10-Security

15-Attack detection and prevention commands

Contents

Attack detection and prevention commands
ack-flood action
ack-flood detect
ack-flood detect non-specific
ack-flood threshold
attack-defense apply policy
attack-defense local apply policy
attack-defense login reauthentication-delay
attack-defense policy
attack-defense signature log non-aggregate
attack-defense tcp fragment enable
display attack-defense flood statistics ip
display attack-defense flood statistics ipv6
display attack-defense policy
display attack-defense policy ip
display attack-defense policy ipv6
display attack-defense scan attacker ip
display attack-defense scan attacker ipv6
display attack-defense scan victim ip
display attack-defense scan victim ipv6
display attack-defense statistics interface
display attack-defense statistics local
dns-flood action
dns-flood detect
dns-flood detect non-specific
dns-flood port
dns-flood threshold
exempt acl
fin-flood action
fin-flood detect
fin-flood detect non-specific
fin-flood threshold
http-flood action
http-flood detect
http-flood detect non-specific
http-flood port
http-flood threshold
icmp-flood action
icmp-flood detect ip
icmp-flood detect non-specific
icmp-flood threshold
icmpv6-flood action
icmpv6-flood detect ipv6
icmpv6-flood detect non-specific
icmpv6-flood threshold
reset attack-defense policy flood
reset attack-defense statistics interface
reset attack-defense statistics local
rst-flood action
rst-flood detect
rst-flood detect non-specific
rst-flood threshold
scan detect
signature { large-icmp | large-icmpv6 } max-length
signature detect
signature level action
signature level detect
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-ack-flood threshold
syn-flood action
syn-flood detect
syn-flood detect non-specific
syn-flood threshold
udp-flood action
udp-flood detect
udp-flood detect non-specific
udp-flood threshold


Attack detection and prevention commands

The following matrix shows the feature and hardware compatibility:

 

Hardware series            Model                                Attack detection and prevention compatibility
WX1800H series             WX1804H, WX1810H, WX1820H            Yes
WX2500H series             WX2510H, WX2540H, WX2560H            Yes
WX3000H series             WX3010H, WX3010H-L, WX3010H-X,       No
                           WX3024H, WX3024H-L
WX3500H series             WX3508H, WX3510H, WX3520H, WX3540H   Yes
WX5500E series             WX5510E, WX5540E                     Yes
WX5500H series             WX5540H, WX5560H, WX5580H            Yes
Access controller modules  EWPXM1MAC0F, EWPXM1WCME0,            Yes
                           EWPXM2WCMD0F, LSQM1WCMX20,
                           LSQM1WCMX40, LSUM1WCME0,
                           LSUM1WCMX20RT, LSUM1WCMX40RT

 

The WX1800H series and WX2500H series access controllers do not support the slot keyword or the slot-number argument.

ack-flood action

Use ack-flood action to specify global actions against ACK flood attacks.

Use undo ack-flood action to restore the default.

Syntax

ack-flood action { drop | logging } *

undo ack-flood action

Default

No global action is specified for ACK flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ACK packets destined for the victim IP addresses.

logging: Enables logging for ACK flood attack events.

Examples

# Specify drop as the global action against ACK flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop

Related commands

·     ack-flood threshold

·     ack-flood detect

·     ack-flood detect non-specific

ack-flood detect

Use ack-flood detect to configure IP address-specific ACK flood attack detection.

Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.

Syntax

ack-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo ack-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering ACK flood attack prevention. The value range is 1 to 1000000 in units of ACK packets sent to the specified IP address per second.

action: Specifies the actions when an ACK flood attack is detected. If no action is specified, the global actions set by the ack-flood action command apply.

drop: Drops subsequent ACK packets destined for the protected IP address.

logging: Enables logging for ACK flood attack events.

none: Takes no action.

Usage guidelines

With ACK flood attack detection configured, the device is in attack detection state. An attack occurs when the device detects that the sending rate of ACK packets to a protected IP address reaches the threshold. The device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
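The detection/prevention cycle described in these guidelines, modelled in Python as an added example (this is not H3C code and does not reflect the device's internal implementation). The model also covers the fallback rules stated for the command: a protected address without its own threshold or action uses the global values from ack-flood threshold and ack-flood action, and, when ack-flood detect non-specific is enabled, every other address is monitored with the global values. The default global threshold of 1000 is taken from the page; the per-second rates fed in are constructed, and the assumption that every packet arriving during prevention state counts as dropped is a simplification.

```python
"""Model of per-address flood detection with a trigger threshold and a
silence threshold of three-fourths of the trigger threshold (added
illustration, not H3C code)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GLOBAL_DEFAULT_THRESHOLD = 1000   # default of ack-flood threshold on the page


@dataclass
class FloodDetector:
    threshold: int = GLOBAL_DEFAULT_THRESHOLD
    actions: Tuple[str, ...] = ()         # ("drop", "logging"); () means "none"
    state: str = "detection"
    dropped: int = 0                      # assumption: all packets seen while
    log: List[str] = field(default_factory=list)   # in prevention are dropped

    @property
    def silence_threshold(self) -> float:
        # The device leaves prevention state only below three-fourths of
        # the trigger threshold, which gives the hysteresis shown below.
        return self.threshold * 3 / 4

    def observe(self, pps: int) -> str:
        """Feed one second's packet count toward the protected address."""
        if self.state == "detection" and pps >= self.threshold:
            self.state = "prevention"
        elif self.state == "prevention" and pps < self.silence_threshold:
            self.state = "detection"
        if self.state == "prevention":
            if "drop" in self.actions:
                self.dropped += pps
            if "logging" in self.actions:
                self.log.append(f"flood: {pps} pps, threshold {self.threshold}")
        return self.state


def build_detector(threshold: Optional[int] = None,
                   actions: Optional[Tuple[str, ...]] = None,
                   global_threshold: int = GLOBAL_DEFAULT_THRESHOLD,
                   global_actions: Tuple[str, ...] = ()) -> FloodDetector:
    """Per-address settings win; anything unspecified falls back to the
    global setting. An explicit empty tuple is the 'none' action and does
    not fall back."""
    return FloodDetector(
        threshold=threshold if threshold is not None else global_threshold,
        actions=tuple(actions) if actions is not None else tuple(global_actions),
    )


def run(detector: FloodDetector, rates: List[int]) -> List[str]:
    """Return the state after each observed per-second rate."""
    return [detector.observe(r) for r in rates]


class PolicyFloodDefense:
    """Address-specific detectors plus, when non-specific detection is
    enabled, global-setting detectors for every other address."""

    def __init__(self, global_threshold: int = GLOBAL_DEFAULT_THRESHOLD,
                 global_actions: Tuple[str, ...] = (), non_specific: bool = False):
        self.global_threshold = global_threshold
        self.global_actions = tuple(global_actions)
        self.non_specific = non_specific
        self.detectors: Dict[str, FloodDetector] = {}

    def detect(self, address: str, threshold: Optional[int] = None,
               actions: Optional[Tuple[str, ...]] = None) -> None:
        """Counterpart of ack-flood detect ip <address> [threshold] [action]."""
        self.detectors[address] = build_detector(
            threshold, actions, self.global_threshold, self.global_actions)

    def observe(self, address: str, pps: int) -> Optional[str]:
        det = self.detectors.get(address)
        if det is None:
            if not self.non_specific:
                return None           # address is not monitored at all
            det = build_detector(None, None, self.global_threshold, self.global_actions)
            self.detectors[address] = det
        return det.observe(pps)


if __name__ == "__main__":
    d = build_detector(threshold=2000, actions=("drop", "logging"))
    print(run(d, [500, 2000, 1800, 1600, 1499, 300]), d.dropped)
```

Note the hysteresis: with a threshold of 2000, 1600 pps does not trigger prevention from detection state, but it also does not release prevention once entered, because release requires the rate to fall below 1500.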

Examples

# Configure ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     ack-flood action

·     ack-flood detect non-specific

·     ack-flood threshold

ack-flood detect non-specific

Use ack-flood detect non-specific to enable global ACK flood attack detection.

Use undo ack-flood detect non-specific to restore the default.

Syntax

ack-flood detect non-specific

undo ack-flood detect non-specific

Default

Global ACK flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command. The global detection uses the global trigger threshold set by the ack-flood threshold command and global actions specified by the ack-flood action command.

Examples

# Enable global ACK flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect non-specific

Related commands

·     ack-flood action

·     ack-flood detect

·     ack-flood threshold

ack-flood threshold

Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention.

Use undo ack-flood threshold to restore the default.

Syntax

ack-flood threshold threshold-value

undo ack-flood threshold

Default

The global threshold is 1000 for triggering ACK flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of ACK packets sent to an IP address per second.

Usage guidelines

The device applies the global threshold to global ACK flood attack detection.

Adjust the threshold according to the application scenarios. If the number of ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering ACK flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 100

Related commands

·     ack-flood action

·     ack-flood detect

·     ack-flood detect non-specific

attack-defense apply policy

Use attack-defense apply policy to apply an attack defense policy to an interface.

Use undo attack-defense apply policy to remove the attack defense policy application.

Syntax

attack-defense apply policy policy-name

undo attack-defense apply policy

Default

No attack defense policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An interface can have only one attack defense policy applied. If you use this command for an interface multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to multiple interfaces.

Examples

# Apply the attack defense policy atk-policy-1 to interface VLAN-interface 200.

<Sysname> system-view

[Sysname] interface vlan-interface 200

[Sysname-Vlan-interface200] attack-defense apply policy atk-policy-1

Related commands

·     attack-defense policy

·     display attack-defense policy

attack-defense local apply policy

Use attack-defense local apply policy to apply an attack defense policy to the device.

Use undo attack-defense local apply policy to restore the default.

Syntax

attack-defense local apply policy policy-name

undo attack-defense local apply policy

Default

No attack defense policy is applied to the device.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device.

Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device.

Each device can have only one attack defense policy applied. If you use this command multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to the device itself and to multiple interfaces.

If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows:

1.     The policy applied to the receiving interface processes the packet.

2.     If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.

Examples

# Apply the attack defense policy atk-policy-1 to the device.

<Sysname> system-view

[Sysname] attack-defense local apply policy atk-policy-1

Related commands

·     attack-defense policy

·     display attack-defense policy

attack-defense login reauthentication-delay

Use attack-defense login reauthentication-delay to enable the login delay feature.

Use undo attack-defense login reauthentication-delay to restore the default.

Syntax

attack-defense login reauthentication-delay seconds

undo attack-defense login reauthentication-delay

Default

The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Sets the delay period in seconds, in the range of 4 to 60.

Usage guidelines

The login delay feature delays the device's acceptance of the next login request from a user after that user fails a login attempt.

This feature can slow down login dictionary attacks.

Examples

# Enable the login delay feature and set the delay period to 5 seconds.

<Sysname> system-view

[Sysname] attack-defense login reauthentication-delay 5

attack-defense policy

Use attack-defense policy to create an attack defense policy and enter attack defense policy view.

Use undo attack-defense policy to remove an attack defense policy.

Syntax

attack-defense policy policy-name

undo attack-defense policy policy-name

Default

No attack defense policy exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Examples

# Create the attack defense policy atk-policy-1 and enter its view.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1]

Related commands

·     attack-defense apply policy

·     display attack-defense policy

attack-defense signature log non-aggregate

Use attack-defense signature log non-aggregate to disable log aggregation for single-packet attack events.

Use undo attack-defense signature log non-aggregate to restore the default.

Syntax

attack-defense signature log non-aggregate

undo attack-defense signature log non-aggregate

Default

Log aggregation is enabled for single-packet attack events.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Log aggregation aggregates all logs generated during a period of time and sends one log. The logs with the same attributes for the following items can be aggregated:

·     Interface where the attack is detected.

·     Attack type.

·     Attack defense action.

·     Source and destination IP addresses.

H3C recommends that you not disable log aggregation. A large number of logs will consume the display resources of the console.

Examples

# Disable log aggregation for single-packet attack events.

<Sysname> system-view

[Sysname] attack-defense signature log non-aggregate

Related commands

signature detect

attack-defense tcp fragment enable

Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.

Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.

Syntax

attack-defense tcp fragment enable

undo attack-defense tcp fragment enable

Default

TCP fragment attack prevention is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the following TCP fragments:

·     First fragments in which the TCP header is smaller than 20 bytes.

·     Non-first fragments with a fragment offset of 8 bytes (FO=1).

TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
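The two RFC 1858 fragment shapes named above, expressed as a classifier in Python as an added example (not H3C code). It assumes a fragment is described by its IP Fragment Offset field in 8-byte units, its More Fragments flag, its transport payload length and its IP protocol number; the fragments it is run over are constructed for the example. It shows why a stateless packet filter misses these fragments: the first shape leaves the TCP flags and ports out of the first fragment, and the second overlaps byte 8 onward of the TCP header so the flags written by the first fragment can be overwritten during reassembly.

```python
"""Classifier for the RFC 1858 attack fragments that TCP fragment attack
prevention drops (added illustration, not H3C code)."""

from dataclasses import dataclass
from typing import List

MIN_TCP_HEADER = 20   # bytes; a first fragment must carry at least this much
PROTO_TCP = 6


@dataclass(frozen=True)
class Fragment:
    offset: int             # IP Fragment Offset field, in 8-byte units (FO)
    more_fragments: bool    # IP MF flag
    payload_len: int        # bytes of transport data carried by this fragment
    protocol: int = PROTO_TCP


def tcp_fragment_verdict(frag: Fragment) -> str:
    """Return 'drop' for the two RFC 1858 shapes, 'pass' for everything else."""
    if frag.protocol != PROTO_TCP:
        return "pass"                      # only TCP fragments are inspected
    if not (frag.more_fragments or frag.offset > 0):
        return "pass"                      # unfragmented packet
    # Tiny fragment: FO=0 but fewer than 20 bytes, so the TCP ports and
    # flags a filter keys on are pushed into a later fragment.
    if frag.offset == 0 and frag.payload_len < MIN_TCP_HEADER:
        return "drop"
    # Overlapping fragment: FO=1 places this data at byte 8 of the TCP
    # header, covering the flags byte (offset 13) on reassembly.
    if frag.offset == 1:
        return "drop"
    return "pass"


def filter_fragments(frags: List[Fragment]) -> List[Fragment]:
    """Fragments that survive TCP fragment attack prevention, in order."""
    return [f for f in frags if tcp_fragment_verdict(f) == "pass"]


# Constructed sample: one ordinary two-fragment TCP segment, one tiny first
# fragment, one FO=1 fragment and one UDP fragment at FO=1.
SAMPLE = [
    Fragment(offset=0, more_fragments=True, payload_len=24),
    Fragment(offset=3, more_fragments=False, payload_len=100),
    Fragment(offset=0, more_fragments=True, payload_len=8),
    Fragment(offset=1, more_fragments=True, payload_len=16),
    Fragment(offset=1, more_fragments=True, payload_len=16, protocol=17),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f, tcp_fragment_verdict(f))
```

The page also says this prevention runs before the single-packet attack defense policy; the list returned by filter_fragments is therefore what that policy would see.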

Examples

# Enable TCP fragment attack prevention.

<Sysname> system-view

[Sysname] attack-defense tcp fragment enable

display attack-defense flood statistics ip

Use display attack-defense flood statistics ip to display flood attack detection and prevention statistics for a protected IPv4 address.

Syntax

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address ] [ interface interface-type interface-number [ slot slot-number ] | local [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv4 flood attack detection and prevention statistics for all member devices.

count: Displays the number of matching protected IPv4 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If the interface and local parameters are not specified, this command displays IPv4 flood attack detection and prevention statistics on all interfaces and the device.

Examples

# Display flood attack detection and prevention statistics for all IPv4 addresses.

<Sysname> display attack-defense flood statistics ip

slot 1:

IPv6 address    VPN    Detected on  Detect type    State    PPS    Dropped

2000::1011      --     Vlan-int2    SYN-FLOOD      Normal   0      4294967295

1::2            --     Vlan-int2    DNS-FLOOD      Normal   1000   111111111

1::3            --     Vlan-int3    SYN-ACK-FLOOD  Normal   1000   222222222

1::4            --     Vlan-int4    ACK-FLOOD      Normal   1000   111111111

1::5            --     Vlan-int5    SYN-FLOOD      Normal   1000   22222222

# Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Slot 1:

Totally 2 flood entries.

Table 1 Command output

IP address: Protected IPv4 address.

VPN: MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). The device does not support this field in the current software version.

Detected on: Where the attack is detected, on the device (Local) or an interface.

Detect type: Type of the detected flood attack.

State: Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS: Number of packets sent to the IPv4 address per second.

Dropped: Number of attack packets dropped by the interface or the device.

Totally 2 flood entries: Total number of IPv4 addresses that are protected.
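A parser for the table printed by display attack-defense flood statistics ip and ipv6, written in Python as an added example (not H3C code). It uses the column set documented in Table 1 and Table 2 (address, VPN, Detected on, Detect type, State, PPS, Dropped) and the Slot header and Totally footer lines, and returns the rows an operator would act on first: addresses currently in Attacked state. The output it is run over is constructed for this example; the row in Attacked state and its rates are not from the page.

```python
"""Parser for the flood statistics table of display attack-defense flood
statistics ip / ipv6 (added illustration, not H3C code)."""

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output in the documented column layout.
SAMPLE_OUTPUT = """\
Slot 1:
IP address      VPN    Detected on  Detect type    State     PPS    Dropped
2000::1011      --     Vlan-int2    SYN-FLOOD      Normal    0      4294967295
1::2            --     Vlan-int2    DNS-FLOOD      Attacked  12000  111111111
1::3            --     Local        SYN-ACK-FLOOD  Normal    1000   222222222
Totally 3 flood entries.
"""


@dataclass(frozen=True)
class FloodEntry:
    slot: int
    address: str
    vpn: str
    detected_on: str      # "Local" or an interface name
    detect_type: str
    state: str            # "Attacked" or "Normal"
    pps: int
    dropped: int


def parse_flood_statistics(text: str) -> List[FloodEntry]:
    """Turn the display output into FloodEntry records, one per row."""
    entries: List[FloodEntry] = []
    slot = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("slot ") and line.endswith(":"):
            slot = int(line[5:-1])          # "Slot 1:" -> 1
            continue
        if line.endswith("Dropped") or line.startswith("Totally"):
            continue                        # column header / count footer
        cols = line.split()
        if len(cols) != 7:
            raise ValueError(f"unexpected row: {raw!r}")
        addr, vpn, det_on, det_type, state, pps, dropped = cols
        entries.append(FloodEntry(slot, addr, vpn, det_on, det_type, state,
                                  int(pps), int(dropped)))
    return entries


def attacked(entries: List[FloodEntry]) -> List[FloodEntry]:
    """Protected addresses currently in prevention state."""
    return [e for e in entries if e.state == "Attacked"]


def dropped_by_type(entries: List[FloodEntry]) -> Dict[str, int]:
    """Total dropped packets per flood type, for a quick trend view."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.detect_type] = totals.get(e.detect_type, 0) + e.dropped
    return totals


if __name__ == "__main__":
    rows = parse_flood_statistics(SAMPLE_OUTPUT)
    for e in attacked(rows):
        print(f"slot {e.slot}: {e.address} {e.detect_type} on {e.detected_on} at {e.pps} pps")
    print(dropped_by_type(rows))
```

Because the device records only the protected addresses and not the attackers' addresses, the parsed rows tell you which victims are under attack and where the attack was detected, not who is sending.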

 

display attack-defense flood statistics ipv6

Use display attack-defense flood statistics ipv6 to display flood attack detection and prevention statistics for a protected IPv6 address.

Syntax

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address ] [ interface interface-type interface-number [ slot slot-number ] | local [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv6 flood attack detection and prevention statistics for all member devices.

count: Displays the number of matching protected IPv6 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If the interface and local parameters are not specified, this command displays IPv6 flood attack detection and prevention statistics on all interfaces and the device.

Examples

# Display flood attack detection and prevention statistics for all IPv6 addresses.

<Sysname> display attack-defense flood statistics ipv6

Slot 1:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

2000::1011      a0123456789 Vlan-int2    SYN-FLOOD     Normal   0      4294967295

1::2            1222232     Vlan-int2    DNS-FLOOD     Normal   1000   111111111

1::3            --          Vlan-int3    SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          Vlan-int4    ACK-FLOOD     Normal   1000   111111111

1::5            --          Vlan-int5    SYN-FLOOD     Normal   1000   22222222

# Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Slot 1:

Totally 5 flood entries.

Table 2 Command output

IPv6 address: Protected IPv6 address.

VPN: MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). The device does not support this field in the current software version.

Detected on: Where the attack is detected, on the device (Local) or an interface.

Detect type: Type of the detected flood attack.

State: Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS: Number of packets sent to the IPv6 address per second.

Dropped: Number of attack packets dropped by the interface or the device.

Totally 5 flood entries: Total number of IPv6 addresses that are protected.

 

display attack-defense policy

Use display attack-defense policy to display attack defense policy configuration.

Syntax

display attack-defense policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.

Usage guidelines

This command output includes the following configuration information about an attack defense policy:

·     Whether attack detection is enabled.

·     Attack prevention actions.

·     Attack prevention trigger thresholds.

Examples

# Display the configuration of attack defense policy abc.

<Sysname> display attack-defense policy abc

          Attack-defense Policy Information

--------------------------------------------------------------------------

Policy name                        : abc

Applied list                       : Local

                                     Vlan1

--------------------------------------------------------------------------

Exempt IPv4 ACL:                  : Not configured

Exempt IPv6 ACL:                  : vip

--------------------------------------------------------------------------

  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

 

Signature attack defense configuration:

Signature name                     Defense      Level             Actions

Fragment                           Enabled      Info              L

Impossible                         Enabled      Info              L

Teardrop                           Disabled     Info              L

Tiny fragment                      Disabled     Info              L

IP option abnormal                 Disabled     Info              L

Smurf                              Disabled     Info              N

Traceroute                         Disabled     Medium            L,D

Ping of death                      Disabled     Low               L

Large ICMP                         Disabled     Medium            L,D

  Max length                       4000 bytes

Large ICMPv6                       Disabled     Low               L

  Max length                       4000 bytes

TCP invalid flags                  Disabled     medium            L,D

TCP null flag                      Disabled     Low               L

TCP all flags                      Enabled      Info              L

TCP SYN-FIN flags                  Disabled     Info              L

TCP FIN only flag                  Enabled      Info              L

TCP Land                           Disabled     Info              L

Winnuke                            Disabled     Info              L

UDP Bomb                           Disabled     Info              L

UDP Snork                          Disabled     Info              L

UDP Fraggle                        Enabled      Info              L

IP option record route             Disabled     Info              L

IP option internet timestamp       Enabled      Info              L

IP option security                 Disabled     Info              L

IP option loose source routing     Enabled      Info              L

IP option stream ID                Disabled     Info              L

IP option strict source routing    Disabled     Info              L

IP option route alert              Disabled     Info              L

ICMP echo request                  Disabled     Info              L

ICMP echo reply                    Disabled     Info              L

ICMP source quench                 Disabled     Info              L

ICMP destination unreachable       Enabled      Info              L

ICMP redirect                      Enabled      Info              L

ICMP time exceeded                 Enabled      Info              L

ICMP parameter problem             Disabled     Info              L

ICMP timestamp request             Disabled     Info              L

ICMP timestamp reply               Disabled     Info              L

ICMP information request           Disabled     Info              L

ICMP information reply             Disabled     Medium            L,D

ICMP address mask request          Disabled     Medium            L,D

ICMP address mask reply            Disabled     Medium            L,D

ICMPv6 echo request                Enabled      Medium            L,D

ICMPv6 echo reply                  Disabled     Medium            L,D

ICMPv6 group membership query      Disabled     Medium            L,D

ICMPv6 group membership report     Disabled     Medium            L,D

ICMPv6 group membership reduction  Disabled     Medium            L,D

ICMPv6 destination unreachable     Enabled      Medium            L,D

ICMPv6 time exceeded               Enabled      Medium            L,D

ICMPv6 parameter problem           Disabled     Medium            L,D

ICMPv6 packet too big              Disabled     Medium            L,D

 

Scan attack defense configuration:

 Defense: Disabled

 Level: Medium

 Actions: L

 

Flood attack defense configuration:

Flood type      Global thres(pps)  Global actions  Service ports   Non-specific

SYN flood       1000               -               -               Disabled

ACK flood       1000               -               -               Enabled

SYN-ACK flood   1000               -               -               Disabled

RST flood       200                -               -               Enabled

FIN flood       1000               L,D             -               Disabled

UDP flood       1000               -               -               Disabled

ICMP flood      1000               -               -               Disabled

ICMPv6 flood    1000               D               -               Disabled

DNS flood       10000              -               30,61 to 62     Enabled

HTTP flood      10000              -               80,8080         Enabled

 

Flood attack defense for protected IP addresses:

 Address                 VPN instance   Flood type    Thres(pps)  Actions Ports

 1::1                    --             FIN-FLOOD     10          L,D     -

 1::1                    --             RST-FLOOD     -           L       -

 2013:2013:2013:2013:    --             DNS-FLOOD     100         L       53

 2013:2013:2013:2013

Table 3 Command output

Policy name: Name of the attack defense policy.

Applied list: List of objects to which the attack defense policy is applied. If the policy is applied to the local device, this field displays Local.

Exempt IPv4 ACL: IPv4 ACL used for attack detection exemption.

Exempt IPv6 ACL: IPv6 ACL used for attack detection exemption.

Actions: Attack prevention actions:

·     CV—Client verification. The device does not support this action in the current software version.

·     BS—Blocking sources. The device does not support this action in the current software version.

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Signature attack defense configuration: Configuration information about single-packet attack detection and prevention.

Signature name: Type of the single-packet attack.

Defense: Whether attack detection is enabled.

Level: Level of the single-packet attack: info, low, medium, or high.

Actions: Prevention actions against the single-packet attack:

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Scan attack defense configuration: Configuration information about scanning attack detection and prevention.

Defense: Whether attack detection is enabled.

Level: Level of the scanning attack detection: low, medium, or high.

Actions: Prevention actions against the scanning attack:

·     D—Dropping packets.

·     L—Logging.

Flood attack defense configuration: Configuration information about flood attack detection and prevention.

Flood type: Type of the flood attack:

·     ACK flood.

·     DNS flood.

·     FIN flood.

·     ICMP flood.

·     ICMPv6 flood.

·     SYN flood.

·     SYN-ACK flood.

·     UDP flood.

·     RST flood.

·     HTTP flood.

Global thres (pps): Global threshold for triggering the flood attack prevention, in units of packets sent to an IP address per second. The default is 1000 pps.

Global actions: Global prevention actions against the flood attack:

·     D—Dropping packets.

·     L—Logging.

·     -—Not configured.

Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).

Non-specific: Whether the global flood attack detection is enabled.

Flood attack defense for protected IP addresses: Configuration of the IP address-specific flood attack detection and prevention.

Address: Protected IP address.

VPN instance: MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field displays a hyphen (-).

Thres(pps): Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no threshold is specified, this field displays 1000.

Actions: Prevention actions against the flood attack:

·     D—Dropping packets.

·     L—Logging.

·     N—No action.

Ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).


# Display brief information about all attack defense policies.

<Sysname> display attack-defense policy

           Attack-defense Policy Brief Information

------------------------------------------------------------

Policy Name                        Applied list

Atk-policy-1                       Local

                                   Vlan100

                                   Vlan200

P2                                 None

P123                               Vlan200

Table 4 Command output

Field

Description

Policy name

Name of the attack defense policy.

Applied list

List of objects to which the attack defense policy is applied. If the policy is applied to the local device, this field displays Local.


Related commands

attack-defense policy

display attack-defense policy ip

Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.

Syntax

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays information about all protected IPv4 addresses.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all IRF member devices.

count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.

Examples

# Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

Slot 1:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 --               SYN-ACK-FLOOD 1000                4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

# Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Slot 1:

Totally 3 flood protected IP addresses.

Table 5 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv4 addresses protected by flood attack detection and prevention.

IP address

Protected IPv4 address.

VPN instance

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging, this field displays 0.


display attack-defense policy ipv6

Use display attack-defense policy ipv6 to display information about IPv6 addresses protected by flood attack detection and prevention.

Syntax

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all IRF member devices.

count: Displays the number of matching IPv6 addresses protected by flood attack detection and prevention.

Examples

# Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

Slot 1:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      --               SYN-ACK-FLOOD 1000                4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

# Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Slot 1:

Totally 3 flood protected IP addresses.

Table 6 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv6 addresses protected by flood attack detection and prevention.

IPv6 address

Protected IPv6 address.

VPN instance

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in units of packets sent to the IPv6 address per second. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging, this field displays 0.


display attack-defense scan attacker ip

Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.

Syntax

display attack-defense scan attacker ip [ interface interface-type interface-number [ slot slot-number ] | local ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv4 scanning attackers for all member devices.

count: Displays the number of matching IPv4 scanning attackers.

Usage guidelines

If no parameter is specified, this command displays information about all IPv4 scanning attackers.

Examples

# Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

Slot 1:

IP addr(DslitePeer)   VPN instance     Protocol      Detected on   Duration(min)

192.168.31.2(--)      --               TCP           Vlan-int1    1284

2.2.2.3(--)           --               UDP           Vlan-int1    23

# Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Slot 1:

Totally 3 attackers.

Table 7 Command output

Field

Description

Totally 3 attackers

Total number of IPv4 scanning attackers.

IP addr(DslitePeer)

The IP addr field displays the IPv4 address of the attacker.

The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--).

VPN instance

MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Protocol

Name of the protocol.

Detected on

Where the attack is detected, on the device (Local) or an interface.

Duration(min)

How long the attack lasts, in minutes.


Related commands

·     display attack-defense scan victim ip

·     scan detect

display attack-defense scan attacker ipv6

Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.

Syntax

display attack-defense scan attacker ipv6 [ interface interface-type interface-number [ slot slot-number ] | local ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attackers for all member devices.

count: Displays the number of matching IPv6 scanning attackers.

Usage guidelines

If no parameter is specified, this command displays information about all IPv6 scanning attackers.

Examples

# Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

Slot 1:

IPv6 address      VPN instance     Protocol     Detected on      Duration(min)

2013::2           --               TCP          Vlan-int1    1234

1230::22          --               UDP          Vlan-int1    10

# Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Slot 1:

Totally 3 attackers.

Table 8 Command output

Field

Description

Totally 3 attackers

Total number of IPv6 scanning attackers.

IPv6 address

IPv6 address of the attacker.

VPN instance

MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Protocol

Name of the protocol.

Detected on

Where the attack is detected, on the device (Local) or an interface.

Duration(min)

How long the attack lasts, in minutes.


Related commands

·     display attack-defense scan victim ipv6

·     scan detect

display attack-defense scan victim ip

Use display attack-defense scan victim ip to display information about IPv4 scanning attack victims.

Syntax

display attack-defense scan victim ip [ interface interface-type interface-number [ slot slot-number ] | local ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv4 scanning attack victims for all member devices.

count: Displays the number of matching IPv4 scanning attack victims.

Usage guidelines

If no parameter is specified, this command displays information about all IPv4 scanning attack victims.

Examples

# Display information about all IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip

Slot 1:

IP address      VPN instance      Protocol      Detected on        Duration(min)

192.168.31.2    --                TCP           Vlan-int1          21

2.2.2.3         --                UDP           Vlan-int1          1234

# Display the number of IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip count

Slot 1:

Totally 3 victim IP addresses.

Table 9 Command output

Field

Description

Totally 3 victim IP addresses

Total number of IPv4 scanning attack victims.

IP address

IPv4 address of the victim.

VPN instance

MPLS L3VPN instance to which the victim IPv4 address belongs. If the victim IPv4 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Protocol

Name of the protocol.

Detected on

Where the attack is detected, on the device (Local) or an interface.

Duration(min)

How long the attack lasts, in minutes.


Related commands

·     display attack-defense scan attacker ip

·     scan detect

display attack-defense scan victim ipv6

Use display attack-defense scan victim ipv6 to display information about IPv6 scanning attack victims.

Syntax

display attack-defense scan victim ipv6 [ interface interface-type interface-number [ slot slot-number ] | local ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attack victims for all member devices.

count: Displays the number of matching IPv6 scanning attack victims.

Usage guidelines

If no parameter is specified, this command displays information about all IPv6 scanning attack victims.

Examples

# Display information about all IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6

Slot 1:

IPv6 address      VPN instance     Protocol      Detected on      Duration(min)

2013::2           --               TCP           Vlan-int1        210

1230::22          --               UDP           Vlan-int1        13

# Display the number of IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6 count

Slot 1:

Totally 3 victim IP addresses.

Table 10 Command output

Field

Description

Totally 3 victim IP addresses

Total number of IPv6 scanning attack victims.

IPv6 address

IPv6 address of the victim.

VPN instance

MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--).

The device does not support this field in the current software version.

Protocol

Name of the protocol.

Detected on

Where the attack is detected, on the device (Local) or an interface.

Duration(min)

How long the attack lasts, in minutes.


Related commands

·     display attack-defense scan attacker ipv6

·     scan detect

display attack-defense statistics interface

Use display attack-defense statistics interface to display attack detection and prevention statistics on an interface.

Syntax

display attack-defense statistics interface interface-type interface-number [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays attack detection and prevention statistics for all member devices.

Examples

# Display attack detection and prevention statistics on interface VLAN-interface 200 for the member device in slot 1.

<Sysname> display attack-defense statistics interface vlan-interface 200 slot 1

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 11 Command output

Field

Description

AttackType

Type of the attack.

AttackTimes

Number of times that the attack occurred.

Dropped

Number of dropped packets.


display attack-defense statistics local

Use display attack-defense statistics local to display attack detection and prevention statistics for the device.

Syntax

display attack-defense statistics local [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays attack detection and prevention statistics for all IRF member devices.

Examples

# Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 12 Command output

Field

Description

AttackType

Type of the attack.

AttackTimes

Number of times that the attack occurred.

Dropped

Number of dropped packets.


Related commands

reset attack-defense statistics local

dns-flood action

Use dns-flood action to specify global actions against DNS flood attacks.

Use undo dns-flood action to restore the default.

Syntax

dns-flood action { drop | logging } *

undo dns-flood action

Default

No global action is specified for DNS flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent DNS packets destined for the victim IP addresses.

logging: Enables logging for DNS flood attack events.

Examples

# Specify drop as the global action against DNS flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop

Related commands

·     dns-flood detect

·     dns-flood detect non-specific

·     dns-flood threshold

dns-flood detect

Use dns-flood detect to configure IP address-specific DNS flood attack detection.

Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration.

Syntax

dns-flood detect { ip ip-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo dns-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific DNS flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Sets the threshold for triggering DNS flood attack prevention. The value range is 1 to 1000000 in units of DNS packets sent to the specified IP address per second.

action: Specifies the actions when a DNS flood attack is detected. If no action is specified, the global actions set by the dns-flood action command apply.

drop: Drops subsequent DNS packets destined for the protected IP address.

logging: Enables logging for DNS flood attack events.

none: Takes no action.

Usage guidelines

With DNS flood attack detection configured, the device is in attack detection state. When the sending rate of DNS packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure DNS flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000

Related commands

·     dns-flood action

·     dns-flood detect non-specific

·     dns-flood threshold

·     dns-flood port

dns-flood detect non-specific

Use dns-flood detect non-specific to enable global DNS flood attack detection.

Use undo dns-flood detect non-specific to restore the default.

Syntax

dns-flood detect non-specific

undo dns-flood detect non-specific

Default

Global DNS flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global DNS flood attack detection applies to all IP addresses except for those specified by the dns-flood detect command. The global detection uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command.

Examples

# Enable global DNS flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific

Related commands

·     dns-flood action

·     dns-flood detect

·     dns-flood threshold

dns-flood port

Use dns-flood port to specify the global ports to be protected against DNS flood attacks.

Use undo dns-flood port to restore the default.

Syntax

dns-flood port port-list

undo dns-flood port

Default

The DNS flood attack prevention protects port 53.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a global list of ports to be protected. Specify this argument in the format of { start-port-number [ to end-port-number ] } &<1-65535>. &<1-65535> indicates that you can specify up to 65535 ports or port lists. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only DNS packets destined for the specified ports.

The global ports apply to global DNS flood attack detection and IP address-specific DNS flood attack detection with no port specified.

Examples

# Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood port 53 61000

Related commands

·     dns-flood action

·     dns-flood detect

·     dns-flood detect non-specific

dns-flood threshold

Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention.

Use undo dns-flood threshold to restore the default.

Syntax

dns-flood threshold threshold-value

undo dns-flood threshold

Default

The global threshold is 1000 for triggering DNS flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of DNS packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global DNS flood attack detection.

Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.
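The detection and prevention states that the dns-flood detect usage guidelines describe, together with the port filtering of dns-flood port and the global fallback of dns-flood threshold and dns-flood action, are modelled below in Python. This is an added illustration, not H3C code and not the device's implementation (which this page does not show). It assumes DNS traffic is presented as (destination IP, destination port) pairs for each one-second interval, uses the documented default threshold of 1000 pps and the documented silence threshold of three-fourths of the trigger threshold, and falls back to the policy's global ports, threshold and actions when a dns-flood detect entry omits them. The host addresses and per-second packet counts in the scenario are constructed; the policy values mirror the CLI examples on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

GLOBAL_DEFAULT_THRESHOLD = 1000  # pps, documented default of dns-flood threshold
SILENCE_FACTOR = 0.75            # silence threshold = three-fourths of the trigger threshold


def parse_port_list(spec: str) -> Set[int]:
    """Expand a port-list such as '53 61000' or '53 1024 to 1026' into a set of ports.
    Each item is a single port or a 'start to end' range; end may not be below start."""
    tokens = spec.split()
    ports: Set[int] = set()
    i = 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            if end < start:
                raise ValueError(f"end port {end} is smaller than start port {start}")
            ports.update(range(start, end + 1))
            i += 3
        else:
            ports.add(start)
            i += 1
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port numbers must be 1 to 65535")
    return ports


@dataclass
class ProtectedHost:
    """One dns-flood detect entry; None means 'use the policy's global setting'."""
    threshold: Optional[int] = None
    ports: Optional[Set[int]] = None
    actions: Optional[Set[str]] = None


@dataclass
class DnsFloodPolicy:
    global_threshold: int = GLOBAL_DEFAULT_THRESHOLD           # dns-flood threshold
    global_ports: Set[int] = field(default_factory=lambda: {53})  # dns-flood port default
    global_actions: Set[str] = field(default_factory=set)       # dns-flood action
    non_specific: bool = False                                  # dns-flood detect non-specific
    hosts: Dict[str, ProtectedHost] = field(default_factory=dict)
    in_prevention: Set[str] = field(default_factory=set)        # hosts currently in prevention state

    def effective(self, ip: str) -> Optional[Tuple[int, Set[int], Set[str]]]:
        """Resolve (threshold, ports, actions) for a destination, or None if it is not protected."""
        host = self.hosts.get(ip)
        if host is None:
            if not self.non_specific:
                return None
            return self.global_threshold, self.global_ports, self.global_actions
        return (host.threshold if host.threshold is not None else self.global_threshold,
                host.ports if host.ports is not None else self.global_ports,
                host.actions if host.actions is not None else self.global_actions)

    def observe_second(self, packets: Iterable[Tuple[str, int]]) -> Dict[str, Tuple[str, Set[str]]]:
        """Feed one second of DNS packets as (dst_ip, dst_port) pairs.
        Returns {ip: (state, actions)}; actions are only applied in the prevention state."""
        rates: Dict[str, int] = {}
        for ip, port in packets:
            cfg = self.effective(ip)
            if cfg is None or port not in cfg[1]:
                continue  # unprotected host, or a port outside the protected list: not counted
            rates[ip] = rates.get(ip, 0) + 1
        result: Dict[str, Tuple[str, Set[str]]] = {}
        for ip in set(rates) | set(self.in_prevention):
            threshold, _, actions = self.effective(ip)
            rate = rates.get(ip, 0)
            if ip in self.in_prevention:
                if rate < SILENCE_FACTOR * threshold:
                    self.in_prevention.discard(ip)  # below the silence threshold: back to detection
            elif rate >= threshold:
                self.in_prevention.add(ip)          # threshold reached: enter prevention state
            state = "prevention" if ip in self.in_prevention else "detection"
            result[ip] = (state, actions if state == "prevention" else set())
        return result


def run_constructed_scenario() -> List[Dict[str, Tuple[str, Set[str]]]]:
    """Constructed traffic against a policy mirroring this page's CLI examples:
    dns-flood detect ip 192.168.1.2 port 53 threshold 2000, dns-flood port 53 61000,
    dns-flood threshold 100, dns-flood action drop, dns-flood detect non-specific."""
    policy = DnsFloodPolicy(global_threshold=100, global_ports=parse_port_list("53 61000"),
                            global_actions={"drop"}, non_specific=True)
    policy.hosts["192.168.1.2"] = ProtectedHost(threshold=2000, ports=parse_port_list("53"))
    seconds = [
        # second 1: 2000 pps to the specific host on port 53 (its port-61000 traffic is not counted),
        # 150 pps to an unlisted host, which the global detection covers
        [("192.168.1.2", 53)] * 2000 + [("10.0.0.9", 61000)] * 150 + [("192.168.1.2", 61000)] * 500,
        # second 2: both exactly at three-fourths of their thresholds, so both stay in prevention
        [("192.168.1.2", 53)] * 1500 + [("10.0.0.9", 53)] * 75,
        # second 3: both below the silence threshold, so both return to detection
        [("192.168.1.2", 53)] * 1499 + [("10.0.0.9", 53)] * 74,
    ]
    return [policy.observe_second(s) for s in seconds]
```

The host entry for 192.168.1.2 specifies no action, so in the prevention state it inherits the global drop action, exactly as the action parameter description states; a host configured with action none would carry an empty action set and only change state.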

Examples

# Set the global threshold to 100 for triggering DNS flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100

Related commands

·     dns-flood action

·     dns-flood detect

·     dns-flood detect non-specific

exempt acl

Use exempt acl to configure attack detection exemption.

Use undo exempt acl to restore the default.

Syntax

exempt acl [ ipv6 ] { acl-number | name acl-name }

undo exempt acl [ ipv6 ]

Default

Attack detection exemption is not configured. The attack defense policy applies to all incoming packets.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not specify this keyword if you specify an IPv4 ACL.

acl-number: Specifies an ACL by its number:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all.

Usage guidelines

The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted servers. The exemption feature reduces the false alarm rate and improves packet processing efficiency.

If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:

·     Source IP address.

·     Destination IP address.

·     Source port.

·     Destination port.

·     Protocol.

·     fragment keyword for matching non-first fragments.

If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.

Examples

# Configure an ACL to permit packets sourced from 1.1.1.1.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2001] quit

# Configure attack detection exemption for packets matching the ACL.

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] exempt acl 2001

Related commands

attack-defense policy

fin-flood action

Use fin-flood action to specify global actions against FIN flood attacks.

Use undo fin-flood action to restore the default.

Syntax

fin-flood action { drop | logging } *

undo fin-flood action

Default

No global action is specified for FIN flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent FIN packets destined for the victim IP addresses.

logging: Enables logging for FIN flood attack events.

Examples

# Specify drop as the global action against FIN flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop

Related commands

·     fin-flood detect

·     fin-flood detect non-specific

·     fin-flood threshold

fin-flood detect

Use fin-flood detect to configure IP address-specific FIN flood attack detection.

Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration.

Syntax

fin-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo fin-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific FIN flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to the specified IP address per second.

action: Specifies the actions when a FIN flood attack is detected. If no action is specified, the global actions set by the fin-flood action command apply.

drop: Drops subsequent FIN packets destined for the protected IP address.

logging: Enables logging for FIN flood attack events.

none: Takes no action.

Usage guidelines

With FIN flood attack detection configured, the device is in attack detection state. When the sending rate of FIN packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure FIN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     fin-flood action

·     fin-flood detect non-specific

·     fin-flood threshold

fin-flood detect non-specific

Use fin-flood detect non-specific to enable global FIN flood attack detection.

Use undo fin-flood detect non-specific to restore the default.

Syntax

fin-flood detect non-specific

undo fin-flood detect non-specific

Default

Global FIN flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global FIN flood attack detection applies to all IP addresses except for those specified by the fin-flood detect command. The global detection uses the global trigger threshold set by the fin-flood threshold command and global actions specified by the fin-flood action command.

Examples

# Enable global FIN flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific

Related commands

·     fin-flood action

·     fin-flood detect

·     fin-flood threshold

fin-flood threshold

Use fin-flood threshold to set the global threshold for triggering FIN flood attack prevention.

Use undo fin-flood threshold to restore the default.

Syntax

fin-flood threshold threshold-value

undo fin-flood threshold

Default

The global threshold is 1000 for triggering FIN flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global FIN flood attack detection.

Adjust the threshold according to the application scenarios. If the number of FIN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering FIN flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood threshold 100

Related commands

·     fin-flood action

·     fin-flood detect

·     fin-flood detect non-specific

http-flood action

Use http-flood action to specify global actions against HTTP flood attacks.

Use undo http-flood action to restore the default.

Syntax

http-flood action { drop | logging } *

undo http-flood action

Default

No global action is specified for HTTP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent HTTP packets destined for the victim IP addresses.

logging: Enables logging for HTTP flood attack events.

Examples

# Specify drop as the global action against HTTP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop

Related commands

·     http-flood detect

·     http-flood detect non-specific

·     http-flood threshold

http-flood detect

Use http-flood detect to configure IP address-specific HTTP flood attack detection.

Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.

Syntax

http-flood detect { ip ip-address | ipv6 ipv6-address } [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo http-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific HTTP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Sets the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second.

action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.

drop: Drops subsequent HTTP packets destined for the protected IP address.

logging: Enables logging for HTTP flood attack events.

none: Takes no action.

Usage guidelines

With HTTP flood attack detection configured, the device is in attack detection state. When the sending rate of HTTP packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure HTTP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip 192.168.1.2 port 80 8080 threshold 2000

Related commands

·     http-flood action

·     http-flood detect non-specific

·     http-flood threshold

·     http-flood port

http-flood detect non-specific

Use http-flood detect non-specific to enable global HTTP flood attack detection.

Use undo http-flood detect non-specific to restore the default.

Syntax

http-flood detect non-specific

undo http-flood detect non-specific

Default

Global HTTP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.

Examples

# Enable global HTTP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood detect non-specific

Related commands

·     http-flood action

·     http-flood detect

·     http-flood threshold

http-flood port

Use http-flood port to specify the global ports to be protected against HTTP flood attacks.

Use undo http-flood port to restore the default.

Syntax

http-flood port port-list

undo http-flood port

Default

The HTTP flood attack prevention protects port 80.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only HTTP packets destined for the specified ports.

The global ports apply to global HTTP flood attack detection and IP address-specific HTTP flood attack detection with no port specified.

Examples

# Specify the ports 80 and 8080 as the global ports to be protected against HTTP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080

Related commands

·     http-flood action

·     http-flood detect

·     http-flood detect non-specific

http-flood threshold

Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention.

Use undo http-flood threshold to restore the default.

Syntax

http-flood threshold threshold-value

undo http-flood threshold

Default

The global threshold is 1000 for triggering HTTP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of HTTP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global HTTP flood attack detection.

Adjust the threshold according to the application scenarios. If the number of HTTP packets sent to a protected HTTP server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering HTTP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood threshold 100

Related commands

·     http-flood action

·     http-flood detect

·     http-flood detect non-specific

icmp-flood action

Use icmp-flood action to specify global actions against ICMP flood attacks.

Use undo icmp-flood action to restore the default.

Syntax

icmp-flood action { drop | logging } *

undo icmp-flood action

Default

No global action is specified for ICMP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMP packets destined for the victim IP addresses.

logging: Enables logging for ICMP flood attack events.

Examples

# Specify drop as the global action against ICMP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood action drop

Related commands

·     icmp-flood detect non-specific

·     icmp-flood detect ip

·     icmp-flood threshold

icmp-flood detect ip

Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection.

Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration.

Syntax

icmp-flood detect ip ip-address [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmp-flood detect ip ip-address

Default

IP address-specific ICMP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

threshold threshold-value: Sets the threshold for triggering ICMP flood attack prevention. The value range is 1 to 1000000 in units of ICMP packets sent to the specified IP address per second.

action: Specifies the actions when an ICMP flood attack is detected. If no action is specified, the global actions set by the icmp-flood action command apply.

drop: Drops subsequent ICMP packets destined for the protected IP address.

logging: Enables logging for ICMP flood attack events.

none: Takes no action.

Usage guidelines

With ICMP flood attack detection configured, the device is in attack detection state. When the sending rate of ICMP packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure ICMP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     icmp-flood action

·     icmp-flood detect non-specific

·     icmp-flood threshold

icmp-flood detect non-specific

Use icmp-flood detect non-specific to enable global ICMP flood attack detection.

Use undo icmp-flood detect non-specific to restore the default.

Syntax

icmp-flood detect non-specific

undo icmp-flood detect non-specific

Default

Global ICMP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.

Examples

# Enable global ICMP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect non-specific

Related commands

·     icmp-flood action

·     icmp-flood detect ip

·     icmp-flood threshold

icmp-flood threshold

Use icmp-flood threshold to set the global threshold for triggering ICMP flood attack prevention.

Use undo icmp-flood threshold to restore the default.

Syntax

icmp-flood threshold threshold-value

undo icmp-flood threshold

Default

The global threshold is 1000 for triggering ICMP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of ICMP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global ICMP flood attack detection.

Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering ICMP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100

Related commands

·     icmp-flood action

·     icmp-flood detect ip

·     icmp-flood detect non-specific

icmpv6-flood action

Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks.

Use undo icmpv6-flood action to restore the default.

Syntax

icmpv6-flood action { drop | logging } *

undo icmpv6-flood action

Default

No global action is specified for ICMPv6 flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMPv6 packets destined for the victim IP addresses.

logging: Enables logging for ICMPv6 flood attack events.

Examples

# Specify drop as the global action against ICMPv6 flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop

Related commands

·     icmpv6-flood detect ipv6

·     icmpv6-flood detect non-specific

·     icmpv6-flood threshold

icmpv6-flood detect ipv6

Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection.

Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.

Syntax

icmpv6-flood detect ipv6 ipv6-address [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmpv6-flood detect ipv6 ipv6-address

Default

IPv6 address-specific ICMPv6 flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering ICMPv6 flood attack prevention. The value range is 1 to 1000000 in units of ICMPv6 packets sent to the specified IP address per second.

action: Specifies the actions when an ICMPv6 flood attack is detected. If no action is specified, the global actions set by the icmpv6-flood action command apply.

drop: Drops subsequent ICMPv6 packets destined for the protected IPv6 address.

logging: Enables logging for ICMPv6 flood attack events.

none: Takes no action.

Usage guidelines

With ICMPv6 flood attack detection configured, the device is in attack detection state. When the sending rate of ICMPv6 packets to a protected IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure ICMPv6 flood attack detection for 2012::12 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000

Related commands

·     icmpv6-flood action

·     icmpv6-flood detect non-specific

·     icmpv6-flood threshold

icmpv6-flood detect non-specific

Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection.

Use undo icmpv6-flood detect non-specific to restore the default.

Syntax

icmpv6-flood detect non-specific

undo icmpv6-flood detect non-specific

Default

Global ICMPv6 flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global detection uses the global trigger threshold set by the icmpv6-flood threshold command and global actions specified by the icmpv6-flood action command.

Examples

# Enable global ICMPv6 flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect non-specific

Related commands

·     icmpv6-flood action

·     icmpv6-flood detect ipv6

·     icmpv6-flood threshold

icmpv6-flood threshold

Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention.

Use undo icmpv6-flood threshold to restore the default.

Syntax

icmpv6-flood threshold threshold-value

undo icmpv6-flood threshold

Default

The global threshold is 1000 for triggering ICMPv6 flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global ICMPv6 flood attack detection.

Adjust the threshold according to the application scenarios. If the number of ICMPv6 packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering ICMPv6 flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood threshold 100

Related commands

·     icmpv6-flood action

·     icmpv6-flood detect ipv6

·     icmpv6-flood detect non-specific

reset attack-defense policy flood

Use reset attack-defense policy flood statistics to clear flood attack detection and prevention statistics.

Syntax

reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ip: Clears flood attack detection and prevention statistics for IPv4 addresses.

ipv6: Clears flood attack detection and prevention statistics for IPv6 addresses.

Examples

# Clear flood attack detection and prevention statistics for IPv4 addresses in the attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ip statistics

# Clear flood attack detection and prevention statistics for IPv6 addresses in the attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ipv6 statistics

Related commands

·     display attack-defense policy ip

·     display attack-defense policy ipv6

reset attack-defense statistics interface

Use reset attack-defense statistics interface to clear attack detection and prevention statistics for an interface.

Syntax

reset attack-defense statistics interface interface-type interface-number

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear attack detection and prevention statistics for interface VLAN-interface 200.

<Sysname> reset attack-defense statistics interface vlan-interface 200

Related commands

display attack-defense policy

reset attack-defense statistics local

Use reset attack-defense statistics local to clear attack detection and prevention statistics for the device.

Syntax

reset attack-defense statistics local

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear attack detection and prevention statistics for the device.

<Sysname> reset attack-defense statistics local

Related commands

display attack-defense statistics local

rst-flood action

Use rst-flood action to specify global actions against RST flood attacks.

Use undo rst-flood action to restore the default.

Syntax

rst-flood action { drop | logging } *

undo rst-flood action

Default

No global action is specified for RST flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent RST packets destined for the victim IP addresses.

logging: Enables logging for RST flood attack events.

Examples

# Specify drop as the global action against RST flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop

Related commands

·     rst-flood detect

·     rst-flood detect non-specific

·     rst-flood threshold

rst-flood detect

Use rst-flood detect to configure IP address-specific RST flood attack detection.

Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.

Syntax

rst-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo rst-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific RST flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering RST flood attack prevention. The value range is 1 to 1000000 in units of RST packets sent to the specified IP address per second.

action: Specifies the actions when an RST flood attack is detected. If no action is specified, the global actions set by the rst-flood action command apply.

drop: Drops subsequent RST packets destined for the protected IP address.

logging: Enables logging for RST flood attack events.

none: Takes no action.

Usage guidelines

With RST flood attack detection configured, the device is in attack detection state. When the sending rate of RST packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
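The detection/prevention state machine described in the usage guidelines of the fin-flood, http-flood, icmp-flood, icmpv6-flood and rst-flood detect commands, together with the exempt acl matching rules and the fallback from IP address-specific to global threshold and actions, modelled in Python as an added example (not H3C code). The Packet and PermitRule types, all addresses and traffic volumes are constructed; that a rule without the fragment keyword matches first and non-first fragments alike is an assumption.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SILENCE_RATIO = 0.75  # silence threshold = three-fourths of the trigger threshold


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary with only the fields an exemption ACL can match."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    non_first_fragment: bool = False


@dataclass(frozen=True)
class PermitRule:
    """ACL permit rule limited to the six criteria the page says take effect; None is a
    wildcard. Assumption: without 'fragment' a rule matches all packets, with it non-first only."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    fragment: bool = False

    def matches(self, pkt: Packet) -> bool:
        for want, got in ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
                          (self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port),
                          (self.protocol, pkt.protocol)):
            if want is not None and want != got:
                return False
        return pkt.non_first_fragment or not self.fragment


@dataclass
class FloodDetector:
    """Detection/prevention state machine for one flood type (FIN, HTTP, ICMP, ...)."""
    global_threshold: int = 1000                       # page default for '<x>-flood threshold'
    global_actions: FrozenSet[str] = frozenset()       # default: no global action
    global_detect: bool = False                        # '<x>-flood detect non-specific'
    # '<x>-flood detect ip ...': ip -> (threshold, actions); None = use global, frozenset() = 'none'
    specific: Dict[str, Tuple[Optional[int], Optional[FrozenSet[str]]]] = field(default_factory=dict)
    exempt_rules: List[PermitRule] = field(default_factory=list)  # 'exempt acl'; empty = no effect
    state: Dict[str, str] = field(default_factory=dict)           # ip -> "detection"|"prevention"

    def is_exempt(self, pkt: Packet) -> bool:
        # Permitted packets are not checked at all; an ACL without rules exempts nothing.
        return any(rule.matches(pkt) for rule in self.exempt_rules)

    def settings_for(self, ip: str) -> Optional[Tuple[int, FrozenSet[str]]]:
        """(threshold, actions) applying to ip, or None when ip is not under detection."""
        if ip in self.specific:
            thr, acts = self.specific[ip]
            return (thr if thr is not None else self.global_threshold,
                    acts if acts is not None else self.global_actions)
        return (self.global_threshold, self.global_actions) if self.global_detect else None

    def observe_second(self, packets: Iterable[Packet]) -> Dict[str, str]:
        """Feed one second of traffic; return the state of every IP under detection."""
        rate = Counter(p.dst_ip for p in packets if not self.is_exempt(p))
        result: Dict[str, str] = {}
        for ip in set(rate) | set(self.specific) | set(self.state):
            settings = self.settings_for(ip)
            if settings is None:
                continue                    # no global detection and no specific entry
            current = self.state.get(ip, "detection")
            if current == "detection" and rate[ip] >= settings[0]:
                current = "prevention"      # rate reached the trigger threshold
            elif current == "prevention" and rate[ip] < SILENCE_RATIO * settings[0]:
                current = "detection"       # rate fell below the silence threshold
            self.state[ip] = result[ip] = current
        return result

    def actions_for(self, ip: str) -> FrozenSet[str]:
        """Actions applied to subsequent packets for ip; empty unless in prevention state."""
        settings = self.settings_for(ip)
        return frozenset() if settings is None or self.state.get(ip) != "prevention" else settings[1]


def burst(src: str, dst: str, count: int) -> List[Packet]:
    """Constructed traffic: count TCP packets from src to dst within one second."""
    return [Packet(src, dst, "tcp", src_port=40000, dst_port=80)] * count


def demo() -> List[Dict[str, Tuple[str, FrozenSet[str]]]]:
    # Policy shaped like the page's examples: global drop+logging, one trusted source exempted.
    det = FloodDetector(global_actions=frozenset({"drop", "logging"}), global_detect=True,
                        exempt_rules=[PermitRule(src_ip="1.1.1.1")])  # rule permit source 1.1.1.1 0
    det.specific["192.168.1.2"] = (2000, None)          # threshold 2000, global actions
    det.specific["192.168.1.3"] = (None, frozenset())   # global threshold, action none
    seconds = [burst("10.9.9.9", "192.168.1.2", 1500) + burst("10.9.9.9", "10.0.0.9", 1200)
               + burst("1.1.1.1", "10.0.0.8", 3000),    # trusted server: exempt, never counted
               burst("10.9.9.9", "10.0.0.9", 800) + burst("10.9.9.9", "192.168.1.3", 5000),
               burst("10.9.9.9", "10.0.0.9", 749)]
    return [{ip: (st, det.actions_for(ip)) for ip, st in det.observe_second(s).items()}
            for s in seconds]
```

In the second second 10.0.0.9 stays in prevention state at 800 packets/s because that is not below the 750 packets/s silence threshold; it returns to detection state only in the third second at 749.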

Examples

# Configure RST flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     rst-flood action

·     rst-flood detect non-specific

·     rst-flood threshold

rst-flood detect non-specific

Use rst-flood detect non-specific to enable global RST flood attack detection.

Use undo rst-flood detect non-specific to restore the default.

Syntax

rst-flood detect non-specific

undo rst-flood detect non-specific

Default

Global RST flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold command and global actions specified by the rst-flood action command.

Examples

# Enable global RST flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect non-specific

Related commands

·     rst-flood action

·     rst-flood detect

·     rst-flood threshold

rst-flood threshold

Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.

Use undo rst-flood threshold to restore the default.

Syntax

rst-flood threshold threshold-value

undo rst-flood threshold

Default

The global threshold is 1000 for triggering RST flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global RST flood attack detection.

Adjust the threshold according to the application scenarios. If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering RST flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100

Related commands

·     rst-flood action

·     rst-flood detect

·     rst-flood detect non-specific

scan detect

Use scan detect to configure scanning attack detection.

Use undo scan detect to restore the default.

Syntax

scan detect level { high | low | medium } action { drop | logging } *

undo scan detect level { high | low | medium }

Default

Scanning attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

level: Specifies the level of the scanning attack detection.

low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. Statistics are collected every 60 seconds for the low level detection.

high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered as attack packets. Statistics are collected every 600 seconds for the high level detection.

medium: Specifies the medium level. Compared with the high and low levels, this level has a medium false alarm rate and attack detection rate. Statistics are collected every 90 seconds for the medium level detection.

action: Specifies the actions against scanning attacks.

drop: Drops subsequent packets from detected scanning attack sources.

logging: Enables logging for scanning attack events.

Examples

# Configure low level scanning attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop

# Configure scanning attack detection in the attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as logging.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging

signature { large-icmp | large-icmpv6 } max-length

Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.

Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.

Syntax

signature { large-icmp | large-icmpv6 } max-length length

undo signature { large-icmp | large-icmpv6 } max-length

Default

The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

large-icmp: Specifies the large ICMP packet attack signature.

large-icmpv6: Specifies the large ICMPv6 packet attack signature.

length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is 48 to 65534.

Examples

# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000

Related commands

signature detect

signature detect

Use signature detect to configure signature detection for single-packet attacks.

Use undo signature detect to remove the signature detection configuration for single-packet attacks.

Syntax

signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }

signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *

undo signature detect { ip-option-abnormal | ping-of-death | teardrop }

signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }

signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }

signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }

signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

undo signature detect ipv6-ext-header ext-header-value

Default

Signature detection is not configured for any single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

fraggle: Specifies the fraggle attack.

fragment: Specifies the fragment attack.

icmp-type: Specifies an ICMP packet attack by its signature type. You can specify the signature by the ICMP packet type value or keyword:

·     icmp-type-value: Specifies the ICMP type value in the range of 0 to 255.

·     address-mask-reply: Specifies the ICMP address mask reply type.

·     address-mask-request: Specifies the ICMP address mask request type.

·     destination-unreachable: Specifies the ICMP destination unreachable type.

·     echo-reply: Specifies the ICMP echo reply type.

·     echo-request: Specifies the ICMP echo request type.

·     information-reply: Specifies the ICMP information reply type.

·     information-request: Specifies the ICMP information request type.

·     parameter-problem: Specifies the ICMP parameter problem type.

·     redirect: Specifies the ICMP redirect type.

·     source-quench: Specifies the ICMP source quench type.

·     time-exceeded: Specifies the ICMP time exceeded type.

·     timestamp-reply: Specifies the ICMP timestamp reply type.

·     timestamp-request: Specifies the ICMP timestamp request type.

icmpv6-type: Specifies an ICMPv6 packet attack by its signature type. You can specify the signature by the ICMPv6 packet type value or keyword:

·     icmpv6-type-value: Specifies the ICMPv6 type value in the range of 0 to 255.

·     destination-unreachable: Specifies the ICMPv6 destination unreachable type.

·     echo-reply: Specifies the ICMPv6 echo reply type.

·     echo-request: Specifies the ICMPv6 echo request type.

·     group-query: Specifies the ICMPv6 group query type.

·     group-reduction: Specifies the ICMPv6 group reduction type.

·     group-report: Specifies the ICMPv6 group report type.

·     packet-too-big: Specifies the ICMPv6 packet too big type.

·     parameter-problem: Specifies the ICMPv6 parameter problem type.

·     time-exceeded: Specifies the ICMPv6 time exceeded type.

impossible: Specifies the IP impossible packet attack.

ip-option: Specifies an IP option. You can specify the IP option by its value or keyword:

·     option-code: Specifies the IP option value in the range of 0 to 255.

·     internet-timestamp: Specifies the timestamp option.

·     loose-source-routing: Specifies the loose source routing option.

·     record-route: Specifies the record route option.

·     route-alert: Specifies the route alert option.

·     security: Specifies the security option.

·     stream-id: Specifies the stream identifier option.

·     strict-source-routing: Specifies the strict source route option.

ip-option-abnormal: Specifies the abnormal IP option attack.

ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255. An IPv6 extension header attack occurs when the specified IPv6 extension header value is detected.

land: Specifies the Land attack.

large-icmp: Specifies the large ICMP packet attack.

large-icmpv6: Specifies the large ICMPv6 packet attack.

ping-of-death: Specifies the ping-of-death attack.

smurf: Specifies the smurf attack.

snork: Specifies the UDP snork attack.

tcp-all-flags: Specifies the attack where a TCP packet has all flags set.

tcp-fin-only: Specifies the attack where a single TCP FIN packet is sent to a privileged port (port number lower than 1024).

tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.

tcp-null-flag: Specifies the attack where a single TCP packet has no TCP flags set.

tcp-syn-fin: Specifies the attack where a TCP packet has both SYN and FIN flags set.

teardrop: Specifies the teardrop attack.

tiny-fragment: Specifies the tiny fragment attack.

traceroute: Specifies the traceroute attack.

udp-bomb: Specifies the UDP bomb attack.

winnuke: Specifies the WinNuke attack.

action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.

drop: Drops packets that match the specified signature.

logging: Enables logging for the specified single-packet attack.

none: Takes no action.

Usage guidelines

One command execution enables signature detection only for one single-packet attack type. You can use this command multiple times to configure signature detection for multiple single-packet attack types.

When you specify a packet type by its value, if the packet type has a corresponding keyword, the keyword is displayed in command output. Otherwise, the value is displayed.

Examples

# Configure signature detection for smurf attack in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature detect smurf action drop

Related commands

signature level action

signature level action

Use signature level action to specify the actions against single-packet attacks of a specific level.

Use undo signature level action to restore the default.

Syntax

signature level { high | info | low | medium } action { { drop | logging } * | none }

undo signature level { high | info | low | medium } action

Default

For informational-level and low-level single-packet attacks, the action is logging.

For medium-level and high-level single-packet attacks, the actions are logging and drop.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, the large ICMP packet attack is of this level.

low: Specifies the low level. For example, the traceroute attack is of this level.

medium: Specifies the medium level. For example, the WinNuke attack is of this level.

drop: Drops packets that match the specified level.

logging: Enables logging for single-packet attacks of the specified level.

none: Takes no action.

Usage guidelines

According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high.

If you enable the level-specific signature detection for single-packet attacks, the signature detection is enabled for all single-packet attacks of the level. If you enable the signature detection for a single-packet attack by using the signature detect command, action parameters in the signature detect command take effect.

Examples

# Specify the action against informational level single-packet attacks as drop in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature level info action drop

Related commands

·     signature detect

·     signature level detect

signature level detect

Use signature level detect to enable signature detection for single-packet attacks of a specific level.

Use undo signature level detect to disable signature detection for single-packet attacks of a specific level.

Syntax

signature level { high | info | low | medium } detect

undo signature level { high | info | low | medium } detect

Default

Signature detection is disabled for all levels of single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, the large ICMP packet attack is of this level.

low: Specifies the low level. For example, the traceroute attack is of this level.

medium: Specifies the medium level. For example, the WinNuke attack is of this level.

Usage guidelines

According to their severity, single-packet attacks fall into four levels: info, low, medium, and high.

If you enable the level-specific signature detection for single-packet attacks, the signature detection is enabled for all single-packet attacks of the level. If you enable the signature detection for a single-packet attack by using the signature detect command, action parameters in the signature detect command take effect.

Use the signature level action command to specify the actions against single-packet attacks of a specific level. To display the level to which a single-packet attack belongs, use the display attack-defense policy command.
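The interaction between signature detect, signature level detect and signature level action described above, as an added Python model (not H3C code). It implements only the signatures the reference defines precisely (the TCP flag checks and large-icmp with its max-length); the severity levels of the TCP-flag signatures are assumed placeholders, since the page states levels only for large-icmp, traceroute and winnuke.

```python
"""Single-packet signature matching with level-based default actions.

Added illustration, not H3C code. A signature is checked if it was enabled
individually (`signature detect X`) or its whole severity level was enabled
(`signature level L detect`). Its action comes from the signature's own
`action` keyword when one was given, otherwise from the level's action
(default: logging for info/low, logging and drop for medium/high).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# Severity level of each signature. large-icmp (info), traceroute (low) and
# winnuke (medium) are stated in the reference; the TCP-flag levels below are
# ASSUMED placeholders for this illustration, not values from the reference.
SIGNATURE_LEVEL: Dict[str, str] = {
    "large-icmp": "info", "traceroute": "low", "winnuke": "medium",
    "tcp-all-flags": "medium", "tcp-syn-fin": "medium",
    "tcp-null-flag": "medium", "tcp-fin-only": "low",
}

# Defaults of `signature level L action` as documented.
DEFAULT_LEVEL_ACTION: Dict[str, FrozenSet[str]] = {
    "info": frozenset({"logging"}), "low": frozenset({"logging"}),
    "medium": frozenset({"logging", "drop"}), "high": frozenset({"logging", "drop"}),
}


@dataclass
class Packet:
    """Constructed minimal packet view: only the fields the signatures inspect."""
    proto: str                   # "tcp", "udp" or "icmp"
    length: int = 0              # total packet length in bytes
    dst_port: int = 0
    tcp_flags: int = 0


@dataclass
class SignaturePolicy:
    large_icmp_max_length: int = 4000                     # `signature large-icmp max-length`
    level_detect: Set[str] = field(default_factory=set)   # `signature level L detect`
    level_action: Dict[str, FrozenSet[str]] = field(
        default_factory=lambda: dict(DEFAULT_LEVEL_ACTION))  # `signature level L action`
    # signature -> explicit actions, or None when `signature detect X` carried no action
    detect: Dict[str, Optional[FrozenSet[str]]] = field(default_factory=dict)

    def enabled(self, sig: str) -> bool:
        return sig in self.detect or SIGNATURE_LEVEL[sig] in self.level_detect

    def actions_for(self, sig: str) -> FrozenSet[str]:
        explicit = self.detect.get(sig)
        if explicit is not None:              # per-signature action takes precedence
            return explicit
        return self.level_action[SIGNATURE_LEVEL[sig]]


def matches(sig: str, pkt: Packet, policy: SignaturePolicy) -> bool:
    """Signature checks the reference defines precisely enough to implement."""
    if sig == "large-icmp":
        return pkt.proto == "icmp" and pkt.length > policy.large_icmp_max_length
    if pkt.proto != "tcp":
        return False
    if sig == "tcp-all-flags":
        return pkt.tcp_flags == ALL_FLAGS
    if sig == "tcp-syn-fin":
        return (pkt.tcp_flags & (SYN | FIN)) == (SYN | FIN)
    if sig == "tcp-null-flag":
        return pkt.tcp_flags == 0
    if sig == "tcp-fin-only":     # lone FIN toward a privileged port (< 1024)
        return pkt.tcp_flags == FIN and pkt.dst_port < 1024
    return False                  # traceroute / winnuke: not defined on the page


def inspect(pkt: Packet, policy: SignaturePolicy) -> Tuple[List[str], FrozenSet[str]]:
    """Return (matched enabled signatures, union of the actions they trigger).

    `action none` is represented by an empty frozenset, so it contributes nothing.
    """
    hits = [sig for sig in SIGNATURE_LEVEL
            if policy.enabled(sig) and matches(sig, pkt, policy)]
    actions: FrozenSet[str] = frozenset()
    for sig in hits:
        actions |= policy.actions_for(sig)
    return hits, actions


if __name__ == "__main__":
    # `signature level info detect` with the default 4000-byte large-icmp limit.
    policy = SignaturePolicy(level_detect={"info"})
    print(inspect(Packet("icmp", length=5000), policy))   # large-icmp -> logging
```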

Examples

# Enable signature detection for informational level single-packet attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy 1

[Sysname-attack-defense-policy-1] signature level info detect

Related commands

·     display attack-defense policy

·     signature detect

·     signature level action

syn-ack-flood action

Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks.

Use undo syn-ack-flood action to restore the default.

Syntax

syn-ack-flood action { drop | logging } *

undo syn-ack-flood action

Default

No global action is specified for SYN-ACK flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent SYN-ACK packets destined for the victim IP addresses.

logging: Enables logging for SYN-ACK flood attack events.

Examples

# Specify drop as the global action against SYN-ACK flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop

Related commands

·     syn-ack-flood detect

·     syn-ack-flood detect non-specific

·     syn-ack-flood threshold

syn-ack-flood detect

Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection.

Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.

Syntax

syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo syn-ack-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific SYN-ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per second.

action: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the global actions set by the syn-ack-flood action command apply.

drop: Drops subsequent SYN-ACK packets destined for the protected IP address.

logging: Enables logging for SYN-ACK flood attack events.

none: Takes no action.

Usage guidelines

With SYN-ACK flood attack detection configured, the device is in attack detection state. When the sending rate of SYN-ACK packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure SYN-ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     syn-ack-flood action

·     syn-ack-flood detect non-specific

·     syn-ack-flood threshold

syn-ack-flood detect non-specific

Use syn-ack-flood detect non-specific to enable global SYN-ACK flood attack detection.

Use undo syn-ack-flood detect non-specific to restore the default.

Syntax

syn-ack-flood detect non-specific

undo syn-ack-flood detect non-specific

Default

Global SYN-ACK flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global SYN-ACK flood attack detection applies to all IP addresses except for those specified by the syn-ack-flood detect command. The global detection uses the global trigger threshold set by the syn-ack-flood threshold command and global actions specified by the syn-ack-flood action command.

Examples

# Enable global SYN-ACK flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect non-specific

Related commands

·     syn-ack-flood action

·     syn-ack-flood detect

·     syn-ack-flood threshold

syn-ack-flood threshold

Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention.

Use undo syn-ack-flood threshold to restore the default.

Syntax

syn-ack-flood threshold threshold-value

undo syn-ack-flood threshold

Default

The global threshold is 1000 for triggering SYN-ACK flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global SYN-ACK flood attack detection.

Adjust the threshold according to the application scenarios. If the number of SYN-ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering SYN-ACK flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood threshold 100

Related commands

·     syn-ack-flood action

·     syn-ack-flood detect

·     syn-ack-flood detect non-specific

syn-flood action

Use syn-flood action to specify global actions against SYN flood attacks.

Use undo syn-flood action to restore the default.

Syntax

syn-flood action { drop | logging } *

undo syn-flood action

Default

No global action is specified for SYN flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent SYN packets destined for the victim IP addresses.

logging: Enables logging for SYN flood attack events.

Examples

# Specify drop as the global action against SYN flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop

Related commands

·     syn-flood detect

·     syn-flood detect non-specific

·     syn-flood threshold

syn-flood detect

Use syn-flood detect to configure IP address-specific SYN flood attack detection.

Use undo syn-flood detect to remove the IP address-specific SYN flood attack detection configuration.

Syntax

syn-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo syn-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific SYN flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering SYN flood attack prevention. The value range is 1 to 1000000 in units of SYN packets sent to the specified IP address per second.

action: Specifies the actions when a SYN flood attack is detected. If no action is specified, the global actions set by the syn-flood action command apply.

drop: Drops subsequent SYN packets destined for the protected IP address.

logging: Enables logging for SYN flood attack events.

none: Takes no action.

Usage guidelines

With SYN flood attack detection configured, the device is in attack detection state. When the sending rate of SYN packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure SYN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     syn-flood action

·     syn-flood detect non-specific

·     syn-flood threshold

syn-flood detect non-specific

Use syn-flood detect non-specific to enable global SYN flood attack detection.

Use undo syn-flood detect non-specific to restore the default.

Syntax

syn-flood detect non-specific

undo syn-flood detect non-specific

Default

Global SYN flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.

Examples

# Enable global SYN flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect non-specific

Related commands

·     syn-flood action

·     syn-flood detect

·     syn-flood threshold

syn-flood threshold

Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention.

Use undo syn-flood threshold to restore the default.

Syntax

syn-flood threshold threshold-value

undo syn-flood threshold

Default

The global threshold is 1000 for triggering SYN flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of SYN packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global SYN flood attack detection.

Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering SYN flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 100

Related commands

·     syn-flood action

·     syn-flood detect

·     syn-flood detect non-specific

udp-flood action

Use udp-flood action to specify global actions against UDP flood attacks.

Use undo udp-flood action to restore the default.

Syntax

udp-flood action { drop | logging } *

undo udp-flood action

Default

No global action is specified for UDP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent UDP packets destined for the victim IP addresses.

logging: Enables logging for UDP flood attack events.

Examples

# Specify drop as the global action against UDP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood action drop

Related commands

·     udp-flood detect

·     udp-flood detect non-specific

·     udp-flood threshold

udp-flood detect

Use udp-flood detect to configure IP address-specific UDP flood attack detection.

Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration.

Syntax

udp-flood detect { ip ip-address | ipv6 ipv6-address } [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo udp-flood detect { ip ip-address | ipv6 ipv6-address }

Default

IP address-specific UDP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

threshold threshold-value: Sets the threshold for triggering UDP flood attack prevention. The value range is 1 to 1000000 in units of UDP packets sent to the specified IP address per second.

action: Specifies the actions when a UDP flood attack is detected. If no action is specified, the global actions set by the udp-flood action command apply.

drop: Drops subsequent UDP packets destined for the protected IP address.

logging: Enables logging for UDP flood attack events.

none: Takes no action.

Usage guidelines

With UDP flood attack detection configured, the device is in attack detection state. When the device detects that the sending rate of UDP packets to a protected IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
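The detection/prevention state machine described in the usage guidelines for syn-ack-flood detect, syn-flood detect and udp-flood detect (and the global threshold and action fallbacks from the threshold, action and detect non-specific commands), as an added Python model that is not H3C code. It assumes that an address-specific entry without its own threshold inherits the global threshold, which the page states only for actions.

```python
"""Flood detection state machine with the three-fourths silence threshold.

Added illustration, not H3C code. Per destination address the detector starts
in DETECT state, enters PREVENT when the per-second packet rate toward that
address reaches the trigger threshold, applies the configured actions while in
PREVENT, and returns to DETECT once the rate falls below three-fourths of the
threshold. Addresses with their own `detect ip` entry use that entry; all other
addresses are covered only when `detect non-specific` is enabled, with the
global threshold and global actions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

DETECT = "detect"
PREVENT = "prevent"


@dataclass
class FloodPolicy:
    """Flood settings of one attack-defense policy for one packet type."""
    global_threshold: int = 1000                  # `<type>-flood threshold` default
    global_actions: FrozenSet[str] = frozenset()  # `<type>-flood action`: none by default
    global_detect: bool = False                   # `<type>-flood detect non-specific`
    # ip -> (threshold or None, actions or None) from `<type>-flood detect ip ...`
    specific: Dict[str, Tuple[Optional[int], Optional[FrozenSet[str]]]] = field(
        default_factory=dict)

    def resolve(self, ip: str) -> Optional[Tuple[int, FrozenSet[str]]]:
        """Return the (threshold, actions) that apply to ip, or None if unmonitored."""
        if ip in self.specific:
            threshold, actions = self.specific[ip]
            # Assumption (the page states it only for actions): an address-specific
            # entry without its own threshold inherits the global threshold.
            return (threshold if threshold is not None else self.global_threshold,
                    actions if actions is not None else self.global_actions)
        if self.global_detect:
            return self.global_threshold, self.global_actions
        return None


class FloodDetector:
    """Tracks DETECT/PREVENT state per protected address."""

    def __init__(self, policy: FloodPolicy) -> None:
        self.policy = policy
        self.state: Dict[str, str] = {}

    def observe(self, ip: str, pps: int) -> Optional[Tuple[str, FrozenSet[str]]]:
        """Feed one second's packet count toward ip.

        Returns (state after this second, actions applied during this second),
        or None when ip is not covered by any detection entry.
        """
        resolved = self.policy.resolve(ip)
        if resolved is None:
            return None
        threshold, actions = resolved
        silence = threshold * 3 / 4                 # silence threshold per the guidelines
        state = self.state.get(ip, DETECT)
        if state == DETECT and pps >= threshold:    # rate "reaches the threshold"
            state = PREVENT
        elif state == PREVENT and pps < silence:    # rate "below the silence threshold"
            state = DETECT
        # Between the silence and trigger thresholds the state is kept (hysteresis),
        # which stops the device flapping while the rate hovers near the threshold.
        self.state[ip] = state
        return state, (actions if state == PREVENT else frozenset())


def run_trace(policy: FloodPolicy,
              trace: List[Tuple[str, int]]) -> List[Optional[Tuple[str, FrozenSet[str]]]]:
    """Replay a per-second trace of (dst_ip, packets_per_second) through one detector."""
    detector = FloodDetector(policy)
    return [detector.observe(ip, pps) for ip, pps in trace]


if __name__ == "__main__":
    # Constructed policy mirroring the reference's examples:
    #   syn-flood detect ip 192.168.1.2 threshold 2000
    #   syn-flood action drop  +  syn-flood detect non-specific  (global threshold 1000)
    policy = FloodPolicy(global_actions=frozenset({"drop"}), global_detect=True,
                         specific={"192.168.1.2": (2000, None)})
    # Constructed sample trace: a burst toward the protected server, then decay.
    for step in run_trace(policy, [("192.168.1.2", 1500), ("192.168.1.2", 2000),
                                   ("192.168.1.2", 1600), ("192.168.1.2", 1499)]):
        print(step)
```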

Examples

# Configure UDP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000

Related commands

·     udp-flood action

·     udp-flood detect non-specific

·     udp-flood threshold

udp-flood detect non-specific

Use udp-flood detect non-specific to enable global UDP flood attack detection.

Use undo udp-flood detect non-specific to restore the default.

Syntax

udp-flood detect non-specific

undo udp-flood detect non-specific

Default

Global UDP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global UDP flood attack detection applies to all IP addresses except for those specified by the udp-flood detect command. The global detection uses the global trigger threshold set by the udp-flood threshold command and global actions specified by the udp-flood action command.

Examples

# Enable global UDP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect non-specific

Related commands

·     udp-flood action

·     udp-flood detect

·     udp-flood threshold

udp-flood threshold

Use udp-flood threshold to set the global threshold for triggering UDP flood attack prevention.

Use undo udp-flood threshold to restore the default.

Syntax

udp-flood threshold threshold-value

undo udp-flood threshold

Default

The global threshold is 1000 for triggering UDP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Sets the threshold value. The value range is 1 to 1000000 in units of UDP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global UDP flood attack detection.

Adjust the threshold according to the application scenarios. If the number of UDP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

Examples

# Set the global threshold to 100 for triggering UDP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood threshold 100

Related commands

·     udp-flood action

·     udp-flood detect

·     udp-flood detect non-specific