12-Security Command Reference

12-IP-based attack prevention commands

Contents

IP-based attack prevention commands

Naptha attack prevention commands

tcp anti-naptha enable

tcp check-state interval

tcp state

TCP SYN flood attack prevention commands

display ipv6 tcp anti-syn-flood flow-based entry

display ipv6 tcp anti-syn-flood flow-based entry count

display tcp anti-syn-flood flow-based configuration

display tcp anti-syn-flood flow-based entry

display tcp anti-syn-flood flow-based entry count

reset ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

reset tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based threshold

tcp anti-syn-flood log enable

tcp anti-syn-flood flow-based check-interval

UDP flood attack prevention commands

display ipv6 udp anti-flood flow-based entry

display ipv6 udp anti-flood flow-based entry count

display udp anti-flood flow-based configuration

display udp anti-flood flow-based entry

display udp anti-flood flow-based entry count

reset ipv6 udp anti-flood flow-based entry

reset ipv6 udp anti-flood flow-based statistics

reset udp anti-flood flow-based entry

reset udp anti-flood flow-based statistics

udp anti-flood flow-based duration

udp anti-flood flow-based enable

udp anti-flood flow-based threshold

udp anti-flood log enable

udp anti-flood flow-based check-interval



IP-based attack prevention commands

Naptha attack prevention commands

tcp anti-naptha enable

Use tcp anti-naptha enable to enable Naptha attack prevention.

Use undo tcp anti-naptha enable to disable Naptha attack prevention.

Syntax

tcp anti-naptha enable

undo tcp anti-naptha enable

Default

Naptha attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you enable Naptha attack prevention, the device periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state. The check interval is set by the tcp check-state interval command. The TCP connection limits are set by the tcp state command.

Examples

# Enable Naptha attack prevention.

<Sysname> system-view

[Sysname] tcp anti-naptha enable

Related commands

tcp state

tcp check-state interval

tcp check-state interval

Use tcp check-state interval to set the interval for checking the number of TCP connections in each state.

Use undo tcp check-state interval to restore the default.

Syntax

tcp check-state interval interval

undo tcp check-state interval

Default

The interval is 30 seconds for checking the number of TCP connections in each state.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the check interval in the range of 1 to 60 seconds.

Usage guidelines

This command takes effect after you enable Naptha attack prevention.

After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at intervals. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state.

Examples

# Set the interval to 40 seconds for checking the number of TCP connections in each state.

<Sysname> system-view

[Sysname] tcp check-state interval 40

Related commands

tcp anti-naptha enable

tcp state

tcp state

Use tcp state to set the maximum number of TCP connections in a state.

Use undo tcp state to restore the default.

Syntax

tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number

undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit

Default

The maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

closing: Specifies the CLOSING state.

established: Specifies the ESTABLISHED state.

fin-wait-1: Specifies the FIN_WAIT_1 state.

fin-wait-2: Specifies the FIN_WAIT_2 state.

last-ack: Specifies the LAST_ACK state.

connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. The value of 0 represents that the device does not accelerate the aging of the TCP connections in a state.

Usage guidelines

This command takes effect after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in the state.

Examples

# Set the maximum number of TCP connections in the ESTABLISHED state to 100.

<Sysname> system-view

[Sysname] tcp state established connection-limit 100

Related commands

tcp anti-naptha enable

tcp check-state interval

TCP SYN flood attack prevention commands

display ipv6 tcp anti-syn-flood flow-based entry

Use display ipv6 tcp anti-syn-flood flow-based entry to display IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

display ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ cpu cpu-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

all: Displays all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about IPv6 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv6 flow-based TCP SYN flood attack prevention entries.

Examples

# Display brief information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry chassis 1 slot 1

SrcAddr              DstPort VPN                       Type Packets dropped

2::1                 179     --                        IP   987654321

# Display detailed information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry chassis 1 slot 1 verbose

SrcAddr: 2::1

DstPort: 179

VPN: --

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 987654321

Table 1 Command output

SrcAddr: Source IPv6 address of the TCP SYN flood attack packets.

DstPort: Destination port number of the TCP SYN flood attack packets.

VPN: Name of the VPN instance. This field displays hyphens (--) for the public network.

Type: Packet type, MPLS or IP.

Hardware status: Result of installing the flow-based TCP SYN flood attack prevention entry in hardware: Succeeded, Failed, or Not enough resources.

Aging time: Remaining lifetime of the IPv6 flow-based TCP SYN flood attack prevention entry, in seconds.

Attack time: Time when the IPv6 TCP SYN flood attack was detected, in the format YYYY/MM/DD HH:MM:SS.

Packets dropped: Total number of packets dropped by IPv6 flow-based TCP SYN flood attack prevention.

Related commands

reset ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

display ipv6 tcp anti-syn-flood flow-based entry count

Use display ipv6 tcp anti-syn-flood flow-based entry count to display the number of IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

display ipv6 tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number [ cpu cpu-number ] count

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display the number of IPv6 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1.

<Sysname> display ipv6 tcp anti-syn-flood flow-based entry chassis 1 slot 1 count

Total flow-based entries: 2

Table 2 Command output

Total flow-based entries: Total number of IPv6 flow-based TCP SYN flood attack prevention entries.

Related commands

reset ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

display tcp anti-syn-flood flow-based configuration

Use display tcp anti-syn-flood flow-based configuration to display the configuration of flow-based TCP SYN flood attack prevention.

Syntax

display tcp anti-syn-flood flow-based configuration

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the configuration of flow-based TCP SYN flood attack prevention.

<Sysname> display tcp anti-syn-flood flow-based configuration

Flow-based TCP SYN flood attack prevention is enabled.

Check interval: 1 seconds     

Duration: 5 minutes

Threshold: 100 packets per check interval

Table 3 Command output

Flow-based TCP SYN flood attack prevention is enabled: The flow-based TCP SYN flood attack prevention feature is enabled.

Flow-based TCP SYN flood attack prevention is disabled: The flow-based TCP SYN flood attack prevention feature is disabled.

Check interval: Check interval of flow-based TCP SYN flood attack prevention, in seconds.

Duration: Flow-based TCP SYN flood attack prevention duration, in minutes.

Threshold: Threshold for triggering flow-based TCP SYN flood attack prevention, in packets per check interval.

Related commands

tcp anti-syn-flood flow-based enable

display tcp anti-syn-flood flow-based entry

Use display tcp anti-syn-flood flow-based entry to display IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

display tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ cpu cpu-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

all: Displays all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about IPv4 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv4 flow-based TCP SYN flood attack prevention entries.

Examples

# Display brief information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display tcp anti-syn-flood flow-based entry chassis 1 slot 1

SrcAddr         DstPort VPN                             Type Packets dropped

1.1.1.1         179     --                              MPLS 12345678

2.1.1.1         179     --                              IP   87654321

# Display detailed information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display tcp anti-syn-flood flow-based entry chassis 1 slot 1 verbose

SrcAddr: 1.1.1.1

DstPort: 179

VPN: --

Type: MPLS

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/01/07 18:55:03

Packets dropped: 12345678

SrcAddr: 2.1.1.1

DstPort: 179

VPN: 1

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 87654321

Table 4 Command output

SrcAddr: Source IPv4 address of the TCP SYN flood attack packets.

DstPort: Destination port number of the TCP SYN flood attack packets.

VPN: Name of the VPN instance. This field displays hyphens (--) for the public network.

Type: Packet type, MPLS or IP.

Hardware status: Result of installing the flow-based TCP SYN flood attack prevention entry in hardware: Succeeded, Failed, or Not enough resources.

Aging time: Remaining lifetime of the IPv4 flow-based TCP SYN flood attack prevention entry, in seconds.

Attack time: Time when the TCP SYN flood attack was detected, in the format YYYY/MM/DD HH:MM:SS.

Packets dropped: Total number of packets dropped by IPv4 flow-based TCP SYN flood attack prevention.

Related commands

reset tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

display tcp anti-syn-flood flow-based entry count

Use display tcp anti-syn-flood flow-based entry count to display the number of IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

display tcp anti-syn-flood flow-based entry chassis chassis-number slot slot-number [ cpu cpu-number ] count

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display the number of IPv4 flow-based TCP SYN flood attack prevention entries on slot 1 chassis 1.

<Sysname> display tcp anti-syn-flood flow-based entry chassis 1 slot 1 count

Total flow-based entries: 2

Table 5 Command output

Total flow-based entries: Total number of IPv4 flow-based TCP SYN flood attack prevention entries.

Related commands

reset tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

reset ipv6 tcp anti-syn-flood flow-based entry

Use reset ipv6 tcp anti-syn-flood flow-based entry to delete IPv6 flow-based TCP SYN flood attack prevention entries.

Syntax

reset ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network.

Examples

# Delete IPv6 flow-based TCP SYN flood attack prevention entries with source IPv6 address 2000::1 and destination port number 200 on the public network.

<Sysname> reset ipv6 tcp anti-syn-flood flow-based entry destination-port 200 source 2000::1

Related commands

display ipv6 tcp anti-syn-flood flow-based entry

reset ipv6 tcp anti-syn-flood flow-based statistics

Use reset ipv6 tcp anti-syn-flood flow-based statistics to clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

Syntax

reset ipv6 tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Clears all statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

Examples

# Clear statistics for IPv6 TCP SYN packets with source IPv6 address 2000::1 and destination port number 200 dropped by flow-based TCP SYN flood attack prevention on the public network.

<Sysname> reset ipv6 tcp anti-syn-flood flow-based statistics destination-port 200 source 2000::1

Related commands

display ipv6 tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based entry

Use reset tcp anti-syn-flood flow-based entry to delete IPv4 flow-based TCP SYN flood attack prevention entries.

Syntax

reset tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network.

Examples

# Delete IPv4 flow-based TCP SYN flood attack prevention entries with source IPv4 address 2.2.2.2 and destination port number 1024 on the public network.

<Sysname> reset tcp anti-syn-flood flow-based entry destination-port 1024 source 2.2.2.2

Related commands

display tcp anti-syn-flood flow-based entry

reset tcp anti-syn-flood flow-based statistics

Use reset tcp anti-syn-flood flow-based statistics to clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.

Syntax

reset tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Clears all statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.

Examples

# Clear statistics for IPv4 TCP SYN packets with source IPv4 address 2.2.2.2 and destination port number 1024 dropped by flow-based TCP SYN flood attack prevention on the public network.

<Sysname> reset tcp anti-syn-flood flow-based statistics destination-port 1024 source 2.2.2.2

Related commands

display tcp anti-syn-flood flow-based entry

tcp anti-syn-flood flow-based duration

Use tcp anti-syn-flood flow-based duration to set the flow-based TCP SYN flood attack prevention duration.

Use undo tcp anti-syn-flood flow-based duration to restore the default.

Syntax

tcp anti-syn-flood flow-based duration minutes

undo tcp anti-syn-flood flow-based duration

Default

The flow-based TCP SYN flood attack prevention duration is 5 minutes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the flow-based TCP SYN flood attack prevention duration in minutes. The value range is 1 to 3600.

Usage guidelines

After you enable flow-based TCP SYN flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and drops subsequent SYN packets received in the TCP SYN flood attack prevention duration. The device returns to the attack detection state when the duration expires.

Examples

# Set the flow-based TCP SYN flood attack prevention duration to 10 minutes.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based duration 10

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based threshold

tcp anti-syn-flood flow-based enable

Use tcp anti-syn-flood flow-based enable to enable flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based enable to disable flow-based TCP SYN flood attack prevention.

Syntax

tcp anti-syn-flood flow-based enable

undo tcp anti-syn-flood flow-based enable

Default

Flow-based TCP SYN flood attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

A SYN flood attacker exploits the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server. The server opens a half-open connection for each request and responds with a SYN-ACK, but the expected ACK packets never arrive. With all of its connection resources bound to half-open connections, the server is unable to accept new incoming connection requests.

The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.

Examples

# Enable flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based enable

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based threshold

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood flow-based threshold

Use tcp anti-syn-flood flow-based threshold to set the threshold for triggering flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based threshold to restore the default.

Syntax

tcp anti-syn-flood flow-based threshold threshold-value

undo tcp anti-syn-flood flow-based threshold

Default

The threshold is 100 packets per check interval for triggering flow-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

threshold-value: Specifies the threshold for triggering flow-based TCP SYN flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of TCP SYN packets that can be received per flow within a check interval.

Usage guidelines

The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-flow basis. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.

Examples

# Set the threshold to 200 for triggering flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based threshold 200

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based check-interval

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood log enable

Use tcp anti-syn-flood log enable to enable logging for TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood log enable to disable logging for TCP SYN flood attack prevention.

Syntax

tcp anti-syn-flood log enable

undo tcp anti-syn-flood log enable

Default

Logging is disabled for TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This feature generates TCP SYN flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

To avoid degrading device performance with excessive TCP SYN flood attack prevention logs, leave this feature disabled as a best practice. Enable it only for auditing or troubleshooting.

Examples

# Enable logging for TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood log enable

Related commands

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood interface-based enable

tcp anti-syn-flood flow-based check-interval

Use tcp anti-syn-flood flow-based check-interval to set the check interval for flow-based TCP SYN flood attack prevention.

Use undo tcp anti-syn-flood flow-based check-interval to restore the default.

Syntax

tcp anti-syn-flood flow-based check-interval interval

undo tcp anti-syn-flood flow-based check-interval

Default

The check interval is 1 second for flow-based TCP SYN flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the check interval for flow-based TCP SYN flood attack prevention, in seconds. The value range is 1 to 60.

Usage guidelines

The flow-based TCP SYN flood attack prevention feature uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received SYN packets within a check interval exceeds the threshold, the device enters prevention state and drops subsequent SYN packets.

If attacks occur frequently in your network, set a short check interval so that TCP SYN flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the check interval to 30 seconds for flow-based TCP SYN flood attack prevention.

<Sysname> system-view

[Sysname] tcp anti-syn-flood flow-based check-interval 30

Related commands

display tcp anti-syn-flood flow-based configuration

tcp anti-syn-flood flow-based enable

tcp anti-syn-flood flow-based duration

tcp anti-syn-flood flow-based threshold

UDP flood attack prevention commands

display ipv6 udp anti-flood flow-based entry

Use display ipv6 udp anti-flood flow-based entry to display IPv6 flow-based UDP flood attack prevention entries.

Syntax

display ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ cpu cpu-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

all: Displays all IPv6 flow-based UDP flood attack prevention entries on the public network and VPN instances. To display IPv6 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv6 flow-based UDP flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about IPv6 flow-based UDP flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv6 flow-based UDP flood attack prevention entries.

Examples

# Display brief information about IPv6 flow-based UDP flood attack prevention entries on slot 1 on the public network.

<Sysname> display ipv6 udp anti-flood flow-based entry slot 1

SrcAddr              DstPort VPN                       Type Packets dropped

2::1                 179     --                        IP   987654321

# Display detailed information about IPv6 flow-based UDP flood attack prevention entries on slot 1 on the public network.

<Sysname> display ipv6 udp anti-flood flow-based entry slot 1 verbose

SrcAddr: 2::1

DstPort: 179

VPN: --

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 987654321

# Display brief information about IPv6 flow-based UDP flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display ipv6 udp anti-flood flow-based entry chassis 1 slot 1

SrcAddr              DstPort VPN                       Type Packets dropped

2::1                 179     --                        IP   987654321

# Display detailed information about IPv6 flow-based UDP flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display ipv6 udp anti-flood flow-based entry chassis 1 slot 1 verbose

SrcAddr: 2::1

DstPort: 179

VPN: --

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 987654321

Table 6 Command output

Field

Description

SrcAddr

Source IPv6 address of the UDP flood attack packets.

DstPort

Destination port number of the UDP flood attack packets.

VPN

Name of the VPN instance. This field displays hyphens (--) for the public network.

Type

Packet type: MPLS or IP.

Hardware status

Status of the flow-based UDP flood attack prevention entry setting to hardware:

·     Succeeded.

·     Failed.

·     Not enough resources.

Aging time

Remaining lifetime of the IPv6 flow-based UDP flood attack prevention entry, in seconds.

Attack time

Time when the IPv6 UDP flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS.

Packets dropped

Total number of packets dropped by IPv6 flow-based UDP flood attack prevention.


Related commands

reset ipv6 udp anti-flood flow-based entry

reset ipv6 udp anti-flood flow-based statistics

display ipv6 udp anti-flood flow-based entry count

Use display ipv6 udp anti-flood flow-based entry count to display the number of IPv6 flow-based UDP flood attack prevention entries.

Syntax

display ipv6 udp anti-flood flow-based entry chassis chassis-number slot slot-number [ cpu cpu-number ] count

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display the number of IPv6 flow-based UDP flood attack prevention entries on slot 1.

<Sysname> display ipv6 udp anti-flood flow-based entry slot 1 count

Total flow-based entries: 2

# Display the number of IPv6 flow-based UDP flood attack prevention entries on slot 1 chassis 1.

<Sysname> display ipv6 udp anti-flood flow-based entry chassis 1 slot 1 count

Total flow-based entries: 2

Table 7 Command output

Field

Description

Total flow-based entries

Total number of IPv6 flow-based UDP flood attack prevention entries.


Related commands

reset ipv6 udp anti-flood flow-based entry

reset ipv6 udp anti-flood flow-based statistics

display udp anti-flood flow-based configuration

Use display udp anti-flood flow-based configuration to display the configuration of flow-based UDP flood attack prevention.

Syntax

display udp anti-flood flow-based configuration

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the configuration of flow-based UDP flood attack prevention.

<Sysname> display udp anti-flood flow-based configuration

Flow-based UDP flood attack prevention is enabled.

Check interval: 1 seconds

Duration: 5 minutes

Threshold: 100 packets per check interval

Table 8 Command output

Field

Description

Flow-based UDP flood attack prevention is enabled.

The flow-based UDP flood attack prevention feature is enabled.

Flow-based UDP flood attack prevention is disabled.

The flow-based UDP flood attack prevention feature is disabled.

Check interval

Check interval of flow-based UDP flood attack prevention, in seconds.

Duration

Flow-based UDP flood attack prevention duration, in minutes.

Threshold

Threshold for triggering flow-based UDP flood attack prevention.


Related commands

udp anti-flood flow-based enable

display udp anti-flood flow-based entry

Use display udp anti-flood flow-based entry to display IPv4 flow-based UDP flood attack prevention entries.

Syntax

display udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * chassis chassis-number slot slot-number [ cpu cpu-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

all: Displays all IPv4 flow-based UDP flood attack prevention entries on the public network and VPN instances. To display IPv4 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv4 flow-based UDP flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

verbose: Displays detailed information about IPv4 flow-based UDP flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv4 flow-based UDP flood attack prevention entries.

Examples

# Display brief information about IPv4 flow-based UDP flood attack prevention entries on slot 1 on the public network.

<Sysname> display udp anti-flood flow-based entry slot 1

SrcAddr         DstPort VPN                             Type Packets dropped

1.1.1.1         179     --                              MPLS 12345678

2.1.1.1         179     --                              IP   87654321

# Display detailed information about IPv4 flow-based UDP flood attack prevention entries on slot 1 on the public network.

<Sysname> display udp anti-flood flow-based entry slot 1 verbose

SrcAddr: 1.1.1.1

DstPort: 179

VPN: --

Type: MPLS

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/01/07 18:55:03

Packets dropped: 12345678

SrcAddr: 2.1.1.1

DstPort: 179

VPN: 1

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 87654321

# Display brief information about IPv4 flow-based UDP flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display udp anti-flood flow-based entry chassis 1 slot 1

SrcAddr         DstPort VPN                             Type Packets dropped

1.1.1.1         179     --                              MPLS 12345678

2.1.1.1         179     --                              IP   87654321

# Display detailed information about IPv4 flow-based UDP flood attack prevention entries on slot 1 chassis 1 on the public network.

<Sysname> display udp anti-flood flow-based entry chassis 1 slot 1 verbose

SrcAddr: 1.1.1.1

DstPort: 179

VPN: --

Type: MPLS

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/01/07 18:55:03

Packets dropped: 12345678

SrcAddr: 2.1.1.1

DstPort: 179

VPN: 1

Type: IP

Hardware status: Succeeded

Aging time: 5432 seconds

Attack time: 2018/05/18 09:30:00

Packets dropped: 87654321

Table 9 Command output

Field

Description

SrcAddr

Source IPv4 address of the UDP flood attack packets.

DstPort

Destination port number of the UDP flood attack packets.

VPN

Name of the VPN instance. This field displays hyphens (--) for the public network.

Type

Packet type: MPLS or IP.

Hardware status

Status of the flow-based UDP flood attack prevention entry setting to hardware:

·     Succeeded.

·     Failed.

·     Not enough resources.

Aging time

Remaining lifetime of the IPv4 flow-based UDP flood attack prevention entry, in seconds.

Attack time

Time when the UDP flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS.

Packets dropped

Total number of packets dropped by IPv4 flow-based UDP flood attack prevention.
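The verbose entry output documented in Table 6 and Table 9 is easy to collect from a terminal session but tedious to read across many cards. The following added Python example, which is not H3C code, parses that output into records and flags entries whose Hardware status is not Succeeded. SAMPLE_OUTPUT is constructed from the example output above, with one status changed to exercise the check.

```python
"""Added example, not H3C code: parse the verbose output of
display [ipv6] udp anti-flood flow-based entry ... verbose and flag entries
that were not installed in hardware (Failed or Not enough resources)."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the shape of the verbose output on this page; the
# second entry's status is changed to "Not enough resources" for the demo.
SAMPLE_OUTPUT = """\
SrcAddr: 1.1.1.1
DstPort: 179
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678
SrcAddr: 2.1.1.1
DstPort: 179
VPN: 1
Type: IP
Hardware status: Not enough resources
Aging time: 120 seconds
Attack time: 2018/05/18 09:30:00
Packets dropped: 87654321
"""

# Output label -> record key. Labels not listed here are ignored so that a
# software version adding fields does not break the parser.
FIELDS = {
    "SrcAddr": "src_addr", "DstPort": "dst_port", "VPN": "vpn", "Type": "type",
    "Hardware status": "hardware_status", "Aging time": "aging_s",
    "Attack time": "attack_time", "Packets dropped": "dropped",
}


def _convert(key: str, value: str):
    """Turn the printed value into a typed one according to Table 6/Table 9."""
    if key in ("dst_port", "dropped"):
        return int(value)
    if key == "aging_s":                        # "5432 seconds"
        return int(value.split()[0])
    if key == "attack_time":                    # YYYY/MM/DD HH:MM:SS
        return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
    if key == "vpn":                            # "--" means public network
        return None if value == "--" else value
    return value


def parse_entries(text: str) -> List[Dict[str, object]]:
    """One dict per entry; every entry starts with a SrcAddr line.
    Splitting on the first ':' keeps IPv6 addresses such as 2::1 intact."""
    entries: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        label, sep, value = raw.partition(":")
        label, value = label.strip(), value.strip()
        if not sep or label not in FIELDS:
            continue                            # blank line, prompt, unknown field
        if label == "SrcAddr":
            current = {}
            entries.append(current)
        if current is not None:
            key = FIELDS[label]
            current[key] = _convert(key, value)
    return entries


def not_in_hardware(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries the device recorded as attacking but could not program into
    hardware; these are the ones worth alerting on."""
    return [e for e in entries if e.get("hardware_status") != "Succeeded"]


def total_dropped(entries: List[Dict[str, object]]) -> int:
    """Sum of the Packets dropped counters across all parsed entries."""
    return sum(int(e.get("dropped", 0)) for e in entries)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_OUTPUT)
    for bad in not_in_hardware(parsed):
        print("not in hardware:", bad["src_addr"], bad["dst_port"], bad["hardware_status"])
    print("total dropped:", total_dropped(parsed))
```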


Related commands

reset udp anti-flood flow-based entry

reset udp anti-flood flow-based statistics

display udp anti-flood flow-based entry count

Use display udp anti-flood flow-based entry count to display the number of IPv4 flow-based UDP flood attack prevention entries.

Syntax

display udp anti-flood flow-based entry chassis chassis-number slot slot-number [ cpu cpu-number ] count

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display the number of IPv4 flow-based UDP flood attack prevention entries on slot 1.

<Sysname> display udp anti-flood flow-based entry slot 1 count

Total flow-based entries: 2

# Display the number of IPv4 flow-based UDP flood attack prevention entries on slot 1 chassis 1.

<Sysname> display udp anti-flood flow-based entry chassis 1 slot 1 count

Total flow-based entries: 2

Table 10 Command output

Field

Description

Total flow-based entries

Total number of IPv4 flow-based UDP flood attack prevention entries.


Related commands

reset udp anti-flood flow-based entry

reset udp anti-flood flow-based statistics

reset ipv6 udp anti-flood flow-based entry

Use reset ipv6 udp anti-flood flow-based entry to delete IPv6 flow-based UDP flood attack prevention entries.

Syntax

reset ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Deletes all IPv6 flow-based UDP flood attack prevention entries on the public network and VPN instances. To delete IPv6 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv6 flow-based UDP flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv6 flow-based UDP flood attack prevention entries on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command deletes all IPv6 flow-based UDP flood attack prevention entries on the public network.

Examples

# Delete IPv6 flow-based UDP flood attack prevention entries with source IP address 2000::1 and destination port number 200 on the public network.

<Sysname> reset ipv6 udp anti-flood flow-based entry destination-port 200 source 2000::1

Related commands

display ipv6 udp anti-flood flow-based entry

reset ipv6 udp anti-flood flow-based statistics

Use reset ipv6 udp anti-flood flow-based statistics to clear statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention.

Syntax

reset ipv6 udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Clears all statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network and VPN instances. To clear statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention with all destination ports.

source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network.

Examples

# Clear statistics for IPv6 UDP packets with source IPv6 address 2000::1 and destination port number 200 dropped by flow-based UDP flood attack prevention on the public network.

<Sysname> reset ipv6 udp anti-flood flow-based statistics destination-port 200 source 2000::1

Related commands

display ipv6 udp anti-flood flow-based entry

reset udp anti-flood flow-based entry

Use reset udp anti-flood flow-based entry to delete IPv4 flow-based UDP flood attack prevention entries.

Syntax

reset udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Deletes all IPv4 flow-based UDP flood attack prevention entries on the public network and VPN instances. To delete IPv4 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv4 flow-based UDP flood attack prevention entries for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command deletes IPv4 flow-based UDP flood attack prevention entries on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command deletes all IPv4 flow-based UDP flood attack prevention entries on the public network.

Examples

# Delete IPv4 flow-based UDP flood attack prevention entries with source IPv4 address 2.2.2.2 and destination port number 1024 on the public network.

<Sysname> reset udp anti-flood flow-based entry destination-port 1024 source 2.2.2.2

Related commands

display udp anti-flood flow-based entry

reset udp anti-flood flow-based statistics

Use reset udp anti-flood flow-based statistics to clear statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention.

Syntax

reset udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

all: Clears all statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network and VPN instances. To clear statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention only for the public network, do not specify this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network.

destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 1 to 65535. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention with all destination ports.

source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention with all source addresses.

type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention for all packet types.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on all cards.

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If you do not specify any parameters, this command clears statistics for all IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network.

Examples

# Clear statistics for IPv4 UDP packets with source IP address 2.2.2.2 and destination port number 1024 dropped by flow-based UDP flood attack prevention on the public network.

<Sysname> reset udp anti-flood flow-based statistics destination-port 1024 source 2.2.2.2

Related commands

display udp anti-flood flow-based entry

udp anti-flood flow-based duration

Use udp anti-flood flow-based duration to set the flow-based UDP flood attack prevention duration.

Use undo udp anti-flood flow-based duration to restore the default.

Syntax

udp anti-flood flow-based duration minutes

undo udp anti-flood flow-based duration

Default

The flow-based UDP flood attack prevention duration is 5 minutes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the flow-based UDP flood attack prevention duration, in minutes. The value range is 1 to 3600.

Usage guidelines

After you enable flow-based UDP flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and drops subsequent UDP packets received during the prevention duration. The device returns to the attack detection state when the duration expires.

Examples

# Set the flow-based UDP flood attack prevention duration to 10 minutes.

<Sysname> system-view

[Sysname] udp anti-flood flow-based duration 10

Related commands

display udp anti-flood flow-based configuration

udp anti-flood flow-based enable

udp anti-flood flow-based check-interval

udp anti-flood flow-based threshold

udp anti-flood flow-based enable

Use udp anti-flood flow-based enable to enable flow-based UDP flood attack prevention.

Use undo udp anti-flood flow-based enable to disable flow-based UDP flood attack prevention.

Syntax

udp anti-flood flow-based enable

undo udp anti-flood flow-based enable

Default

Flow-based UDP flood attack prevention is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The flow-based UDP flood attack prevention feature monitors the UDP packet receiving rate on a per-flow basis. The device uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received UDP packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent UDP packets.

Examples

# Enable flow-based UDP flood attack prevention.

<Sysname> system-view

[Sysname] udp anti-flood flow-based enable

Related commands

display udp anti-flood flow-based configuration

udp anti-flood flow-based check-interval

udp anti-flood flow-based threshold

udp anti-flood flow-based duration

udp anti-flood flow-based threshold

Use udp anti-flood flow-based threshold to set the threshold for triggering flow-based UDP flood attack prevention.

Use undo udp anti-flood flow-based threshold to restore the default.

Syntax

udp anti-flood flow-based threshold threshold-value

undo udp anti-flood flow-based threshold

Default

The threshold is 100 packets per check interval for triggering flow-based UDP flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

threshold-value: Specifies the threshold for triggering flow-based UDP flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of UDP packets that can be received per flow within a check interval.

Usage guidelines

When the number of received UDP packets in a flow within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent UDP packets.

Examples

# Set the threshold to 200 for triggering flow-based UDP flood attack prevention.

<Sysname> system-view

[Sysname] udp anti-flood flow-based threshold 200

Related commands

display udp anti-flood flow-based configuration

udp anti-flood flow-based check-interval

udp anti-flood flow-based enable

udp anti-flood flow-based duration

udp anti-flood log enable

Use udp anti-flood log enable to enable logging for UDP flood attack prevention.

Use undo udp anti-flood log enable to disable logging for UDP flood attack prevention.

Syntax

udp anti-flood log enable

undo udp anti-flood log enable

Default

Logging is disabled for UDP flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This feature generates UDP flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

To avoid the device performance being degraded by excessive UDP flood attack prevention logs, disable this feature as a best practice. Enable this feature only for auditing or troubleshooting.

Examples

# Enable logging for UDP flood attack prevention.

<Sysname> system-view

[Sysname] udp anti-flood log enable

Related commands

udp anti-flood flow-based enable

udp anti-flood interface-based enable

udp anti-flood flow-based check-interval

Use udp anti-flood flow-based check-interval to set the check interval for flow-based UDP flood attack prevention.

Use undo udp anti-flood flow-based check-interval to restore the default.

Syntax

udp anti-flood flow-based check-interval interval

undo udp anti-flood flow-based check-interval

Default

The check interval is 1 second for flow-based UDP flood attack prevention.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the check interval for flow-based UDP flood attack prevention, in seconds. The value range is 1 to 60.

Usage guidelines

The flow-based UDP flood attack prevention feature uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received UDP packets within a check interval reaches or exceeds the threshold, the device enters prevention state and drops subsequent UDP packets.

If attacks occur frequently in your network, set a short check interval so that UDP flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.

If you execute this command multiple times, the most recent configuration takes effect.
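The four flow-based commands (enable, threshold, check-interval, duration) together describe one per-flow state machine: count UDP packets per flow within each check interval, switch the flow to prevention state when the count reaches the threshold, drop subsequent packets for the prevention duration, then return to detection state. The following Python model is an added example, not H3C code, that simulates that state machine on constructed traffic so the interaction of the three timers and the counter can be checked before tuning them on a device. It assumes fixed, consecutive check intervals that start at the first packet of a flow (the page does not say whether the device uses fixed or sliding windows), and that the packet which reaches the threshold is itself received and only subsequent packets are dropped, as the usage guidelines state.

```python
"""Simulation of per-flow UDP flood detection as described by the
udp anti-flood flow-based commands. Added example; not H3C code."""
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Tuple


class FlowKey(NamedTuple):
    """Flow identity used by the feature: source IP, destination port,
    VPN instance and packet type."""
    src_ip: str
    dst_port: int
    vpn_instance: str
    pkt_type: str


@dataclass
class FlowState:
    window_start: float                        # start of the current check interval
    count: int = 0                             # UDP packets counted in this interval
    prevention_until: Optional[float] = None   # None means detection state


@dataclass
class UdpFloodDetector:
    # Defaults mirror the command defaults on this page.
    threshold: int = 100          # udp anti-flood flow-based threshold
    check_interval: float = 1.0   # udp anti-flood flow-based check-interval (seconds)
    duration: float = 300.0       # udp anti-flood flow-based duration (5 minutes)
    log_enabled: bool = False     # udp anti-flood log enable
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)
    logs: List[str] = field(default_factory=list)

    def handle(self, key: FlowKey, ts: float) -> str:
        """Process one UDP packet of flow `key` arriving at time `ts` (seconds).
        Returns "forward" or "drop"."""
        st = self.flows.get(key)
        if st is None:
            st = self.flows[key] = FlowState(window_start=ts)

        # Prevention state: drop everything until the duration expires, then
        # return to detection state with a fresh counter.
        if st.prevention_until is not None:
            if ts < st.prevention_until:
                return "drop"
            st.prevention_until = None
            st.window_start = ts
            st.count = 0

        # Assumption: check intervals are consecutive fixed windows anchored at
        # the flow's first packet; a packet past the window end starts a new one.
        if ts - st.window_start >= self.check_interval:
            st.window_start = ts
            st.count = 0

        st.count += 1
        if st.count >= self.threshold:
            # Threshold reached: enter prevention state. The packet that reaches
            # the threshold was received and counted; subsequent packets are dropped.
            st.prevention_until = ts + self.duration
            if self.log_enabled:
                self.logs.append(
                    f"UDP flood detected: src={key.src_ip} dport={key.dst_port} "
                    f"vpn={key.vpn_instance} type={key.pkt_type} t={ts:.1f}s")
        return "forward"


def simulate(detector: UdpFloodDetector,
             packets: List[Tuple[FlowKey, float]]) -> List[str]:
    """Feed (flow, timestamp) pairs in arrival order and collect the verdicts."""
    return [detector.handle(key, ts) for key, ts in packets]


def demo() -> List[str]:
    """Constructed traffic: flow a bursts past a threshold of 3 packets per
    1-second interval; flow b stays under it across two intervals."""
    det = UdpFloodDetector(threshold=3, check_interval=1.0, duration=10.0,
                           log_enabled=True)
    a = FlowKey("192.0.2.10", 53, "vpn-a", "udp")   # constructed documentation addresses
    b = FlowKey("192.0.2.20", 53, "vpn-a", "udp")
    packets = [
        (a, 0.0), (a, 0.1), (a, 0.2),   # a reaches the threshold on its 3rd packet
        (a, 0.3), (a, 5.0),             # a is in prevention state: dropped
        (b, 0.0), (b, 0.5),             # b: 2 packets in its first interval
        (b, 1.5), (b, 1.6),             # b: new interval, counter restarted
        (a, 10.2),                      # a: duration expired, back to detection
    ]
    return simulate(det, packets)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the counter is kept per flow key, so the threshold bounds each flow individually rather than the aggregate UDP load on the device, and a flow that was dropped for the whole prevention duration starts a new check interval with a zeroed counter when it returns to detection state.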

Examples

# Set the check interval to 30 seconds for flow-based UDP flood attack prevention.

<Sysname> system-view

[Sysname] udp anti-flood flow-based check-interval 30

Related commands

display udp anti-flood flow-based configuration

udp anti-flood flow-based enable

udp anti-flood flow-based duration

udp anti-flood flow-based threshold
