11-Security Command Reference

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsCommandCommand ReferencesH3C VSR Series Virtual Services Routers Command References(V7)-R0621-6W30011-Security Command Reference
20-Attack detection and prevention commands
Title Size Download
20-Attack detection and prevention commands 645.66 KB

Contents

Attack detection and prevention commands· 1

ack-flood action· 1

ack-flood detect 2

ack-flood detect non-specific· 3

ack-flood threshold· 4

attack-defense apply policy· 5

attack-defense local apply policy· 6

attack-defense login block-timeout 6

attack-defense login enable· 7

attack-defense login max-attempt 8

attack-defense login reauthentication-delay· 8

attack-defense policy· 9

attack-defense signature log non-aggregate· 10

attack-defense top-attack-statistics enable· 10

blacklist destination-ip· 11

blacklist destination-ipv6· 12

blacklist enable· 13

blacklist global enable· 14

blacklist ip· 14

blacklist ipv6· 15

blacklist logging enable· 16

blacklist object-group· 17

blacklist user 18

client-verify dns enable· 19

client-verify dns-reply enable· 20

client-verify http enable· 20

client-verify sip enable (interface view) 21

client-verify protected ip· 22

client-verify protected ipv6· 23

client-verify tcp enable· 24

display attack-defense flood statistics ip· 25

display attack-defense flood statistics ipv6· 28

display attack-defense policy· 30

display attack-defense policy ip· 36

display attack-defense policy ipv6· 38

display attack-defense scan attacker ip· 40

display attack-defense scan attacker ipv6· 42

display attack-defense statistics interface· 43

display attack-defense statistics local 49

display attack-defense top-attack-statistics· 55

display blacklist destination-ip· 56

display blacklist destination-ipv6· 58

display blacklist ip· 60

display blacklist ipv6· 62

display blacklist user 63

display client-verify protected ip· 64

display client-verify protected ipv6· 66

display client-verify trusted ip· 68

display client-verify trusted ipv6· 70

display whitelist object-group· 71

dns-flood action· 72

dns-flood detect 73

dns-flood detect non-specific· 75

dns-flood port 76

dns-flood threshold· 76

dns-reply-flood action· 77

dns-reply-flood detect 78

dns-reply-flood detect non-specific· 80

dns-reply-flood port 81

dns-reply-flood threshold· 82

exempt acl 82

fin-flood action· 84

fin-flood detect 85

fin-flood detect non-specific· 86

fin-flood threshold· 87

http-flood action· 88

http-flood detect 89

http-flood detect non-specific· 90

http-flood port 91

http-flood threshold· 92

icmp-flood action· 93

icmp-flood detect ip· 93

icmp-flood detect non-specific· 95

icmp-flood threshold· 95

icmpv6-flood action· 96

icmpv6-flood detect ipv6· 97

icmpv6-flood detect non-specific· 99

icmpv6-flood threshold· 99

reset attack-defense policy flood· 100

reset attack-defense statistics interface· 101

reset attack-defense statistics local 101

reset attack-defense top-attack-statistics· 102

reset blacklist destination-ip· 102

reset blacklist destination-ipv6· 103

reset blacklist ip· 103

reset blacklist ipv6· 104

reset blacklist statistics· 105

reset client-verify protected statistics· 105

reset client-verify trusted· 106

reset whitelist statistics· 106

rst-flood action· 107

rst-flood detect 108

rst-flood detect non-specific· 109

rst-flood threshold· 110

scan detect 111

signature { large-icmp | large-icmpv6 } max-length· 113

signature detect 114

signature level action· 117

signature level detect 118

sip-flood action· 119

sip-flood detect 120

sip-flood detect non-specific· 122

sip-flood port 123

sip-flood threshold· 123

syn-ack-flood action· 124

syn-ack-flood detect 125

syn-ack-flood detect non-specific· 127

syn-ack-flood threshold· 128

syn-flood action· 128

syn-flood detect 129

syn-flood detect non-specific· 131

syn-flood threshold· 132

threshold-learn apply· 132

threshold-learn auto-apply enable· 133

threshold-learn duration· 134

threshold-learn enable· 135

threshold-learn interval 135

threshold-learn mode· 136

threshold-learn tolerance-value· 137

udp-flood action· 138

udp-flood detect 139

udp-flood detect non-specific· 140

udp-flood threshold· 141

whitelist enable· 142

whitelist global enable· 142

whitelist object-group· 143

 


Attack detection and prevention commands

ack-flood action

Use ack-flood action to specify global actions against ACK flood attacks.

Use undo ack-flood action to restore the default.

Syntax

ack-flood action { client-verify | drop | logging } *

undo ack-flood action

Default

No global action is specified for ACK flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent ACK packets destined for the victim IP addresses.

logging: Enables logging for ACK flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

The logging keyword enables the attack detection and prevention module to log ACK flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against ACK flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop

Related commands

ack-flood threshold

ack-flood detect

ack-flood detect non-specific

client-verify tcp enable

ack-flood detect

Use ack-flood detect to configure IP address-specific ACK flood attack detection.

Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.

Syntax

ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the maximum receiving rate in pps for ACK packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected ACK flood attack. If no action is specified, the global actions set by the ack-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent ACK packets destined for the protected IP address.

logging: Enables logging for ACK flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of ACK packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure ACK flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log ACK flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

ack-flood action

ack-flood detect non-specific

ack-flood threshold

client-verify tcp enable

ack-flood detect non-specific

Use ack-flood detect non-specific to enable global ACK flood attack detection.

Use undo ack-flood detect non-specific to disable global ACK flood attack detection.

Syntax

ack-flood detect non-specific

undo ack-flood detect non-specific

Default

Global ACK flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command. The global detection uses the global trigger threshold set by the ack-flood threshold command and global actions specified by the ack-flood action command.

Examples

# Enable global ACK flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect non-specific

Related commands

ack-flood action

ack-flood detect

ack-flood threshold

ack-flood threshold

Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention.

Use undo ack-flood threshold to restore the default.

Syntax

ack-flood threshold threshold-value

undo ack-flood threshold

Default

The global threshold is 1000 for triggering ACK flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for ACK packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global ACK flood attack detection configured, the device is in attack detection state. When the receiving rate of ACK packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global ACK flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering ACK flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 100

Related commands

ack-flood action

ack-flood detect

ack-flood detect non-specific

attack-defense apply policy

Use attack-defense apply policy to apply an attack defense policy to an interface.

Use undo attack-defense apply policy to restore the default.

Syntax

attack-defense apply policy policy-name

undo attack-defense apply policy

Default

No attack defense policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An interface can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to multiple interfaces.

Examples

# Apply attack defense policy atk-policy-1 to GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] attack-defense apply policy atk-policy-1

Related commands

attack-defense policy

display attack-defense policy

attack-defense local apply policy

Use attack-defense local apply policy to apply an attack defense policy to the device.

Use undo attack-defense local apply policy to restore the default.

Syntax

attack-defense local apply policy policy-name

undo attack-defense local apply policy

Default

No attack defense policy is applied to the device.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device.

Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device.

Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to the device itself and to multiple interfaces.

If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows:

1.     The policy applied to the receiving interface processes the packet.

2.     If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.

Examples

# Apply attack defense policy atk-policy-1 to the device.

<Sysname> system-view

[Sysname] attack-defense local apply policy atk-policy-1

Related commands

attack-defense policy

display attack-defense policy

attack-defense login block-timeout

Use attack-defense login block-timeout to set the block period during which a login attempt is blocked.

Use undo attack-defense login block-timeout to restore the default.

Syntax

attack-defense login block-timeout minutes

undo attack-defense login block-timeout

Default

The block period is 60 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the block period in minutes, in the range of 1 to 2880.

Usage guidelines

After a user fails the maximum number of login attempts, login attack prevention triggers the blacklist module to add the user's IP address to the blacklist. The block period determines how long the user is on the blacklist. During the period, login attempts from the user are blocked.

Examples

# Set the block period to 5 minutes.

<Sysname> system-view

[Sysname] attack-defense login block-timeout 5

attack-defense login enable

Use attack-defense login enable to enable login attack prevention.

Use undo attack-defense login enable to disable login attack prevention.

Syntax

attack-defense login enable

undo attack-defense login enable

Default

Login attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period.

For login attack prevention to take effect, you must enable the global blacklist feature.

Examples

# Enable login attack prevention.

<Sysname> system-view

[Sysname] attack-defense login enable

Related commands

blacklist global enable

attack-defense login max-attempt

Use attack-defense login max-attempt to set the maximum number of successive login failures for each user.

Use undo attack-defense login max-attempt to restore the default.

Syntax

attack-defense login max-attempt max-attempt

undo attack-defense login max-attempt

Default

Login attack prevention detects a login attack if a user fails three successive login attempts.

Views

System view

Predefined user roles

network-admin

Parameters

max-attempt: Specifies the maximum number of login failures. The value range is 1 to 60.

Usage guidelines

After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period.

For login attack prevention to take effect, you must enable the global blacklist feature.

The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset.

Examples

# Set the maximum number of successive login failures to five.

<Sysname> system-view

[Sysname] attack-defense login max-attempt 5

Related commands

attack-defense login enable

attack-defense login reauthentication-delay

Use attack-defense login reauthentication-delay to enable the login delay feature and set the delay period.

Use undo attack-defense login reauthentication-delay to restore the default.

Syntax

attack-defense login reauthentication-delay seconds

undo attack-defense login reauthentication-delay

Default

The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the delay period in seconds, in the range of 4 to 60.

Usage guidelines

The login delay feature delays the device to accept a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks.

The login delay feature is independent of the login attack prevention feature.

Examples

# Enable the login delay feature and set the delay period to 5 seconds.

<Sysname> system-view

[Sysname] attack-defense login reauthentication-delay 5

attack-defense policy

Use attack-defense policy to create an attack defense policy and enter its view, or enter the view of an existing attack defense policy.

Use undo attack-defense policy to delete an attack defense policy.

Syntax

attack-defense policy policy-name

undo attack-defense policy policy-name

Default

No attack defense policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Examples

# Create attack defense policy atk-policy-1 and enter its view.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1]

Related commands

attack-defense apply policy

display attack-defense policy

attack-defense signature log non-aggregate

Use attack-defense signature log non-aggregate to enable log non-aggregation for single-packet attack events.

Use undo attack-defense signature log non-aggregate to restore the default.

Syntax

attack-defense signature log non-aggregate

undo attack-defense signature log non-aggregate

Default

Log non-aggregation is disabled for single-packet attack events.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Log aggregation aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common:

·     Location where the attacks are detected: device or interface.

·     Attack type.

·     Attack prevention action.

·     Source and destination IP addresses.

·     VPN instance to which the victim IP address belongs.

As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.

Examples

# Enable log non-aggregation for single-packet attack events.

<Sysname> system-view

[Sysname] attack-defense signature log non-aggregate

Related commands

signature detect

attack-defense top-attack-statistics enable

Use attack-defense top-attack-statistics enable to enable the top attack statistics ranking feature.

Use undo attack-defense top-attack-statistics enable to disable the top attack statistics ranking feature.

Syntax

attack-defense top-attack-statistics enable

undo attack-defense top-attack-statistics enable

Default

The top attack statistics ranking feature is disabled.

Views

System view.

Predefined user roles

network-admin

Usage guidelines

This feature collects statistics about number of dropped attack packets based on attacker, victim, and attack type and ranks the statistics by attacker and victim.

To display the top attack statistics, use the display attack-defense top-attack-statistics command.

Examples

# Enable the top attack statistics ranking feature.

<Sysname> system-view

[Sysname] attack-defense top-attack-statistics enable

Related commands

display attack-defense top-attack-statistics

blacklist destination-ip

Use blacklist destination-ip to add a destination IPv4 blacklist entry.

Use undo blacklist destination-ip to delete a destination IPv4 blacklist entry.

Syntax

blacklist destination-ip destination-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]

undo blacklist destination-ip destination-ip-address [ vpn-instance vpn-instance-name ]

Default

No destination IPv4 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

destination-ip-address Specifies an IPv4 address for the destination blacklist entry. Packets destined for this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

timeout minutes: Specifies the aging time for the destination blacklist entry, in the range of 1 to 10080 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist destination-ip command deletes only manually added destination IPv4 blacklist entries. To delete dynamically added destination IPv4 blacklist entries, use the reset blacklist destination-ip command.

A destination blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist destination-ip command to display all effective destination IPv4 blacklist entries.

Examples

# Add a destination blacklist entry for IPv4 address 192.168.1.2 and set the aging time to 20 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ip 192.168.1.2 timeout 20

Related commands

blacklist enable

blacklist global enable

display blacklist destination-ip

blacklist destination-ipv6

Use blacklist destination-ipv6 to add a destination IPv6 blacklist entry.

Use undo blacklist destination-ipv6 to delete a destination IPv6 blacklist entry.

Syntax

blacklist destination-ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]

undo blacklist destination-ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ]

Default

No destination IPv6 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

destination-ipv6-address: Specifies an IPv6 address for the blacklist entry. Packets destined for this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

timeout minutes: Specifies the aging time for the blacklist entry, in the range of 1 to 10080 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist destination-ipv6 command deletes only manually added destination IPv6 blacklist entries. To delete dynamically added destination IPv6 blacklist entries, use the reset blacklist ipv6 command.

A destination blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist destination-ipv6 command to display all effective destination IPv6 blacklist entries.

Examples

# Add a destination blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ipv6 2012::12:25 timeout 10

Related commands

blacklist enable

blacklist global enable

blacklist destination-ipv6

blacklist enable

Use blacklist enable to enable the blacklist feature on an interface.

Use undo blacklist enable to disable the blacklist feature on an interface.

Syntax

blacklist enable

undo blacklist enable

Default

The blacklist feature is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces. If the global blacklist feature is disabled, you can use this command to enable the blacklist feature on individual interfaces.

Examples

# Enable the blacklist feature on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] blacklist enable

Related commands

blacklist ip

blacklist ipv6

blacklist global enable

Use blacklist global enable to enable the global blacklist feature.

Use undo blacklist global enable to disable the global blacklist feature.

Syntax

blacklist global enable

undo blacklist global enable

Default

The global blacklist feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces.

Examples

# Enable the global blacklist feature.

<Sysname> system-view

[Sysname] blacklist global enable

Related commands

blacklist enable

blacklist ip

blacklist ip

Use blacklist ip to add a source IPv4 blacklist entry.

Use undo blacklist ip to delete a source IPv4 blacklist entry.

Syntax

blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] [ timeout minutes ]

undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ]

Default

No source IPv4 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

source-ip-address: Specifies an IPv4 address for the source blacklist entry. Packets sourced from this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.

timeout minutes: Specifies the aging time in minutes for the source blacklist entry, in the range of 1 to 10080. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist ip command deletes only manually added source IPv4 blacklist entries. To delete dynamically added source IPv4 blacklist entries, use the reset blacklist ip command.

A source blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist ip command to display all effective source IPv4 blacklist entries.

Examples

# Add a source blacklist entry for IPv4 address 192.168.1.2 and set the aging time to 20 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ip 192.168.1.2 timeout 20

Related commands

blacklist enable

blacklist global enable

display blacklist ip

blacklist ipv6

Use blacklist ipv6 to add a source IPv6 blacklist entry.

Use undo blacklist ipv6 to delete a source IPv6 blacklist entry.

Syntax

blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]

undo blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ]

Default

No source IPv6 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

source-ipv6-address: Specifies an IPv6 address for the source blacklist entry. Packets sourced from this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

timeout minutes: Specifies the aging time in minutes for the source blacklist entry, in the range of 1 to 10080. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist ipv6 command deletes only manually added source IPv6 blacklist entries. To delete dynamically added source IPv6 blacklist entries, use the reset blacklist ipv6 command.

A source blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist ipv6 command to display all effective source IPv6 blacklist entries.

Examples

# Add a source blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ipv6 2012::12:25 timeout 10

Related commands

blacklist enable

blacklist global enable

blacklist ip

blacklist logging enable

Use blacklist logging enable to enable logging for the blacklist feature.

Use undo blacklist logging enable to disable logging for the blacklist feature.

Syntax

blacklist logging enable

undo blacklist logging enable

Default

Logging is disabled for the blacklist feature.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With logging enabled for the blacklist feature, the system outputs logs in the following situations:

·     A blacklist entry is manually added.

·     A blacklist entry is dynamically added by the scanning attack detection feature.

·     A blacklist entry is manually deleted.

·     A blacklist entry ages out.

A blacklist log records the following information:

·     Source IP address of the blacklist entry.

·     Remote IP address of the DS-Lite tunnel.

·     VPN instance name.

·     Reason for adding or deleting the blacklist entry.

·     Aging time for the blacklist entry.

This command enables the attack detection and prevention module to log blacklist events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output blacklist logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view blacklist logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for the blacklist feature.

<Sysname> system-view

[Sysname] blacklist logging enable

# Add 192.168.1.2 to the blacklist. A log is output for the adding event.

[Sysname] blacklist ip 192.168.100.12

%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.

# Delete 192.168.1.2 from the blacklist. A log is output for the deletion event.

[Sysname] undo blacklist ip 192.168.100.12

%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; Reason(1052)=Configuration.

Related commands

blacklist ip

blacklist ipv6

blacklist object-group

Use blacklist object-group to add an address object group to the blacklist.

Use undo blacklist object-group to restore the default.

Syntax

blacklist object-group object-group-name

undo blacklist object-group

Default

No address object group is on the blacklist.

Views

System view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command must be used together with the address object group feature. For more information about address object groups, see object group configuration in Security Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add address object group object-group1 to the blacklist.

<Sysname> system-view

[Sysname] blacklist object-group object-group1

blacklist user

Use blacklist user to add a user blacklist entry.

Use undo blacklist user to delete a user blacklist entry.

Syntax

blacklist user user-name [ domain domain-name ] [ timeout minutes ]

undo blacklist user user-name [ domain domain-name ]

Default

No user blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. Packets sourced from this user will be dropped.

domain domain-name: Specifies a user identification domain by its name, a case-insensitive string of 1 to 255 characters. The user identification domain name cannot include question marks (?). If you do not specify a user identification domain, the user does not belong to any user identification domain.

timeout minutes: Specifies the aging time for the blacklist entry, in the range of 1 to 1000 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The user blacklist feature must be used together with the user identification feature. For more information about user identification, see "Configuring user identification."

Examples

# Add a user blacklist entry for user usera and set the aging time to 20 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist user usera timeout 20

# Add a user blacklist entry for user usera in user identification domain domaina and set the aging time to 20 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist user usera domain domaina timeout 20

Related commands

blacklist global enable

display blacklist user

client-verify dns enable

Use client-verify dns enable to enable DNS client verification on an interface.

Use undo client-verify dns enable to disable DNS client verification on an interface.

Syntax

client-verify dns enable

undo client-verify dns enable

Default

DNS client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable DNS client verification on the interface that is connected to the external network. This feature protects internal DNS servers against DNS flood attacks.

For the DNS client verification to collaborate with DNS flood attack prevention, specify client-verify as the DNS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a DNS flood attack. You can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification.

Examples

# Enable DNS client verification on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] client-verify dns enable

Related commands

client-verify dns protected ip

display client-verify dns protected ip

client-verify dns-reply enable

Use client-verify dns-reply enable to enable DNS response verification on an interface.

Use undo client-verify dns-reply enable to disable DNS response verification on an interface.

Syntax

client-verify dns-reply enable

undo client-verify dns-reply enable

Default

DNS response verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable DNS response verification on the interface that is connected to the external network. This feature protects internal DNS clients against DNS response flood attacks.

For the DNS response verification to collaborate with DNS response flood attack prevention, specify client-verify as the DNS response flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted servers if it detects a DNS response flood attack. You can use the display client-verify dns-reply protected ip command to display the protected IP list for DNS response verification.

Examples

# Enable DNS response verification on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] client-verify dns-reply enable

Related commands

client-verify dns-reply protected ip

display client-verify dns-reply protected ip

client-verify http enable

Use client-verify http enable to enable HTTP client verification on an interface.

Use undo client-verify http enable to disable HTTP client verification on an interface.

Syntax

client-verify http enable

undo client-verify http enable

Default

HTTP client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable HTTP client verification on the interface that is connected to the external network. This feature protects internal servers against HTTP flood attacks.

For the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTP flood attack. You can use the display client-verify http protected ip command to display the protected IP list for HTTP client verification.

Examples

# Enable HTTP client verification on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] client-verify http enable

Related commands

client-verify http protected ip

display client-verify http protected ip

client-verify sip enable (interface view)

Use client-verify sip enable to enable SIP client verification on an interface.

Use undo client-verify sip enable to disable SIP client verification on an interface.

Syntax

client-verify sip enable

undo client-verify sip enable

Default

SIP client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable SIP client verification on the interface that is connected to the external network. This feature protects internal servers against SIP flood attacks.

For the SIP client verification to collaborate with SIP flood attack prevention, specify client-verify as the SIP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an SIP flood attack. You can use the display client-verify sip protected ip command to display the protected IP list for SIP client verification.

Examples

# Enable SIP client verification on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] client-verify sip enable

Related commands

client-verify sip protected ip

display client-verify sip protected ip

client-verify protected ip

Use client-verify protected ip to specify an IPv4 address to be protected by the client verification feature.

Use undo client-verify protected ip to remove an IPv4 address protected by the client verification feature.

Syntax

client-verify { dns | dns-reply | http | sip | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]

undo client-verify { dns | dns-reply | http | sip | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]

Default

The client verification feature does not protect any IPv4 addresses.

Views

System view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification feature.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, the verification feature protects ports for different protocols as follows:

·     DNS client or DNS response verification protects port 53.

·     HTTP client verification protects port 80.

·     SIP client verification protects port 5060.

·     TCP client verification protects all ports.

Usage guidelines

You can specify multiple protected IP addresses by using this command multiple times.

Examples

# Configure TCP client verification to protect IPv4 address 2.2.2.5 and port 25.

<Sysname> system-view

[Sysname] client-verify tcp protected ip 2.2.2.5 port 25

# Configure DNS client verification to protect IPv4 address 2.2.2.5 and port 50.

<Sysname> system-view

[Sysname] client-verify dns protected ip 2.2.2.5 port 50

Related commands

display client-verify protected ip

client-verify protected ipv6

Use client-verify protected ipv6 to specify an IPv6 address to be protected by the client verification feature.

Use undo client-verify protected ipv6 to remove an IPv6 address protected by the client verification feature.

Syntax

client-verify { dns | dns-reply | http | sip | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]

undo client-verify { dns | dns-reply | http | sip | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]

Default

The client verification feature does not protect any IPv6 addresses.

Views

System view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification feature.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, the verification feature for different protocols protects ports as follows:

·     DNS client or DNS response verification protects port 53.

·     HTTP client verification protects port 80.

·     SIP client verification protects port 5060.

·     TCP client verification protects all ports.

Usage guidelines

You can specify multiple protected IPv6 addresses by using this command multiple times.

Examples

# Configure TCP client verification to protect IPv6 address 2013::12 and port 23.

<Sysname> system-view

[Sysname] client-verify tcp protected ipv6 2013::12 port 23

# Configure HTTP client verification to protect IPv6 address 2013::12.

<Sysname> system-view

[Sysname] client-verify http protected ipv6 2013::12

Related commands

display client-verify protected ipv6

client-verify tcp enable

Use client-verify tcp enable to enable TCP client verification on an interface.

Use undo client-verify tcp enable to disable TCP client verification on an interface.

Syntax

client-verify tcp enable [ mode { syn-cookie | safe-reset } ]

undo client-verify tcp enable

Default

TCP client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

mode: Specifies a working mode for TCP client verification. If you do not specify this keyword, the SYN cookie mode is used.

syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.

safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.

Usage guidelines

Enable TCP client verification on the interface that is connected to the external network. This feature protects internal servers against TCP flood attacks, including SYN flood attacks, SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.

For TCP client verification to collaborate with TCP flood attack prevention, specify client-verify as the TCP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack. You can use the display client-verify tcp protected ip command to display the protected IP list for TCP client verification.

TCP client verification supports the following modes:

·     Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.

·     SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.

Choose a TCP proxy mode according to the network scenarios. If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode. If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie. TCP proxy must be enabled on input interfaces. Otherwise, TCP connections cannot be established correctly.

Examples

# Enable TCP client verification in SYN cookie mode on GigabitEthernet 1/0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0

[Sysname-GigabitEthernet1/0] client-verify tcp enable mode syn-cookie

Related commands

client-verify tcp protected ip

display client-verify tcp protected ip

display attack-defense flood statistics ip

Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.

Syntax

In standalone mode:

display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ]

In IRF mode:

display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

dns-reply-flood: Specifies DNS response flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

sip-flood: Specifies SIP flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv4 flood attack detection and prevention statistics for all member devices. (In IRF mode.)

count: Displays the number of matching protected IPv4 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If you do not specify the interface or local parameter, this command displays IPv4 flood attack detection and prevention statistics for all interfaces and the device.

Examples

# (In standalone mode.) Display all IPv4 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ip

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

201.55.7.45     --          GE1/0        SYN-ACK-FLOOD Normal   1000   111111111

192.168.11.5    --          GE2/0        ACK-FLOOD     Normal   1000   222222222

201.55.7.44     --          Local        DNS-FLOOD     Normal   1000   111111111

192.168.11.4    --          Local        ACK-FLOOD     Normal   1000   22222222

192.168.8.41    --          Local        SIP-FLOOD     Normal   1000   125623489

# (In IRF mode.) Display all IPv4 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ip

Slot 1:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

192.168.100.221 --          GE1/0        SYN-ACK-FLOOD Normal   1000   4294967295

192.168.11.5    --          GE2/0        ACK-FLOOD     Normal   1000   222222222

201.55.7.44     --          Local        DNS-FLOOD     Normal   1000   111111111

192.168.11.4    --          Local        ACK-FLOOD     Normal   1000   22222222

192.168.8.41    --          Local        SIP-FLOOD     Normal   1000   125623489

Slot 2:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

201.55.1.10     --          GE2/1/0      ACK-FLOOD     Normal   1000   222222222

192.168.100.30  --          GE2/2/0      DNS-FLOOD     Normal   1000   333333333

192.168.100.66  --          Local        SYN-ACK-FLOOD Normal   1000   165467998

# (In standalone mode.) Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Totally 2 flood entries.

# (In IRF mode.) Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Slot 1:

Totally 2 flood entries.

Slot 2:

Totally 1 flood entries.

Table 1 Command output

Field

Description

IP address

Protected IPv4 address.

VPN

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

Detected on

Where the attack is detected: the device (Local) or an interface.

Detect type

Type of the detected flood attack:

·     ACK flood.

·     DNS flood.

·     DNS reply flood.

·     FIN flood.

·     ICMP flood.

·     ICMPv6 flood.

·     SYN flood.

·     SYN-ACK flood.

·     UDP flood.

·     RST flood.

·     HTTP flood.

·     SIP flood.

State

Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS

Number of packets sent to the IPv4 address per second.

Dropped

Number of attack packets dropped by the interface or the device.

Totally 2 flood entries

Total number of flood attack prevention entries.

 

display attack-defense flood statistics ipv6

Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics.

Syntax

In standalone mode:

display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ]

In IRF mode:

display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | sip-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

dns-reply-flood: Specifies DNS response flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

sip-flood: Specifies SIP flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv6 flood attack detection and prevention statistics for all member devices. (In IRF mode.)

count: Displays the number of matching protected IPv6 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If you do not specify the interface or local parameter, this command displays IPv6 flood attack detection and prevention statistics for all interfaces and the device.

Examples

# (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ipv6

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

1::2            --          GE1/0        DNS-FLOOD     Normal   1000   111111111

1::3            --          GE2/0        SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          Local        ACK-FLOOD     Normal   1000   111111111

1::5            --          Local        SYN-FLOOD     Normal   1000   22222222

17::14          --          Local        SIP-FLOOD     Normal   1000   264549789

# (In IRF mode.) Display all IPv6 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ipv6

Slot 1:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

1::2            --          GE1/0        DNS-FLOOD     Normal   1000   111111111

1::3            --          GE2/0        SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          Local        ACK-FLOOD     Normal   1000   111111111

1::5            --          Local        SYN-FLOOD     Normal   1000   22222222

17::14          --          Local        SIP-FLOOD     Normal   1000   264549789

Slot 2:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

1::2            --          GE2/1/0      SYN-FLOOD     Normal   1000   468792363

1::5            --          GE2/2/0      ACK-FLOOD     Normal   1000   452213396

1::6            --          Local        DNS-FLOOD     Normal   1000   12569985

# (In standalone mode.) Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Totally 5 flood entries.

# (In IRF mode.) Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Slot 1:

Totally 4 flood entries.

Slot 2:

Totally 3 flood entries.

Table 2 Command output

Field

Description

IPv6 address

Protected IPv6 address.

VPN

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Detected on

Where the attack is detected: the device (Local) or an interface.

Detect type

Type of the detected flood attack:

·     ACK flood.

·     DNS flood.

·     DNS reply flood.

·     FIN flood.

·     ICMP flood.

·     ICMPv6 flood.

·     SYN flood.

·     SYN-ACK flood.

·     UDP flood.

·     RST flood.

·     HTTP flood.

·     SIP flood.

State

Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS

Number of packets sent to the IPv6 address per second.

Dropped

Number of attack packets dropped by the interface or the device.

Totally 4 flood entries

Total number of flood attack prevention entries.

 

display attack-defense policy

Use display attack-defense policy to display attack defense policy configuration.

Syntax

display attack-defense policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.

Usage guidelines

This command output includes the following configuration information about an attack defense policy:

·     Whether attack detection is enabled.

·     Attack prevention actions.

·     Attack prevention trigger thresholds.

Examples

# Display the configuration of attack defense policy abc.

<Sysname> display attack-defense policy abc

          Attack-defense Policy Information

--------------------------------------------------------------------------

Policy name                        : abc

Applied list                       : Local

                                     GE1/0

                                     Vlan1

--------------------------------------------------------------------------

Exempt IPv4 ACL:                  : Not configured

Exempt IPv6 ACL:                  : vip

--------------------------------------------------------------------------

  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

 

Signature attack defense configuration:

Signature name                     Defense      Level             Actions

Fragment                           Enabled      Info              L

Impossible                         Enabled      Info              L

Teardrop                           Disabled     Info              L

Tiny fragment                      Disabled     Info              L

IP option abnormal                 Disabled     Info              L

Smurf                              Disabled     Info              N

Traceroute                         Disabled     Medium            L,D

Ping of death                      Disabled     Low               L

Large ICMP                         Disabled     Medium            L,D

  Max length                       4000 bytes

Large ICMPv6                       Disabled     Low               L

  Max length                       4000 bytes

TCP invalid flags                  Disabled     medium            L,D

TCP null flag                      Disabled     Low               L

TCP all flags                      Enabled      Info              L

TCP SYN-FIN flags                  Disabled     Info              L

TCP FIN only flag                  Enabled      Info              L

TCP Land                           Disabled     Info              L

Winnuke                            Disabled     Info              L

UDP Bomb                           Disabled     Info              L

UDP Snork                          Disabled     Info              L

UDP Fraggle                        Enabled      Info              L

IP option record route             Disabled     Info              L

IP option internet timestamp       Enabled      Info              L

IP option security                 Disabled     Info              L

IP option loose source routing     Enabled      Info              L

IP option stream ID                Disabled     Info              L

IP option strict source routing    Disabled     Info              L

IP option route alert              Disabled     Info              L

ICMP echo request                  Disabled     Info              L

ICMP echo reply                    Disabled     Info              L

ICMP source quench                 Disabled     Info              L

ICMP destination unreachable       Enabled      Info              L

ICMP redirect                      Enabled      Info              L

ICMP time exceeded                 Enabled      Info              L

ICMP parameter problem             Disabled     Info              L

ICMP timestamp request             Disabled     Info              L

ICMP timestamp reply               Disabled     Info              L

ICMP information request           Disabled     Info              L

ICMP information reply             Disabled     Medium            L,D

ICMP address mask request          Disabled     Medium            L,D

ICMP address mask reply            Disabled     Medium            L,D

ICMPv6 echo request                Enabled      Medium            L,D

ICMPv6 echo reply                  Disabled     Medium            L,D

ICMPv6 group membership query      Disabled     Medium            L,D

ICMPv6 group membership report     Disabled     Medium            L,D

ICMPv6 group membership reduction  Disabled     Medium            L,D

ICMPv6 destination unreachable     Enabled      Medium            L,D

ICMPv6 time exceeded               Enabled      Medium            L,D

ICMPv6 parameter problem           Disabled     Medium            L,D

ICMPv6 packet too big              Disabled     Medium            L,D

 

Scan attack defense configuration:

  Preset defense:

  Defense: Disabled

  User-defined defense:

    Port scan defense: Enabled

    Port scan defense threshold: 5000 packets

    IP sweep defense: Enabled

    IP sweep defense threshold: 8000 packets

    Period: 100s

    Actions: L

 

Flood attack defense configuration:

Flood type      Global thres(pps)  Global actions  Service ports   Non-specific

DNS flood        1000               -               53              Disabled

DNS reply flood  1000               -               -               Disabled

HTTP flood       1000               -               80              Disabled

SIP flood        100                L,CV            50              Enabled

SYN flood        1000               -               -               Disabled

ACK flood        1000               -               -               Disabled

SYN-ACK flood    1000               -               -               Disabled

RST flood        1000               -               -               Disabled

FIN flood        1000               -               -               Disabled

UDP flood        1000               -               -               Disabled

ICMP flood       1000               -               -               Disabled

ICMPv6 flood    1000(default)      CV              -               Disabled

 

Flood attack defense for protected IP addresses:

 Address                 VPN instance Flood type    Thres(pps)  Actions Ports

 1::1                    --           FIN-FLOOD     10          L,D     -

 192.168.1.1             --           SYN-ACK-FLOOD 10          -       -

 1::1                    --           FIN-FLOOD     -           L       -

 2013:2013:2013:2013:    --           DNS-FLOOD     100         L,CV    53

 2013:2013:2013:2013

 10::13:13               A0123458589  SIP-FLOOD     100         L,CV    5060

Table 3 Command output

Field

Description

Policy name

Name of the attack defense policy.

Applied list

Locations to which the attack defense policy is applied: interfaces and Local (Local indicates that the policy is applied to the device).

Exempt IPv4 ACL

IPv4 ACL used for attack detection exemption.

Exempt IPv6 ACL

IPv6 ACL used for attack detection exemption.

Actions

Attack prevention actions:

·     CV—Client verification.

·     BS—Blocking sources.

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Signature attack defense configuration

Configuration information about single-packet attack detection and prevention.

Signature name

Type of the single-packet attack.

Defense

Whether attack detection is enabled.

Level

Level of the single-packet attack, info, low, medium, or high.

Currently, no high-level single-packet attacks exist.

Actions

Prevention actions against the scanning attack:

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Large ICMPv6

Large ICMPv6 attack.

ICMPv6 echo request

ICMPv6 echo request attack.

ICMPv6 echo reply

ICMPv6 echo reply attack.

ICMPv6 group membership query

ICMPv6 group membership query attack.

ICMPv6 group membership report

ICMPv6 group membership report attack.

ICMPv6 group membership reduction

ICMPv6 group membership reduction attack.

ICMPv6 destination unreachable

ICMPv6 destination unreachable attack.

ICMPv6 time exceeded

ICMPv6 time exceeded attack.

ICMPv6 parameter problem

ICMPv6 parameter problem attack.

ICMPv6 packet too big

ICMPv6 packet too big attack.

Scan attack defense configuration

Configuration information about scanning attack detection and prevention.

Preset defense

Configuration information about predefined scanning attack detection and prevention.

Defense

Whether scanning attack detection is enabled.

Level

Level of the scanning attack detection, low, medium, or high.

User-defined defense

Configuration information about user-defined scanning attack detection and prevention.

Port scan defense

Status of port scan attack prevention, which can be Enabled or Disabled.

Port scan defense threshold

Threshold for triggering port scan attack prevention.

IP sweep defense

Status of IP sweep attack prevention, which can be Enabled or Disabled.

IP sweep defense threshold

Threshold for triggering IP sweep attack prevention.

Period

Scanning attack detection cycle in seconds.

Actions

Scanning attack prevention actions:

·     BS—Blocking sources.

·     D—Dropping packets.

·     L—Logging.

Flood attack defense configuration

Configuration information about flood attack detection and prevention.

Flood type

Type of the flood attack:

·     ACK flood.

·     DNS flood.

·     DNS reply flood.

·     FIN flood.

·     ICMP flood.

·     ICMPv6 flood.

·     SYN flood.

·     SYN-ACK flood.

·     UDP flood.

·     RST flood.

·     HTTP flood.

·     SIP flood.

Global thres (pps)

Global threshold for triggering the flood attack prevention, in pps. The default is 1000 pps.

Global actions

Global prevention actions against the flood attack:

·     D—Dropping packets.

·     L—Logging.

·     CV—Client verification.

·     -—Not configured.

Service ports

Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).

Non-specific

Whether the global flood attack detection is enabled.

Flood attack defense for protected IP addresses

Configuration of the IP address-specific flood attack detection and prevention.

Address

Protected IP address.

VPN instance

MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field displays a hyphen (-).

Thres(pps)

Threshold for triggering the flood attack prevention, in pps. If no threshold is specified, this field displays 1000.

Actions

Flood attack prevention actions:

·     CV—Client verification.

·     BS—Blocking sources.

·     D—Dropping packets.

·     L—Logging.

·     N—No action.

Ports

Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).

 

# Display brief information about all attack defense policies.

<Sysname> display attack-defense policy

           Attack-defense Policy Brief Information

------------------------------------------------------------

Policy Name                        Applied list

Atk-policy-1                       GigabitEthernet1/0

                                   GigabitEthernet2/0

P123                               GigabitEthernet2/0

p1                                 Local

p12                                Local

Table 4 Command output

Field

Description

Policy name

Name of the attack defense policy.

Applied list

Locations to which the attack defense policy is applied: interfaces and Local (Local indicates that the policy is applied to the device).

 

Related commands

attack-defense policy

display attack-defense policy ip

Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.

Syntax

In standalone mode:

display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ count ]

In IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

dns-reply-flood: Specifies DNS response flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

sip-flood: Specifies SIP flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays information about all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all IRF member devices. (In IRF mode.)

count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.

Examples

# (In standalone mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 --               SYN-ACK-FLOOD 100                 4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

10.168.200.5    --               SIP-FLOOD     100                 102556

# (In IRF mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

Slot 1:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 --               SYN-ACK-FLOOD 100                 4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

10.168.200.5    --               SIP-FLOOD     100                 102556

Slot 2:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 --               SYN-ACK-FLOOD 100                 2543

201.55.7.45     --               ICMP-FLOOD    100                 122

192.168.11.5    --               DNS-FLOOD     23                  0

# (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Totally 3 flood protected IP addresses.

# (In IRF mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Slot 1:

Totally 3 flood protected IP addresses.

Slot 2:

Totally 0 flood protected IP addresses.

Table 5 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv4 addresses protected by flood attack detection and prevention.

IP address

Protected IPv4 address.

VPN instance

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in pps. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging, this field displays 0.

 

display attack-defense policy ipv6

Use display attack-defense policy ipv6 to display information about IPv6 addresses protected by flood attack detection and prevention.

Syntax

In standalone mode:

display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ count ]

In IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

dns-reply-flood: Specifies DNS response flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

sip-flood: Specifies SIP flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all IRF member devices. (In IRF mode.)

count: Displays the number of matching IPv6 addresses protected by flood attack detection and prevention.

Examples

# (In standalone mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      --               SYN-ACK-FLOOD 100                 4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

10::15          --               SIP-FLOOD     100                 1002

# (In IRF mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

Slot 1:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      --               SYN-ACK-FLOOD 100                 4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

10::15          --               SIP-FLOOD     100                 1002

Slot 2:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      --               SYN-ACK-FLOOD 100                 5465

2::5            --               ACK-FLOOD     100                 0

1::5            --               ACK-FLOOD     100                 122

# (In standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Totally 3 flood protected IP addresses.

# (In IRF mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Slot 1:

Totally 3 flood protected IP addresses.

Slot 2:

Totally 0 flood protected IP addresses.

Table 6 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv6 addresses protected by flood attack detection and prevention.

IPv6 address

Protected IPv6 address.

VPN instance

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in pps. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging, this field displays 0.

 

display attack-defense scan attacker ip

Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.

Syntax

In standalone mode:

display attack-defense scan attacker ip [ interface interface-type interface-number | local ] [ count ]

In IRF mode:

display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv4 scanning attackers for all member devices. (In IRF mode.)

count: Displays the number of matching IPv4 scanning attackers.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv4 scanning attackers.

Examples

# (In standalone mode.) Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

IP addr(DslitePeer) VPN instance     Protocol      Detected on  Duration(min)

192.168.31.2(--)    --               TCP           GE1/0        1284

2.2.2.3(--)         --               UDP           GE1/0        23

192.68.11.2(--)     --               TCP           Local        782

2.2.2.1(--)         --               UDP           Local        23

# (In IRF mode.) Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

Slot 1:

IP addr(DslitePeer) VPN instance     Protocol      Detected on  Duration(min)

192.168.31.2(--)    --               TCP           GE1/2/0      1284

2.2.2.3(--)         --               UDP           GE1/2/0      23

192.68.11.2(--)     --               TCP           Local        782

2.2.2.1(--)         --               UDP           Local        23

Slot 2:

IP addr(DslitePeer) VPN instance     Protocol      Detected on  Duration(min)

192.168.1.100(--)   --               TCP           GE2/1/0      1586

202.2.1.172(--)     --               UDP           GE2/1/0      258

192.168.1.200(--)   --               TCP           Local        1284

202.2.1.1(--)       --               UDP           Local        23

# (In standalone mode.) Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Totally 3 attackers.

# (In IRF mode.) Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Slot 1:

Totally 3 attackers.

Slot 2:

Totally 2 attackers.

Table 7 Command output

Field

Description

Totally 3 attackers

Total number of IPv4 scanning attackers.

IP addr(DslitePeer)

The IP addr field displays the IPv4 address of the attacker.

The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--).

VPN instance

MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--).

Protocol

Name of the protocol.

Detected on

Where the attack is detected: the device (Local) or an interface.

Duration(min)

The amount of time the attack lasts, in minutes.

 

Related commands

scan detect

display attack-defense scan attacker ipv6

Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.

Syntax

In standalone mode:

display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ]

In IRF mode:

display attack-defense scan attacker ipv6 [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attackers for all member devices. (In IRF mode.)

count: Displays the number of matching IPv6 scanning attackers.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv6 scanning attackers.

Examples

# (In standalone mode.) Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

IPv6 address       VPN instance     Protocol     Detected on      Duration(min)

2013::2            --               TCP          GE1/0            1234

1230::22           --               UDP          GE2/0            10

1002::20           --               TCP          Local            782

1230::1            --               UDP          Local            10

# (In IRF mode.) Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

Slot 1:

IPv6 address       VPN instance     Protocol     Detected on      Duration(min)

2013::2            --               TCP          GE1/0            1234

1230::22           --               UDP          GE2/0            10

1002::20           --               TCP          Local            782

1230::1            --               UDP          Local            10

Slot 2:

IPv6 address       VPN instance     Protocol    Detected on      Duration(min)

2004::4            --               TCP         GE2/2/0           1122

1042::2            --               UDP         GE2/2/0           24

2004::1            --               TCP         Local             1122

1042::1            --               UDP         Local             24

# (In standalone mode.) Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Totally 3 attackers.

# (In IRF mode.) Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Slot 1:

Totally 3 attackers.

Slot 2:

Totally 0 attackers.

Table 8 Command output

Field

Description

Totally 3 attackers

Total number of IPv6 scanning attackers.

IPv6 address

IPv6 address of the attacker.

VPN instance

MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).

Protocol

Name of the protocol.

Detected on

Where the attack is detected: the device (Local) or an interface.

Duration(min)

The amount of time the attack lasts, in minutes.

 

Related commands

scan detect

display attack-defense statistics interface

Use display attack-defense statistics interface to display attack detection and prevention statistics on an interface.

Syntax

In standalone mode:

display attack-defense statistics interface interface-type interface-number

In IRF mode:

display attack-defense statistics interface interface-type interface-number [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this commands displays attack detection and prevention statistics for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display attack detection and prevention statistics on GigabitEthernet 1/0.

<Sysname> display attack-defense statistics interface gigabitethernet 1/0

Attack policy name: abc

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (In IRF mode.) Display attack detection and prevention statistics on GigabitEthernet 1/0.

<Sysname> display attack-defense statistics interface gigabitethernet 1/0

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Slot 2:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           1           12

 IP sweep                            2           35

 Distribute port scan                5           48

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           4200

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               3           0

 Ping of death                       1           0

 Traceroute                          1           2

 Large ICMP                          2           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 9 Command output

Field

Description

AttackType

Type of the attack.

AttackTimes

Number of times that the attack occurred.

This command output displays only attacks that are detected.

Dropped

Number of dropped packets.

ICMPv6 flood

ICMPv6 flood attack. This field is not displayed when no ICMPv6 flood attack is detected.

Large ICMPv6

Large ICMPv6 attack. This field is not displayed when no large ICMPv6 attack is detected.

ICMPv6 echo request

ICMPv6 echo request attack. This field is not displayed when no ICMPv6 echo request attack is detected.

ICMPv6 echo reply

ICMPv6 echo reply attack. This field is not displayed when no ICMPv6 echo reply attack is detected.

ICMPv6 group membership query

ICMPv6 group membership query attack. This field is not displayed when no ICMPv6 group membership query attack is detected.

ICMPv6 group membership report

ICMPv6 group membership report attack. This field is not displayed when no ICMPv6 group membership report attack is detected.

ICMPv6 group membership reduction

ICMPv6 group membership reduction attack. This field is not displayed when no ICMPv6 group membership reduction attack is detected.

ICMPv6 destination unreachable

ICMPv6 destination unreachable attack. This field is not displayed when no ICMPv6 destination unreachable attack is detected.

ICMPv6 time exceeded

ICMPv6 time exceeded attack. This field is not displayed when no ICMPv6 time exceeded attack is detected.

ICMPv6 parameter problem

ICMPv6 parameter problem attack. This field is not displayed when no ICMPv6 parameter problem attack is detected.

ICMPv6 packet too big

ICMPv6 packet too big attack. This field is not displayed when no ICMPv6 packet too big attack is detected.

 

display attack-defense statistics local

Use display attack-defense statistics local to display attack detection and prevention statistics for the device.

Syntax

In standalone mode:

display attack-defense statistics local

In IRF mode:

display attack-defense statistics local [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays attack detection and prevention statistics for all IRF member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack defense policy name: abc

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (In IRF mode.) Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Slot 2:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           4           46

 IP sweep                            2           28

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       2           4200

 RST flood                           2           0

 FIN flood                           2           20

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 DNS reply flood                     1           0

 HTTP flood                          1           0

 SIP flood                           1           1000

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              2           230

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     2           0

 IP option route alert               3           12

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           3

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 10 Command output

Field

Description

AttackType

Type of the attack.

AttackTimes

Number of times that the attack occurred.

This command output displays only attacks that are detected.

Dropped

Number of dropped packets.

ICMPv6 flood

ICMPv6 flood attack. This field is not displayed when no ICMPv6 flood attack is detected.

Large ICMPv6

Large ICMPv6 attack. This field is not displayed when no large ICMPv6 attack is detected.

ICMPv6 echo request

ICMPv6 echo request attack. This field is not displayed when no ICMPv6 echo request attack is detected.

ICMPv6 echo reply

ICMPv6 echo reply attack. This field is not displayed when no ICMPv6 echo reply attack is detected.

ICMPv6 group membership query

ICMPv6 group membership query attack. This field is not displayed when no ICMPv6 group membership query attack is detected.

ICMPv6 group membership report

ICMPv6 group membership report attack. This field is not displayed when no ICMPv6 group membership report attack is detected.

ICMPv6 group membership reduction

ICMPv6 group membership reduction attack. This field is not displayed when no ICMPv6 group membership reduction attack is detected.

ICMPv6 destination unreachable

ICMPv6 destination unreachable attack. This field is not displayed when no ICMPv6 destination unreachable attack is detected.

ICMPv6 time exceeded

ICMPv6 time exceeded attack. This field is not displayed when no ICMPv6 time exceeded attack is detected.

ICMPv6 parameter problem

ICMPv6 parameter problem attack. This field is not displayed when no ICMPv6 parameter problem attack is detected.

ICMPv6 packet too big

ICMPv6 packet too big attack. This field is not displayed when no ICMPv6 packet too big attack is detected.

 

Related commands

reset attack-defense statistics local

display attack-defense top-attack-statistics

Use display attack-defense top-attack-statistics to display top 10 attack statistics.

Syntax

display attack-defense top-attack-statistics { last-1-hour | last-24-hours | last-30-days } [ by-attacker | by-type | by-victim ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

last-1-hour: Specifies the most recent 1 hour.

last-24-hours: Specifies the most recent 24 hours.

last-30-days: Specifies the most recent 30 days.

by-attacker: Displays top 10 attack statistics by attacker.

by-type: Displays all attack statistics by attack type.

by-victim: Displays top 10 attack statistics by victim.

Usage guidelines

If you do not specify the by-attacker, by-type, or by-victim keyword, this command displays attack statistics by attacker, victim, attack type.

Examples

# Display top 10 attack statistics in the most recent 1 hour.

<Sysname> display attack-defense top-attack-statistics last-1-hour

Top attackers:

No.     VPN instance   Attacker IP         Attacks

1       --             200.200.200.55      21

2       --             200.200.200.21      16

3       --             200.200.200.133     12

4       --             200.200.200.19      10

5       --             200.200.200.4       8

6       --             200.200.200.155     8

7       --             200.200.200.93      5

8       --             200.200.200.67      3

9       --             200.200.200.70      1

10      --             200.200.200.23      1

 

Top victims:

No.     VPN instance   Victim IP            Attacks

1       --             200.200.200.12       21

2       --             200.200.200.32       16

3       --             200.200.200.14       12

4       --             200.200.200.251      12

5       --             200.200.200.10       7

6       --             200.200.200.77       6

7       --             200.200.200.96       2

8       --             200.200.200.22       2

9       --             200.200.200.154      2

10      --             200.200.200.18       1

 

Top attack types:

Attack type       Attacks

Scan              155

Syn               155

Table 11 Command output

Field

Description

Top attackers

Top 10 attack statistics by attacker.

No.

Rank on the list.

VPN instance

VPN instance to which the attacker or victim belongs. If the attacker or victim belongs to the public network, this field displays null.

Attacks

Number of attack packets that have been dropped.

Top victims

Top 10 attack statistics by victim.

Top attack types

Attack statistics by attack type.

 

Related commands

attack-defense top-attack-statistics enable

display blacklist destination-ip

Use display blacklist destination-ip to display destination IPv4 blacklist entries.

Syntax

In standalone mode:

display blacklist destination-ip [ destination-ip-address [ vpn-instance vpn-instance-name ] ] [ count ]

In IRF mode:

display blacklist destination-ip [ destination-ip-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

destination-ip-address: Specifies a destination IPv4 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays destination IPv4 blacklist entries for all member devices. (In IRF mode.)

count: Displays the number of matching destination IPv4 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all destination IPv4 blacklist entries.

Examples

# (In standalone mode.) Display all destination IPv4 blacklist entries.

<Sysname> display blacklist destination-ip

IP address      VPN instance   Type    Aging (sec)  Dropped

192.168.11.5    --             Dynamic 10           353452

123.123.123.123 --             Dynamic 123          4294967295

201.55.7.45     --             Manual  Never        14478

# (In IRF mode.) Display all destination IPv4 blacklist entries.

<Sysname> display blacklist destination-ip

Slot 1:

IP address      VPN instance   Type    Aging (sec)  Dropped

192.168.11.5    --             Dynamic 10           353452

123.123.123.123 --             Dynamic 123          4294967295

201.55.7.45     --             Manual  Never        14478

Slot 2:

IP address      VPN instance   Type    Aging (sec)  Dropped

123.55.123.7    --             Dynamic 123       164698

201.55.7.33     --             Manual  Never     845969

# (In standalone mode.) Display the number of destination IPv4 blacklist entries.

<Sysname> display blacklist destination-ip count

Totally 3 blacklist entries.

# (In IRF mode.) Display the total number of destination IPv4 blacklist entries.

<Sysname> display blacklist destination-ip count

Slot 1:

Totally 3 blacklist entries.

Slot 2:

Totally 2 blacklist entries.

Table 12 Command output

Field

Description

IP address

IPv4 address in the destination blacklist entry.

VPN instance

MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field displays hyphens (--).

Type

Type of the destination IPv4 blacklist entry:

·     Dynamic—Dynamically generated.

·     Manual—Manually configured.

Aging (sec)

Remaining aging time of the destination IPv4 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.

Dropped

Number of dropped packets that are destined for the IPv4 address.

Totally 3 blacklist entries.

Total number of destination IPv4 blacklist entries.

 

Related commands

blacklist destination-ip

display blacklist destination-ipv6

Use display blacklist destination-ipv6 to display destination IPv6 blacklist entries.

Syntax

In standalone mode:

display blacklist destination-ipv6 [ destination-ipv6-address [ vpn-instance vpn-instance-name ] ] [ count ]

In IRF mode:

display blacklist destination-ipv6 [ destination-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

destination-ipv6-address: Specifies a destination IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays destination IPv6 blacklist entries for all member devices. (In IRF mode.)

count: Displays the number of matching destination IPv6 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all destination IPv6 blacklist entries.

Examples

# (In standalone mode.) Display all destination IPv6 blacklist entries.

<Sysname> display blacklist destination-ipv6

IPv6 address         VPN instance      Type    Aging (sec)  Dropped

1::4                 --                Manual  Never        14478

1::5                 --                Dynamic 10           353452

2013:fe07:221a:4011: --                Dynamic 123          4294967295

2013:fe07:221a:4011

# (In IRF mode.) Display all destination IPv6 blacklist entries.

<Sysname> display blacklist destination-ipv6

Slot 1:

IPv6 address         VPN instance      Type    Aging (sec)  Dropped

1::4                 --                Manual  Never        14478

1::5                 --                Dynamic 10           353452

2013:fe07:221a:4011: --                Dynamic 123          4294967295

2013:fe07:221a:4011

Slot 2:

IPv6 address         VPN instance      Type    Aging (sec)  Dropped

1::3                 --                Manual  Never        74679

20::33               --                Dynamic 10           1697898

# (In standalone mode.) Display the number of destination IPv6 blacklist entries.

<Sysname> display blacklist destination-ipv6 count

Totally 3 blacklist entries.

# (In IRF mode.) Display the total number of destination IPv6 blacklist entries.

<Sysname> display blacklist destination-ipv6 count

Slot 1:

Totally 3 blacklist entries.

Slot 2:

Totally 2 blacklist entries.

Table 13 Command output

Field

Description

IPv6 address

IPv6 address in the destination blacklist entry.

VPN instance

MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field displays hyphens (--).

Type

Type of the destination IPv6 blacklist entry:

·     Dynamic—Dynamically generated.

·     Manual—Manually configured.

Aging (sec)

Remaining aging time of the destination IPv6 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.

Dropped

Number of dropped packets that are destined for the IPv6 address.

Totally 3 blacklist entries.

Total number of destination IPv6 blacklist entries.

 

Related commands

blacklist destination-ipv6

display blacklist ip

Use display blacklist ip to display source IPv4 blacklist entries.

Syntax

In standalone mode:

display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ count ]

In IRF mode:

display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ slot slot-number  ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip-address: Specifies a source IPv4 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays source IPv4 blacklist entries for all member devices. (In IRF mode.)

count: Displays the number of matching source IPv4 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all source IPv4 blacklist entries.

Examples

# (In standalone mode.) Display all source IPv4 blacklist entries.

<Sysname> display blacklist ip

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       353452

123.123.123.123 --             2013::fe07:221a:4011 Dynamic 123      4294967295

201.55.7.45     --             2013::1              Manual  Never    14478

# (In IRF mode.) Display all source IPv4 blacklist entries.

<Sysname> display blacklist ip

Slot 1:

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       353452

123.123.123.123 --             2013::fe07:221a:4011 Dynamic 123      4294967295

201.55.7.45     --             2013::1              Manual  Never    14478

Slot 2:

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

123.55.123.7    --             --                   Dynamic 123      164698

201.55.7.33     --             --                   Manual  Never    845969

# (In standalone mode.) Display the number of source IPv4 blacklist entries.

<Sysname> display blacklist ip count

Totally 3 blacklist entries.

# (In IRF mode.) Display the total number of source IPv4 blacklist entries.

<Sysname> display blacklist ip count

Slot 1:

Totally 3 blacklist entries.

Slot 2:

Totally 2 blacklist entries.

Table 14 Command output

Field

Description

IP address

IPv4 address in the source blacklist entry.

VPN instance

MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field displays hyphens (--).

DS-Lite tunnel peer

IPv6 address of the DS-Lite tunnel peer.

If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes.

In other situations, this field displays hyphens (--).

Type

Type of the source IPv4 blacklist entry:

·     Dynamic—Dynamically generated.

·     Manual—Manually configured.

TTL(sec)

Remaining aging time of the source IPv4 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.

Totally 3 blacklist entries

Total number of source IPv4 blacklist entries.

 

Related commands

blacklist ip

display blacklist ipv6

Use display blacklist ipv6 to display source IPv6 blacklist entries.

Syntax

In standalone mode:

display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ count ]

In IRF mode:

display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ipv6-address: Specifies a source IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays source IPv6 blacklist entries for all member devices. (In IRF mode.)

count: Displays the number of matching source IPv6 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all source IPv6 blacklist entries.

Examples

# (In standalone mode.) Display all source IPv6 blacklist entries.

<Sysname> display blacklist ipv6

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    14478

1::5                 --                Dynamic 10       353452

2013:fe07:221a:4011: --                Dynamic 123      4294967295

2013:fe07:221a:4011

# (In IRF mode.) Display all source IPv6 blacklist entries.

<Sysname> display blacklist ipv6

Slot 1:

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    14478

1::5                 --                Dynamic 10       353452

2013:fe07:221a:4011: --                Dynamic 123      4294967295

2013:fe07:221a:4011

Slot 2:

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::3                 --                Manual  Never    74679

20::33               --                Dynamic 10       1697898

# (In standalone mode.) Display the number of source IPv6 blacklist entries.

<Sysname> display blacklist ipv6 count

Totally 3 blacklist entries.

Totally 3 blacklist entries.

# (In IRF mode.) Display the total number of source IPv6 blacklist entries.

<Sysname> display blacklist ipv6 slot 1 count

Slot 1:

Totally 3 blacklist entries.

Slot 2:

Totally 2 blacklist entries..

Table 15 Command output

Field

Description

IPv6 address

IPv6 address in the source blacklist entry.

VPN instance

MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field displays hyphens (--).

Type

Type of the source IPv6 blacklist entry:

·     Dynamic—Dynamically generated.

·     Manual—Manually configured.

TTL(sec)

Remaining aging time of the source IPv6 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.

Totally 3 blacklist entries

Total number of source IPv6 blacklist entries.

 

Related commands

blacklist ipv6

display blacklist user

Use display blacklist user to display user blacklist entries.

Syntax

display blacklist user [ user-name ] [ domain domain-name ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.

domain domain-name: Specifies a user identification domain by its name, a case-insensitive string of 1 to 255 characters. The user identification domain name cannot include question marks (?). If you do not specify a user identification domain, this command displays user blacklist entries that do not belong to any user identification domains.

count: Displays the number of matching user blacklist entries.

Examples

# Display all user blacklist entries.

<Sysname> display blacklist user

User name    Domain name      Type       TTL(sec)  Dropped

Alex         domaina          Manual     10        353452

Bob                           Manual     123       4294967295

Cary                          Manual     Never     14478

# Display the user blacklist entry for user Alex in user identification domain domaina.

<Sysname> display blacklist user Alex domain domaina

User name   Domain name      Type       TTL(sec)   Dropped

Alex        domaina          Manual     10         353452

# Display the number of user blacklist entries.

<Sysname> display blacklist user count

Totally 3 blacklist entries.

Table 16 Command output

Field

Description

Username

Username in the user blacklist entry.

Domain name

User identification domain to which the user belongs.

Type

Type of the user blacklist entry. Only the manual mode is supported.

TTL(sec)

Remaining aging time of the user blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.

Dropped

Number of dropped packets sourced from the user.

Totally 3 blacklist entries

Total number of user blacklist entries.

 

Related commands

blacklist global enable

blacklist user

display client-verify protected ip

Use display client-verify protected ip to display protected IPv4 addresses for client verification.

Syntax

In standalone mode:

display client-verify { dns | dns-reply | http | sip | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ count ]

In IRF mode:

display client-verify { dns | dns-reply | http | sip | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.

port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv4 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays protected IPv4 addresses for all member devices. (In IRF mode.)

count: Displays the number of matching protected IPv4 addresses.

Examples

# (In standalone mode.) Display the protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip

IP address           VPN instance     Port  Type    Requested  Trusted

192.168.11.5         --               23    Dynamic 353452     555

123.123.123.123      --               65535 Dynamic 4294967295 15151

201.55.7.45          --               10    Manual  15000      222

# (In IRF mode.) Display the protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip

Slot 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 353452      555

123.123.123.123      --               65535 Dynamic 4294967295  15151

201.55.7.45          --               10    Manual  15000       222

Slot 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 46790       78578

201.55.7.45          --               10    Dynamic 2368        7237

123.123.123.123      --               65535 Manual  24587       1385

# (In standalone mode.) Display the number of protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Totally 3 protected IP addresses.

# (In IRF mode.) Display the number of protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Slot 1:

Totally 3 protected IP addresses.

Slot 2:

Totally 0 protected IP addresses.

Table 17 Command output

Field

Description

Totally 3 protected IP addresses

Total number of protected IPv4 addresses.

IP address

Protected IPv4 address.

VPN instance

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

Port

Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any.

Type

Type of the protected IPv4 address, Manual or Dynamic.

Requested

Number of packets destined for the protected IPv4 address.

Trusted

Number of packets that passed the client verification.

 

Related commands

client-verify protected ip

display client-verify protected ipv6

Use display client-verify protected ipv6 to display protected IPv6 addresses for client verification.

Syntax

In standalone mode:

display client-verify { dns | dns-reply | http | sip | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ count ]

In IRF mode:

display client-verify { dns | dns-reply | http | sip | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv6 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays protected IPv6 addresses for all member devices. (In IRF mode.)

count: Displays the number of matching protected IPv6 addresses.

Examples

# (In standalone mode.) Display the protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  14478       5501

1023::1123           --               65535 Dynamic 4294967295  15151

# (In IRF mode.) Display the protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6

Slot 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  14478       5501

1023::1123           --               65535 Dynamic 4294967295  15151

Slot 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  4568        8798

1023::1123           --               65535 Dynamic 15969       4679

# (In standalone mode.) Display the number of protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6 count

Totally 3 protected IPv6 addresses.

# (In IRF mode.) Display the number of protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Slot 1:

Totally 3 protected IPv6 addresses.

Slot 2:

Totally 0 protected IPv6 addresses.

Table 18 Command output

Field

Description

Totally 3 protected IPv6 addresses

Total number of protected IPv6 addresses.

IPv6 address

Protected IPv6 address.

VPN instance

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Port

Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any.

Type

Type of the protected IPv6 address, Manual or Dynamic.

Requested

Number of packets destined for the protected IPv6 address.

Trusted

Number of packets that passed the client verification.

 

Related commands

client-verify protected ipv6

display client-verify trusted ip

Use display client-verify trusted ip to display trusted IPv4 addresses for client verification.

Syntax

In standalone mode:

display client-verify { dns | dns-reply | http | sip | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ count ]

In IRF mode:

display client-verify { dns | dns-reply | http | sip | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv4 address is on the public network.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv4 addresses for all member devices. (In IRF mode.)

count: Displays the number of matching trusted IPv4 addresses.

Examples

# (In standalone mode.) Display the trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        --                  --                     3600

123.123.123.123 --                  --                     3550

# (In IRF mode.) Display the trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip

Slot 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        --                  --                     3600

123.123.123.123 --                  --                     3550

Slot 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        --                  --                     1200

# (In standalone mode.) Display the number of trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip count

Totally 3 trusted IP addresses.

# (In IRF mode.) Display the number of trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip count

Slot 1:

Totally 3 trusted IP addresses.

Slot 2:

Totally 0 trusted IP addresses.

Table 19 Command output

Field

Description

Totally 3 protected IP addresses

Total number of trusted IPv4 addresses.

IP address

Trusted IPv4 address.

VPN instance

MPLS L3VPN instance to which the trusted IPv4 address belongs. If the trusted IPv4 address is on the public network, this field displays hyphens (--).

DS-Lite tunnel peer

IPv6 address of the DS-Lite tunnel peer.

If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes.

In other situations, this field displays hyphens (--).

TTL(sec)

Remaining aging time of the trusted IPv4 address, in seconds.

 

display client-verify trusted ipv6

Use display client-verify trusted ipv6 to display trusted IPv6 addresses for client verification.

Syntax

In standalone mode:

display client-verify { dns | dns-reply | http | sip | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ count ]

In IRF mode:

display client-verify { dns | dns-reply | http | sip | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv6 address is on the public network.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv6 addresses for all member devices. (In IRF mode.)

count: Displays the number of matching trusted IPv6 addresses.

Examples

# (In standalone mode.) Display the trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6

IPv6 address                            VPN instance     TTL(sec)

1::3                                    --               1643

1234::1234                              --               1234

# (In IRF mode.) Display the trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6

Slot 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    --               1643

1234::1234                              --               1234

Slot 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    --               1643

# (In standalone mode.) Display the number of trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6 count

Totally 3 trusted IPv6 addresses.

# (In IRF mode.) Display the number of trusted IPv6 list for DNS client verification.

<Sysname> display client-verify dns trusted ipv6 count

Slot 1:

Totally 3 trusted IPv6 addresses.

Slot 2:

Totally 0 trusted IPv6 addresses.

Table 20 Command output

Field

Description

Totally 3 protected IPv6 addresses

Number of trusted IPv6 addresses.

IPv6 address

Trusted IPv6 address.

VPN instance

MPLS L3VPN instance to which the trusted IPv6 address belongs. If the trusted IPv6 address is on the public network, this field displays hyphens (--).

TTL(sec)

Remaining aging time of the trusted IPv6 address, in seconds.

 

display whitelist object-group

Use display whitelist object-group to display statistics about packets that match the address object groups on the whitelist.

Syntax

In standalone mode:

display whitelist object-group [ object-group-name ]

In IRF mode:

display whitelist object-group [ object-group-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters. If you do not specify an address object group, this command displays statistics about packets that match all address object groups on the whitelist.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics for all member devices. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command displays statistics about packets that match all address object groups on the whitelist.

Examples

# (In standalone mode.) Display statistics about packets that match the address object group on the whitelist.

<Sysname> display whitelist object-group objgrp-1

Object group                Type          Matching Packets

objgrp-1                    IPv4          353452

# (In IRF mode.) Display statistics about packets that match all address object groups on the whitelist.

<Sysname> display whitelist object-group

Slot 1:

Object group               Type          Matching Packets

objgrp-1                   IPv4          15696

objgrp-2                   IPv4          855864455

Slot 2:

Object group               Type          Matching Packets

objgrp-1                   IPv4          353452

Table 21 Command output

Field

Description

Object group

Name of the address object group.

Type

Type of the address object group.

Matching packets

Number of packets that match the address object group.

 

Related commands

reset whitelist statistics

whitelist object-group

dns-flood action

Use dns-flood action to specify global actions against DNS flood attacks.

Use undo dns-flood action to restore the default.

Syntax

dns-flood action { client-verify | drop | logging } *

undo dns-flood action

Default

No global action is specified for DNS flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent DNS packets destined for the victim IP addresses.

logging: Enables logging for DNS flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the DNS flood attack detection to collaborate with the DNS client verification, make sure the client-verify keyword is specified and the DNS client verification is enabled. To enable DNS client verification, use the client-verify dns enable command.

The logging keyword enables the attack detection and prevention module to log DNS flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output DNS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view DNS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against DNS flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop

Related commands

client-verify dns enable

dns-flood detect

dns-flood detect non-specific

dns-flood threshold

dns-flood detect

Use dns-flood detect to configure IP address-specific DNS flood attack detection.

Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration.

Syntax

dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific DNS flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the maximum receiving rate in pps for DNS packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected DNS flood attack. If no action is specified, the global actions set by the dns-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent DNS packets destined for the protected IP address.

logging: Enables logging for DNS flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With DNS flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of DNS packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure DNS flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log DNS flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output DNS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view DNS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure DNS flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000

Related commands

dns-flood action

dns-flood detect non-specific

dns-flood port

dns-flood threshold

dns-flood detect non-specific

Use dns-flood detect non-specific to enable global DNS flood attack detection.

Use undo dns-flood detect non-specific to disable global DNS flood attack detection.

Syntax

dns-flood detect non-specific

undo dns-flood detect non-specific

Default

Global DNS flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global DNS flood attack detection applies to all IP addresses except for those specified by the dns-flood detect command. The global detection uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command.

Examples

# Enable global DNS flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific

Related commands

dns-flood action

dns-flood detect

dns-flood threshold

dns-flood port

Use dns-flood port to specify the global ports to be protected against DNS flood attacks.

Use undo dns-flood port to restore the default.

Syntax

dns-flood port port-list

undo dns-flood port

Default

The global DNS flood attack prevention protects port 53.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only DNS packets destined for the specified ports.

The global ports apply to global DNS flood attack detection and IP address-specific DNS flood attack detection with no port specified.

Examples

# Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood port 53 61000

Related commands

dns-flood action

dns-flood detect

dns-flood detect non-specific

dns-flood threshold

Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention.

Use undo dns-flood threshold to restore the default.

Syntax

dns-flood threshold threshold-value

undo dns-flood threshold

Default

The global threshold is 1000 for triggering DNS flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for DNS packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global DNS flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of DNS packets sent to a protected DNS server is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering DNS flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100

Related commands

dns-flood action

dns-flood detect

dns-flood detect non-specific

dns-reply-flood action

Use dns-reply-flood action to specify global actions against DNS response flood attacks.

Use undo dns-reply-flood action to restore the default.

Syntax

dns-reply-flood action { client-verify | drop | logging } *

undo dns-reply-flood action

Default

No global action is specified for DNS response flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for DNS response verification. If DNS response verification is enabled, the device provides proxy services for protected clients.

drop: Drops subsequent DNS response packets destined for the victim IP addresses.

logging: Enables logging for DNS response flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the DNS response flood attack detection to collaborate with the DNS response verification, make sure the client-verify keyword is specified and the DNS response verification is enabled. To enable DNS response verification, use the client-verify dns-reply enable command.

The logging keyword enables the attack detection and prevention module to log DNS response flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output DNS response flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view DNS response flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against DNS response flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood action drop

Related commands

client-verify dns-reply enable

dns-reply-flood detect

dns-reply-flood detect non-specific

dns-reply-flood threshold

dns-reply-flood detect

Use dns-reply-flood detect to configure IP address-specific DNS response flood attack detection.

Use undo dns-reply-flood detect to remove the IP address-specific DNS response flood attack detection configuration.

Syntax

dns-reply-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo dns-reply-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific DNS response flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the maximum receiving rate in pps for DNS responses that are destined for the protected IP address. The value range is 1 to 1000000, and the default value is 1000.

action: Specifies the actions against a detected DNS response flood attack.

client-verify: Adds the victim IP addresses to the protected IP list for DNS response verification. If DNS response verification is enabled, the device provides proxy services for protected clients.

drop: Drops subsequent DNS response packets destined for the protected IP address.

logging: Enables logging for DNS response flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

You can configure DNS response flood attack detection for multiple IP addresses in one attack defense policy.

With DNS response flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of DNS responses destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The logging keyword enables the attack detection and prevention module to log DNS response flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output DNS response flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view DNS response flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure DNS response flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood detect ip 192.168.1.2 port 53 threshold 2000

Related commands

dns-reply-flood action

dns-reply-flood detect non-specific

dns-reply-flood threshold

dns-reply-flood port

dns-reply-flood detect non-specific

Use dns-reply-flood detect non-specific to enable global DNS response flood attack detection.

Use undo dns-reply-flood detect non-specific to disable global DNS response flood attack detection.

Syntax

dns-reply-flood detect non-specific

undo dns-reply-flood detect non-specific

Default

Global DNS response flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global DNS response flood attack detection applies to all IP addresses except for those specified by the dns-reply-flood detect command. The global detection uses the global trigger threshold set by the dns-reply-flood threshold command and global actions specified by the dns-flood action command.

Examples

# Enable global DNS response flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood detect non-specific

Related commands

dns-reply-flood action

dns-reply-flood detect

dns-reply-flood threshold

dns-reply-flood port

Use dns-reply-flood port to specify the global ports to be protected against DNS response flood attacks.

Use undo dns-reply-flood port to restore the default.

Syntax

dns-reply-flood port port-list

undo dns-reply-flood port

Default

The global DNS response flood attack prevention protects port 53.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only DNS responses destined for the specified ports.

The global ports apply to global DNS response flood attack detection and IP address-specific DNS response flood attack detection with no port specified.

Examples

# Specify the ports 53 and 61000 as the global ports to be protected against DNS response flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood port 53 61000

Related commands

dns-reply-flood action

dns-reply-flood detect

dns-reply-flood detect non-specific

dns-reply-flood threshold

Use dns-reply-flood threshold to set the global threshold for triggering DNS response flood attack prevention.

Use undo dns-reply-flood threshold to restore the default.

Syntax

dns-reply-flood threshold threshold-value

undo dns-reply-flood threshold

Default

The global threshold is 1000 for triggering DNS response flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for DNS responses that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global DNS response flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS response packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global DNS response flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of DNS response packets sent to a protected DNS client is normally large, set a high threshold. A low threshold might affect the client services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering DNS response flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood threshold 100

Related commands

dns-reply-flood action

dns-reply-flood detect ip

dns-reply-flood detect non-specific

exempt acl

Use exempt acl to configure attack detection exemption.

Use undo exempt acl to restore the default.

Syntax

exempt acl [ ipv6 ] { acl-number | name acl-name }

undo exempt acl [ ipv6 ]

Default

Attack detection exemption is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.

acl-number: Specifies an ACL by its number:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

Usage guidelines

The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The exemption feature reduces the false alarm rate and improves packet processing efficiency.

If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:

·     Source IP address.

·     Destination IP address.

·     Source port.

·     Destination port.

·     Protocol.

·     L3VPN instance.

·     The fragment keyword for matching non-first fragments.

If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.

Examples

# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for packets matching the ACL in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] attack-defense policy atk-policy-1

[attack-defense-policy-atk-policy-1] exempt acl 2001

Related commands

attack-defense policy

fin-flood action

Use fin-flood action to specify global actions against FIN flood attacks.

Use undo fin-flood action to restore the default.

Syntax

fin-flood action { client-verify | drop | logging } *

undo fin-flood action

Default

No global action is specified for FIN flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent FIN packets destined for the victim IP addresses.

logging: Enables logging for FIN flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the FIN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

The logging keyword enables the attack detection and prevention module to log FIN flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output FIN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view FIN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against FIN flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop

Related commands

client-verify tcp enable

fin-flood detect

fin-flood detect non-specific

fin-flood threshold

fin-flood detect

Use fin-flood detect to configure IP address-specific FIN flood attack detection.

Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration.

Syntax

fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific FIN flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the maximum receiving rate in pps for FIN packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected FIN flood attack. If no action is specified, the global actions set by the fin-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent FIN packets destined for the protected IP address.

logging: Enables logging for FIN flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With FIN flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of FIN packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure FIN flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log FIN flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output FIN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view FIN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure FIN flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000

Related commands

fin-flood action

fin-flood detect non-specific

fin-flood threshold

fin-flood detect non-specific

Use fin-flood detect non-specific to enable global FIN flood attack detection.

Use undo fin-flood detect non-specific to disable global FIN flood attack detection.

Syntax

fin-flood detect non-specific

undo fin-flood detect non-specific

Default

Global FIN flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global FIN flood attack detection applies to all IP addresses except for those specified by the fin-flood detect command. The global detection uses the global trigger threshold set by the fin-flood threshold command and global actions specified by the fin-flood action command.

Examples

# Enable global FIN flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific

Related commands

fin-flood action

fin-flood detect

fin-flood threshold

fin-flood threshold

Use fin-flood threshold to set the global threshold for triggering FIN flood attack prevention.

Use undo fin-flood threshold to restore the default.

Syntax

fin-flood threshold threshold-value

undo fin-flood threshold

Default

The global threshold is 1000 for triggering FIN flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for FIN packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global FIN flood attack detection configured, the device is in attack detection state. When the receiving rate of FIN packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global FIN flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of FIN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering FIN flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood threshold 100

Related commands

fin-flood action

fin-flood detect

fin-flood detect non-specific

http-flood action

Use http-flood action to specify global actions against HTTP flood attacks.

Use undo http-flood action to restore the default.

Syntax

http-flood action { client-verify | drop | logging } *

undo http-flood action

Default

No global action is specified for HTTP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent HTTP packets destined for the victim IP addresses.

logging: Enables logging for HTTP flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command.

The logging keyword enables the attack detection and prevention module to log HTTP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output HTTP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view HTTP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop

Related commands

client-verify http enable

http-flood detect

http-flood detect non-specific

http-flood threshold

http-flood detect

Use http-flood detect to configure IP address-specific HTTP flood attack detection.

Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.

Syntax

http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific HTTP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the maximum receiving rate in pps for HTTP packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected HTTP flood attack. If no action is specified, the global actions set by the http-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent HTTP packets destined for the protected IP address.

logging: Enables logging for HTTP flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With HTTP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of HTTP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure HTTP flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log HTTP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output HTTP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view HTTP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure HTTP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip 192.168.1.2 port 80 8080 threshold 2000

Related commands

http-flood action

http-flood detect non-specific

http-flood port

http-flood threshold

http-flood detect non-specific

Use http-flood detect non-specific to enable global HTTP flood attack detection.

Use undo http-flood detect non-specific to disable global HTTP flood attack detection.

Syntax

http-flood detect non-specific

undo http-flood detect non-specific

Default

Global HTTP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.

Examples

# Enable global HTTP flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific

Related commands

http-flood action

http-flood detect

http-flood threshold

http-flood port

Use http-flood port to specify the global ports to be protected against HTTP flood attacks.

Use undo http-flood port to restore the default.

Syntax

http-flood port port-list

undo http-flood port

Default

The global HTTP flood attack prevention protects port 80.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only HTTP packets destined for the specified ports.

The global ports apply to global HTTP flood attack detection and IP address-specific HTTP flood attack detection with no port specified.

Examples

# Specify the ports 80 and 8080 as the global ports to be protected against HTTP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080

Related commands

http-flood action

http-flood detect

http-flood detect non-specific

http-flood threshold

Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention.

Use undo http-flood threshold to restore the default.

Syntax

http-flood threshold threshold-value

undo http-flood threshold

Default

The global threshold is 1000 for triggering HTTP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for HTTP packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global HTTP flood attack detection configured, the device is in attack detection state. When the receiving rate of HTTP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global HTTP flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of HTTP packets sent to a protected HTTP server is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering HTTP flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood threshold 100

Related commands

http-flood action

http-flood detect

http-flood detect non-specific

icmp-flood action

Use icmp-flood action to specify global actions against ICMP flood attacks.

Use undo icmp-flood action to restore the default.

Syntax

icmp-flood action { drop | logging } *

undo icmp-flood action

Default

No global action is specified for ICMP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMP packets destined for the victim IP addresses.

logging: Enables logging for ICMP flood attack events. The log messages will be sent to the log system.

Usage guidelines

The logging keyword enables the attack detection and prevention module to log ICMP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ICMP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ICMP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against ICMP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood action drop

Related commands

icmp-flood detect non-specific

icmp-flood detect ip

icmp-flood threshold

icmp-flood detect ip

Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection.

Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration.

Syntax

icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]

Default

IP address-specific ICMP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the maximum receiving rate in pps for ICMP packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected ICMP flood attack. If no action is specified, the global actions set by the icmp-flood action command apply.

drop: Drops subsequent ICMP packets destined for the protected IP address.

logging: Enables logging for ICMP flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With ICMP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of ICMP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure ICMP flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log ICMP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ICMP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ICMP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure ICMP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect ip 192.168.1.2 threshold 2000

Related commands

icmp-flood action

icmp-flood detect non-specific

icmp-flood threshold

icmp-flood detect non-specific

Use icmp-flood detect non-specific to enable global ICMP flood attack detection.

Use undo icmp-flood detect non-specific to disable global ICMP flood attack detection.

Syntax

icmp-flood detect non-specific

undo icmp-flood detect non-specific

Default

Global ICMP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.

Examples

# Enable global ICMP flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect non-specific

Related commands

icmp-flood action

icmp-flood detect ip

icmp-flood threshold

icmp-flood threshold

Use icmp-flood threshold to set the global threshold for triggering ICMP flood attack prevention.

Use undo icmp-flood threshold to restore the default.

Syntax

icmp-flood threshold threshold-value

undo icmp-flood threshold

Default

The global threshold is 1000 for triggering ICMP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for ICMP packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global ICMP flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering ICMP flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100

Related commands

icmp-flood action

icmp-flood detect ip

icmp-flood detect non-specific

icmpv6-flood action

Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks.

Use undo icmpv6-flood action to restore the default.

Syntax

icmpv6-flood action { drop | logging } *

undo icmpv6-flood action

Default

No global action is specified for ICMPv6 flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMPv6 packets destined for the victim IP addresses.

logging: Enables logging for ICMPv6 flood attack events. The log messages will be sent to the log system.

Usage guidelines

The logging keyword enables the attack detection and prevention module to log ICMPv6 flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ICMPv6 flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ICMPv6 flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against ICMPv6 flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop

Related commands

icmpv6-flood detect ipv6

icmpv6-flood detect non-specific

icmpv6-flood threshold

icmpv6-flood detect ipv6

Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection.

Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.

Syntax

icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ]

Default

IPv6 address-specific ICMPv6 flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

Ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

threshold threshold-value: Specifies the maximum receiving rate in pps for ICMPv6 packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected ICMPv6 flood attack. If no action is specified, the global actions set by the icmpv6-flood action command apply.

drop: Drops subsequent ICMPv6 packets destined for the protected IPv6 address.

logging: Enables logging for ICMPv6 flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With ICMPv6 flood attack detection configured for an IPv6 address, the device is in attack detection state. When the receiving rate of ICMPv6 packets destined for the IPv6 address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure ICMPv6 flood attack detection for multiple IPv6 addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log ICMPv6 flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output ICMPv6 flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view ICMPv6 flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure ICMPv6 flood attack detection for 2012::12 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000

Related commands

icmpv6-flood action

icmpv6-flood detect non-specific

icmpv6-flood threshold

icmpv6-flood detect non-specific

Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection.

Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection.

Syntax

icmpv6-flood detect non-specific

undo icmpv6-flood detect non-specific

Default

Global ICMPv6 flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global detection uses the global trigger threshold set by the icmpv6-flood threshold command and global actions specified by the icmpv6-flood action command.

Examples

# Enable global ICMPv6 flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect non-specific

Related commands

icmpv6-flood action

icmpv6-flood detect ipv6

icmpv6-flood threshold

icmpv6-flood threshold

Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention.

Use undo icmpv6-flood threshold to restore the default.

Syntax

icmpv6-flood threshold threshold-value

undo icmpv6-flood threshold

Default

The global threshold is 1000 for triggering ICMPv6 flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for ICMPv6 packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMPv6 packets destined for an IPv6 address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global ICMPv6 flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of ICMPv6 packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering ICMPv6 flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood threshold 100

Related commands

icmpv6-flood action

icmpv6-flood detect ipv6

icmpv6-flood detect non-specific

reset attack-defense policy flood

Use reset attack-defense policy flood statistics to clear flood attack detection and prevention statistics for protected IP addresses.

Syntax

reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics

Views

User view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ip: Specifies protected IPv4 addresses.

ipv6: Specifies protected IPv6 addresses.

statistics: Clears flood attack detection and prevention statistics.

Examples

# Clear flood attack detection and prevention statistics for protected IPv4 addresses in attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ip statistics

# Clear flood attack detection and prevention statistics for protected IPv6 addresses in attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ipv6 statistics

Related commands

display attack-defense policy ip

display attack-defense policy ipv6

reset attack-defense statistics interface

Use reset attack-defense statistics interface to clear attack detection and prevention statistics for an interface.

Syntax

reset attack-defense statistics interface interface-type interface-number

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear attack detection and prevention statistics for GigabitEthernet 1/0.

<Sysname> reset attack-defense statistics interface gigabitethernet 1/0

Related commands

display attack defense policy

reset attack-defense statistics local

Use reset attack-defense statistics local to clear attack detection and prevention statistics for the device.

Syntax

reset attack-defense statistics local

Views

User view

Predefined user roles

network-admin

Examples

# Clear attack detection and prevention statistics for the device.

<Sysname> reset attack-defense statistics local

Related commands

display attack-defense statistics local

reset attack-defense top-attack-statistics

Use reset attack-defense top-attack-statistics to clear top 10 attack statistics.

Syntax

reset attack-defense top-attack-statistics

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear top 10 attack statistics.

<Sysname> reset attack-defense top-attack-statistics

Related commands

attack-defense top-attack-statistics enable

display attack-defense top-attack-statistics

reset blacklist destination-ip

Use reset blacklist destination-ip to delete dynamic destination IPv4 blacklist entries.

Syntax

reset blacklist destination-ip { destination-ip-address [ vpn-instance vpn-instance-name ]  | all }

Views

User view

Predefined user roles

network-admin

Parameters

destination-ip-address: Specifies an IPv4 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

all: Specifies all dynamic destination IPv4 blacklist entries.

Usage guidelines

This command deletes only dynamic destination IPv4 blacklist entries. To delete manual destination IPv4 blacklist entries, use the undo blacklist destination-ip command.

Examples

# Delete all dynamic destination IPv4 blacklist entries.

<Sysname> reset blacklist destination-ip all

Related commands

display blacklist destination-ip

reset blacklist destination-ipv6

Use reset blacklist destination-ipv6 to delete dynamic destination IPv6 blacklist entries.

Syntax

reset blacklist destination-ipv6{ destination-ipv6-address [ vpn-instance vpn-instance-name ]  | all }

Views

User view

Predefined user roles

network-admin

Parameters

destination-ipv6-address : Specifies an IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

all: Specifies all dynamic destination IPv4 blacklist entries.

Usage guidelines

This command deletes only dynamic destination IPv6 blacklist entries. To delete manual destination IPv6 blacklist entries, use the undo blacklist destination-ipv6 command.

Examples

# Delete all dynamic destination IPv6 blacklist entries.

<Sysname> reset blacklist destination-ipv6 all

Related commands

display blacklist ipv6

reset blacklist ip

Use reset blacklist ip to delete dynamic IPv4 blacklist entries.

Syntax

reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all }

Views

User view

Predefined user roles

network-admin

Parameters

source-ip-address: Specifies the IPv4 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address. Do not specify this option if the IPv4 address is on the public network.

all: Specifies all dynamic IPv4 blacklist entries.

Usage guidelines

This command deletes only dynamic IPv4 blacklist entries. To delete manual IPv4 blacklist entries, use the undo blacklist ip command.

Examples

# Delete all dynamic IPv4 blacklist entries.

<Sysname> reset blacklist ip all

Related commands

display blacklist ip

reset blacklist ipv6

Use reset blacklist ipv6 to delete dynamic IPv6 blacklist entries.

Syntax

reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }

Views

User view

Predefined user roles

network-admin

Parameters

source-ipv6-address: Specifies the IPv6 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

all: Specifies all dynamic IPv6 blacklist entries.

Usage guidelines

This command deletes only dynamic IPv6 blacklist entries. To delete manual IPv6 blacklist entries, use the undo blacklist ipv6 command.

Examples

# Delete all dynamic IPv6 blacklist entries.

<Sysname> reset blacklist ipv6 all

Related commands

display blacklist ipv6

reset blacklist statistics

Use reset blacklist statistics to clear blacklist statistics.

Syntax

reset blacklist statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command resets the counter for dropped packets for all blacklist entries.

Examples

# Clear blacklist statistics.

<Sysname> reset blacklist statistics

Related commands

display blacklist ip

display blacklist ipv6

reset client-verify protected statistics

Use reset client-verify protected statistics to clear protected IP statistics for client verification.

Syntax

reset client-verify { dns| dns-reply | http | sip | tcp } protected { ip | ipv6 } statistics

Views

User view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ip: Specifies the protected IPv4 list.

ipv6: Specifies the protected IPv6 list.

Examples

# Clear the protected IPv4 statistics for TCP client verification.

<Sysname> reset client-verify tcp protected ip statistics

Related commands

display client-verify protected ip

display client-verify protected ipv6

reset client-verify trusted

Use reset client-verify trusted to clear the trusted IP list for client verification.

Syntax

reset client-verify { dns| dns-reply | http | sip | tcp } trusted { ip | ipv6 }

Views

User view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

dns-reply: Specifies the DNS response verification feature.

http: Specifies the HTTP client verification feature.

sip: Specifies the SIP client verification feature.

tcp: Specifies the TCP client verification feature.

ip: Specifies the trusted IPv4 list.

ipv6: Specifies the trusted IPv6 list.

Examples

# Clear the trusted IPv4 list for DNS client verification.

<Sysname> reset client-verify dns trusted ip

Related commands

display client-verify trusted ip

display client-verify trusted ipv6

reset whitelist statistics

Use reset whitelist statistics to clear statistics about packets that match the address object groups on the whitelist.

Syntax

reset whitelist statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command clears statistics about packets that match all address object groups on the whitelist.

Examples

# Clear statistics about packets that match the address object groups on the whitelist.

<Sysname> reset whitelist statistics

Related commands

display whitelist object-group

rst-flood action

Use rst-flood action to specify global actions against RST flood attacks.

Use undo rst-flood action to restore the default.

Syntax

rst-flood action { client-verify | drop | logging } *

undo rst-flood action

Default

No global action is specified for RST flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent RST packets destined for the victim IP addresses.

logging: Enables logging for RST flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the RST flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output RST flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view RST flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against RST flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop

Related commands

client-verify tcp enable

rst-flood detect

rst-flood detect non-specific

rst-flood threshold

rst-flood detect

Use rst-flood detect to configure IP address-specific RST flood attack detection.

Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.

Syntax

rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific RST flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the maximum receiving rate in pps for RST packets that are destined for the protected IP address. The value range is 1 to 1000000.

action: Specifies the actions against a detected RST flood attack. If no action is specified, the global actions set by the rst-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent RST packets destined for the protected IP address.

logging: Enables logging for RST flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With RST flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of RST packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device considers returns to the attack detection state.

You can configure RST flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output RST flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view RST flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure RST flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000

Related commands

rst-flood action

rst-flood detect non-specific

rst-flood threshold

rst-flood detect non-specific

Use rst-flood detect non-specific to enable global RST flood attack detection.

Use undo rst-flood detect non-specific to disable global RST flood attack detection.

Syntax

rst-flood detect non-specific

undo rst-flood detect non-specific

Default

Global RST flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold command and global actions specified by the rst-flood action command.

Examples

# Enable global RST flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect non-specific

Related commands

rst-flood action

rst-flood detect

rst-flood threshold

rst-flood threshold

Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.

Use undo rst-flood threshold to restore the default.

Syntax

rst-flood threshold threshold-value

undo rst-flood threshold

Default

The global threshold is 1000 for triggering RST flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for RST packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global RST flood attack detection configured, the device is in attack detection state. When the receiving rate of RST packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global RST flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.

·     For a network that is unstable or susceptible to attacks, set a low threshold.

Examples

# Set the global threshold to 100 for triggering RST flood attack prevention in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100

Related commands

rst-flood action

rst-flood detect

rst-flood detect non-specific

scan detect

Use scan detect to configure scanning attack detection.

Use undo scan detect to remove the scanning attack detection configuration.

Syntax

scan detect level { { high | low | medium } | user-defined { port-scan-threshold threshold-value | ip-sweep-threshold threshold-value } * [ period period-value ] } action { { block-source [ timeout minutes ] | drop } | logging } *

undo scan detect

Default

No scanning attack detection is configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

level: Specifies the level of the scanning attack detection.

high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered as attack packets. For high level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 5000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 5000 packets in a detection cycle.

low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. For low level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 100000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 100000 packets in a detection cycle.

medium: Specifies the medium level. Compared with the high and low levels, this level has medium false alarm rate and attack detection accuracy. For medium level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 40000 packets. The threshold for triggering IP sweep attack prevention is 40000 packets.

user-defined: Specifies the user-defined level. This level allows you to set the thresholds and detection cycle for port scan and IP sweep attacks on demand.

port-scan-threshold threshold-value: Sets the user-defined threshold for triggering port scan attack prevention. The value range is 1 to 1000000000. This threshold defines the maximum number of packets sent from an IP address to different ports within a detection cycle.

ip-sweep-threshold threshold-value: Sets the user-defined threshold for triggering IP sweep attack prevention. The value range is 1 to 1000000000. This threshold defines the maximum number of packets sent from an IP address to different IP addresses within a detection cycle.

period period-value: Sets the scanning attack detection cycle in the range of 1 to 1000000000 seconds. The default value is 10.

action: Specifies the actions against scanning attacks.

block-source: Adds the attackers' IP addresses to the IP blacklist. If the blacklist feature is enabled on the receiving interface, the device drops subsequent packets from the blacklisted IP addresses.

timeout minutes: Specifies the aging timer in minutes for the dynamically added blacklist entries, in the range of 1 to 10080. The default aging timer is 10 minutes.

drop: Drops subsequent packets from detected scanning attack sources. The log messages will be sent to the log system.

logging: Enables logging for scanning attack events.

Usage guidelines

To collaborate with the IP blacklist feature, make sure the blacklist feature is enabled on the on the interface to which the attack defense policy is applied.

The aging timer set by the timeout minutes option must be longer than the statistics collection interval.

The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output scanning attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view scanning attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure low level scanning attack detection and specify the prevention action as drop in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop

# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10

# Configure scanning attack detection in the attack defense policy atk-policy-1. Specify the detection level as user-defined and detection cycle as 30 seconds. Set the port scan attack prevention threshold and IP sweep attack prevention threshold to 6000 packets and 80000 packets, respectively. Specify the prevention action as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level user-defined port-scan-threshold 6000 ip-sweep-threshold 80000 period 30 action logging block-source timeout 10

Related commands

blacklist enable

blacklist global enable

signature { large-icmp | large-icmpv6 } max-length

Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.

Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.

Syntax

signature { large-icmp | large-icmpv6 } max-length length

undo signature { large-icmp | large-icmpv6 } max-length

Default

The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

large-icmp: Specifies large ICMP packet attack signature.

large-icmpv6: Specifies large ICMPv6 packet attack signature.

length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is 48 to 65534.

Examples

# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000

Related commands

signature detect

signature detect

Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.

Use undo signature detect to disable signature detection for single-packet attacks.

Syntax

signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }

signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *

undo signature detect { ip-option-abnormal | ping-of-death | teardrop }

signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }

signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }

signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }

signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

undo signature detect ipv6-ext-header next-header-value

Default

Signature detection is disabled for all single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

fraggle: Specifies the fraggle attack.

fragment: Specifies the IP fragment attack.

icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:

·     icmp-type-value: Specifies the ICMP packet type in the range of 0 to 255.

·     address-mask-reply: Specifies the ICMP address mask reply type.

·     address-mask-request: Specifies the ICMP address mask request type.

·     destination-unreachable: Specifies the ICMP destination unreachable type.

·     echo-reply: Specifies the ICMP echo reply type.

·     echo-request: Specifies the ICMP echo request type.

·     information-reply: Specifies the ICMP information reply type.

·     information-request: Specifies the ICMP information request type.

·     parameter-problem: Specifies the ICMP parameter problem type.

·     redirect: Specifies the ICMP redirect type.

·     source-quench: Specifies the ICMP source quench type.

·     time-exceeded: Specifies the ICMP time exceeded type.

·     timestamp-reply: Specifies the ICMP timestamp reply type.

·     timestamp-request: Specifies the ICMP timestamp request type.

icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword:

·     icmpv6-type-value: Specifies the ICMPv6 packet type in the range of 0 to 255.

·     destination-unreachable: Specifies the ICMPv6 destination unreachable type.

·     echo-reply: Specifies the ICMPv6 echo reply type.

·     echo-request: Specifies the ICMPv6 echo request type.

·     group-query: Specifies the ICMPv6 group query type.

·     group-reduction: Specifies the ICMPv6 group reduction type.

·     group-report: Specifies the ICMPv6 group report type.

·     packet-too-big: Specifies the ICMPv6 packet too big type.

·     parameter-problem: Specifies the ICMPv6 parameter problem type.

·     time-exceeded: Specifies the ICMPv6 time exceeded type.

impossible: Specifies the IP impossible packet attack.

ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:

·     option-code: Specifies the IP option in the range of 1 to 255.

·     internet-timestamp: Specifies the timestamp option.

·     loose-source-routing: Specifies the loose source routing option.

·     record-route: Specifies the record route option.

·     route-alert: Specifies the route alert option.

·     security: Specifies the security option.

·     stream-id: Specifies the stream identifier option.

·     strict-source-routing: Specifies the strict source route option.

ip-option-abnormal: Specifies the abnormal IP option attack.

ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.

land: Specifies the Land attack.

large-icmp: Specifies the large ICMP packet attack.

large-icmpv6: Specifies the large ICMPv6 packet attack.

ping-of-death: Specifies the ping-of-death attack.

smurf: Specifies the smurf attack.

snork: Specifies the UDP snork attack.

tcp-all-flags: Specifies the attack where the TCP packet has all flags set.

tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.

tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.

tcp-null-flag: Specifies the attack where the TCP packet has no flags set.

tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.

teardrop: Specifies the teardrop attack.

tiny-fragment: Specifies the tiny fragment attack.

traceroute: Specifies the traceroute attack.

udp-bomb: Specifies the UDP bomb attack.

winnuke: Specifies the WinNuke attack.

action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.

drop: Drops packets that match the specified signature.

logging: Enables logging for the specified single-packet attack.

none: Takes no action.

Usage guidelines

You can use this command multiple times to enable signature detection for multiple single-packet attack types.

When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.

The logging keyword enables the attack detection and prevention module to log single-packet attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output single-packet attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view single-packet attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable signature detection for the IP fragment attack and specify the prevention action as drop in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature detect fragment action drop

Related commands

signature level action

signature level action

Use signature level action to specify the actions against single-packet attacks on a specific level.

Use undo signature level action to restore the default.

Syntax

signature level { high | info | low | medium } action { { drop | logging } * | none }

undo signature level { high | info | low | medium } action

Default

For informational-level and low-level single-packet attacks, the action is logging.

For medium-level and high-level single-packet attacks, the actions are logging and drop.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, large ICMP packet attack is on this level.

low: Specifies the low level. For example, the traceroute attack is on this level.

medium: Specifies the medium level. For example, the WinNuke attack is on this level.

drop: Drops packets that match the specified level.

logging: Enable logging for single-packet attacks on the specified level.

none: Takes no action.

Usage guidelines

According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level.

If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.

The logging keyword enables the attack detection and prevention module to log single-packet attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output single-packet attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view single-packet attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify the action against informational-level single-packet attacks as drop in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy 1

[Sysname-attack-defense-policy-1] signature level info action drop

Related commands

signature detect

signature level detect

signature level detect

Use signature level detect to enable signature detection for single-packet attacks on a specific level.

Use undo signature level detect to disable signature detection for single-packet attacks on a specific level.

Syntax

signature level { high | info | low | medium } detect

undo signature level { high | info | low | medium } detect

Default

Signature detection is disabled for all levels of single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, large ICMP packet attack is on this level.

low: Specifies the low level. For example, the traceroute attack is on this level.

medium: Specifies the medium level. For example, the WinNuke attack is on this level.

Usage guidelines

According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level. Use the signature level action command to specify the actions against single-packet attacks on a specific level. If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.

To display the level to which a single-packet attack belongs, use the display attack-defense policy command.

Examples

# Enable signature detection for informational-level single-packet attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy 1

[Sysname-attack-defense-policy-1] signature level info detect

Related commands

display attack-defense policy

signature detect

signature level action

sip-flood action

Use sip-flood action to specify global actions against SIP flood attacks.

Use undo sip-flood action to restore the default.

Syntax

sip-flood action { client-verify | drop | logging } *

undo sip-flood action

Default

No global action is specified for SIP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for SIP client verification. If SIP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SIP packets destined for the victim IP addresses.

logging: Enables logging for SIP flood attack events. The log messages will be sent to the log system.

Usage guidelines

For the SIP flood attack detection to collaborate with the SIP client verification, make sure the client-verify keyword is specified and the SIP client verification is enabled. To enable SIP client verification, use the client-verify sip enable command.

The logging keyword enables the attack detection and prevention module to log SIP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output SIP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view SIP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Specify drop as the global action against SIP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] sip-flood action drop

Related commands

client-verify sip enable

sip-flood detect

sip-flood detect non-specific

sip-flood threshold

sip-flood detect

Use sip-flood detect to configure IP address-specific SIP flood attack detection.

Use undo sip-flood detect to remove IP address-specific SIP flood attack detection configuration.

Syntax

sip-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo sip-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific SIP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the maximum receiving rate in pps for SIP packets that are destined for the protected IP address. The value range is 1 to 1000000, and the default is 1000.

action: Specifies the actions against a detected an SIP flood attack. If no action is specified, the global actions set by the sip-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for SIP client verification. If SIP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SIP packets destined for the protected IP address.

logging: Enables logging for SIP flood attack events. The log messages will be sent to the log system.

none: Takes no action.

Usage guidelines

With SIP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of SIP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure SIP flood attack detection for multiple IP addresses in one attack defense policy.

The logging keyword enables the attack detection and prevention module to log SIP flood attack events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output SIP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view SIP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure SIP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] sip-flood detect ip 192.168.1.2 threshold 2000

Related commands

client-verify sip enable

sip-flood action

sip-flood detect non-specific

sip-flood port

sip-flood threshold

sip-flood detect non-specific

Use sip-flood detect non-specific to enable global SIP flood attack detection.

Use undo sip-flood detect non-specific to disable global SIP flood attack detection.

Syntax

sip-flood detect non-specific

undo sip-flood detect non-specific

Default

Global SIP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global SIP flood attack detection applies to all IP addresses except those specified by the sip-flood detect command. The global detection uses the global trigger threshold set by the sip-flood threshold command and global actions specified by the sip-flood action command.

Examples

# Enable global SIP flood attack detection in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] sip-flood detect non-specific

Related commands

sip-flood action

sip-flood detect

sip-flood threshold

sip-flood port

Use sip-flood port to specify the global ports to be protected against SIP flood attacks.

Use undo sip-flood port to restore the default.

Syntax

sip-flood port port-list

undo sip-flood port

Default

The global SIP flood attack prevention protects port 5060.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only SIP packets destined for the specified ports.

The global ports apply to global SIP flood attack detection and IP address-specific SIP flood attack detection with no port specified.

Examples

# Specify ports 5060 and 65530 as the global ports to be protected against SIP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] sip-flood port 5060 65530

Related commands

sip-flood action

sip-flood detect

sip-flood detect non-specific

sip-flood threshold

Use sip-flood threshold to set the global threshold for triggering SIP flood attack prevention.

Use undo sip-flood threshold to restore the default.

Syntax

sip-flood threshold threshold-value

undo sip-flood threshold

Default

The global threshold is 1000 for triggering SIP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the maximum receiving rate in pps for SIP packets that are destined for an IP address. The value range is 1 to 1000000.

Usage guidelines

With global SIP flood attack detection configured, the device is in attack detection state. When the receiving rate of SIP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

The global threshold applies to global SIP flood attack detection. Adjust the threshold according to the application scenarios.

·     If the number of SIP packets sent to a protected SIP server is normally large, set a high threshold. A low threshold might affect the server services.

·