- 12-Security Command Reference
IP-based attack prevention commands
Naptha attack prevention commands
tcp anti-naptha enable
tcp check-state interval
tcp state
TCP connection attack prevention commands
tcp abnormal-packet-defend
ICMP attack prevention commands
display ip icmp fast-reply statistics
display ipv6 icmpv6 fast-reply statistics
ip icmp fast-reply enable
ipv6 icmpv6 fast-reply enable
reset ip icmp fast-reply statistics
reset ipv6 icmpv6 fast-reply statistics
TCP SYN flood attack prevention commands
display ipv6 tcp anti-syn-flood flow-based entry
display ipv6 tcp anti-syn-flood flow-based entry count
display tcp anti-syn-flood flow-based configuration
display tcp anti-syn-flood flow-based entry
display tcp anti-syn-flood flow-based entry count
display tcp anti-syn-flood interface-based configuration
display tcp anti-syn-flood interface-based entry
display tcp anti-syn-flood interface-based entry count
reset ipv6 tcp anti-syn-flood flow-based entry
reset ipv6 tcp anti-syn-flood flow-based statistics
reset tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood flow-based statistics
reset tcp anti-syn-flood interface-based entry
reset tcp anti-syn-flood interface-based statistics
tcp anti-syn-flood flow-based duration
tcp anti-syn-flood flow-based enable
tcp anti-syn-flood flow-based threshold
tcp anti-syn-flood interface-based check-interval
tcp anti-syn-flood interface-based duration
tcp anti-syn-flood interface-based enable
tcp anti-syn-flood interface-based threshold
tcp anti-syn-flood flow-based check-interval
UDP flood attack prevention commands
display ipv6 udp anti-flood flow-based entry
display ipv6 udp anti-flood flow-based entry count
display udp anti-flood flow-based configuration
display udp anti-flood flow-based entry
display udp anti-flood flow-based entry count
display udp anti-flood interface-based configuration
display udp anti-flood interface-based entry
display udp anti-flood interface-based entry count
reset ipv6 udp anti-flood flow-based entry
reset ipv6 udp anti-flood flow-based statistics
reset udp anti-flood flow-based entry
reset udp anti-flood flow-based statistics
reset udp anti-flood interface-based entry
reset udp anti-flood interface-based statistics
udp anti-flood flow-based check-interval
udp anti-flood flow-based destination-port
udp anti-flood flow-based duration
udp anti-flood flow-based enable
udp anti-flood flow-based exclude destination-port
udp anti-flood flow-based threshold
udp anti-flood interface-based check-interval
udp anti-flood interface-based duration
udp anti-flood interface-based enable
udp anti-flood interface-based threshold
Abnormal IP packet attack prevention commands
display ip abnormal-packet-defend statistics
ip abnormal-packet-defend enable
reset ip abnormal-packet-defend statistics
IP-based attack prevention commands
Naptha attack prevention commands
tcp anti-naptha enable
Use tcp anti-naptha enable to enable Naptha attack prevention.
Use undo tcp anti-naptha enable to disable Naptha attack prevention.
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
Default
Naptha attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable Naptha attack prevention, the device periodically checks the number of TCP connections in each state. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state. The check interval is set by the tcp check-state interval command. The TCP connection limits are set by the tcp state command.
Examples
# Enable Naptha attack prevention.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
Related commands
tcp state
tcp check-state interval
tcp check-state interval
Use tcp check-state interval to set the interval for checking the number of TCP connections in each state.
Use undo tcp check-state interval to restore the default.
Syntax
tcp check-state interval interval
undo tcp check-state interval
Default
The interval is 30 seconds for checking the number of TCP connections in each state.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval in the range of 1 to 60 seconds.
Usage guidelines
This command takes effect after you enable Naptha attack prevention.
After you enable Naptha attack prevention, the device checks the number of TCP connections in each state at intervals. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in that state.
Examples
# Set the interval to 40 seconds for checking the number of TCP connections in each state.
<Sysname> system-view
[Sysname] tcp check-state interval 40
Related commands
tcp anti-naptha enable
tcp state
tcp state
Use tcp state to set the maximum number of TCP connections in a state.
Use undo tcp state to restore the default.
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack } connection-limit
Default
The maximum number of TCP connections in each state (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, and LAST_ACK) is 50.
Views
System view
Predefined user roles
network-admin
Parameters
closing: Specifies the CLOSING state.
established: Specifies the ESTABLISHED state.
fin-wait-1: Specifies the FIN_WAIT_1 state.
fin-wait-2: Specifies the FIN_WAIT_2 state.
last-ack: Specifies the LAST_ACK state.
connection-limit number: Specifies the maximum number of TCP connections, in the range of 0 to 500. The value of 0 represents that the device does not accelerate the aging of the TCP connections in a state.
Usage guidelines
This command takes effect after you enable Naptha attack prevention. If the number of TCP connections in a state exceeds the limit, the device will accelerate the aging of the TCP connections in the state.
Examples
# Set the maximum number of TCP connections in the ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp state established connection-limit 100
Related commands
tcp anti-naptha enable
tcp check-state interval
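The three Naptha commands above (tcp anti-naptha enable, tcp check-state interval, and tcp state ... connection-limit) configure one mechanism. The following Python model is added here to show how the per-state counts, the check interval, the 0 limit and accelerated aging interact; it is not H3C device code, and the acceleration factor is an assumption, since the page only says that aging is accelerated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The TCP states that tcp state ... connection-limit can limit.
STATES = ("closing", "established", "fin-wait-1", "fin-wait-2", "last-ack")
DEFAULT_LIMIT = 50       # default connection-limit per state
DEFAULT_INTERVAL = 30    # default tcp check-state interval, in seconds


@dataclass
class TcpConn:
    conn_id: str
    state: str
    remaining_s: float   # lifetime left before the connection ages out normally


@dataclass
class NapthaGuard:
    """Device-side model of tcp anti-naptha enable, tcp check-state interval
    and tcp state ... connection-limit (constructed, not device code)."""
    enabled: bool = False
    check_interval: int = DEFAULT_INTERVAL
    limits: Dict[str, int] = field(
        default_factory=lambda: {s: DEFAULT_LIMIT for s in STATES})
    # ASSUMPTION: the page says only that aging is "accelerated"; this model
    # ages connections in an overloaded state accel_factor times faster.
    accel_factor: int = 4
    conns: List[TcpConn] = field(default_factory=list)

    def set_interval(self, interval: int) -> None:
        """tcp check-state interval <interval>; valid range is 1 to 60 s."""
        if not 1 <= interval <= 60:
            raise ValueError("interval must be 1-60 seconds")
        self.check_interval = interval

    def set_limit(self, state: str, number: int) -> None:
        """tcp state <state> connection-limit <number>; range 0 to 500,
        where 0 disables accelerated aging for that state."""
        if state not in STATES:
            raise ValueError(f"unknown state {state!r}")
        if not 0 <= number <= 500:
            raise ValueError("connection-limit must be 0-500")
        self.limits[state] = number

    def add(self, conn_id: str, state: str, remaining_s: float) -> None:
        if state not in STATES:
            raise ValueError(f"unknown state {state!r}")
        self.conns.append(TcpConn(conn_id, state, remaining_s))

    def count_by_state(self) -> Dict[str, int]:
        counts = {s: 0 for s in STATES}
        for c in self.conns:
            counts[c.state] += 1
        return counts

    def overloaded_states(self) -> Set[str]:
        """States whose connection count exceeds a non-zero limit."""
        if not self.enabled:
            return set()
        counts = self.count_by_state()
        return {s for s in STATES
                if self.limits[s] != 0 and counts[s] > self.limits[s]}

    def run_check(self) -> Tuple[Set[str], List[str]]:
        """One check interval elapses. Connections in overloaded states age
        accel_factor times faster; all others age normally. Returns the
        overloaded states and the ids of connections that aged out."""
        overloaded = self.overloaded_states()
        aged_out: List[str] = []
        survivors: List[TcpConn] = []
        for c in self.conns:
            step = self.check_interval
            if c.state in overloaded:
                step *= self.accel_factor
            c.remaining_s -= step
            if c.remaining_s <= 0:
                aged_out.append(c.conn_id)
            else:
                survivors.append(c)
        self.conns = survivors
        return overloaded, aged_out


def demo() -> Tuple[Set[str], int, int]:
    """Constructed scenario using the page's example values: limit 100 for
    ESTABLISHED, check interval 40 s, plus 60 half-closed connections parked
    in FIN_WAIT_1, which is the Naptha pattern (default limit 50 applies)."""
    guard = NapthaGuard(enabled=True)
    guard.set_interval(40)
    guard.set_limit("established", 100)
    for i in range(60):
        guard.add(f"est-{i}", "established", remaining_s=300)
    for i in range(60):
        guard.add(f"fw1-{i}", "fin-wait-1", remaining_s=100)
    overloaded, aged_out = guard.run_check()
    # ESTABLISHED (60 <= 100) ages normally; FIN_WAIT_1 (60 > 50) is
    # aged 4x faster and all 60 of its connections expire in this interval.
    return overloaded, len(aged_out), len(guard.conns)
```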
TCP connection attack prevention commands
tcp abnormal-packet-defend
Use tcp abnormal-packet-defend to enable TCP connection attack prevention.
Use undo tcp abnormal-packet-defend to disable TCP connection attack prevention.
Syntax
tcp abnormal-packet-defend [ log | threshold threshold-value ]*
undo tcp abnormal-packet-defend
Default
TCP connection attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
log: Enables logging for TCP connection attack prevention. By default, logging for TCP connection attack prevention is disabled.
threshold threshold-value: Specifies the threshold for error packets received by a TCP connection within a statistics interval in the range of 100 to 1000000. The default value for the threshold-value argument is 1000.
Usage guidelines
This feature enables the device to count the error packets received by each established TCP connection. If the number of error packets received by a TCP connection within a statistics interval (one second) exceeds the threshold, the device determines that the TCP connection is attacked and disconnects the TCP connection. If you enable logging for TCP connection attack prevention, the device generates a log about the attacked TCP connection.
Examples
# Enable TCP connection attack prevention and set the threshold for error packets received by a TCP connection within a statistics interval to 200.
<Sysname> system-view
[Sysname] tcp abnormal-packet-defend threshold 200
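The usage guidelines above describe a per-connection error-packet count over a one-second statistics interval. The Python model below is added here (it is not device code) to show how the threshold, the one-second window and the optional log interact; the log line wording is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATS_INTERVAL_S = 1        # the page: error packets are counted per one-second interval
DEFAULT_THRESHOLD = 1000    # default threshold-value


@dataclass
class TcpConnDefend:
    """Model of tcp abnormal-packet-defend [ log | threshold threshold-value ]
    (constructed, not device code)."""
    enabled: bool = False
    threshold: int = DEFAULT_THRESHOLD
    log: bool = False
    # (conn_id, interval index) -> error packets seen in that interval
    counts: Dict[Tuple[str, int], int] = field(default_factory=dict)
    disconnected: List[str] = field(default_factory=list)
    logs: List[str] = field(default_factory=list)

    def configure(self, threshold: Optional[int] = None, log: bool = False) -> None:
        """tcp abnormal-packet-defend [ log ] [ threshold <value> ]."""
        if threshold is not None:
            if not 100 <= threshold <= 1_000_000:
                raise ValueError("threshold-value must be 100-1000000")
            self.threshold = threshold
        self.log = log
        self.enabled = True

    def on_packet(self, conn_id: str, ts: float, is_error: bool) -> bool:
        """Feed one packet received on an established connection.
        Returns True if the connection is (now or already) disconnected."""
        if conn_id in self.disconnected:
            return True
        if not self.enabled or not is_error:
            return False
        bucket = (conn_id, int(ts // STATS_INTERVAL_S))
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        if self.counts[bucket] > self.threshold:
            self.disconnected.append(conn_id)
            if self.log:
                self.logs.append(
                    f"TCP connection {conn_id} attacked: {self.counts[bucket]} "
                    f"error packets within {STATS_INTERVAL_S} s, disconnected")
            return True
        return False


def demo() -> Tuple[bool, bool, bool, int]:
    """Constructed traffic against the page's example setting (threshold 200)."""
    d = TcpConnDefend()
    d.configure(threshold=200, log=True)
    # Connection A: 200 error packets inside one second reach the threshold
    # without exceeding it; the 201st exceeds it.
    for i in range(200):
        d.on_packet("A", 0.1 + i * 0.001, is_error=True)
    a_at_threshold = "A" in d.disconnected
    a_over = d.on_packet("A", 0.35, is_error=True)
    # Connection B: 150 errors in second 0 and 150 in second 1 never exceed
    # the per-interval threshold, so it stays up.
    for i in range(150):
        d.on_packet("B", 0.5, is_error=True)
        d.on_packet("B", 1.5, is_error=True)
    b_down = "B" in d.disconnected
    return a_at_threshold, a_over, b_down, len(d.logs)
```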
ICMP attack prevention commands
display ip icmp fast-reply statistics
Use display ip icmp fast-reply statistics to display fast replied ICMP message statistics.
Syntax
display ip icmp fast-reply statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast replied ICMP message statistics on all cards.
Examples
# Display fast replied ICMP message statistics on slot 10.
<Sysname> display ip icmp fast-reply statistics slot 10
Number of fast replied ICMP messages: 419455
Related commands
reset ip icmp fast-reply statistics
display ipv6 icmpv6 fast-reply statistics
Use display ipv6 icmpv6 fast-reply statistics to display fast replied ICMPv6 message statistics.
Syntax
display ipv6 icmpv6 fast-reply statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast replied ICMPv6 message statistics on all cards.
Examples
# Display fast replied ICMPv6 message statistics on slot 10.
<Sysname> display ipv6 icmpv6 fast-reply statistics slot 10
Number of fast replied ICMPv6 messages: 419455
Related commands
reset ipv6 icmpv6 fast-reply statistics
ip icmp fast-reply enable
Use ip icmp fast-reply enable to enable ICMP fast reply.
Use undo ip icmp fast-reply enable to disable ICMP fast reply.
Syntax
ip icmp fast-reply enable
undo ip icmp fast-reply enable
Default
ICMP fast reply is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ICMP fast reply feature allows the hardware to reply to incoming ICMP requests, preventing ICMP request attacks.
Examples
# Enable ICMP fast reply.
<Sysname> system-view
[Sysname] ip icmp fast-reply enable
Related commands
ipv6 icmpv6 fast-reply enable
ipv6 icmpv6 fast-reply enable
Use ipv6 icmpv6 fast-reply enable to enable ICMPv6 fast reply.
Use undo ipv6 icmpv6 fast-reply enable to disable ICMPv6 fast reply.
Syntax
ipv6 icmpv6 fast-reply enable
undo ipv6 icmpv6 fast-reply enable
Default
ICMPv6 fast reply is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The ICMPv6 fast reply feature allows the hardware to reply to incoming ICMPv6 requests, preventing ICMPv6 request attacks.
Examples
# Enable ICMPv6 fast reply.
<Sysname> system-view
[Sysname] ipv6 icmpv6 fast-reply enable
Related commands
ip icmp fast-reply enable
reset ip icmp fast-reply statistics
Use reset ip icmp fast-reply statistics to clear fast replied ICMP message statistics.
Syntax
reset ip icmp fast-reply statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears fast replied ICMP message statistics on all cards.
Examples
# Clear fast replied ICMP message statistics on slot 1.
<Sysname> reset ip icmp fast-reply statistics slot 1
Related commands
display ip icmp fast-reply statistics
reset ipv6 icmpv6 fast-reply statistics
Use reset ipv6 icmpv6 fast-reply statistics to clear fast replied ICMPv6 message statistics.
Syntax
reset ipv6 icmpv6 fast-reply statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears fast replied ICMPv6 message statistics on all cards.
Examples
# Clear fast replied ICMPv6 message statistics on slot 1.
<Sysname> reset ipv6 icmpv6 fast-reply statistics slot 1
Related commands
display ipv6 icmpv6 fast-reply statistics
TCP SYN flood attack prevention commands
display ipv6 tcp anti-syn-flood flow-based entry
Use display ipv6 tcp anti-syn-flood flow-based entry to display IPv6 flow-based TCP SYN flood attack prevention entries.
Syntax
display ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about IPv6 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv6 flow-based TCP SYN flood attack prevention entries.
Examples
# Display brief information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 1 on the public network.
<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 1
SrcAddr DstPort VPN Type Packets dropped
2::1 179 -- IP 987654321
# Display detailed information about IPv6 flow-based TCP SYN flood attack prevention entries on slot 1 on the public network.
<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 1 verbose
SrcAddr: 2::1
DstPort: 179
VPN: --
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/05/18 09:30:00
Packets dropped: 987654321
Table 1 Command output

Field | Description |
---|---|
SrcAddr | Source IPv6 address of the TCP SYN flood attack packets. |
DstPort | Destination port number of the TCP SYN flood attack packets. |
VPN | Name of the VPN instance. This field displays hyphens (--) for the public network. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the flow-based TCP SYN flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the IPv6 flow-based TCP SYN flood attack prevention entry, in seconds. |
Attack time | Time when the IPv6 TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS. |
Packets dropped | Total number of packets dropped by IPv6 flow-based TCP SYN flood attack prevention. |
Related commands
reset ipv6 tcp anti-syn-flood flow-based entry
reset ipv6 tcp anti-syn-flood flow-based statistics
display ipv6 tcp anti-syn-flood flow-based entry count
Use display ipv6 tcp anti-syn-flood flow-based entry count to display the number of IPv6 flow-based TCP SYN flood attack prevention entries.
Syntax
display ipv6 tcp anti-syn-flood flow-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of IPv6 flow-based TCP SYN flood attack prevention entries on slot 1.
<Sysname> display ipv6 tcp anti-syn-flood flow-based entry slot 1 count
Total flow-based entries: 2
Table 2 Command output

Field | Description |
---|---|
Total flow-based entries | Total number of IPv6 flow-based TCP SYN flood attack prevention entries. |
Related commands
reset ipv6 tcp anti-syn-flood flow-based entry
reset ipv6 tcp anti-syn-flood flow-based statistics
display tcp anti-syn-flood flow-based configuration
Use display tcp anti-syn-flood flow-based configuration to display the configuration of flow-based TCP SYN flood attack prevention.
Syntax
display tcp anti-syn-flood flow-based configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of flow-based TCP SYN flood attack prevention.
<Sysname> display tcp anti-syn-flood flow-based configuration
Flow-based TCP SYN flood attack prevention is enabled.
Check interval: 1 seconds
Duration: 5 minutes
Threshold: 100 packets per check interval
Table 3 Command output

Field | Description |
---|---|
Flow-based TCP SYN flood attack prevention is enabled. | The flow-based TCP SYN flood attack prevention feature is enabled. |
Flow-based TCP SYN flood attack prevention is disabled. | The flow-based TCP SYN flood attack prevention feature is disabled. |
Check interval | Check interval of flow-based TCP SYN flood attack prevention, in seconds. |
Duration | Flow-based TCP SYN flood attack prevention duration, in minutes. |
Threshold | Threshold for triggering flow-based TCP SYN flood attack prevention, in packets per check interval. |
Related commands
tcp anti-syn-flood flow-based enable
display tcp anti-syn-flood flow-based entry
Use display tcp anti-syn-flood flow-based entry to display IPv4 flow-based TCP SYN flood attack prevention entries.
Syntax
display tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To display IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command displays IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about IPv4 flow-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv4 flow-based TCP SYN flood attack prevention entries.
Examples
# Display brief information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 1 on the public network.
<Sysname> display tcp anti-syn-flood flow-based entry slot 1
SrcAddr DstPort VPN Type Packets dropped
1.1.1.1 179 -- MPLS 12345678
2.1.1.1 179 -- IP 87654321
# Display detailed information about IPv4 flow-based TCP SYN flood attack prevention entries on slot 1 on the public network.
<Sysname> display tcp anti-syn-flood flow-based entry slot 1 verbose
SrcAddr: 1.1.1.1
DstPort: 179
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678
SrcAddr: 2.1.1.1
DstPort: 179
VPN: 1
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:30:00
Packets dropped: 87654321
Table 4 Command output

Field | Description |
---|---|
SrcAddr | Source IPv4 address of the TCP SYN flood attack packets. |
DstPort | Destination port number of the TCP SYN flood attack packets. |
VPN | Name of the VPN instance. This field displays hyphens (--) for the public network. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the flow-based TCP SYN flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the IPv4 flow-based TCP SYN flood attack prevention entry, in seconds. |
Attack time | Time when the TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS. |
Packets dropped | Total number of packets dropped by IPv4 flow-based TCP SYN flood attack prevention. |
Related commands
reset tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood flow-based statistics
display tcp anti-syn-flood flow-based entry count
Use display tcp anti-syn-flood flow-based entry count to display the number of IPv4 flow-based TCP SYN flood attack prevention entries.
Syntax
display tcp anti-syn-flood flow-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of IPv4 flow-based TCP SYN flood attack prevention entries on slot 1.
<Sysname> display tcp anti-syn-flood flow-based entry slot 1 count
Total flow-based entries: 2
Table 5 Command output

Field | Description |
---|---|
Total flow-based entries | Total number of IPv4 flow-based TCP SYN flood attack prevention entries. |
Related commands
reset tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood flow-based statistics
display tcp anti-syn-flood interface-based configuration
Use display tcp anti-syn-flood interface-based configuration to display the configuration of interface-based TCP SYN flood attack prevention.
Syntax
display tcp anti-syn-flood interface-based configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of interface-based TCP SYN flood attack prevention.
<Sysname> display tcp anti-syn-flood interface-based configuration
Interface-based TCP SYN flood attack prevention is enabled.
Check interval: 1 seconds
Duration: 5 minutes
Threshold: 100 packets per check interval
Table 6 Command output

Field | Description |
---|---|
Interface-based TCP SYN flood attack prevention is enabled. | The interface-based TCP SYN flood attack prevention feature is enabled. |
Interface-based TCP SYN flood attack prevention is disabled. | The interface-based TCP SYN flood attack prevention feature is disabled. |
Check interval | Check interval of interface-based TCP SYN flood attack prevention, in seconds. |
Duration | Interface-based TCP SYN flood attack prevention duration, in minutes. |
Threshold | Threshold for triggering interface-based TCP SYN flood attack prevention, in packets per check interval. |
Related commands
tcp anti-syn-flood interface-based enable
display tcp anti-syn-flood interface-based entry
Use display tcp anti-syn-flood interface-based entry to display interface-based TCP SYN flood attack prevention entries.
Syntax
display tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays interface-based TCP SYN flood attack prevention entries for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays interface-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about interface-based TCP SYN flood attack prevention entries. If you do not specify this keyword, the command displays brief information about interface-based TCP SYN flood attack prevention entries.
Examples
# Display brief information about interface-based TCP SYN flood attack prevention entries on slot 1.
<Sysname> display tcp anti-syn-flood interface-based entry slot 1
Interface Type Packets totally received
XGE3/0/1 MPLS 18446
XGE3/0/2 IP 12345
# Display detailed information about interface-based TCP SYN flood attack prevention entries on slot 1.
<Sysname> display tcp anti-syn-flood interface-based entry slot 1 verbose
Interface: XGE3/0/1
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/08/07 10:33:35
Packets totally received: 18446
Packets sent to CPU: 184
Interface: XGE3/0/2
Type: IP
Hardware status: Succeeded
Aging time: 3210 seconds
Attack time: 2018/08/07 09:33:12
Packets totally received: 12345
Packets sent to CPU: 100
Table 7 Command output

Field | Description |
---|---|
Interface | Interface where the TCP SYN flood attack is detected. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the interface-based TCP SYN flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the interface-based TCP SYN flood attack prevention entry, in seconds. |
Attack time | Time when the interface-based TCP SYN flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS. |
Packets totally received | Total number of received packets. |
Packets sent to CPU | Number of packets sent to the CPU. |
Related commands
reset tcp anti-syn-flood interface-based entry
reset tcp anti-syn-flood interface-based statistics
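The verbose outputs of the flow-based and interface-based entry display commands above share one "Field: Value" layout. The parser below is an added example, not part of the command reference, for pulling those entries into records a monitoring job can check, in particular for entries whose Hardware status is not Succeeded (the attack was detected but nothing is being dropped in hardware). The sample text reuses the page's IPv4 and interface examples plus one constructed entry; the helper names are the author's own.

```python
from datetime import datetime
from typing import Any, Dict, List, Optional

# Fields whose value is an integer, possibly followed by a unit ("5432 seconds").
INT_FIELDS = {"DstPort", "Aging time", "Packets dropped",
              "Packets totally received", "Packets sent to CPU"}
# The first field of each entry in the verbose output starts a new record.
RECORD_START = {"SrcAddr", "Interface"}
TIME_FMT = "%Y/%m/%d %H:%M:%S"   # format the page gives for Attack time


def parse_entries(text: str) -> List[Dict[str, Any]]:
    """Parse 'display ... anti-syn-flood ... entry ... verbose' output
    (flow-based IPv4/IPv6 or interface-based) into a list of records."""
    entries: List[Dict[str, Any]] = []
    cur: Optional[Dict[str, Any]] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the echoed command prompt.
        if not line or line.startswith("<") or ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key in RECORD_START:
            cur = {}
            entries.append(cur)
        if cur is None:
            continue
        if key in INT_FIELDS:
            cur[key] = int(value.split()[0])
        elif key == "Attack time":
            cur[key] = datetime.strptime(value, TIME_FMT)
        elif key == "VPN" and value == "--":
            cur[key] = None            # hyphens mean the public network
        else:
            cur[key] = value
    return entries


def unprogrammed(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Entries the hardware did not accept (Failed / Not enough resources):
    the flow was detected, but the drop rule is not active in hardware."""
    return [e for e in entries if e.get("Hardware status") != "Succeeded"]


def dropped_by_port(entries: List[Dict[str, Any]]) -> Dict[int, int]:
    """Sum of dropped packets per destination port (flow-based entries only)."""
    totals: Dict[int, int] = {}
    for e in entries:
        if "DstPort" in e:
            totals[e["DstPort"]] = totals.get(e["DstPort"], 0) + e.get("Packets dropped", 0)
    return totals


# Sample input: the page's IPv4 verbose example plus one constructed entry (3.1.1.1).
FLOW_SAMPLE = """\
<Sysname> display tcp anti-syn-flood flow-based entry slot 1 verbose
SrcAddr: 1.1.1.1
DstPort: 179
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678
SrcAddr: 2.1.1.1
DstPort: 179
VPN: 1
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:30:00
Packets dropped: 87654321
SrcAddr: 3.1.1.1
DstPort: 22
VPN: --
Type: IP
Hardware status: Not enough resources
Aging time: 12 seconds
Attack time: 2018/01/07 18:56:10
Packets dropped: 0
"""
# Sample input: the page's interface-based verbose example.
IFACE_SAMPLE = """\
<Sysname> display tcp anti-syn-flood interface-based entry slot 1 verbose
Interface: XGE3/0/1
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/08/07 10:33:35
Packets totally received: 18446
Packets sent to CPU: 184
Interface: XGE3/0/2
Type: IP
Hardware status: Succeeded
Aging time: 3210 seconds
Attack time: 2018/08/07 09:33:12
Packets totally received: 12345
Packets sent to CPU: 100
"""
```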
display tcp anti-syn-flood interface-based entry count
Use display tcp anti-syn-flood interface-based entry count to display the number of interface-based TCP SYN flood attack prevention entries.
Syntax
display tcp anti-syn-flood interface-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of interface-based TCP SYN flood attack prevention entries on slot 1.
<Sysname> display tcp anti-syn-flood interface-based entry slot 1 count
Total interface-based entries: 2
Table 8 Command output

Field | Description |
---|---|
Total interface-based entries | Total number of interface-based TCP SYN flood attack prevention entries. |
Related commands
reset tcp anti-syn-flood interface-based entry
reset tcp anti-syn-flood interface-based statistics
reset ipv6 tcp anti-syn-flood flow-based entry
Use reset ipv6 tcp anti-syn-flood flow-based entry to delete IPv6 flow-based TCP SYN flood attack prevention entries.
Syntax
reset ipv6 tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv6 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv6 flow-based TCP SYN flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv6 flow-based TCP SYN flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all IPv6 flow-based TCP SYN flood attack prevention entries on the public network.
Examples
# Delete IPv6 flow-based TCP SYN flood attack prevention entries with source IP address 2000::1 and destination port number 179 on the public network.
<Sysname> reset ipv6 tcp anti-syn-flood flow-based entry destination-port 179 source 2000::1
Related commands
display ipv6 tcp anti-syn-flood flow-based entry
reset ipv6 tcp anti-syn-flood flow-based statistics
Use reset ipv6 tcp anti-syn-flood flow-based statistics to clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.
Syntax
reset ipv6 tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all IPv6 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.
Examples
# Clear statistics for IPv6 TCP SYN packets with source IPv6 address 2000::1 and destination port number 179 dropped by flow-based TCP SYN flood attack prevention on the public network.
<Sysname> reset ipv6 tcp anti-syn-flood flow-based statistics destination-port 179 source 2000::1
Related commands
display ipv6 tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood flow-based entry
Use reset tcp anti-syn-flood flow-based entry to delete IPv4 flow-based TCP SYN flood attack prevention entries.
Syntax
reset tcp anti-syn-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network and VPN instances. To delete IPv4 flow-based TCP SYN flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command deletes IPv4 flow-based TCP SYN flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv4 flow-based TCP SYN flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all IPv4 flow-based TCP SYN flood attack prevention entries on the public network.
Examples
# Delete IPv4 flow-based TCP SYN flood attack prevention entries with source IPv4 address 2.2.2.2 and destination port number 179 on the public network.
<Sysname> reset tcp anti-syn-flood flow-based entry destination-port 179 source 2.2.2.2
Related commands
display tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood flow-based statistics
Use reset tcp anti-syn-flood flow-based statistics to clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention.
Syntax
reset tcp anti-syn-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network and VPN instances. To clear statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 TCP SYN flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 TCP SYN flood attack packets. If you do not specify this option, the command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all IPv4 TCP SYN packets dropped by flow-based TCP SYN flood attack prevention on the public network.
Examples
# Clear statistics for IPv4 TCP SYN packets with source IP address 2.2.2.2 and destination port number 179 dropped by flow-based TCP SYN flood attack prevention on the public network.
<Sysname> reset tcp anti-syn-flood flow-based statistics destination-port 179 source 2.2.2.2
Related commands
display tcp anti-syn-flood flow-based entry
reset tcp anti-syn-flood interface-based entry
Use reset tcp anti-syn-flood interface-based entry to delete interface-based TCP SYN flood attack prevention entries.
Syntax
reset tcp anti-syn-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command deletes interface-based TCP SYN flood attack prevention entries for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes interface-based TCP SYN flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes interface-based TCP SYN flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all interface-based TCP SYN flood attack prevention entries.
Examples
# Delete all interface-based TCP SYN flood attack prevention entries.
<Sysname> reset tcp anti-syn-flood interface-based entry
Related commands
display tcp anti-syn-flood interface-based entry
reset tcp anti-syn-flood interface-based statistics
Use reset tcp anti-syn-flood interface-based statistics to clear statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention.
Syntax
reset tcp anti-syn-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for TCP SYN packets received by interface-based TCP SYN flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all TCP SYN packets received by interface-based TCP SYN flood attack prevention.
Examples
# Clear statistics for all TCP SYN packets received by interface-based TCP SYN flood attack prevention.
<Sysname> reset tcp anti-syn-flood interface-based statistics
Related commands
display tcp anti-syn-flood interface-based entry
tcp anti-syn-flood flow-based duration
Use tcp anti-syn-flood flow-based duration to set the flow-based TCP SYN flood attack prevention duration.
Use undo tcp anti-syn-flood flow-based duration to restore the default.
Syntax
tcp anti-syn-flood flow-based duration minutes
undo tcp anti-syn-flood flow-based duration
Default
The flow-based TCP SYN flood attack prevention duration is 5 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
minutes: Specifies the flow-based TCP SYN flood attack prevention duration in minutes. The value range is 1 to 3600.
Usage guidelines
After you enable flow-based TCP SYN flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and drops subsequent SYN packets received in the TCP SYN flood attack prevention duration. The device returns to the attack detection state when the duration expires.
Examples
# Set the flow-based TCP SYN flood attack prevention duration to 10 minutes.
<Sysname> system-view
[Sysname] tcp anti-syn-flood flow-based duration 10
Related commands
display tcp anti-syn-flood flow-based configuration
tcp anti-syn-flood flow-based enable
tcp anti-syn-flood flow-based check-interval
tcp anti-syn-flood flow-based threshold
tcp anti-syn-flood flow-based enable
Use tcp anti-syn-flood flow-based enable to enable flow-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood flow-based enable to disable flow-based TCP SYN flood attack prevention.
Syntax
tcp anti-syn-flood flow-based enable
undo tcp anti-syn-flood flow-based enable
Default
Flow-based TCP SYN flood attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server, which opens a half-open connection and responds to each request. However, the server never receives the expected ACK packets. Because all of its resources are bound to half-open connections, the server cannot accept new incoming connection requests.
The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.
Examples
# Enable flow-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood flow-based enable
Related commands
display tcp anti-syn-flood flow-based configuration
tcp anti-syn-flood flow-based check-interval
tcp anti-syn-flood flow-based threshold
tcp anti-syn-flood flow-based duration
tcp anti-syn-flood flow-based threshold
Use tcp anti-syn-flood flow-based threshold to set the threshold for triggering flow-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood flow-based threshold to restore the default.
Syntax
tcp anti-syn-flood flow-based threshold threshold-value
undo tcp anti-syn-flood flow-based threshold
Default
The threshold is 100 packets per check interval for triggering flow-based TCP SYN flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
threshold threshold-value: Specifies the threshold for triggering flow-based TCP SYN flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of TCP SYN packets that can be received per flow within a check interval.
Usage guidelines
The flow-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-flow basis. When the number of received SYN packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent SYN packets.
Examples
# Set the threshold to 200 for triggering flow-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood flow-based threshold 200
Related commands
display tcp anti-syn-flood flow-based configuration
tcp anti-syn-flood flow-based check-interval
tcp anti-syn-flood flow-based enable
tcp anti-syn-flood flow-based duration
tcp anti-syn-flood interface-based check-interval
Use tcp anti-syn-flood interface-based check-interval to set the check interval for interface-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood interface-based check-interval to restore the default.
Syntax
tcp anti-syn-flood interface-based check-interval interval
undo tcp anti-syn-flood interface-based check-interval
Default
The check interval is 1 second for interface-based TCP SYN flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval for interface-based TCP SYN flood attack prevention, in seconds. The value range is 1 to 60.
Usage guidelines
The interface-based TCP SYN flood attack prevention feature monitors the number of received SYN packets on a per-interface basis. When the number of SYN packets received on an interface within a check interval reaches or exceeds the threshold, the device enters prevention state and limits the SYN packet receiving rate on the interface.
If attacks occur frequently in your network, set a short check interval so that TCP SYN flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 30 seconds for interface-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood interface-based check-interval 30
Related commands
display tcp anti-syn-flood interface-based configuration
tcp anti-syn-flood interface-based duration
tcp anti-syn-flood interface-based enable
tcp anti-syn-flood interface-based threshold
tcp anti-syn-flood interface-based duration
Use tcp anti-syn-flood interface-based duration to set the interface-based TCP SYN flood attack prevention duration.
Use undo tcp anti-syn-flood interface-based duration to restore the default.
Syntax
tcp anti-syn-flood interface-based duration minutes
undo tcp anti-syn-flood interface-based duration
Default
The interface-based TCP SYN flood attack prevention duration is 5 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
minutes: Specifies the interface-based TCP SYN flood attack prevention duration in minutes. The value range is 1 to 3600.
Usage guidelines
After you enable interface-based TCP SYN flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and limits the receiving rate of subsequent SYN packets in the TCP SYN flood attack prevention duration. The device returns to attack detection state when the duration expires.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the interface-based TCP SYN flood attack prevention duration to 1 minute.
<Sysname> system-view
[Sysname] tcp anti-syn-flood interface-based duration 1
Related commands
display tcp anti-syn-flood interface-based configuration
tcp anti-syn-flood interface-based check-interval
tcp anti-syn-flood interface-based enable
tcp anti-syn-flood interface-based threshold
tcp anti-syn-flood interface-based enable
Use tcp anti-syn-flood interface-based enable to enable interface-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood interface-based enable to disable interface-based TCP SYN flood attack prevention.
Syntax
tcp anti-syn-flood interface-based enable
undo tcp anti-syn-flood interface-based enable
Default
Interface-based TCP SYN flood attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
A SYN flood attacker exploits the characteristics of the TCP three-way handshake to make the victim unresponsive to legitimate users. The attacker sends a large number of SYN packets to a server, which opens a half-open connection and responds to each request. However, the server never receives the expected ACK packets. Because all of its resources are bound to half-open connections, the server cannot accept new incoming connection requests.
The interface-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-interface basis. When the number of received SYN packets within a check interval reaches or exceeds the threshold on an interface, the device determines that an attack occurs and limits the SYN packet receiving rate on the interface.
Examples
# Enable interface-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood interface-based enable
Related commands
display tcp anti-syn-flood interface-based configuration
tcp anti-syn-flood interface-based duration
tcp anti-syn-flood interface-based check-interval
tcp anti-syn-flood interface-based threshold
tcp anti-syn-flood interface-based threshold
Use tcp anti-syn-flood interface-based threshold to set the threshold for triggering interface-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood interface-based threshold to restore the default.
Syntax
tcp anti-syn-flood interface-based threshold threshold-value
undo tcp anti-syn-flood interface-based threshold
Default
The threshold is 100 packets per check interval for triggering interface-based TCP SYN flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
threshold threshold-value: Specifies the threshold for triggering interface-based TCP SYN flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of TCP SYN packets that can be received on an interface within a check interval.
Usage guidelines
The interface-based TCP SYN flood attack prevention feature monitors the SYN packet receiving rate on a per-interface basis. When the number of received SYN packets on an interface within a check interval reaches or exceeds the threshold, the device determines that the interface is attacked.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the threshold to 10000 for triggering interface-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood interface-based threshold 10000
Related commands
display tcp anti-syn-flood interface-based configuration
tcp anti-syn-flood interface-based check-interval
tcp anti-syn-flood interface-based duration
tcp anti-syn-flood interface-based enable
tcp anti-syn-flood log enable
Use tcp anti-syn-flood log enable to enable logging for TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood log enable to disable logging for TCP SYN flood attack prevention.
Syntax
tcp anti-syn-flood log enable
undo tcp anti-syn-flood log enable
Default
Logging is disabled for TCP SYN flood attack prevention.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature generates TCP SYN flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
To avoid the device performance being degraded by excessive TCP SYN flood attack prevention logs, disable this feature as a best practice. Enable this feature only for auditing or troubleshooting.
Examples
# Enable logging for TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood log enable
Related commands
tcp anti-syn-flood flow-based enable
tcp anti-syn-flood interface-based enable
tcp anti-syn-flood flow-based check-interval
Use tcp anti-syn-flood flow-based check-interval to set the check interval for flow-based TCP SYN flood attack prevention.
Use undo tcp anti-syn-flood flow-based check-interval to restore the default.
Syntax
tcp anti-syn-flood flow-based check-interval interval
undo tcp anti-syn-flood flow-based check-interval
Default
The check interval is 1 second for flow-based TCP SYN flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval for flow-based TCP SYN flood attack prevention, in seconds. The value range is 1 to 60.
Usage guidelines
The flow-based TCP SYN flood attack prevention feature uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received SYN packets within a check interval exceeds the threshold, the device enters prevention state and drops subsequent SYN packets.
If attacks occur frequently in your network, set a short check interval so that TCP SYN flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
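The detection state machine that the flow-based and interface-based TCP SYN flood attack prevention commands configure (check interval, threshold, duration, and the flow key described above) can be followed in a small simulation. The Python code below is an added example, not the device's implementation: the device counts SYN packets in hardware, whereas this replays a constructed packet trace through the same logic. The names SynPacket and SynFloodDetector, the "flow" and "interface" modes, and the sample addresses and interface name are assumptions for illustration. The reference says only that interface-based prevention "limits the SYN packet receiving rate", so the limit used here (at most threshold SYN packets per check interval while in prevention state) is also an assumption.

```python
"""Simulation of the TCP SYN flood attack prevention state machine.

Added example, not device code. The device counts SYN packets in hardware;
this replays a constructed packet trace through the same logic:
detection state -> threshold reached within a check interval ->
prevention state for `duration` minutes -> back to detection state.
"""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Hashable, List, Tuple

# Constructed packet record (hypothetical field names).
SynPacket = namedtuple("SynPacket", "time src dport vpn ptype iface")


@dataclass
class _Entry:
    window_start: float         # start of the current check interval
    count: int = 0              # SYN packets counted in that interval
    prevent_until: float = 0.0  # non-zero while in prevention state
    dropped: int = 0


class SynFloodDetector:
    """mode='flow': one entry per (source, destination port, VPN, packet type);
    drops every SYN while in prevention state.  mode='interface': one entry per
    interface; while in prevention state forwards at most `threshold` SYNs per
    check interval (this rate-limit value is an assumption)."""

    def __init__(self, check_interval=1, threshold=100, duration=5, mode="flow"):
        self.check_interval = check_interval   # seconds, CLI default 1
        self.threshold = threshold             # packets per interval, CLI default 100
        self.duration_s = duration * 60        # CLI takes minutes, default 5
        self.mode = mode
        self.entries: Dict[Hashable, _Entry] = {}

    def _key(self, pkt: SynPacket) -> Hashable:
        if self.mode == "flow":
            return (pkt.src, pkt.dport, pkt.vpn, pkt.ptype)
        return (pkt.iface, pkt.ptype)

    def _roll_window(self, e: _Entry, now: float) -> None:
        # Advance to the check interval that contains `now`, resetting the count.
        elapsed = now - e.window_start
        if elapsed >= self.check_interval:
            e.window_start += int(elapsed // self.check_interval) * self.check_interval
            e.count = 0

    def process(self, pkt: SynPacket) -> str:
        """Return 'forward' or 'drop' for one SYN packet (packets in time order)."""
        e = self.entries.get(self._key(pkt))
        if e is None:
            e = self.entries[self._key(pkt)] = _Entry(window_start=pkt.time)
        if e.prevent_until and pkt.time >= e.prevent_until:
            # Duration expired: return to detection state, counting afresh.
            e.prevent_until = 0.0
            e.window_start = pkt.time
            e.count = 0
        self._roll_window(e, pkt.time)
        e.count += 1
        if e.prevent_until:                          # prevention state
            if self.mode == "flow" or e.count > self.threshold:
                e.dropped += 1
                return "drop"
            return "forward"
        if e.count >= self.threshold:                # detection state
            # Threshold reached or exceeded: attack detected; subsequent SYNs
            # for this entry are subject to prevention for the duration.
            e.prevent_until = pkt.time + self.duration_s
        return "forward"


def demo_flow_based() -> Tuple[List[str], int]:
    """Constructed trace: 10 SYNs in one second from one source to port 179, a
    quiet second source, then the first source again after the 1-minute duration."""
    det = SynFloodDetector(check_interval=1, threshold=5, duration=1, mode="flow")
    trace = [SynPacket(i / 10, "203.0.113.7", 179, None, "ip", "GE1/0/1") for i in range(10)]
    trace += [SynPacket(0.95 + i / 100, "198.51.100.9", 179, None, "ip", "GE1/0/1") for i in range(3)]
    trace.append(SynPacket(61.0, "203.0.113.7", 179, None, "ip", "GE1/0/1"))
    verdicts = [det.process(p) for p in trace]
    return verdicts, det.entries[("203.0.113.7", 179, None, "ip")].dropped


def demo_interface_based() -> Tuple[List[str], int]:
    """Constructed trace: 10 SYNs in the first second and 7 in the next, from many
    sources on one interface; prevention rate-limits instead of dropping all."""
    det = SynFloodDetector(check_interval=1, threshold=5, duration=1, mode="interface")
    trace = [SynPacket(i / 10, f"192.0.2.{i}", 80, None, "ip", "GE1/0/1") for i in range(10)]
    trace += [SynPacket(1.0 + i / 10, f"192.0.2.{100 + i}", 80, None, "ip", "GE1/0/1") for i in range(7)]
    verdicts = [det.process(p) for p in trace]
    return verdicts, det.entries[("GE1/0/1", "ip")].dropped


if __name__ == "__main__":
    print(demo_flow_based())
    print(demo_interface_based())
```

The two demos show why the check interval matters: with a 1-second interval a burst of 5 SYNs trips the threshold, whereas the same 5 packets spread over 30 seconds would never be counted together. In the flow-based demo the quiet second source to the same port is never affected, because the entry key includes the source address; in the interface-based demo every source on the interface shares one entry and one rate limit.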
Examples
# Set the check interval to 30 seconds for flow-based TCP SYN flood attack prevention.
<Sysname> system-view
[Sysname] tcp anti-syn-flood flow-based check-interval 30
Related commands
display tcp anti-syn-flood flow-based configuration
tcp anti-syn-flood flow-based enable
tcp anti-syn-flood flow-based duration
tcp anti-syn-flood flow-based threshold
UDP flood attack prevention commands
display ipv6 udp anti-flood flow-based entry
Use display ipv6 udp anti-flood flow-based entry to display IPv6 flow-based UDP flood attack prevention entries.
Syntax
display ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays all IPv6 flow-based UDP flood attack prevention entries on the public network and VPN instances. To display IPv6 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command displays IPv6 flow-based UDP flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv6 flow-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about IPv6 flow-based UDP flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv6 flow-based UDP flood attack prevention entries.
Examples
# Display brief information about IPv6 flow-based UDP flood attack prevention entries on slot 1 on the public network.
<Sysname> display ipv6 udp anti-flood flow-based entry slot 1
SrcAddr DstPort VPN Type Packets dropped
2::1 69 -- IP 987654321
# Display detailed information about IPv6 flow-based UDP flood attack prevention entries on slot 1 on the public network.
<Sysname> display ipv6 udp anti-flood flow-based entry slot 1 verbose
SrcAddr: 2::1
DstPort: 69
VPN: --
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/05/18 09:30:00
Packets dropped: 987654321
Table 9 Command output

Field | Description |
---|---|
SrcAddr | Source IPv6 address of the UDP flood attack packets. |
DstPort | Destination port number of the UDP flood attack packets. |
VPN | Name of the VPN instance. This field displays hyphens (--) for the public network. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the flow-based UDP flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the IPv6 flow-based UDP flood attack prevention entry, in seconds. |
Attack time | Time when the IPv6 UDP flood attack was detected, in the format YYYY/MM/DD HH:MM:SS. |
Packets dropped | Total number of packets dropped by IPv6 flow-based UDP flood attack prevention. |
Related commands
reset ipv6 udp anti-flood flow-based entry
reset ipv6 udp anti-flood flow-based statistics
display ipv6 udp anti-flood flow-based entry count
Use display ipv6 udp anti-flood flow-based entry count to display the number of IPv6 flow-based UDP flood attack prevention entries.
Syntax
display ipv6 udp anti-flood flow-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of IPv6 flow-based UDP flood attack prevention entries on slot 1.
<Sysname> display ipv6 udp anti-flood flow-based entry slot 1 count
Total flow-based entries: 2
Table 10 Command output

Field | Description |
---|---|
Total flow-based entries | Total number of IPv6 flow-based UDP flood attack prevention entries. |
Related commands
reset ipv6 udp anti-flood flow-based entry
reset ipv6 udp anti-flood flow-based statistics
display udp anti-flood flow-based configuration
Use display udp anti-flood flow-based configuration to display the configuration of flow-based UDP flood attack prevention.
Syntax
display udp anti-flood flow-based configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of flow-based UDP flood attack prevention.
<Sysname> display udp anti-flood flow-based configuration
Flow-based UDP flood attack prevention is enabled.
Check interval: 1 seconds
Duration: 5 minutes
Threshold: 100 packets per check interval
UDP anti-flood flow-based exclude ipv4 destination-port dns
UDP anti-flood flow-based exclude ipv6 destination-port 100
UDP anti-flood flow-based ipv4 destination-port SNMP check-interval 1 threshold 100
Table 11 Command output

Field | Description |
---|---|
Flow-based UDP flood attack prevention is enabled. | The flow-based UDP flood attack prevention feature is enabled. |
Flow-based UDP flood attack prevention is disabled. | The flow-based UDP flood attack prevention feature is disabled. |
Check interval | Check interval of flow-based UDP flood attack prevention, in seconds. |
Duration | Flow-based UDP flood attack prevention duration, in minutes. |
Threshold | Threshold for triggering flow-based UDP flood attack prevention. |
UDP anti-flood flow-based exclude ipv4/ipv6 destination-port xxx | The protected destination port of an IPv4 or IPv6 packet for flow-based UDP flood attack prevention. |
UDP anti-flood flow-based ipv4/ipv6 destination-port port check-interval xxx threshold yyy | For an IPv4 or IPv6 packet whose destination port is the specified port, the check interval of flow-based UDP flood attack prevention is xxx seconds and the threshold for triggering flow-based UDP flood attack prevention is yyy. |
Related commands
udp anti-flood flow-based destination-port
udp anti-flood flow-based enable
udp anti-flood flow-based exclude destination-port
display udp anti-flood flow-based entry
Use display udp anti-flood flow-based entry to display IPv4 flow-based UDP flood attack prevention entries.
Syntax
display udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays all IPv4 flow-based UDP flood attack prevention entries on the public network and VPN instances. To display IPv4 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command displays IPv4 flow-based UDP flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays IPv4 flow-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about IPv4 flow-based UDP flood attack prevention entries. If you do not specify this keyword, the command displays brief information about IPv4 flow-based UDP flood attack prevention entries.
Examples
# Display brief information about IPv4 flow-based UDP flood attack prevention entries on slot 1 on the public network.
<Sysname> display udp anti-flood flow-based entry slot 1
SrcAddr DstPort VPN Type Packets dropped
1.1.1.1 69 -- MPLS 12345678
2.1.1.1 69 -- IP 87654321
# Display detailed information about IPv4 flow-based UDP flood attack prevention entries on slot 1 on the public network.
<Sysname> display udp anti-flood flow-based entry slot 1 verbose
SrcAddr: 1.1.1.1
DstPort: 69
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678
SrcAddr: 2.1.1.1
DstPort: 69
VPN: 1
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 19:30:00
Packets dropped: 87654321
Table 12 Command output

Field | Description |
---|---|
SrcAddr | Source IPv4 address of the UDP flood attack packets. |
DstPort | Destination port number of the UDP flood attack packets. |
VPN | Name of the VPN instance. This field displays hyphens (--) for the public network. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the flow-based UDP flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the IPv4 flow-based UDP flood attack prevention entry, in seconds. |
Attack time | Time when the UDP flood attack was detected, in the format YYYY/MM/DD HH:MM:SS. |
Packets dropped | Total number of packets dropped by IPv4 flow-based UDP flood attack prevention. |
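For monitoring or auditing, the brief and verbose output shown above can be turned into records and checked, for example for entries whose hardware status is not Succeeded. The Python parsers below are an added example, not part of this reference or of the device software; the sample output embedded as strings is the reference's own example output, and the function names parse_brief, parse_verbose, total_dropped and hardware_failures are assumptions.

```python
"""Parsers for 'display udp anti-flood flow-based entry' output (brief and
verbose forms).  Added example for monitoring automation, not device code.
The sample strings reproduce the example output from the command reference."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

BRIEF_SAMPLE = """\
<Sysname> display udp anti-flood flow-based entry slot 1
SrcAddr DstPort VPN Type Packets dropped
1.1.1.1 69 -- MPLS 12345678
2.1.1.1 69 -- IP 87654321
"""

VERBOSE_SAMPLE = """\
<Sysname> display udp anti-flood flow-based entry slot 1 verbose
SrcAddr: 1.1.1.1
DstPort: 69
VPN: --
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 18:55:03
Packets dropped: 12345678
SrcAddr: 2.1.1.1
DstPort: 69
VPN: 1
Type: IP
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/01/07 19:30:00
Packets dropped: 87654321
"""


def _vpn(text: str) -> Optional[str]:
    # The device prints hyphens (--) for the public network.
    return None if text == "--" else text


def parse_brief(output: str) -> List[Dict]:
    """Parse the brief table.  The header's last column name contains a space,
    so rows are recognised by shape (five tokens, numeric port) rather than
    by splitting the header."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[1].isdigit():
            continue  # prompt echo, header line, or blank line
        src, dport, vpn, ptype, dropped = parts
        entries.append({"src": src, "dport": int(dport), "vpn": _vpn(vpn),
                        "type": ptype, "dropped": int(dropped)})
    return entries


def parse_verbose(output: str) -> List[Dict]:
    """Parse the verbose 'Key: value' listing; each record starts at SrcAddr."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SrcAddr":
            cur = {"src": value}
            entries.append(cur)
        elif cur is None:
            continue
        elif key == "DstPort":
            cur["dport"] = int(value)
        elif key == "VPN":
            cur["vpn"] = _vpn(value)
        elif key == "Type":
            cur["type"] = value
        elif key == "Hardware status":
            cur["hw_status"] = value
        elif key == "Aging time":
            cur["aging_s"] = int(value.split()[0])       # "5432 seconds"
        elif key == "Attack time":
            cur["attack_time"] = datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
        elif key == "Packets dropped":
            cur["dropped"] = int(value)
    return entries


def total_dropped(entries: List[Dict]) -> int:
    return sum(e["dropped"] for e in entries)


def hardware_failures(entries: List[Dict]) -> List[Tuple[str, int, str]]:
    """Entries the device could not set to hardware.  The reference documents
    the status values Succeeded, Failed and Not enough resources; anything
    other than Succeeded is worth an alert."""
    return [(e["src"], e["dport"], e["hw_status"])
            for e in entries if e.get("hw_status") != "Succeeded"]


if __name__ == "__main__":
    print(parse_brief(BRIEF_SAMPLE))
    print(parse_verbose(VERBOSE_SAMPLE))
```

The verbose parser is the one to use for alerting, because only the verbose form carries the hardware status and the attack time; the brief form is enough for trending the dropped-packet counters.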
Related commands
reset udp anti-flood flow-based entry
reset udp anti-flood flow-based statistics
display udp anti-flood flow-based entry count
Use display udp anti-flood flow-based entry count to display the number of IPv4 flow-based UDP flood attack prevention entries.
Syntax
display udp anti-flood flow-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of IPv4 flow-based UDP flood attack prevention entries on slot 1.
<Sysname> display udp anti-flood flow-based entry slot 1 count
Total flow-based entries: 2
Table 13 Command output
Field | Description |
---|---|
Total flow-based entries | Total number of IPv4 flow-based UDP flood attack prevention entries. |
Related commands
reset udp anti-flood flow-based entry
reset udp anti-flood flow-based statistics
display udp anti-flood interface-based configuration
Use display udp anti-flood interface-based configuration to display the configuration of interface-based UDP flood attack prevention.
Syntax
display udp anti-flood interface-based configuration
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of interface-based UDP flood attack prevention.
<Sysname> display udp anti-flood interface-based configuration
Interface-based UDP flood attack prevention is enabled.
Check interval: 1 seconds
Duration: 5 minutes
Threshold: 100 packets per check interval
Table 14 Command output
Field | Description |
---|---|
Interface-based UDP flood attack prevention is enabled. | The interface-based UDP flood attack prevention feature is enabled. |
Interface-based UDP flood attack prevention is disabled. | The interface-based UDP flood attack prevention feature is disabled. |
Check interval | Check interval of interface-based UDP flood attack prevention, in seconds. |
Duration | Interface-based UDP flood attack prevention duration, in minutes. |
Threshold | Threshold for triggering interface-based UDP flood attack prevention, in packets per check interval. |
Related commands
udp anti-flood interface-based enable
display udp anti-flood interface-based entry
Use display udp anti-flood interface-based entry to display interface-based UDP flood attack prevention entries.
Syntax
display udp anti-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * slot slot-number [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays interface-based UDP flood attack prevention entries for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command displays interface-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number.
verbose: Displays detailed information about interface-based UDP flood attack prevention entries. If you do not specify this keyword, the command displays brief information about interface-based UDP flood attack prevention entries.
Examples
# Display brief information about interface-based UDP flood attack prevention entries on slot 1.
<Sysname> display udp anti-flood interface-based entry slot 1
Interface Type Packets totally received
XGE3/0/1 MPLS 18446
XGE3/0/2 IP 12345
# Display detailed information about interface-based UDP flood attack prevention entries on slot 1.
<Sysname> display udp anti-flood interface-based entry slot 1 verbose
Interface: XGE3/0/1
Type: MPLS
Hardware status: Succeeded
Aging time: 5432 seconds
Attack time: 2018/08/07 10:33:35
Packets totally received: 18446
Packets sent to CPU: 184
Interface: XGE3/0/2
Type: IP
Hardware status: Succeeded
Aging time: 3210 seconds
Attack time: 2018/08/07 09:33:12
Packets totally received: 12345
Packets sent to CPU: 100
Table 15 Command output
Field | Description |
---|---|
Interface | Interface on which the UDP flood attack was detected. |
Type | Packet type: MPLS or IP. |
Hardware status | Status of setting the interface-based UDP flood attack prevention entry to hardware: Succeeded, Failed, or Not enough resources. |
Aging time | Remaining lifetime of the interface-based UDP flood attack prevention entry, in seconds. |
Attack time | Time when the interface-based UDP flood attack was detected, in the format of YYYY/MM/DD HH:MM:SS. |
Packets totally received | Total number of UDP packets received on the interface. |
Packets sent to CPU | Number of received UDP packets sent to the CPU. |
Related commands
reset udp anti-flood interface-based entry
reset udp anti-flood interface-based statistics
display udp anti-flood interface-based entry count
Use display udp anti-flood interface-based entry count to display the number of interface-based UDP flood attack prevention entries.
Syntax
display udp anti-flood interface-based entry slot slot-number count
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number.
Examples
# Display the number of interface-based UDP flood attack prevention entries on slot 1.
<Sysname> display udp anti-flood interface-based entry slot 1 count
Total interface-based entries: 2
Table 16 Command output
Field | Description |
---|---|
Total interface-based entries | Total number of interface-based UDP flood attack prevention entries. |
Related commands
reset udp anti-flood interface-based entry
reset udp anti-flood interface-based statistics
reset ipv6 udp anti-flood flow-based entry
Use reset ipv6 udp anti-flood flow-based entry to delete IPv6 flow-based UDP flood attack prevention entries.
Syntax
reset ipv6 udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Deletes all IPv6 flow-based UDP flood attack prevention entries on the public network and VPN instances. To delete IPv6 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command deletes IPv6 flow-based UDP flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv6 flow-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv6 flow-based UDP flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all IPv6 flow-based UDP flood attack prevention entries on the public network.
Examples
# Delete IPv6 flow-based UDP flood attack prevention entries with source IP address 2000::1 and destination port number 69 on the public network.
<Sysname> reset ipv6 udp anti-flood flow-based entry destination-port 69 source 2000::1
Related commands
display ipv6 udp anti-flood flow-based entry
reset ipv6 udp anti-flood flow-based statistics
Use reset ipv6 udp anti-flood flow-based statistics to clear statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention.
Syntax
reset ipv6 udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv6-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network and VPN instances. To clear statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network.
destination-port port-number: Specifies the destination port number of the IPv6 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention with all destination ports.
source ipv6-address: Specifies the source IPv6 address of the IPv6 UDP flood attack packets. If you do not specify this option, the command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv6 UDP packets dropped by flow-based UDP flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all IPv6 UDP packets dropped by flow-based UDP flood attack prevention on the public network.
Examples
# Clear statistics for IPv6 UDP packets with source IPv6 address 2000::1 and destination port number 69 dropped by flow-based UDP flood attack prevention on the public network.
<Sysname> reset ipv6 udp anti-flood flow-based statistics destination-port 69 source 2000::1
Related commands
display ipv6 udp anti-flood flow-based entry
reset udp anti-flood flow-based entry
Use reset udp anti-flood flow-based entry to delete IPv4 flow-based UDP flood attack prevention entries.
Syntax
reset udp anti-flood flow-based entry [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Deletes all IPv4 flow-based UDP flood attack prevention entries on the public network and VPN instances. To delete IPv4 flow-based UDP flood attack prevention entries only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command deletes IPv4 flow-based UDP flood attack prevention entries with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes IPv4 flow-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes IPv4 flow-based UDP flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all IPv4 flow-based UDP flood attack prevention entries on the public network.
Examples
# Delete IPv4 flow-based UDP flood attack prevention entries with source IPv4 address 2.2.2.2 and destination port number 69 on the public network.
<Sysname> reset udp anti-flood flow-based entry destination-port 69 source 2.2.2.2
Related commands
display udp anti-flood flow-based entry
reset udp anti-flood flow-based statistics
Use reset udp anti-flood flow-based statistics to clear statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention.
Syntax
reset udp anti-flood flow-based statistics [ { all | vpn-instance vpn-instance-name } | destination-port port-number | source ipv4-address | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network and VPN instances. To clear statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention only for the public network, do not specify this keyword.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network.
destination-port port-number: Specifies the destination port number of the IPv4 UDP flood attack packets. The port-number argument specifies a port number in the range of 0 to 65535. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention with all destination ports.
source ipv4-address: Specifies the source IPv4 address of the IPv4 UDP flood attack packets. If you do not specify this option, the command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention with all source addresses.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for IPv4 UDP packets dropped by flow-based UDP flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all IPv4 UDP packets dropped by flow-based UDP flood attack prevention on the public network.
Examples
# Clear statistics for IPv4 UDP packets with source IP address 2.2.2.2 and destination port number 69 dropped by flow-based UDP flood attack prevention on the public network.
<Sysname> reset udp anti-flood flow-based statistics destination-port 69 source 2.2.2.2
Related commands
display udp anti-flood flow-based entry
reset udp anti-flood interface-based entry
Use reset udp anti-flood interface-based entry to delete interface-based UDP flood attack prevention entries.
Syntax
reset udp anti-flood interface-based entry [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command deletes interface-based UDP flood attack prevention entries for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command deletes interface-based UDP flood attack prevention entries for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command deletes interface-based UDP flood attack prevention entries on all cards.
Usage guidelines
If you do not specify any parameters, this command deletes all interface-based UDP flood attack prevention entries.
Examples
# Delete all interface-based UDP flood attack prevention entries.
<Sysname> reset udp anti-flood interface-based entry
Related commands
display udp anti-flood interface-based entry
reset udp anti-flood interface-based statistics
Use reset udp anti-flood interface-based statistics to clear statistics for UDP packets received by interface-based UDP flood attack prevention.
Syntax
reset udp anti-flood interface-based statistics [ interface interface-type interface-number | type { ip | mpls } ] * [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command clears statistics for UDP packets received by interface-based UDP flood attack prevention for all interfaces.
type { ip | mpls }: Specifies the packet type. The ip keyword represents IP packets and the mpls keyword represents MPLS packets. If no type is specified, this command clears statistics for UDP packets received by interface-based UDP flood attack prevention for all packet types.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for UDP packets received by interface-based UDP flood attack prevention on all cards.
Usage guidelines
If you do not specify any parameters, this command clears statistics for all UDP packets received by interface-based UDP flood attack prevention.
Examples
# Clear statistics for all UDP packets received by interface-based UDP flood attack prevention.
<Sysname> reset udp anti-flood interface-based statistics
Related commands
display udp anti-flood interface-based entry
udp anti-flood flow-based check-interval
Use udp anti-flood flow-based check-interval to set the check interval for flow-based UDP flood attack prevention.
Use undo udp anti-flood flow-based check-interval to restore the default.
Syntax
udp anti-flood flow-based check-interval interval
undo udp anti-flood flow-based check-interval
Default
The check interval is 1 second for flow-based UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval for flow-based UDP flood attack prevention, in seconds. The value range is 1 to 60.
Usage guidelines
The flow-based UDP flood attack prevention feature uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received UDP packets within a check interval reaches or exceeds the threshold, the device enters prevention state and drops subsequent UDP packets.
If attacks occur frequently in your network, set a short check interval so that UDP flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 30 seconds for flow-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood flow-based check-interval 30
Related commands
display udp anti-flood flow-based configuration
udp anti-flood flow-based enable
udp anti-flood flow-based duration
udp anti-flood flow-based threshold
udp anti-flood flow-based destination-port
Use udp anti-flood flow-based destination-port to set the check interval and triggering threshold for flow-based UDP flood attack prevention on a specified destination port.
Use undo udp anti-flood flow-based destination-port to restore the default.
Syntax
udp anti-flood flow-based { ipv4 | ipv6 } destination-port port-number [ check-interval interval ] [ threshold threshold-value ]
undo udp anti-flood flow-based { ipv4 | ipv6 } destination-port port-number
Default
The check interval is 1 second for flow-based UDP flood attack prevention and the threshold for triggering flow-based UDP flood attack prevention is 100 packets per check interval.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4: Specifies IPv4 packet attacks.
ipv6: Specifies IPv6 packet attacks.
port-number: Specifies the destination UDP port number. You can specify the value for this argument as follows:
· Specify the port-number argument as a number in the range of 0 to 65535.
· Specify the port-number argument as a protocol name. The value can be biff (512), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
interval: Specifies the check interval for flow-based UDP flood attack prevention on a specified destination port. The value range is 1 to 60 seconds.
threshold-value: Specifies the threshold for triggering flow-based UDP flood attack prevention on the specified destination port, in the range of 1 to 1000000. This threshold defines the maximum number of UDP packets that can be received per flow within a check interval on the destination port.
Usage guidelines
When the number of received UDP packets in a flow within a check interval on a specified destination port reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent UDP packets sent to the port.
If attacks occur frequently in your network, set a short check interval so that UDP flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 10 seconds and the triggering threshold to 10 for IPv4 flow-based UDP flood attack prevention on destination port 53.
<Sysname> system-view
[Sysname] udp anti-flood flow-based ipv4 destination-port 53 check-interval 10 threshold 10
udp anti-flood flow-based duration
Use udp anti-flood flow-based duration to set the flow-based UDP flood attack prevention duration.
Use undo udp anti-flood flow-based duration to restore the default.
Syntax
udp anti-flood flow-based duration minutes
undo udp anti-flood flow-based duration
Default
The flow-based UDP flood attack prevention duration is 5 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
minutes: Specifies the flow-based UDP flood attack prevention duration, in minutes. The value range is 1 to 3600.
Usage guidelines
After you enable flow-based UDP flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and drops subsequent UDP packets received in the prevention duration. The device returns to the attack detection state when the duration expires.
Examples
# Set the flow-based UDP flood attack prevention duration to 10 minutes.
<Sysname> system-view
[Sysname] udp anti-flood flow-based duration 10
Related commands
display udp anti-flood flow-based configuration
udp anti-flood flow-based enable
udp anti-flood flow-based check-interval
udp anti-flood flow-based threshold
udp anti-flood flow-based enable
Use udp anti-flood flow-based enable to enable flow-based UDP flood attack prevention.
Use undo udp anti-flood flow-based enable to disable flow-based UDP flood attack prevention.
Syntax
udp anti-flood flow-based enable
undo udp anti-flood flow-based enable
Default
Flow-based UDP flood attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The flow-based UDP flood attack prevention feature monitors the UDP packet receiving rate on a per-flow basis. The device uses the source IP address, destination port number, VPN instance, and packet type to identify a flow. When the number of received UDP packets within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent UDP packets.
Examples
# Enable flow-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood flow-based enable
Related commands
display udp anti-flood flow-based configuration
udp anti-flood flow-based check-interval
udp anti-flood flow-based threshold
udp anti-flood flow-based duration
udp anti-flood flow-based exclude destination-port
Use udp anti-flood flow-based exclude destination-port to configure a protected destination port for flow-based UDP flood attack prevention.
Use undo udp anti-flood flow-based exclude destination-port to cancel protection for the destination port.
Syntax
udp anti-flood flow-based exclude { ipv4 | ipv6 } destination-port port-number
undo udp anti-flood flow-based exclude { ipv4 | ipv6 } destination-port port-number
Default
No protected destination port is configured for flow-based UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4: Specifies IPv4 packet attacks.
ipv6: Specifies IPv6 packet attacks.
port-number: Specifies the destination UDP port number. You can specify the value for this argument as follows:
· Specify the port-number argument as a number in the range of 0 to 65535.
· Specify the port-number argument as a protocol name. The value can be biff (512), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177), ldp (646), bfdctl (3784), bfdecho (3785), bfdmultihop (4784), bfdlagg (6784), sbfd (7784), L2TP (1702), and vxlan (4789).
The bootps (67), bootpc (68), dhcpv6-client (546), dhcpv6-server (547), L2TP (1701), and VXLAN extension (4790) ports are protected ports by default.
Usage guidelines
After you enable flow-based UDP flood attack prevention, you can configure the UDP destination port of a protocol as a protected port so that the protocol packets are allowed to pass. UDP packets whose destination port is a protected port are never identified as attack packets and are not counted toward the flow-based threshold.
Examples
# Configure 53 as a protected destination port for flow-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood flow-based exclude ipv4 destination-port 53
Related commands
display udp anti-flood flow-based configuration
udp anti-flood flow-based enable
udp anti-flood flow-based threshold
Use udp anti-flood flow-based threshold to set the threshold for triggering flow-based UDP flood attack prevention.
Use undo udp anti-flood flow-based threshold to restore the default.
Syntax
udp anti-flood flow-based threshold threshold-value
undo udp anti-flood flow-based threshold
Default
The threshold is 100 packets per check interval for triggering flow-based UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold for triggering flow-based UDP flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of UDP packets that can be received per flow within a check interval.
Usage guidelines
When the number of received UDP packets in a flow within a check interval reaches or exceeds the threshold, the device determines that an attack occurs and drops subsequent UDP packets.
Examples
# Set the threshold to 200 for triggering flow-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood flow-based threshold 200
Related commands
display udp anti-flood flow-based configuration
udp anti-flood flow-based check-interval
udp anti-flood flow-based enable
udp anti-flood flow-based duration
udp anti-flood interface-based check-interval
Use udp anti-flood interface-based check-interval to set the check interval for interface-based UDP flood attack prevention.
Use undo udp anti-flood interface-based check-interval to restore the default.
Syntax
udp anti-flood interface-based check-interval interval
undo udp anti-flood interface-based check-interval
Default
The check interval is 1 second for interface-based UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the check interval for interface-based UDP flood attack prevention, in seconds. The value range is 1 to 60.
Usage guidelines
The interface-based UDP flood attack prevention feature monitors the number of received UDP packets on a per-interface basis. When the number of received UDP packets within a check interval reaches or exceeds the threshold on an interface, the device enters prevention state and limits the receiving rate of subsequent UDP packets on the interface.
If attacks occur frequently in your network, set a short check interval so that UDP flood attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the check interval to 30 seconds for interface-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood interface-based check-interval 30
Related commands
display udp anti-flood interface-based configuration
udp anti-flood interface-based duration
udp anti-flood interface-based enable
udp anti-flood interface-based threshold
udp anti-flood interface-based duration
Use udp anti-flood interface-based duration to set the interface-based UDP flood attack prevention duration.
Use undo udp anti-flood interface-based duration to restore the default.
Syntax
udp anti-flood interface-based duration minutes
undo udp anti-flood interface-based duration
Default
The interface-based UDP flood attack prevention duration is 5 minutes.
Views
System view
Predefined user roles
network-admin
Parameters
minutes: Specifies the interface-based UDP flood attack prevention duration, in minutes. The value range is 1 to 3600.
Usage guidelines
After you enable interface-based UDP flood attack prevention, the device enters attack detection state. When the device detects an attack, it changes to prevention state and limits the receiving rate of subsequent UDP packets in the UDP flood attack prevention duration. The device returns to attack detection state when the duration expires.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the interface-based UDP flood attack prevention duration to 1 minute.
<Sysname> system-view
[Sysname] udp anti-flood interface-based duration 1
Related commands
display udp anti-flood interface-based configuration
udp anti-flood interface-based check-interval
udp anti-flood interface-based enable
udp anti-flood interface-based threshold
udp anti-flood interface-based enable
Use udp anti-flood interface-based enable to enable interface-based UDP flood attack prevention.
Use undo udp anti-flood interface-based enable to disable interface-based UDP flood attack prevention.
Syntax
udp anti-flood interface-based enable
undo udp anti-flood interface-based enable
Default
Interface-based UDP flood attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The interface-based UDP flood attack prevention feature monitors the UDP packet receiving rate on a per-interface basis. When the number of received UDP packets within a check interval reaches or exceeds the threshold on an interface, an attack occurs. The device limits the UDP packet receiving rate on this interface and drops UDP packets that exceed the threshold.
Examples
# Enable interface-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood interface-based enable
Related commands
display udp anti-flood interface-based configuration
udp anti-flood interface-based duration
udp anti-flood interface-based check-interval
udp anti-flood interface-based threshold
udp anti-flood interface-based threshold
Use udp anti-flood interface-based threshold to set the threshold for triggering interface-based UDP flood attack prevention.
Use undo udp anti-flood interface-based threshold to restore the default.
Syntax
udp anti-flood interface-based threshold threshold-value
undo udp anti-flood interface-based threshold
Default
The threshold is 100 packets per check interval for triggering interface-based UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Parameters
threshold threshold-value: Specifies the threshold for triggering interface-based UDP flood attack prevention, in the range of 1 to 1000000. This threshold defines the maximum number of UDP packets that can be received on an interface within a check interval.
Usage guidelines
The interface-based UDP flood attack prevention feature monitors the UDP packet receiving rate on a per-interface basis. When the number of received UDP packets on an interface within a check interval reaches or exceeds the threshold, the device determines that the interface is attacked.
If you execute this command multiple times, the most recent configuration takes effect.
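The detection/prevention cycle described for the interface-based feature (count UDP packets per check interval, enter prevention state when the threshold is reached, drop packets beyond the threshold, and return to detection state when the duration expires) modelled as a small state machine. This is an added illustration, not device code; the check-interval value and the traffic stream are constructed.

```python
"""Model of interface-based UDP flood attack prevention on one interface.
Added example, not the device's implementation. Threshold is counted per
check interval (seconds); duration is given in minutes as on the CLI."""


class UdpFloodInterfaceGuard:
    def __init__(self, threshold=100, check_interval=5, duration=1):
        self.threshold = threshold             # packets per check interval (page default 100)
        self.check_interval = check_interval   # seconds; constructed value for this model
        self.duration = duration * 60          # minutes on the CLI, converted to seconds
        self.state = "detection"               # "detection" or "prevention"
        self.prevention_until = 0.0
        self.window = None                     # id of the current check interval
        self.count = 0                         # UDP packets seen in this window
        self.log = []                          # (timestamp, message) pairs

    def receive(self, ts):
        """Process one UDP packet arriving at time ts (seconds); returns 'accept' or 'drop'."""
        # Prevention state ends when the prevention duration expires
        if self.state == "prevention" and ts >= self.prevention_until:
            self.state = "detection"
            self.log.append((ts, "prevention duration expired, back to detection"))
        # A new counting window starts at every check-interval boundary
        window = int(ts // self.check_interval)
        if window != self.window:
            self.window, self.count = window, 0
        self.count += 1
        if self.state == "detection":
            if self.count >= self.threshold:       # threshold reached: attack detected
                self.state = "prevention"
                self.prevention_until = ts + self.duration
                self.log.append((ts, f"UDP flood detected: {self.count} packets in one check interval"))
            return "accept"
        # Prevention state: packets beyond the threshold in a window are dropped
        return "accept" if self.count <= self.threshold else "drop"


def simulate(rate_per_second, seconds, guard):
    """Feed a steady stream of UDP packets; returns (accepted, dropped) counts."""
    accepted = dropped = 0
    for i in range(rate_per_second * seconds):
        if guard.receive(i / rate_per_second) == "accept":
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped
```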
Examples
# Set the threshold to 10000 for triggering interface-based UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood interface-based threshold 10000
Related commands
display udp anti-flood interface-based configuration
udp anti-flood interface-based check-interval
udp anti-flood interface-based duration
udp anti-flood interface-based enable
udp anti-flood log enable
Use udp anti-flood log enable to enable logging for UDP flood attack prevention.
Use undo udp anti-flood log enable to disable logging for UDP flood attack prevention.
Syntax
udp anti-flood log enable
undo udp anti-flood log enable
Default
Logging is disabled for UDP flood attack prevention.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature generates UDP flood attack prevention logs and sends them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
To avoid degrading device performance with excessive UDP flood attack prevention logs, disable this feature as a best practice. Enable it only for auditing or troubleshooting.
Examples
# Enable logging for UDP flood attack prevention.
<Sysname> system-view
[Sysname] udp anti-flood log enable
Related commands
udp anti-flood flow-based enable
udp anti-flood interface-based enable
Abnormal IP packet attack prevention commands
display ip abnormal-packet-defend statistics
Use display ip abnormal-packet-defend statistics to display statistics about abnormal IP attack packets dropped by the device.
Syntax
display ip abnormal-packet-defend statistics [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about dropped abnormal IP attack packets on all cards.
Examples
# Display statistics about dropped abnormal IP attack packets for slot 1.
<Sysname> display ip abnormal-packet-defend statistics slot 1
Attack type Packets dropped
LAND 0
Empty IP 0
Smurf 100
Table 17 Command output
Field | Description |
---|---|
Attack type | Attack packet type. |
Packets dropped | Number of dropped packets. |
LAND | LAND attack packets. |
Empty IP | IP attack packets with no payload. |
Smurf | Smurf attack packets. |
Related commands
ip abnormal-packet-defend enable
ip abnormal-packet-defend enable
Use ip abnormal-packet-defend enable to enable abnormal IP packet attack prevention.
Use undo ip abnormal-packet-defend enable to disable abnormal IP packet attack prevention.
Syntax
ip abnormal-packet-defend enable
undo ip abnormal-packet-defend enable
Default
Abnormal IP packet attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Network devices might suffer from the following abnormal IP packet attacks:
· LAND attack—An attacker sends the victim a large number of forged SYN packets. In these packets, the victim's IP address is used as both the source and destination IP address, and the source and destination ports are the same. After receiving the packets, the target host repeatedly sends replies to itself to establish half-open TCP connections. This attack exhausts the resources on the victim and locks up the victim's system.
· Null payload IP packet flood attack—An attacker floods the victim with packets that contain only IP headers and no payload, which makes the victim unable to process other services.
· Smurf attack—An attacker broadcasts an ICMP echo request to the target network. These requests contain the victim's IP address as the source IP address. Every receiver on the target network sends an ICMP echo reply to the victim. The victim is flooded with replies and becomes unable to provide services.
This feature enables the device to examine each received packet and drop abnormal IP packets. It protects the device against abnormal IP packet attacks but slows down packet processing.
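The three abnormal packet types above, expressed as the per-packet checks a defender would apply and tallied into the same drop counters the display command reports. This is an added example, not the device's implementation; packets are constructed dicts and the local subnet used for the directed-broadcast check is a constructed value.

```python
"""Classify and drop abnormal IP packets (LAND, Empty IP, Smurf).
Added example, not device code. The subnet and packets below are constructed."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")      # constructed local subnet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(pkt):
    """Return 'LAND', 'Empty IP', 'Smurf', or None for a normal packet."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Empty IP: IP header only, nothing after it
    if pkt.get("payload_len", 0) == 0:
        return "Empty IP"
    # LAND: SYN with source == destination address and source port == destination port
    if (pkt.get("proto") == "tcp" and "SYN" in pkt.get("flags", ())
            and src == dst and pkt.get("sport") == pkt.get("dport")):
        return "LAND"
    # Smurf: ICMP echo request (type 8) addressed to a broadcast address
    if (pkt.get("proto") == "icmp" and pkt.get("icmp_type") == 8
            and dst in (LOCAL_NET.broadcast_address, LIMITED_BROADCAST)):
        return "Smurf"
    return None


def defend(packets):
    """Drop abnormal packets; return (forwarded packets, drop counters by attack type)."""
    counters = {"LAND": 0, "Empty IP": 0, "Smurf": 0}
    forwarded = []
    for pkt in packets:
        kind = classify(pkt)
        if kind is None:
            forwarded.append(pkt)
        else:
            counters[kind] += 1
    return forwarded, counters


SAMPLE_PACKETS = [  # constructed traffic: three abnormal packets and two normal ones
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "flags": ("SYN",),
     "sport": 80, "dport": 80, "payload_len": 20},
    {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": None, "payload_len": 0},
    {"src": "192.0.2.50", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8, "payload_len": 64},
    {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": "tcp", "flags": ("SYN",),
     "sport": 40000, "dport": 443, "payload_len": 20},
    {"src": "192.0.2.50", "dst": "192.0.2.1", "proto": "icmp", "icmp_type": 8, "payload_len": 64},
]
```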
Examples
# Enable abnormal IP packet attack prevention.
<Sysname> system-view
[Sysname] ip abnormal-packet-defend enable
Related commands
display ip abnormal-packet-defend statistics
reset ip abnormal-packet-defend statistics
reset ip abnormal-packet-defend statistics
Use reset ip abnormal-packet-defend statistics to clear statistics about abnormal IP attack packets dropped by the device.
Syntax
reset ip abnormal-packet-defend statistics [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics about dropped abnormal IP attack packets on all cards.
Examples
# Clear statistics about abnormal IP attack packets dropped by the device.
<Sysname> reset ip abnormal-packet-defend statistics
Related commands
display ip abnormal-packet-defend statistics
ip abnormal-packet-defend enable