn2 200.200.200.32 16
3 vpn3 200.200.200.14 12
4 vpn2 200.200.200.251 12
5 vpn1 200.200.200.10 7
6 vpn1 200.200.200.77 6
7 vpn1 200.200.200.96 2
8 vpn1 200.200.200.22 2
9 vpn2 200.200.200.154 2
10 vpn3 200.200.200.18 1
Top attack types:
Attack type Attacks
Scan 155
Syn 155
Table 20 Command output
Field | Description |
---|---|
Top attackers | Top ten attack statistics by attacker. |
No. | Rank on the list. |
VPN instance | VPN instance to which the attacker or victim belongs. If the attacker or victim belongs to the public network, this field displays a hyphen (-). |
Attacks | Number of attack packets that have been dropped. |
Top victims | Top ten attack statistics by victim. |
Top attack types | Attack statistics by attack type. |
Related commands
attack-defense top-attack-statistics enable
display client-verify protected ip
Use display client-verify protected ip to display protected IPv4 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]
In IRF mode:
display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.
port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv4 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays protected IPv4 addresses for client verification on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv4 addresses.
Examples
# (In standalone mode.) Display the protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip
Slot 0:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 23 Dynamic 353452 555
201.55.7.45 -- 10 Manual 15000 222
123.123.123.123 VPN1 65535 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip
Slot 0 in chassis 1:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 23 Dynamic 353452 555
201.55.7.45 -- 10 Manual 15000 222
123.123.123.123 VPN1 65535 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip count
Slot 0:
Totally 3 protected IP addresses.
# (In IRF mode.) Display the number of protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip count
Slot 0 in chassis 1:
Totally 3 protected IP addresses.
# (In standalone mode.) Display the protected IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns protected ip
Slot 0:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 53 Dynamic 353452 555
201.55.7.45 -- 53 Manual 15000 222
123.123.123.123 VPN1 53 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns protected ip
Slot 0 in chassis 1:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 53 Dynamic 353452 555
201.55.7.45 -- 53 Manual 15000 222
123.123.123.123 VPN1 53 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns protected ip count
Slot 0:
Totally 3 protected IP addresses.
# (In IRF mode.) Display the number of protected IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns protected ip count
Slot 0 in chassis 1:
Totally 3 protected IP addresses.
# (In standalone mode.) Display the protected IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http protected ip
Slot 0:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 80 Dynamic 353452 555
201.55.7.45 -- 8080 Manual 15000 222
123.123.123.123 VPN1 80 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http protected ip
Slot 0 in chassis 1:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 80 Dynamic 353452 555
201.55.7.45 -- 8080 Manual 15000 222
123.123.123.123 VPN1 80 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http protected ip count
Slot 0:
Totally 3 protected IP addresses.
# (In IRF mode.) Display the number of protected IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http protected ip count
Slot 0 in chassis 1:
Totally 3 protected IP addresses.
Table 21 Command output
Field | Description |
---|---|
Totally 3 protected IP addresses | Total number of protected IPv4 addresses. |
IP address | Protected IPv4 address. |
VPN instance | MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). |
Port | Port protected by client verification. If TCP client verification protects all ports, this field displays any. |
Type | Type of the protected IPv4 address, Manual or Dynamic. |
Requested | Number of packets destined for the protected IPv4 address. |
Trusted | Number of packets that passed the client verification. |
Related commands
client-verify protected ip
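The Requested and Trusted counters in the output above are the operational signal that client verification is actually doing work for a protected server: a low Trusted-to-Requested ratio on a Dynamic entry means most of the traffic aimed at that address never completed verification, which is what a flood looks like from the proxy's side. The following parser is an added example, not code from the page or the vendor, that turns the text of display client-verify { dns | http | tcp } protected ip into records and flags entries worth a second look. The sample block is constructed for this example (modelled on the page's own IRF-mode output plus one extra row with an any port); the 5% ratio cut-off, the treatment of a Requested value of 4294967295 (the 32-bit maximum, as shown in the page's sample) as a saturated counter whose ratio should not be trusted, and the column layout being whitespace-separated are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 2**32 - 1. A Requested counter pegged at this value has saturated (assumption:
# the page does not state whether the device clamps or wraps the counter).
UINT32_MAX = 4294967295

# Constructed sample, modelled on the page's IRF-mode output for
# "display client-verify tcp protected ip" (not captured from a real device).
SAMPLE_OUTPUT = """\
Slot 0 in chassis 1:
IP address       VPN instance  Port   Type     Requested   Trusted
192.168.11.5     --            23     Dynamic  353452      555
201.55.7.45      --            10     Manual   15000       222
123.123.123.123  VPN1          65535  Dynamic  4294967295  15151
10.0.0.9         --            any    Manual   1000        1000
"""


@dataclass
class ProtectedEntry:
    slot: str
    ip: str
    vpn: Optional[str]        # None when the device prints "--" (public network)
    port: Optional[int]       # None when the device prints "any" (all ports)
    entry_type: str           # "Manual" or "Dynamic"
    requested: int
    trusted: int

    @property
    def counter_saturated(self) -> bool:
        return self.requested >= UINT32_MAX

    @property
    def pass_ratio(self) -> Optional[float]:
        """Share of requests that passed verification; None if not computable."""
        if self.requested == 0 or self.counter_saturated:
            return None
        return self.trusted / self.requested


SLOT_RE = re.compile(r"^Slot \d+(?: in chassis \d+)?:$")
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vpn>\S+)\s+(?P<port>\d+|any)\s+"
    r"(?P<type>Manual|Dynamic)\s+(?P<req>\d+)\s+(?P<trusted>\d+)$"
)


def parse_protected_ip(text: str) -> List[ProtectedEntry]:
    """Parse the output of display client-verify {dns|http|tcp} protected ip."""
    entries: List[ProtectedEntry] = []
    slot = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if SLOT_RE.match(line):
            slot = line.rstrip(":")          # remember which member/slot the rows belong to
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                         # column header, "Totally N ..." line, or blank
        entries.append(ProtectedEntry(
            slot=slot,
            ip=m["ip"],
            vpn=None if m["vpn"] == "--" else m["vpn"],
            port=None if m["port"] == "any" else int(m["port"]),
            entry_type=m["type"],
            requested=int(m["req"]),
            trusted=int(m["trusted"]),
        ))
    return entries


def suspicious_entries(entries: List[ProtectedEntry], min_ratio: float = 0.05) -> List[ProtectedEntry]:
    """Entries whose pass ratio is below min_ratio, or whose Requested counter
    has saturated so the ratio cannot be trusted (assumed cut-off for this example)."""
    flagged = []
    for e in entries:
        ratio = e.pass_ratio
        if e.counter_saturated or (ratio is not None and ratio < min_ratio):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(parse_protected_ip(SAMPLE_OUTPUT)):
        port = "any" if e.port is None else e.port
        why = "counter saturated" if e.counter_saturated else f"pass ratio {e.pass_ratio:.3%}"
        print(f"{e.slot}: {e.ip} port {port} ({e.entry_type}) - {why}")
```

Run it against captured output from several members to compare per-slot counters; in IRF mode each member reports its own Slot block, so the same protected address can legitimately appear once per member with different counters.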
display client-verify protected ipv6
Use display client-verify protected ipv6 to display protected IPv6 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]
In IRF mode:
display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv6 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays protected IPv6 addresses for client verification on all IRF member devices. (In IRF mode.)
count: Displays the number of matching protected IPv6 addresses.
Examples
# (In standalone mode.) Display the protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ipv6
Slot 0:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 100 Manual 14478 5501
1023::1123 vpn1 65535 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 100 Manual 14478 5501
1023::1123 vpn1 65535 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ipv6 count
Slot 0:
Totally 3 protected IPv6 addresses.
# (In IRF mode.) Display the number of protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ipv6 count
Slot 0 in chassis 1:
Totally 3 protected IPv6 addresses.
# (In standalone mode.) Display the protected IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns protected ipv6
Slot 0:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 53 Manual 14478 5501
1023::1123 vpn1 53 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns protected ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 53 Manual 14478 5501
1023::1123 vpn1 53 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns protected ipv6 count
Slot 0:
Totally 3 protected IPv6 addresses.
# (In IRF mode.) Display the number of protected IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns protected ipv6 count
Slot 0 in chassis 1:
Totally 3 protected IPv6 addresses.
# (In standalone mode.) Display the protected IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http protected ipv6
Slot 0:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 8080 Manual 14478 5501
1023::1123 vpn1 80 Dynamic 4294967295 15151
# (In IRF mode.) Display the protected IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http protected ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 8080 Manual 14478 5501
1023::1123 vpn1 80 Dynamic 4294967295 15151
# (In standalone mode.) Display the number of protected IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http protected ipv6 count
Slot 0:
Totally 3 protected IPv6 addresses.
# (In IRF mode.) Display the number of protected IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http protected ipv6 count
Slot 0 in chassis 1:
Totally 3 protected IPv6 addresses.
Table 22 Command output
Field | Description |
---|---|
Totally 3 protected IPv6 addresses | Total number of protected IPv6 addresses. |
IPv6 address | Protected IPv6 address. |
VPN instance | MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). |
Port | Port protected by client verification. If TCP client verification protects all ports, this field displays any. |
Type | Type of the protected IPv6 address, Manual or Dynamic. |
Requested | Number of packets destined for the protected IPv6 address. |
Trusted | Number of packets that passed the client verification. |
Related commands
client-verify protected ipv6
display client-verify trusted ip
Use display client-verify trusted ip to display trusted IPv4 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | http | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
In IRF mode:
display client-verify { dns | http | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv4 address is on the public network.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays trusted IPv4 addresses for client verification on all IRF member devices. (In IRF mode.)
count: Displays the number of matching trusted IPv4 addresses.
Examples
# (In standalone mode.) Display the trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In IRF mode.) Display the trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip
Slot 0 in chassis 1:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In standalone mode.) Display the number of trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip count
Slot 0:
Totally 3 trusted IP addresses.
# (In IRF mode.) Display the number of trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip count
Slot 0 in chassis 1:
Totally 3 trusted IP addresses.
# (In standalone mode.) Display the trusted IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In IRF mode.) Display the trusted IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ip
Slot 0 in chassis 1:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In standalone mode.) Display the number of trusted IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ip count
Slot 0:
Totally 3 trusted IP addresses.
# (In IRF mode.) Display the number of trusted IPv4 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ip count
Slot 0 in chassis 1:
Totally 3 trusted IP addresses.
# (In standalone mode.) Display the trusted IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ip
Slot 0:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In IRF mode.) Display the trusted IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ip
Slot 0 in chassis 1:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 vpn1 -- 3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234 3550
# (In standalone mode.) Display the number of trusted IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ip count
Slot 0:
Totally 3 trusted IP addresses.
# (In IRF mode.) Display the number of trusted IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ip count
Slot 0 in chassis 1:
Totally 3 trusted IP addresses.
Table 23 Command output
Field | Description |
---|---|
Totally 3 trusted IP addresses | Total number of trusted IPv4 addresses. |
IP address | Trusted IPv4 address. |
VPN instance | MPLS L3VPN instance to which the trusted IPv4 address belongs. If the trusted IPv4 address is on the public network, this field displays hyphens (--). |
DS-Lite tunnel peer | IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes. In other situations, this field displays hyphens (--). |
TTL(sec) | Remaining aging time of the trusted IPv4 address, in seconds. If no aging time is set, this field displays Never. |
display client-verify trusted ipv6
Use display client-verify trusted ipv6 to display trusted IPv6 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
In IRF mode:
display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.
vpn vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv6 address is on the public network.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays trusted IPv6 addresses for client verification on all IRF member devices. (In IRF mode.)
count: Displays the number of matching trusted IPv6 addresses.
Examples
# (In standalone mode.) Display the trusted IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ipv6
Slot 0:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In IRF mode.) Display the trusted IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In standalone mode.) Display the number of trusted IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ipv6 count
Slot 0:
Totally 3 trusted IPv6 addresses.
# (In IRF mode.) Display the number of trusted IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ipv6 count
Slot 0 in chassis 1:
Totally 3 trusted IPv6 addresses.
# (In standalone mode.) Display the trusted IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ipv6
Slot 0:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In IRF mode.) Display the trusted IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In standalone mode.) Display the number of trusted IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ipv6 count
Slot 0:
Totally 3 trusted IPv6 addresses.
# (In IRF mode.) Display the number of trusted IPv6 addresses for HTTP client verification.
<Sysname> display client-verify http trusted ipv6 count
Slot 0 in chassis 1:
Totally 3 trusted IPv6 addresses.
# (In standalone mode.) Display the trusted IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ipv6
Slot 0:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In IRF mode.) Display the trusted IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ipv6
Slot 0 in chassis 1:
IPv6 address VPN instance TTL(sec)
1::3 vpn1 1643
1234::1234 a012345678901234 1234
# (In standalone mode.) Display the number of trusted IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ipv6 count
Slot 0:
Totally 3 trusted IPv6 addresses.
# (In IRF mode.) Display the number of trusted IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp trusted ipv6 count
Slot 0 in chassis 1:
Totally 3 trusted IPv6 addresses.
Table 24 Command output
Field | Description |
---|---|
Totally 3 trusted IPv6 addresses | Total number of trusted IPv6 addresses. |
IPv6 address | Trusted IPv6 address. |
VPN instance | MPLS L3VPN instance to which the trusted IPv6 address belongs. If the trusted IPv6 address is on the public network, this field displays hyphens (--). |
TTL(sec) | Remaining aging time of the trusted IPv6 address, in seconds. If no aging time is set, this field displays Never. |
dns-flood action
Use dns-flood action to specify global actions against DNS flood attacks.
Use undo dns-flood action to restore the default.
Syntax
dns-flood action { client-verify | drop | logging } *
undo dns-flood action
Default
No global action is specified for DNS flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent DNS packets destined for the victim IP addresses.
logging: Enables logging for DNS flood attack events.
Usage guidelines
For the DNS flood attack detection to collaborate with the DNS client verification, make sure the client-verify keyword is specified and the DNS client verification is enabled. To enable DNS client verification, use the client-verify dns enable command.
Examples
# Specify drop as the global action against DNS flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop
Related commands
dns-flood detect
dns-flood detect non-specific
dns-flood threshold
client-verify dns enable
dns-flood detect
Use dns-flood detect to configure IP address-specific DNS flood attack detection.
Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration.
Syntax
dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific DNS flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the threshold for triggering DNS flood attack prevention. The value range is 1 to 1000000 in units of DNS packets sent to the specified IP address per second.
action: Specifies the actions when a DNS flood attack is detected. If no action is specified, the global actions set by the dns-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent DNS packets destined for the protected IP address.
logging: Enables logging for DNS flood attack events.
none: Takes no action.
Usage guidelines
You can configure DNS flood attack detection for multiple IP addresses in one attack defense policy.
With DNS flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of DNS packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure DNS flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000
Related commands
dns-flood action
dns-flood detect non-specific
dns-flood threshold
dns-flood port
dns-flood detect non-specific
Use dns-flood detect non-specific to enable global DNS flood attack detection.
Use undo dns-flood detect non-specific to disable global DNS flood attack detection.
Syntax
dns-flood detect non-specific
undo dns-flood detect non-specific
Default
Global DNS flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global DNS flood attack detection applies to all IP addresses except for those specified by the dns-flood detect command. The global detection uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command.
Examples
# Enable global DNS flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific
Related commands
dns-flood action
dns-flood detect
dns-flood threshold
dns-flood port
Use dns-flood port to specify the global ports to be protected against DNS flood attacks.
Use undo dns-flood port to restore the default.
Syntax
dns-flood port port-list
undo dns-flood port
Default
The global DNS flood attack prevention protects port 53.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only DNS packets destined for the specified ports.
The global ports apply to global DNS flood attack detection and IP address-specific DNS flood attack detection with no port specified.
Examples
# Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood port 53 61000
Related commands
dns-flood action
dns-flood detect
dns-flood detect non-specific
dns-flood threshold
Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention.
Use undo dns-flood threshold to restore the default.
Syntax
dns-flood threshold threshold-value
undo dns-flood threshold
Default
The global threshold is 1000 for triggering DNS flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of DNS packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global DNS flood attack detection configured, the device is in attack detection state. When the sending rate of DNS packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering DNS flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100
Related commands
dns-flood action
dns-flood detect
dns-flood detect non-specific
exempt acl
Use exempt acl to configure attack detection exemption.
Use undo exempt acl to restore the default.
Syntax
exempt acl [ ipv6 ] { acl-number | name acl-name }
undo exempt acl [ ipv6 ]
Default
Attack detection exemption is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.
acl-number: Specifies an ACL by its number:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all.
Usage guidelines
The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The exemption feature reduces the false alarm rate and improves packet processing efficiency.
If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:
· Source IP address.
· Destination IP address.
· Source port.
· Destination port.
· Protocol.
· L3VPN instance.
· fragment keyword for matching non-first fragments.
If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
Examples
# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for packets matching the ACL in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] exempt acl 2001
Related commands
attack-defense policy
fin-flood action
Use fin-flood action to specify global actions against FIN flood attacks.
Use undo fin-flood action to restore the default.
Syntax
fin-flood action { client-verify | drop | logging } *
undo fin-flood action
Default
No global action is specified for FIN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent FIN packets destined for the victim IP addresses.
logging: Enables logging for FIN flood attack events.
Usage guidelines
For the FIN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against FIN flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop
Related commands
client-verify tcp enable
fin-flood detect
fin-flood detect non-specific
fin-flood threshold
fin-flood detect
Use fin-flood detect to configure IP address-specific FIN flood attack detection.
Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration.
Syntax
fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific FIN flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to the specified IP address per second.
action: Specifies the actions when a FIN flood attack is detected. If no action is specified, the global actions set by the fin-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent FIN packets destined for the protected IP address.
logging: Enables logging for FIN flood attack events.
none: Takes no action.
Usage guidelines
You can configure FIN flood attack detection for multiple IP addresses in one attack defense policy.
With FIN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of FIN packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure FIN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000
Related commands
fin-flood action
fin-flood detect non-specific
fin-flood threshold
fin-flood detect non-specific
Use fin-flood detect non-specific to enable global FIN flood attack detection.
Use undo fin-flood detect non-specific to disable global FIN flood attack detection.
Syntax
fin-flood detect non-specific
undo fin-flood detect non-specific
Default
Global FIN flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global FIN flood attack detection applies to all IP addresses except for those specified by the fin-flood detect command. The global detection uses the global trigger threshold set by the fin-flood threshold command and global actions specified by the fin-flood action command.
Examples
# Enable global FIN flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific
Related commands
fin-flood action
fin-flood detect
fin-flood threshold
fin-flood threshold
Use fin-flood threshold to set the global threshold for triggering FIN flood attack prevention.
Use undo fin-flood threshold to restore the default.
Syntax
fin-flood threshold threshold-value
undo fin-flood threshold
Default
The global threshold is 1000 for triggering FIN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global FIN flood attack detection. Adjust the threshold according to the application scenarios. If the number of FIN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global FIN flood attack detection configured, the device is in attack detection state. When the sending rate of FIN packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering FIN flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood threshold 100
Related commands
fin-flood action
fin-flood detect
fin-flood detect non-specific
http-flood action
Use http-flood action to specify global actions against HTTP flood attacks.
Use undo http-flood action to restore the default.
Syntax
http-flood action { client-verify | drop | logging } *
undo http-flood action
Default
No global action is specified for HTTP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent HTTP packets destined for the victim IP addresses.
logging: Enables logging for HTTP flood attack events.
Usage guidelines
For the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command.
Examples
# Specify drop as the global action against HTTP flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop
Related commands
client-verify http enable
http-flood detect
http-flood detect non-specific
http-flood threshold
http-flood detect
Use http-flood detect to configure IP address-specific HTTP flood attack detection.
Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.
Syntax
http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific HTTP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second.
action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent HTTP packets destined for the protected IP address.
logging: Enables logging for HTTP flood attack events.
none: Takes no action.
Usage guidelines
You can configure HTTP flood attack detection for multiple IP addresses in one attack defense policy.
With HTTP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of HTTP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure HTTP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip 192.168.1.2 port 80 8080 threshold 2000
Related commands
http-flood action
http-flood detect non-specific
http-flood threshold
http-flood port
http-flood detect non-specific
Use http-flood detect non-specific to enable global HTTP flood attack detection.
Use undo http-flood detect non-specific to disable global HTTP flood attack detection.
Syntax
http-flood detect non-specific
undo http-flood detect non-specific
Default
Global HTTP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.
Examples
# Enable global HTTP flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood detect non-specific
Related commands
http-flood action
http-flood detect
http-flood threshold
http-flood port
Use http-flood port to specify the global ports to be protected against HTTP flood attacks.
Use undo http-flood port to restore the default.
Syntax
http-flood port port-list
undo http-flood port
Default
The global HTTP flood attack prevention protects port 80.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only HTTP packets destined for the specified ports.
The global ports apply to global HTTP flood attack detection and IP address-specific HTTP flood attack detection with no port specified.
Examples
# Specify the ports 80 and 8080 as the global ports to be protected against HTTP flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080
Related commands
http-flood action
http-flood detect
http-flood detect non-specific
http-flood threshold
Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention.
Use undo http-flood threshold to restore the default.
Syntax
http-flood threshold threshold-value
undo http-flood threshold
Default
The global threshold is 1000 for triggering HTTP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of HTTP packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global HTTP flood attack detection. Adjust the threshold according to the application scenarios. If the number of HTTP packets sent to a protected HTTP server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global HTTP flood attack detection configured, the device is in attack detection state. When the sending rate of HTTP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering HTTP flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood threshold 100
Related commands
http-flood action
http-flood detect
http-flood detect non-specific
icmp-flood action
Use icmp-flood action to specify global actions against ICMP flood attacks.
Use undo icmp-flood action to restore the default.
Syntax
icmp-flood action { drop | logging } *
undo icmp-flood action
Default
No global action is specified for ICMP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
drop: Drops subsequent ICMP packets destined for the victim IP addresses.
logging: Enables logging for ICMP flood attack events.
Examples
# Specify drop as the global action against ICMP flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood action drop
Related commands
icmp-flood detect non-specific
icmp-flood detect ip
icmp-flood threshold
icmp-flood detect ip
Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection.
Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration.
Syntax
icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]
Default
IP address-specific ICMP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering ICMP flood attack prevention. The value range is 1 to 1000000 in units of ICMP packets sent to the specified IP address per second.
action: Specifies the actions when an ICMP flood attack is detected. If no action is specified, the global actions set by the icmp-flood action command apply.
drop: Drops subsequent ICMP packets destined for the protected IP address.
logging: Enables logging for ICMP flood attack events.
none: Takes no action.
Usage guidelines
You can configure ICMP flood attack detection for multiple IP addresses in one attack defense policy.
With ICMP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ICMP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure ICMP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect ip 192.168.1.2 threshold 2000
Related commands
icmp-flood action
icmp-flood detect non-specific
icmp-flood threshold
icmp-flood detect non-specific
Use icmp-flood detect non-specific to enable global ICMP flood attack detection.
Use undo icmp-flood detect non-specific to disable global ICMP flood attack detection.
Syntax
icmp-flood detect non-specific
undo icmp-flood detect non-specific
Default
Global ICMP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.
Examples
# Enable global ICMP flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect non-specific
Related commands
icmp-flood action
icmp-flood detect ip
icmp-flood threshold
icmp-flood threshold
Use icmp-flood threshold to set the global threshold for triggering ICMP flood attack prevention.
Use undo icmp-flood threshold to restore the default.
Syntax
icmp-flood threshold threshold-value
undo icmp-flood threshold
Default
The global threshold is 1000 for triggering ICMP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMP packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global ICMP flood attack detection configured, the device is in attack detection state. When the sending rate of ICMP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering ICMP flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100
Related commands
icmp-flood action
icmp-flood detect ip
icmp-flood detect non-specific
icmpv6-flood action
Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks.
Use undo icmpv6-flood action to restore the default.
Syntax
icmpv6-flood action { drop | logging } *
undo icmpv6-flood action
Default
No global action is specified for ICMPv6 flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
drop: Drops subsequent ICMPv6 packets destined for the victim IP addresses.
logging: Enables logging for ICMPv6 flood attack events.
Examples
# Specify drop as the global action against ICMPv6 flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop
Related commands
icmpv6-flood detect ipv6
icmpv6-flood detect non-specific
icmpv6-flood threshold
icmpv6-flood detect ipv6
Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection.
Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.
Syntax
icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ]
Default
IPv6 address-specific ICMPv6 flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
threshold threshold-value: Specifies the threshold for triggering ICMPv6 flood attack prevention. The value range is 1 to 1000000 in units of ICMPv6 packets sent to the specified IPv6 address per second.
action: Specifies the actions when an ICMPv6 flood attack is detected. If no action is specified, the global actions set by the icmpv6-flood action command apply.
drop: Drops subsequent ICMPv6 packets destined for the protected IPv6 address.
logging: Enables logging for ICMPv6 flood attack events.
none: Takes no action.
Usage guidelines
You can configure ICMPv6 flood attack detection for multiple IPv6 addresses in one attack defense policy.
With ICMPv6 flood attack detection configured for an IPv6 address, the device is in attack detection state. When the sending rate of ICMPv6 packets to the IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure ICMPv6 flood attack detection for 2012::12 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000
Related commands
icmpv6-flood action
icmpv6-flood detect non-specific
icmpv6-flood threshold
icmpv6-flood detect non-specific
Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection.
Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection.
Syntax
icmpv6-flood detect non-specific
undo icmpv6-flood detect non-specific
Default
Global ICMPv6 flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global detection uses the global trigger threshold set by the icmpv6-flood threshold command and global actions specified by the icmpv6-flood action command.
Examples
# Enable global ICMPv6 flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect non-specific
Related commands
icmpv6-flood action
icmpv6-flood detect ipv6
icmpv6-flood threshold
icmpv6-flood threshold
Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention.
Use undo icmpv6-flood threshold to restore the default.
Syntax
icmpv6-flood threshold threshold-value
undo icmpv6-flood threshold
Default
The global threshold is 1000 for triggering ICMPv6 flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global ICMPv6 flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMPv6 packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the sending rate of ICMPv6 packets to an IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering ICMPv6 flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood threshold 100
Related commands
icmpv6-flood action
icmpv6-flood detect ipv6
icmpv6-flood detect non-specific
reset attack-defense policy flood
Use reset attack-defense policy flood statistics to clear flood attack detection and prevention statistics for protected IP addresses.
Syntax
reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ip: Specifies protected IPv4 addresses.
ipv6: Specifies protected IPv6 addresses.
statistics: Clears flood attack detection and prevention statistics.
Examples
# Clear flood attack detection and prevention statistics for protected IPv4 addresses in the attack defense policy abc.
<Sysname> reset attack-defense policy abc flood protected ip statistics
# Clear flood attack detection and prevention statistics for protected IPv6 addresses in the attack defense policy abc.
<Sysname> reset attack-defense policy abc flood protected ipv6 statistics
Related commands
display attack-defense policy ip
display attack-defense policy ipv6
reset attack-defense statistics interface
Use reset attack-defense statistics interface to clear attack detection and prevention statistics for an interface.
Syntax
reset attack-defense statistics interface interface-type interface-number
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Examples
# Clear attack detection and prevention statistics for interface GigabitEthernet 1/1/1.
<Sysname> reset attack-defense statistics interface gigabitethernet 1/1/1
Related commands
display attack-defense policy
reset attack-defense statistics local
Use reset attack-defense statistics local to clear attack detection and prevention statistics for the device.
Syntax
reset attack-defense statistics local
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear attack detection and prevention statistics for the device.
<Sysname> reset attack-defense statistics local
Related commands
display attack-defense statistics local
reset attack-defense statistics security-zone
Use reset attack-defense statistics security-zone to clear attack detection and prevention statistics for a security zone.
Syntax
reset attack-defense statistics security-zone zone-name
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
Examples
# Clear attack detection and prevention statistics for the security zone DMZ.
<Sysname> reset attack-defense statistics security-zone dmz
Related commands
display attack-defense policy
reset attack-defense top-attack-statistics
Use reset attack-defense top-attack-statistics to clear top 10 attack statistics.
Syntax
reset attack-defense top-attack-statistics
Views
User view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Clear top 10 attack statistics.
<Sysname> reset attack-defense top-attack-statistics
Related commands
attack-defense top-attack-statistics enable
display attack-defense top-attack-statistics
reset client-verify protected statistics
Use reset client-verify protected statistics to clear protected IP statistics for client verification.
Syntax
reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ip: Specifies the protected IPv4 list.
ipv6: Specifies the protected IPv6 list.
Examples
# Clear the protected IPv4 statistics for TCP client verification.
<Sysname> reset client-verify tcp protected ip statistics
Related commands
display client-verify protected ip
display client-verify protected ipv6
reset client-verify trusted
Use reset client-verify trusted to clear the trusted IP list for client verification.
Syntax
reset client-verify { dns | http | tcp } trusted { ip | ipv6 }
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
dns: Specifies the DNS client verification feature.
http: Specifies the HTTP client verification feature.
tcp: Specifies the TCP client verification feature.
ip: Specifies the trusted IPv4 list.
ipv6: Specifies the trusted IPv6 list.
Examples
# Clear the trusted IPv4 list for DNS client verification.
<Sysname> reset client-verify dns trusted ip
Related commands
display client-verify trusted ip
display client-verify trusted ipv6
rst-flood action
Use rst-flood action to specify global actions against RST flood attacks.
Use undo rst-flood action to restore the default.
Syntax
rst-flood action { client-verify | drop | logging } *
undo rst-flood action
Default
No global action is specified for RST flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent RST packets destined for the victim IP addresses.
logging: Enables logging for RST flood attack events.
Usage guidelines
For the RST flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against RST flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop
Related commands
client-verify tcp enable
rst-flood detect
rst-flood detect non-specific
rst-flood threshold
rst-flood detect
Use rst-flood detect to configure IP address-specific RST flood attack detection.
Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.
Syntax
rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific RST flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering RST flood attack prevention. The value range is 1 to 1000000 in units of RST packets sent to the specified IP address per second.
action: Specifies the actions when an RST flood attack is detected. If no action is specified, the global actions set by the rst-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent RST packets destined for the protected IP address.
logging: Enables logging for RST flood attack events.
none: Takes no action.
Usage guidelines
You can configure RST flood attack detection for multiple IP addresses in one attack defense policy.
With RST flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of RST packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure RST flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000
Related commands
rst-flood action
rst-flood detect non-specific
rst-flood threshold
rst-flood detect non-specific
Use rst-flood detect non-specific to enable global RST flood attack detection.
Use undo rst-flood detect non-specific to disable global RST flood attack detection.
Syntax
rst-flood detect non-specific
undo rst-flood detect non-specific
Default
Global RST flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold command and global actions specified by the rst-flood action command.
Examples
# Enable global RST flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect non-specific
Related commands
rst-flood action
rst-flood detect
rst-flood threshold
rst-flood threshold
Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.
Use undo rst-flood threshold to restore the default.
Syntax
rst-flood threshold threshold-value
undo rst-flood threshold
Default
The global threshold is 1000 for triggering RST flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global RST flood attack detection. Adjust the threshold according to the application scenarios. If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global RST flood attack detection configured, the device is in attack detection state. When the sending rate of RST packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering RST flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100
Related commands
rst-flood action
rst-flood detect
rst-flood detect non-specific
scan detect
Use scan detect to configure scanning attack detection.
Use undo scan detect to remove the scanning attack detection configuration.
Syntax
scan detect level { high | low | medium } action { drop | logging } *
undo scan detect level { high | low | medium }
Default
No scanning attack detection is configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
level: Specifies the level of the scanning attack detection.
low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. Statistics are collected every 60 seconds for the low level detection.
high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered as attack packets. Statistics are collected every 600 seconds for the high level detection.
medium: Specifies the medium level. Compared with the high and low levels, this level has medium false alarm rate and attack detection accuracy. Statistics are collected every 90 seconds for the medium level detection.
action: Specifies the actions against scanning attacks.
drop: Drops subsequent packets from detected scanning attack sources.
logging: Enables logging for scanning attack events.
Examples
# Configure low level scanning attack detection and specify the prevention action as drop in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop
signature { large-icmp | large-icmpv6 } max-length
Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.
Syntax
signature { large-icmp | large-icmpv6 } max-length length
undo signature { large-icmp | large-icmpv6 } max-length
Default
The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
large-icmp: Specifies the large ICMP packet attack signature.
large-icmpv6: Specifies the large ICMPv6 packet attack signature.
length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is 48 to 65534.
Examples
# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000
Related commands
signature detect
signature detect
Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.
Use undo signature detect to disable signature detection for single-packet attacks.
Syntax
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }
signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *
undo signature detect { ip-option-abnormal | ping-of-death | teardrop }
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]
undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }
signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]
undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }
signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header ext-header-value
Default
Signature detection is disabled for all single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
fraggle: Specifies the fraggle attack.
fragment: Specifies the IP fragment attack.
icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:
· icmp-type-value: Specifies the ICMP packet type in the range of 0 to 255.
· address-mask-reply: Specifies the ICMP address mask reply type.
· address-mask-request: Specifies the ICMP address mask request type.
· destination-unreachable: Specifies the ICMP destination unreachable type.
· echo-reply: Specifies the ICMP echo reply type.
· echo-request: Specifies the ICMP echo request type.
· information-reply: Specifies the ICMP information reply type.
· information-request: Specifies the ICMP information request type.
· parameter-problem: Specifies the ICMP parameter problem type.
· redirect: Specifies the ICMP redirect type.
· source-quench: Specifies the ICMP source quench type.
· time-exceeded: Specifies the ICMP time exceeded type.
· timestamp-reply: Specifies the ICMP timestamp reply type.
· timestamp-request: Specifies the ICMP timestamp request type.
icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword.
· icmpv6-type-value: Specifies the ICMPv6 packet type in the range of 0 to 255.
· destination-unreachable: Specifies the ICMPv6 destination unreachable type.
· echo-reply: Specifies the ICMPv6 echo reply type.
· echo-request: Specifies the ICMPv6 echo request type.
· group-query: Specifies the ICMPv6 group query type.
· group-reduction: Specifies the ICMPv6 group reduction type.
· group-report: Specifies the ICMPv6 group report type.
· packet-too-big: Specifies the ICMPv6 packet too big type.
· parameter-problem: Specifies the ICMPv6 parameter problem type.
· time-exceeded: Specifies the ICMPv6 time exceeded type.
impossible: Specifies the IP impossible packet attack.
ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:
· option-code: Specifies the IP option in the range of 0 to 255.
· internet-timestamp: Specifies the timestamp option.
· loose-source-routing: Specifies the loose source routing option.
· record-route: Specifies the record route option.
· route-alert: Specifies the route alert option.
· security: Specifies the security option.
· stream-id: Specifies the stream identifier option.
· strict-source-routing: Specifies the strict source route option.
ip-option-abnormal: Specifies the abnormal IP option attack.
ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.
land: Specifies the Land attack.
large-icmp: Specifies the large ICMP packet attack.
large-icmpv6: Specifies the large ICMPv6 packet attack.
ping-of-death: Specifies the ping-of-death attack.
smurf: Specifies the smurf attack.
snork: Specifies the UDP snork attack.
tcp-all-flags: Specifies the attack where the TCP packet has all flags set.
tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.
tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.
tcp-null-flag: Specifies the attack where the TCP packet has no flags set.
tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.
teardrop: Specifies the teardrop attack.
tiny-fragment: Specifies the tiny fragment attack.
traceroute: Specifies the traceroute attack.
udp-bomb: Specifies the UDP bomb attack.
winnuke: Specifies the WinNuke attack.
action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
drop: Drops packets that match the specified signature.
logging: Enables logging for the specified single-packet attack.
none: Takes no action.
Usage guidelines
You can use this command multiple times to enable signature detection for multiple single-packet attack types.
When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.
Examples
# Enable signature detection for smurf attack and specify the prevention action as drop in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature detect smurf action drop
Related commands
signature level action
signature level action
Use signature level action to specify the actions against single-packet attacks on a specific level.
Use undo signature level action to restore the default.
Syntax
signature level { high | info | low | medium } action { { drop | logging } * | none }
undo signature level { high | info | low | medium } action
Default
For informational-level and low-level single-packet attacks, the action is logging.
For medium-level and high-level single-packet attacks, the actions are logging and drop.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is on this level.
low: Specifies the low level. For example, the traceroute attack is on this level.
medium: Specifies the medium level. For example, the WinNuke attack is on this level.
drop: Drops packets that match the specified level.
logging: Enables logging for single-packet attacks on the specified level.
none: Takes no action.
Usage guidelines
According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level.
If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.
Examples
# Specify the action against informational-level single-packet attacks as drop in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature level info action drop
Related commands
signature detect
signature level detect
signature level detect
Use signature level detect to enable signature detection for single-packet attacks on a specific level.
Use undo signature level detect to disable signature detection for single-packet attacks on a specific level.
Syntax
signature level { high | info | low | medium } detect
undo signature level { high | info | low | medium } detect
Default
Signature detection is disabled for all levels of single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is on this level.
low: Specifies the low level. For example, the traceroute attack is on this level.
medium: Specifies the medium level. For example, the WinNuke attack is on this level.
Usage guidelines
According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level. Use the signature level action command to specify the actions against single-packet attacks on a specific level. If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.
To display the level to which a single-packet attack belongs, use the display attack-defense policy command.
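The precedence between signature level detect, signature level action, and signature detect is easy to misread, so the following added example (not code from this reference or the device) resolves the effective action for a signature the way the usage guidelines above and those of signature detect and signature level action describe: the per-level default (logging for info and low, logging and drop for medium and high), a signature level action override, and a per-signature signature detect configuration that takes precedence. The SignaturePolicy class, its method names, and the constructed configuration are this example's own; only the three signature-to-level mappings quoted in the reference (large ICMP, traceroute, WinNuke) are used.

```python
"""Resolve the effective action for a single-packet attack signature.

Added example, not the reference's own code. Class, method and function
names are assumptions of this example; the precedence rules come from the
signature detect / signature level action / signature level detect
usage guidelines.
"""

# 'signature level action' defaults: info/low -> logging; medium/high -> logging + drop
DEFAULT_LEVEL_ACTIONS = {
    "info":   frozenset({"logging"}),
    "low":    frozenset({"logging"}),
    "medium": frozenset({"logging", "drop"}),
    "high":   frozenset({"logging", "drop"}),
}

# Level membership quoted in the reference; other signatures are not mapped here.
SIGNATURE_LEVEL = {"large-icmp": "info", "traceroute": "low", "winnuke": "medium"}


class SignaturePolicy:
    """Hypothetical model of the single-packet signature settings of one policy."""

    def __init__(self):
        self.level_detect = set()   # 'signature level L detect'
        self.level_action = {}      # 'signature level L action ...' -> frozenset
        self.sig_detect = {}        # 'signature detect S [action ...]' -> frozenset or None

    def signature_level_detect(self, level):
        self.level_detect.add(level)

    def signature_level_action(self, level, *actions):
        # 'action none' clears the action set but keeps the level configured
        self.level_action[level] = frozenset(a for a in actions if a != "none")

    def signature_detect(self, sig, *actions):
        # No action keyword: inherit the level's actions (stored as None).
        self.sig_detect[sig] = (None if not actions
                                else frozenset(a for a in actions if a != "none"))

    def effective(self, sig):
        """Return (detection_enabled, actions) for a signature."""
        level = SIGNATURE_LEVEL[sig]
        # Assumption: a signature without its own action uses the level's
        # currently configured action, which is the stated default until changed.
        level_actions = self.level_action.get(level, DEFAULT_LEVEL_ACTIONS[level])
        if sig in self.sig_detect:
            # Per-signature configuration wins over the level configuration.
            explicit = self.sig_detect[sig]
            return True, (explicit if explicit is not None else level_actions)
        if level in self.level_detect:
            return True, level_actions
        return False, frozenset()


def build_example_policy():
    """Constructed configuration (not from the reference):
       signature level info action drop
       signature level info detect
       signature detect winnuke action logging
    """
    p = SignaturePolicy()
    p.signature_level_action("info", "drop")
    p.signature_level_detect("info")
    p.signature_detect("winnuke", "logging")
    return p


if __name__ == "__main__":
    pol = build_example_policy()
    for sig in SIGNATURE_LEVEL:
        enabled, acts = pol.effective(sig)
        print(sig, "enabled" if enabled else "disabled", sorted(acts))
```

With this configuration, large ICMP is detected through its level with the overridden action drop, WinNuke keeps the logging-only action from its own signature detect line despite the medium-level default of logging plus drop, and traceroute is not detected at all until its level or signature is enabled.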
Examples
# Enable signature detection for informational-level single-packet attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature level info detect
Related commands
display attack-defense policy
signature detect
signature level action
syn-ack-flood action
Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks.
Use undo syn-ack-flood action to restore the default.
Syntax
syn-ack-flood action { client-verify | drop | logging } *
undo syn-ack-flood action
Default
No global action is specified for SYN-ACK flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN-ACK packets destined for the victim IP addresses.
logging: Enables logging for SYN-ACK flood attack events.
Usage guidelines
For the SYN-ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against SYN-ACK flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop
Related commands
client-verify tcp enable
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-ack-flood threshold
syn-ack-flood detect
Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection.
Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
Syntax
syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific SYN-ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per second.
action: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the global actions set by the syn-ack-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN-ACK packets destined for the protected IP address.
logging: Enables logging for SYN-ACK flood attack events.
none: Takes no action.
Usage guidelines
You can configure SYN-ACK flood attack detection for multiple IP addresses in one attack defense policy.
With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure SYN-ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2 threshold 2000
Related commands
syn-ack-flood action
syn-ack-flood detect non-specific
syn-ack-flood threshold
syn-ack-flood detect non-specific
Use syn-ack-flood detect non-specific to enable global SYN-ACK flood attack detection.
Use undo syn-ack-flood detect non-specific to disable global SYN-ACK flood attack detection.
Syntax
syn-ack-flood detect non-specific
undo syn-ack-flood detect non-specific
Default
Global SYN-ACK flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global SYN-ACK flood attack detection applies to all IP addresses except for those specified by the syn-ack-flood detect command. The global detection uses the global trigger threshold set by the syn-ack-flood threshold command and global actions specified by the syn-ack-flood action command.
Examples
# Enable global SYN-ACK flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect non-specific
Related commands
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood threshold
syn-ack-flood threshold
Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention.
Use undo syn-ack-flood threshold to restore the default.
Syntax
syn-ack-flood threshold threshold-value
undo syn-ack-flood threshold
Default
The global threshold is 1000 for triggering SYN-ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global SYN-ACK flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN-ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global SYN-ACK flood attack detection configured, the device is in attack detection state. When the sending rate of SYN-ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering SYN-ACK flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood threshold 100
Related commands
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-flood action
Use syn-flood action to specify global actions against SYN flood attacks.
Use undo syn-flood action to restore the default.
Syntax
syn-flood action { client-verify | drop | logging } *
undo syn-flood action
Default
No global action is specified for SYN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN packets destined for the victim IP addresses.
logging: Enables logging for SYN flood attack events.
Usage guidelines
For the SYN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against SYN flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop
Related commands
syn-flood detect
syn-flood detect non-specific
syn-flood threshold
syn-flood detect
Use syn-flood detect to configure IP address-specific SYN flood attack detection.
Use undo syn-flood detect to remove the IP address-specific SYN flood attack detection configuration.
Syntax
syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific SYN flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering SYN flood attack prevention. The value range is 1 to 1000000 in units of SYN packets sent to the specified IP address per second.
action: Specifies the actions when a SYN flood attack is detected. If no action is specified, the global actions set by the syn-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN packets destined for the protected IP address.
logging: Enables logging for SYN flood attack events.
none: Takes no action.
Usage guidelines
You can configure SYN flood attack detection for multiple IP addresses in one attack defense policy.
With SYN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure SYN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect ip 192.168.1.2 threshold 2000
Related commands
syn-flood action
syn-flood detect non-specific
syn-flood threshold
syn-flood detect non-specific
Use syn-flood detect non-specific to enable global SYN flood attack detection.
Use undo syn-flood detect non-specific to disable global SYN flood attack detection.
Syntax
syn-flood detect non-specific
undo syn-flood detect non-specific
Default
Global SYN flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.
Examples
# Enable global SYN flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect non-specific
Related commands
syn-flood action
syn-flood detect
syn-flood threshold
syn-flood threshold
Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention.
Use undo syn-flood threshold to restore the default.
Syntax
syn-flood threshold threshold-value
undo syn-flood threshold
Default
The global threshold is 1000 for triggering SYN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of SYN packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global SYN flood attack detection configured, the device is in attack detection state. When the sending rate of SYN packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering SYN flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 100
Related commands
syn-flood action
syn-flood detect
syn-flood detect non-specific
udp-flood action
Use udp-flood action to specify global actions against UDP flood attacks.
Use undo udp-flood action to restore the default.
Syntax
udp-flood action { drop | logging } *
undo udp-flood action
Default
No global action is specified for UDP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
drop: Drops subsequent UDP packets destined for the victim IP addresses.
logging: Enables logging for UDP flood attack events.
Examples
# Specify drop as the global action against UDP flood attacks in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood action drop
Related commands
udp-flood detect
udp-flood detect non-specific
udp-flood threshold
udp-flood detect
Use udp-flood detect to configure IP address-specific UDP flood attack detection.
Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration.
Syntax
udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific UDP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the threshold for triggering UDP flood attack prevention. The value range is 1 to 64000 in units of UDP packets sent to the specified IP address per second.
action: Specifies the actions when a UDP flood attack is detected. If no action is specified, the global actions set by the udp-flood action command apply.
drop: Drops subsequent UDP packets destined for the protected IP address.
logging: Enables logging for UDP flood attack events.
none: Takes no action.
Usage guidelines
You can configure UDP flood attack detection for multiple IP addresses in one attack defense policy.
With UDP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of UDP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure UDP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000
Related commands
udp-flood action
udp-flood detect non-specific
udp-flood threshold
udp-flood detect non-specific
Use udp-flood detect non-specific to enable global UDP flood attack detection.
Use undo udp-flood detect non-specific to disable global UDP flood attack detection.
Syntax
udp-flood detect non-specific
undo udp-flood detect non-specific
Default
Global UDP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The global UDP flood attack detection applies to all IP addresses except for those specified by the udp-flood detect command. The global detection uses the global trigger threshold set by the udp-flood threshold command and global actions specified by the udp-flood action command.
Examples
# Enable global UDP flood attack detection in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect non-specific
Related commands
udp-flood action
udp-flood detect
udp-flood threshold
udp-flood threshold
Use udp-flood threshold to set the global threshold for triggering UDP flood attack prevention.
Use undo udp-flood threshold to restore the default.
Syntax
udp-flood threshold threshold-value
undo udp-flood threshold
Default
The global threshold is 1000 for triggering UDP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second.
Usage guidelines
The global threshold applies to global UDP flood attack detection. Adjust the threshold according to the application scenarios. If the number of UDP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
With global UDP flood attack detection configured, the device is in attack detection state. When the sending rate of UDP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
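The usage guidelines for the syn-ack-flood, syn-flood and udp-flood commands above all describe the same two-state logic: a trigger threshold that moves a protected IP address from detection into prevention state, a silence threshold at three-fourths of the trigger threshold that moves it back, and a lookup order in which an IP-specific detect entry wins over the global (non-specific) detection, with the global threshold and global actions filling in whatever the entry leaves unspecified. The following Python model is an added illustration written for this page; it is not H3C or Comware code. The class and function names, the policy object, and the sample command lines are constructed for the example (the command lines use the syntax shown in this reference), and the vpn-instance keyword is accepted but not modelled.

```python
"""Model of the per-IP / global flood detection logic described in this
command reference. Added illustration; not H3C/Comware code. All names are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

DETECT, PREVENT = "detection", "prevention"
# Silence threshold is three-fourths of the trigger threshold (from the page).
SILENCE_RATIO = 3 / 4


@dataclass
class PerIpRule:
    """One 'xxx-flood detect ip ...' entry. None means 'fall back to global'."""
    threshold: Optional[int] = None          # None -> global threshold applies
    actions: Optional[FrozenSet[str]] = None  # None -> global actions; frozenset() -> 'action none'


@dataclass
class FloodPolicy:
    """One flood type (e.g. syn-flood) inside an attack defense policy."""
    global_threshold: int = 1000                     # page default
    global_actions: FrozenSet[str] = frozenset()     # page default: no global action
    global_detect: bool = False                      # 'detect non-specific' is off by default
    per_ip: Dict[str, PerIpRule] = field(default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)

    def effective(self, ip: str) -> Optional[Tuple[int, FrozenSet[str]]]:
        """Return (threshold, actions) that apply to ip, or None if ip is not detected."""
        rule = self.per_ip.get(ip)
        if rule is not None:
            thr = rule.threshold if rule.threshold is not None else self.global_threshold
            acts = rule.actions if rule.actions is not None else self.global_actions
            return thr, acts
        if self.global_detect:
            return self.global_threshold, self.global_actions
        return None

    def observe(self, ip: str, pps: int) -> Tuple[Optional[str], FrozenSet[str]]:
        """Feed one per-second packet rate for ip; return (state, actions to apply now)."""
        eff = self.effective(ip)
        if eff is None:
            return None, frozenset()
        thr, acts = eff
        cur = self.state.get(ip, DETECT)
        if cur == DETECT and pps >= thr:
            cur = PREVENT                     # rate reached the trigger threshold
        elif cur == PREVENT and pps < thr * SILENCE_RATIO:
            cur = DETECT                      # rate fell below the silence threshold
        # Between 3/4 * thr and thr the state is kept as it is (hysteresis).
        self.state[ip] = cur
        return cur, (acts if cur == PREVENT else frozenset())


def apply_command(policy: FloodPolicy, line: str) -> None:
    """Apply one attack-defense-policy-view command line (page syntax) to policy."""
    tokens = line.split()
    sub = tokens[1]
    if sub == "threshold":
        policy.global_threshold = int(tokens[2])
    elif sub == "action":
        policy.global_actions = frozenset(tokens[2:])
    elif sub == "detect" and tokens[2] == "non-specific":
        policy.global_detect = True
    elif sub == "detect":
        # detect { ip a | ipv6 a } [ vpn-instance n ] [ threshold t ] [ action { {...}* | none } ]
        ip, rule, i = tokens[3], PerIpRule(), 4
        while i < len(tokens):
            if tokens[i] == "vpn-instance":
                i += 2                            # accepted, not modelled here
            elif tokens[i] == "threshold":
                rule.threshold = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "action":
                rest = tokens[i + 1:]
                rule.actions = frozenset() if rest == ["none"] else frozenset(rest)
                break
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in: {line}")
        policy.per_ip[ip] = rule
    else:
        raise ValueError(f"unsupported command: {line}")


def demo():
    """Constructed policy: global threshold 100 with drop+logging, one server
    with its own threshold, one server that is detected but takes no action."""
    p = FloodPolicy()
    for cmd in ("syn-flood threshold 100",
                "syn-flood action drop logging",
                "syn-flood detect non-specific",
                "syn-flood detect ip 192.168.1.2 threshold 2000",
                "syn-flood detect ip 192.168.1.3 threshold 400 action none"):
        apply_command(p, cmd)
    # Constructed SYN rates (packets/s) seen for 192.168.1.2 over four seconds.
    return p, [p.observe("192.168.1.2", r) for r in (1500, 2000, 1600, 1499)]


if __name__ == "__main__":
    policy, trace = demo()
    for rate, (state, acts) in zip((1500, 2000, 1600, 1499), trace):
        print(f"{rate:>5} pps -> {state:<10} actions={sorted(acts)}")
```

The trace shows why the silence threshold matters: at 1600 packets/s the rate is below the 2000 trigger but above 1500 (three-fourths of it), so the address stays in prevention state and keeps dropping; only at 1499 does it return to detection. The entry with `action none` still enters prevention state but yields an empty action set, while an address with no entry is covered only because `detect non-specific` was enabled.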
Examples
# Set the global threshold to 100 for triggering UDP flood attack prevention in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood threshold 100
Related commands
udp-flood action
udp-flood detect
udp-flood detect non-specific
whitelist enable (interface view)
Use whitelist enable to enable the whitelist feature on an interface.
Use undo whitelist enable to disable the whitelist feature on an interface.
Syntax
whitelist enable
undo whitelist enable
Default
The whitelist feature is disabled on an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
If the global whitelist feature is enabled, the whitelist feature is enabled on all interfaces. If the global whitelist feature is disabled, you can use this command to enable the whitelist feature on individual interfaces.
Examples
# Enable the whitelist feature on interface GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] whitelist enable
whitelist enable (security zone view)
Use whitelist enable to enable the whitelist feature on a security zone.
Use undo whitelist enable to disable the whitelist feature on a security zone.
Syntax
whitelist enable
undo whitelist enable
Default
The whitelist feature is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
If the global whitelist feature is enabled, the whitelist feature is enabled on all security zones. If the global whitelist feature is disabled, you can use this command to enable the whitelist feature on individual security zones.
Examples
# Enable the whitelist feature on security zone Untrust.
<Sysname> system-view
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] whitelist enable
whitelist global enable
Use whitelist global enable to enable the global whitelist feature.
Use undo whitelist global enable to disable the global whitelist feature.
Syntax
whitelist global enable
undo whitelist global enable
Default
The global whitelist feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
If you enable the global whitelist feature, the whitelist feature is enabled on all interfaces or security zones.
Examples
# Enable the global whitelist feature.
<Sysname> system-view
[Sysname] whitelist global enable
whitelist object-group
Use whitelist object-group to add an address object group to the whitelist.
Use undo whitelist object-group to restore the default.
Syntax
whitelist object-group object-group-name
undo whitelist object-group
Default
No address object group is added to the whitelist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command must be used together with the address object group feature. For more information about address object groups, see "Configuring object groups."
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Add address object group object-group1 to the whitelist.
<Sysname> system-view
[Sysname] whitelist object-group object-group1