03-Security Command Reference: 20-DDoS protection commands
Contents
anti-ddos out-of-band interface
anti-ddos user-defined attack-type protocol
anti-ddos user-defined attack-type protocol icmp
anti-ddos user-defined attack-type protocol icmpv6
anti-ddos user-defined attack-type protocol tcp
anti-ddos user-defined attack-type protocol udp
bandwidth-detection destination-ip threshold
bandwidth-limit destination-ip type max-rate
display anti-ddos blacklist zone
display anti-ddos filter statistics
display anti-ddos flow-agent statistics
display anti-ddos flow-agent-template
display anti-ddos flow-forward statistics
display anti-ddos source-verify protected ip
display anti-ddos source-verify protected ipv6
display anti-ddos source-verify trusted ip
display anti-ddos source-verify trusted ipv6
display anti-ddos statistics bandwidth-limit destination-ip
display anti-ddos statistics destination-ip
display anti-ddos whitelist zone
display anti-ddos zone configuration
dns-query-flood defense source-verify
dns-query-flood detection threshold
dns-reply-flood defense source-verify
dns-reply-flood detection threshold
fingerprint (fingerprint policy group view)
http-flood defense source-verify
http-flood detection threshold
https-flood detection threshold
icmp-flood detection threshold
icmp-frag-flood detection threshold
reset anti-ddos filter statistics zone
reset anti-ddos flow-agent statistics
reset anti-ddos flow-forward statistics
sip-flood defense source-verify
syn-ack-flood detection threshold
syn-flood defense source-verify
tcp-frag-flood detection threshold
udp-frag-flood detection threshold
user-defined attack-type detection threshold
DDoS protection commands
The following compatibility matrixes show the support of hardware platforms for DDoS protection:
Hardware platform | Module type | DDoS protection compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | No |
M9006 M9010 M9014 | Blade V firewall module | No |
M9006 M9010 M9014 | NAT module | No |
M9006 M9010 M9014 | Application delivery engine (ADE) module | No |
M9006 M9010 M9014 | Anomaly flow cleaner (AFC) module | The module supports anti-DDoS cleaning feature commands. |
M9010-GM | Encryption module | No |
M9016-V | Blade V firewall module | No |
M9008-S M9012-S M9008-S-6GW | Blade IV firewall module | No |
M9008-S M9012-S M9008-S-6GW | Application delivery engine (ADE) module | No |
M9008-S M9012-S M9008-S-6GW | Intrusion prevention service (IPS) module | No |
M9008-S M9012-S M9008-S-6GW | Video network gateway module | No |
M9008-S M9012-S M9008-S-6GW | Anomaly flow cleaner (AFC) module | The module supports anti-DDoS cleaning feature commands. |
M9008-S M9012-S M9008-S-6GW | IPv6 module | The module supports anti-DDoS cleaning feature commands. |
M9008-S-V | Blade IV firewall module | No |
M9000-AI-E8 | Blade V firewall module | No |
M9000-AI-E8 | Application delivery engine (ADE) module | No |
M9000-AI-E16 | Blade V firewall module | No |
ack-flood detection threshold
Use ack-flood detection threshold to enable ACK flood attack detection and set a detection threshold.
Use undo ack-flood detection threshold to disable ACK flood attack detection.
Syntax
ack-flood detection threshold { bit-based value | packet-based value}
undo ack-flood detection threshold
Default
ACK flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ACK packets per destination IP address in this zone. When the sending rate of ACK packets destined for an IP address keeps exceeding the threshold, an ACK flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
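The detection state machine described above, modelled as an added example that is not code from the reference: per-destination ACK rates are compared against the packet-based threshold, the silence threshold is three-fourths of it, and the action on attack start depends on the deployment mode. The reference does not say how long the rate must "keep exceeding" the threshold, so a fixed number of consecutive samples (HOLD_SAMPLES) is assumed; all traffic samples are constructed.

```python
"""Model of per-destination ACK flood detection for one anti-DDoS zone (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: "keeps exceeding the threshold" means this many consecutive
# over-threshold rate samples; the reference does not state the exact window.
HOLD_SAMPLES = 3


@dataclass
class AckFloodDetector:
    threshold_pps: int                                   # 'ack-flood detection threshold packet-based'
    deploy_mode: str = "inline"                          # inline | out-of-path (one-arm)
    state: Dict[str, str] = field(default_factory=dict)  # dst_ip -> detecting | attack
    over: Dict[str, int] = field(default_factory=dict)   # consecutive over-threshold samples
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    @property
    def silence_pps(self) -> float:
        # Silence threshold: three-fourths of the detection threshold.
        return self.threshold_pps * 3 / 4

    def protection_action(self) -> str:
        # One-arm: the detection device alarms the management center, which
        # redirects the traffic to a cleaning device. Inline: cleaned locally.
        if self.deploy_mode == "out-of-path":
            return "alarm-and-redirect"
        return "clean-locally"

    def observe(self, sample: int, dst_ip: str, ack_pps: int) -> str:
        """Feed one ACK rate sample (pps) for dst_ip and return the new state."""
        st = self.state.get(dst_ip, "detecting")
        if st == "detecting":
            if ack_pps > self.threshold_pps:
                self.over[dst_ip] = self.over.get(dst_ip, 0) + 1
            else:
                self.over[dst_ip] = 0
            if self.over[dst_ip] >= HOLD_SAMPLES:
                st = "attack"
                self.events.append((sample, dst_ip, self.protection_action()))
        elif ack_pps < self.silence_pps:
            # Rate dropped below the silence threshold: back to detection state.
            st = "detecting"
            self.over[dst_ip] = 0
            self.events.append((sample, dst_ip, "attack-end"))
        self.state[dst_ip] = st
        return st


def run(threshold_pps: int, deploy_mode: str, samples) -> AckFloodDetector:
    det = AckFloodDetector(threshold_pps, deploy_mode)
    for i, (dst_ip, pps) in enumerate(samples):
        det.observe(i, dst_ip, pps)
    return det


# Constructed ACK rate samples (pps) for two destinations, evaluated against the
# 20 pps threshold used in the reference's own example.
SAMPLES = [
    ("10.1.1.1", 5), ("10.1.1.1", 25), ("10.1.1.1", 30), ("10.1.1.1", 40),
    ("10.1.1.1", 18), ("10.1.1.1", 16), ("10.1.1.1", 14), ("10.1.1.1", 30),
    ("10.1.1.2", 25), ("10.1.1.2", 10), ("10.1.1.2", 25), ("10.1.1.2", 10),
]

if __name__ == "__main__":
    for event in run(20, "out-of-path", SAMPLES).events:
        print(event)
```

Note that 10.1.1.1 stays in attack state while its rate is between 15 and 20 pps and only leaves it once a sample falls below 15 pps; 10.1.1.2 never crosses the threshold on consecutive samples and is never flagged.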
Examples
# Enable ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ack-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
action
Use action to specify an action on packets that match a filter.
Use undo action to restore the default.
Syntax
action { drop | limit { bit-based value | packet-based value } | pass | source-verify }
undo action
Default
The device drops packets that match a filter.
Views
Filter view
Predefined user roles
network-admin
Parameters
drop: Drops the matching packets.
limit: Rate limits the matching packets. The device drops the matching packets that exceed the threshold.
bit-based value: Specifies a bit-based threshold, in Mbps. The value range is 1 to 4294967295.
packet-based value: Specifies a packet-based threshold, in pps. The value range is 1 to 4294967295.
pass: Allows the matching packets to pass through.
source-verify: Performs source verification of the matching packets.
Usage guidelines
The source-verify keyword is applicable only to HTTP filters. If you specify this keyword, the device permits packets that pass source verification and drops packets that fail source verification.
If you execute this command multiple times for one filter, the most recent configuration takes effect.
Examples
# Configure the device to perform source verification on packets matching HTTP filter test.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] action source-verify
Related commands
anti-ddos filter
display anti-ddos filter statistics
anti-ddos apply filter
Use anti-ddos apply filter to apply a filter to an anti-DDoS zone and set a preference for the filter.
Use undo anti-ddos apply filter to remove the application of a filter from the anti-DDoS zone.
Syntax
anti-ddos apply filter filter-name preference preference
undo anti-ddos apply filter filter-name
Default
No filters are applied to an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
filter-name: Specifies a filter name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter. The specified filter must already exist.
preference preference: Sets the filter preference, in the range of 1 to 255. A smaller value indicates a higher priority.
Usage guidelines
The device uses the filters in an anti-DDoS zone to match a packet in the descending order of priority:
1. If the packet matches the filter with the highest priority, the device takes the filter-specific action.
2. If the packet does not match the filter with the highest priority, the device uses filters with lower priorities to match the packet one by one in the descending order. If the packet matches a filter, the device stops the matching process and takes the action specified in this filter.
3. If the packet does not match any filters, the device delivers the packet to the next DDoS protection process.
The preference value of each filter applied to the same anti-DDoS zone must be unique.
You can apply a maximum of 10 filters to an anti-DDoS zone.
Examples
# Apply filter test to anti-DDoS zone 3, and set the filter preference to 10.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] anti-ddos apply filter test preference 10
Related commands
anti-ddos filter
display anti-ddos filter statistics
anti-ddos blacklist
Use anti-ddos blacklist to add a global static anti-DDoS blacklist entry.
Use undo anti-ddos blacklist to delete a global static anti-DDoS blacklist entry.
Syntax
anti-ddos blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo anti-ddos blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No global static anti-DDoS blacklist entries exist.
Views
System view
Predefined user roles
network-admin
Parameters
all: Deletes all global static blacklist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and its mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and its mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
The device drops a packet if the source IP address of the packet is on the global static anti-DDoS blacklist.
IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.
The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.
Examples
# Add subnet 1.1.1.1/24 to the global static anti-DDoS blacklist.
<Sysname> system-view
[Sysname] anti-ddos blacklist ip 1.1.1.1 24
Related commands
anti-ddos whitelist
display anti-ddos blacklist
anti-ddos blacklist timeout
Use anti-ddos blacklist timeout to set an aging time for dynamic blacklist entries.
Use undo anti-ddos blacklist timeout to restore the default.
Syntax
anti-ddos blacklist timeout aging-time
undo anti-ddos blacklist timeout
Default
The aging time is 1 minute for dynamic blacklist entries.
Views
System view
Predefined user roles
network-admin
Parameters
aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
Examples
# Set the aging time to 2 minutes for dynamic blacklist entries.
<Sysname> system-view
[Sysname] anti-ddos blacklist timeout 2
anti-ddos cleaner deploy-mode
Use anti-ddos cleaner deploy-mode to set the deployment mode of the anti-DDoS cleaning device.
Use undo anti-ddos cleaner deploy-mode to restore the default.
Syntax
anti-ddos cleaner deploy-mode { inline | out-of-path }
undo anti-ddos cleaner deploy-mode
Default
The anti-DDoS cleaning device uses the inline deployment mode.
Views
System view
Predefined user roles
network-admin
Parameters
inline: Specifies the inline deployment mode.
out-of-path: Specifies the one-arm deployment mode.
Usage guidelines
This command is available only on anti-DDoS cleaning devices. The configured deployment mode must match how the anti-DDoS cleaning device is actually connected to the network.
The DDoS attack detection features on the anti-DDoS cleaning device take effect in both deployment modes.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the one-arm deployment mode for the anti-DDoS cleaning device.
<Sysname> system-view
[Sysname] anti-ddos cleaner deploy-mode out-of-path
anti-ddos default-zone enable
Use anti-ddos default-zone enable to enable the default anti-DDoS zone.
Use undo anti-ddos default-zone enable to disable the default anti-DDoS zone.
Syntax
anti-ddos default-zone enable
undo anti-ddos default-zone enable
Default
The default anti-DDoS zone is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
If the IP addresses of packets passing through the device do not belong to any non-default anti-DDoS zone, the DDoS protection in the default anti-DDoS zone applies.
The configuration of the default anti-DDoS zone does not take effect if you do not enable the default anti-DDoS zone.
Examples
# Enable the default anti-DDoS zone.
<Sysname> system-view
[Sysname] anti-ddos default-zone enable
Related commands
anti-ddos zone default
anti-ddos detection-mode
Use anti-ddos detection-mode to set the DDoS attack detection mode.
Use undo anti-ddos detection-mode to restore the default.
Syntax
anti-ddos detection-mode { flow | mirror }
undo anti-ddos detection-mode
Default
The device performs DFI-based DDoS attack detection.
Views
System view
Predefined user roles
network-admin
Parameters
flow: Specifies the DFI detection mode. In this mode, the device analyzes NetFlow, NetStream, and sFlow packets to determine whether a DDoS attack occurs.
mirror: Specifies the DPI detection mode. In this mode, the device detects DDoS attacks based on the mirrored packets.
Usage guidelines
CAUTION: The device might fail to identify DDoS attack packets during detection mode switchover.
This command is available only on anti-DDoS detection devices.
Examples
# Specify the DPI-based DDoS attack detection mode.
<Sysname> system-view
[Sysname] anti-ddos detection-mode mirror
anti-ddos filter
Use anti-ddos filter to create a filter and enter its view, or enter the view of an existing filter.
Use undo anti-ddos filter to delete a filter.
Syntax
anti-ddos filter name filter-name [ type { dns | http | icmp | ip | sip | tcp | udp } ]
undo anti-ddos filter name filter-name
Default
No filters exist.
Views
System view
Predefined user roles
network-admin
Parameters
name filter-name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.
type: Specifies a filter type. To enter the view of an existing filter, you do not need to specify its filter type.
dns: Specifies the DNS type.
http: Specifies the HTTP type.
icmp: Specifies the ICMP type.
ip: Specifies the IP type.
sip: Specifies the SIP type.
tcp: Specifies the TCP type.
udp: Specifies the UDP type.
Usage guidelines
A filter allows you to use different packet fields to identify packets. For each field, you can specify multiple rules. A packet matches a field if it matches one of these rules. The device takes the filter action only when the packet matches all the fields specified in the filter.
You can configure a maximum of 1024 filters. The filter name must be unique on the device.
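Filter evaluation for one anti-DDoS zone, as an added example that is not the device's own code. It combines the rules from anti-ddos apply filter (filters tried from the smallest preference value upward, first match wins, unique preferences, at most 10 per zone) with the field matching rules above (a packet matches a field if it matches any one rule of that field, and a filter only if every configured field matches). The packet field names, rules and filters are constructed for illustration.

```python
"""Model of filter ordering and field matching in an anti-DDoS zone (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Rule = Callable[[object], bool]   # one rule for one packet field


@dataclass
class Filter:
    name: str
    ftype: str                                   # dns | http | icmp | ip | sip | tcp | udp
    action: str = "drop"                         # the default filter action is drop
    fields: Dict[str, List[Rule]] = field(default_factory=dict)

    def matches(self, pkt: dict) -> bool:
        # AND across fields, OR across the rules configured for one field.
        return all(any(rule(pkt.get(name)) for rule in rules)
                   for name, rules in self.fields.items())


class AntiDdosZone:
    MAX_APPLIED_FILTERS = 10

    def __init__(self, zone_id: int):
        self.zone_id = zone_id
        self.applied: Dict[int, Filter] = {}     # preference -> filter

    def apply_filter(self, flt: Filter, preference: int) -> None:
        if not 1 <= preference <= 255:
            raise ValueError("preference must be in the range 1 to 255")
        if preference in self.applied:
            raise ValueError(f"preference {preference} already used in zone {self.zone_id}")
        if len(self.applied) >= self.MAX_APPLIED_FILTERS:
            raise ValueError("at most 10 filters can be applied to a zone")
        self.applied[preference] = flt

    def classify(self, pkt: dict) -> Tuple[Optional[str], str]:
        """Return (filter name, action); smaller preference values are tried first."""
        for pref in sorted(self.applied):
            flt = self.applied[pref]
            if flt.matches(pkt):
                return flt.name, flt.action        # first match stops the process
        return None, "next-ddos-process"           # no filter matched


def in_net(cidr: str) -> Rule:
    net = ipaddress.ip_network(cidr)
    return lambda v: v is not None and ipaddress.ip_address(v) in net


def build_zone() -> AntiDdosZone:
    """Constructed zone 3 with an IP filter (preference 5) and an HTTP filter (preference 10)."""
    zone = AntiDdosZone(3)
    bad_net = Filter("bad_net", "ip", "drop", {"src_ip": [in_net("203.0.113.0/24")]})
    http_bots = Filter("http_bots", "http", "source-verify", {
        "uri": [lambda u: u is not None and u.startswith("/login"),
                lambda u: u is not None and u.startswith("/api")],
        "user_agent": [lambda ua: ua is not None and ua.startswith("curl")],
    })
    zone.apply_filter(bad_net, preference=5)
    zone.apply_filter(http_bots, preference=10)
    return zone


if __name__ == "__main__":
    zone = build_zone()
    print(zone.classify({"src_ip": "203.0.113.7", "uri": "/login", "user_agent": "curl/8.0"}))
    print(zone.classify({"src_ip": "198.51.100.3", "uri": "/api/v1", "user_agent": "curl/8.0"}))
```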
Examples
# Create an HTTP filter named test and enter its view.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test]
Related commands
action
display anti-ddos filter statistics
anti-ddos flow-agent
Use anti-ddos flow-agent to specify a flow agent.
Use undo anti-ddos flow-agent to delete the configuration of a flow agent.
Syntax
anti-ddos flow-agent ip ip-address port destination-port flow-type { netflow | netstream | sflow } [ sampling-rate sampling-rate-value ]
undo anti-ddos flow-agent [ ip ip-address port port-value ]
Default
No flow agents are specified.
Views
System view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IP address of a flow agent.
port destination-port: Specifies a destination port number for the traffic statistics packets, in the range of 1025 to 65535.
flow-type: Specifies a packet type.
netflow: Specifies the NetFlow packet type.
netstream: Specifies the NetStream packet type.
sflow: Specifies the sFlow packet type.
sampling-rate sampling-rate-value: Specifies the packet sampling rate, in the range of 1 to 65535. The sampling rate value determines the number of packets out of which a packet is sampled.
Usage guidelines
The DFI-based detection mode is available on anti-DDoS detection devices.
The device determines whether an attack occurs by analyzing traffic statistics of an anti-DDoS zone, which includes traffic analysis based on statistics packets received from flow agents. Typically, a flow agent is a router or switch.
The DFI-based detection mode supports analyzing packets of the following types: NetFlow V5, NetFlow V9, NetStream V5, NetStream V9, and sFlow V5.
A flow agent is uniquely identified by the combination of the IP address and the destination port number. If you specify different packet formats and sampling rates for the same flow agent, the most recent configuration takes effect. A maximum of 16 flow agents are supported.
If sampling rate is contained in the traffic statistics packets, the sampling-rate-value argument setting does not take effect.
If you do not specify an IP address or destination port number in the undo command, the device deletes configurations of all flow agents on the device.
Examples
# Specify a flow agent with IP address 10.10.10.10 and destination port number 1200, and set the packet format to NetFlow, and sampling rate to 1024.
<Sysname> system-view
[Sysname] anti-ddos flow-agent ip 10.10.10.10 port 1200 flow-type netflow sampling-rate 1024
Related commands
display anti-ddos flow-agent statistics
anti-ddos flow-forward ip
Use anti-ddos flow-forward to specify a forwarding destination for flow statistics packets.
Use undo anti-ddos flow-forward to remove the forwarding destination configuration of flow statistics packets.
Syntax
anti-ddos flow-forward { ip ip-address | ipv6 ipv6-address } port port-number
undo anti-ddos flow-forward { ip [ ip-address port port-number ] | ipv6 [ ipv6-address port port-number ] }
Default
No forwarding destination is specified for flow statistics packets.
Views
System view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies a destination IP address for IPv4 flow statistics packets.
ipv6 ipv6-address: Specifies a destination IP address for IPv6 flow statistics packets.
port port-number: Specifies a destination port number for flow statistics packets, in the range of 1 to 65535.
Usage guidelines
This feature enables the device to forward flow statistics packets that are received from flow agents to the specified destination device before analyzing them locally.
The device supports four destination addresses for IPv4 flow statistics packets and four destination addresses for IPv6 flow statistics packets.
If you do not specify an IP address or port number in the undo command, the device deletes all forwarding configurations of IPv4 or IPv6 flow statistics packets.
Examples
# Specify the destination IP address as 10.10.10.10 and the destination port number as 1200 for flow statistics packets.
<Sysname> system-view
[Sysname] anti-ddos flow-forward ip 10.10.10.10 port 1200
# Remove the forwarding configuration of destination IP address 10.10.10.10 and destination port number 1200.
<Sysname> system-view
[Sysname] undo anti-ddos flow-forward ip 10.10.10.10 port 1200
anti-ddos log-local-ip
Use anti-ddos log-local-ip to specify a source IP address for DDoS protection logs.
Use undo anti-ddos log-local-ip to restore the default.
Syntax
anti-ddos log-local-ip { ip ipv4-address | ipv6 ipv6-address }
undo anti-ddos log-local-ip
Default
No source IP address is specified for anti-DDoS logs.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a source IPv4 address for anti-DDoS logs. The IP address must be an IP address on the device.
ipv6 ipv6-address: Specifies a source IPv6 address for anti-DDoS logs. The IP address must be an IP address on the device.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device uses the specified source IP address to report DDoS protection logs to the management center.
Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 192.168.1.2 as the source IP address for anti-DDoS logs.
<Sysname> system-view
[Sysname] anti-ddos log-local-ip ip 192.168.1.2
Related commands
anti-ddos log-server-ip
anti-ddos log-server-ip
Use anti-ddos log-server-ip to specify a log server address.
Use undo anti-ddos log-server-ip to restore the default.
Syntax
anti-ddos log-server-ip { ip ipv4-address | ipv6 ipv6-address } [ port port-number ]
undo anti-ddos log-server-ip
Default
No log server address is specified.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies the IPv4 address of a log server.
ipv6 ipv6-address: Specifies the IPv6 address of a log server.
port port-number: Specifies a destination port number for reported logs. The value range is 1 to 65535, and the default is 10083.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device sends DDoS protection logs to the specified IP address and port number.
Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 192.168.1.1 as the IP address of the log server.
<Sysname> system-view
[Sysname] anti-ddos log-server-ip ip 192.168.1.1
Related commands
anti-ddos log-local-ip
anti-ddos out-of-band interface
Use anti-ddos out-of-band interface to exclude interfaces from DDoS protection.
Use undo anti-ddos out-of-band interface to cancel the configuration.
Syntax
anti-ddos out-of-band interface { interface-type interface-number } &<1-10>
undo anti-ddos out-of-band interface [ interface-type interface-number ]
Default
Only M-GigabitEthernet 1/0/0 is excluded from DDoS protection.
Views
System view
Predefined user roles
network-admin
Parameters
interface-type interface-number &<1-10>: Specifies a list of up to 10 interfaces. The interface-type interface-number arguments specify the interface type and interface number.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can exclude only physical interfaces from DDoS protection.
If you do not specify the interface type or interface number in the undo command, the device removes all excluded interfaces.
Examples
# Exclude GigabitEthernet 1/0/1, GigabitEthernet 1/0/4, and Loopback 1 from DDoS protection.
<Sysname> system-view
[Sysname] anti-ddos out-of-band interface gigabitethernet 1/0/1 gigabitethernet 1/0/4 loopback 1
anti-ddos user-defined attack-type protocol
Use anti-ddos user-defined attack-type protocol to configure a user-defined protocol-specific DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol protocol-number [ packet-length { equal | greater-than | less-than } packet-length ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined protocol-specific DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
protocol-number: Specifies a protocol number in the range of 0 to 255.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can specify a packet length match criterion for a protocol-specific DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an attack type 3 to match VRRP packets with the packet length less than 28 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol 112 packet-length less-than 28
anti-ddos user-defined attack-type protocol icmp
Use anti-ddos user-defined attack-type protocol icmp to configure a user-defined ICMP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol icmp [ packet-length { equal | greater-than | less-than } packet-length ] [ icmp-type icmp-type icmp-code icmp-code ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined ICMP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
icmp-type icmp-type: Specifies an ICMP type, in the range of 0 to 255.
icmp-code icmp-code: Specifies an ICMP code, in the range of 0 to 255.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, ICMP type, and ICMP code as the packet match criteria for an ICMP-based DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an ICMP-based attack type 3 to match ICMP packets with ICMP type 8 and ICMP code 0.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol icmp icmp-type 8 icmp-code 0
anti-ddos user-defined attack-type protocol icmpv6
Use anti-ddos user-defined attack-type protocol icmpv6 to configure a user-defined ICMPv6-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol icmpv6 [ packet-length { equal | greater-than | less-than } packet-length ] [ icmpv6-type icmpv6-type icmpv6-code icmpv6-code ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined ICMPv6-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
icmpv6-type icmpv6-type: Specifies an ICMPv6 type, in the range of 0 to 255.
icmpv6-code icmpv6-code: Specifies an ICMPv6 code, in the range of 0 to 255.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, ICMPv6 type, and ICMPv6 code as the packet match criteria for an ICMPv6-based DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an ICMPv6-based attack type 3 to match ICMPv6 packets that are greater than 65535 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol icmpv6 packet-length greater-than 65535
anti-ddos user-defined attack-type protocol tcp
Use anti-ddos user-defined attack-type protocol tcp to configure a user-defined TCP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol tcp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ] [ tcp-flag flag-value ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined TCP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
port port-num: Specifies a port number in the range of 1 to 65535.
port-type: Specifies the port type.
source: Specifies the source port type.
destination: Specifies the destination port type.
tcp-flag flag-value: Specifies a value of the TCP flags field, in the range of 0 to 63.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, port, and the value of TCP flags field as the packet match criteria for a TCP-based DDoS attack type. If all criteria are specified, a TCP packet is an attack packet only if it matches all criteria.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure a TCP-based attack type 3 to match TCP packets that are greater than 65535 bytes and destined for port 80.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol tcp packet-length greater-than 65535 port 80 port-type destination
anti-ddos user-defined attack-type protocol udp
Use anti-ddos user-defined attack-type protocol udp to configure a user-defined UDP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol udp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined UDP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
port port-num: Specifies a port number in the range of 1 to 65535.
port-type: Specifies the port type.
source: Specifies the source port type.
destination: Specifies the destination port type.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length and port number as the packet match criteria for a UDP-based DDoS attack type. If both criteria are specified, a UDP packet is an attack packet only if it matches both criteria.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure a UDP-based attack type 3 to match UDP packets with a packet length of 48 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol udp packet-length equal 48
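The match semantics shared by the TCP and UDP user-defined attack types, as an added example (this is not code from the command reference): a classifier that applies an optional packet-length criterion (equal, greater-than, less-than), an optional port with a source or destination port-type and, for TCP only, an exact flags value. Every configured criterion must match; an unconfigured criterion is ignored, and configuring an ID again replaces the earlier definition. The attack-type table, the packets and the lowest-ID tie-break are constructed here for illustration.

```python
"""Added example (not code from the command reference): a packet classifier
with the match semantics of `anti-ddos user-defined attack-type id <id>
protocol tcp|udp`. Every configured criterion must match (logical AND); an
unconfigured criterion is ignored. Table and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# TCP flag bits as laid out in the TCP header flags field.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class AttackType:
    type_id: int                      # 1..15, unique per device
    protocol: str                     # "tcp" or "udp"
    length_op: Optional[str] = None   # "equal" | "greater-than" | "less-than"
    length: Optional[int] = None      # 20..65535 bytes
    port: Optional[int] = None        # 1..65535
    port_type: Optional[str] = None   # "source" | "destination"
    tcp_flags: Optional[int] = None   # TCP only: flags field must equal this value

    def __post_init__(self):
        # Reject anything outside the ranges the reference documents.
        if not 1 <= self.type_id <= 15:
            raise ValueError("attack type id must be 1..15")
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        if (self.length_op is None) != (self.length is None):
            raise ValueError("packet-length needs an operator and a value")
        if self.length_op is not None and self.length_op not in ("equal", "greater-than", "less-than"):
            raise ValueError("unknown packet-length operator")
        if self.length is not None and not 20 <= self.length <= 65535:
            raise ValueError("packet-length must be 20..65535")
        if (self.port is None) != (self.port_type is None):
            raise ValueError("port needs a number and a port-type")
        if self.port is not None and not 1 <= self.port <= 65535:
            raise ValueError("port must be 1..65535")
        if self.port_type is not None and self.port_type not in ("source", "destination"):
            raise ValueError("port-type must be source or destination")
        if self.tcp_flags is not None and self.protocol != "tcp":
            raise ValueError("a flags criterion applies to TCP attack types only")


@dataclass(frozen=True)
class Packet:
    protocol: str
    length: int
    src_port: int
    dst_port: int
    tcp_flags: int = 0


def length_matches(op: str, want: int, have: int) -> bool:
    return {"equal": have == want,
            "greater-than": have > want,
            "less-than": have < want}[op]


def matches(at: AttackType, pkt: Packet) -> bool:
    """True only if the packet satisfies every criterion configured on the attack type."""
    if pkt.protocol != at.protocol:
        return False
    if at.length_op is not None and not length_matches(at.length_op, at.length, pkt.length):
        return False
    if at.port is not None:
        have = pkt.src_port if at.port_type == "source" else pkt.dst_port
        if have != at.port:
            return False
    if at.tcp_flags is not None and pkt.tcp_flags != at.tcp_flags:
        return False
    return True


def build_table(*types: AttackType) -> Dict[int, AttackType]:
    """Configuring an ID again replaces the earlier definition, as the reference states."""
    table: Dict[int, AttackType] = {}
    for at in types:
        table[at.type_id] = at
    return table


def classify(table: Dict[int, AttackType], pkt: Packet) -> Optional[int]:
    """Return the lowest attack type ID the packet matches (tie-break chosen by this
    example), or None if it matches none."""
    for type_id in sorted(table):
        if matches(table[type_id], pkt):
            return type_id
    return None


# Constructed table: a TCP type keyed on length and destination port, a UDP type
# keyed on an exact length, and a TCP type keyed on a bare SYN.
TABLE = build_table(
    AttackType(3, "tcp", "greater-than", 1000, 80, "destination"),
    AttackType(5, "udp", "equal", 48),
    AttackType(7, "tcp", tcp_flags=TCP_FLAGS["SYN"]),
)
```

A practitioner can feed decoded packet metadata into `classify` to see which user-defined type a flow would be counted under before committing the configuration to a detection or cleaning device.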
anti-ddos whitelist
Use anti-ddos whitelist to add a global static anti-DDoS whitelist entry.
Use undo anti-ddos whitelist to delete a global static anti-DDoS whitelist entry.
Syntax
anti-ddos whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo anti-ddos whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No global static anti-DDoS whitelist entries exist.
Views
System view
Predefined user roles
network-admin
Parameters
all: Deletes all global static anti-DDoS whitelist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and its mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and its mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
If the source IP address of a packet matches a global static anti-DDoS whitelist entry, the packet bypasses DDoS protection (except rate limiting).
IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be the unspecified address (::/128) or an IPv6 multicast address (FF00::/8).
The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.
Examples
# Add subnet 1.1.1.1/24 to the global static anti-DDoS whitelist.
<Sysname> system-view
[Sysname] anti-ddos whitelist ip 1.1.1.1 24
Related commands
anti-ddos blacklist
display anti-ddos whitelist
anti-ddos whitelist timeout
Use anti-ddos whitelist timeout to set an aging time for dynamic whitelist entries.
Use undo anti-ddos whitelist timeout to restore the default.
Syntax
anti-ddos whitelist timeout aging-time
undo anti-ddos whitelist timeout
Default
The aging time is 10 minutes for dynamic whitelist entries.
Views
System view
Predefined user roles
network-admin
Parameters
aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
The device adds the source IP addresses of packets that pass anti-DDoS source verification to the dynamic whitelist (also known as the trusted IP address list). Packets with source IP addresses on the dynamic whitelist bypass DDoS protection except rate limiting.
In the current software version, the device generates dynamic whitelist entries only based on the anti-DDoS source verification result.
Examples
# Set the aging time to 2 minutes for dynamic whitelist entries.
<Sysname> system-view
[Sysname] anti-ddos whitelist timeout 2
Related commands
display anti-ddos source-verify trusted ip
display anti-ddos source-verify trusted ipv6
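The static blacklist/whitelist constraints and the dynamic whitelist aging described in the two sections above, as an added example (not code from the command reference): a model that enforces mask length 8..32 (IPv4) or 8..128 (IPv6), rejects 0.0.0.0, 255.255.255.255, ::/128 and FF00::/8, refuses overlap between the two static lists, caps the static lists at 1024 entries in total, and ages dynamic entries after the configured 1..1000 minutes. How a cleaning device treats a blacklisted source is not stated in this section, so the lookup only reports which list matched. Entries, sources and timestamps are constructed.

```python
"""Added example (not code from the command reference): global static
anti-DDoS blacklist/whitelist plus the dynamic whitelist (trusted IP list)
whose aging time `anti-ddos whitelist timeout` sets. Entries are constructed."""
import ipaddress
from typing import Callable, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
MAX_STATIC_ENTRIES = 1024          # blacklist and whitelist combined


class StaticListError(ValueError):
    pass


def parse_entry(address: str, mask_length: int) -> Network:
    """Validate one `{ ip | ipv6 } address mask-length` pair and return its prefix."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        if not 8 <= mask_length <= 32:
            raise StaticListError("IPv4 mask length must be 8..32")
        if addr in (ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255")):
            raise StaticListError("0.0.0.0 and 255.255.255.255 are not allowed")
    else:
        if not 8 <= mask_length <= 128:
            raise StaticListError("IPv6 mask length must be 8..128")
        if addr == ipaddress.IPv6Address("::") or addr in ipaddress.IPv6Network("ff00::/8"):
            raise StaticListError("the unspecified and multicast IPv6 addresses are not allowed")
    # strict=False accepts a host address such as 1.1.1.1 24, as the CLI example does.
    return ipaddress.ip_network(f"{addr}/{mask_length}", strict=False)


class AntiDdosLists:
    def __init__(self, dynamic_timeout_minutes: int = 10):   # default aging time: 10 minutes
        if not 1 <= dynamic_timeout_minutes <= 1000:
            raise ValueError("aging time must be 1..1000 minutes")
        self.timeout = dynamic_timeout_minutes
        self.blacklist: List[Network] = []
        self.whitelist: List[Network] = []
        self.dynamic: Dict[Address, float] = {}   # trusted source -> minute it was learned

    def _add(self, target: List[Network], other: List[Network],
             address: str, mask_length: int) -> None:
        net = parse_entry(address, mask_length)
        if any(net.overlaps(o) for o in other if o.version == net.version):
            raise StaticListError(f"{net} overlaps an entry on the other list")
        if net in target:
            return                                  # re-adding an entry is a no-op
        if len(self.blacklist) + len(self.whitelist) >= MAX_STATIC_ENTRIES:
            raise StaticListError("1024 static entries are already configured")
        target.append(net)

    def add_blacklist(self, address: str, mask_length: int) -> None:
        self._add(self.blacklist, self.whitelist, address, mask_length)

    def add_whitelist(self, address: str, mask_length: int) -> None:
        self._add(self.whitelist, self.blacklist, address, mask_length)

    def learn_trusted(self, source: str, now_minutes: float) -> None:
        """Source verification passed: put the source on the dynamic whitelist."""
        self.dynamic[ipaddress.ip_address(source)] = now_minutes

    def lookup(self, source: str, now_minutes: float) -> str:
        """Return 'blacklist', 'whitelist' (static or unexpired dynamic entry: the
        packet bypasses DDoS protection except rate limiting) or 'none'."""
        addr = ipaddress.ip_address(source)
        if any(addr in n for n in self.blacklist):
            return "blacklist"
        if any(addr in n for n in self.whitelist):
            return "whitelist"
        learned = self.dynamic.get(addr)
        if learned is not None:
            if now_minutes - learned < self.timeout:
                return "whitelist"
            del self.dynamic[addr]                  # entry aged out
        return "none"


def rejected(fn: Callable, *args) -> bool:
    """True if a configuration call is refused with StaticListError."""
    try:
        fn(*args)
    except StaticListError:
        return True
    return False
```

Running a planned set of entries through `parse_entry` and `AntiDdosLists` before pasting them into the device catches overlapping blacklist and whitelist prefixes, which the device would also refuse, while the `lookup` method shows which sources a given source-verification result will let through until the aging time expires.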
anti-ddos zone
Use anti-ddos zone to create an anti-DDoS zone and enter its view, or enter the view of an existing anti-DDoS zone.
Use undo anti-ddos zone to delete an anti-DDoS zone.
Syntax
anti-ddos zone { id zone-id | default }
undo anti-ddos zone [ id zone-id ]
Default
Only the default anti-DDoS zone named default exists.
Views
System view
Predefined user roles
network-admin
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device does not take any protection action if no anti-DDoS zone is configured.
The device supports a maximum of 1024 anti-DDoS zones, including the default anti-DDoS zone.
If you do not specify an anti-DDoS zone ID in the undo command, the device deletes all user-defined anti-DDoS zones.
The default anti-DDoS zone exists by default and cannot be deleted.
Examples
# Create an anti-DDoS zone with ID 3 and enter its view.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3]
bandwidth-detection destination-ip threshold
Use bandwidth-detection destination-ip threshold to enable IP traffic attack detection and set a detection threshold.
Use undo bandwidth-detection destination-ip threshold to disable IP traffic attack detection.
Syntax
bandwidth-detection destination-ip threshold threshold-value
undo bandwidth-detection destination-ip threshold
Default
IP traffic attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold in Mbps, in the range of 1 to 4294967295.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable IP traffic attack detection for a zone, the device enters attack detection state and monitors the sending rate of IP packets per destination IP address in this zone. When the sending rate of IP packets destined for an IP address keeps exceeding the threshold, an IP traffic attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the IP attack traffic locally. If IP traffic rate limiting is not enabled, the IP traffic is allowed to pass through. If IP traffic rate limiting is enabled, the device limits the sending rate of IP traffic.
When the sending rate of IP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable IP traffic attack detection for anti-DDoS zone 3 and set the threshold to 20 Mbps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] bandwidth-detection destination-ip threshold 20
Related commands
anti-ddos cleaner deploy-mode
bandwidth-limit destination-ip type max-rate
display anti-ddos zone configuration
bandwidth-limit destination-ip type max-rate
Use bandwidth-limit destination-ip type max-rate to enable IP packet rate limiting and set the maximum rate.
Use undo bandwidth-limit destination-ip type to disable IP packet rate limiting.
Syntax
bandwidth-limit destination-ip type total max-rate value
undo bandwidth-limit destination-ip [ type total ]
Default
IP packet rate limiting is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
total: Specifies the total rate threshold for all IP packets.
value: Sets a maximum rate in Mbps. The value range is 1 to 4294967295.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature monitors the IP packet rate on a per destination IP address basis in an anti-DDoS zone. IP packets that exceed the maximum rate are dropped.
Examples
# In anti-DDoS zone 3, rate limit IP packets to 20 Mbps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] bandwidth-limit destination-ip type total max-rate 20
Related commands
bandwidth-detection destination-ip threshold
display anti-ddos zone configuration
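The detection and rate-limiting behaviour described for the two zone-view commands above, as an added example (not code from the command reference). `IpTrafficDetector` follows the bandwidth-detection description: a destination enters the attack state when its IP rate exceeds the threshold and returns to the detection state only when the rate drops below the silence threshold, three-fourths of the detection threshold. `DestinationRateLimiter` follows the bandwidth-limit description: bytes beyond the maximum rate for a destination are dropped. The token bucket with a one-second burst depth and the single-sample trigger are this example's choices; the reference specifies only the rate and speaks of the rate keeping above the threshold. Traffic and timestamps are constructed.

```python
"""Added example (not code from the command reference): per-destination-IP
attack detection with a silence threshold and per-destination rate limiting,
modelling `bandwidth-detection destination-ip threshold` and
`bandwidth-limit destination-ip type total max-rate` in one zone."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MBPS = 4294967295              # upper bound of both commands' Mbps arguments
SILENCE_RATIO = 0.75               # silence threshold = 3/4 of the detection threshold


class IpTrafficDetector:
    def __init__(self, threshold_mbps: int):
        if not 1 <= threshold_mbps <= MAX_MBPS:
            raise ValueError("threshold must be 1..4294967295 Mbps")
        self.threshold = threshold_mbps
        self.silence = threshold_mbps * SILENCE_RATIO
        self.under_attack: Dict[str, bool] = {}

    def observe(self, dst_ip: str, rate_mbps: float) -> str:
        """Feed one measured rate for a destination; return 'attack' or 'detecting'.
        This model reacts to a single sample (assumption), so feed it rates averaged
        over the detection interval rather than instantaneous values."""
        attacking = self.under_attack.get(dst_ip, False)
        if not attacking and rate_mbps > self.threshold:
            attacking = True                       # detection threshold crossed
        elif attacking and rate_mbps < self.silence:
            attacking = False                      # fell below the silence threshold
        self.under_attack[dst_ip] = attacking
        return "attack" if attacking else "detecting"


class DestinationRateLimiter:
    def __init__(self, max_rate_mbps: int):
        if not 1 <= max_rate_mbps <= MAX_MBPS:
            raise ValueError("max-rate must be 1..4294967295 Mbps")
        self.rate_bytes_per_s = max_rate_mbps * 1_000_000 / 8
        self.burst_bytes = self.rate_bytes_per_s   # one second of traffic (assumption)
        self.buckets: Dict[str, Tuple[float, float]] = {}   # dst -> (tokens, last_seen)

    def admit(self, dst_ip: str, length: int, now: float) -> bool:
        """Token bucket: admit the packet if enough bytes of credit remain."""
        tokens, last = self.buckets.get(dst_ip, (self.burst_bytes, now))
        tokens = min(self.burst_bytes, tokens + (now - last) * self.rate_bytes_per_s)
        if tokens >= length:
            self.buckets[dst_ip] = (tokens - length, now)
            return True
        self.buckets[dst_ip] = (tokens, now)       # over the maximum rate: drop
        return False


@dataclass
class Zone:
    """An anti-DDoS zone on an inline cleaning device. `limiter` is None when
    rate limiting is disabled, in which case all IP traffic passes through."""
    detector: IpTrafficDetector
    limiter: Optional[DestinationRateLimiter] = None

    def process_interval(self, dst_ip: str, rate_mbps: float,
                         packet_lengths: List[int], now: float) -> Tuple[str, int, int]:
        """Return (detection state, packets passed, packets dropped) for one interval."""
        state = self.detector.observe(dst_ip, rate_mbps)
        if self.limiter is None:
            return state, len(packet_lengths), 0
        passed = sum(1 for n in packet_lengths if self.limiter.admit(dst_ip, n, now))
        return state, passed, len(packet_lengths) - passed
```

The hysteresis matters operationally: with a 20 Mbps threshold the device stays in the attack state while the rate hovers between 15 and 20 Mbps, so alarm logs are not toggled on every small fluctuation around the threshold.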
callee
Use callee to create a callee field match rule for SIP packets.
Use undo callee to delete a callee field match rule for SIP packets.
Syntax
callee { equal | include } callee-string
undo callee [ { equal | include } callee-string ]
Default
No callee field match rules exist.
Views
SIP filter view
Predefined user roles
network-admin
Parameters
equal: Specifies to be identical to the specified URI.
include: Specifies to include the specified URI.
callee-string: Specifies the URI of the callee, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the URI of the callee in SIP packets.
A SIP filter supports a maximum of 32 rules for the callee field. A SIP packet matches the callee field if its callee field matches one of these rules.
If you do not specify any parameters, the undo callee command deletes all callee field match rules in the filter.
Examples
# Create a rule for SIP filter test to match SIP packets that contain www.abc.com in the callee field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type sip
[Sysname-anti-ddos-filter-sip-test] callee include www.abc.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
caller
Use caller to create a caller field match rule for SIP packets.
Use undo caller to delete a caller field match rule for SIP packets.
Syntax
caller { equal | include } caller-string
undo caller [ { equal | include } caller-string ]
Default
No caller field match rules exist.
Views
SIP filter view
Predefined user roles
network-admin
Parameters
equal: Specifies to be identical to the specified URI.
include: Specifies to include the specified URI.
caller-string: Specifies the URI of the caller, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the URI of the caller in SIP packets.
A SIP filter supports a maximum of 32 rules for the caller field. A SIP packet matches the caller field if its caller field matches one of these rules.
If you do not specify any parameters, the undo caller command deletes all caller field match rules in the filter.
Examples
# Create a rule for SIP filter test to match SIP packets that contain www.abc.com in the caller field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type sip
[Sysname-anti-ddos-filter-sip-test] caller include www.abc.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
cookie
Use cookie to create a cookie field match rule for HTTP packets.
Use undo cookie to delete a cookie field match rule for HTTP packets.
Syntax
cookie include cookie-string
undo cookie [ include cookie-string ]
Default
No cookie field match rules exist.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified cookie keyword.
cookie-string: Specifies the cookie keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the cookie field in HTTP packets.
An HTTP filter supports a maximum of 32 rules for the cookie field. An HTTP packet matches the cookie field if its cookie field matches one of these rules.
If you do not specify any parameters, the undo cookie command deletes all cookie field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain abc in the cookie field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] cookie include abc
Related commands
anti-ddos filter
display anti-ddos filter statistics
destination-ip
Use destination-ip to create a destination IP address match rule.
Use undo destination-ip to delete a destination IP address match rule.
Syntax
destination-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }
undo destination-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]
Default
No destination IP address match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ip-range: Specifies a destination IPv4 address range.
start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.
end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.
ipv6-range: Specifies a destination IPv6 address range.
start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.
end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.
Usage guidelines
The device uses this rule to match the destination IP addresses of packets.
A filter supports a maximum of 100 rules for the destination IP address field. A packet matches the destination IP address field if its destination IP address matches one of these rules.
The destination IP address ranges in one filter cannot overlap.
If you do not specify any parameters, the undo destination-ip command deletes all destination IP address match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with destination IPv4 addresses in the range of 2.2.2.10 to 2.2.2.20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] destination-ip ip-range 2.2.2.10 2.2.2.20
Related commands
anti-ddos filter
display anti-ddos filter statistics
destination-port
Use destination-port to create a destination port match rule.
Use undo destination-port to delete a destination port match rule.
Syntax
destination-port range start-port end-port
undo destination-port [ range start-port end-port ]
Default
No destination port match rules exist.
Views
TCP filter view
UDP filter view
Predefined user roles
network-admin
Parameters
range: Specifies a destination port range.
start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.
end-port: Specifies an end port number in the range of 1 to 65535.
Usage guidelines
The device uses this rule to match the destination port numbers of packets.
A TCP or UDP filter supports a maximum of 10 rules for the destination port number field. A packet matches the destination port number field if its destination port number matches one of these rules.
The destination port number ranges in one filter cannot overlap.
If you do not specify any parameters, the undo destination-port command deletes all destination port match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with destination port numbers in the range of 10 to 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] destination-port range 10 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
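The rule semantics described for the callee, caller, cookie, destination-ip and destination-port commands above, as one added example (not code from the command reference): a filter-rule engine in which a packet matches a field if any of that field's rules matches, string rules are case-insensitive and 2 to 63 characters, the per-field limits are 32 (callee, caller, cookie), 100 (destination-ip) and 10 (destination-port), IP and port ranges in one filter cannot overlap, and a start value cannot exceed its end. Requiring every configured field to match is this example's assumption; the reference defines only the within-field rule. Filters and packets are constructed.

```python
"""Added example (not code from the command reference): a filter-rule engine
for the callee, caller, cookie, destination-ip and destination-port rules.
Per-field OR comes from the reference; AND across fields is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

RULE_LIMITS = {"callee": 32, "caller": 32, "cookie": 32,
               "destination-ip": 100, "destination-port": 10}


class FilterConfigError(ValueError):
    pass


@dataclass
class StringRule:
    op: str       # "equal" or "include" (cookie supports include only)
    value: str    # 2..63 characters, compared case-insensitively

    def __post_init__(self):
        if self.op not in ("equal", "include"):
            raise FilterConfigError("operator must be equal or include")
        if not 2 <= len(self.value) <= 63:
            raise FilterConfigError("string must be 2..63 characters")

    def matches(self, text: str) -> bool:
        have, want = text.lower(), self.value.lower()
        return have == want if self.op == "equal" else want in have


@dataclass
class Filter:
    name: str
    ftype: str                    # "sip", "http", "tcp", "udp", ...
    string_rules: Dict[str, List[StringRule]] = field(
        default_factory=lambda: {"callee": [], "caller": [], "cookie": []})
    ip_ranges: List[Tuple] = field(default_factory=list)      # (start, end) addresses
    port_ranges: List[Tuple[int, int]] = field(default_factory=list)

    def _check_limit(self, fld: str, rules: list) -> None:
        if len(rules) >= RULE_LIMITS[fld]:
            raise FilterConfigError(f"{fld} already has {RULE_LIMITS[fld]} rules")

    def add_string_rule(self, fld: str, op: str, value: str) -> None:
        if fld == "cookie" and op != "include":
            raise FilterConfigError("cookie rules support include only")
        rules = self.string_rules[fld]
        self._check_limit(fld, rules)
        rules.append(StringRule(op, value))

    def add_destination_ip(self, start: str, end: str) -> None:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s.version != e.version or s > e:
            raise FilterConfigError("start address cannot be higher than end address")
        for os_, oe in self.ip_ranges:
            if os_.version == s.version and s <= oe and os_ <= e:
                raise FilterConfigError("destination IP ranges in one filter cannot overlap")
        self._check_limit("destination-ip", self.ip_ranges)
        self.ip_ranges.append((s, e))

    def add_destination_port(self, start: int, end: int) -> None:
        if not 1 <= start <= end <= 65535:
            raise FilterConfigError("ports are 1..65535 and start cannot exceed end")
        for os_, oe in self.port_ranges:
            if start <= oe and os_ <= end:
                raise FilterConfigError("destination port ranges in one filter cannot overlap")
        self._check_limit("destination-port", self.port_ranges)
        self.port_ranges.append((start, end))

    def matches(self, pkt: dict) -> bool:
        """Unconfigured fields are skipped; each configured field needs one matching rule."""
        for fld, rules in self.string_rules.items():
            if rules:
                text = pkt.get(fld)
                if text is None or not any(r.matches(text) for r in rules):
                    return False
        if self.ip_ranges:
            dst = ipaddress.ip_address(pkt["dst_ip"])
            if not any(s.version == dst.version and s <= dst <= e for s, e in self.ip_ranges):
                return False
        if self.port_ranges and not any(s <= pkt["dst_port"] <= e for s, e in self.port_ranges):
            return False
        return True


def config_refused(fn: Callable, *args) -> bool:
    """True if a configuration call is refused with FilterConfigError."""
    try:
        fn(*args)
    except FilterConfigError:
        return True
    return False


def limit_enforced(fld: str) -> bool:
    """Fill a string-rule field to its limit and confirm the next rule is refused."""
    f = Filter("probe", "sip" if fld in ("callee", "caller") else "http")
    for i in range(RULE_LIMITS[fld]):
        f.add_string_rule(fld, "include", f"rule{i:02d}")
    return config_refused(f.add_string_rule, fld, "include", "one-more")
```

Because `include` is a case-insensitive substring match, a short keyword such as `abc` in a cookie rule matches far more traffic than a full token would; testing candidate rules against captured legitimate requests with `Filter.matches` before assigning the filter an action shows how much benign traffic a rule would catch.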
display anti-ddos blacklist
Use display anti-ddos blacklist to display global static anti-DDoS blacklist entries.
Syntax
display anti-ddos blacklist [ ip source-ip-address | ipv6 source-ipv6-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an IPv4 or IPv6 address, the command displays all IPv4 and IPv6 global static anti-DDoS blacklist entries.
Examples
# Display all global static anti-DDoS blacklist entries.
<Sysname> display anti-ddos blacklist
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.3/32 Black
10.0.0.0/24 Black
8000::/64 Black
# Display the global static anti-DDoS blacklist entry for the specified IPv4 address.
<Sysname> display anti-ddos blacklist ip 10.0.0.3
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
10.0.0.0/24 Black
# Display the global static anti-DDoS blacklist entry for the specified IPv6 address.
<Sysname> display anti-ddos blacklist ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
8000::/64 Black
Table 1 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries. |
Blacklist | Number of IPv4 or IPv6 blacklist entries. |
Whitelist | Number of IPv4 or IPv6 whitelist entries. |
Source-ip/MaskLen | Source IP address and the mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
anti-ddos blacklist
display anti-ddos blacklist zone
Use display anti-ddos blacklist zone to display anti-DDoS zone-based static blacklist entries.
Syntax
display anti-ddos blacklist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static blacklist entries.
If you do not specify the IPv4 or IPv6 address for an anti-DDoS zone-based blacklist entry, the command displays all static blacklist entries for this zone.
Examples
# Display all anti-DDoS zone-based static blacklist entries.
<Sysname> display anti-ddos blacklist zone
Total:4 Blacklist:3 Whitelist:1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
default 3.3.3.3/32 Black
2 10.0.0.0/24 Black
2 8000::/64 Black
# Display the static blacklist entry matching source IP address 10.0.0.3 in anti-DDoS zone 2.
<Sysname> display anti-ddos blacklist zone id 2 ip 10.0.0.3
Total:4 Blacklist:3 Whitelist:1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 10.0.0.0/24 Black
# Display the static blacklist entry matching source IPv6 address 8000::1 in the default anti-DDoS zone.
<Sysname> display anti-ddos blacklist zone default ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
default 8000::/64 Black
Table 2 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone. |
Blacklist | Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone. |
Whitelist | Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone. |
ZoneID | Anti-DDoS zone ID. |
Source-ip/MaskLen | Source IP address and mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
zone-blacklist
display anti-ddos filter statistics
Use display anti-ddos filter statistics to display filter statistics in an anti-DDoS zone.
Syntax
display anti-ddos filter statistics name name anti-ddos-zone { id zone-id | default }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name name: Specifies a filter by its name, a case-insensitive string of 1 to 63 characters. The filter name can contain only letters, digits, and underscores (_), and it must start with a letter.
anti-ddos-zone: Specifies an anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone.
Examples
# Display statistics about filter test in anti-DDoS zone 3.
<Sysname> display anti-ddos filter statistics name test anti-ddos-zone id 3
Type : HTTP
Action : drop
PPS : 100000
Bps : 200000000
Dropped packets : 20750
Dropped bytes : 5
Table 3 Command output
Field | Description |
---|---|
Type | Filter type: IP, TCP, UDP, HTTP, DNS, ICMP, or SIP. |
Action | Action on the matching packets: drop (drops the matching packets), pass (allows the matching packets to pass through), limit (rate limits the matching packets), or source-verify (verifies the source of the matching packets). |
PPS | Sending rate of the matching packets, in pps. |
Bps | Sending rate of the matching packets, in Bps. |
Dropped packets | Number of packets dropped by the filter. |
Dropped bytes | Number of bytes dropped by the filter. |
display anti-ddos flow-agent statistics
Use display anti-ddos flow-agent statistics to display statistics about a flow agent.
Syntax
In standalone mode:
display anti-ddos flow-agent statistics ip ip-address port destination-port [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos flow-agent statistics ip ip-address port destination-port [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IPv4 address of a flow agent.
port destination-port: Specifies a destination port number, in the range of 1025 to 65535.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about a flow agent for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about a flow agent for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display statistics about packets sent to destination port 1200 by a flow agent at IP address 10.10.10.10 on CPU 1 slot 1.
<Sysname> display anti-ddos flow-agent statistics ip 10.10.10.10 port 1200 slot 1 cpu 1
CPU 1 on slot 1:
NetFlow V5 statistics:
Packets: 1000
Records: 1990
DropRecords: 10
NetFlow V9 statistics:
Packets: 1000
Records: 1980
TemplateRecords: 20
DataRecords: 10
DropRecords: 10
Table 4 Command output
Field | Description |
---|---|
Packets | Number of packets received by the anti-DDoS detection device. |
Records | Number of successfully resolved packets. |
DropRecords | Number of packets that failed to be resolved. |
TemplateRecords | Number of successfully resolved NetFlow V9 templates. |
DataRecords | Number of successfully resolved NetFlow V9 packet records. |
DropRecords | Number of dropped NetFlow V9 templates and NetFlow V9 packet records. |
Related commands
anti-ddos flow-agent
display anti-ddos flow-agent-template
Use display anti-ddos flow-agent-template to display template information of a flow agent.
Syntax
In standalone mode:
display anti-ddos flow-agent-template ip ip-address [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos flow-agent-template ip ip-address [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IPv4 address of a flow agent.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays template information of the specified flow agent for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays template information of the specified flow agent for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display template information of the flow agent at 10.10.10.10 on CPU 1 slot 1.
<Sysname> system-view
[Sysname] display anti-ddos flow-agent-template ip 10.10.10.10 slot 1 cpu 1
CPU 1 on slot 1:
Template ID: 256 Source ID: 1936773375
Field information:
Field type Field length (bytes)
Packets 4
Bytes 4
Protocol 1
Template ID: 257 Source ID: 1936773376
Field information:
Field type Field length (bytes)
Packets 4
Bytes 4
Protocol 1
Table 5 Command output
Field | Description |
---|---|
Template ID | ID of the NetFlow template or NetStream V9 template. |
Source ID | Source ID in the NetFlow V9 template. |
Field information | Field information. |
Field type | Field type. |
Field length (bytes) | Field length, in bytes. |
Packets | Number of packets sent by using this template. |
Bytes | Number of bytes sent by using this template. |
Protocol | Layer 4 protocol type. |
display anti-ddos flow-forward statistics
Use display anti-ddos flow-forward statistics to display statistics for the forwarded flow statistics packets.
Syntax
In standalone mode:
display anti-ddos flow-forward statistics [ slot slot-number ]
In IRF mode:
display anti-ddos flow-forward statistics [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays related forwarding statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays related forwarding statistics for all cards. (In IRF mode.)
Examples
# (In standalone mode.) Display statistics for the forwarded flow statistics packets on slot 1.
<Sysname> system-view
[Sysname] display anti-ddos flow-forward statistics slot 1
Slot 1:
Flow IPv4 Statistics information:
IP address port Pkts
192.168.1.1 2048 100
Flow IPv6 Statistics information:
IPv6 address port Pkts
192:168:1::1 2048 100
display anti-ddos source-verify protected ip
Use display anti-ddos source-verify protected ip to display protected IPv4 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ip [ ip-address ] [ count ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv4 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the protected IPv4 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ip
Slot 1:
IP address Port Type Requested Trusted
192.168.11.5 23 Dynamic 353452 555
123.123.123.123 23 Dynamic 4294967295 15151
Slot 2:
IP address Port Type Requested Trusted
192.168.11.6 23 Dynamic 467901 78578
201.55.7.45 23 Dynamic 236829 7237
# (In standalone mode.) Display the number of protected IPv4 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ip count
Slot 1:
Totally 3 protected IP addresses.
Slot 2:
Totally 1 protected IP addresses.
Table 6 Command output
Field | Description |
---|---|
Totally n protected IP addresses. | Total number of protected IPv4 addresses. |
IP address | Protected IPv4 address. |
Port | Destination port number of the connection. |
Type | Type of the protected IPv4 address. Dynamic represents a dynamically learned IP address. |
Requested | Number of packets destined for the protected IPv4 address. |
Trusted | Number of packets that passed the source verification. |
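Reading the Requested and Trusted counters together, as an added example (not code from the command reference): a parser for the protected-address output shown above, with a helper that flags protected addresses where only a small fraction of the packets aimed at them passed source verification. `SAMPLE_OUTPUT` reproduces the reference's example output; the ratio cut-off and the reading of 4294967295 as a saturated 32-bit counter are this example's choices.

```python
"""Added example (not code from the command reference): parse the output of
`display anti-ddos source-verify ... protected ip|ipv6` and flag protected
addresses with a low Trusted/Requested ratio. SAMPLE_OUTPUT is the reference's
example output; the cut-off ratio is chosen by the caller."""
import re
from typing import Dict, List

COUNTER_MAX_32 = 4294967295    # 2^32 - 1

SAMPLE_OUTPUT = """\
Slot 1:
IP address Port Type Requested Trusted
192.168.11.5 23 Dynamic 353452 555
123.123.123.123 23 Dynamic 4294967295 15151
Slot 2:
IP address Port Type Requested Trusted
192.168.11.6 23 Dynamic 467901 78578
201.55.7.45 23 Dynamic 236829 7237
"""

SLOT_RE = re.compile(r"^Slot (\d+):$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_protected(text: str) -> List[Dict]:
    """Return one dict per protected address, tagged with the slot it was listed under."""
    rows: List[Dict] = []
    slot = None
    for line in text.splitlines():
        line = line.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        # Skip blank lines, the column header and the `count` form's summary line.
        if not line or line.startswith(("IP address", "IPv6 address", "Totally")):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        ip, port, typ, requested, trusted = m.groups()
        requested, trusted = int(requested), int(trusted)
        rows.append({
            "slot": slot, "ip": ip, "port": int(port), "type": typ,
            "requested": requested, "trusted": trusted,
            # Fraction of packets to this address that passed source verification.
            "trust_ratio": trusted / requested if requested else 0.0,
            # 2^32 - 1 is read as a saturated 32-bit counter (this example's interpretation).
            "saturated": requested == COUNTER_MAX_32,
        })
    return rows


def low_trust(rows: List[Dict], max_ratio: float) -> List[Dict]:
    """Protected addresses where fewer than max_ratio of the packets passed verification."""
    return [r for r in rows if r["trust_ratio"] < max_ratio]
```

A protected address whose Requested counter is orders of magnitude above Trusted is one where most arriving packets never complete verification, which is the pattern a spoofed-source flood leaves; a saturated Requested counter means the ratio is a lower bound rather than an exact value.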
display anti-ddos source-verify protected ipv6
Use display anti-ddos source-verify protected ipv6 to display protected IPv6 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv6 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the protected IPv6 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ipv6
Slot 1:
IPv6 address Port Type Requested Trusted
192:168:11::5 23 Dynamic 353452 555
123:123:123::123 23 Dynamic 4294967295 15151
Slot 2:
IPv6 address Port Type Requested Trusted
192:168:11::5 23 Dynamic 467901 78578
201:55:7::45 23 Dynamic 236829 7237
# (In standalone mode.) Display the number of protected IPv6 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ipv6 count
Slot 1:
Totally 3 protected IPv6 addresses.
Slot 2:
Totally 1 protected IPv6 addresses.
Table 7 Command output
Field | Description |
---|---|
Totally n protected IPv6 addresses. | Total number of protected IPv6 addresses. |
IPv6 address | Protected IPv6 address. |
Port | Destination port number of the connection. |
Type | Type of the protected IPv6 address. Dynamic represents a dynamically learned IP address. |
Requested | Number of packets destined for the protected IPv6 address. |
Trusted | Number of packets that passed the source verification. |
display anti-ddos source-verify trusted ip
Use display anti-ddos source-verify trusted ip to display trusted IPv4 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ip [ ip-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv4 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the trusted IPv4 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ip
Slot 1:
IP address Age-time (sec)
11.1.1.2 600
123.123.123.123 550
Slot 2:
IP address Age-time (sec)
11.1.1. 200
# (In standalone mode.) Display the number of trusted IPv4 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ip count
Slot 1:
Totally 3 trusted IP addresses.
Slot 2:
Totally 0 trusted IP addresses.
Table 8 Command output
Field |
Description |
Totally n trusted IP addresses |
Total number of trusted IPv4 addresses. |
IP address |
Trusted IPv4 address. |
Age-time(sec) |
Remaining aging time of the trusted IPv4 address, in seconds. |
display anti-ddos source-verify trusted ipv6
Use display anti-ddos source-verify trusted ipv6 to display trusted IPv6 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv6 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the trusted IPv6 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ipv6
Slot 1:
IPv6 address Age-time(sec)
11:1:1::2 600
123:123:123::123 550
Slot 2:
IPv6 address Age-time(sec)
11:1:1::3 200
# (In standalone mode.) Display the number of trusted IPv6 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ipv6 count
Slot 1:
Totally 3 trusted IPv6 addresses.
Slot 2:
Totally 0 trusted IPv6 addresses.
Table 9 Command output
Field |
Description |
Totally n trusted IPv6 addresses |
Total number of trusted IPv6 addresses. |
IPv6 address |
Trusted IPv6 address. |
Age-time(sec) |
Remaining aging time of the trusted IPv6 address, in seconds. |
display anti-ddos statistics
Use display anti-ddos statistics to display DDoS protection statistics.
Syntax
In standalone mode:
display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
destination-ip: Displays statistics on a per destination IP basis.
destination-port: Displays statistics on a per destination port basis.
source-ip: Displays statistics on a per source IP basis.
source-port: Displays statistics on a per source port basis.
ipv4: Specifies the IPv4 address type.
ip-address: Specifies a destination IPv4 address. If you do not specify an IPv4 address, this command displays DDoS protection statistics for all destination IPv4 addresses.
ipv6: Specifies the IPv6 address type.
ipv6-address: Specifies a destination IPv6 address. If you do not specify an IPv6 address, this command displays DDoS protection statistics for all destination IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DDoS protection statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DDoS protection statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is available only on anti-DDoS detection devices.
The anti-DDoS cleaning device supports only the display anti-ddos statistics destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } form of this command.
Examples
# (In standalone mode.) Display DDoS protection statistics on a per source IPv4 basis.
<Sysname> display anti-ddos statistics source-ip ipv4
Slot 1:
Source IP Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 4.4.4.4 - 100 20 100 30
3.3.3.3 4.4.4.4 - 100 20 100 30
Slot 2:
Source IP Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
2.2.2.2 4.4.4.4 - 100 30 100 30
# (In standalone mode.) Display DDoS protection statistics on a per source IPv6 basis.
<Sysname> display anti-ddos statistics source-ip ipv6
Slot 1:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::3 - 100 20 100 30
3::5 - 100 20 100 30
2::6 - 100 30 100 30
Slot 2:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
8::3 ACK 100 20 100 30
# (In standalone mode.) Display DDoS protection statistics on a per source port basis.
<Sysname> display anti-ddos statistics source-port
Slot 1:
Source Port Dest addr Packet type Input(bps) Output(bps) Input(pps) Output(pps)
78 3.3.3.3 - 100 20 100 30
54321 3.3.3.3 - 100 20 100 30
Slot 2:
Source Port Dest addr Packet type Input(bps) Output(bps) Input(pps) Output(pps)
8080 3.3.3.3 - 100 30 100 30
# (In standalone mode.) Display DDoS protection statistics on a per destination IPv4 basis.
<Sysname> display anti-ddos statistics destination-ip ipv4
Slot 1:
Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 UDP 100 20 60 10
3.3.3.3 IP 100 20 60 10
3.3.3.2 ACK 100 20 60 10
3.3.3.2 IP 100 20 60 10
Slot 2:
Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
4.3.2.3 UDP 100 20 60 10
4.3.2.3 IP 100 20 60 10
5.3.2.3 ACK 100 20 60 10
5.3.2.3 IP 100 20 60 10
Table 10 Command output
Field |
Description |
Source IP |
Source IPv4 address. |
Source IPv6 |
Source IPv6 address. |
Source port |
Source port number. |
Dest IP |
Destination IPv4 address. |
Dest IPv6 |
Destination IPv6 address. |
Dest addr |
Destination address. |
Dest port |
Destination port number. |
Packet type |
Packet type: · ACK—ACK packets. · DNS-QUERY—DNS query packets. · DNS-REPLY—DNS reply packets. · ICMP—ICMP packets. · HTTP—HTTP packets. · SYN—SYN packets. · SYN-ACK—SYN-ACK packets. · UDP—UDP packets. · RST—RST packets. · SIP—SIP packets. · IP—IP packets. |
Input(bps) |
Number of input bits per second. |
Output(bps) |
Number of output bits per second. |
Input(pps) |
Number of input packets per second. |
Output(pps) |
Number of output packets per second. |
display anti-ddos statistics bandwidth-limit destination-ip
Use display anti-ddos statistics bandwidth-limit destination-ip to display rate limiting statistics for a destination IP address.
Syntax
In standalone mode:
display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ slot slot-number ]
In IRF mode:
display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4 ipv4-address: Specifies a destination IPv4 address.
ipv6 ipv6-address: Specifies a destination IPv6 address.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In IRF mode.)
Usage guidelines
This command is available only on anti-DDoS cleaning devices. The statistics cover only packet types for which a maximum rate is defined. The output includes the rate threshold and the input and output rates for each protocol packet type destined to the IP address.
The device generates a statistics node for a destination IP address when it receives the first packet destined for this address. If a node has no matching packets within its aging time, the node is deleted after it ages out.
If no statistics node exists for an IP address, no command output is displayed.
Examples
# (In standalone mode.) Display rate limiting statistics for a destination IPv4 address.
<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10
slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 50000 50000 100 100 50
IP 453216 453216 906 906 50
# (In IRF mode.) Display rate limiting statistics for a destination IPv4 address.
<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10
chassis 1 slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
chassis 1 slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 52000 52000 104 104 50
IP 453216 453216 906 906 50
Table 11 Command output
Field |
Description |
Type |
Packet types: · TCP—TCP packets. · UDP—UDP packets. · ICMP—ICMP packets. · TCP-FRAG—TCP fragments. · UDP-FRAG—UDP fragments. · ICMP-FRAG—ICMP fragments. · Other—Other types of packets. · IP—IP packets. |
Input(bps) |
Input rate for a specific type of packets or all IP packets, in bps. |
Input(pps) |
Input rate for a specific type of packets or all IP packets, in pps. |
Output(bps) |
Output rate for a specific type of packets or all IP packets, in bps. |
Output(pps) |
Output rate for a specific type of packets or all IP packets, in pps. |
Threshold(Mbps) |
Rate threshold for a specific type of packets or all IP packets, in Mbps. |
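The bandwidth-limit output above is easier to act on once it is parsed: for each slot and packet type, the difference between Input(pps) and Output(pps) is the rate the limiter is discarding, and Input(bps) can be compared against Threshold(Mbps) after converting units. The following Python is an added example written for this page, not vendor code; it parses the standalone and IRF slot headers shown above and flags the types that are being dropped or that exceed their threshold. The sample text is copied from the page's own example output, and the SLOT_RE header pattern is an assumption based on the two header forms shown ("slot 1:" and "chassis 1 slot 1:").

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample output copied from the page's standalone example above
# (vendor sample data, not a live capture).
SAMPLE_OUTPUT = """\
slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 50000 50000 100 100 50
IP 453216 453216 906 906 50
"""


@dataclass
class RateRow:
    ptype: str
    input_bps: int
    output_bps: int
    input_pps: int
    output_pps: int
    threshold_mbps: int

    @property
    def dropped_pps(self) -> int:
        # Packets per second the limiter discarded: input minus output.
        return self.input_pps - self.output_pps

    @property
    def over_threshold(self) -> bool:
        # Rates are in bps, the threshold column is in Mbps.
        return self.input_bps > self.threshold_mbps * 1_000_000


# Matches both "slot 1:" (standalone) and "chassis 1 slot 2:" (IRF) headers.
SLOT_RE = re.compile(r"^(?:chassis \d+ )?slot \d+:$", re.IGNORECASE)


def parse_bandwidth_limit(text: str) -> dict[str, list[RateRow]]:
    """Parse the per-slot tables into {slot header: [RateRow, ...]}."""
    slots: dict[str, list[RateRow]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SLOT_RE.match(line):
            current = line.rstrip(":")
            slots[current] = []
            continue
        if line.startswith("Type ") or current is None:
            continue  # column header, or text before the first slot
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected row: {line!r}")
        slots[current].append(RateRow(fields[0], *map(int, fields[1:])))
    return slots


def dropping_types(rows: list[RateRow]) -> list[str]:
    """Packet types the limiter is actively discarding on this slot."""
    return [r.ptype for r in rows if r.dropped_pps > 0]


def types_over_threshold(rows: list[RateRow]) -> list[str]:
    """Packet types whose input rate exceeds the configured max-rate."""
    return [r.ptype for r in rows if r.over_threshold]


if __name__ == "__main__":
    for slot, rows in parse_bandwidth_limit(SAMPLE_OUTPUT).items():
        print(slot, "dropping:", dropping_types(rows),
              "over threshold:", types_over_threshold(rows))
```

On the page's sample, only UDP shows a gap between input and output pps on both slots, so that is the type the limiter is trimming; no type exceeds its threshold in that sample.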
display anti-ddos statistics destination-ip
Use display anti-ddos statistics destination-ip to display DDoS protection statistics for IP addresses under attack.
Syntax
In standalone mode:
display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4 ip-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
destination-port: Specifies destination port-based statistics.
source-ip: Specifies source IP-based statistics.
source-port: Specifies source port-based statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv4 address 1.1.1.1.
<Sysname> display anti-ddos statistics destination-ip ipv4 1.1.1.1 source-ip
Slot 1:
Source IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 - 100 20 60 10
3.3.3.3 - 100 20 60 10
Slot 2:
Source IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
1.1.1.2 - 100 20 60 10
2.2.2.3 - 100 20 60 10
# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv6 address 1::1.
<Sysname> display anti-ddos statistics destination-ip ipv6 1::1 source-ip
Slot 1:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::3 - 100 20 60 10
4::4 - 100 20 60 10
Slot 2:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::6 - 100 20 60 10
4::5 - 100 20 60 10
Table 12 Command output
Field |
Description |
Source IP |
Source IPv4 address. |
Source IPv6 |
Source IPv6 address. |
Source port |
Source port number. |
Dest port |
Destination port number. |
Packet type |
Type of received packets. |
Input(bps) |
Number of input bits per second. |
Output(bps) |
Number of output bits per second. |
Input(pps) |
Number of input packets per second. |
Output(pps) |
Number of output packets per second. |
display anti-ddos whitelist
Use display anti-ddos whitelist to display global static anti-DDoS whitelist entries.
Syntax
display anti-ddos whitelist [ ip source-ip-address | ipv6 source-ipv6-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an IPv4 or IPv6 address, the command displays all global static IPv4 and IPv6 anti-DDoS whitelist entries.
Examples
# Display all global static anti-DDoS whitelist entries.
<Sysname> display anti-ddos whitelist
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.4/32 White
# Display the global static anti-DDoS whitelist entry for the specified IPv4 address.
<Sysname> display anti-ddos whitelist ip 3.3.3.4
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.4/32 White
# Display the global static anti-DDoS whitelist entry for the specified IPv6 address.
<Sysname> display anti-ddos whitelist ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 0
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
Table 13 Command output
Field |
Description |
Total |
Total number of IPv4 or IPv6 blacklist and whitelist entries. |
Blacklist |
Number of IPv4 or IPv6 blacklist entries. |
Whitelist |
Number of IPv4 or IPv6 whitelist entries. |
Source-ip/MaskLen |
Source IP address and the mask length. |
Black/White |
Entry type, blacklist or whitelist. |
Related commands
anti-ddos whitelist
display anti-ddos whitelist zone
Use display anti-ddos whitelist zone to display anti-DDoS zone-based static whitelist entries.
Syntax
display anti-ddos whitelist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static whitelist entries.
If you do not specify the IPv4 or IPv6 address for an anti-DDoS zone-based whitelist entry, the command displays all static whitelist entries for this zone.
Examples
# Display all anti-DDoS zone-based static whitelist entries.
<Sysname> display anti-ddos whitelist zone
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 3.3.3.4/32 White
# Display the static whitelist entry matching source IP address 3.3.3.4 in anti-DDoS zone 2.
<Sysname> display anti-ddos whitelist zone id 2 ip 3.3.3.4
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 3.3.3.4/32 White
# Display the static whitelist entry matching source IPv6 address 8000::1 in anti-DDoS zone 2.
<Sysname> display anti-ddos whitelist zone id 2 ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 8000::/64 White
Table 14 Command output
Field |
Description |
Total |
Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone. |
Blacklist |
Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone. |
Whitelist |
Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone. |
ZoneID |
Anti-DDoS zone ID. |
Source-ip/MaskLen |
Source IP address and mask length. |
Black/White |
Entry type, blacklist or whitelist. |
Related commands
zone-whitelist
display anti-ddos zone configuration
Use display anti-ddos zone configuration to display anti-DDoS zone configuration.
Syntax
display anti-ddos zone configuration [ default | id zone-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
If you do not specify the default keyword or the id zone-id option, this command displays brief configuration information about all anti-DDoS zones.
Examples
# Display the configuration of anti-DDoS zone 2.
<Sysname> display anti-ddos zone configuration id 2
Anti-DDoS zone configuration information
Zone ID : 2
Zone name : abc
IP range configuration:
Start IP End IP
1.1.1.1 1.1.1.100
2.2.2.2 2.2.2.10
Filter configuration:
Name Type Preference
IPFilter IP 10
UdpFilter UDP 20
Flood detection configuration:
Flood type Thres(pps/Mbps)
DNS query 1000 pps
DNS reply 1000 pps
HTTP 1000 Mbps
SYN 1000 pps
ACK 1000 Mbps
SYN-ACK 1000 pps
RST 1000 pps
UDP 1000 Mbps
ICMP 1000 Mbps
SIP 1000 Mbps
Source verification configuration:
Type Status
TCP Enabled
HTTP Enabled
DNS query Enabled
DNS reply Enabled
SIP Enabled
Bandwidth configuration:
bandwidth-detection destination-ip threshold: 20
bandwidth-limit destination-ip max-rate: 10
Fingerprint configuration:
Type GroupID
IPv4 10
Threshold Learning: Enabled
Black/White list:
Type IP MaskLength
Black 2.2.2.0 24
White 192.168.13.0 24
Table 15 Command output
Field |
Description |
Anti-DDoS zone configuration information |
Configuration of the anti-DDoS zone. |
Zone name |
Name of the anti-DDoS zone. |
Zone ID |
ID of the anti-DDoS zone. |
IP range configuration |
IP address ranges in the anti-DDoS zone. |
Start IP |
Start IP address. |
End IP |
End IP address. |
Flood detection configuration |
Configuration of flood attack protection. |
Flood type |
Flood attack type: · ACK—ACK flood attack type. · DNS query—DNS query flood attack type. · DNS reply—DNS reply flood attack type. · ICMP—ICMP flood attack type. · SYN—SYN flood attack type. · SYN-ACK—SYN-ACK flood attack type. · UDP—UDP flood attack type. · RST—RST flood attack type. · HTTP—HTTP flood attack type. · SIP—SIP flood attack type. |
Thres(pps/Mbps) |
Flood attack detection threshold, in pps or Mbps. |
Source verification configuration |
Configuration of source verification. |
Type |
Source verification type: · DNS query—DNS query source verification. · DNS reply—DNS reply source verification. · TCP—TCP SYN source verification. · HTTP—HTTP source verification. · SIP—SIP source verification. |
Status |
Status of source verification: · Enabled. · Disabled. |
Bandwidth configuration |
Bandwidth threshold setting. |
Bandwidth-detection destination-ip threshold |
IP traffic attack detection threshold. |
Bandwidth-limit destination-ip max-rate |
Maximum bandwidth for IP traffic. |
Fingerprint configuration |
Fingerprint protection configuration. |
Type |
Type of the fingerprint policy group: · IPv4. · IPv6. |
GroupID |
ID of the fingerprint policy group. |
# Display brief configuration information about all anti-DDoS zones.
<Sysname> display anti-ddos zone configuration
Anti-ddos Zone Brief information
Zone ID Zone Name
2 abc
100 p1
10 p12
Table 16 Command output
Field |
Description |
Zone ID |
ID of the anti-DDoS zone. |
Zone Name |
Name of the anti-DDoS zone. |
dns-query-flood defense source-verify
Use dns-query-flood defense source-verify to enable DNS query source verification.
Use undo dns-query-flood defense source-verify to disable DNS query source verification.
Syntax
dns-query-flood defense source-verify
undo dns-query-flood defense source-verify
Default
DNS query source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects internal DNS servers against DNS query flood attacks initiated by external illegitimate clients. After receiving a DNS query destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies the source IP address of the query.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS queries from this IP address to pass through.
· If the source IP address fails verification, the device drops the DNS query and subsequent queries from this IP address.
Examples
# Enable DNS query source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-query-flood defense source-verify
Related commands
display anti-ddos zone configuration
dns-query-flood detection threshold
Use dns-query-flood detection threshold to enable DNS query flood attack detection and set a detection threshold.
Use undo dns-query-flood detection threshold to disable DNS query flood attack detection.
Syntax
dns-query-flood detection threshold { bit-based value | packet-based value }
undo dns-query-flood detection threshold
Default
DNS query flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable DNS query flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of DNS queries per destination IP address in this zone. When the sending rate of DNS queries destined for an IP address keeps exceeding the threshold, a DNS query flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of DNS queries destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable DNS query flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-query-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
dns-reply-flood defense source-verify
Use dns-reply-flood defense source-verify to enable DNS reply source verification.
Use undo dns-reply-flood defense source-verify to disable DNS reply source verification.
Syntax
dns-reply-flood defense source-verify
undo dns-reply-flood defense source-verify
Default
DNS reply source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects DNS clients against DNS reply flood attacks. After receiving a DNS reply destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS replies from this IP address to pass through.
· If the source IP address fails verification, the device drops the DNS reply.
Examples
# Enable DNS reply source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-reply-flood defense source-verify
Related commands
display anti-ddos zone configuration
dns-reply-flood detection threshold
Use dns-reply-flood detection threshold to enable DNS reply flood attack detection and set a detection threshold.
Use undo dns-reply-flood detection threshold to disable DNS reply flood attack detection.
Syntax
dns-reply-flood detection threshold { bit-based value | packet-based value }
undo dns-reply-flood detection threshold
Default
DNS reply flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable DNS reply flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of DNS replies per destination IP address in this zone. When the sending rate of DNS replies destined for an IP address keeps exceeding the threshold, a DNS reply attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of DNS replies destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
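The detection threshold and the silence threshold together form a hysteresis band: once an attack is declared, a rate that falls below the detection threshold but stays at or above three-fourths of it does not clear the attack state. The following Python is an added example written for this page, not vendor code; it models that state machine as described for both the dns-query-flood and dns-reply-flood detection thresholds (the two commands describe identical behavior). The page does not say how many intervals "keeps exceeding the threshold" means, so the consecutive parameter is an assumption, as is the one-second sampling interval implied by the constructed rate series; the threshold value is in pps for a packet-based threshold and Mbps for a bit-based one.

```python
from __future__ import annotations

from dataclasses import dataclass

DETECTING = "detecting"
ATTACK = "attack"


@dataclass
class FloodDetector:
    """Per-destination flood detector with the silence-threshold hysteresis.

    threshold: detection threshold in the configured unit (pps for a
        packet-based threshold, Mbps for a bit-based one).
    consecutive: successive over-threshold intervals needed before the
        rate counts as "keeps exceeding" (assumption; the page gives no number).
    """
    threshold: float
    consecutive: int = 3
    state: str = DETECTING
    _over: int = 0

    @property
    def silence_threshold(self) -> float:
        # Three-fourths of the detection threshold, as the page states.
        return self.threshold * 3 / 4

    def observe(self, rate: float) -> str:
        """Feed one interval's rate and return the resulting state."""
        if self.state == DETECTING:
            if rate > self.threshold:
                self._over += 1
                if self._over >= self.consecutive:
                    self.state = ATTACK
            else:
                self._over = 0
        elif rate < self.silence_threshold:
            # Only a drop below the silence threshold ends the attack state;
            # a rate between 3/4 x threshold and 1 x threshold keeps it.
            self.state = DETECTING
            self._over = 0
        return self.state


def run_detector(threshold: float, rates: list[float], consecutive: int = 3) -> list[str]:
    """Return the detector state after each observed interval."""
    det = FloodDetector(threshold, consecutive)
    return [det.observe(r) for r in rates]


def transitions(states: list[str]) -> list[tuple[int, str]]:
    """(interval index, new state) for each change, starting from DETECTING."""
    out, prev = [], DETECTING
    for i, s in enumerate(states):
        if s != prev:
            out.append((i, s))
            prev = s
    return out


# Constructed per-second DNS query rates toward one destination IP
# (illustrative values, not data from the page). Threshold is 20 pps, so
# the silence threshold is 15 pps; the 16 pps sample sits inside the band.
SAMPLE_RATES = [10, 25, 30, 22, 16, 14, 21]

if __name__ == "__main__":
    states = run_detector(20, SAMPLE_RATES)
    print(transitions(states))
```

With a 20 pps threshold the attack state is entered at the fourth sample and is held through the 16 pps sample, which is below the detection threshold but not below the 15 pps silence threshold; only the 14 pps sample returns the detector to the detection state.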
Examples
# Enable DNS reply flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-reply-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
domain
Use domain to create a domain name field match rule for DNS packets.
Use undo domain to delete a domain name field match rule for DNS packets.
Syntax
domain { equal | include } domain-string
undo domain [ { equal | include } domain-string ]
Default
No domain name field match rules exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
equal: Matches packets whose domain name is identical to the specified domain name keyword.
include: Matches packets whose domain name contains the specified domain name keyword.
domain-string: Specifies the domain name keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the domain name keyword of DNS packets.
A DNS filter supports a maximum of 32 rules for the domain name field. A packet matches the domain name field if its domain name matches one of these rules.
If you do not specify any parameters, the undo domain command deletes all domain name field match rules in the filter.
Examples
# Create a rule for DNS filter test to match packets that contain www.abc.com in the domain name field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] domain include www.abc.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
dscp
Use dscp to create a DSCP match rule.
Use undo dscp to delete a DSCP match rule.
Syntax
dscp dscp
undo dscp [ dscp ]
Default
No DSCP match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
dscp: Specifies a DSCP value in the range of 0 to 63.
Usage guidelines
The device uses this rule to match the DSCP value in packets.
A filter supports a maximum of 10 rules for the DSCP field. A packet matches the DSCP field if its DSCP value matches one of these rules.
If you do not specify a DSCP value, the undo dscp command deletes all DSCP match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with DSCP value 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] dscp 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
fingerprint (filter view)
Use fingerprint to create a fingerprint match rule.
Use undo fingerprint to delete a fingerprint match rule.
Syntax
fingerprint id { offset offset-value content content [ depth depth-value ] } &<1-4>
undo fingerprint [ id ]
Default
No fingerprint match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
id: Specifies a fingerprint ID in the range of 0 to 31.
offset offset-value: Specifies an offset value in bytes after which the match operation starts. The value range is 0 to 1500.
content content: Specifies the fingerprint content. The fingerprint content is 4 to 16 bytes long, and each byte includes two hexadecimal characters.
depth depth-value: Specifies the number of bytes to match. This depth value defines a range for the device to search for the specified fingerprint content. The value range is 1 to 1500.
&<1-4>: Specifies a list of up to four fingerprint segments. Each fingerprint segment contains the fingerprint offset, content, and depth.
Usage guidelines
The device uses this rule to match the fingerprint content in the specified byte range of packets.
A filter supports a maximum of 10 fingerprint match rules. Each rule supports a maximum of four fingerprint segments. The device supports a maximum of 512 fingerprint segments.
For each fingerprint segment, the device searches for the specified fingerprint content starting from offset byte in the packet header.
· If the depth-value argument is specified, the search range is determined by the depth value.
· If the depth-value argument is not specified, the search range is the same as the length of the specified fingerprint content.
If you configure multiple fingerprint segments for a fingerprint match rule, a packet matches this rule only if the packet matches all these fingerprint segments.
If you do not specify a fingerprint ID, the undo fingerprint command deletes all fingerprint match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that have fingerprint aabbccdd immediately after the 10th byte and have fingerprint 22334455 within the 10 bytes after the 20th byte.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] fingerprint 20 offset 10 content aabbccdd offset 20 content 22334455 depth 10
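The match semantics above (search starts at the offset, the window is the depth or, without a depth, exactly the content length, and a rule with several segments requires every segment to match), as an added Python model that is not code from the product documented here; the packet bytes are constructed, and the assumption that the content must lie entirely inside the search window is labelled in the code.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class Segment:
    """One fingerprint segment of a filter-view fingerprint rule."""
    offset: int                  # bytes skipped before the search starts (0-1500)
    content: str                 # 4 to 16 bytes, two hex characters per byte
    depth: Optional[int] = None  # search window in bytes (1-1500); None = content length

    def pattern(self) -> bytes:
        return bytes.fromhex(self.content)

    def window(self) -> int:
        # Without depth the window equals the content length, so the content
        # must sit exactly at the offset.
        return self.depth if self.depth is not None else len(self.pattern())


def validate_segment(seg: Segment) -> None:
    """Enforce the value ranges the command reference gives for a segment."""
    pat = seg.pattern()          # raises ValueError on odd-length or non-hex text
    if not 0 <= seg.offset <= 1500:
        raise ValueError("offset must be 0..1500")
    if not 4 <= len(pat) <= 16:
        raise ValueError("content must be 4..16 bytes")
    if seg.depth is not None and not 1 <= seg.depth <= 1500:
        raise ValueError("depth must be 1..1500")


def segment_matches(packet: bytes, seg: Segment) -> bool:
    """True if the content occurs inside packet[offset : offset + window].

    ASSUMPTION: the content has to fit entirely inside the window; a pattern
    that starts inside the window but runs past its end does not match.
    """
    validate_segment(seg)
    region = packet[seg.offset: seg.offset + seg.window()]
    return seg.pattern() in region


def rule_matches(packet: bytes, segments: List[Segment]) -> bool:
    """A rule with several segments matches only if all its segments match."""
    if not 1 <= len(segments) <= 4:
        raise ValueError("a fingerprint rule holds 1..4 segments")
    return all(segment_matches(packet, s) for s in segments)


# The rule from the example above: fingerprint 20 offset 10 content aabbccdd
# offset 20 content 22334455 depth 10.
PAGE_EXAMPLE_RULE = [
    Segment(offset=10, content="aabbccdd"),
    Segment(offset=20, content="22334455", depth=10),
]

# Constructed sample packet: aabbccdd at bytes 10-13, 22334455 at bytes 23-26.
SAMPLE_PACKET = (
    bytes(10)
    + bytes.fromhex("aabbccdd")
    + bytes(6)
    + bytes(3)
    + bytes.fromhex("22334455")
    + bytes(10)
)


if __name__ == "__main__":
    print("page example rule matches:", rule_matches(SAMPLE_PACKET, PAGE_EXAMPLE_RULE))
    # Without depth the second segment only looks at bytes 20-23 and misses.
    print("no depth:", segment_matches(SAMPLE_PACKET, Segment(20, "22334455")))
```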
Related commands
anti-ddos filter
display anti-ddos filter statistics
fingerprint (fingerprint policy group view)
Use fingerprint to create a fingerprint policy.
Use undo fingerprint to delete a fingerprint policy.
Syntax
fingerprint policy-id protocol { icmp | other | tcp | udp } { offset offset-value length length-value [ content content ] } &<1-3> threshold threshold-value action { bandwidth-limit | drop | watch }
undo fingerprint policy-id
Default
No fingerprint policies exist.
Views
Fingerprint policy group view
Predefined user roles
network-admin
Parameters
policy-id: Specifies the ID of a fingerprint policy, in the range of 0 to 31.
protocol { icmp | other | tcp | udp }: Specifies a protocol type, which can be ICMP, TCP, UDP, or Other.
offset offset-value: Specifies the fingerprint offset, in the range of 0 to 254.
length length-value: Specifies the fingerprint length in bytes. The value range is 1 to 4.
content content: Specifies the fingerprint content. The fingerprint content is 1 to 4 bytes long with each byte including two hexadecimal characters.
&<1-3>: Specifies a list of up to three fingerprint segments. Each fingerprint segment contains the fingerprint offset, length, and content.
threshold threshold-value: Specifies a threshold in pps. The value range is 1 to 10000000.
action: Specifies an action on matching packets that exceed the threshold.
bandwidth-limit: Rate limits matching packets and drops packets that exceed the threshold.
drop: Drops matching packets that exceed the threshold.
watch: Takes no action on matching packets that exceed the threshold.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
A fingerprint policy contains a packet match criterion, a threshold, and a protection action to take when the sending rate of the matching packets exceeds the threshold.
If a fingerprint policy contains multiple fingerprint segments, a packet matches the policy only when the packet matches all segments.
The device always sends logs upon threshold violations no matter which protection action is specified.
A fingerprint does not support matching IP options or IPv6 extension headers.
A fingerprint policy group supports a maximum of 32 fingerprint policies. You can configure a maximum of eight fingerprint policies for each type (ICMP, TCP, UDP, and Other).
The content of each segment in a fingerprint policy must be unique.
Examples
# Add fingerprint policy 5 to IPv4 fingerprint policy group 10, configure the fingerprint signature, set the threshold to 2000 pps, and specify watch as the protection action.
<Sysname> system-view
[Sysname] fingerprint-group ip 10
[Sysname-fingerprint-group-ip-10] fingerprint 5 protocol tcp offset 40 length 4 content 01ab3f0c threshold 2000 action watch
Related commands
bandwidth-limit destination-ip max-rate
fingerprint-group
Use fingerprint-group to create a fingerprint policy group and enter its view, or enter the view of an existing fingerprint policy group.
Use undo fingerprint-group to delete a fingerprint policy group.
Syntax
fingerprint-group { ip | ipv6 } group-id
undo fingerprint-group { ip | ipv6 } group-id
Default
No fingerprint policy groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 fingerprint policy group.
ipv6: Specifies the IPv6 fingerprint policy group.
group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
The device supports a maximum of 64 fingerprint policy groups, including 32 IPv4 fingerprint policy groups and 32 IPv6 fingerprint policy groups.
Examples
# Create IPv4 fingerprint policy group 10 and enter its view.
<Sysname> system-view
[Sysname] fingerprint-group ip 10
[Sysname-fingerprint-group-ip-10]
Related commands
fingerprint
fingerprint-group { ip | ipv6 }
display anti-ddos zone configuration
fingerprint-group apply
Use fingerprint-group apply to apply a fingerprint policy group to an anti-DDoS zone.
Use undo fingerprint-group apply to remove the application of a fingerprint policy group.
Syntax
fingerprint-group apply { ip | ipv6 } group-id
undo fingerprint-group apply { ip | ipv6 }
Default
No fingerprint policy group is applied to an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 fingerprint policy group.
ipv6: Specifies the IPv6 fingerprint policy group.
group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
You can apply one IPv4 fingerprint policy group and one IPv6 fingerprint policy group to an anti-DDoS zone.
Examples
# Apply fingerprint policy group 10 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-ddos-zone-3] fingerprint-group apply ip 10
Related commands
fingerprint-group { ip | ipv6 }
fragment
Use fragment to create a fragment match rule.
Use undo fragment to delete a fragment match rule.
Syntax
fragment { donot | first | last | middle | non }
undo fragment [ donot | first | last | middle | non ]
Default
No fragment match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
donot: Specifies packets where the DF bit is 1 in the IP header. Fragmentation of those packets is not allowed.
first: Specifies first fragments where the offset value is 0 and MF bit is 1 in the IP header.
last: Specifies last fragments where the offset value is not 0 and the MF bit is 0 in the IP header.
middle: Specifies middle fragments where the offset value is not 0 and MF bit is 1 in the IP header.
non: Specifies non-fragments where the offset value is 0 and MF bit is 0 in the IP header.
Usage guidelines
The device uses this rule to match packets or fragments.
A filter supports a maximum of five fragment match rules.
If you do not specify any keyword, the undo fragment command deletes all fragment match rules in the filter.
Examples
# Create a rule for HTTP filter test to match non-fragments.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] fragment non
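How the five fragment keywords above map onto the DF bit, MF bit and fragment offset of an IPv4 header, as an added Python example that is not code from the product documented here. The headers are constructed; note that donot is independent of the other four, so a non-fragment with DF set matches both non and donot.

```python
from __future__ import annotations
import struct
from typing import Iterable, Set

DF_FLAG = 0x4000      # Don't Fragment bit in the flags/offset halfword
MF_FLAG = 0x2000      # More Fragments bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def fragment_categories(ipv4_header: bytes) -> Set[str]:
    """Return every fragment keyword the packet would match.

    Bytes 6-7 of the IPv4 header carry the flags (3 bits) and the
    fragment offset (13 bits).
    """
    if len(ipv4_header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    flags_frag = struct.unpack("!H", ipv4_header[6:8])[0]
    df = bool(flags_frag & DF_FLAG)
    mf = bool(flags_frag & MF_FLAG)
    offset = flags_frag & OFFSET_MASK

    cats: Set[str] = set()
    if df:
        cats.add("donot")          # fragmentation of this packet is not allowed
    if offset == 0 and mf:
        cats.add("first")          # first fragment
    elif offset != 0 and not mf:
        cats.add("last")           # last fragment
    elif offset != 0 and mf:
        cats.add("middle")         # middle fragment
    else:
        cats.add("non")            # offset 0 and MF 0: not a fragment
    return cats


def fragment_rule_matches(ipv4_header: bytes, keywords: Iterable[str]) -> bool:
    """A packet matches the fragment field if it fits any configured keyword."""
    allowed = {"donot", "first", "last", "middle", "non"}
    wanted = set(keywords)
    if not wanted or not wanted <= allowed:
        raise ValueError("keywords must be one or more of " + ", ".join(sorted(allowed)))
    return bool(fragment_categories(ipv4_header) & wanted)


def make_header(df: bool, mf: bool, offset_units: int) -> bytes:
    """Build a minimal constructed 20-byte IPv4 header (UDP, zero addresses)."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0x1234, flags_frag, 64, 17, 0, bytes(4), bytes(4))


if __name__ == "__main__":
    for name, hdr in [("plain", make_header(False, False, 0)),
                      ("plain+DF", make_header(True, False, 0)),
                      ("first", make_header(False, True, 0)),
                      ("middle", make_header(False, True, 5)),
                      ("last", make_header(False, False, 5))]:
        print(name, sorted(fragment_categories(hdr)))
```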
Related commands
anti-ddos filter
display anti-ddos filter statistics
host
Use host to create a host field match rule for HTTP packets.
Use undo host to delete a host field match rule for HTTP packets.
Syntax
host include host-name
undo host [ include host-name ]
Default
No host field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified host keyword.
host-name: Specifies the host keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the host field in HTTP packets.
An HTTP filter supports a maximum of 32 rules for the host field. A packet matches the host field if its host field matches one of these rules.
If you do not specify any parameters, the undo host command deletes all host field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that contain www.abc.com in the host field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] host include www.abc.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
http-flood defense source-verify
Use http-flood defense source-verify to enable HTTP source verification.
Use undo http-flood defense source-verify to disable HTTP source verification.
Syntax
http-flood defense source-verify
undo http-flood defense source-verify
Default
HTTP source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal HTTP server against HTTP flood attacks initiated by external illegitimate clients. After receiving an HTTP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
The device verifies the source IP address of the HTTP GET request destined for an IP address in this zone.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent HTTP GET requests from this IP address to pass through.
· If the source IP address fails verification, the device drops the HTTP GET request.
Examples
# Enable HTTP source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] http-flood defense source-verify
Related commands
display anti-ddos zone configuration
http-flood detection threshold
Use http-flood detection threshold to enable HTTP flood attack detection and set a detection threshold.
Use undo http-flood detection threshold to disable HTTP flood attack detection.
Syntax
http-flood detection threshold { bit-based value | packet-based value }
undo http-flood detection threshold
Default
HTTP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable HTTP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTP packets per destination IP address in this zone. When the sending rate of HTTP packets destined for an IP address keeps exceeding the threshold, an HTTP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of HTTP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable HTTP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] http-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
https-flood detection threshold
Use https-flood detection threshold to enable HTTPS flood attack detection and set a detection threshold.
Use undo https-flood detection threshold to disable HTTPS flood attack detection.
Syntax
https-flood detection threshold { bit-based | packet-based } value
undo https-flood detection threshold
Default
HTTPS flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable HTTPS flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTPS packets per destination IP address in this zone. When the sending rate of HTTPS packets destined for an IP address keeps exceeding the threshold, an HTTPS flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of HTTPS packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable HTTPS flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] https-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
icmp-flood detection threshold
Use icmp-flood detection threshold to enable ICMP flood attack detection and set a detection threshold.
Use undo icmp-flood detection threshold to disable ICMP flood attack detection.
Syntax
icmp-flood detection threshold { bit-based value | packet-based value }
undo icmp-flood detection threshold
Default
ICMP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ICMP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP packets per destination IP address in this zone. When the sending rate of ICMP packets destined for an IP address keeps exceeding the threshold, an ICMP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ICMP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable ICMP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] icmp-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
icmp-frag-flood detection threshold
Use icmp-frag-flood detection threshold to enable ICMP fragment flood attack detection and set a detection threshold.
Use undo icmp-frag-flood detection threshold to disable ICMP fragment flood attack detection.
Syntax
icmp-frag-flood detection threshold { bit-based | packet-based } value
undo icmp-frag-flood detection threshold
Default
ICMP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ICMP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP fragments per destination IP address in this zone. When the sending rate of ICMP fragments destined for an IP address keeps exceeding the threshold, an ICMP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ICMP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable ICMP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] icmp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
ip-range
Use ip-range to add an IPv4 address range to an anti-DDoS zone.
Use undo ip-range to remove an IPv4 address range from an anti-DDoS zone.
Syntax
ip-range start-ip end-ip
undo ip-range start-ip end-ip
Default
No IPv4 address range is configured in an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
start-ip: Specifies a start IPv4 address.
end-ip: Specifies an end IPv4 address.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
An anti-DDoS zone supports a maximum of 128 IPv4 address ranges. The highest 16 bits of all IPv4 addresses in a zone must be the same.
IPv4 address ranges in each anti-DDoS zone cannot overlap. The device supports a maximum of 512 IPv4 and IPv6 address ranges that contain IP addresses with different highest 16 bits.
This command is not available in the default anti-DDoS zone.
Examples
# Add IPv4 address range 192.168.30.10 to 192.168.30.120 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ip-range 192.168.30.10 192.168.30.120
Related commands
display anti-ddos zone configuration
ipv6-range
ipv6-range
Use ipv6-range to add an IPv6 address range to an anti-DDoS zone.
Use undo ipv6-range to remove an IPv6 address range from an anti-DDoS zone.
Syntax
ipv6-range start-ip end-ip
undo ipv6-range start-ip end-ip
Default
No IPv6 address range is configured in an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
start-ip: Specifies a start IPv6 address.
end-ip: Specifies an end IPv6 address.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
An anti-DDoS zone supports a maximum of 128 IPv6 address ranges. The highest 16 bits of all IPv6 addresses in a zone must be the same.
IPv6 address ranges in each anti-DDoS zone cannot overlap. The device supports a maximum of 512 IPv4 and IPv6 address ranges that contain IP addresses with different highest 16 bits.
This command is not available in the default anti-DDoS zone.
Examples
# Add IPv6 address range 192:168:30::10 to 192:168:30::120 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ipv6-range 192:168:30::10 192:168:30::120
Related commands
display anti-ddos zone configuration
ip-range
name
Use name to assign a name to an anti-DDoS zone.
Use undo name to restore the default.
Syntax
name zone-name
undo name
Default
An anti-DDoS zone does not have a name.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
zone-name: Specifies the name of an anti-DDoS zone, a case-insensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), and hyphens (-). The name cannot be default.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The name of the default anti-DDoS zone is not configurable.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify name test for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] name test
Related commands
anti-ddos zone
display anti-ddos zone configuration
opcode
Use opcode to create a request packet type match rule for HTTP packets.
Use undo opcode to delete a request packet type match rule for HTTP packets.
Syntax
opcode { connect | delete | get | head | options | post | put | trace }
undo opcode { connect | delete | get | head | options | post | put | trace }
Default
No request packet type match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
connect: Specifies the HTTP CONNECT request packet type.
delete: Specifies the HTTP DELETE request packet type.
get: Specifies the HTTP GET request packet type.
head: Specifies the HTTP HEAD request packet type.
options: Specifies the HTTP OPTIONS request packet type.
post: Specifies the HTTP POST request packet type.
put: Specifies the HTTP PUT request packet type.
trace: Specifies the HTTP TRACE request packet type.
Usage guidelines
The device uses this rule to match the packet type of HTTP request packets.
An HTTP filter supports a maximum of eight request packet types for packet match.
Examples
# Create a rule for HTTP filter test to match HTTP PUT request packets.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] opcode put
Related commands
anti-ddos filter
display anti-ddos filter statistics
packet-length
Use packet-length to create a packet length match rule.
Use undo packet-length to delete a packet length match rule.
Syntax
packet-length range length1 length2
undo packet-length [ range length1 length2 ]
Default
No packet length match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
range: Specifies a packet length range.
length1: Specifies the minimum packet length in bytes. The value range is 1 to 1500.
length2: Specifies the maximum packet length in bytes. The value range is 1 to 1500.
Usage guidelines
The device uses this rule to match the packet length.
A filter supports a maximum of 10 rules for the packet length field. A packet matches the packet length field if its packet length matches one of these rules.
The minimum packet length cannot be greater than the maximum packet length. The packet length ranges in one filter cannot overlap.
If you do not specify any parameters, the undo packet-length command deletes all packet length match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that are 50 to 500 bytes long.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] packet-length range 50 500
Related commands
anti-ddos filter
display anti-ddos filter statistics
protocol
Use protocol to create a protocol field match rule.
Use undo protocol to delete a protocol field match rule.
Syntax
protocol protocol-number
undo protocol [ protocol-number ]
Default
No packet protocol match rules exist.
Views
IP filter view
Predefined user roles
network-admin
Parameters
protocol-number: Specifies a protocol number in the range of 0 to 255.
Usage guidelines
The device uses this rule to match the protocol field of packets.
An IP filter supports a maximum of 10 rules for the protocol field. A packet matches the protocol field if its protocol field matches one of these rules.
If you do not specify a protocol number, the undo protocol command deletes all packet protocol match rules in the filter.
Examples
# Create a rule for IP filter test to match VRRP packets (protocol number 112).
<Sysname> system-view
[Sysname] anti-ddos filter name test type ip
[Sysname-anti-ddos-filter-ip-test] protocol 112
Related commands
anti-ddos filter
display anti-ddos filter statistics
qr
Use qr to create a QR field match rule for DNS packets.
Use undo qr to delete a QR field match rule for DNS packets.
Syntax
qr { query | reply }
undo qr { query | reply }
Default
No QR field match rules for DNS packets exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
query: Specifies DNS queries.
reply: Specifies DNS replies.
Usage guidelines
The device uses this rule to match the QR field of DNS packets.
A DNS filter supports a maximum of two rules for the QR field. A packet matches the QR field if its QR field matches one of these rules.
Examples
# Create a rule for DNS filter test to match DNS queries.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] qr query
Related commands
anti-ddos filter
display anti-ddos filter statistics
referer
Use referer to create a referer field match rule for HTTP packets.
Use undo referer to delete a referer field match rule for HTTP packets.
Syntax
referer include referrer-string
undo referer [ include referrer-string ]
Default
No referer field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified referer keyword.
referrer-string: Specifies the referer keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the referer field of HTTP packets.
An HTTP filter supports a maximum of 32 rules for the referer field. A packet matches the referer field if its referer field matches one of these rules.
If you do not specify any parameters, the undo referer command deletes all referer field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain www.abc.com in the referer field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] referer include www.abc.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
request-uri
Use request-uri to create a match rule for the request URI field in HTTP packets.
Use undo request-uri to delete a match rule for the request URI field in HTTP packets.
Syntax
request-uri include uri
undo request-uri [ include uri ]
Default
No URI match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified URI keyword.
uri: Specifies the URI keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match HTTP packets that contain the specified URI keyword.
An HTTP filter supports a maximum of 32 rules for the request URI field. A packet matches the request URI field if its request URI matches one of these rules.
If you do not specify any parameters, the undo request-uri command deletes all URI match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain favicon.ico in the request URI field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] request-uri include favicon.ico
Related commands
anti-ddos filter
display anti-ddos filter statistics
reset anti-ddos filter statistics zone
Use reset anti-ddos filter statistics to clear filter statistics in an anti-DDoS zone.
Syntax
reset anti-ddos filter statistics name name anti-ddos-zone { id zone-id | default }
Views
User view
Predefined user roles
network-admin
Parameters
name name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.
anti-ddos-zone: Specifies an anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone by its ID in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone.
Examples
# Clear statistics about filter test in anti-DDoS zone 3.
<Sysname> reset anti-ddos filter statistics name test anti-ddos-zone id 3
Related commands
display anti-ddos filter statistics
reset anti-ddos flow-agent statistics
Use reset anti-ddos flow-agent statistics to clear flow agent statistics.
Syntax
reset anti-ddos flow-agent statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear flow agent statistics.
<Sysname> reset anti-ddos flow-agent statistics
reset anti-ddos flow-forward statistics
Use reset anti-ddos flow-forward statistics to clear statistics for the forwarded flow statistics packets.
Syntax
In standalone mode:
reset anti-ddos flow-forward statistics [ slot slot-number ]
In IRF mode:
reset anti-ddos flow-forward statistics [ chassis chassis-number slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears related forwarding statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears related forwarding statistics on all cards. (In IRF mode.)
Examples
# Clear statistics for the forwarded flow statistics packets.
<Sysname> reset anti-ddos flow-forward statistics
rst-flood detection threshold
Use rst-flood detection threshold to enable RST flood attack detection and set a detection threshold.
Use undo rst-flood detection threshold to disable RST flood attack detection.
Syntax
rst-flood detection threshold { bit-based value | packet-based value }
undo rst-flood detection threshold
Default
RST flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable RST flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of RST packets per destination IP address in this zone. When the sending rate of RST packets destined for an IP address keeps exceeding the threshold, an RST flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of RST packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable RST flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] rst-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
sip-flood defense source-verify
Use sip-flood defense source-verify to enable SIP source verification.
Use undo sip-flood defense source-verify to disable SIP source verification.
Syntax
sip-flood defense source-verify
undo sip-flood defense source-verify
Default
SIP source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal SIP server against SIP flood attacks initiated by external illegitimate clients. After receiving a SIP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SIP packets from this IP address to pass through.
· If the source IP address fails verification, the device drops the SIP packet.
Examples
# Enable SIP source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] sip-flood defense source-verify
Related commands
display anti-ddos zone configuration
sip-flood detection threshold
Use sip-flood detection threshold to enable SIP flood attack detection and set a detection threshold.
Use undo sip-flood detection threshold to disable SIP flood attack detection.
Syntax
sip-flood detection threshold { bit-based value | packet-based value }
undo sip-flood detection threshold
Default
SIP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SIP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SIP packets per destination IP address in this zone. When the sending rate of SIP packets destined for an IP address keeps exceeding the threshold, a SIP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SIP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SIP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] sip-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
source-ip
Use source-ip to create a source IP address match rule.
Use undo source-ip to delete a source IP address match rule.
Syntax
source-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }
undo source-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]
Default
No source IP address match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ip-range: Specifies a source IPv4 address range.
start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.
end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.
ipv6-range: Specifies a source IPv6 address range.
start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.
end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.
Usage guidelines
The device uses this rule to match the source IP addresses of packets.
A filter supports a maximum of 512 rules for the source IP address field. A packet matches the source IP address field if its source IP address matches one of these rules.
The source IP address ranges in one filter cannot overlap.
If you do not specify any parameters, the undo source-ip command deletes all source IP address match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with source IPv4 addresses in the range of 1.1.1.10 to 1.1.1.20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] source-ip ip-range 1.1.1.10 1.1.1.20
Related commands
anti-ddos filter
display anti-ddos filter statistics
source-port
Use source-port to create a source port match rule.
Use undo source-port to delete a source port match rule.
Syntax
source-port range start-port end-port
undo source-port [ range start-port end-port ]
Default
No source port match rules exist.
Views
TCP filter view
UDP filter view
DNS filter view
HTTP filter view
SIP filter view
Predefined user roles
network-admin
Parameters
range: Specifies a source port range.
start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.
end-port: Specifies an end port number in the range of 1 to 65535.
Usage guidelines
The device uses this rule to match the source port numbers of packets.
A filter supports a maximum of 10 rules for the source port number field. A packet matches the source port number field if its source port number matches one of these rules.
The source port number ranges in one filter cannot overlap.
If you do not specify any parameters, the undo source-port command deletes all source port match rules in the filter.
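The following is an added example, not code from the device or this reference. It models the source-ip and source-port match rules of one filter with the constraints both commands state: start must not be above end, ranges in one filter cannot overlap, a filter holds at most 512 source IP rules and 10 source port rules, and ports run from 1 to 65535. Within a field the rules are OR-ed, as the reference says. One assumption is not stated on the page and is marked in the code: a packet matches the filter only when it matches every field that has at least one rule. The IPv6 range and the packets fed to matches() are constructed for the demonstration.

```python
# Added example (not device code): a model of a filter's source-ip and source-port
# match rules with the constraints the reference states for both commands:
# start <= end, no overlapping ranges in one filter, at most 512 source IP rules and
# 10 source port rules, ports 1 to 65535. Within a field the rules are OR-ed.
# Assumption (not stated on the page): a packet matches the filter only when it
# matches every field that has at least one rule.
import ipaddress
from dataclasses import dataclass, field

MAX_SOURCE_IP_RULES = 512
MAX_SOURCE_PORT_RULES = 10


def _overlaps(lo1, hi1, lo2, hi2) -> bool:
    """Closed intervals [lo1, hi1] and [lo2, hi2] share at least one value."""
    return lo1 <= hi2 and lo2 <= hi1


@dataclass
class FilterRules:
    name: str
    ip_ranges: list = field(default_factory=list)    # (start, end) ipaddress objects
    port_ranges: list = field(default_factory=list)  # (start, end) ints

    def source_ip(self, start: str, end: str) -> None:
        """source-ip ip-range / ipv6-range start end"""
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version:
            raise ValueError("start and end addresses must be the same IP version")
        if lo > hi:
            raise ValueError("start address cannot be higher than end address")
        if len(self.ip_ranges) >= MAX_SOURCE_IP_RULES:
            raise ValueError(f"a filter supports at most {MAX_SOURCE_IP_RULES} source IP rules")
        for a, b in self.ip_ranges:
            if a.version == lo.version and _overlaps(lo, hi, a, b):
                raise ValueError(f"range {lo}-{hi} overlaps existing range {a}-{b}")
        self.ip_ranges.append((lo, hi))

    def source_port(self, start: int, end: int) -> None:
        """source-port range start end"""
        if not (1 <= start <= 65535 and 1 <= end <= 65535):
            raise ValueError("port numbers must be in the range 1 to 65535")
        if start > end:
            raise ValueError("start port cannot be greater than end port")
        if len(self.port_ranges) >= MAX_SOURCE_PORT_RULES:
            raise ValueError(f"a filter supports at most {MAX_SOURCE_PORT_RULES} source port rules")
        for a, b in self.port_ranges:
            if _overlaps(start, end, a, b):
                raise ValueError(f"range {start}-{end} overlaps existing range {a}-{b}")
        self.port_ranges.append((start, end))

    def matches(self, src_ip: str, src_port: int) -> bool:
        """True if the packet matches every configured field (OR within a field)."""
        ip = ipaddress.ip_address(src_ip)
        ip_ok = not self.ip_ranges or any(
            a.version == ip.version and a <= ip <= b for a, b in self.ip_ranges)
        port_ok = not self.port_ranges or any(
            a <= src_port <= b for a, b in self.port_ranges)
        return ip_ok and port_ok


def build_http_filter_test() -> FilterRules:
    """The HTTP filter 'test' from the two command examples, plus a constructed IPv6 range."""
    f = FilterRules("test")
    f.source_ip("1.1.1.10", "1.1.1.20")           # source-ip ip-range 1.1.1.10 1.1.1.20
    f.source_ip("2001:db8::10", "2001:db8::20")   # constructed IPv6 range
    f.source_port(10, 20)                         # source-port range 10 20
    return f


if __name__ == "__main__":
    f = build_http_filter_test()
    for ip, port in [("1.1.1.15", 15), ("1.1.1.21", 15), ("1.1.1.15", 21), ("2001:db8::1a", 10)]:
        print(f"{ip:>14} :{port:<5} -> {'match' if f.matches(ip, port) else 'no match'}")
    try:
        f.source_ip("1.1.1.20", "1.1.1.30")       # touches the existing range at 1.1.1.20
    except ValueError as e:
        print("rejected:", e)
```

The overlap check treats ranges as closed intervals, so a new range that merely touches an existing one at its end address (1.1.1.20 in the example) is rejected, which is the behaviour the "cannot overlap" rule implies.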
Examples
# Create a rule for HTTP filter test to match packets with source port numbers in the range of 10 to 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] source-port range 10 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
syn-ack-flood detection threshold
Use syn-ack-flood detection threshold to enable SYN-ACK flood attack detection and set a detection threshold.
Use undo syn-ack-flood detection threshold to disable SYN-ACK flood attack detection.
Syntax
syn-ack-flood detection threshold { bit-based value | packet-based value }
undo syn-ack-flood detection threshold
Default
SYN-ACK flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SYN-ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN-ACK packets per destination IP address in this zone. When the sending rate of SYN-ACK packets destined for an IP address keeps exceeding the threshold, a SYN-ACK flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SYN-ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SYN-ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-ack-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
syn-flood defense source-verify
Use syn-flood defense source-verify to enable SYN source verification.
Use undo syn-flood defense source-verify to disable SYN source verification.
Syntax
syn-flood defense source-verify
undo syn-flood defense source-verify
Default
SYN source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal server against SYN flood attacks initiated by external illegitimate clients. After receiving a SYN packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SYN packets from this IP address to pass through.
· If the source IP address fails verification, the device drops the SYN packet.
Examples
# Enable SYN source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-flood defense source-verify
Related commands
display anti-ddos zone configuration
syn-flood detection threshold
Use syn-flood detection threshold to enable SYN flood attack detection and set a detection threshold.
Use undo syn-flood detection threshold to disable SYN flood attack detection.
Syntax
syn-flood detection threshold { bit-based value | packet-based value }
undo syn-flood detection threshold
Default
SYN flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SYN flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN packets per destination IP address in this zone. When the sending rate of SYN packets destined for an IP address keeps exceeding the threshold, a SYN flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SYN packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SYN flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
tcp-flag
Use tcp-flag to create a TCP flags field match rule.
Use undo tcp-flag to delete a TCP flags field match rule.
Syntax
tcp-flag tcp-flag
undo tcp-flag [ tcp-flag ]
Default
No TCP flags field match rules exist.
Views
TCP filter view
HTTP filter view
Predefined user roles
network-admin
Parameters
tcp-flag: Specifies a value of the TCP flags field, in the range of 0 to 63. The value is the 6-bit flags field of the TCP header read as an integer (URG = 32, ACK = 16, PSH = 8, RST = 4, SYN = 2, FIN = 1). For example, a SYN-only packet has the value 2, a SYN-ACK packet has the value 18, and a packet with RST and ACK set has the value 20.
Usage guidelines
The device uses this rule to match the TCP flags field of packets.
A TCP or HTTP filter supports a maximum of 10 rules for the TCP flags field. A packet matches the TCP flags field if its TCP flags field value matches one of these rules.
If you do not specify a value, the undo tcp-flag command deletes all TCP flags field match rules in the filter.
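The following is an added example, not code from the device or this reference. It encodes flag names into the 0 to 63 value the tcp-flag rule takes and decodes a value back into flag names, using the standard TCP header bit layout (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1). The rule names in tcp_flag_rules_for_floods() are illustrative labels chosen here, not device keywords.

```python
# Added example (not device code): encode and decode the 6-bit value the tcp-flag rule
# compares against the TCP flags field. Bit positions are the standard TCP header layout
# (RFC 793): URG = 32, ACK = 16, PSH = 8, RST = 4, SYN = 2, FIN = 1, hence the range 0 to 63.
# The rule matches on exact equality of the whole field, not on individual bits.
TCP_FLAG_BITS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def tcp_flag_value(*flags) -> int:
    """Return the tcp-flag rule value for a set of flag names: ("SYN", "ACK") -> 18."""
    value = 0
    for name in flags:
        bit = TCP_FLAG_BITS.get(name.upper())
        if bit is None:
            raise ValueError(f"unknown TCP flag {name!r}")
        value |= bit
    return value  # always within 0..63 with the table above


def tcp_flag_names(value: int) -> list:
    """Decode a tcp-flag rule value into flag names, highest bit first: 20 -> ["ACK", "RST"]."""
    if not 0 <= value <= 63:
        raise ValueError("tcp-flag value must be in the range 0 to 63")
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def tcp_flag_rules_for_floods() -> dict:
    """Values a practitioner typically puts in TCP/HTTP filter rules (a filter allows up to 10).
    The labels are illustrative names chosen for this example, not device keywords."""
    return {
        "syn_only":  tcp_flag_value("SYN"),                # 2: connection requests (SYN flood)
        "syn_ack":   tcp_flag_value("SYN", "ACK"),         # 18: handshake replies (SYN-ACK flood)
        "ack_only":  tcp_flag_value("ACK"),                # 16: bare ACKs (ACK flood)
        "rst_only":  tcp_flag_value("RST"),                # 4: bare resets (RST flood)
        "rst_ack":   tcp_flag_value("RST", "ACK"),         # 20: the value in this command's example
        "null_scan": tcp_flag_value(),                     # 0: no flag set; a normal stack never sends this
        "xmas_scan": tcp_flag_value("FIN", "PSH", "URG"),  # 41: FIN+PSH+URG; a normal stack never sends this
    }


if __name__ == "__main__":
    for label, v in tcp_flag_rules_for_floods().items():
        print(f"tcp-flag {v:<2}  # {label}: {'+'.join(tcp_flag_names(v)) or 'none'}")
```

Because the rule compares the whole field, a filter that should catch both bare SYN and SYN-ACK packets needs two rules (values 2 and 18); one rule with value 2 does not match a SYN-ACK.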
Examples
# Create a rule for HTTP filter test to match HTTP packets in which the TCP flags field value is 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] tcp-flag 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
tcp-frag-flood detection threshold
Use tcp-frag-flood detection threshold to enable TCP fragment flood attack detection and set a detection threshold.
Use undo tcp-frag-flood detection threshold to disable TCP fragment flood attack detection.
Syntax
tcp-frag-flood detection threshold { bit-based | packet-based } value
undo tcp-frag-flood detection threshold
Default
TCP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable TCP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of TCP fragments per destination IP address in this zone. When the sending rate of TCP fragments destined for an IP address keeps exceeding the threshold, a TCP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of TCP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable TCP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] tcp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
threshold-learning enable
Use threshold-learning enable to enable threshold learning for an anti-DDoS zone.
Use undo threshold-learning enable to disable threshold learning for an anti-DDoS zone.
Syntax
threshold-learning enable
undo threshold-learning enable
Default
Threshold learning is disabled for an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The threshold learning feature enables the device to learn attack detection thresholds for different types of DDoS attacks based on the actual network traffic. As a best practice, enable this feature if you are not sure about thresholds for DDoS attack protection.
After you enable this feature for a non-default anti-DDoS zone, the device collects the traffic baseline values for IP addresses in this zone every 5 minutes and reports the values to the anti-DDoS management center. The management center calculates the threshold and assigns policies accordingly.
Only non-default anti-DDoS zones support this command.
Examples
# Enable threshold learning for anti-DDoS zone 6.
<Sysname> system-view
[Sysname] anti-ddos zone id 6
[Sysname-anti-ddos-zone-id-6] threshold-learning enable
Related commands
display anti-ddos zone configuration
ttl
Use ttl to create a TTL field match rule.
Use undo ttl to delete a TTL field match rule.
Syntax
ttl ttl-value
undo ttl [ ttl-value ]
Default
No TTL field match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ttl-value: Specifies a TTL value in the range of 1 to 255.
Usage guidelines
The device uses this rule to match the TTL value of packets.
A filter supports a maximum of 10 rules for the TTL field. A packet matches the TTL field if its TTL value matches one of these rules.
If you do not specify a TTL value, the undo ttl command deletes all TTL field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with TTL value 63.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] ttl 63
Related commands
anti-ddos filter
display anti-ddos filter statistics
type
Use type to create a DNS packet type match rule.
Use undo type to delete a DNS packet type match rule.
Syntax
type type-value
undo type [ type-value ]
Default
No DNS packet type match rules exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
type-value: Specifies a DNS type ID in the range of 0 to 255.
Usage guidelines
The device uses this rule to match the packet type of DNS packets.
A DNS filter supports a maximum of 10 rules for the DNS type field. A DNS packet matches the type field if its type matches one of these rules.
If you do not specify a packet type, the undo type command deletes all DNS packet type match rules in the filter.
Examples
# Create a rule for DNS filter test to match DNS packets with type ID 6.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] type 6
Related commands
anti-ddos filter
display anti-ddos filter statistics
udp-flood detection threshold
Use udp-flood detection threshold to enable UDP flood attack detection and set a detection threshold.
Use undo udp-flood detection threshold to disable UDP flood attack detection.
Syntax
udp-flood detection threshold { bit-based value | packet-based value }
undo udp-flood detection threshold
Default
UDP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable UDP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP packets per destination IP address in this zone. When the sending rate of UDP packets destined for an IP address keeps exceeding the threshold, a UDP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of UDP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable UDP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] udp-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
udp-frag-flood detection threshold
Use udp-frag-flood detection threshold to enable UDP fragment flood attack detection and set a detection threshold.
Use undo udp-frag-flood detection threshold to disable UDP fragment flood attack detection.
Syntax
udp-frag-flood detection threshold { bit-based | packet-based } value
undo udp-frag-flood detection threshold
Default
UDP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable UDP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP fragments per destination IP address in this zone. When the sending rate of UDP fragments destined for an IP address keeps exceeding the threshold, a UDP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of UDP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable UDP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] udp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
user-agent
Use user-agent to create a user-agent field match rule for HTTP packets.
Use undo user-agent to delete a user-agent field match rule for HTTP packets.
Syntax
user-agent include user-agent
undo user-agent [ include user-agent ]
Default
No user-agent field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified user-agent keyword.
user-agent: Specifies the user-agent keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match HTTP packets that contain the specified keyword in the user-agent field.
An HTTP filter supports a maximum of 32 rules for the user-agent field. An HTTP packet matches the user-agent field if its user-agent field matches one of these rules.
If you do not specify any parameters, the undo user-agent command deletes all user-agent field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain Linux in the user-agent field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] user-agent include Linux
Related commands
anti-ddos filter
display anti-ddos filter statistics
user-defined attack-type detection threshold
Use user-defined attack-type detection threshold to enable flood attack detection for a user-defined attack type and set a detection threshold.
Use undo user-defined attack-type detection threshold to disable flood attack detection for a user-defined attack type.
Syntax
user-defined attack-type id id detection threshold { bit-based | packet-based } value
undo user-defined attack-type [ id id ] detection threshold
Default
Flood attack detection for all user-defined attack types is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15.
bit-based: Specifies a bit-based threshold, in Mbps.
packet-based: Specifies a packet-based threshold, in pps.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable flood attack detection for a user-defined protocol-specific attack type in a zone, the device enters attack detection state and monitors the sending rate of that protocol's packets per destination IP address in this zone. When the sending rate of the protocol packets destined for an IP address keeps exceeding the threshold, a flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of the protocol packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
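The following is an added example, not code from the device or this reference. It models the per-destination detection state machine that this command and every *-flood detection threshold command in this chapter (rst-flood, sip-flood, syn-ack-flood, syn-flood, tcp-frag-flood, udp-flood, udp-frag-flood) describe: detection state until the rate keeps exceeding the threshold, attack state until the rate drops below the silence threshold of three-fourths of the detection threshold. Two details are assumptions not stated on the page and are marked in the code: rate samples arrive at a fixed interval, and "keeps exceeding" is modelled as a fixed number of consecutive samples above the threshold. The rate samples are constructed.

```python
# Added example (not device code): a model of the per-destination flood detection
# state machine that every "<type>-flood detection threshold" command and the
# "user-defined attack-type detection threshold" command describe. Assumptions not
# stated in the reference: rate samples arrive at a fixed interval, "keeps exceeding"
# means CONSECUTIVE samples above the threshold, and state is kept per destination IP.
from dataclasses import dataclass, field

SILENCE_RATIO = 0.75        # silence threshold is three-fourths of the detection threshold
MAX_THRESHOLD = 4294967295  # upper bound of the value argument


@dataclass
class FloodDetector:
    attack_type: str           # e.g. "syn-flood", "udp-flood", "user-defined id 2"
    threshold: int             # detection threshold, 1 to 4294967295
    unit: str                  # "pps" for packet-based, "Mbps" for bit-based
    consecutive: int = 3       # assumed number of over-threshold samples before the alarm
    state: dict = field(default_factory=dict)  # dst IP -> "detection" or "attack"
    _over: dict = field(default_factory=dict)  # dst IP -> consecutive over-threshold samples

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= MAX_THRESHOLD:
            raise ValueError("threshold must be in the range 1 to 4294967295")
        if self.unit not in ("pps", "Mbps"):
            raise ValueError("unit must be pps (packet-based) or Mbps (bit-based)")

    @property
    def silence_threshold(self) -> float:
        return self.threshold * SILENCE_RATIO

    def observe(self, dst_ip: str, rate: float) -> str:
        """Feed one rate sample for dst_ip. Returns an alarm or clear message, or "" if
        the state did not change. Rates between the silence threshold and the detection
        threshold never change state; that gap is the hysteresis that prevents flapping."""
        state = self.state.setdefault(dst_ip, "detection")
        if state == "detection":
            if rate > self.threshold:
                self._over[dst_ip] = self._over.get(dst_ip, 0) + 1
                if self._over[dst_ip] >= self.consecutive:
                    self.state[dst_ip] = "attack"
                    return (f"{self.attack_type} attack on {dst_ip}: "
                            f"{rate} {self.unit} exceeds {self.threshold} {self.unit}")
            else:
                self._over[dst_ip] = 0   # a single normal sample resets the run
            return ""
        # attack state: stay there until the rate drops below the silence threshold
        if rate < self.silence_threshold:
            self.state[dst_ip] = "detection"
            self._over[dst_ip] = 0
            return (f"{self.attack_type} attack on {dst_ip} ended: "
                    f"{rate} {self.unit} below {self.silence_threshold} {self.unit}")
        return ""


def state_trace(detector: FloodDetector, dst_ip: str, samples: list) -> list:
    """Return the detector state after each sample, for inspection or testing."""
    trace = []
    for rate in samples:
        detector.observe(dst_ip, rate)
        trace.append(detector.state[dst_ip])
    return trace


if __name__ == "__main__":
    # Constructed SYN rates toward 10.0.0.1 with the 20 pps threshold used in the examples.
    det = FloodDetector("syn-flood", threshold=20, unit="pps")
    for rate in [10, 25, 30, 40, 18, 16, 14, 10]:
        msg = det.observe("10.0.0.1", rate)
        print(f"{rate:>3} pps -> {det.state['10.0.0.1']:<9} {msg}")
```

With a 20 pps threshold the silence threshold is 15 pps, so in the constructed run the samples 18 and 16 keep the destination in attack state even though they are under the detection threshold; only the 14 pps sample returns it to detection state. When tuning a threshold, check what the resulting silence threshold means for the protected host's normal traffic, because a baseline that sits between the two values will hold an attack state indefinitely.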
Examples
# In anti-DDoS zone 3, enable flood attack detection for attack type 2 and set the threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] user-defined attack-type id 2 detection threshold packet-based 20
zone-blacklist
Use zone-blacklist to add an anti-DDoS zone-based static blacklist entry.
Use undo zone-blacklist to delete an anti-DDoS zone-based static blacklist entry.
Syntax
zone-blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo zone-blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No anti-DDoS zone-based static blacklist entries exist.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
all: Deletes all anti-DDoS zone-based static blacklist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
The device drops a packet if the source IP address of the packet destined for an anti-DDoS zone is on the static blacklist of this zone.
For an anti-DDoS zone, IP addresses on its static blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.
An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.
Examples
# Add 1.1.1.1/24 (the subnet 1.1.1.0/24) to the static blacklist for anti-DDoS zone 2.
<Sysname> system-view
[Sysname] anti-ddos zone id 2
[Sysname-anti-ddos-zone-id-2] zone-blacklist ip 1.1.1.1 24
Related commands
zone-whitelist
display anti-ddos blacklist zone
zone-whitelist
Use zone-whitelist to add an anti-DDoS zone-based static whitelist entry.
Use undo zone-whitelist to delete an anti-DDoS zone-based static whitelist entry.
Syntax
zone-whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo zone-whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No anti-DDoS zone-based static whitelist entries exist.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
all: Deletes all anti-DDoS zone-based static whitelist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
If the source IP address of a packet destined for an anti-DDoS zone matches a static whitelist entry specific to this zone, the packet bypasses DDoS protection (except rate limiting).
For an anti-DDoS zone, IP addresses on its blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.
An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.
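The following is an added example, not code from the device or this reference. It models one zone's static blacklist and whitelist with the constraints the zone-blacklist and zone-whitelist commands state: mask length 8 to 32 for IPv4 and 8 to 128 for IPv6, the addresses 0.0.0.0, 255.255.255.255, :: and FF00::/8 rejected, no overlap between the two lists in a zone, and at most 10 entries per zone. Two points are assumptions marked in the code: an address plus mask length is stored as the prefix that contains it (1.1.1.1 24 becomes 1.1.1.0/24), and the blacklist is consulted before the whitelist. The whitelist entry and the source addresses looked up are constructed.

```python
# Added example (not device code): a model of an anti-DDoS zone's static blacklist and
# whitelist with the constraints the zone-blacklist and zone-whitelist references state:
# mask length 8 to 32 (IPv4) or 8 to 128 (IPv6); 0.0.0.0, 255.255.255.255, :: and
# FF00::/8 are not allowed; blacklist and whitelist addresses in one zone cannot overlap;
# at most 10 entries per zone. Assumptions not stated on the page: "address mask-length"
# is stored as the covering prefix (1.1.1.1 24 -> 1.1.1.0/24), and the lookup order is
# blacklist (drop) before whitelist (bypass protection except rate limiting).
import ipaddress

MAX_ENTRIES_PER_ZONE = 10
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")


def parse_entry(address: str, mask_length: int):
    """Validate one 'ip/ipv6 address mask-length' entry and return its prefix."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        if not 8 <= mask_length <= 32:
            raise ValueError("ip-mask-length must be in the range 8 to 32")
        if str(ip) in ("0.0.0.0", "255.255.255.255"):
            raise ValueError("IPv4 address cannot be 0.0.0.0 or 255.255.255.255")
    else:
        if not 8 <= mask_length <= 128:
            raise ValueError("ipv6-mask-length must be in the range 8 to 128")
        if ip.is_unspecified or ip in IPV6_MULTICAST:
            raise ValueError("IPv6 address cannot be :: or a multicast (FF00::/8) address")
    return ipaddress.ip_network(f"{ip}/{mask_length}", strict=False)


class ZoneLists:
    def __init__(self, zone_id: int) -> None:
        self.zone_id = zone_id
        self.blacklist = []   # ip_network objects
        self.whitelist = []

    def _add(self, target: list, other: list, address: str, mask_length: int):
        net = parse_entry(address, mask_length)
        if len(self.blacklist) + len(self.whitelist) >= MAX_ENTRIES_PER_ZONE:
            raise ValueError(f"zone {self.zone_id}: at most {MAX_ENTRIES_PER_ZONE} "
                             "static blacklist and whitelist entries in total")
        for o in other:
            if o.version == net.version and o.overlaps(net):
                raise ValueError(f"{net} overlaps {o} on the other list of zone {self.zone_id}")
        target.append(net)
        return net

    def zone_blacklist(self, address: str, mask_length: int):
        return self._add(self.blacklist, self.whitelist, address, mask_length)

    def zone_whitelist(self, address: str, mask_length: int):
        return self._add(self.whitelist, self.blacklist, address, mask_length)

    def action(self, src_ip: str) -> str:
        """What the cleaning device does with a packet from src_ip destined for this zone."""
        ip = ipaddress.ip_address(src_ip)   # 'in' is False across IP versions
        if any(ip in n for n in self.blacklist):
            return "drop"
        if any(ip in n for n in self.whitelist):
            return "bypass"   # skips DDoS protection except rate limiting
        return "inspect"      # normal anti-DDoS processing


def build_zone_2() -> ZoneLists:
    """Zone 2 with the blacklist entry from the example and a constructed whitelist entry."""
    z = ZoneLists(2)
    z.zone_blacklist("1.1.1.1", 24)        # zone-blacklist ip 1.1.1.1 24, stored as 1.1.1.0/24
    z.zone_whitelist("2001:db8:1::", 48)   # constructed: zone-whitelist ipv6 2001:db8:1:: 48
    return z


if __name__ == "__main__":
    z = build_zone_2()
    for src in ["1.1.1.200", "2001:db8:1::5", "8.8.8.8"]:
        print(f"{src:>14} -> {z.action(src)}")
    try:
        z.zone_whitelist("1.1.1.128", 25)  # inside the blacklisted 1.1.1.0/24
    except ValueError as e:
        print("rejected:", e)
```

Because the whitelist bypasses every protection except rate limiting, a whitelist prefix wider than intended (a /8 where a /24 was meant) silently exempts a large address range from flood defense; the overlap check only catches conflicts with the blacklist, so the mask length deserves a second look before it is committed.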
Examples
# Add 1.1.1.1/24 (the subnet 1.1.1.0/24) to the static whitelist for anti-DDoS zone 2.
<Sysname> system-view
[Sysname] anti-ddos zone id 2
[Sysname-anti-ddos-zone-id-2] zone-whitelist ip 1.1.1.1 24
Related commands
zone-blacklist
display anti-ddos whitelist zone