03-Security Command Reference

19-DDoS protection commands

Contents

DDoS protection commands
ack-flood defense session-check
ack-flood detection threshold
action
anti-ddos apply filter
anti-ddos blacklist
anti-ddos blacklist timeout
anti-ddos cleaner deploy-mode
anti-ddos default-zone enable
anti-ddos filter
anti-ddos log-local-ip
anti-ddos log-server-ip
anti-ddos out-of-band interface
anti-ddos user-defined attack-type protocol
anti-ddos user-defined attack-type protocol icmp
anti-ddos user-defined attack-type protocol icmpv6
anti-ddos user-defined attack-type protocol tcp
anti-ddos user-defined attack-type protocol udp
anti-ddos whitelist
anti-ddos whitelist timeout
anti-ddos zone
bandwidth-detection destination-ip threshold
bandwidth-limit destination-ip type max-rate
callee
caller
cookie
destination-ip
destination-port
display anti-ddos blacklist
display anti-ddos blacklist zone
display anti-ddos dynamic-blacklist
display anti-ddos filter statistics
display anti-ddos source-verify protected ip
display anti-ddos source-verify protected ipv6
display anti-ddos source-verify trusted ip
display anti-ddos source-verify trusted ipv6
display anti-ddos ssl-defend illegal-session-stat-nodes
display anti-ddos ssl-defend session-stat-nodes
display anti-ddos statistics
display anti-ddos statistics bandwidth-limit destination-ip
display anti-ddos statistics destination-ip
display anti-ddos whitelist
display anti-ddos whitelist zone
display anti-ddos zone configuration
dns-query-flood defense source-verify
dns-query-flood detection threshold
dns-reply-flood defense source-verify
dns-reply-flood detection threshold
domain
dscp
fingerprint (filter view)
fingerprint (fingerprint policy group view)
fingerprint-group
fingerprint-group apply
fragment
host
http-flood defense source-verify
http-flood detection threshold
http-slow-attack defense threshold
https-flood defense source-verify
https-flood defense ssl-defend
https-flood detection threshold
icmp-flood detection threshold
icmp-frag-flood detection threshold
ip-range
ipv6-range
name
opcode
packet-length
protocol
qr
referer
request-uri
reset anti-ddos dynamic-blacklist
reset anti-ddos filter statistics zone
rst-flood detection threshold
sip-flood defense source-verify
sip-flood detection threshold
source-ip
source-port
syn-ack-flood detection threshold
syn-flood defense source-verify
syn-flood detection threshold
tcp-flag
tcp-frag-flood detection threshold
threshold-learning enable
ttl
type
udp-flood detection threshold
udp-frag-flood detection threshold
user-agent
user-defined attack-type detection threshold
zone-blacklist
zone-whitelist


DDoS protection commands

ack-flood defense session-check

Use ack-flood defense session-check to enable session check for ACK flood attack protection.

Use undo ack-flood defense session-check to disable session check for ACK flood attack protection.

Syntax

ack-flood defense session-check

undo ack-flood defense session-check

Default

Session check is disabled for ACK flood attack protection.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

The command is available on anti-DDoS cleaning devices.

This feature allows incoming ACK packets to pass through only when the packets have matching sessions. Those incoming ACK packets are dropped if they do not have any matching session.

Do not enable this feature on the cleaning device deployed in one-arm mode. If you do so, the cleaning device will drop ACK packets of sessions that are established before the dynamic traffic redirection.

Examples

# Enable session check for ACK flood attack protection in anti-DDoS zone 5.

<Sysname> system-view

[Sysname] anti-ddos zone id 5

[Sysname-anti-ddos-zone-id-5] ack-flood defense session-check

Related commands

ack-flood detection threshold

ack-flood detection threshold

Use ack-flood detection threshold to enable ACK flood attack detection and set a detection threshold.

Use undo ack-flood detection threshold to disable ACK flood attack detection.

Syntax

ack-flood detection threshold { bit-based value | packet-based value }

undo ack-flood detection threshold

Default

ACK flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ACK packets per destination IP address in this zone. When the sending rate of ACK packets destined for an IP address keeps exceeding the threshold, an ACK flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
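The detection and silence thresholds above form a small per-destination state machine. The following Python simulation is an added illustration, not code from the H3C reference: it tracks each destination IP in a zone, declares an attack after a sustained run of over-threshold samples, maps the attack to the deployment-mode action described above, and returns to detection state only once the rate falls below three-fourths of the threshold. The number of consecutive over-threshold samples that counts as "keeps exceeding" is not given on the page and is an assumed value here.

```python
# Added example (not from the H3C reference): simulation of the per-destination
# flood detection state machine (detection state -> attack state -> detection
# state once the rate drops below the silence threshold, 3/4 of the threshold).
from dataclasses import dataclass, field

SILENCE_RATIO = 0.75          # silence threshold is three-fourths of the detection threshold
ACTIONS = {                   # protection action per deployment mode, as described above
    "one-arm": "send-alarm-log-to-management-center",   # the center then redirects traffic
    "inline": "clean-attack-traffic-locally",
}


@dataclass
class FloodDetector:
    """Per-zone detector that tracks attack state for each destination IP."""
    threshold: int                    # pps for packet-based, Mbps for bit-based
    unit: str = "pps"
    deploy_mode: str = "inline"
    # "keeps exceeding" is not quantified on the page: the number of consecutive
    # over-threshold samples that declares an attack is an assumption of this example.
    consecutive_required: int = 3
    _over: dict = field(default_factory=dict)    # consecutive over-threshold samples per IP
    _state: dict = field(default_factory=dict)   # "detection" or "attack" per IP
    _events: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.threshold <= 4294967295:
            raise ValueError("threshold range is 1 to 4294967295")
        if self.unit not in ("pps", "Mbps"):
            raise ValueError("unit must be pps (packet-based) or Mbps (bit-based)")
        if self.deploy_mode not in ACTIONS:
            raise ValueError("deploy_mode must be one-arm or inline")

    @property
    def silence_threshold(self) -> float:
        return self.threshold * SILENCE_RATIO

    def observe(self, dst_ip: str, rate: float) -> str:
        """Feed one rate sample for a destination IP and return its new state."""
        state = self._state.get(dst_ip, "detection")
        if state == "detection":
            if rate > self.threshold:
                self._over[dst_ip] = self._over.get(dst_ip, 0) + 1
                if self._over[dst_ip] >= self.consecutive_required:
                    state = "attack"
                    self._events.append(("attack-start", dst_ip, rate, ACTIONS[self.deploy_mode]))
            else:
                self._over[dst_ip] = 0          # a dip resets the "keeps exceeding" run
        elif rate < self.silence_threshold:     # attack state ends only below 3/4 of threshold
            state = "detection"
            self._over[dst_ip] = 0
            self._events.append(("attack-end", dst_ip, rate, None))
        self._state[dst_ip] = state
        return state

    def events(self) -> list:
        return list(self._events)


def run_sample():
    """Replay constructed per-second ACK rates against the 20 pps threshold used above."""
    det = FloodDetector(threshold=20, unit="pps", deploy_mode="one-arm")
    samples = [                                  # constructed sample data
        ("10.0.0.1", 5), ("10.0.0.1", 25), ("10.0.0.1", 30), ("10.0.0.1", 40),
        ("10.0.0.1", 18), ("10.0.0.1", 16),      # still above the 15 pps silence threshold
        ("10.0.0.1", 14),                        # below it: back to detection state
        ("10.0.0.2", 50), ("10.0.0.2", 3),       # a single spike is not "keeps exceeding"
    ]
    states = [det.observe(ip, rate) for ip, rate in samples]
    return states, det.events()


if __name__ == "__main__":
    states, events = run_sample()
    print(states)
    print(events)
```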

Examples

# Enable ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] ack-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

action

Use action to specify an action on packets that match a filter.

Use undo action to restore the default.

Syntax

action { drop | limit { bit-based value | packet-based value } | pass | source-verify }

undo action

Default

The device drops packets that match a filter.

Views

Filter view

Predefined user roles

network-admin

Parameters

drop: Drops the matching packets.

limit: Rate limits the matching packets. The device drops the matching packets that exceed the threshold.

bit-based value: Specifies a bit-based threshold, in Mbps. The value range is 1 to 4294967295.

packet-based value: Specifies a packet-based threshold, in pps. The value range is 1 to 4294967295.

pass: Allows the matching packets to pass through.

source-verify: Performs source verification of the matching packets.

Usage guidelines

The source-verify keyword is applicable only to HTTP filters. If you specify this keyword, the device permits packets that pass source verification and drops packets that fail source verification.

If you execute this command multiple times for one filter, the most recent configuration takes effect.

Examples

# Configure the device to perform source verification on packets matching HTTP filter test.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] action source-verify

Related commands

anti-ddos filter

display anti-ddos filter statistics

anti-ddos apply filter

Use anti-ddos apply filter to apply a filter to an anti-DDoS zone and set a preference for the filter.

Use undo anti-ddos apply filter to remove the application of a filter from the anti-DDoS zone.

Syntax

anti-ddos apply filter filter-name preference preference

undo anti-ddos apply filter filter-name

Default

No filters are applied to an anti-DDoS zone.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

filter-name: Specifies a filter name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter. The specified filter must already exist.

preference preference: Sets the filter preference, in the range of 1 to 255. A smaller value indicates a higher priority.

Usage guidelines

The device uses the filters in an anti-DDoS zone to match a packet in the descending order of priority:

1.     If the packet matches the filter with the highest priority, the device takes the filter-specific action.

2.     If the packet does not match the filter with the highest priority, the device uses filters with lower priorities to match the packet one by one in the descending order. If the packet matches a filter, the device stops the matching process and takes the action specified in this filter.

3.     If the packet does not match any filters, the device delivers the packet to the next DDoS protection process.

The preference value of each filter applied to the same anti-DDoS zone must be unique.

You can apply a maximum of 10 filters to an anti-DDoS zone.

Examples

# Apply filter test to anti-DDoS zone 3, and set the filter preference to 10.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] anti-ddos apply filter test preference 10

Related commands

anti-ddos filter

display anti-ddos filter statistics

anti-ddos blacklist

Use anti-ddos blacklist to add a global static anti-DDoS blacklist entry.

Use undo anti-ddos blacklist to delete a global static anti-DDoS blacklist entry.

Syntax

anti-ddos blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

undo anti-ddos blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

Default

No global static anti-DDoS blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

all: Deletes all global static blacklist entries, including IPv4 and IPv6 entries.

ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.

ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.

Usage guidelines

The device drops a packet if the source IP address of the packet is on the global static anti-DDoS blacklist.

IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be the unspecified address (::/128) or an IPv6 multicast address (FF00::/8).

The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.

Examples

# Add subnet 1.1.1.1/24 to the global static anti-DDoS blacklist.

<Sysname> system-view

[Sysname] anti-ddos blacklist ip 1.1.1.1 24

Related commands

anti-ddos whitelist

display anti-ddos blacklist

anti-ddos blacklist timeout

Use anti-ddos blacklist timeout to set an aging time for dynamic blacklist entries.

Use undo anti-ddos blacklist timeout to restore the default.

Syntax

anti-ddos blacklist timeout aging-time

undo anti-ddos blacklist timeout

Default

The aging time is 1 minute for dynamic blacklist entries.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.

Examples

# Set the aging time to 2 minutes for dynamic blacklist entries.

<Sysname> system-view

[Sysname] anti-ddos blacklist timeout 2

anti-ddos cleaner deploy-mode

Use anti-ddos cleaner deploy-mode to set the deployment mode of the anti-DDoS cleaning device.

Use undo anti-ddos cleaner deploy-mode to restore the default.

Syntax

anti-ddos cleaner deploy-mode { inline | out-of-path }

undo anti-ddos cleaner deploy-mode

Default

The anti-DDoS cleaning device uses the inline deployment mode.

Views

System view

Predefined user roles

network-admin

Parameters

inline: Specifies the inline deployment mode.

out-of-path: Specifies the one-arm deployment mode.

Usage guidelines

This command is available only on anti-DDoS cleaning devices. The configured deployment mode must match how the cleaning device is actually connected to the network.

The DDoS attack detection features on the anti-DDoS cleaning device take effect in both deployment modes.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the one-arm deployment mode for the anti-DDoS cleaning device.

<Sysname> system-view

[Sysname] anti-ddos cleaner deploy-mode out-of-path

anti-ddos default-zone enable

Use anti-ddos default-zone enable to enable the default anti-DDoS zone.

Use undo anti-ddos default-zone enable to disable the default anti-DDoS zone.

Syntax

anti-ddos default-zone enable

undo anti-ddos default-zone enable

Default

The default anti-DDoS zone is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

If the IP addresses of packets passing through the device do not belong to any non-default anti-DDoS zone, the DDoS protection in the default anti-DDoS zone applies.

The configuration of the default anti-DDoS zone does not take effect if you do not enable the default anti-DDoS zone.

Examples

# Enable the default anti-DDoS zone.

<Sysname> system-view

[Sysname] anti-ddos default-zone enable

Related commands

anti-ddos zone default

anti-ddos filter

Use anti-ddos filter to create a filter and enter its view, or enter the view of an existing filter.

Use undo anti-ddos filter to delete a filter.

Syntax

anti-ddos filter name filter-name [ type { dns | http | icmp | ip | sip | tcp | udp } ]

undo anti-ddos filter name filter-name

Default

No filters exist.

Views

System view

Predefined user roles

network-admin

Parameters

name filter-name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.

type: Specifies a filter type. To enter the view of an existing filter, you do not need to specify its filter type.

dns: Specifies the DNS type.

http: Specifies the HTTP type.

icmp: Specifies the ICMP type.

ip: Specifies the IP type.

sip: Specifies the SIP type.

tcp: Specifies the TCP type.

udp: Specifies the UDP type.

Usage guidelines

A filter allows you to use different packet fields to identify packets. For each field, you can specify multiple rules. A packet matches a field if it matches one of these rules. The device takes the filter action only when the packet matches all the fields specified in the filter.

You can configure a maximum of 1024 filters. The filter name must be unique on the device.
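The matching rules for filters (a field matches if any of its rules matches, the filter acts only when every configured field matches) combine with the preference order described under anti-ddos apply filter. The following Python simulation is an added example, not code from the H3C reference: it models both rules over constructed packets, enforces the name, type, preference and filter-count limits stated on this page, and restricts source-verify to HTTP filters. Field names such as source-ip, request-uri and user-agent follow the command names in this reference; the packet dictionary layout and helper names are assumptions of the example.

```python
# Added example (not from the H3C reference): filter field matching and
# zone-level preference ordering as described in this command reference.
import ipaddress
import re
from dataclasses import dataclass, field

FILTER_TYPES = {"dns", "http", "icmp", "ip", "sip", "tcp", "udp"}
FILTER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")  # 1-63 chars, starts with a letter


@dataclass
class Filter:
    name: str
    ftype: str
    action: str = "drop"                          # default action is drop
    fields: dict = field(default_factory=dict)    # field name -> list of rule callables

    def __post_init__(self):
        if not FILTER_NAME_RE.match(self.name):
            raise ValueError("invalid filter name")
        if self.ftype not in FILTER_TYPES:
            raise ValueError("invalid filter type")
        if self.action == "source-verify" and self.ftype != "http":
            raise ValueError("source-verify applies only to HTTP filters")

    def add_rule(self, field_name: str, rule):
        self.fields.setdefault(field_name, []).append(rule)

    def matches(self, packet: dict) -> bool:
        # every configured field must match; a field matches if any of its rules does
        return all(any(rule(packet.get(f)) for rule in rules)
                   for f, rules in self.fields.items())


class Zone:
    MAX_FILTERS = 10

    def __init__(self, zone_id: int):
        self.zone_id = zone_id
        self.filters = {}                         # preference -> Filter

    def apply_filter(self, flt: Filter, preference: int):
        if not 1 <= preference <= 255:
            raise ValueError("preference range is 1 to 255")
        if preference in self.filters:
            raise ValueError("preference must be unique within a zone")
        if len(self.filters) >= self.MAX_FILTERS:
            raise ValueError("at most 10 filters per zone")
        self.filters[preference] = flt

    def process(self, packet: dict):
        """Return (filter name, action); a smaller preference value is tried first."""
        for pref in sorted(self.filters):
            flt = self.filters[pref]
            if flt.matches(packet):
                return flt.name, flt.action       # first match stops the process
        return None, "next-ddos-protection-process"


# Rule helpers (assumed names): each returns a predicate over one field value.
def in_net(cidr: str):
    net = ipaddress.ip_network(cidr)
    return lambda v: v is not None and ipaddress.ip_address(v) in net

def prefix(p: str):
    return lambda v: v is not None and v.startswith(p)

def contains(s: str):
    return lambda v: v is not None and s in v


def build_zone() -> Zone:
    """Constructed configuration: an IP filter and an HTTP filter applied to zone 3."""
    bad_src = Filter("bad_src", "ip", action="drop")
    bad_src.add_rule("source-ip", in_net("203.0.113.0/24"))

    test = Filter("test", "http", action="source-verify")
    test.add_rule("request-uri", prefix("/login"))    # two rules on one field: either matches
    test.add_rule("request-uri", prefix("/api/"))
    test.add_rule("user-agent", contains("python"))

    zone = Zone(3)
    zone.apply_filter(bad_src, preference=5)          # higher priority than preference 10
    zone.apply_filter(test, preference=10)
    return zone


SAMPLE_PACKETS = [  # constructed sample packets
    {"source-ip": "203.0.113.7", "request-uri": "/index.html", "user-agent": "Mozilla/5.0"},
    {"source-ip": "198.51.100.2", "request-uri": "/login", "user-agent": "python-requests/2.31"},
    {"source-ip": "198.51.100.2", "request-uri": "/login", "user-agent": "Mozilla/5.0"},
    {"source-ip": "198.51.100.2", "request-uri": "/api/v1/x", "user-agent": "python-urllib3"},
]


def run_sample():
    zone = build_zone()
    return [zone.process(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(pkt["source-ip"], pkt["request-uri"], "->", verdict)
```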

Examples

# Create an HTTP filter named test and enter its view.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test]

Related commands

action

display anti-ddos filter statistics

anti-ddos log-local-ip

Use anti-ddos log-local-ip to specify a source IP address for DDoS protection logs.

Use undo anti-ddos log-local-ip to restore the default.

Syntax

anti-ddos log-local-ip { ip ipv4-address | ipv6 ipv6-address }

undo anti-ddos log-local-ip

Default

No source IP address is specified for anti-DDoS logs.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a source IPv4 address for anti-DDoS logs. The IP address must be an IP address on the device.

ipv6 ipv6-address: Specifies a source IPv6 address for anti-DDoS logs. The IP address must be an IP address on the device.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

The device uses the specified source IP address to report DDoS protection logs to the management center.

Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 192.168.1.2 as the source IP address for anti-DDoS logs.

<Sysname> system-view

[Sysname] anti-ddos log-local-ip ip 192.168.1.2

Related commands

anti-ddos log-server-ip

anti-ddos log-server-ip

Use anti-ddos log-server-ip to specify a log server address.

Use undo anti-ddos log-server-ip to restore the default.

Syntax

anti-ddos log-server-ip { ip ipv4-address | ipv6 ipv6-address } [ port port-number ]

undo anti-ddos log-server-ip

Default

No log server address is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address of a log server.

ipv6 ipv6-address: Specifies the IPv6 address of a log server.

port port-number: Specifies a destination port number for reported logs. The value range is 1 to 65535, and the default is 10083.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

The device sends DDoS protection logs to the specified IP address and port number.

Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify 192.168.1.1 as the IP address of the log server.

<Sysname> system-view

[Sysname] anti-ddos log-server-ip ip 192.168.1.1

Related commands

anti-ddos log-local-ip

anti-ddos out-of-band interface

Use anti-ddos out-of-band interface to exclude interfaces from DDoS protection.

Use undo anti-ddos out-of-band interface to cancel the configuration.

Syntax

anti-ddos out-of-band interface { interface-type interface-number } &<1-10>

undo anti-ddos out-of-band interface [ interface-type interface-number ]

Default

Only GigabitEthernet 1/0/0 is excluded from DDoS protection.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number &<1-10>: Specifies a list of up to 10 interfaces. The interface-type interface-number arguments specify the interface type and interface number.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can exclude only physical interfaces from DDoS protection.

If you do not specify any interface type or interface number in the undo command, the device removes all excluded interfaces.

Examples

# Exclude GigabitEthernet 1/0/1, GigabitEthernet 1/0/4, and Loopback 1 from DDoS protection.

<Sysname> system-view

[Sysname] anti-ddos out-of-band interface gigabitethernet 1/0/1 gigabitethernet 1/0/4 loopback 1

anti-ddos user-defined attack-type protocol

Use anti-ddos user-defined attack-type protocol to configure a user-defined protocol-specific DDoS attack type.

Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.

Syntax

anti-ddos user-defined attack-type id id protocol protocol-number [ packet-length { equal | greater-than | less-than } packet-length ]

undo anti-ddos user-defined attack-type [ id id ]

Default

No user-defined protocol-specific DDoS attack types exist.

Views

System view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.

protocol-number: Specifies a protocol number in the range of 0 to 255.

packet-length: Specifies the packet length match criterion.

equal: Equal to the specified packet length.

greater-than: Greater than the specified packet length.

less-than: Less than the specified packet length.

packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can specify a packet length match criterion for a protocol-specific DDoS attack type.

If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.

If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.

Examples

# Configure an attack type 3 to match VRRP packets with the packet length less than 28 bytes.

<Sysname> system-view

[Sysname] anti-ddos user-defined attack-type id 3 protocol 112 packet-length less-than 28

anti-ddos user-defined attack-type protocol icmp

Use anti-ddos user-defined attack-type protocol icmp to configure a user-defined ICMP-based DDoS attack type.

Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.

Syntax

anti-ddos user-defined attack-type id id protocol icmp [ packet-length { equal | greater-than | less-than } packet-length ] [ icmp-type icmp-type icmp-code icmp-code ]

undo anti-ddos user-defined attack-type [ id id ]

Default

No user-defined ICMP-based DDoS attack types exist.

Views

System view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.

packet-length: Specifies the packet length match criterion.

equal: Equal to the specified packet length.

greater-than: Greater than the specified packet length.

less-than: Less than the specified packet length.

packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.

icmp-type icmp-type: Specifies an ICMP type, in the range of 0 to 255.

icmp-code icmp-code: Specifies an ICMP code, in the range of 0 to 255.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can use the packet length, ICMP type, and ICMP code as the packet match criteria for an ICMP-based DDoS attack type.

If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.

If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.

Examples

# Configure an ICMP-based attack type 3 to match ICMP packets with ICMP type 8 and ICMP code 0.

<Sysname> system-view

[Sysname] anti-ddos user-defined attack-type id 3 protocol icmp icmp-type 8 icmp-code 0

anti-ddos user-defined attack-type protocol icmpv6

Use anti-ddos user-defined attack-type protocol icmpv6 to configure a user-defined ICMPv6-based DDoS attack type.

Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.

Syntax

anti-ddos user-defined attack-type id id protocol icmpv6 [ packet-length { equal | greater-than | less-than } packet-length ] [ icmpv6-type icmpv6-type icmpv6-code icmpv6-code ]

undo anti-ddos user-defined attack-type [ id id ]

Default

No user-defined ICMPv6-based DDoS attack types exist.

Views

System view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.

packet-length: Specifies the packet length match criterion.

equal: Equal to the specified packet length.

greater-than: Greater than the specified packet length.

less-than: Less than the specified packet length.

packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.

icmpv6-type icmpv6-type: Specifies an ICMPv6 type, in the range of 0 to 255.

icmpv6-code icmpv6-code: Specifies an ICMPv6 code, in the range of 0 to 255.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can use the packet length, ICMPv6 type, and ICMPv6 code as the packet match criteria for an ICMPv6-based DDoS attack type.

If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.

If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.

Examples

# Configure an ICMPv6-based attack type 3 to match ICMPv6 packets that are greater than 65535 bytes.

<Sysname> system-view

[Sysname] anti-ddos user-defined attack-type id 3 protocol icmpv6 packet-length greater-than 65535

anti-ddos user-defined attack-type protocol tcp

Use anti-ddos user-defined attack-type protocol tcp to configure a user-defined TCP-based DDoS attack type.

Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.

Syntax

anti-ddos user-defined attack-type id id protocol tcp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ] [ tcp-flag flag-value ]

undo anti-ddos user-defined attack-type [ id id ]

Default

No user-defined TCP-based DDoS attack types exist.

Views

System view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.

packet-length: Specifies the packet length match criterion.

equal: Equal to the specified packet length.

greater-than: Greater than the specified packet length.

less-than: Less than the specified packet length.

packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.

port port-num: Specifies a port number in the range of 1 to 65535.

port-type: Specifies the port type.

source: Specifies the source port type.

destination: Specifies the destination port type.

tcp-flag flag-value: Specifies a value of the TCP flags field, in the range of 0 to 63.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can use the packet length, port, and the value of TCP flags field as the packet match criteria for a TCP-based DDoS attack type. If all criteria are specified, a TCP packet is an attack packet only if it matches all criteria.

If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.

If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.

Examples

# Configure a TCP-based attack type 3 to match TCP packets that are greater than 65535 bytes and destined for port 80.

<Sysname> system-view

[Sysname] anti-ddos user-defined attack-type id 3 protocol tcp packet-length greater-than 65535 port 80 port-type destination

anti-ddos user-defined attack-type protocol udp

Use anti-ddos user-defined attack-type protocol udp to configure a user-defined UDP-based DDoS attack type.

Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.

Syntax

anti-ddos user-defined attack-type id id protocol udp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ]

undo anti-ddos user-defined attack-type [ id id ]

Default

No user-defined UDP-based DDoS attack types exist.

Views

System view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.

packet-length: Specifies the packet length match criterion.

equal: Equal to the specified packet length.

greater-than: Greater than the specified packet length.

less-than: Less than the specified packet length.

packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.

port port-num: Specifies a port number in the range of 1 to 65535.

port-type: Specifies the port type.

source: Specifies the source port type.

destination: Specifies the destination port type.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

You can use the packet length and port number as the packet match criteria for a UDP-based DDoS attack type. If both criteria are specified, a UDP packet is an attack packet only if it matches these criteria.

If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.

If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.

Examples

# Configure a UDP-based attack type 3 to match UDP packets with a packet length of 48 bytes.

<Sysname> system-view

[Sysname] anti-ddos user-defined attack-type id 3 protocol udp packet-length equal 48

anti-ddos whitelist

Use anti-ddos whitelist to add a global static anti-DDoS whitelist entry.

Use undo anti-ddos whitelist to delete a global static anti-DDoS whitelist entry.

Syntax

anti-ddos whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

undo anti-ddos whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

Default

No global static anti-DDoS whitelist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

all: Deletes all global static anti-DDoS whitelist entries, including IPv4 and IPv6 entries.

ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.

ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.

Usage guidelines

If the source IP address of a packet matches a global static anti-DDoS whitelist entry, the packet bypasses DDoS protection except rate limiting.

IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be the unspecified address (::/128) or an IPv6 multicast address (FF00::/8).

The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.
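The constraints shared by anti-ddos blacklist and anti-ddos whitelist (mask length ranges, forbidden addresses, no overlap between the two lists, 1024 entries in total) and the handling each list implies (drop for a blacklisted source, bypass of DDoS protection except rate limiting for a whitelisted source) are easy to get wrong when entries are generated by tooling. The following Python validator is an added example, not code from the H3C reference; it uses the standard ipaddress module for prefix arithmetic, and the class and method names are its own.

```python
# Added example (not from the H3C reference): validation of global static
# blacklist/whitelist entries and the per-packet verdict each list implies.
import ipaddress

MAX_STATIC_ENTRIES = 1024   # blacklist and whitelist entries combined


class StaticLists:
    def __init__(self):
        self.blacklist = []   # ip_network objects
        self.whitelist = []

    @staticmethod
    def _to_network(address: str, mask_length: int):
        ip = ipaddress.ip_address(address)
        if ip.version == 4:
            if not 8 <= mask_length <= 32:
                raise ValueError("IPv4 mask length must be 8 to 32")
            if str(ip) in ("0.0.0.0", "255.255.255.255"):
                raise ValueError("0.0.0.0 and 255.255.255.255 are not allowed")
        else:
            if not 8 <= mask_length <= 128:
                raise ValueError("IPv6 mask length must be 8 to 128")
            if ip == ipaddress.IPv6Address("::"):
                raise ValueError("the unspecified address is not allowed")
            if ip in ipaddress.IPv6Network("ff00::/8"):
                raise ValueError("IPv6 multicast addresses are not allowed")
        # strict=False so that "1.1.1.1 24" yields 1.1.1.0/24, as in the CLI example above
        return ipaddress.ip_network((address, mask_length), strict=False)

    def _add(self, target, other, address, mask_length) -> bool:
        net = self._to_network(address, mask_length)
        if net in target:
            return False                          # already configured
        if len(self.blacklist) + len(self.whitelist) >= MAX_STATIC_ENTRIES:
            raise ValueError("at most 1024 blacklist and whitelist entries in total")
        for existing in other:                    # blacklist and whitelist must not overlap
            if existing.version == net.version and existing.overlaps(net):
                raise ValueError(f"{net} overlaps {existing} on the other list")
        target.append(net)
        return True

    def add_blacklist(self, address: str, mask_length: int) -> bool:
        return self._add(self.blacklist, self.whitelist, address, mask_length)

    def add_whitelist(self, address: str, mask_length: int) -> bool:
        return self._add(self.whitelist, self.blacklist, address, mask_length)

    def classify(self, source_ip: str) -> str:
        """Verdict for a packet with this source address, as described on this page."""
        ip = ipaddress.ip_address(source_ip)
        if any(ip in n for n in self.blacklist if n.version == ip.version):
            return "drop"
        if any(ip in n for n in self.whitelist if n.version == ip.version):
            return "bypass-except-rate-limiting"
        return "ddos-protection"


def run_sample():
    """Constructed configuration mirroring the CLI examples, plus rejected entries."""
    lists = StaticLists()
    lists.add_blacklist("1.1.1.1", 24)            # anti-ddos blacklist ip 1.1.1.1 24
    lists.add_whitelist("2001:db8::1", 32)
    rejected = []
    for name, args in [("whitelist", ("1.1.1.128", 25)),   # overlaps the blacklisted /24
                       ("whitelist", ("0.0.0.0", 8)),      # forbidden IPv4 address
                       ("blacklist", ("ff02::1", 16)),     # IPv6 multicast
                       ("blacklist", ("10.0.0.1", 7))]:    # mask length out of range
        try:
            getattr(lists, "add_" + name)(*args)
        except ValueError as exc:
            rejected.append((name, args, str(exc)))
    verdicts = {ip: lists.classify(ip) for ip in ("1.1.1.200", "2001:db8::5", "9.9.9.9")}
    return verdicts, [r[:2] for r in rejected]


if __name__ == "__main__":
    verdicts, rejected = run_sample()
    print(verdicts)
    for name, args in rejected:
        print("rejected", name, args)
```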

Examples

# Add subnet 1.1.1.1/24 to the global static anti-DDoS whitelist.

<Sysname> system-view

[Sysname] anti-ddos whitelist ip 1.1.1.1 24

Related commands

anti-ddos blacklist

display anti-ddos whitelist

anti-ddos whitelist timeout

Use anti-ddos whitelist timeout to set an aging time for dynamic whitelist entries.

Use undo anti-ddos whitelist timeout to restore the default.

Syntax

anti-ddos whitelist timeout aging-time

undo anti-ddos whitelist timeout

Default

The aging time is 10 minutes for dynamic whitelist entries.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.

Usage guidelines

The command is available only on anti-DDoS cleaning devices.

The device adds the source IP addresses of packets that pass anti-DDoS source verification to the dynamic whitelist (also known as the trusted IP address list). Packets with source IP addresses on the dynamic whitelist bypass DDoS protection except rate limiting.

In the current software version, the device generates dynamic whitelist entries only based on the anti-DDoS source verification result.

Examples

# Set the aging time to 2 minutes for dynamic whitelist entries.

<Sysname> system-view

[Sysname] anti-ddos whitelist timeout 2

Related commands

display anti-ddos source-verify trusted ip

display anti-ddos source-verify trusted ipv6

anti-ddos zone

Use anti-ddos zone to create an anti-DDoS zone and enter its view, or enter the view of an existing anti-DDoS zone.

Use undo anti-ddos zone to delete an anti-DDoS zone.

Syntax

anti-ddos zone { id zone-id | default }

undo anti-ddos zone [ id zone-id ]

Default

Only the default anti-DDoS zone named default exists.

Views

System view

Predefined user roles

network-admin

Parameters

id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.

default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

The device does not take any protection action if no anti-DDoS zone is configured.

The device supports a maximum of 1024 anti-DDoS zones, including the default anti-DDoS zone.

If you do not specify an anti-DDoS zone ID in the undo command, the device deletes all user-defined anti-DDoS zones.

The default anti-DDoS zone exists by default and cannot be deleted.

Examples

# Create an anti-DDoS zone with ID 3 and enter its view.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3]

bandwidth-detection destination-ip threshold

Use bandwidth-detection destination-ip threshold to enable IP traffic attack detection and set a detection threshold.

Use undo bandwidth-detection destination-ip threshold to disable IP traffic attack detection.

Syntax

bandwidth-detection destination-ip threshold threshold-value

undo bandwidth-detection destination-ip threshold

Default

IP traffic attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold in Mbps, in the range of 1 to 4294967295.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable IP traffic attack detection for a zone, the device enters attack detection state and monitors the sending rate of IP packets per destination IP address in this zone. When the sending rate of IP packets destined for an IP address keeps exceeding the threshold, an IP traffic attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the IP attack traffic locally. If IP traffic rate limiting is not enabled, the IP traffic is allowed to pass through. If IP traffic rate limiting is enabled, the device limits the sending rate of IP traffic.

When the sending rate of IP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
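The detection state machine described above, replayed on per-destination-IP rate samples, as an added Python model that is not part of the command reference. The silence threshold is three-fourths of the configured threshold as stated; the number of consecutive over-threshold samples needed before an attack is declared (sustain) and the sampling interval are assumptions, since the page does not quantify "keeps exceeding".

```python
from dataclasses import dataclass, field


@dataclass
class DestIpDetector:
    """Models 'bandwidth-detection destination-ip threshold' for one anti-DDoS zone.

    threshold_mbps is the configured detection threshold.  The silence threshold
    is three-fourths of it, as the usage guidelines state.  'sustain' is an
    assumption: the number of consecutive samples that must exceed the threshold
    before an attack is declared.
    """
    threshold_mbps: float
    sustain: int = 3
    _over: dict = field(default_factory=dict)     # dst ip -> consecutive over-threshold samples
    _attacking: set = field(default_factory=set)  # dst ips currently in attack state

    @property
    def silence_mbps(self) -> float:
        return self.threshold_mbps * 3 / 4

    def sample(self, dst_ip: str, rate_mbps: float) -> str:
        """Feed one rate sample for dst_ip and return the resulting state.

        States: 'detecting', 'attack-start', 'attack', 'attack-end'.
        On 'attack-start' a one-arm detection device would send the alarm log that
        makes the management center redirect traffic to the cleaning device; an
        inline cleaning device would start cleaning (rate limiting) locally.
        """
        if dst_ip in self._attacking:
            # Hysteresis: stay in attack state until the rate falls below 3/4 of the
            # threshold, so traffic hovering just under the threshold does not flap.
            if rate_mbps < self.silence_mbps:
                self._attacking.discard(dst_ip)
                self._over[dst_ip] = 0
                return "attack-end"
            return "attack"
        if rate_mbps > self.threshold_mbps:
            self._over[dst_ip] = self._over.get(dst_ip, 0) + 1
            if self._over[dst_ip] >= self.sustain:
                self._attacking.add(dst_ip)
                return "attack-start"
        else:
            self._over[dst_ip] = 0  # one sample under the threshold resets the streak
        return "detecting"


def run_trace(threshold_mbps, samples, sustain=3):
    """Replay (dst_ip, rate_mbps) samples and return the state after each one."""
    det = DestIpDetector(threshold_mbps, sustain)
    return [det.sample(ip, mbps) for ip, mbps in samples]


# Constructed trace for the zone-3 example (threshold 20 Mbps, silence 15 Mbps).
TRACE = [
    ("2.2.2.10", 5), ("2.2.2.10", 25), ("2.2.2.11", 30), ("2.2.2.10", 25),
    ("2.2.2.10", 25), ("2.2.2.10", 18), ("2.2.2.10", 14), ("2.2.2.10", 25),
]

if __name__ == "__main__":
    for (ip, mbps), state in zip(TRACE, run_trace(20, TRACE)):
        print(f"{ip:<10} {mbps:>4} Mbps -> {state}")
```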

Examples

# Enable IP traffic attack detection for anti-DDoS zone 3 and set the threshold to 20 Mbps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] bandwidth-detection destination-ip threshold 20

Related commands

anti-ddos cleaner deploy-mode

bandwidth-limit destination-ip type max-rate

display anti-ddos zone configuration

bandwidth-limit destination-ip type max-rate

Use bandwidth-limit destination-ip type max-rate to enable rate limiting for protocol-specific packets and set the maximum rate.

Use undo bandwidth-limit destination-ip type to disable rate limiting for protocol-specific packets.

Syntax

bandwidth-limit destination-ip type { icmp | icmp-fragment | other | tcp | tcp-fragment | total | udp | udp-fragment } max-rate value

undo bandwidth-limit destination-ip [ type { icmp | icmp-fragment | other | tcp | tcp-fragment | total | udp | udp-fragment } ]

Default

Rate limiting is disabled for all supported types of packets.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

icmp: Specifies ICMP packets.

icmp-fragment: Specifies ICMP fragments.

other: Specifies other types of IP-based packets, except TCP packets, UDP packets, and ICMP packets.

tcp: Specifies TCP packets.

tcp-fragment: Specifies TCP fragments.

total: Specifies the total rate threshold for all IP-based packets.

udp: Specifies UDP packets.

udp-fragment: Specifies UDP fragments.

value: Sets a maximum rate in Mbps on a per destination IP address basis. The value range is 1 to 4294967295.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature monitors the protocol packet rate on a per destination IP address basis in an anti-DDoS zone. Protocol packets that exceed the maximum rate are dropped.

If you set the total rate threshold together with the packet threshold and the fragment threshold of a protocol, the device rate limits the packets and fragments of that protocol as follows:

·     Non-fragment packets are checked against the packet threshold first and then against the total rate threshold.

·     Fragments are checked against the packet threshold first, then against the fragment threshold, and then against the total rate threshold.

When you set maximum rates for both packets and fragments of a protocol, set the fragment maximum rate to a smaller value as a best practice.
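The threshold order above, and the reason the fragment maximum rate should be the smaller value, as an added Python model that is not part of the command reference. It assumes a fixed one-second accounting window counted in bits; the device's real measurement interval is not documented on the page.

```python
from collections import defaultdict


class DestIpRateLimiter:
    """Models 'bandwidth-limit destination-ip type <type> max-rate <Mbps>' in one zone.

    limits_mbps is keyed by the command's type keywords, e.g.
    {"tcp": 2, "tcp-fragment": 1, "total": 3}.  Accounting is an assumed
    fixed one-second window counted in bits.
    """

    def __init__(self, limits_mbps):
        self.limits = {k: v * 1_000_000 for k, v in limits_mbps.items()}  # bits per window
        self.used = defaultdict(int)  # (dst_ip, bucket) -> bits admitted in this window

    def new_window(self):
        self.used.clear()

    def buckets_for(self, proto, fragment):
        """Buckets a packet is checked against, in the order the usage guidelines give:
        packet threshold, then (fragments only) fragment threshold, then total."""
        order = [proto]
        if fragment:
            order.append(f"{proto}-fragment")
        order.append("total")
        return [b for b in order if b in self.limits]  # unconfigured types are not limited

    def admit(self, dst_ip, proto, length_bytes, fragment=False):
        """Return the name of the bucket that dropped the packet, or None if forwarded."""
        bits = length_bytes * 8
        checked = self.buckets_for(proto, fragment)
        for b in checked:
            if self.used[(dst_ip, b)] + bits > self.limits[b]:
                return b
        for b in checked:  # charge the buckets only once the packet is actually admitted
            self.used[(dst_ip, b)] += bits
        return None


def simulate(limits_mbps, packets):
    """packets: (dst_ip, proto, length_bytes, is_fragment) within one window.
    Returns a count per outcome ('forwarded' or the name of the dropping bucket)."""
    limiter = DestIpRateLimiter(limits_mbps)
    outcome = defaultdict(int)
    for dst, proto, size, frag in packets:
        outcome[limiter.admit(dst, proto, size, frag) or "forwarded"] += 1
    return dict(outcome)


# Constructed burst toward one protected address: 1250-byte packets (10,000 bits each).
BURST = ([("2.2.2.10", "tcp", 1250, True)] * 150       # TCP fragments
         + [("2.2.2.10", "tcp", 1250, False)] * 150    # TCP non-fragments
         + [("2.2.2.10", "udp", 1250, False)] * 150)   # UDP, only the total limit applies

if __name__ == "__main__":
    print(simulate({"tcp": 2, "tcp-fragment": 1, "total": 3}, BURST))
    # With the fragment rate above the packet rate the fragment limit never fires,
    # which is why the guidelines recommend the smaller value for fragments.
    print(simulate({"tcp": 1, "tcp-fragment": 2}, BURST[:150]))
```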

If you do not specify any parameter in the undo command, the device disables rate limiting for all types of packets in this zone.

Examples

# In anti-DDoS zone 3, rate limit TCP packets to 50 Mbps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] bandwidth-limit destination-ip type tcp max-rate 50

Related commands

bandwidth-detection destination-ip threshold

display anti-ddos zone configuration

callee

Use callee to create a callee field match rule for SIP packets.

Use undo callee to delete a callee field match rule for SIP packets.

Syntax

callee { equal | include } callee-string

undo callee [ { equal | include } callee-string ]

Default

No callee field match rules exist.

Views

SIP filter view

Predefined user roles

network-admin

Parameters

equal: Matches SIP packets whose callee URI is identical to the specified string.

include: Matches SIP packets whose callee URI contains the specified string.

callee-string: Specifies the URI of the callee, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the URI of the callee in SIP packets.

A SIP filter supports a maximum of 32 rules for the callee field. A SIP packet matches the callee field if its callee field matches one of these rules.

If you do not specify any parameters, the undo callee command deletes all callee field match rules in the filter.

Examples

# Create a rule for SIP filter test to match SIP packets that contain www.abc.com in the callee field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type sip

[Sysname-anti-ddos-filter-sip-test] callee include www.abc.com

Related commands

anti-ddos filter

display anti-ddos filter statistics

caller

Use caller to create a caller field match rule for SIP packets.

Use undo caller to delete a caller field match rule for SIP packets.

Syntax

caller { equal | include } caller-string

undo caller [ { equal | include } caller-string ]

Default

No caller field match rules exist.

Views

SIP filter view

Predefined user roles

network-admin

Parameters

equal: Matches SIP packets whose caller URI is identical to the specified string.

include: Matches SIP packets whose caller URI contains the specified string.

caller-string: Specifies the URI of the caller, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the URI of the caller in SIP packets.

A SIP filter supports a maximum of 32 rules for the caller field. A SIP packet matches the caller field if its caller field matches one of these rules.

If you do not specify any parameters, the undo caller command deletes all caller field match rules in the filter.

Examples

# Create a rule for SIP filter test to match SIP packets that contain www.abc.com in the caller field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type sip

[Sysname-anti-ddos-filter-sip-test] caller include www.abc.com

Related commands

anti-ddos filter

display anti-ddos filter statistics

cookie

Use cookie to create a cookie field match rule for HTTP packets.

Use undo cookie to delete a cookie field match rule for HTTP packets.

Syntax

cookie include cookie-string

undo cookie [ include cookie-string ]

Default

No cookie field match rules exist.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

include: Matches HTTP packets whose cookie field contains the specified keyword.

cookie-string: Specifies the cookie keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the cookie field in HTTP packets.

An HTTP filter supports a maximum of 32 rules for the cookie field. An HTTP packet matches the cookie field if its cookie field matches one of these rules.

If you do not specify any parameters, the undo cookie command deletes all cookie field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match HTTP packets that contain abc in the cookie field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] cookie include abc

Related commands

anti-ddos filter

display anti-ddos filter statistics

destination-ip

Use destination-ip to create a destination IP address match rule.

Use undo destination-ip to delete a destination IP address match rule.

Syntax

destination-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }

undo destination-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]

Default

No destination IP address match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

ip-range: Specifies a destination IPv4 address range.

start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.

end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.

ipv6-range: Specifies a destination IPv6 address range.

start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.

end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.

Usage guidelines

The device uses this rule to match the destination IP addresses of packets.

A filter supports a maximum of 100 rules for the destination IP address field. A packet matches the destination IP address field if its destination IP address matches one of these rules.

The destination IP address ranges in one filter cannot overlap.

If you do not specify any parameters, the undo destination-ip command deletes all destination IP address match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets with destination IPv4 addresses in the range of 2.2.2.10 to 2.2.2.20.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] destination-ip ip-range 2.2.2.10 2.2.2.20

Related commands

anti-ddos filter

display anti-ddos filter statistics

destination-port

Use destination-port to create a destination port match rule.

Use undo destination-port to delete a destination port match rule.

Syntax

destination-port range start-port end-port

undo destination-port [ range start-port end-port ]

Default

No destination port match rules exist.

Views

TCP filter view

UDP filter view

Predefined user roles

network-admin

Parameters

range: Specifies a destination port range.

start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.

end-port: Specifies an end port number in the range of 1 to 65535.

Usage guidelines

The device uses this rule to match the destination port numbers of packets.

A TCP or UDP filter supports a maximum of 10 rules for the destination port number field. A packet matches the destination port number field if its destination port number matches one of these rules.

The destination port number ranges in one filter cannot overlap.

If you do not specify any parameters, the undo destination-port command deletes all destination port match rules in the filter.
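The start/end, overlap and rule-count constraints of both destination-ip and destination-port rules can be checked before the rules are typed into a filter. The following Python validator is an added example, not part of the command reference; it assumes address ranges are given as (start, end) strings and port ranges as (start, end) integers, exactly as they appear in the command syntax.

```python
import ipaddress

MAX_DEST_IP_RULES = 100   # destination-ip rules per filter
MAX_DEST_PORT_RULES = 10  # destination-port rules per TCP or UDP filter


def _range_errors(ranges, what):
    """Checks shared by both rule types: start <= end and no overlapping ranges."""
    errors = []
    for start, end in ranges:
        if start > end:
            errors.append(f"{what}: start {start} cannot be higher than end {end}")
    # Sort the well-formed ranges; a neighbour starting at or before the previous end overlaps.
    ordered = sorted(r for r in ranges if r[0] <= r[1])
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            errors.append(f"{what}: range {s1}-{e1} overlaps range {s2}-{e2}")
    return errors


def validate_destination_ips(ranges):
    """ranges: (start, end) address strings as typed after 'destination-ip ip-range'
    or 'ipv6-range'.  Returns a list of problems; empty means the set is acceptable."""
    errors = []
    by_family = {4: [], 6: []}
    for start, end in ranges:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a.version != b.version:
            errors.append(f"destination-ip: {start} and {end} are not the same address family")
            continue
        by_family[a.version].append((a, b))
    if len(ranges) > MAX_DEST_IP_RULES:
        errors.append(f"destination-ip: {len(ranges)} rules exceed the maximum of {MAX_DEST_IP_RULES}")
    for fam in (4, 6):  # an IPv4 range can never overlap an IPv6 range
        errors += _range_errors(by_family[fam], "destination-ip")
    return errors


def validate_destination_ports(ranges):
    """ranges: (start_port, end_port) integers as typed after 'destination-port range'."""
    errors = []
    for start, end in ranges:
        for port in (start, end):
            if not 1 <= port <= 65535:
                errors.append(f"destination-port: port {port} is outside 1 to 65535")
    if len(ranges) > MAX_DEST_PORT_RULES:
        errors.append(f"destination-port: {len(ranges)} rules exceed the maximum of {MAX_DEST_PORT_RULES}")
    errors += _range_errors(list(ranges), "destination-port")
    return errors


if __name__ == "__main__":
    # Constructed rule sets: the second IP range overlaps the first and the third is reversed.
    for err in validate_destination_ips([("2.2.2.10", "2.2.2.20"), ("2.2.2.15", "2.2.2.30"),
                                         ("2.2.2.9", "2.2.2.1"), ("2001:db8::10", "2001:db8::20")]):
        print(err)
    for err in validate_destination_ports([(10, 20), (20, 30), (0, 5)]):
        print(err)
```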

Examples

# Create a rule for HTTP filter test to match packets with destination port numbers in the range of 10 to 20.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] destination-port range 10 20

Related commands

anti-ddos filter

display anti-ddos filter statistics

display anti-ddos blacklist

Use display anti-ddos blacklist to display global static anti-DDoS blacklist entries.

Syntax

display anti-ddos blacklist [ ip source-ip-address | ipv6 source-ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip source-ip-address: Specifies a source IPv4 address.

ipv6 source-ipv6-address: Specifies a source IPv6 address.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an IPv4 or IPv6 address, the command displays all IPv4 and IPv6 global static anti-DDoS blacklist entries.

Examples

# Display all global static anti-DDoS blacklist entries.

<Sysname> display anti-ddos blacklist

Total:         4              Blacklist:   3             Whitelist:   1

-------------------------------------------------------------------

Source-ip/MaskLen                                        Black/White

3.3.3.3/32                                               Black

10.0.0.0/24                                              Black

8000::/64                                                Black

# Display the global static anti-DDoS blacklist entry for the specified IPv4 address.

<Sysname> display anti-ddos blacklist ip 10.0.0.3

Total:         4              Blacklist:   3             Whitelist:   1

-------------------------------------------------------------------

Source-ip/MaskLen                                        Black/White

10.0.0.0/24                                              Black

# Display the global static anti-DDoS blacklist entry for the specified IPv6 address.

<Sysname> display anti-ddos blacklist ipv6 8000::1

Total:         4              Blacklist:   3             Whitelist:   1

-------------------------------------------------------------------

Source-ip/MaskLen                                        Black/White

8000::/64                                                Black

Table 1 Command output

Field

Description

Total

Total number of IPv4 or IPv6 blacklist and whitelist entries.

Blacklist

Number of IPv4 or IPv6 blacklist entries.

Whitelist

Number of IPv4 or IPv6 whitelist entries.

Source-ip/MaskLen

Source IP address and mask length.

Black/White

Entry type, blacklist or whitelist.

 

Related commands

anti-ddos blacklist

display anti-ddos blacklist zone

Use display anti-ddos blacklist zone to display anti-DDoS zone-based static blacklist entries.

Syntax

display anti-ddos blacklist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.

default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.

ip source-ip-address: Specifies a source IPv4 address.

ipv6 source-ipv6-address: Specifies a source IPv6 address.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static blacklist entries.

If you do not specify the IPv4 or IPv6 address for an anti-DDoS zone-based blacklist entry, the command displays all static blacklist entries for this zone.

Examples

# Display all anti-DDoS zone-based static blacklist entries.

<Sysname> display anti-ddos blacklist zone

Total:4            Blacklist:3                   Whitelist:1

-------------------------------------------------------------------

ZoneID             Source-ip/MaskLen             Black/White

default            3.3.3.3/32                    Black

2                  10.0.0.0/24                   Black

2                  8000::/64                     Black

# Display the static blacklist entry matching source IP address 10.0.0.3 in anti-DDoS zone 2.

<Sysname> display anti-ddos blacklist zone id 2 ip 10.0.0.3

Total:4            Blacklist:3                   Whitelist:1

-------------------------------------------------------------------

ZoneID             Source-ip/MaskLen             Black/White

2                  10.0.0.0/24                   Black

# Display the static blacklist entry matching source IPv6 address 8000::1 in the default anti-DDoS zone.

<Sysname> display anti-ddos blacklist zone default ipv6 8000::1

Total:   4         Blacklist:   3                Whitelist:   1

-------------------------------------------------------------------

ZoneID             Source-ip/MaskLen             Black/White

default            8000::/64                     Black

Table 2 Command output

Field

Description

Total

Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone.

Blacklist

Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone.

Whitelist

Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone.

ZoneID

Anti-DDoS zone ID.

Source-ip/MaskLen

Source IP address and mask length.

Black/White

Entry type, blacklist or whitelist.

 

Related commands

zone-blacklist

display anti-ddos dynamic-blacklist

Use display anti-ddos dynamic-blacklist to display dynamic blacklist entries in anti-DDoS zones.

Syntax

display anti-ddos dynamic-blacklist { ip | ipv6 } [ zone [ default | id zone-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Specifies IPv4 dynamic blacklist entries.

ipv6: Specifies IPv6 dynamic blacklist entries.

zone: Specifies an anti-DDoS zone. If you do not specify an anti-DDoS zone, this command displays dynamic blacklist entries in all anti-DDoS zones.

default: Specifies the default anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

Examples

# Display dynamic IPv4 blacklist entries in all anti-DDoS zones.

<Sysname> display anti-ddos dynamic-blacklist ip

Zone ID      Source-ip        Aging time (min)     Reason

2            192.168.8.9      10                   -

2            192.168.3.6      20                   -

3            192.168.9.6      5                    -

# Display dynamic IPv6 blacklist entries in anti-DDoS zone 2.

<Sysname> display anti-ddos dynamic-blacklist ipv6 zone id 2

Source-ipv6                     Aging time (min)    Reason

fe80::64fb:D5cf:3131:c1af       10                  -

Table 3 Command output

Field

Description

Zone ID

Anti-DDoS zone ID.

Source-ip

IPv4 blacklist entry.

Source-ipv6

IPv6 blacklist entry.

Aging time (min)

Remaining aging time in minutes.

Reason

Reason for adding the IP address to the dynamic blacklist.

 

display anti-ddos filter statistics

Use display anti-ddos filter statistics to display filter statistics in an anti-DDoS zone.

Syntax

display anti-ddos filter statistics name name anti-ddos-zone { id zone-id | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name must contain case-insensitive letters, digits, and underscores (_), and it must start with a letter.

anti-ddos-zone: Specifies an anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.

default: Specifies the default anti-DDoS zone.

Examples

# Display statistics about filter test in anti-DDoS zone 3.

<Sysname> display anti-ddos filter statistics name test anti-ddos-zone id 3

Type              : HTTP

Action            : drop

PPS               : 100000

Bps               : 200000000

Dropped packets   : 20750

Dropped bytes     : 5

Table 4 Command output

Field

Description

Type

Filter type:

·     IP.

·     TCP.

·     UDP.

·     HTTP.

·     DNS.

·     ICMP.

·     SIP.

Action

Action on the matching packets:

·     drop—Drops the matching packets.

·     pass—Allows the matching packets to pass through.

·     limit—Rate limits the matching packets.

·     source-verify—Verifies the source of the matching packets.

PPS

Sending rate of the matching packets, in pps.

Bps

Sending rate of the matching packets, in Bps.

Dropped packets

Number of packets dropped by the filter.

Dropped bytes

Number of bytes dropped by the filter.

display anti-ddos source-verify protected ip

Use display anti-ddos source-verify protected ip to display protected IPv4 addresses for source verification.

Syntax

In standalone mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ip [ ip-address ] [ count ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns-query: Specifies the DNS query source verification feature.

dns-reply: Specifies the DNS reply source verification feature.

http: Specifies the HTTP source verification feature.

sip: Specifies the SIP source verification feature.

syn: Specifies the SYN source verification feature.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv4 addresses on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv4 addresses on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

count: Displays the number of matching protected IPv4 addresses.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

Examples

# (In standalone mode.) Display the protected IPv4 addresses for SYN source verification.

<Sysname> display anti-ddos source-verify syn protected ip

Slot 1:

IP address          Port        Type            Requested        Trusted

192.168.11.5        23          Dynamic         353452           555

123.123.123.123     23          Dynamic         4294967295       15151

Slot 2:

IP address          Port        Type            Requested        Trusted

192.168.11.6        23          Dynamic         467901           78578

201.55.7.45         23          Dynamic         236829           7237

# (In standalone mode.) Display the number of protected IPv4 addresses for SYN source verification.

<Sysname> display anti-ddos source-verify syn protected ip count

Slot 1:

Totally 3 protected IP addresses.

Slot 2:

Totally 1 protected IP addresses.

Table 5 Command output

Field

Description

Totally n protected IP addresses.

Total number of protected IPv4 addresses.

IP address

Protected IPv4 address.

Port

Destination port number of the connection.

Type

Type of the protected IPv4 address. Dynamic represents a dynamically learned IP address.

Requested

Number of packets destined for the protected IPv4 address.

Trusted

Number of packets that passed the source verification.
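The Requested and Trusted columns are what an operator reads to judge whether traffic to a protected address is mostly spoofed. The following Python parser is an added example, not part of the command reference: it parses the Slot/row layout shown above (the IPv6 variant uses the same layout and is handled too), computes the verification pass rate per protected address and flags saturated counters. SAMPLE is the page's own IPv4 sample output; the low-pass-rate cutoff is an assumption.

```python
import re

SLOT_RE = re.compile(r"^Slot (\d+):$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)$")
COUNTER_MAX = 4294967295  # a Requested/Trusted value of 2^32 - 1 means the counter saturated

# The IPv4 sample output shown above for 'display anti-ddos source-verify syn protected ip'.
SAMPLE = """\
Slot 1:
IP address          Port        Type            Requested        Trusted
192.168.11.5        23          Dynamic         353452           555
123.123.123.123     23          Dynamic         4294967295       15151
Slot 2:
IP address          Port        Type            Requested        Trusted
192.168.11.6        23          Dynamic         467901           78578
201.55.7.45         23          Dynamic         236829           7237
"""


def parse_protected(text):
    """Parse 'display anti-ddos source-verify ... protected ip|ipv6' output into rows."""
    rows, slot = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        if not line or line.startswith(("IP address", "IPv6 address")):
            continue  # blank or column-header line
        m = ROW_RE.match(line)
        if m:
            ip, port, kind, requested, trusted = m.groups()
            rows.append({"slot": slot, "ip": ip, "port": int(port), "type": kind,
                         "requested": int(requested), "trusted": int(trusted)})
    return rows


def pass_ratio(row):
    """Share of packets to the protected address whose source passed verification."""
    return row["trusted"] / row["requested"] if row["requested"] else 0.0


def low_pass_rate(rows, min_ratio=0.01):
    """Protected addresses whose pass rate is under min_ratio (an assumed cutoff):
    nearly all requests failed verification, which is what a spoofed-source flood
    looks like in this output."""
    return [r["ip"] for r in rows if pass_ratio(r) < min_ratio]


def saturated(rows):
    """Addresses whose Requested counter hit its maximum; the true count is higher."""
    return [r["ip"] for r in rows if r["requested"] >= COUNTER_MAX]


if __name__ == "__main__":
    rows = parse_protected(SAMPLE)
    for r in rows:
        print(f"slot {r['slot']} {r['ip']:<16} port {r['port']} pass rate {pass_ratio(r):.4%}")
    print("low pass rate:", low_pass_rate(rows))
    print("saturated counters:", saturated(rows))
```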

 

display anti-ddos source-verify protected ipv6

Use display anti-ddos source-verify protected ipv6 to display protected IPv6 addresses for source verification.

Syntax

In standalone mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]

In IRF mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } protected ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns-query: Specifies the DNS query source verification feature.

dns-reply: Specifies the DNS reply source verification feature.

http: Specifies the HTTP source verification feature.

sip: Specifies the SIP source verification feature.

syn: Specifies the SYN source verification feature.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv6 addresses on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

count: Displays the number of matching protected IPv6 addresses.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

Examples

# (In standalone mode.) Display the protected IPv6 addresses for SYN source verification.

<Sysname> display anti-ddos source-verify syn protected ipv6

Slot 1:

IPv6 address            Port        Type           Requested        Trusted

192:168:11::5           23          Dynamic        353452           555

123:123:123::123        23          Dynamic        4294967295       15151

Slot 2:

IPv6 address            Port        Type           Requested        Trusted

192:168:11::5           23          Dynamic        467901           78578

201:55:7::45            23          Dynamic        236829           7237

# (In standalone mode.) Display the number of protected IPv6 addresses for SYN source verification.

<Sysname> display anti-ddos source-verify syn protected ipv6 count

Slot 1:

Totally 3 protected IPv6 addresses.

Slot 2:

Totally 1 protected IPv6 addresses.

Table 6 Command output

Field

Description

Totally n protected IPv6 addresses.

Total number of protected IPv6 addresses.

IPv6 address

Protected IPv6 address.

Port

Destination port number of the connection.

Type

Type of the protected IPv6 address. Dynamic represents a dynamically learned IP address.

Requested

Number of packets destined for the protected IPv6 address.

Trusted

Number of packets that passed the source verification.

 

display anti-ddos source-verify trusted ip

Use display anti-ddos source-verify trusted ip to display trusted IPv4 addresses for source verification.

Syntax

In standalone mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ip [ ip-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]

In IRF mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns-query: Specifies the DNS query source verification feature.

dns-reply: Specifies the DNS reply source verification feature.

http: Specifies the HTTP source verification feature.

sip: Specifies the SIP source verification feature.

syn: Specifies the SYN source verification feature.

ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv4 addresses on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

count: Displays the number of matching trusted IPv4 addresses.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

Examples

# (In standalone mode.) Display the trusted IPv4 addresses for HTTP source verification.

<Sysname> display anti-ddos source-verify http trusted ip

Slot 1:

IP address            Age-time (sec)

11.1.1.2               600

123.123.123.123        550

Slot 2:

IP address            Age-time (sec)

11.1.1.                200

# (In standalone mode.) Display the number of trusted IPv4 addresses for HTTP source verification.

<Sysname> display anti-ddos source-verify http trusted ip count

Slot 1:

Totally 3 trusted IP addresses.

Slot 2:

Totally 1 trusted IP addresses.

Table 7 Command output

Field

Description

Totally n trusted IP addresses

Total number of trusted IPv4 addresses.

IP address

Trusted IPv4 address.

Age-time(sec)

Remaining aging time of the trusted IPv4 address, in seconds.

 

display anti-ddos source-verify trusted ipv6

Use display anti-ddos source-verify trusted ipv6 to display trusted IPv6 addresses for source verification.

Syntax

In standalone mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]

In IRF mode:

display anti-ddos source-verify { dns-query | dns-reply | http | sip | syn } trusted ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns-query: Specifies the DNS query source verification feature.

dns-reply: Specifies the DNS reply source verification feature.

http: Specifies the HTTP source verification feature.

sip: Specifies the SIP source verification feature.

syn: Specifies the SYN source verification feature.

ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv6 addresses on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

count: Displays the number of matching trusted IPv6 addresses.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

Examples

# (In standalone mode.) Display the trusted IPv6 addresses for HTTP source verification.

<Sysname> display anti-ddos source-verify http trusted ipv6

Slot 1:

IPv6 address            Age-time(sec)

11:1:1::2                600

123:123:123::123         550

Slot 2:

IPv6 address            Age-time(sec)

11:1:1::3                200

# (In standalone mode.) Display the number of trusted IPv6 addresses for HTTP source verification.

<Sysname> display anti-ddos source-verify http trusted ipv6 count

Slot 1:

Totally 3 trusted IPv6 addresses.

Slot 2:

Totally 1 trusted IPv6 addresses.

Table 8 Command output

Field                              Description
Totally n trusted IPv6 addresses   Total number of trusted IPv6 addresses.
IPv6 address                       Trusted IPv6 address.
Age-time(sec)                      Remaining aging time of the trusted IPv6 address, in seconds.

display anti-ddos ssl-defend illegal-session-stat-nodes

Use display anti-ddos ssl-defend illegal-session-stat-nodes to display the abnormal session statistics nodes for SSL renegotiation protection.

Syntax

In standalone mode:

display anti-ddos ssl-defend illegal-session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display anti-ddos ssl-defend illegal-session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Displays abnormal IPv4 session statistics nodes for SSL renegotiation protection.

ipv6: Displays abnormal IPv6 session statistics nodes for SSL renegotiation protection.

count: Displays the number of abnormal session statistics nodes for SSL renegotiation protection.

zone: Specifies an anti-DDoS zone.

default: Specifies the default anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the abnormal session statistics nodes on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the abnormal session statistics nodes on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an anti-DDoS zone, this command displays the abnormal session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.

Examples

# (In standalone mode.) Display the abnormal IPv6 session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.

<Sysname> display anti-ddos ssl-defend illegal-session-stat-nodes ipv6

Slot 1:

Zone ID            Source-ipv6            Illegal sessions

3                  3::2:1                 8

 

Slot 2:

Zone ID            Source-ipv6            Illegal sessions

6                  5:1::ff                10

Table 9 Command output

Field              Description
Zone ID            Anti-DDoS zone ID.
Source-ip          Source IPv4 address of abnormal SSL sessions.
Source-ipv6        Source IPv6 address of abnormal SSL sessions.
Illegal sessions   Number of abnormal SSL sessions.

Related commands

https-flood defense ssl-defend

display anti-ddos ssl-defend session-stat-nodes

Use display anti-ddos ssl-defend session-stat-nodes to display the session statistics nodes for SSL renegotiation protection.

Syntax

In standalone mode:

display anti-ddos ssl-defend session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display anti-ddos ssl-defend session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Displays IPv4 session statistics nodes for SSL renegotiation protection.

ipv6: Displays IPv6 session statistics nodes for SSL renegotiation protection.

count: Displays the number of session statistics nodes for SSL renegotiation protection.

zone: Specifies an anti-DDoS zone.

default: Specifies the default anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the session statistics nodes for SSL renegotiation protection on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the session statistics nodes for SSL renegotiation protection on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an anti-DDoS zone, this command displays the session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.

Examples

# (In standalone mode.) Display the IPv6 session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.

<Sysname> display anti-ddos ssl-defend session-stat-nodes ipv6

Slot 1:

Zone ID        Source-ipv6            Negotiation-num            State

2              1::1                   8                          normal

 

Slot 2:

Zone ID        Source-ipv6            Negotiation-num            State

3              ff::1                  8                          illegal

Table 10 Command output

Field             Description
Zone ID           Anti-DDoS zone ID.
Source-ip         Source IPv4 address of an IPv4 session.
Source-ipv6       Source IPv6 address of an IPv6 session.
Negotiation-num   Number of SSL session negotiations.
State             Status of the SSL session statistics node:
                  ·     Normal.
                  ·     Illegal.

Related commands

https-flood defense ssl-defend

display anti-ddos statistics

Use display anti-ddos statistics to display DDoS protection statistics.

Syntax

In standalone mode:

display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

destination-ip: Displays statistics on a per destination IP basis.

destination-port: Displays statistics on a per destination port basis.

source-ip: Displays statistics on a per source IP basis.

source-port: Displays statistics on a per source port basis.

ipv4: Specifies the IPv4 address type.

ip-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays DDoS protection statistics for all destination IPv4 addresses.

ipv6: Specifies the IPv6 address type.

ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays DDoS protection statistics for all destination IPv6 addresses.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DDoS protection statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DDoS protection statistics on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command is available on anti-DDoS detection devices. Anti-DDoS cleaning devices support only the display anti-ddos statistics destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } form of the command.

Examples

# (In standalone mode.) Display DDoS protection statistics on a per source IPv4 basis.

<Sysname> display anti-ddos statistics source-ip ipv4

Slot 1:

Source IP Dest IP Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

3.3.3.3   4.4.4.4 -              100          20            100          30

3.3.3.3   4.4.4.4 -              100          20            100          30

 

Slot 2:

Source IP Dest IP Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

2.2.2.2   4.4.4.4 -              100          30            100          30

# (In standalone mode.) Display DDoS protection statistics on a per source IPv6 basis.

<Sysname> display anti-ddos statistics source-ip ipv6

Slot 1:

Source IPv6     Packet type    Input(bps)  Output(bps)   Input(pps)   Output(pps)

3::3            -              100          20            100          30

3::5            -              100          20            100          30

2::6            -              100          30            100          30

 

Slot 2:

Source IPv6     Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

8::3            ACK            100          20            100          30

# (In standalone mode.) Display DDoS protection statistics on a per source port basis.

<Sysname> display anti-ddos statistics source-port

Slot 1:

Source Port Dest addr   Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

78          3.3.3.3     -              100          20            100          30

54321       3.3.3.3     -              100          20            100          30

 

Slot 2:

Source Port Dest addr   Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

8080        3.3.3.3     -              100          30            100          30

# (In standalone mode.) Display DDoS protection statistics on a per destination IPv4 basis.

<Sysname> display anti-ddos statistics destination-ip ipv4

Slot 1:

Dest IP       Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

3.3.3.3       UDP            100          20            60           10

3.3.3.3       IP             100          20            60           10

3.3.3.2       ACK            100          20            60           10

3.3.3.2       IP             100          20            60           10

6.6.6.6       HTTPS          500          50            60           10

6.6.6.6       TCP-FRAG       500          50            60           10

6.6.6.6       User-defined 2 500          50            60           10

6.6.6.6       IP             1500         150           180          30

 

Slot 2:

Dest IP       Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

4.3.2.3       UDP            100          20            60           10

4.3.2.3       IP             100          20            60           10

5.3.2.3       ACK            100          20            60           10

5.3.2.3       IP             100          20            60           10

Table 11 Command output

Field         Description
Source IP     Source IPv4 address.
Source IPv6   Source IPv6 address.
Source Port   Source port number.
Dest IP       Destination IPv4 address.
Dest IPv6     Destination IPv6 address.
Dest addr     Destination address.
Dest port     Destination port number.
Packet type   Packet type:
              ·     ACK—ACK packets.
              ·     DNS-QUERY—DNS query packets.
              ·     DNS-REPLY—DNS reply packets.
              ·     ICMP—ICMP packets.
              ·     HTTP—HTTP packets.
              ·     SYN—SYN packets.
              ·     SYN-ACK—SYN-ACK packets.
              ·     UDP—UDP packets.
              ·     RST—RST packets.
              ·     SIP—SIP packets.
              ·     HTTPS—HTTPS packets.
              ·     TCP-FRAG—TCP fragments.
              ·     UDP-FRAG—UDP fragments.
              ·     ICMP-FRAG—ICMP fragments.
              ·     User-defined—Packets of a user-defined attack type. The attack type ID is displayed after User-defined.
              ·     IP—IP packets.
Input(bps)    Number of input bits per second.
Output(bps)   Number of output bits per second.
Input(pps)    Number of input packets per second.
Output(pps)   Number of output packets per second.

display anti-ddos statistics bandwidth-limit destination-ip

Use display anti-ddos statistics bandwidth-limit destination-ip to display rate limiting statistics for a destination IP address.

Syntax

In standalone mode:

display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ slot slot-number ]

In IRF mode:

display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4 ipv4-address: Specifies a destination IPv4 address.

ipv6 ipv6-address: Specifies a destination IPv6 address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In IRF mode.)

Usage guidelines

This command is available only on anti-DDoS cleaning devices. The statistics cover only the packet types for which a maximum rate is defined, and include the traffic thresholds and the statistics for the different protocol packets destined for the IP address.

The device generates a statistics node for a destination IP address when it receives the first packet destined for this address. If a node has no matching packets within its aging time, the node is deleted after it ages out.

If no statistics node exists for an IP address, no command output is displayed.

Examples

# (In standalone mode.) Display rate limiting statistics for a destination IPv4 address.

<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10

slot 1:

Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)

TCP      50000         50000          100           100            50

UDP      400000        393216         800           786            3

TCP-FRAG 50000         50000          100           100            50

IP       493216        493216         986           986            50

 

slot 2:

Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)

TCP      20000         20000          40            40             50

UDP      420000        393216         840           786            3

TCP-FRAG 50000         50000          100           100            50

IP       453216        453216         906           906            50

# (In IRF mode.) Display rate limiting statistics for a destination IPv4 address.

<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10

chassis 1 slot 1:

Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)

TCP      50000         50000          100           100            50

UDP      400000        393216         800           786            3

TCP-FRAG 50000         50000          100           100            50

IP       493216        493216         986           986            50

 

chassis 1 slot 2:

Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)

TCP      20000         20000          40            40             50

UDP      420000        393216         840           786            3

TCP-FRAG 52000         52000          104           104            50

IP       453216        453216         906           906            50

Table 12 Command output

Field             Description
Type              Packet types:
                  ·     TCP—TCP packets.
                  ·     UDP—UDP packets.
                  ·     ICMP—ICMP packets.
                  ·     TCP-FRAG—TCP fragments.
                  ·     UDP-FRAG—UDP fragments.
                  ·     ICMP-FRAG—ICMP fragments.
                  ·     Other—Other types of packets.
                  ·     IP—IP packets.
Input(bps)        Input rate for a specific type of packets or all IP packets, in bps.
Input(pps)        Input rate for a specific type of packets or all IP packets, in pps.
Output(bps)       Output rate for a specific type of packets or all IP packets, in bps.
Output(pps)       Output rate for a specific type of packets or all IP packets, in pps.
Threshold(Mbps)   Rate threshold for a specific type of packets or all IP packets, in Mbps.
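The per-slot tables above are written for an operator reading the console; when the same output is collected by a script, the details worth getting right are that Threshold is in Mbps while the rate columns are in bps, and that an Output(bps) value below Input(bps) is what shows the limit discarding traffic. The following is an added example (Python, not H3C code) that parses the bandwidth-limit table and the destination-ip table from this reference, sums a packet type across slots and lists the rows being limited; it assumes that header columns are separated by two or more spaces and that 1 Mbps equals 1,000,000 bps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the two-slot output of
#   display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10
# as printed in the reference above.
SAMPLE_BANDWIDTH_LIMIT = """\
slot 1:
Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)
TCP      50000         50000          100           100            50
UDP      400000        393216         800           786            3
TCP-FRAG 50000         50000          100           100            50
IP       493216        493216         986           986            50

slot 2:
Type     Input(bps)    Output(bps)    Input(pps)    Output(pps)    Threshold(Mbps)
TCP      20000         20000          40            40             50
UDP      420000        393216         840           786            3
TCP-FRAG 50000         50000          100           100            50
IP       453216        453216         906           906            50
"""
# Constructed sample input: rows from 'display anti-ddos statistics destination-ip
# ipv4', including the two-word packet type "User-defined 2".
SAMPLE_DEST_IP = """\
Slot 1:
Dest IP       Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)
3.3.3.3       UDP            100          20            60           10
6.6.6.6       User-defined 2 500          50            60           10
"""
# Section header: "Slot 1:" (standalone mode) or "chassis 1 slot 2:" (IRF mode).
SLOT_RE = re.compile(r"^(?:chassis\s+\d+\s+)?slot\s+\d+:$", re.IGNORECASE)
# Numeric columns are the ones whose header carries a unit, e.g. Input(bps).
UNIT_RE = re.compile(r"^\S+\(\w+\)$")


@dataclass
class Row:
    slot: str               # "slot 1" or "chassis 1 slot 2"
    key: Tuple[str, ...]    # text columns, e.g. ("6.6.6.6", "User-defined 2")
    values: Dict[str, int]  # numeric columns keyed by header, e.g. "Input(bps)"


def parse_slot_tables(text: str) -> List[Row]:
    """Parse the per-slot tables of a display command. Assumes, as in the
    reference output, that header columns are separated by two or more spaces
    and that only the last text column (Packet type) may contain a space."""
    rows: List[Row] = []
    slot, text_cols, num_cols = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SLOT_RE.match(line):
            slot, text_cols, num_cols = line[:-1].strip(), [], []  # header follows
            continue
        if slot is None:
            continue  # text before the first slot header
        if not num_cols:  # header line of this slot's table
            cols = re.split(r"\s{2,}", line)
            num_cols = [c for c in cols if UNIT_RE.match(c)]
            text_cols = [c for c in cols if not UNIT_RE.match(c)]
            continue
        tokens = line.split()
        if len(tokens) < len(text_cols) + len(num_cols):
            raise ValueError(f"short row in {slot}: {raw!r}")
        numbers = [int(t) for t in tokens[-len(num_cols):]]
        rest = tokens[:-len(num_cols)]
        # one token per leading text column; the remainder is the last column
        key = tuple(rest[:len(text_cols) - 1] + [" ".join(rest[len(text_cols) - 1:])])
        rows.append(Row(slot, key, dict(zip(num_cols, numbers))))
    return rows


def totals_by_key(rows: List[Row]) -> Dict[Tuple[str, ...], Dict[str, int]]:
    """Sum every numeric column over all slots (and chassis) for each key."""
    out: Dict[Tuple[str, ...], Dict[str, int]] = {}
    for r in rows:
        acc = out.setdefault(r.key, {})
        for col, v in r.values.items():
            acc[col] = acc.get(col, 0) + v
    return out


def limited_rows(rows: List[Row]) -> List[Tuple[str, Tuple[str, ...], float]]:
    """Rows where fewer bits leave than arrive, i.e. the cleaning device is
    discarding part of that traffic. Returns (slot, key, dropped fraction)."""
    result = []
    for r in rows:
        i, o = r.values.get("Input(bps)", 0), r.values.get("Output(bps)", 0)
        if i > o:
            result.append((r.slot, r.key, round(1 - o / i, 4)))
    return result


def over_threshold(rows: List[Row]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Rows whose input rate exceeds Threshold(Mbps). Assumes 1 Mbps is
    1,000,000 bps; the reference does not state the unit base."""
    return [(r.slot, r.key) for r in rows if "Threshold(Mbps)" in r.values
            and r.values["Input(bps)"] > r.values["Threshold(Mbps)"] * 1_000_000]
```

On the sample above only the UDP rows are being limited (about 1.7% and 6.4% of input bits dropped on slots 1 and 2), and no type exceeds its threshold, which is the kind of discrepancy a script can surface that the raw table does not.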

display anti-ddos statistics destination-ip

Use display anti-ddos statistics destination-ip to display DDoS protection statistics for IP addresses under attack.

Syntax

In standalone mode:

display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4 ip-address: Specifies an IPv4 address.

ipv6 ipv6-address: Specifies an IPv6 address.

destination-port: Specifies destination port-based statistics.

source-ip: Specifies source IP-based statistics.

source-port: Specifies source port-based statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv4 address 1.1.1.1.

<Sysname> display anti-ddos statistics destination-ip ipv4 1.1.1.1 source-ip

Slot 1:

Source IP      Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

3.3.3.3        -               100          20            60           10

3.3.3.3        -               100          20            60           10

 

Slot 2:

Source IP      Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

1.1.1.2        -              100          20            60           10

2.2.2.3        -              100          20            60           10

# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv6 address 1::1.

<Sysname> display anti-ddos statistics destination-ip ipv6 1::1 source-ip

Slot 1:

Source IPv6     Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

3::3            -              100          20            60           10

4::4            -              100          20            60           10

 

Slot 2:

Source IPv6     Packet type    Input(bps)   Output(bps)   Input(pps)   Output(pps)

3::6            -              100          20            60           10

4::5            -              100          20            60           10

Table 13 Command output

Field         Description
Source IP     Source IPv4 address.
Source IPv6   Source IPv6 address.
Source port   Source port number.
Dest port     Destination port number.
Packet type   Type of received packets.
Input(bps)    Number of input bits per second.
Output(bps)   Number of output bits per second.
Input(pps)    Number of input packets per second.
Output(pps)   Number of output packets per second.

display anti-ddos whitelist

Use display anti-ddos whitelist to display global static anti-DDoS whitelist entries.

Syntax

display anti-ddos whitelist [ ip source-ip-address | ipv6 source-ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip source-ip-address: Specifies a source IPv4 address.

ipv6 source-ipv6-address: Specifies a source IPv6 address.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an IPv4 or IPv6 address, the command displays all global static IPv4 and IPv6 anti-DDoS whitelist entries.

Examples

# Display all global static anti-DDoS whitelist entries.

<Sysname> display anti-ddos whitelist

Total:         4              Blacklist:   3             Whitelist:   1

-------------------------------------------------------------------

Source-ip/MaskLen             Black/White

3.3.3.4/32                    White

# Display the global static anti-DDoS whitelist entry for the specified IPv4 address.

<Sysname> display anti-ddos whitelist ip 3.3.3.4

Total:         4              Blacklist:   3             Whitelist:   1

-------------------------------------------------------------------

Source-ip/MaskLen             Black/White

3.3.3.4/32                    White

# Display the global static anti-DDoS whitelist entry for the specified IPv6 address.

<Sysname> display anti-ddos whitelist ipv6 8000::1

Total:         4              Blacklist:   3             Whitelist:   0

-------------------------------------------------------------------

Source-ip/MaskLen             Black/White

Table 14 Command output

Field               Description
Total               Total number of IPv4 or IPv6 blacklist and whitelist entries.
Blacklist           Number of IPv4 or IPv6 blacklist entries.
Whitelist           Number of IPv4 or IPv6 whitelist entries.
Source-ip/MaskLen   Source IP address and the mask length.
Black/White         Entry type, blacklist or whitelist.

Related commands

anti-ddos whitelist

display anti-ddos whitelist zone

Use display anti-ddos whitelist zone to display anti-DDoS zone-based static whitelist entries.

Syntax

display anti-ddos whitelist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.

default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.

ip source-ip-address: Specifies a source IPv4 address.

ipv6 source-ipv6-address: Specifies a source IPv6 address.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static whitelist entries.

If you specify an anti-DDoS zone but not an IPv4 or IPv6 address, the command displays all static whitelist entries for that zone.

Examples

# Display all anti-DDoS zone-based static whitelist entries.

<Sysname> display anti-ddos whitelist zone

Total:    4        Blacklist:    3               Whitelist:   1

-------------------------------------------------------------------

ZoneID             Source-ip/MaskLen             Black/White

2                  3.3.3.4/32                    White

# Display the static whitelist entry matching source IP address 3.3.3.4 in anti-DDoS zone 2.

<Sysname> display anti-ddos whitelist zone id 2 ip 3.3.3.4

Total:    4         Blacklist:    3                Whitelist:    1

-------------------------------------------------------------------

ZoneID              Source-ip/MaskLen              Black/White

2                   3.3.3.4/32                     White

# Display the static whitelist entry matching source IPv6 address 8000::1 in anti-DDoS zone 2.

<Sysname> display anti-ddos whitelist zone id 2 ipv6 8000::1

Total:    4        Blacklist:    3               Whitelist:    1

-------------------------------------------------------------------

ZoneID             Source-ip/MaskLen             Black/White

2                  8000::/64                     White

Table 15 Command output

Field               Description
Total               Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone.
Blacklist           Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone.
Whitelist           Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone.
ZoneID              Anti-DDoS zone ID.
Source-ip/MaskLen   Source IP address and mask length.
Black/White         Entry type, blacklist or whitelist.

Related commands

zone-whitelist

display anti-ddos zone configuration

Use display anti-ddos zone configuration to display anti-DDoS zone configuration.

Syntax

display anti-ddos zone configuration [ default | id zone-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

default: Specifies the default anti-DDoS zone.

id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

If you do not specify the default keyword or the id zone-id option, this command displays brief configuration information about all anti-DDoS zones.

Examples

# Display the configuration of anti-DDoS zone 2.

<Sysname> display anti-ddos zone configuration id 2

Anti-DDoS zone configuration information

Zone ID                            : 2

Zone name                          : abc

 

  IP range configuration:

    Start IP           End IP

    1.1.1.1            1.1.1.100

    2.2.2.2            2.2.2.10

 

  Filter configuration:

    Name             Type           Preference

    IPFliter         IP             10

    UdpFliter        UDP            20

 

  Flood detection configuration:

    Flood type          Thres(pps/Mbps)

    DNS query           1000 pps

    DNS reply           1000 pps

    HTTP                1000 bps

    SYN                 1000 pps

    ACK                 1000 Mbps

    SYN-ACK             1000 pps

    RST                 1000 pps

    UDP                 1000 Mbps

    ICMP                1000 Mbps

    SIP                 1000 Mbps

    TCP fragment        1000 Mbps

    UDP fragment        1000 Mbps

    ICMP fragment       1000 Mbps

    User-defined 2      1000 pps

 

  ACK session check configuration: Enabled

 

  Source verification configuration:

    Type               Status

    TCP                Enabled

    HTTP               Enabled

    DNS query          Enabled

    DNS reply          Enabled

    SIP                Enabled

    HTTPS              Enabled

 

  HTTPS flood SSL defense configuration: Enabled

 

  Bandwidth configuration:

    bandwidth-detection destination-ip threshold: 20

    bandwidth-limit destination-ip max-rate: 10

 

  Fingerprint configuration:

    Type         GroupID

    IPv4         10

 

  Threshold Learning:     Enabled

 

  Black/White list:

    Type          IP             MaskLength

    Black         2.2.2.0        24

    White         192.168.13.0   24

 

  HTTP slow attack configuration: Enabled

  Alert number     Content length     Payload length     Packet number     Block source

  100              10000              50                 10                Enabled

Table 16 Command output

Field                                          Description
Anti-DDoS zone configuration information       Configuration of the anti-DDoS zone.
Zone name                                      Name of the anti-DDoS zone.
Zone ID                                        ID of the anti-DDoS zone.
IP range configuration                         IP address ranges in the anti-DDoS zone.
Start IP                                       Start IP address.
End IP                                         End IP address.
Filter configuration                           Configuration of filters.
Name                                           Filter name.
Type                                           Filter type.
Preference                                     Filter preference.
Flood detection configuration                  Configuration of flood attack protection.
Flood type                                     Flood attack type:
                                               ·     ACK—ACK flood attack type.
                                               ·     DNS query—DNS query flood attack type.
                                               ·     DNS reply—DNS reply flood attack type.
                                               ·     ICMP—ICMP flood attack type.
                                               ·     SYN—SYN flood attack type.
                                               ·     SYN-ACK—SYN-ACK flood attack type.
                                               ·     UDP—UDP flood attack type.
                                               ·     RST—RST flood attack type.
                                               ·     HTTP—HTTP flood attack type.
                                               ·     SIP—SIP flood attack type.
                                               ·     HTTPS—HTTPS flood attack type.
                                               ·     TCP fragment—TCP fragment flood attack type.
                                               ·     UDP fragment—UDP fragment flood attack type.
                                               ·     ICMP fragment—ICMP fragment flood attack type.
                                               ·     User-defined—User-defined flood attack type. The attack type ID is displayed after User-defined.
Thres(pps/Mbps)                                Flood attack detection threshold, in pps or Mbps.
ACK session check configuration                Enabling status of the session check for ACK flood attack protection.
Source verification configuration              Configuration of source verification.
Type                                           Source verification type:
                                               ·     DNS query—DNS query source verification.
                                               ·     DNS reply—DNS reply source verification.
                                               ·     TCP—TCP SYN source verification.
                                               ·     HTTP—HTTP source verification.
                                               ·     SIP—SIP source verification.
                                               ·     HTTPS—HTTPS source verification.
Status                                         Status of source verification:
                                               ·     Enabled.
                                               ·     Disabled.
HTTPS flood SSL defense configuration          Enabling status of the SSL renegotiation protection for HTTPS flood attack protection.
Bandwidth configuration                        Bandwidth threshold settings.
bandwidth-detection destination-ip threshold   IP traffic attack detection threshold.
bandwidth-limit destination-ip max-rate        Maximum bandwidth for IP traffic.
Fingerprint configuration                      Fingerprint protection configuration.
Type                                           Type of the fingerprint policy group:
                                               ·     IPv4.
                                               ·     IPv6.
GroupID                                        ID of the fingerprint policy group.
Black/White list                               Blacklist or whitelist.
Type                                           Entry type:
                                               ·     Black—Blacklist.
                                               ·     White—Whitelist.
IP                                             IP address.
MaskLength                                     Mask length.
HTTP slow attack configuration                 Enabling status of HTTP slow attack protection.
Alert number                                   HTTP concurrent connection threshold that triggers HTTP slow attack protection.
Content length                                 Threshold for the Content-Length field in HTTP packets.
Payload length                                 Payload size threshold.
Packet number                                  Threshold of abnormal packets.
Block source                                   Enabling status of blocking packet source IP addresses.

# Display brief configuration information about all anti-DDoS zones.

<Sysname> display anti-ddos zone configuration

Anti-ddos Zone Brief information

Zone ID                    Zone Name

2                          abc

100                        p1

10                         p12

Table 17 Command output

Field       Description
Zone ID     ID of the anti-DDoS zone.
Zone Name   Name of the anti-DDoS zone.

dns-query-flood defense source-verify

Use dns-query-flood defense source-verify to enable DNS query source verification.

Use undo dns-query-flood defense source-verify to disable DNS query source verification.

Syntax

dns-query-flood defense source-verify

undo dns-query-flood defense source-verify

Default

DNS query source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects internal DNS servers against DNS query flood attacks initiated by external illegitimate clients. After receiving a DNS reply destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS queries from this IP address to pass through.

·     If the source IP address fails verification, the device drops the DNS query and subsequent queries from this IP address.

Examples

# Enable DNS query source verification for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] dns-query-flood defense source-verify

Related commands

display anti-ddos zone configuration

dns-query-flood detection threshold

Use dns-query-flood detection threshold to enable DNS query flood attack detection and set a detection threshold.

Use undo dns-query-flood detection threshold to disable DNS query flood attack detection.

Syntax

dns-query-flood detection threshold { bit-based value | packet-based value }

undo dns-query-flood detection threshold

Default

DNS query flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable DNS query flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of DNS queries per destination IP address in this zone. When the sending rate of DNS queries destined for an IP address keeps exceeding the threshold, a DNS query flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of DNS queries destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable DNS query flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] dns-query-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

dns-reply-flood defense source-verify

Use dns-reply-flood defense source-verify to enable DNS reply source verification.

Use undo dns-reply-flood defense source-verify to disable DNS reply source verification.

Syntax

dns-reply-flood defense source-verify

undo dns-reply-flood defense source-verify

Default

DNS reply source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects DNS clients against DNS reply flood attacks. After receiving a DNS reply destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS replies from this IP address to pass through.

·     If the source IP address fails verification, the device drops the DNS reply.

Examples

# Enable DNS reply source verification for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] dns-reply-flood defense source-verify

Related commands

display anti-ddos zone configuration

dns-reply-flood detection threshold

Use dns-reply-flood detection threshold to enable DNS reply flood attack detection and set a detection threshold.

Use undo dns-reply-flood detection threshold to disable DNS reply flood attack detection.

Syntax

dns-reply-flood detection threshold { bit-based value | packet-based value }

undo dns-reply-flood detection threshold

Default

DNS reply flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable DNS reply flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of DNS replies per destination IP address in this zone. When the sending rate of DNS replies destined for an IP address keeps exceeding the threshold, a DNS reply flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of DNS replies destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable DNS reply flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] dns-reply-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

domain

Use domain to create a domain name field match rule for DNS packets.

Use undo domain to delete a domain name field match rule for DNS packets.

Syntax

domain { equal | include } domain-string

undo domain [ { equal | include } domain-string ]

Default

No domain name field match rules exist.

Views

DNS filter view

Predefined user roles

network-admin

Parameters

equal: Matches packets whose domain name is identical to the specified domain name keyword.

include: Matches packets whose domain name contains the specified domain name keyword.

domain-string: Specifies the domain name keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the domain name keyword of DNS packets.

A DNS filter supports a maximum of 32 rules for the domain name field. A packet matches the domain name field if its domain name matches one of these rules.

If you do not specify any parameters, the undo domain command deletes all domain name field match rules in the filter.

Examples

# Create a rule for DNS filter test to match packets that contain www.abc.com in the domain name field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type dns

[Sysname-anti-ddos-filter-dns-test] domain include www.abc.com

Related commands

anti-ddos filter

display anti-ddos filter statistics

dscp

Use dscp to create a DSCP match rule.

Use undo dscp to delete a DSCP match rule.

Syntax

dscp dscp

undo dscp [ dscp ]

Default

No DSCP match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

dscp: Specifies a DSCP value in the range of 0 to 63.

Usage guidelines

The device uses this rule to match the DSCP value in packets.

A filter supports a maximum of 10 rules for the DSCP field. A packet matches the DSCP field if its DSCP value matches one of these rules.

If you do not specify a DSCP value, the undo dscp command deletes all DSCP match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets with DSCP value 20.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] dscp 20

Related commands

anti-ddos filter

display anti-ddos filter statistics

fingerprint (filter view)

Use fingerprint to create a fingerprint match rule.

Use undo fingerprint to delete a fingerprint match rule.

Syntax

fingerprint id { offset offset-value content content [ depth depth-value ] } &<1-4>

undo fingerprint [ id ]

Default

No fingerprint match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

id: Specifies a fingerprint ID in the range of 0 to 31.

offset offset-value: Specifies an offset value in bytes after which the match operation starts. The value range is 0 to 1500.

content content: Specifies the fingerprint content. The fingerprint content is 4 to 16 bytes long, and each byte includes two hexadecimal characters.

depth depth-value: Specifies the number of bytes to match. This depth value defines a range for the device to search for the specified fingerprint content. The value range is 1 to 1500.

&<1-4>: Specifies a list of up to four fingerprint segments. Each fingerprint segment contains the fingerprint offset, content, and depth.

Usage guidelines

The device uses this rule to match the fingerprint content in the specified byte range of packets.

A filter supports a maximum of 10 fingerprint match rules. Each rule supports a maximum of four fingerprint segments. The device supports a maximum of 512 fingerprint segments.

For each fingerprint segment, the device searches for the specified fingerprint content starting from the offset byte in the packet header.

·     If the depth-value argument is specified, the search range is determined by the depth value.

·     If the depth-value argument is not specified, the search range is the same as the length of the specified fingerprint content.

If you configure multiple fingerprint segments for a fingerprint match rule, a packet matches this rule only if the packet matches all these fingerprint segments.

If you do not specify a fingerprint ID, the undo fingerprint command deletes all fingerprint match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets that carry fingerprint aabbccdd immediately after the 10th byte and fingerprint 22334455 within the 10 bytes after the 20th byte.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] fingerprint 20 offset 10 content aabbccdd offset 20 content 22334455 depth 10

Related commands

anti-ddos filter

display anti-ddos filter statistics

fingerprint (fingerprint policy group view)

Use fingerprint to create a fingerprint policy.

Use undo fingerprint to delete a fingerprint policy.

Syntax

fingerprint policy-id protocol { icmp | other | tcp | udp } { offset offset-value length length-value [ content content ] } &<1-3> threshold threshold-value action { bandwidth-limit | drop | watch }

undo fingerprint id

Default

No fingerprint policies exist.

Views

Fingerprint policy group view

Predefined user roles

network-admin

Parameters

policy-id: Specifies the ID of a fingerprint policy, in the range of 0 to 31.

protocol { icmp | other | tcp | udp }: Specifies a protocol type, which can be ICMP, TCP, UDP, or Other.

offset offset-value: Specifies an offset value in bytes after which the match operation starts. The value range is 0 to 254.

length length-value: Specifies the fingerprint length in bytes. The value range is 1 to 4.

content content: Specifies the fingerprint content. The fingerprint content is 1 to 4 bytes long, and each byte includes two hexadecimal characters.

&<1-3>: Specifies a list of up to three fingerprint segments. Each fingerprint segment contains the fingerprint offset, length, and content.

threshold threshold-value: Specifies a threshold in pps. The value range is 1 to 10000000.

action: Specifies an action on matching packets that exceed the threshold.

bandwidth-limit: Rate limits matching packets and drops packets that exceed the threshold.

drop: Drops matching packets that exceed the threshold.

watch: Takes no action on matching packets that exceed the threshold.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

A fingerprint policy contains a packet match criterion, a threshold, and a protection action to take when the receiving rate of the matching packets exceeds the threshold.

If a fingerprint policy contains multiple fingerprint segments, a packet matches the policy only when the packet matches all segments.

The device always sends logs upon threshold violations no matter which protection action is specified.

A fingerprint does not support matching IP options or IPv6 extension headers.

A fingerprint policy group supports a maximum of 32 fingerprint policies. You can configure a maximum of eight fingerprint policies for each type (ICMP, TCP, UDP, and Other).

The content of each segment in a fingerprint policy must be unique.

Examples

# Add fingerprint policy 5 to IPv4 fingerprint policy group 10, configure the fingerprint signature, set the threshold to 2000 pps, and specify watch as the protection action.

<Sysname> system-view

[Sysname] fingerprint-group ip 10

[Sysname-fingerprint-group-ip-10] fingerprint 5 protocol tcp offset 40 length 4 content 01ab3f0c threshold 2000 action watch

Related commands

bandwidth-limit destination-ip max-rate
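The following Python model, added here and not part of the H3C documentation, shows how the offset/content/depth semantics of the filter-view fingerprint command and the offset/length/content segments of the fingerprint policy command are evaluated against a packet. It parses the filter-view example rule from this page and runs it over constructed packets; the packet layouts and the make_packet helper are constructed for illustration.

```python
# Added example (not H3C code): a model of how a multi-segment fingerprint
# rule is evaluated, following the offset/content/depth semantics described
# in the filter-view and fingerprint-policy-group entries above.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    offset: int                  # byte offset at which the search starts
    content: bytes               # fingerprint bytes to look for
    depth: Optional[int] = None  # search window in bytes; None = exact position


def segment_matches(packet: bytes, seg: Segment) -> bool:
    """True if seg.content lies entirely inside the window that starts at
    seg.offset. Without a depth the window is as long as the content, so the
    content must sit exactly at the offset; a fingerprint-policy segment
    (offset/length/content, no depth) is evaluated the same way."""
    depth = seg.depth if seg.depth is not None else len(seg.content)
    window = packet[seg.offset:seg.offset + depth]
    return seg.content in window


def rule_matches(packet: bytes, segments: List[Segment]) -> bool:
    """A rule with several segments matches only if every segment matches."""
    return all(segment_matches(packet, s) for s in segments)


def parse_filter_rule(cli: str) -> Tuple[int, List[Segment]]:
    """Parse 'fingerprint <id> { offset N content HEX [ depth N ] } &<1-4>'
    (the filter-view syntax) and enforce the value ranges given on the page."""
    tokens = cli.split()
    if len(tokens) < 2 or tokens[0] != "fingerprint":
        raise ValueError("expected a filter-view fingerprint rule")
    rule_id = int(tokens[1])
    if not 0 <= rule_id <= 31:
        raise ValueError("fingerprint ID must be in the range 0 to 31")
    segments: List[Segment] = []
    i = 2
    while i < len(tokens):
        if i + 3 >= len(tokens) or tokens[i] != "offset" or tokens[i + 2] != "content":
            raise ValueError(f"expected 'offset N content HEX' at token {i}")
        offset, content = int(tokens[i + 1]), bytes.fromhex(tokens[i + 3])
        i += 4
        depth = None
        if i < len(tokens) and tokens[i] == "depth":
            depth = int(tokens[i + 1])
            i += 2
        if not 0 <= offset <= 1500:
            raise ValueError("offset must be in the range 0 to 1500")
        if not 4 <= len(content) <= 16:
            raise ValueError("content must be 4 to 16 bytes")
        if depth is not None and not 1 <= depth <= 1500:
            raise ValueError("depth must be in the range 1 to 1500")
        segments.append(Segment(offset, content, depth))
    if not 1 <= len(segments) <= 4:
        raise ValueError("a rule carries 1 to 4 segments")
    return rule_id, segments


def make_packet(length: int, *placements: Tuple[int, str]) -> bytes:
    """Constructed test packet: zero-filled, with hex strings written in place."""
    buf = bytearray(length)
    for off, hexstr in placements:
        data = bytes.fromhex(hexstr)
        buf[off:off + len(data)] = data
    return bytes(buf)


# The rule from the Examples section of the filter-view fingerprint entry.
RULE_FROM_PAGE = ("fingerprint 20 offset 10 content aabbccdd "
                  "offset 20 content 22334455 depth 10")


def demo() -> dict:
    """Evaluate the page's rule against four constructed packets."""
    _, segs = parse_filter_rule(RULE_FROM_PAGE)
    return {
        # aabbccdd exactly at byte 10; 22334455 at bytes 24-27, inside [20, 30)
        "both_segments_hit": rule_matches(
            make_packet(64, (10, "aabbccdd"), (24, "22334455")), segs),
        # 22334455 at bytes 27-30 straddles the end of the depth window
        "second_straddles_window": rule_matches(
            make_packet(64, (10, "aabbccdd"), (27, "22334455")), segs),
        # no depth on the first segment, so one byte off the offset is a miss
        "first_off_by_one": rule_matches(
            make_packet(64, (11, "aabbccdd"), (24, "22334455")), segs),
        # a packet shorter than the search window simply does not match
        "truncated_packet": rule_matches(make_packet(12, (10, "aabb")), segs),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```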

fingerprint-group

Use fingerprint-group to create a fingerprint policy group and enter its view, or enter the view of an existing fingerprint policy group.

Use undo fingerprint-group to delete a fingerprint policy group.

Syntax

fingerprint-group { ip | ipv6 } group-id

undo fingerprint-group { ip | ipv6 } group-id

Default

No fingerprint policy groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip: Specifies the IPv4 fingerprint policy group.

ipv6: Specifies the IPv6 fingerprint policy group.

group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

The device supports a maximum of 64 fingerprint policy groups, including 32 IPv4 fingerprint policy groups and 32 IPv6 fingerprint policy groups.

Examples

# Create IPv4 fingerprint policy group 10 and enter its view.

<Sysname> system-view

[Sysname] fingerprint-group ip 10

[Sysname-fingerprint-group-ip-10]

Related commands

fingerprint

fingerprint-group { ip | ipv6 }

display anti-ddos zone configuration

fingerprint-group apply

Use fingerprint-group apply to apply a fingerprint policy group to an anti-DDoS zone.

Use undo fingerprint-group apply to remove the application of a fingerprint policy group.

Syntax

fingerprint-group apply { ip | ipv6 } group-id

undo fingerprint-group apply { ip | ipv6 }

Default

No fingerprint policy group is applied to an anti-DDoS zone.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

ip: Specifies the IPv4 fingerprint policy group.

ipv6: Specifies the IPv6 fingerprint policy group.

group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

You can apply one IPv4 fingerprint policy group and one IPv6 fingerprint policy group to an anti-DDoS zone.

Examples

# Apply fingerprint policy group 10 to anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-ddos-zone-3] fingerprint-group apply ip 10

Related commands

fingerprint-group { ip | ipv6 }

fragment

Use fragment to create a fragment match rule.

Use undo fragment to delete a fragment match rule.

Syntax

fragment { donot | first | last | middle | non }

undo fragment [ donot | first | last | middle | non ]

Default

No fragment match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

donot: Specifies packets where the DF bit is 1 in the IP header. Fragmentation of those packets is not allowed.

first: Specifies first fragments where the offset value is 0 and MF bit is 1 in the IP header.

last: Specifies last fragments where the offset value is not 0 and the MF bit is 0 in the IP header.

middle: Specifies middle fragments where the offset value is not 0 and MF bit is 1 in the IP header.

non: Specifies non-fragments where the offset value is 0 and MF bit is 0 in the IP header.

Usage guidelines

The device uses this rule to match packets or fragments.

A filter supports a maximum of five fragment match rules.

If you do not specify any keyword, the undo fragment command deletes all fragment match rules in the filter.

Examples

# Create a rule for HTTP filter test to match non-fragments.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] fragment non

Related commands

anti-ddos filter

display anti-ddos filter statistics
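The following Python classifier, added here and not part of the H3C documentation, maps the DF bit, MF bit and fragment offset of an IPv4 header onto the five keywords defined in the Parameters section of the fragment command. The build_ipv4_header helper and its addresses are constructed test data.

```python
# Added example (not H3C code): classify an IPv4 packet into the keywords of
# the fragment match rule, using the DF/MF/offset definitions from the
# Parameters section above.
import struct
from typing import Set, Tuple

DF_BIT = 0x4000       # "don't fragment" flag in the flags/fragment-offset field
MF_BIT = 0x2000       # "more fragments" flag
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def flags_and_offset(header: bytes) -> Tuple[bool, bool, int]:
    """Return (DF, MF, fragment offset) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("need at least 20 bytes of an IPv4 header")
    (field,) = struct.unpack_from("!H", header, 6)
    return bool(field & DF_BIT), bool(field & MF_BIT), field & OFFSET_MASK


def fragment_keywords(header: bytes) -> Set[str]:
    """Keywords of the 'fragment' rule that this packet satisfies.

    first/last/middle/non are mutually exclusive: they partition the four
    MF/offset combinations. donot depends only on DF, so by the page's
    definitions an unfragmented packet with DF set satisfies both donot
    and non.
    """
    df, mf, offset = flags_and_offset(header)
    keywords = set()
    if df:
        keywords.add("donot")
    if offset == 0 and mf:
        keywords.add("first")
    elif offset != 0 and not mf:
        keywords.add("last")
    elif offset != 0 and mf:
        keywords.add("middle")
    else:
        keywords.add("non")
    return keywords


def build_ipv4_header(df: bool, mf: bool, frag_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header for testing (checksum left as zero,
    protocol UDP, RFC 5737 documentation addresses)."""
    flags_frag = ((DF_BIT if df else 0) | (MF_BIT if mf else 0)
                  | (frag_offset & OFFSET_MASK))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 1500, 0x1234, flags_frag, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    for df, mf, off in [(True, False, 0), (False, True, 0),
                        (False, True, 185), (False, False, 185),
                        (False, False, 0)]:
        print(f"DF={int(df)} MF={int(mf)} offset={off}: "
              f"{sorted(fragment_keywords(build_ipv4_header(df, mf, off)))}")
```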

host

Use host to create a host field match rule for HTTP packets.

Use undo host to delete a host field match rule for HTTP packets.

Syntax

host include host-name

undo host [ include host-name ]

Default

No host field match rules exist for HTTP packets.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

include: Matches packets whose host field contains the specified host keyword.

host-name: Specifies the host keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the host field in HTTP packets.

An HTTP filter supports a maximum of 32 rules for the host field. A packet matches the host field if its host field matches one of these rules.

If you do not specify any parameters, the undo host command deletes all host field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets that contain www.abc.com in the host field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] host include www.abc.com

Related commands

anti-ddos filter

display anti-ddos filter statistics

http-flood defense source-verify

Use http-flood defense source-verify to enable HTTP source verification.

Use undo http-flood defense source-verify to disable HTTP source verification.

Syntax

http-flood defense source-verify

undo http-flood defense source-verify

Default

HTTP source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects the internal HTTP server against HTTP flood attacks initiated by external illegitimate clients. After receiving an HTTP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.

The device verifies the source IP address of the HTTP GET request destined for an IP address in this zone.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent HTTP GET requests from this IP address to pass through.

·     If the source IP address fails verification, the device drops the HTTP GET request.

Examples

# Enable HTTP source verification for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] http-flood defense source-verify

Related commands

display anti-ddos zone configuration

http-flood detection threshold

Use http-flood detection threshold to enable HTTP flood attack detection and set a detection threshold.

Use undo http-flood detection threshold to disable HTTP flood attack detection.

Syntax

http-flood detection threshold { bit-based value | packet-based value }

undo http-flood detection threshold

Default

HTTP flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable HTTP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTP packets per destination IP address in this zone. When the sending rate of HTTP packets destined for an IP address keeps exceeding the threshold, an HTTP flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of HTTP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable HTTP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] http-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

http-slow-attack defense threshold

Use http-slow-attack defense threshold to enable HTTP slow attack detection and set thresholds.

Use undo http-slow-attack defense to disable HTTP slow attack detection.

Syntax

http-slow-attack defense threshold alert-number alert-number [ content-length content-length | packet-number packet-number | payload-length payload-length ] * [ action block-source ]

undo http-slow-attack defense

Default

HTTP slow attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

alert-number alert-number: Specifies the HTTP concurrent connection threshold. A threshold violation triggers HTTP slow attack protection. The value range is 1 to 1200000.

content-length content-length: Specifies a threshold for the Content-Length field in an HTTP packet. The value range is 100 to 100000000, and the default is 10000.

packet-number packet-number: Specifies a threshold for HTTP slow attack packets. The value range is 1 to 1000, and the default is 10.

payload-length payload-length: Specifies a threshold for the payload size in an HTTP packet. The value range is 1 to 1000, and the default is 50.

action block-source: Specifies a source block action against HTTP slow attacks. This action enables the device to drop subsequent packets from IP addresses that launch HTTP slow attacks.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

With HTTP slow attack detection enabled, the device counts the number of concurrent HTTP connections on a per-destination IP basis. When the number of concurrent connections to an IP address exceeds the threshold, the device inspects the following types of HTTP packets and counts the number of attack packets:

·     Slow headers—If the packet header does not start with \r\n\r\n, the device marks those packets as attack packets.

·     Slow POST—If the value in the Content-Length field is greater than the content-length threshold and the payload size is smaller than the payload-length threshold, the device marks those packets as attack packets.

When the number of HTTP attack packets destined for an IP address exceeds the threshold, the device blocks subsequent packets to this IP address and sends an attack alarm log. If you specify the block-source keyword, the device adds the packet source IP address to the dynamic blacklist.

Examples

# In anti-DDoS zone 3, enable HTTP slow attack detection, set thresholds, and specify the block-source action.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] http-slow-attack defense threshold alert-number 3000 content-length 10000 payload-length 20 packet-number 10 action block-source

Related commands

anti-ddos zone id

https-flood defense source-verify

Use https-flood defense source-verify to enable HTTPS source verification.

Use undo https-flood defense source-verify to disable HTTPS source verification.

Syntax

https-flood defense source-verify

undo https-flood defense source-verify

Default

HTTPS source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects the internal HTTPS server against HTTPS flood attacks that are initiated by external clients. After receiving an HTTPS packet destined for the zone, the device adds the packet destination IP address as a protected IP address, and verifies its source IP address.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent HTTPS packets from this IP address to pass through.

·     If the source IP address fails verification, the device drops the HTTPS packet.

Examples

# Enable HTTPS source verification for anti-DDoS zone 5.

<Sysname> system-view

[Sysname] anti-ddos zone id 5

[Sysname-anti-ddos-id-5] https-flood defense source-verify

Related commands

https-flood detection threshold

https-flood defense ssl-defend

Use https-flood defense ssl-defend to enable SSL renegotiation protection against HTTPS flood attacks.

Use undo https-flood defense ssl-defend to disable SSL renegotiation protection against HTTPS flood attacks.

Syntax

https-flood defense ssl-defend [ negotiation-num negotiation-num [ interval interval ] | illegal-session-num illegal-session-num [ interval interval2 ] ] *

undo https-flood defense ssl-defend

Default

SSL renegotiation protection against HTTPS flood attacks is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

negotiation-num negotiation-num: Specifies the maximum number of negotiations for an SSL session. The value range is 1 to 10, and the default is 3.

interval interval: Specifies the SSL renegotiation check interval in seconds. The value range is 1 to 240, and the default is 30.

illegal-session-num illegal-session-num: Specifies the threshold for abnormal SSL sessions. The value range is 1 to 10, and the default is 3.

interval interval2: Specifies the abnormal SSL session check interval in seconds. The value range is 1 to 240, and the default is 15.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

With the SSL renegotiation protection enabled, the device starts the following operations when an SSL session fails the first negotiation:

·     Counting the number of renegotiations for the session.

·     Counting down the renegotiation check interval and the abnormal SSL session check interval.

If the number of renegotiations exceeds the threshold (negotiation-num minus 1) within the renegotiation check interval, the device identifies this session as abnormal.

If the number of abnormal sessions originated from an IP address exceeds the threshold (illegal-session-num) within the abnormal session check interval, the device adds this IP address to the blacklist. The device drops subsequent session establishment requests from the blacklisted IP address.

For this command to take effect, first execute the https-flood defense source-verify command to enable HTTPS source verification.

Examples

# In anti-DDoS zone 5, enable HTTPS source verification, and configure SSL renegotiation protection.

<Sysname> system-view

[Sysname] anti-ddos zone id 5

[Sysname-anti-ddos-id-5] https-flood defense source-verify

[Sysname-anti-ddos-id-5] https-flood defense ssl-defend negotiation-num 20 interval 3 illegal-session-num 5 interval 5

Related commands

https-flood detection threshold

https-flood defense source-verify

https-flood detection threshold

Use https-flood detection threshold to enable HTTPS flood attack detection and set a detection threshold.

Use undo https-flood detection threshold to disable HTTPS flood attack detection.

Syntax

https-flood detection threshold { bit-based | packet-based } value

undo https-flood detection threshold

Default

HTTPS flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable HTTPS flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTPS packets per destination IP address in this zone. When the sending rate of HTTPS packets destined for an IP address keeps exceeding the threshold, an HTTPS flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of HTTPS packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable HTTPS flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] https-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

icmp-flood detection threshold

Use icmp-flood detection threshold to enable ICMP flood attack detection and set a detection threshold.

Use undo icmp-flood detection threshold to disable ICMP flood attack detection.

Syntax

icmp-flood detection threshold { bit-based value | packet-based value }

undo icmp-flood detection threshold

Default

ICMP flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable ICMP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP packets per destination IP address in this zone. When the sending rate of ICMP packets destined for an IP address keeps exceeding the threshold, an ICMP flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of ICMP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable ICMP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] icmp-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

icmp-frag-flood detection threshold

Use icmp-frag-flood detection threshold to enable ICMP fragment flood attack detection and set a detection threshold.

Use undo icmp-frag-flood detection threshold to disable ICMP fragment flood attack detection.

Syntax

icmp-frag-flood detection threshold { bit-based | packet-based } value

undo icmp-frag-flood detection threshold

Default

ICMP fragment flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable ICMP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP fragments per destination IP address in this zone. When the sending rate of ICMP fragments destined for an IP address keeps exceeding the threshold, an ICMP fragment flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of ICMP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable ICMP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] icmp-frag-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

ip-range

Use ip-range to add an IPv4 address range to an anti-DDoS zone.

Use undo ip-range to remove an IPv4 address range from an anti-DDoS zone.

Syntax

ip-range start-ip end-ip

undo ip-range start-ip end-ip

Default

No IPv4 address range is configured in an anti-DDoS zone.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

start-ip: Specifies a start IPv4 address.

end-ip: Specifies an end IPv4 address.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

An anti-DDoS zone supports a maximum of 128 IPv4 address ranges. The highest 16 bits of all IPv4 addresses in a zone must be the same.

IPv4 address ranges in an anti-DDoS zone cannot overlap. Across all zones, the device supports a maximum of 512 IPv4 and IPv6 address ranges whose highest 16 bits differ from one another.

This command is not available in the default anti-DDoS zone.

Examples

# Add IPv4 address range 192.168.30.10 to 192.168.30.120 to anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] ip-range 192.168.30.10 192.168.30.120

Related commands

display anti-ddos zone configuration

ipv6-range

ipv6-range

Use ipv6-range to add an IPv6 address range to an anti-DDoS zone.

Use undo ipv6-range to remove an IPv6 address range from an anti-DDoS zone.

Syntax

ipv6-range start-ip end-ip

undo ipv6-range start-ip end-ip

Default

No IPv6 address range is configured in an anti-DDoS zone.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

start-ip: Specifies a start IPv6 address.

end-ip: Specifies an end IPv6 address.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

An anti-DDoS zone supports a maximum of 128 IPv6 address ranges. The highest 16 bits of all IPv6 addresses in a zone must be the same.

IPv6 address ranges in an anti-DDoS zone cannot overlap. Across all zones, the device supports a maximum of 512 IPv4 and IPv6 address ranges whose highest 16 bits differ from one another.

This command is not available in the default anti-DDoS zone.
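The constraints above for ip-range and ipv6-range (at most 128 ranges per family per zone, the same highest 16 bits for every address of a family within a zone, no overlapping ranges within a zone, and at most 512 distinct highest-16-bit prefixes device-wide across IPv4 and IPv6) are easy to get wrong when a zone is built by hand. The following Python is an added example, not H3C code: it validates candidate ranges against those rules before they are typed into a zone and answers which zone an address would fall into. The overlap check is applied within a zone only, and the 128-range limit is applied per address family; both are readings of the page, not statements from it. The sample ranges are the ones used in this section's examples.

```python
import ipaddress

MAX_RANGES_PER_ZONE = 128   # ip-range / ipv6-range limit per zone (from the page)
MAX_DEVICE_PREFIXES = 512   # distinct highest-16-bit prefixes device-wide (from the page)


def top16(addr):
    """(version, highest 16 bits): first two octets for IPv4, first hextet for IPv6."""
    bits = 32 if addr.version == 4 else 128
    return (addr.version, int(addr) >> (bits - 16))


class ZoneRanges:
    """Address ranges of non-default anti-DDoS zones, keyed by zone ID."""

    def __init__(self):
        self.zones = {}  # zone_id -> list of (start, end) ip_address pairs

    def device_prefixes(self):
        return {top16(s) for ranges in self.zones.values() for s, _ in ranges}

    def add_range(self, zone_id, start, end):
        """Validate and add one range; returns the zone's range count afterwards."""
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s.version != e.version or int(s) > int(e):
            raise ValueError(f"bad range {start}-{end}")
        if top16(s) != top16(e):
            raise ValueError(f"{start}-{end}: start and end differ in their highest 16 bits")
        ranges = self.zones.setdefault(zone_id, [])
        # Limits and the highest-16-bit rule apply per address family (IPv4 or IPv6).
        family = [r for r in ranges if r[0].version == s.version]
        if len(family) >= MAX_RANGES_PER_ZONE:
            raise ValueError(f"zone {zone_id}: at most {MAX_RANGES_PER_ZONE} IPv{s.version} ranges")
        if family and top16(family[0][0]) != top16(s):
            raise ValueError(f"zone {zone_id}: highest 16 bits must match the existing ranges")
        for os_, oe in family:
            if int(s) <= int(oe) and int(os_) <= int(e):
                raise ValueError(f"{start}-{end} overlaps {os_}-{oe} in zone {zone_id}")
        prefixes = self.device_prefixes()
        if top16(s) not in prefixes and len(prefixes) >= MAX_DEVICE_PREFIXES:
            raise ValueError(f"device limit of {MAX_DEVICE_PREFIXES} distinct prefixes reached")
        ranges.append((s, e))
        return len(ranges)

    def zone_of(self, addr):
        """Zone ID whose ranges contain addr, or None (i.e. the default zone, if enabled)."""
        a = ipaddress.ip_address(addr)
        for zone_id, ranges in self.zones.items():
            if any(s.version == a.version and int(s) <= int(a) <= int(e) for s, e in ranges):
                return zone_id
        return None


if __name__ == "__main__":
    # Constructed sample: the ranges from this section's examples, zone 3
    z = ZoneRanges()
    z.add_range(3, "192.168.30.10", "192.168.30.120")
    z.add_range(3, "192:168:30::10", "192:168:30::120")
    print(z.zone_of("192.168.30.50"), z.zone_of("10.0.0.1"))
```

Run the validator over a planned zone before configuring it; a rejected range here is one the device would also refuse, or one that would silently split a host's traffic between two zones.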

Examples

# Add IPv6 address range 192:168:30::10 to 192:168:30::120 to anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] ipv6-range 192:168:30::10 192:168:30::120

Related commands

display anti-ddos zone configuration

ip-range

name

Use name to assign a name to an anti-DDoS zone.

Use undo name to restore the default.

Syntax

name zone-name

undo name

Default

An anti-DDoS zone does not have a name.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

zone-name: Specifies the name of an anti-DDoS zone, a case-insensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), and hyphens (-). The name cannot be default.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

The name of the default anti-DDoS zone is not configurable.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify name test for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] name test

Related commands

anti-ddos zone

display anti-ddos zone configuration

opcode

Use opcode to create a request packet type match rule for HTTP packets.

Use undo opcode to delete a request packet type match rule for HTTP packets.

Syntax

opcode { connect | delete | get | head | options | post | put | trace }

undo opcode { connect | delete | get | head | options | post | put | trace }

Default

No request packet type match rules exist for HTTP packets.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

connect: Specifies the HTTP CONNECT request packet type.

delete: Specifies the HTTP DELETE request packet type.

get: Specifies the HTTP GET request packet type.

head: Specifies the HTTP HEAD request packet type.

options: Specifies the HTTP OPTIONS request packet type.

post: Specifies the HTTP POST request packet type.

put: Specifies the HTTP PUT request packet type.

trace: Specifies the HTTP TRACE request packet type.

Usage guidelines

The device uses this rule to match the packet type of HTTP request packets.

An HTTP filter supports a maximum of eight request packet types for packet match.

Examples

# Create a rule for HTTP filter test to match HTTP PUT request packets.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] opcode put

Related commands

anti-ddos filter

display anti-ddos filter statistics

packet-length

Use packet-length to create a packet length match rule.

Use undo packet-length to delete a packet length match rule.

Syntax

packet-length range length1 length2

undo packet-length [ range length1 length2 ]

Default

No packet length match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

range: Specifies a packet length range.

length1: Specifies the minimum packet length in bytes. The value range is 1 to 1500.

length2: Specifies the maximum packet length in bytes. The value range is 1 to 1500.

Usage guidelines

The device uses this rule to match the packet length.

A filter supports a maximum of 10 rules for the packet length field. A packet matches the packet length field if its packet length matches one of these rules.

The minimum packet length cannot be greater than the maximum packet length. The packet length ranges in one filter cannot overlap.

If you do not specify any parameters, the undo packet-length command deletes all packet length match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets that are 50 to 500 bytes long.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] packet-length range 50 500

Related commands

anti-ddos filter

display anti-ddos filter statistics

protocol

Use protocol to create a protocol field match rule.

Use undo protocol to delete a protocol field match rule.

Syntax

protocol protocol-number

undo protocol [ protocol-number ]

Default

No packet protocol match rules exist.

Views

IP filter view

Predefined user roles

network-admin

Parameters

protocol-number: Specifies a protocol number in the range of 0 to 255.

Usage guidelines

The device uses this rule to match the protocol field of packets.

An IP filter supports a maximum of 10 rules for the protocol field. A packet matches the protocol field if its protocol field matches one of these rules.

If you do not specify a protocol number, the undo protocol command deletes all packet protocol match rules in the filter.

Examples

# Create a rule for IP filter test to match VRRP packets (protocol number 112).

<Sysname> system-view

[Sysname] anti-ddos filter name test type ip

[Sysname-anti-ddos-filter-ip-test] protocol 112

Related commands

anti-ddos filter

display anti-ddos filter statistics

qr

Use qr to create a QR field match rule for DNS packets.

Use undo qr to delete a QR field match rule for DNS packets.

Syntax

qr { query | reply }

undo qr { query | reply }

Default

No QR field match rules for DNS packets exist.

Views

DNS filter view

Predefined user roles

network-admin

Parameters

query: Specifies DNS queries.

reply: Specifies DNS replies.

Usage guidelines

The device uses this rule to match the QR field of DNS packets.

A DNS filter supports a maximum of two rules for the QR field. A packet matches the QR field if its QR field matches one of these rules.

Examples

# Create a rule for DNS filter test to match DNS queries.

<Sysname> system-view

[Sysname] anti-ddos filter name test type dns

[Sysname-anti-ddos-filter-dns-test] qr query

Related commands

anti-ddos filter

display anti-ddos filter statistics

referer

Use referer to create a referer field match rule for HTTP packets.

Use undo referer to delete a referer field match rule for HTTP packets.

Syntax

referer include referrer-string

undo referer [ include referrer-string ]

Default

No referer field match rules exist for HTTP packets.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

include: Matches HTTP packets whose referer field contains the specified keyword.

referrer-string: Specifies the referer keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match the referer field of HTTP packets.

An HTTP filter supports a maximum of 32 rules for the referer field. A packet matches the referer field if its referer field matches one of these rules.

If you do not specify any parameters, the undo referer command deletes all referer field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match HTTP packets that contain www.abc.com in the referer field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] referer include www.abc.com

Related commands

anti-ddos filter

display anti-ddos filter statistics

request-uri

Use request-uri to create a match rule for the request URI field in HTTP packets.

Use undo request-uri to delete a match rule for the request URI field in HTTP packets.

Syntax

request-uri include uri

undo request-uri [ include uri ]

Default

No URI match rules exist for HTTP packets.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

include: Matches HTTP packets whose request URI contains the specified keyword.

uri: Specifies the URI keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match HTTP packets that contain the specified URI keyword.

An HTTP filter supports a maximum of 32 rules for the request URI field. A packet matches the request URI field if its request URI matches one of these rules.

If you do not specify any parameters, the undo request-uri command deletes all URI match rules in the filter.

Examples

# Create a rule for HTTP filter test to match HTTP packets that contain favicon.ico in the request URI field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] request-uri include favicon.ico

Related commands

anti-ddos filter

display anti-ddos filter statistics

reset anti-ddos dynamic-blacklist

Use reset anti-ddos dynamic-blacklist to clear dynamic blacklist entries in anti-DDoS zones.

Syntax

reset anti-ddos dynamic-blacklist { ip | ipv6 } [ zone [ default | id zone-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

ip: Specifies IPv4 dynamic blacklist entries.

ipv6: Specifies IPv6 dynamic blacklist entries.

zone: Specifies an anti-DDoS zone.

default: Specifies the default anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

If you do not specify an anti-DDoS zone, this command clears dynamic blacklist entries in all anti-DDoS zones.

Examples

# Clear dynamic IPv4 blacklist entries in anti-DDoS zone 3.

<Sysname> reset anti-ddos dynamic-blacklist ip zone id 3

reset anti-ddos filter statistics

Use reset anti-ddos filter statistics to clear filter statistics in an anti-DDoS zone.

Syntax

reset anti-ddos filter statistics name name anti-ddos-zone { id zone-id | default }

Views

User view

Predefined user roles

network-admin

Parameters

name name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.

anti-ddos-zone: Specifies an anti-DDoS zone.

id zone-id: Specifies an anti-DDoS zone by its ID in the range of 2 to 1024.

default: Specifies the default anti-DDoS zone.

Examples

# Clear statistics about filter test in anti-DDoS zone 3.

<Sysname> reset anti-ddos filter statistics name test anti-ddos-zone id 3

Related commands

display anti-ddos filter statistics

rst-flood detection threshold

Use rst-flood detection threshold to enable RST flood attack detection and set a detection threshold.

Use undo rst-flood detection threshold to disable RST flood attack detection.

Syntax

rst-flood detection threshold { bit-based value | packet-based value }

undo rst-flood detection threshold

Default

RST flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable RST flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of RST packets per destination IP address in this zone. When the sending rate of RST packets destined for an IP address keeps exceeding the threshold, an RST flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of RST packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable RST flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] rst-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

sip-flood defense source-verify

Use sip-flood defense source-verify to enable SIP source verification.

Use undo sip-flood defense source-verify to disable SIP source verification.

Syntax

sip-flood defense source-verify

undo sip-flood defense source-verify

Default

SIP source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects the internal SIP server against SIP flood attacks initiated by external illegitimate clients. After receiving a SIP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SIP packets from this IP address to pass through.

·     If the source IP address fails verification, the device drops the SIP packet.

Examples

# Enable SIP source verification for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] sip-flood defense source-verify

Related commands

display anti-ddos zone configuration

sip-flood detection threshold

Use sip-flood detection threshold to enable SIP flood attack detection and set a detection threshold.

Use undo sip-flood detection threshold to disable SIP flood attack detection.

Syntax

sip-flood detection threshold { bit-based value | packet-based value }

undo sip-flood detection threshold

Default

SIP flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable SIP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SIP packets per destination IP address in this zone. When the sending rate of SIP packets destined for an IP address keeps exceeding the threshold, a SIP flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of SIP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable SIP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] sip-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

source-ip

Use source-ip to create a source IP address match rule.

Use undo source-ip to delete a source IP address match rule.

Syntax

source-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }

undo source-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]

Default

No source IP address match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

ip-range: Specifies a source IPv4 address range.

start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.

end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.

ipv6-range: Specifies a source IPv6 address range.

start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.

end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.

Usage guidelines

The device uses this rule to match the source IP addresses of packets.

A filter supports a maximum of 512 rules for the source IP address field. A packet matches the source IP address field if its source IP address matches one of these rules.

The source IP address ranges in one filter cannot overlap.

If you do not specify any parameters, the undo source-ip command deletes all source IP address match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets with source IPv4 addresses in the range of 1.1.1.10 to 1.1.1.20.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] source-ip ip-range 1.1.1.10 1.1.1.20

Related commands

anti-ddos filter

display anti-ddos filter statistics

source-port

Use source-port to create a source port match rule.

Use undo source-port to delete a source port match rule.

Syntax

source-port range start-port end-port

undo source-port [ range start-port end-port ]

Default

No source port match rules exist.

Views

TCP filter view

UDP filter view

DNS filter view

HTTP filter view

SIP filter view

Predefined user roles

network-admin

Parameters

range: Specifies a source port range.

start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.

end-port: Specifies an end port number in the range of 1 to 65535.

Usage guidelines

The device uses this rule to match the source port numbers of packets.

A filter supports a maximum of 10 rules for the source port number field. A packet matches the source port number field if its source port number matches one of these rules.

The source port number ranges in one filter cannot overlap.

If you do not specify any parameters, the undo source-port command deletes all source port match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets with source port numbers in the range of 10 to 20.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] source-port range 10 20

Related commands

anti-ddos filter

display anti-ddos filter statistics

syn-ack-flood detection threshold

Use syn-ack-flood detection threshold to enable SYN-ACK flood attack detection and set a detection threshold.

Use undo syn-ack-flood detection threshold to disable SYN-ACK flood attack detection.

Syntax

syn-ack-flood detection threshold { bit-based value | packet-based value }

undo syn-ack-flood detection threshold

Default

SYN-ACK flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable SYN-ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN-ACK packets per destination IP address in this zone. When the sending rate of SYN-ACK packets destined for an IP address keeps exceeding the threshold, a SYN-ACK flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of SYN-ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable SYN-ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] syn-ack-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

syn-flood defense source-verify

Use syn-flood defense source-verify to enable SYN source verification.

Use undo syn-flood defense source-verify to disable SYN source verification.

Syntax

syn-flood defense source-verify

undo syn-flood defense source-verify

Default

SYN source verification is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

This command is available only on anti-DDoS cleaning devices.

This feature protects the internal server against SYN flood attacks initiated by external illegitimate clients. After receiving a SYN packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.

·     If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SYN packets from this IP address to pass through.

·     If the source IP address fails verification, the device drops the SYN packet.

Examples

# Enable SYN source verification for anti-DDoS zone 3.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] syn-flood defense source-verify

Related commands

display anti-ddos zone configuration

syn-flood detection threshold

Use syn-flood detection threshold to enable SYN flood attack detection and set a detection threshold.

Use undo syn-flood detection threshold to disable SYN flood attack detection.

Syntax

syn-flood detection threshold { bit-based value | packet-based value }

undo syn-flood detection threshold

Default

SYN flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable SYN flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN packets per destination IP address in this zone. When the sending rate of SYN packets destined for an IP address keeps exceeding the threshold, a SYN flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of SYN packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable SYN flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] syn-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

tcp-flag

Use tcp-flag to create a TCP flags field match rule.

Use undo tcp-flag to delete a TCP flags field match rule.

Syntax

tcp-flag tcp-flag

undo tcp-flag [ tcp-flag ]

Default

No TCP flags field match rules exist.

Views

TCP filter view

HTTP filter view

Predefined user roles

network-admin

Parameters

tcp-flag: Specifies a value of the TCP flags field, in the range of 0 to 63. The value is the 6-bit flags field read as a decimal number, with FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. For example, 2 matches SYN packets, 18 matches SYN-ACK packets, and 20 matches packets with ACK and RST set.

Usage guidelines

The device uses this rule to match the TCP flags field of packets.

A TCP or HTTP filter supports a maximum of 10 rules for the TCP flags field. A packet matches the TCP flags field if its TCP flags field value matches one of these rules.

If you do not specify a value, the undo tcp-flag command deletes all TCP flags field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match HTTP packets in which the TCP flags field value is 20 (ACK and RST set).

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] tcp-flag 20

Related commands

anti-ddos filter

display anti-ddos filter statistics

tcp-frag-flood detection threshold

Use tcp-frag-flood detection threshold to enable TCP fragment flood attack detection and set a detection threshold.

Use undo tcp-frag-flood detection threshold to disable TCP fragment flood attack detection.

Syntax

tcp-frag-flood detection threshold { bit-based | packet-based } value

undo tcp-frag-flood detection threshold

Default

TCP fragment flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies a bit-based threshold.

packet-based: Specifies a packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable TCP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of TCP fragments per destination IP address in this zone. When the sending rate of TCP fragments destined for an IP address keeps exceeding the threshold, a TCP fragment flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of TCP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
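The detection and silence thresholds described for tcp-frag-flood above, and identically for the icmp-flood, icmp-frag-flood, rst-flood, sip-flood, syn-ack-flood and syn-flood detection threshold commands earlier in this section, form a per-destination state machine with hysteresis: the device enters attack state when the rate keeps exceeding the detection threshold, and leaves it only when the rate drops below three-fourths of that threshold, not merely below the threshold itself. The Python below is an added example that models that behaviour; it is not H3C code and does not describe the device's internal implementation. The page does not say how many consecutive intervals count as "keeps exceeding" or how long an interval is, so CONSECUTIVE_INTERVALS and the sample series are assumptions.

```python
from collections import defaultdict

# Assumption: consecutive samples above the threshold that count as "keeps exceeding".
# The page states neither this figure nor the sampling interval.
CONSECUTIVE_INTERVALS = 3

# Protection action per deployment mode, as described in the usage guidelines.
ACTIONS = {
    "one-arm": "send attack alarm log to the management center (traffic redirected to cleaner)",
    "inline": "clean the attack traffic locally",
}


class FloodDetector:
    """Detection state machine for one zone and one attack type (e.g. syn-flood, packet-based)."""

    def __init__(self, threshold, deploy_mode="inline"):
        if not 1 <= threshold <= 4294967295:
            raise ValueError("threshold must be 1 to 4294967295")
        self.threshold = threshold          # pps (packet-based) or Mbps (bit-based)
        self.silence = threshold * 3 / 4    # silence threshold: three-fourths of detection threshold
        self.action = ACTIONS[deploy_mode]
        self.exceeded = defaultdict(int)    # consecutive over-threshold samples per destination IP
        self.under_attack = set()
        self.events = []                    # (event, dst_ip, rate)

    def sample(self, dst_ip, rate):
        """Feed one interval's measured rate toward dst_ip; returns the state afterwards."""
        if dst_ip in self.under_attack:
            # Hysteresis: stay in attack state until the rate is below the silence
            # threshold. A rate between silence and detection thresholds keeps cleaning on.
            if rate < self.silence:
                self.under_attack.discard(dst_ip)
                self.exceeded[dst_ip] = 0
                self.events.append(("attack-end", dst_ip, rate))
                return "detection"
            return "attack"
        if rate > self.threshold:
            self.exceeded[dst_ip] += 1
            if self.exceeded[dst_ip] >= CONSECUTIVE_INTERVALS:
                self.under_attack.add(dst_ip)
                self.events.append(("attack-start", dst_ip, rate))
                return "attack"
        else:
            self.exceeded[dst_ip] = 0       # a burst that does not persist is not an attack
        return "detection"


def run(detector, samples):
    """Replay (dst_ip, rate) samples and return the state after each one."""
    return [detector.sample(ip, rate) for ip, rate in samples]


if __name__ == "__main__":
    # Constructed sample: zone 3 with "syn-flood detection threshold packet-based 20"
    det = FloodDetector(20, "one-arm")
    print(run(det, [("192.168.30.10", r) for r in (25, 30, 22, 18, 14)]))
    print(det.events, det.action)
```

With a 20 pps threshold the silence threshold is 15 pps, so a rate of 18 pps after an attack has started keeps the destination in attack state; the sample series in the block shows the transition only at 14 pps. When picking a threshold, remember that the attack is declared per destination IP address, so a threshold sized for the whole zone will be far too loose for any single host.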

Examples

# Enable TCP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] tcp-frag-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

threshold-learning enable

Use threshold-learning enable to enable threshold learning for an anti-DDoS zone.

Use undo threshold-learning enable to disable threshold learning for an anti-DDoS zone.

Syntax

threshold-learning enable

undo threshold-learning enable

Default

Threshold learning is disabled for an anti-DDoS zone.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

The threshold learning feature enables the device to learn attack detection thresholds for different types of DDoS attacks based on the actual network traffic. As a best practice, enable this feature if you are not sure about thresholds for DDoS attack protection.

After you enable this feature for a non-default anti-DDoS zone, the device collects the traffic baseline values for IP addresses in this zone every 5 minutes and reports the values to the anti-DDoS management center. The management center calculates the threshold and assigns policies accordingly.

Only non-default anti-DDoS zones support this command.

Examples

# Enable threshold learning for anti-DDoS zone 6.

<Sysname> system-view

[Sysname] anti-ddos zone id 6

[Sysname-anti-ddos-zone-id-6] threshold-learning enable

Related commands

display anti-ddos zone configuration

ttl

Use ttl to create a TTL field match rule.

Use undo ttl to delete a TTL field match rule.

Syntax

ttl ttl-value

undo ttl [ ttl-value ]

Default

No TTL field match rules exist.

Views

Filter view

Predefined user roles

network-admin

Parameters

ttl-value: Specifies a TTL value in the range of 1 to 255.

Usage guidelines

The device uses this rule to match the TTL value of packets.

A filter supports a maximum of 10 rules for the TTL field. A packet matches the TTL field if its TTL value matches one of these rules.

If you do not specify a TTL value, the undo ttl command deletes all TTL field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match packets with TTL value 63.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] ttl 63

Related commands

anti-ddos filter

display anti-ddos filter statistics

type

Use type to create a DNS packet type match rule.

Use undo type to delete a DNS packet type match rule.

Syntax

type type-value

undo type [ type-value ]

Default

No DNS packet type match rules exist.

Views

DNS filter view

Predefined user roles

network-admin

Parameters

type-value: Specifies a DNS type ID in the range of 0 to 255.

Usage guidelines

The device uses this rule to match the packet type of DNS packets.

A DNS filter supports a maximum of 10 rules for the DNS type field. A DNS packet matches the type field if its type matches one of these rules.

If you do not specify a packet type, the undo type command deletes all DNS packet type match rules in the filter.

Examples

# Create a rule for DNS filter test to match DNS packets with type ID 6.

<Sysname> system-view

[Sysname] anti-ddos filter name test type dns

[Sysname-anti-ddos-filter-dns-test] type 6

Related commands

anti-ddos filter

display anti-ddos filter statistics

udp-flood detection threshold

Use udp-flood detection threshold to enable UDP flood attack detection and set a detection threshold.

Use undo udp-flood detection threshold to disable UDP flood attack detection.

Syntax

udp-flood detection threshold { bit-based | packet-based } value

undo udp-flood detection threshold

Default

UDP flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies the bit-based threshold.

packet-based: Specifies the packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable UDP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP packets per destination IP address in this zone. When the sending rate of UDP packets destined for an IP address keeps exceeding the threshold, a UDP flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of UDP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable UDP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] udp-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

udp-frag-flood detection threshold

Use udp-frag-flood detection threshold to enable UDP fragment flood attack detection and set a detection threshold.

Use undo udp-frag-flood detection threshold to disable UDP fragment flood attack detection.

Syntax

udp-frag-flood detection threshold { bit-based | packet-based } value

undo udp-frag-flood detection threshold

Default

UDP fragment flood attack detection is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

bit-based: Specifies the bit-based threshold.

packet-based: Specifies the packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable UDP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP fragments per destination IP address in this zone. When the sending rate of UDP fragments destined for an IP address keeps exceeding the threshold, a UDP fragment flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of UDP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# Enable UDP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] udp-frag-flood detection threshold packet-based 20

Related commands

display anti-ddos zone configuration

user-agent

Use user-agent to create a user-agent field match rule for HTTP packets.

Use undo user-agent to delete a user-agent field match rule for HTTP packets.

Syntax

user-agent include user-agent

undo user-agent [ include user-agent ]

Default

No user-agent field match rules exist for HTTP packets.

Views

HTTP filter view

Predefined user roles

network-admin

Parameters

include: Specifies to include the specified user-agent keyword.

user-agent: Specifies the user-agent keyword, a case-insensitive string of 2 to 63 characters.

Usage guidelines

The device uses this rule to match HTTP packets that contain the specified keyword in the user-agent field.

An HTTP filter supports a maximum of 32 rules for the user-agent field. An HTTP packet matches the user-agent field if its user-agent field matches one of these rules.

If you do not specify any parameters, the undo user-agent command deletes all user-agent field match rules in the filter.

Examples

# Create a rule for HTTP filter test to match HTTP packets that contain Linux in the user-agent field.

<Sysname> system-view

[Sysname] anti-ddos filter name test type http

[Sysname-anti-ddos-filter-http-test] user-agent include Linux

Related commands

anti-ddos filter

display anti-ddos filter statistics

user-defined attack-type detection threshold

Use user-defined attack-type detection threshold to enable flood attack detection for a user-defined attack type and set a detection threshold.

Use undo user-defined attack-type detection threshold to disable flood attack detection for a user-defined attack type.

Syntax

user-defined attack-type id id detection threshold { bit-based | packet-based } value

undo user-defined attack-type [ id id ] detection threshold

Default

Flood attack detection for all user-defined attack types is disabled.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15.

bit-based: Specifies the bit-based threshold.

packet-based: Specifies the packet-based threshold.

value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.

Usage guidelines

The command is available on anti-DDoS detection devices and cleaning devices.

After you enable flood attack detection for a user-defined protocol-specific attack type in a zone, the device enters attack detection state. The device also monitors the sending rate of protocol packets per destination IP address in this zone. When the sending rate of protocol packets destined for an IP address keeps exceeding the threshold, a flood attack occurs and triggers one of the following protection actions:

·     In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.

·     In the inline deployment mode, the cleaning device cleans the attack traffic locally.

When the sending rate of the protocol packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.

Examples

# In anti-DDoS zone 3, enable flood attack detection for attack type 2 and set the threshold to 20 pps.

<Sysname> system-view

[Sysname] anti-ddos zone id 3

[Sysname-anti-ddos-zone-id-3] user-defined attack-type id 2 detection threshold packet-based 20
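The detection and silence threshold behaviour that the usage guidelines of the tcp-frag-flood, udp-flood, udp-frag-flood and user-defined attack-type detection threshold commands describe, as an added simulation that is not H3C code. The number of consecutive measurement intervals that counts as "keeps exceeding" (persist), the 10.0.0.x addresses and the sample rates are constructed assumptions.

```python
from collections import defaultdict

SILENCE_RATIO = 0.75  # silence threshold = three-fourths of the detection threshold


class FloodDetector:
    """Per-destination-IP flood detection state machine: a destination enters
    attack state when its rate keeps exceeding the detection threshold and
    returns to detection state only when the rate drops below the silence
    threshold. The gap between the two thresholds (hysteresis) keeps the
    state from flapping on rates that hover around the threshold."""

    def __init__(self, threshold, persist=2):
        if not 1 <= threshold <= 4294967295:   # range from the command reference
            raise ValueError("threshold out of range")
        self.threshold = threshold
        self.silence = threshold * SILENCE_RATIO
        self.persist = persist                  # assumed: intervals over threshold before alarm
        self.over = defaultdict(int)            # consecutive over-threshold intervals per dst
        self.under_attack = set()

    def observe(self, dst_ip, rate):
        """Feed one measurement interval for dst_ip; return 'attack', 'cleared' or None."""
        if dst_ip not in self.under_attack:
            if rate > self.threshold:
                self.over[dst_ip] += 1
                if self.over[dst_ip] >= self.persist:
                    self.under_attack.add(dst_ip)
                    return "attack"            # one-arm: alarm log; inline: clean locally
            else:
                self.over[dst_ip] = 0
            return None
        # attack state: stay there until the rate falls below the silence threshold
        if rate < self.silence:
            self.under_attack.discard(dst_ip)
            self.over[dst_ip] = 0
            return "cleared"
        return None

    def state(self, dst_ip):
        return "attack" if dst_ip in self.under_attack else "detection"


def replay(threshold, samples):
    """Run constructed (dst_ip, rate) samples through one detector; return per-sample trace."""
    det = FloodDetector(threshold)
    return [(ip, rate, det.observe(ip, rate), det.state(ip)) for ip, rate in samples]


# Constructed sample: threshold 20 pps as in the examples, so silence threshold is 15 pps.
SAMPLES = [("10.0.0.1", 25), ("10.0.0.2", 5), ("10.0.0.1", 30),
           ("10.0.0.1", 18), ("10.0.0.1", 14), ("10.0.0.1", 18)]

if __name__ == "__main__":
    for row in replay(20, SAMPLES):
        print(row)
```

Note that 18 pps keeps 10.0.0.1 in attack state after the alarm but does not re-trigger an alarm once the rate has dropped below 15 pps, which is exactly the hysteresis the guidelines describe.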

zone-blacklist

Use zone-blacklist to add an anti-DDoS zone-based static blacklist entry.

Use undo zone-blacklist to delete an anti-DDoS zone-based static blacklist entry.

Syntax

zone-blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

undo zone-blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

Default

No anti-DDoS zone-based static blacklist entries exist.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

all: Deletes all anti-DDoS zone-based static blacklist entries, including IPv4 and IPv6 entries.

ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.

ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.

Usage guidelines

The command is available only on anti-DDoS cleaning devices.

The device drops a packet if the source IP address of the packet destined for an anti-DDoS zone is on the static blacklist of this zone.

For an anti-DDoS zone, IP addresses on its static blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.

An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.

Examples

# Add subnet 1.1.1.1/24 to the static blacklist for anti-DDoS zone 2.

<Sysname> system-view

[Sysname] anti-ddos zone id 2

[Sysname-anti-ddos-zone-id-2] zone-blacklist ip 1.1.1.1 24

Related commands

zone-whitelist

display anti-ddos blacklist zone

zone-whitelist

Use zone-whitelist to add an anti-DDoS zone-based static whitelist entry.

Use undo zone-whitelist to delete an anti-DDoS zone-based static whitelist entry.

Syntax

zone-whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

undo zone-whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }

Default

No anti-DDoS zone-based static whitelist entries exist.

Views

Anti-DDoS zone view

Predefined user roles

network-admin

Parameters

all: Deletes all anti-DDoS zone-based static whitelist entries, including IPv4 and IPv6 entries.

ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.

ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.

Usage guidelines

The command is available only on anti-DDoS cleaning devices.

If the source IP address of a packet destined for an anti-DDoS zone matches a static whitelist entry specific to this zone, the packet bypasses DDoS protection (except rate limiting).

For an anti-DDoS zone, IP addresses on its blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.

An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.

Examples

# Add subnet 1.1.1.1/24 to the static whitelist for anti-DDoS zone 2.

<Sysname> system-view

[Sysname] anti-ddos zone id 2

[Sysname-anti-ddos-zone-id-2] zone-whitelist ip 1.1.1.1 24

Related commands

zone-blacklist

display anti-ddos whitelist zone
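The constraints that the zone-blacklist and zone-whitelist usage guidelines state (mask length ranges, forbidden addresses, no overlap between the two lists, at most 10 entries per zone) and the resulting drop/bypass decision, as an added model that is not H3C code. The class and method names, and the 1.1.1.0/24, 2.2.2.0/24 and 10.x.0.0/16 sample entries, are constructed for this example.

```python
import ipaddress

ZONE_MAX_ENTRIES = 10  # per zone, static blacklist and whitelist combined (from the reference)


class ZoneStaticLists:
    """Static blacklist and whitelist of one anti-DDoS zone with the
    validation rules from the zone-blacklist / zone-whitelist guidelines."""

    def __init__(self, zone_id):
        self.zone_id = zone_id
        self.blacklist = []
        self.whitelist = []

    @staticmethod
    def _parse(addr, mask_len):
        ip = ipaddress.ip_address(addr)
        lo, hi = (8, 32) if ip.version == 4 else (8, 128)
        if not lo <= mask_len <= hi:
            raise ValueError(f"mask length {mask_len} out of range {lo}-{hi}")
        if ip.version == 4 and str(ip) in ("0.0.0.0", "255.255.255.255"):
            raise ValueError(f"{addr} is not allowed")
        if ip.version == 6 and (ip == ipaddress.IPv6Address("::")
                                or ip in ipaddress.IPv6Network("ff00::/8")):
            raise ValueError(f"{addr} is not allowed")
        # strict=False mirrors the CLI accepting a host address with a mask (1.1.1.1 24)
        return ipaddress.ip_network((addr, mask_len), strict=False)

    def _add(self, own, other, addr, mask_len):
        net = self._parse(addr, mask_len)
        if any(net.overlaps(o) for o in other):
            raise ValueError(f"{net} overlaps an entry on the opposite list")
        if net not in own and len(self.blacklist) + len(self.whitelist) >= ZONE_MAX_ENTRIES:
            raise ValueError(f"zone {self.zone_id} already holds {ZONE_MAX_ENTRIES} entries")
        if net not in own:
            own.append(net)
        return net

    def zone_blacklist(self, addr, mask_len):
        return self._add(self.blacklist, self.whitelist, addr, mask_len)

    def zone_whitelist(self, addr, mask_len):
        return self._add(self.whitelist, self.blacklist, addr, mask_len)

    def classify(self, src):
        """Decision for a packet from src destined for this zone: 'drop' if blacklisted,
        'bypass' if whitelisted (rate limiting still applies), otherwise 'inspect'."""
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.blacklist):
            return "drop"
        if any(ip in n for n in self.whitelist):
            return "bypass"
        return "inspect"
```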
