03-Security Command Reference
Contents
ack-flood defense session-check
anti-ddos out-of-band interface
anti-ddos user-defined attack-type protocol
anti-ddos user-defined attack-type protocol icmp
anti-ddos user-defined attack-type protocol icmpv6
anti-ddos user-defined attack-type protocol tcp
anti-ddos user-defined attack-type protocol udp
bandwidth-detection destination-ip threshold
bandwidth-limit destination-ip type max-rate
display anti-ddos blacklist zone
display anti-ddos dynamic-blacklist
display anti-ddos filter statistics
display anti-ddos source-verify protected ip
display anti-ddos source-verify protected ipv6
display anti-ddos source-verify trusted ip
display anti-ddos source-verify trusted ipv6
display anti-ddos ssl-defend illegal-session-stat-nodes
display anti-ddos ssl-defend session-stat-nodes
display anti-ddos statistics bandwidth-limit destination-ip
display anti-ddos statistics destination-ip
display anti-ddos statistics http-slow-attack
display anti-ddos whitelist zone
display anti-ddos zone configuration
dns-query-flood defense source-verify
dns-query-flood detection threshold
dns-reply-flood defense source-verify
dns-reply-flood detection threshold
fingerprint (fingerprint policy group view)
http-flood defense source-verify
http-flood detection threshold
http-slow-attack defense threshold
https-flood defense source-verify
https-flood defense ssl-defend
https-flood detection threshold
icmp-flood detection threshold
icmp-frag-flood detection threshold
reset anti-ddos dynamic-blacklist
reset anti-ddos filter statistics zone
sip-flood defense source-verify
syn-ack-flood detection threshold
syn-flood defense source-verify
tcp-frag-flood detection threshold
udp-frag-flood detection threshold
user-defined attack-type detection threshold
DDoS protection commands
ack-flood defense session-check
Use ack-flood defense session-check to enable session check for ACK flood attack protection.
Use undo ack-flood defense session-check to disable session check for ACK flood attack protection.
Syntax
ack-flood defense session-check
undo ack-flood defense session-check
Default
Session check is disabled for ACK flood attack protection.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
The command is available on anti-DDoS cleaning devices.
This feature allows incoming ACK packets to pass through only when the packets have matching sessions. Those incoming ACK packets are dropped if they do not have any matching session.
Do not enable this feature on the cleaning device deployed in one-arm mode. If you do so, the cleaning device will drop ACK packets of sessions that are established before the dynamic traffic redirection.
Examples
# Enable session check for ACK flood attack protection in anti-DDoS zone 5.
<Sysname> system-view
[Sysname] anti-ddos zone id 5
[Sysname-anti-ddos-zone-id-5] ack-flood defense session-check
Related commands
ack-flood detection threshold
ack-flood detection threshold
Use ack-flood detection threshold to enable ACK flood attack detection and set a detection threshold.
Use undo ack-flood detection threshold to disable ACK flood attack detection.
Syntax
ack-flood detection threshold { bit-based value | packet-based value }
undo ack-flood detection threshold
Default
ACK flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ACK packets per destination IP address in this zone. When the sending rate of ACK packets destined for an IP address keeps exceeding the threshold, an ACK flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ack-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
action
Use action to specify an action on packets that match a filter.
Use undo action to restore the default.
Syntax
action { drop | limit { bit-based value | packet-based value } | pass | source-verify }
undo action
Default
The device drops packets that match a filter.
Views
Filter view
Predefined user roles
network-admin
Parameters
drop: Drops the matching packets.
limit: Rate limits the matching packets. The device drops the matching packets that exceed the threshold.
bit-based value: Specifies a bit-based threshold, in Mbps. The value range is 1 to 4294967295.
packet-based value: Specifies a packet-based threshold, in pps. The value range is 1 to 4294967295.
pass: Allows the matching packets to pass through.
source-verify: Performs source verification of the matching packets.
Usage guidelines
The source-verify keyword is applicable only to HTTP filters. If you specify this keyword, the device permits packets that pass source verification and drops packets that fail source verification.
If you execute this command multiple times for one filter, the most recent configuration takes effect.
Examples
# Configure the device to perform source verification on packets matching HTTP filter test.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] action source-verify
Related commands
anti-ddos filter
display anti-ddos filter statistics
anti-ddos apply filter
Use anti-ddos apply filter to apply a filter to an anti-DDoS zone and set a preference for the filter.
Use undo anti-ddos apply filter to remove the application of a filter from the anti-DDoS zone.
Syntax
anti-ddos apply filter filter-name preference preference
undo anti-ddos apply filter filter-name
Default
No filters are applied to an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
filter-name: Specifies a filter name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter. The specified filter must already exist.
preference preference: Sets the filter preference, in the range of 1 to 255. A smaller value indicates a higher priority.
Usage guidelines
The device uses the filters in an anti-DDoS zone to match a packet in the descending order of priority:
1. If the packet matches the filter with the highest priority, the device takes the filter-specific action.
2. If the packet does not match the filter with the highest priority, the device uses filters with lower priorities to match the packet one by one in the descending order. If the packet matches a filter, the device stops the matching process and takes the action specified in this filter.
3. If the packet does not match any filters, the device delivers the packet to the next DDoS protection process.
The preference value of each filter applied to the same anti-DDoS zone must be unique.
You can apply a maximum of 10 filters to an anti-DDoS zone.
Examples
# Apply filter test to anti-DDoS zone 3, and set the filter preference to 10.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] anti-ddos apply filter test preference 10
Related commands
anti-ddos filter
display anti-ddos filter statistics
anti-ddos blacklist
Use anti-ddos blacklist to add a global static anti-DDoS blacklist entry.
Use undo anti-ddos blacklist to delete a global static anti-DDoS blacklist entry.
Syntax
anti-ddos blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo anti-ddos blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No global static anti-DDoS blacklist entries exist.
Views
System view
Predefined user roles
network-admin
Parameters
all: Deletes all global static blacklist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The device drops a packet if the source IP address of the packet is on the global static anti-DDoS blacklist.
IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be the unspecified address (::/128) or an IPv6 multicast address (FF00::/8).
The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.
Examples
# Add subnet 1.1.1.1/24 to the global static anti-DDoS blacklist.
<Sysname> system-view
[Sysname] anti-ddos blacklist ip 1.1.1.1 24
Related commands
anti-ddos whitelist
display anti-ddos blacklist
anti-ddos blacklist timeout
Use anti-ddos blacklist timeout to set an aging time for dynamic blacklist entries.
Use undo anti-ddos blacklist timeout to restore the default.
Syntax
anti-ddos blacklist timeout aging-time
undo anti-ddos blacklist timeout
Default
The aging time is 1 minute for dynamic blacklist entries.
Views
System view
Predefined user roles
network-admin
Parameters
aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.
Examples
# Set the aging time to 2 minutes for dynamic blacklist entries.
<Sysname> system-view
[Sysname] anti-ddos blacklist timeout 2
anti-ddos cleaner deploy-mode
Use anti-ddos cleaner deploy-mode to set the deployment mode of the anti-DDoS cleaning device.
Use undo anti-ddos cleaner deploy-mode to restore the default.
Syntax
anti-ddos cleaner deploy-mode { inline | out-of-path }
undo anti-ddos cleaner deploy-mode
Default
The anti-DDoS cleaning device uses the inline deployment mode.
Views
System view
Predefined user roles
network-admin
Parameters
inline: Specifies the inline deployment mode.
out-of-path: Specifies the one-arm deployment mode.
Usage guidelines
This command is available only on anti-DDoS cleaning devices. The configured deployment mode must match the way the cleaning device is actually connected to the network.
The DDoS attack detection features on the anti-DDoS cleaning device take effect in both deployment modes.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the one-arm deployment mode for the anti-DDoS cleaning device.
<Sysname> system-view
[Sysname] anti-ddos cleaner deploy-mode out-of-path
anti-ddos default-zone enable
Use anti-ddos default-zone enable to enable the default anti-DDoS zone.
Use undo anti-ddos default-zone enable to disable the default anti-DDoS zone.
Syntax
anti-ddos default-zone enable
undo anti-ddos default-zone enable
Default
The default anti-DDoS zone is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
If the IP addresses of packets passing through the device do not belong to any non-default anti-DDoS zone, the DDoS protection configured in the default anti-DDoS zone applies.
The configuration of the default anti-DDoS zone does not take effect if you do not enable the default anti-DDoS zone.
Examples
# Enable the default anti-DDoS zone.
<Sysname> system-view
[Sysname] anti-ddos default-zone enable
Related commands
anti-ddos zone default
anti-ddos filter
Use anti-ddos filter to create a filter and enter its view, or enter the view of an existing filter.
Use undo anti-ddos filter to delete a filter.
Syntax
anti-ddos filter name filter-name [ type { dns | http | icmp | ip | sip | tcp | udp } ]
undo anti-ddos filter name filter-name
Default
No filters exist.
Views
System view
Predefined user roles
network-admin
Parameters
name filter-name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.
type: Specifies a filter type. To enter the view of an existing filter, you do not need to specify its filter type.
dns: Specifies the DNS type.
http: Specifies the HTTP type.
icmp: Specifies the ICMP type.
ip: Specifies the IP type.
sip: Specifies the SIP type.
tcp: Specifies the TCP type.
udp: Specifies the UDP type.
Usage guidelines
A filter allows you to use different packet fields to identify packets. For each field, you can specify multiple rules. A packet matches a field if it matches one of these rules. The device takes the filter action only when the packet matches all the fields specified in the filter.
You can configure a maximum of 1024 filters. The filter name must be unique on the device.
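The two usage-guideline passages above (anti-ddos apply filter and anti-ddos filter) together define how a zone evaluates its filters: ascending preference value, any-rule-matches within a field, all-fields-match within a filter, first match wins. The following Python model is an added example, not H3C code; the packet field names (src_ip, dst_port, http_method) and the rule predicates are constructed for the illustration, while the 10-filter limit, the 1 to 255 preference range and the uniqueness rule come from the page.

```python
"""Filter evaluation in an anti-DDoS zone (added example, not H3C code).

Rules taken from the usage guidelines on this page:
  * applied filters are tried in ascending preference value (a smaller value
    is a higher priority); preference values are unique; at most 10 per zone;
  * inside one filter, each packet field carries one or more rules and the
    field matches when ANY of its rules matches;
  * the filter matches only when ALL of its fields match;
  * the first matching filter decides the action, otherwise the packet goes
    on to the next DDoS protection process.
Packet field names and rule predicates below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_FILTERS_PER_ZONE = 10


@dataclass
class Filter:
    name: str
    ftype: str                       # dns | http | icmp | ip | sip | tcp | udp
    action: str = "drop"             # page default: matching packets are dropped
    # field name -> rules; a rule is a predicate over the packet's field value
    fields: Dict[str, List[Callable[[object], bool]]] = field(default_factory=dict)

    def matches(self, packet: dict) -> bool:
        for fname, rules in self.fields.items():
            value = packet.get(fname)          # a missing field never matches
            if not any(rule(value) for rule in rules):
                return False                   # one field failed -> filter fails
        return True                            # every field matched


class Zone:
    def __init__(self, zone_id: int) -> None:
        self.zone_id = zone_id
        self.applied: Dict[int, Filter] = {}   # preference -> filter

    def apply_filter(self, flt: Filter, preference: int) -> None:
        if not 1 <= preference <= 255:
            raise ValueError("preference must be in the range 1 to 255")
        if preference in self.applied:
            raise ValueError("preference values must be unique within a zone")
        if len(self.applied) >= MAX_FILTERS_PER_ZONE:
            raise ValueError("a zone accepts at most 10 filters")
        self.applied[preference] = flt

    def evaluate(self, packet: dict) -> Tuple[Optional[str], str]:
        """Return (filter name, action); (None, 'next-process') when nothing matched."""
        for pref in sorted(self.applied):      # highest priority first
            flt = self.applied[pref]
            if flt.matches(packet):
                return flt.name, flt.action    # first match wins
        return None, "next-process"


def build_demo_zone() -> Zone:
    """Zone 3 with the page's HTTP filter 'test' (action source-verify) at
    preference 10 and a constructed IP filter at preference 20."""
    zone = Zone(3)
    http_test = Filter(
        name="test", ftype="http", action="source-verify",
        fields={
            "dst_port": [lambda v: v == 80, lambda v: v == 8080],   # two rules, OR-ed
            "http_method": [lambda v: v == "GET"],
        },
    )
    block_src = Filter(
        name="block_src", ftype="ip", action="drop",
        fields={"src_ip": [lambda v: isinstance(v, str) and v.startswith("10.9.")]},
    )
    zone.apply_filter(http_test, preference=10)
    zone.apply_filter(block_src, preference=20)
    return zone


if __name__ == "__main__":
    zone = build_demo_zone()
    for pkt in (
        {"src_ip": "198.51.100.7", "dst_port": 8080, "http_method": "GET"},
        {"src_ip": "10.9.1.1", "dst_port": 443, "http_method": "GET"},
        {"src_ip": "10.9.1.1", "dst_port": 80, "http_method": "GET"},
        {"src_ip": "203.0.113.5", "dst_port": 443},
    ):
        print(pkt, "->", zone.evaluate(pkt))
```

The third packet is the instructive case: it matches both filters, but the HTTP filter at preference 10 is tried first, so the packet is sent to source verification rather than dropped. Ordering filters by preference is therefore part of the policy, not just bookkeeping.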
Examples
# Create an HTTP filter named test and enter its view.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test]
Related commands
action
display anti-ddos filter statistics
anti-ddos log-local-ip
Use anti-ddos log-local-ip to specify a source IP address for DDoS protection logs.
Use undo anti-ddos log-local-ip to restore the default.
Syntax
anti-ddos log-local-ip { ip ipv4-address | ipv6 ipv6-address }
undo anti-ddos log-local-ip
Default
No source IP address is specified for anti-DDoS logs.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a source IPv4 address for anti-DDoS logs. The IP address must be an IP address on the device.
ipv6 ipv6-address: Specifies a source IPv6 address for anti-DDoS logs. The IP address must be an IP address on the device.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device uses the specified source IP address to report DDoS protection logs to the management center.
Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 192.168.1.2 as the source IP address for anti-DDoS logs.
<Sysname> system-view
[Sysname] anti-ddos log-local-ip ip 192.168.1.2
Related commands
anti-ddos log-server-ip
anti-ddos log-server-ip
Use anti-ddos log-server-ip to specify a log server address.
Use undo anti-ddos log-server-ip to restore the default.
Syntax
anti-ddos log-server-ip { ip ipv4-address | ipv6 ipv6-address } [ port port-number ]
undo anti-ddos log-server-ip
Default
No log server address is specified.
Views
System view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies the IPv4 address of a log server.
ipv6 ipv6-address: Specifies the IPv6 address of a log server.
port port-number: Specifies a destination port number for reported logs. The value range is 1 to 65535, and the default is 10083.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device sends DDoS protection logs to the specified IP address and port number.
Only one IPv4 or IPv6 address is supported. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 192.168.1.1 as the IP address of the log server.
<Sysname> system-view
[Sysname] anti-ddos log-server-ip ip 192.168.1.1
Related commands
anti-ddos log-local-ip
anti-ddos out-of-band interface
Use anti-ddos out-of-band interface to exclude interfaces from DDoS protection.
Use undo anti-ddos out-of-band interface to cancel the configuration.
Syntax
anti-ddos out-of-band interface { interface-type interface-number } &<1-10>
undo anti-ddos out-of-band interface [ interface-type interface-number ]
Default
Only GigabitEthernet 1/0/0 is excluded from DDoS protection.
Views
System view
Predefined user roles
network-admin
Parameters
interface-type interface-number &<1-10>: Specifies a list of up to 10 interfaces. The interface-type interface-number arguments specify the interface type and interface number.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can exclude only physical interfaces from DDoS protection.
If you do not specify any interface type or interface number in the undo command, the device removes all excluded interfaces.
Examples
# Exclude GigabitEthernet 1/0/1, GigabitEthernet 1/0/4, and Loopback 1 from DDoS protection.
<Sysname> system-view
[Sysname] anti-ddos out-of-band interface gigabitethernet 1/0/1 gigabitethernet 1/0/4 loopback 1
anti-ddos user-defined attack-type protocol
Use anti-ddos user-defined attack-type protocol to configure a user-defined protocol-specific DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol protocol-number [ packet-length { equal | greater-than | less-than } packet-length ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined protocol-specific DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
protocol-number: Specifies a protocol number in the range of 0 to 255.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can specify a packet length match criterion for a protocol-specific DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an attack type 3 to match VRRP packets with the packet length less than 28 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol 112 packet-length less-than 28
anti-ddos user-defined attack-type protocol icmp
Use anti-ddos user-defined attack-type protocol icmp to configure a user-defined ICMP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol icmp [ packet-length { equal | greater-than | less-than } packet-length ] [ icmp-type icmp-type icmp-code icmp-code ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined ICMP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
icmp-type icmp-type: Specifies an ICMP type in the range of 0 to 255.
icmp-code icmp-code: Specifies an ICMP code in the range of 0 to 255.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, ICMP type, and ICMP code as the packet match criteria for an ICMP-based DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an ICMP-based attack type 3 to match ICMP packets with ICMP type 8 and ICMP code 0.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol icmp icmp-type 8 icmp-code 0
anti-ddos user-defined attack-type protocol icmpv6
Use anti-ddos user-defined attack-type protocol icmpv6 to configure a user-defined ICMPv6-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol icmpv6 [ packet-length { equal | greater-than | less-than } packet-length ] [ icmpv6-type icmpv6-type icmpv6-code icmpv6-code ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined ICMPv6-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
icmpv6-type icmpv6-type: Specifies an ICMPv6 type in the range of 0 to 255.
icmpv6-code icmpv6-code: Specifies an ICMPv6 code in the range of 0 to 255.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, ICMPv6 type, and ICMPv6 code as the packet match criteria for an ICMPv6-based DDoS attack type.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure an ICMPv6-based attack type 3 to match ICMPv6 packets that are greater than 65535 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol icmpv6 packet-length greater-than 65535
anti-ddos user-defined attack-type protocol tcp
Use anti-ddos user-defined attack-type protocol tcp to configure a user-defined TCP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol tcp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ] [ tcp-flag flag-value ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined TCP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
port port-num: Specifies a port number in the range of 1 to 65535.
port-type: Specifies the port type.
source: Specifies the source port type.
destination: Specifies the destination port type.
tcp-flag flag-value: Specifies a value of the TCP flags field, in the range of 0 to 63.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length, port, and the value of TCP flags field as the packet match criteria for a TCP-based DDoS attack type. If all criteria are specified, a TCP packet is an attack packet only if it matches all criteria.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
Examples
# Configure a TCP-based attack type 3 to match TCP packets that are greater than 65535 bytes and destined for port 80.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol tcp packet-length greater-than 65535 port 80 port-type destination
anti-ddos user-defined attack-type protocol udp
Use anti-ddos user-defined attack-type protocol udp to configure a user-defined UDP-based DDoS attack type.
Use undo anti-ddos user-defined attack-type to delete user-defined DDoS attack types.
Syntax
anti-ddos user-defined attack-type id id protocol udp [ packet-length { equal | greater-than | less-than } packet-length ] [ port port-num port-type { source | destination } ]
undo anti-ddos user-defined attack-type [ id id ]
Default
No user-defined UDP-based DDoS attack types exist.
Views
System view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15. The attack type ID must be unique.
packet-length: Specifies the packet length match criterion.
equal: Equal to the specified packet length.
greater-than: Greater than the specified packet length.
less-than: Less than the specified packet length.
packet-length: Specifies a packet length in bytes. The value range is 20 to 65535.
port port-num: Specifies a port number in the range of 1 to 65535.
port-type: Specifies the port type.
source: Specifies the source port type.
destination: Specifies the destination port type.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
You can use the packet length and port number as the packet match criteria for a UDP-based DDoS attack type. If both criteria are specified, a UDP packet is an attack packet only if it matches these criteria.
If you execute this command multiple times for one attack type ID, the most recent configuration takes effect.
If you do not specify any attack type ID in the undo command, the device deletes all user-defined DDoS attack types.
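The five anti-ddos user-defined attack-type commands above share one matching model: the packet's protocol must equal the configured protocol number, and every optional criterion that was configured (packet-length comparison, ICMP or ICMPv6 type and code, TCP or UDP port in the chosen direction, TCP flags value) must also hold. The Python model below is an added example, not H3C code, covering all five variants in one table. Packets are plain dicts constructed here; IDs 1 to 4 are used so the definitions can coexist (the page's examples reuse ID 3 because each is a separate example), and the SYN-only TCP type is constructed rather than taken from the page.

```python
"""User-defined attack-type matching (added example, not H3C code).

Implements the match semantics the page gives for anti-ddos user-defined
attack-type: protocol must match, and every configured optional criterion must
hold. Re-configuring an ID replaces the earlier definition; undo without an ID
deletes every type. Packets are constructed dicts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 1, 6, 17, 58   # IANA protocol numbers


@dataclass(frozen=True)
class AttackType:
    type_id: int                       # 1..15, unique on the device
    protocol: int                      # IP protocol number 0..255
    length_op: Optional[str] = None    # equal | greater-than | less-than
    length: Optional[int] = None       # 20..65535 bytes
    icmp_type: Optional[int] = None    # ICMP or ICMPv6 type 0..255
    icmp_code: Optional[int] = None    # ICMP or ICMPv6 code 0..255
    port: Optional[int] = None         # 1..65535
    port_type: Optional[str] = None    # source | destination
    tcp_flags: Optional[int] = None    # TCP flags field value 0..63

    def __post_init__(self) -> None:
        # Range and combination checks mirroring the parameter descriptions.
        if not 1 <= self.type_id <= 15:
            raise ValueError("attack type ID must be 1..15")
        if not 0 <= self.protocol <= 255:
            raise ValueError("protocol number must be 0..255")
        if (self.length_op is None) != (self.length is None):
            raise ValueError("packet-length needs both an operator and a length")
        if self.length_op not in (None, "equal", "greater-than", "less-than"):
            raise ValueError("bad packet-length operator")
        if self.length is not None and not 20 <= self.length <= 65535:
            raise ValueError("packet length must be 20..65535")
        if (self.icmp_type is None) != (self.icmp_code is None):
            raise ValueError("ICMP type and code go together")
        if self.icmp_type is not None and self.protocol not in (PROTO_ICMP, PROTO_ICMPV6):
            raise ValueError("ICMP type/code only apply to ICMP or ICMPv6 types")
        if (self.port is None) != (self.port_type is None):
            raise ValueError("port needs a port-type")
        if self.port is not None and self.protocol not in (PROTO_TCP, PROTO_UDP):
            raise ValueError("port criteria only apply to TCP or UDP types")
        if self.tcp_flags is not None and (self.protocol != PROTO_TCP or not 0 <= self.tcp_flags <= 63):
            raise ValueError("tcp-flag must be 0..63 on a TCP type")

    def matches(self, pkt: Dict) -> bool:
        if pkt.get("protocol") != self.protocol:
            return False
        if self.length_op is not None:
            plen = pkt.get("length", 0)
            if not {"equal": plen == self.length,
                    "greater-than": plen > self.length,
                    "less-than": plen < self.length}[self.length_op]:
                return False
        if self.icmp_type is not None and \
                (pkt.get("icmp_type"), pkt.get("icmp_code")) != (self.icmp_type, self.icmp_code):
            return False
        if self.port is not None:
            key = "src_port" if self.port_type == "source" else "dst_port"
            if pkt.get(key) != self.port:
                return False
        if self.tcp_flags is not None and pkt.get("tcp_flags") != self.tcp_flags:
            return False
        return True                      # all configured criteria held


class AttackTypeTable:
    def __init__(self) -> None:
        self.types: Dict[int, AttackType] = {}

    def define(self, at: AttackType) -> None:
        self.types[at.type_id] = at      # most recent configuration for an ID wins

    def undo(self, type_id: Optional[int] = None) -> None:
        if type_id is None:
            self.types.clear()           # undo without an ID deletes all types
        else:
            self.types.pop(type_id, None)

    def classify(self, pkt: Dict) -> List[int]:
        """IDs of every user-defined attack type the packet matches."""
        return sorted(i for i, at in self.types.items() if at.matches(pkt))


def build_demo_table() -> AttackTypeTable:
    t = AttackTypeTable()
    t.define(AttackType(1, 112, "less-than", 28))                    # VRRP, page example
    t.define(AttackType(2, PROTO_ICMP, icmp_type=8, icmp_code=0))    # echo request, page example
    t.define(AttackType(3, PROTO_TCP, port=80, port_type="destination", tcp_flags=2))  # constructed
    t.define(AttackType(4, PROTO_UDP, "equal", 48))                  # page example
    return t
```

Note that a criterion left unconfigured is simply skipped, so an ICMP type with only a protocol matches every ICMP packet; the narrower you make a user-defined type, the fewer legitimate packets are counted toward its detection threshold.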
Examples
# Configure a UDP-based attack type 3 to match UDP packets with a packet length of 48 bytes.
<Sysname> system-view
[Sysname] anti-ddos user-defined attack-type id 3 protocol udp packet-length equal 48
anti-ddos whitelist
Use anti-ddos whitelist to add a global static anti-DDoS whitelist entry.
Use undo anti-ddos whitelist to delete a global static anti-DDoS whitelist entry.
Syntax
anti-ddos whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo anti-ddos whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No global static anti-DDoS whitelist entries exist.
Views
System view
Predefined user roles
network-admin
Parameters
all: Deletes all global static anti-DDoS whitelist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
If the source IP address of a packet matches a global static anti-DDoS whitelist entry, the packet bypasses DDoS protection except rate limiting.
IP addresses on the global static anti-DDoS blacklist and whitelist cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be the unspecified address (::/128) or an IPv6 multicast address (FF00::/8).
The device supports a maximum of 1024 global static anti-DDoS blacklist and whitelist entries in total.
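The anti-ddos blacklist and anti-ddos whitelist commands share the same entry constraints and differ only in what a match means. The Python model below is an added example, not H3C code: it enforces the mask-length ranges, the forbidden addresses, the no-overlap rule and the 1024-entry total from both sections, and returns the lookup result for a packet's source address (drop for a blacklisted source, bypass-except-rate-limit for a whitelisted one, normal DDoS protection otherwise). All addresses are constructed except 1.1.1.1/24, which is the page's own example.

```python
"""Global static anti-DDoS blacklist/whitelist (added example, not H3C code).

Constraints from the page: mask length 8..32 for IPv4 and 8..128 for IPv6;
0.0.0.0, 255.255.255.255, the unspecified address :: and the multicast range
FF00::/8 are rejected; blacklist and whitelist ranges must not overlap; at most
1024 entries in total. Lookup: blacklisted source -> drop; whitelisted source
-> bypass DDoS protection except rate limiting; otherwise normal protection.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MAX_STATIC_ENTRIES = 1024


class StaticLists:
    def __init__(self) -> None:
        self.lists: Dict[str, List[Network]] = {"blacklist": [], "whitelist": []}

    @staticmethod
    def to_network(addr: str, mask_len: int) -> Network:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            if not 8 <= mask_len <= 32:
                raise ValueError("IPv4 mask length must be 8..32")
            if addr in ("0.0.0.0", "255.255.255.255"):
                raise ValueError("0.0.0.0 and 255.255.255.255 are not allowed")
        else:
            if not 8 <= mask_len <= 128:
                raise ValueError("IPv6 mask length must be 8..128")
            if ip.is_unspecified:
                raise ValueError("the unspecified address :: is not allowed")
            if ip in ipaddress.ip_network("ff00::/8"):
                raise ValueError("IPv6 multicast (FF00::/8) is not allowed")
        # strict=False masks off host bits, so 1.1.1.1/24 is stored as 1.1.1.0/24
        return ipaddress.ip_network(f"{addr}/{mask_len}", strict=False)

    def add(self, which: str, addr: str, mask_len: int) -> Network:
        net = self.to_network(addr, mask_len)
        other = "whitelist" if which == "blacklist" else "blacklist"
        for existing in self.lists[other]:
            if existing.version == net.version and existing.overlaps(net):
                raise ValueError(f"{net} overlaps {other} entry {existing}")
        total = sum(len(entries) for entries in self.lists.values())
        if net not in self.lists[which]:
            if total >= MAX_STATIC_ENTRIES:
                raise ValueError("at most 1024 blacklist and whitelist entries in total")
            self.lists[which].append(net)
        return net

    def remove(self, which: str, addr: Optional[str] = None, mask_len: int = 0) -> None:
        if addr is None:
            self.lists[which].clear()            # 'undo ... all'
        else:
            self.lists[which].remove(self.to_network(addr, mask_len))

    def decide(self, src: str) -> str:
        """Lookup result for a packet with source address src."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.lists["blacklist"]):
            return "drop"
        if any(ip in net for net in self.lists["whitelist"]):
            return "bypass-except-rate-limit"
        return "ddos-protection"


def rejected(addr: str, mask_len: int) -> bool:
    """True when the entry would be refused by the validation above."""
    try:
        StaticLists.to_network(addr, mask_len)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, str]:
    lists = StaticLists()
    lists.add("blacklist", "1.1.1.1", 24)          # page example -> stored as 1.1.1.0/24
    lists.add("whitelist", "203.0.113.0", 24)      # constructed
    lists.add("blacklist", "2001:db8:bad::", 48)   # constructed
    try:                                            # overlaps the blacklist entry above
        lists.add("whitelist", "1.1.1.128", 25)
    except ValueError as exc:
        print("rejected:", exc)
    return {src: lists.decide(src)
            for src in ("1.1.1.200", "203.0.113.9", "2001:db8:bad::1", "192.0.2.1")}
```

The blacklist is consulted before the whitelist in decide(), which is safe only because add() guarantees the two lists never overlap; if that invariant were relaxed, the order of the two checks would silently become policy.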
Examples
# Add subnet 1.1.1.1/24 to the global static anti-DDoS whitelist.
<Sysname> system-view
[Sysname] anti-ddos whitelist ip 1.1.1.1 24
Related commands
anti-ddos blacklist
display anti-ddos whitelist
anti-ddos whitelist timeout
Use anti-ddos whitelist timeout to set an aging time for dynamic whitelist entries.
Use undo anti-ddos whitelist timeout to restore the default.
Syntax
anti-ddos whitelist timeout aging-time
undo anti-ddos whitelist timeout
Default
The aging time is 10 minutes for dynamic whitelist entries.
Views
System view
Predefined user roles
network-admin
Parameters
aging-time: Specifies an aging time in minutes. The value range is 1 to 1000.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
The device adds the source IP addresses of packets that pass anti-DDoS source verification to the dynamic whitelist (also known as the trusted IP address list). Packets with source IP addresses on the dynamic whitelist bypass DDoS protection except rate limiting.
In the current software version, the device generates dynamic whitelist entries only based on the anti-DDoS source verification result.
Examples
# Set the aging time to 2 minutes for dynamic whitelist entries.
<Sysname> system-view
[Sysname] anti-ddos whitelist timeout 2
Related commands
display anti-ddos source-verify trusted ip
display anti-ddos source-verify trusted ipv6
anti-ddos zone
Use anti-ddos zone to create an anti-DDoS zone and enter its view, or enter the view of an existing anti-DDoS zone.
Use undo anti-ddos zone to delete an anti-DDoS zone.
Syntax
anti-ddos zone { id zone-id | default }
undo anti-ddos zone [ id zone-id ]
Default
Only the default anti-DDoS zone named default exists.
Views
System view
Predefined user roles
network-admin
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The device does not take any protection action if no anti-DDoS zone is configured.
The device supports a maximum of 1024 anti-DDoS zones, including the default anti-DDoS zone.
If you do not specify an anti-DDoS zone ID in the undo command, the device deletes all user-defined anti-DDoS zones.
The default anti-DDoS zone exists by default and cannot be deleted.
Examples
# Create an anti-DDoS zone with ID 3 and enter its view.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3]
bandwidth-detection destination-ip threshold
Use bandwidth-detection destination-ip threshold to enable IP traffic attack detection and set a detection threshold.
Use undo bandwidth-detection destination-ip threshold to disable IP traffic attack detection.
Syntax
bandwidth-detection destination-ip threshold threshold-value
undo bandwidth-detection destination-ip threshold
Default
IP traffic attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
threshold-value: Specifies the threshold in Mbps, in the range of 1 to 4294967295.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable IP traffic attack detection for a zone, the device enters attack detection state and monitors the sending rate of IP packets per destination IP address in this zone. When the sending rate of IP packets destined for an IP address keeps exceeding the threshold, an IP traffic attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the IP attack traffic locally. If IP traffic rate limiting is not enabled, the IP traffic is allowed to pass through. If IP traffic rate limiting is enabled, the device limits the sending rate of IP traffic.
When the sending rate of IP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
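The following Python model is an added illustration of the two-state behaviour described above; it is not part of the device software or of this reference. It tracks the rate toward each destination IP address, declares an attack once the rate keeps exceeding the detection threshold, and returns to the detection state only when the rate falls below three-fourths of the threshold. The page does not state how long the rate must stay high before an attack is declared, so the number of consecutive over-threshold samples (CONSECUTIVE_SAMPLES), the sampling interval, and the sample rates are assumptions made for the example.

```python
"""Two-state IP traffic attack detection with the three-fourths silence threshold.

Added illustration, not device code. Per destination IP address, the zone stays
in the detection state until the rate keeps exceeding the threshold, then raises
an attack; it returns to the detection state only when the rate falls below
three-fourths of the threshold. CONSECUTIVE_SAMPLES and the sampling interval
are assumptions; the page does not specify them.
"""
from collections import defaultdict

SILENCE_RATIO = 0.75          # silence threshold = 3/4 of the detection threshold (from the page)
CONSECUTIVE_SAMPLES = 3       # assumption: over-threshold samples needed before an attack is declared


class IpTrafficDetector:
    def __init__(self, threshold_mbps, consecutive=CONSECUTIVE_SAMPLES):
        self.threshold = threshold_mbps
        self.silence = threshold_mbps * SILENCE_RATIO
        self.consecutive = consecutive
        self.over = defaultdict(int)     # consecutive over-threshold samples per destination
        self.under_attack = set()        # destinations currently in the attack state

    def observe(self, dst_ip, rate_mbps):
        """Feed one rate sample; return 'attack-start', 'attack-end' or None."""
        if dst_ip in self.under_attack:
            # Hysteresis: a dip to between 3/4 and 1x the threshold does not end the attack.
            if rate_mbps < self.silence:
                self.under_attack.discard(dst_ip)
                self.over[dst_ip] = 0
                return 'attack-end'
            return None
        if rate_mbps > self.threshold:
            self.over[dst_ip] += 1
            if self.over[dst_ip] >= self.consecutive:
                self.under_attack.add(dst_ip)
                return 'attack-start'
        else:
            self.over[dst_ip] = 0            # a single spike does not count as "keeps exceeding"
        return None


def run(threshold_mbps, samples, consecutive=CONSECUTIVE_SAMPLES):
    """Return the (sample index, destination, event) transitions for a sample series."""
    det = IpTrafficDetector(threshold_mbps, consecutive)
    events = []
    for i, (dst, rate) in enumerate(samples):
        event = det.observe(dst, rate)
        if event:
            events.append((i, dst, event))
    return events


# Constructed per-interval rates in Mbps toward one destination, for a 20 Mbps threshold.
SAMPLES = [
    ('10.1.1.10', 5), ('10.1.1.10', 25), ('10.1.1.10', 30), ('10.1.1.10', 40),  # third over-threshold sample -> attack
    ('10.1.1.10', 18), ('10.1.1.10', 16),   # still above the 15 Mbps silence threshold: attack continues
    ('10.1.1.10', 14),                      # below 15 Mbps -> back to the detection state
    ('10.1.1.10', 22), ('10.1.1.10', 8),    # isolated spike: counter resets, no new attack
]

if __name__ == '__main__':
    for idx, dst, event in run(20, SAMPLES):
        print(f'sample {idx}: {dst} {event}')
```

The gap between the detection threshold and the silence threshold is what keeps a destination from flapping between states when the rate hovers just under the threshold; with a 20 Mbps threshold, traffic must fall below 15 Mbps before the attack is considered over.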
Examples
# Enable IP traffic attack detection for anti-DDoS zone 3 and set the threshold to 20 Mbps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] bandwidth-detection destination-ip threshold 20
Related commands
anti-ddos cleaner deploy-mode
bandwidth-limit destination-ip type max-rate
display anti-ddos zone configuration
bandwidth-limit destination-ip type max-rate
Use bandwidth-limit destination-ip type max-rate to enable rate limiting for protocol-specific packets and set the maximum rate.
Use undo bandwidth-limit destination-ip type to disable rate limiting for protocol-specific packets.
Syntax
bandwidth-limit destination-ip type { icmp | icmp-fragment | other | tcp | tcp-fragment | total | udp | udp-fragment } max-rate value
undo bandwidth-limit destination-ip [ type { icmp | icmp-fragment | other | tcp | tcp-fragment | total | udp | udp-fragment } ]
Default
Rate limiting is disabled for all supported types of packets.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
icmp: Specifies ICMP packets.
icmp-fragment: Specifies ICMP fragments.
other: Specifies other types of IP-based packets, except TCP packets, UDP packets, and ICMP packets.
tcp: Specifies TCP packets.
tcp-fragment: Specifies TCP fragments.
total: Specifies the total rate threshold for all IP-based packets.
udp: Specifies UDP packets.
udp-fragment: Specifies UDP fragments.
value: Sets a maximum rate in Mbps on a per destination IP address basis. The value range is 1 to 4294967295.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature monitors the protocol packet rate on a per destination IP address basis in an anti-DDoS zone. Protocol packets that exceed the maximum rate are dropped.
If you set the total rate threshold, and packet threshold and fragment threshold of a protocol, the device rate limits the packets and fragments as follows:
· Rate limits non-fragment packets against the packet threshold first and then against the total rate threshold.
· Rate limits fragments against the packet threshold first, then the fragment threshold, and then the total rate threshold.
When you set maximum rates for both packets and fragments of a protocol, set the fragment maximum rate to a smaller value as a best practice.
If you do not specify any parameter in the undo command, the device disables rate limiting for all types of packets in this zone.
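The following Python model is an added illustration of the check order described above and of why the fragment maximum rate should be the smaller value; it is not part of the device software or of this reference. A fixed one-second window of bit counters stands in for the device's meters (an assumption; the page does not describe the metering algorithm), and the 1500-byte packets and the 2.2.2.10 destination are constructed inputs.

```python
"""Order of per-destination rate-limit checks in an anti-DDoS zone.

Added illustration, not device code. A non-fragment packet must fit under the
protocol's packet threshold and then the total threshold; a fragment must fit
under the packet threshold, then the fragment threshold, then the total
threshold. The one-second window of bit counters is an assumed stand-in for
the device's meters.
"""
from collections import defaultdict

MBPS = 1_000_000   # limits on the page are in Mbps; the counters below are in bits


class ZoneRateLimiter:
    def __init__(self, limits_mbps):
        # e.g. {'tcp': 50, 'tcp-fragment': 10, 'total': 100}, one set per zone
        self.limits = {k: v * MBPS for k, v in limits_mbps.items()}
        self.used = defaultdict(int)      # (dst, limit type) -> bits accepted in this window
        self.dropped = defaultdict(int)   # (dst, limit type) -> packets dropped by that limit

    def new_window(self):
        self.used.clear()

    def _checks(self, proto, fragment):
        # check order from the usage guidelines; limits that are not set are skipped
        keys = [proto] + ([f'{proto}-fragment'] if fragment else []) + ['total']
        return [k for k in keys if k in self.limits]

    def accept(self, dst, proto, size_bytes, fragment=False):
        """Return True if the packet passes every applicable limit, else drop it."""
        bits = size_bytes * 8
        keys = self._checks(proto, fragment)
        for k in keys:                      # the first limit that is exceeded drops the packet
            if self.used[(dst, k)] + bits > self.limits[k]:
                self.dropped[(dst, k)] += 1
                return False
        for k in keys:                      # accepted: charge every bucket it was checked against
            self.used[(dst, k)] += bits
        return True


def flood(limiter, dst, proto, count, size_bytes, fragment=False):
    """Offer count packets of one kind within one window; return how many were accepted."""
    return sum(limiter.accept(dst, proto, size_bytes, fragment) for _ in range(count))


def demo(fragment_limit_mbps):
    """60 Mbit of TCP fragments followed by 60 Mbit of normal TCP, against tcp 50 Mbps."""
    lim = ZoneRateLimiter({'tcp': 50, 'tcp-fragment': fragment_limit_mbps, 'total': 100})
    dst = '2.2.2.10'
    fragments_ok = flood(lim, dst, 'tcp', 5000, 1500, fragment=True)
    packets_ok = flood(lim, dst, 'tcp', 5000, 1500)
    return fragments_ok, packets_ok


if __name__ == '__main__':
    # Fragment limit above the packet limit: fragments consume the whole tcp budget
    # and the normal TCP packets that follow are all dropped.
    print('tcp-fragment 60:', demo(60))
    # Fragment limit below the packet limit, as the page recommends: fragments are
    # capped at 10 Mbps and 40 Mbps remain for normal TCP.
    print('tcp-fragment 10:', demo(10))
```

Because fragments are charged against the protocol packet threshold as well as the fragment threshold, a fragment limit that is higher than the packet limit never takes effect, and a fragment flood can exhaust the protocol budget before any normal packet is seen; setting the fragment limit lower reserves the remainder for non-fragment traffic.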
Examples
# In anti-DDoS zone 3, rate limit TCP packets to 50 Mbps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] bandwidth-limit destination-ip type tcp max-rate 50
Related commands
bandwidth-detection destination-ip threshold
display anti-ddos zone configuration
callee
Use callee to create a callee field match rule for SIP packets.
Use undo callee to delete a callee field match rule for SIP packets.
Syntax
callee { equal | include } callee-string
undo callee [ { equal | include } callee-string ]
Default
No callee field match rules exist.
Views
SIP filter view
Predefined user roles
network-admin
Parameters
equal: Matches a callee URI that is identical to callee-string.
include: Matches a callee URI that contains callee-string.
callee-string: Specifies the URI of the callee, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the URI of the callee in SIP packets.
A SIP filter supports a maximum of 32 rules for the callee field. A SIP packet matches the callee field if its callee field matches one of these rules.
If you do not specify any parameters, the undo callee command deletes all callee field match rules in the filter.
Examples
# Create a rule for SIP filter test to match SIP packets that contain www.example.com in the callee field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type sip
[Sysname-anti-ddos-filter-sip-test] callee include www.example.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
caller
Use caller to create a caller field match rule for SIP packets.
Use undo caller to delete a caller field match rule for SIP packets.
Syntax
caller { equal | include } caller-string
undo caller [ { equal | include } caller-string ]
Default
No caller field match rules exist.
Views
SIP filter view
Predefined user roles
network-admin
Parameters
equal: Matches a caller URI that is identical to caller-string.
include: Matches a caller URI that contains caller-string.
caller-string: Specifies the URI of the caller, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the URI of the caller in SIP packets.
A SIP filter supports a maximum of 32 rules for the caller field. A SIP packet matches the caller field if its caller field matches one of these rules.
If you do not specify any parameters, the undo caller command deletes all caller field match rules in the filter.
Examples
# Create a rule for SIP filter test to match SIP packets that contain www.example.com in the caller field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type sip
[Sysname-anti-ddos-filter-sip-test] caller include www.example.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
cookie
Use cookie to create a cookie field match rule for HTTP packets.
Use undo cookie to delete a cookie field match rule for HTTP packets.
Syntax
cookie include cookie-string
undo cookie [ include cookie-string ]
Default
No cookie field match rules exist.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Matches a cookie field that contains cookie-string.
cookie-string: Specifies the cookie keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the cookie field in HTTP packets.
An HTTP filter supports a maximum of 32 rules for the cookie field. An HTTP packet matches the cookie field if its cookie field matches one of these rules.
If you do not specify any parameters, the undo cookie command deletes all cookie field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain abc in the cookie field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] cookie include abc
Related commands
anti-ddos filter
display anti-ddos filter statistics
destination-ip
Use destination-ip to create a destination IP address match rule.
Use undo destination-ip to delete a destination IP address match rule.
Syntax
destination-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }
undo destination-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]
Default
No destination IP address match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ip-range: Specifies a destination IPv4 address range.
start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.
end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.
ipv6-range: Specifies a destination IPv6 address range.
start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.
end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.
Usage guidelines
The device uses this rule to match the destination IP addresses of packets.
A filter supports a maximum of 100 rules for the destination IP address field. A packet matches the destination IP address field if its destination IP address matches one of these rules.
The destination IP address ranges in one filter cannot overlap.
If you do not specify any parameters, the undo destination-ip command deletes all destination IP address match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with destination IPv4 addresses in the range of 2.2.2.10 to 2.2.2.20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] destination-ip ip-range 2.2.2.10 2.2.2.20
Related commands
anti-ddos filter
display anti-ddos filter statistics
destination-port
Use destination-port to create a destination port match rule.
Use undo destination-port to delete a destination port match rule.
Syntax
destination-port range start-port end-port
undo destination-port [ range start-port end-port ]
Default
No destination port match rules exist.
Views
TCP filter view
UDP filter view
Predefined user roles
network-admin
Parameters
range: Specifies a destination port range.
start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.
end-port: Specifies an end port number in the range of 1 to 65535.
Usage guidelines
The device uses this rule to match the destination port numbers of packets.
A TCP or UDP filter supports a maximum of 10 rules for the destination port number field. A packet matches the destination port number field if its destination port number matches one of these rules.
The destination port number ranges in one filter cannot overlap.
If you do not specify any parameters, the undo destination-port command deletes all destination port match rules in the filter.
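The following Python model is an added illustration of the match semantics shared by the callee, caller, cookie, destination-ip and destination-port rules above; it is not part of the device software or of this reference. Within one field the rules are OR-ed, as each section states, and the per-field rule limits and the no-overlap requirement for address and port ranges are enforced when a rule is added. Two points are assumptions not stated on the page: the configured fields combine with AND when a packet is evaluated, and the string rules are compared against the plain text of the field.

```python
"""Match semantics of anti-DDoS filter field rules.

Added illustration, not device code. Within one field, a packet matches if any
rule matches (from the page). Assumptions: configured fields combine with AND,
and string rules are compared against the field's plain text, case-insensitively.
"""
import ipaddress

RULE_LIMITS = {'callee': 32, 'caller': 32, 'cookie': 32,
               'destination-ip': 100, 'destination-port': 10}


class AntiDdosFilter:
    def __init__(self, name):
        self.name = name
        self.rules = {field: [] for field in RULE_LIMITS}

    def _check_limit(self, field):
        if len(self.rules[field]) >= RULE_LIMITS[field]:
            raise ValueError(f'{field}: at most {RULE_LIMITS[field]} rules per filter')

    def add_string_rule(self, field, op, value):
        # callee and caller accept equal | include; cookie accepts include only
        if field == 'cookie' and op != 'include':
            raise ValueError('cookie rules support include only')
        if op not in ('equal', 'include') or not 2 <= len(value) <= 63:
            raise ValueError('operator must be equal/include and string 2 to 63 characters')
        self._check_limit(field)
        self.rules[field].append((op, value.lower()))     # case-insensitive match

    def add_ip_range(self, start, end):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError('start address must not be higher than end address')
        self._check_limit('destination-ip')
        for a, b in self.rules['destination-ip']:
            if a.version == lo.version and lo <= b and a <= hi:
                raise ValueError(f'range {start}-{end} overlaps {a}-{b}')
        self.rules['destination-ip'].append((lo, hi))

    def add_port_range(self, start, end):
        if not 1 <= start <= end <= 65535:
            raise ValueError('ports must be 1 to 65535 and start <= end')
        self._check_limit('destination-port')
        for a, b in self.rules['destination-port']:
            if start <= b and a <= end:
                raise ValueError(f'range {start}-{end} overlaps {a}-{b}')
        self.rules['destination-port'].append((start, end))

    @staticmethod
    def _string_field_matches(rules, text):
        t = text.lower()
        return any(t == v if op == 'equal' else v in t for op, v in rules)

    def matches(self, pkt):
        """pkt: dict with dst_ip, dst_port and optional callee, caller, cookie text."""
        for field in ('callee', 'caller', 'cookie'):
            rules = self.rules[field]
            if rules and not self._string_field_matches(rules, pkt.get(field, '')):
                return False
        if self.rules['destination-ip']:
            ip = ipaddress.ip_address(pkt['dst_ip'])
            if not any(a <= ip <= b for a, b in self.rules['destination-ip']
                       if a.version == ip.version):
                return False
        if self.rules['destination-port']:
            if not any(a <= pkt['dst_port'] <= b for a, b in self.rules['destination-port']):
                return False
        return True


def add_or_reject(add_fn, *args):
    """Return True if the rule was accepted, False if the filter rejected it."""
    try:
        add_fn(*args)
        return True
    except ValueError:
        return False


def build_example_filter():
    """Mirrors the page's examples: callee include, destination 2.2.2.10-2.2.2.20, ports 10-20."""
    f = AntiDdosFilter('test')
    f.add_string_rule('callee', 'include', 'www.example.com')
    f.add_ip_range('2.2.2.10', '2.2.2.20')
    f.add_port_range(10, 20)
    return f
```

Rejecting an overlapping range at configuration time, as the device does, matters because an overlap would make the per-rule statistics ambiguous about which rule a packet hit.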
Examples
# Create a rule for TCP filter test to match packets with destination port numbers in the range of 10 to 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type tcp
[Sysname-anti-ddos-filter-tcp-test] destination-port range 10 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
display anti-ddos blacklist
Use display anti-ddos blacklist to display global static anti-DDoS blacklist entries.
Syntax
display anti-ddos blacklist [ ip source-ip-address | ipv6 source-ipv6-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an IPv4 or IPv6 address, the command displays all IPv4 and IPv6 global static anti-DDoS blacklist entries.
Examples
# Display all global static anti-DDoS blacklist entries.
<Sysname> display anti-ddos blacklist
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.3/32 Black
10.0.0.0/24 Black
8000::/64 Black
# Display the global static anti-DDoS blacklist entry for the specified IPv4 address.
<Sysname> display anti-ddos blacklist ip 10.0.0.3
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
10.0.0.0/24 Black
# Display the global static anti-DDoS blacklist entry for the specified IPv6 address.
<Sysname> display anti-ddos blacklist ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
8000::/64 Black
Table 1 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries. |
Blacklist | Number of IPv4 or IPv6 blacklist entries. |
Whitelist | Number of IPv4 or IPv6 whitelist entries. |
Source-ip/MaskLen | Source IP address and mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
anti-ddos blacklist
display anti-ddos blacklist zone
Use display anti-ddos blacklist zone to display anti-DDoS zone-based static blacklist entries.
Syntax
display anti-ddos blacklist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static blacklist entries.
If you do not specify the IPv4 or IPv6 address for an anti-DDoS zone-based blacklist entry, the command displays all static blacklist entries for this zone.
Examples
# Display all anti-DDoS zone-based static blacklist entries.
<Sysname> display anti-ddos blacklist zone
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
default 3.3.3.3/32 Black
2 10.0.0.0/24 Black
2 8000::/64 Black
# Display the static blacklist entry matching source IP address 10.0.0.3 in anti-DDoS zone 2.
<Sysname> display anti-ddos blacklist zone id 2 ip 10.0.0.3
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 10.0.0.0/24 Black
# Display the static blacklist entry matching source IPv6 address 8000::1 in the default anti-DDoS zone.
<Sysname> display anti-ddos blacklist zone default ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
default 8000::/64 Black
Table 2 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone. |
Blacklist | Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone. |
Whitelist | Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone. |
ZoneID | Anti-DDoS zone ID. |
Source-ip/MaskLen | Source IP address and mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
zone-blacklist
display anti-ddos dynamic-blacklist
Use display anti-ddos dynamic-blacklist to display dynamic blacklist entries in anti-DDoS zones.
Syntax
display anti-ddos dynamic-blacklist { ip | ipv6 } [ zone [ default | id zone-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Specifies IPv4 dynamic blacklist entries.
ipv6: Specifies IPv6 dynamic blacklist entries.
zone: Specifies an anti-DDoS zone. If you do not specify an anti-DDoS zone, this command displays dynamic blacklist entries in all anti-DDoS zones.
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# Display dynamic IPv4 blacklist entries in all anti-DDoS zones.
<Sysname> display anti-ddos dynamic-blacklist ip
Zone ID Source-ip Aging time (min) Reason
2 192.168.8.9 10 -
2 192.168.3.6 20 -
3 192.168.9.6 5 -
# Display dynamic IPv6 blacklist entries in anti-DDoS zone 2.
<Sysname> display anti-ddos dynamic-blacklist ipv6 zone id 2
Source-ipv6 Aging time (min) Reason
fe80::64fb:D5cf:3131:c1af 10 -
Table 3 Command output
Field | Description |
---|---|
Zone ID | Anti-DDoS zone ID. |
Source-ip | IPv4 blacklist entry. |
Source-ipv6 | IPv6 blacklist entry. |
Aging time (min) | Remaining aging time in minutes. |
Reason | Reason for adding the IP address to the dynamic blacklist. |
display anti-ddos filter statistics
Use display anti-ddos filter statistics to display filter statistics in an anti-DDoS zone.
Syntax
display anti-ddos filter statistics name name anti-ddos-zone { id zone-id | default }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name must contain case-insensitive letters, digits, and underscores (_), and it must start with a letter.
anti-ddos-zone: Specifies an anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone.
Examples
# Display statistics about filter test in anti-DDoS zone 3.
<Sysname> display anti-ddos filter statistics name test anti-ddos-zone id 3
Type : HTTP
Action : drop
PPS : 100000
Bps : 200000000
Dropped packets : 20750
Dropped bytes : 5
Table 4 Command output
Field | Description |
---|---|
Type | Filter type: IP, TCP, UDP, HTTP, DNS, ICMP, or SIP. |
Action | Action on the matching packets: drop (drops the matching packets), pass (allows the matching packets to pass through), limit (rate limits the matching packets), or source-verify (verifies the source of the matching packets). |
PPS | Sending rate of the matching packets, in packets per second. |
Bps | Sending rate of the matching packets, in bytes per second. |
Dropped packets | Number of packets dropped by the filter. |
Dropped bytes | Number of bytes dropped by the filter. |
display anti-ddos source-verify protected ip
Use display anti-ddos source-verify protected ip to display protected IPv4 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } protected ip [ ip-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } protected ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
https: Specifies the HTTPS source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv4 addresses on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv4 addresses on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv4 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the protected IPv4 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ip
Slot 1:
IP address Port Type Requested Trusted
192.168.11.5 23 Dynamic 353452 555
123.123.123.123 23 Dynamic 4294967295 15151
Slot 2:
IP address Port Type Requested Trusted
192.168.11.6 23 Dynamic 467901 78578
201.55.7.45 23 Dynamic 236829 7237
# (In standalone mode.) Display the number of protected IPv4 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ip count
Slot 1:
Totally 3 protected IP addresses.
Slot 2:
Totally 1 protected IP addresses.
Table 5 Command output
Field | Description |
---|---|
Totally n protected IP addresses. | Total number of protected IPv4 addresses. |
IP address | Protected IPv4 address. |
Port | Destination port number of the connection. |
Type | Type of the protected IPv4 address. Dynamic represents a dynamically learned IP address. |
Requested | Number of packets destined for the protected IPv4 address. |
Trusted | Number of packets that passed the source verification. |
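The following Python script is an added illustration of how the Requested and Trusted counters above can be consumed for monitoring; it is not part of the device software or of this reference. It parses the sample output of the command (embedded here as a constructed string) and flags protected addresses whose clients mostly fail verification, which is the signature of a flood from spoofed or non-responsive sources. The 10% pass-rate cut-off and the treatment of 4294967295 (2^32 - 1) as a saturated counter are assumptions made for the example, not behaviour documented on the page.

```python
"""Flag protected IPv4 addresses with a low source-verification pass rate.

Added illustration, not device code. SAMPLE_OUTPUT reproduces the page's
example output as a constructed string. MIN_PASS_RATE and the saturated-counter
check are assumptions for the example.
"""
import re

SAMPLE_OUTPUT = """\
Slot 1:
IP address          Port   Type      Requested    Trusted
192.168.11.5        23     Dynamic   353452       555
123.123.123.123     23     Dynamic   4294967295   15151
Slot 2:
IP address          Port   Type      Requested    Trusted
192.168.11.6        23     Dynamic   467901       78578
201.55.7.45         23     Dynamic   236829       7237
"""

COUNTER_MAX = 2**32 - 1      # assumption: a Requested value this large is a saturated counter
MIN_PASS_RATE = 0.10         # assumption: below this share of verified requests, raise a flag
ROW = re.compile(r'^(\S+)\s+(\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s*$')


def parse_protected(text):
    """Return one dict per protected-IP row, tagged with the slot it was listed under."""
    rows, slot = [], None
    for line in text.splitlines():
        m = re.match(r'^Slot (\d+):', line)
        if m:
            slot = int(m.group(1))
            continue
        m = ROW.match(line)          # the header line does not match: its 2nd column is not numeric
        if m:
            ip, port, typ, requested, trusted = m.groups()
            rows.append({'slot': slot, 'ip': ip, 'port': int(port), 'type': typ,
                         'requested': int(requested), 'trusted': int(trusted)})
    return rows


def suspicious(rows, min_pass_rate=MIN_PASS_RATE):
    """Return (ip, pass rate, counter saturated) for addresses that look flooded."""
    flagged = []
    for r in rows:
        if r['requested'] == 0:
            continue
        rate = r['trusted'] / r['requested']
        saturated = r['requested'] >= COUNTER_MAX
        if rate < min_pass_rate or saturated:
            flagged.append((r['ip'], round(rate, 4), saturated))
    return flagged


if __name__ == '__main__':
    for ip, rate, saturated in suspicious(parse_protected(SAMPLE_OUTPUT)):
        note = ' (counter saturated)' if saturated else ''
        print(f'{ip}: {rate:.2%} of requests passed verification{note}')
```

A low pass rate on its own is not proof of an attack, since clients behind a misbehaving NAT or a broken retransmission path also fail verification; the value is in comparing the ratio against the address's normal baseline, and in treating a saturated counter as a sign the raw number can no longer be trusted.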
display anti-ddos source-verify protected ipv6
Use display anti-ddos source-verify protected ipv6 to display protected IPv6 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } protected ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } protected ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
https: Specifies the HTTPS source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv6 addresses on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv6 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the protected IPv6 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ipv6
Slot 1:
IPv6 address Port Type Requested Trusted
192:168:11::5 23 Dynamic 353452 555
123:123:123::123 23 Dynamic 4294967295 15151
Slot 2:
IPv6 address Port Type Requested Trusted
192:168:11::5 23 Dynamic 467901 78578
201:55:7::45 23 Dynamic 236829 7237
# (In standalone mode.) Display the number of protected IPv6 addresses for SYN source verification.
<Sysname> display anti-ddos source-verify syn protected ipv6 count
Slot 1:
Totally 3 protected IPv6 addresses.
Slot 2:
Totally 1 protected IPv6 addresses.
Table 6 Command output
Field | Description |
---|---|
Totally n protected IPv6 addresses. | Total number of protected IPv6 addresses. |
IPv6 address | Protected IPv6 address. |
Port | Destination port number of the connection. |
Type | Type of the protected IPv6 address. Dynamic represents a dynamically learned IP address. |
Requested | Number of packets destined for the protected IPv6 address. |
Trusted | Number of packets that passed the source verification. |
display anti-ddos source-verify trusted ip
Use display anti-ddos source-verify trusted ip to display trusted IPv4 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } trusted ip [ ip-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } trusted ip [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
https: Specifies the HTTPS source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv4 addresses on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv4 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the trusted IPv4 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ip
Slot 1:
IP address Age-time (sec)
11.1.1.2 600
123.123.123.123 550
Slot 2:
IP address Age-time (sec)
11.1.1. 200
# (In standalone mode.) Display the number of trusted IPv4 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ip count
Slot 1:
Totally 3 trusted IP addresses.
Slot 2:
Totally 1 trusted IP addresses.
Table 7 Command output
Field | Description |
---|---|
Totally n trusted IP addresses. | Total number of trusted IPv4 addresses. |
IP address | Trusted IPv4 address. |
Age-time (sec) | Remaining aging time of the trusted IPv4 address, in seconds. |
display anti-ddos source-verify trusted ipv6
Use display anti-ddos source-verify trusted ipv6 to display trusted IPv6 addresses for source verification.
Syntax
In standalone mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } trusted ipv6 [ ipv6-address ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display anti-ddos source-verify { dns-query | dns-reply | http | https | sip | syn } trusted ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
dns-query: Specifies the DNS query source verification feature.
dns-reply: Specifies the DNS reply source verification feature.
http: Specifies the HTTP source verification feature.
https: Specifies the HTTPS source verification feature.
sip: Specifies the SIP source verification feature.
syn: Specifies the SYN source verification feature.
ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv6 addresses on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv6 addresses.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display the trusted IPv6 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ipv6
Slot 1:
IPv6 address Age-time(sec)
11:1:1::2 600
123:123:123::123 550
Slot 2:
IPv6 address Age-time(sec)
11:1:1::3 200
# (In standalone mode.) Display the number of trusted IPv6 addresses for HTTP source verification.
<Sysname> display anti-ddos source-verify http trusted ipv6 count
Slot 1:
Totally 3 trusted IPv6 addresses.
Slot 2:
Totally 1 trusted IPv6 addresses.
Table 8 Command output
Field | Description |
---|---|
Totally n trusted IPv6 addresses. | Total number of trusted IPv6 addresses. |
IPv6 address | Trusted IPv6 address. |
Age-time (sec) | Remaining aging time of the trusted IPv6 address, in seconds. |
display anti-ddos ssl-defend illegal-session-stat-nodes
Use display anti-ddos ssl-defend illegal-session-stat-nodes to display the abnormal session statistics nodes for SSL renegotiation protection.
Syntax
In standalone mode:
display anti-ddos ssl-defend illegal-session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos ssl-defend illegal-session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Displays abnormal IPv4 session statistics nodes for SSL renegotiation protection.
ipv6: Displays abnormal IPv6 session statistics nodes for SSL renegotiation protection.
count: Displays the number of abnormal session statistics nodes for SSL renegotiation protection.
zone: Specifies an anti-DDoS zone.
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the abnormal session statistics nodes on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the abnormal session statistics nodes on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, this command displays the abnormal session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.
Examples
# (In standalone mode.) Display the abnormal IPv6 session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.
<Sysname> display anti-ddos ssl-defend illegal-session-stat-nodes ipv6
Slot 1:
Zone ID Source-ipv6 Illegal sessions
3 3::2:1 8
Slot 2:
Zone ID Source-ipv6 Illegal sessions
6 5:1::ff 10
Table 9 Command output
Field | Description |
---|---|
Zone ID | Anti-DDoS zone ID. |
Source-ip | Source IPv4 address of abnormal SSL sessions. |
Source-ipv6 | Source IPv6 address of abnormal SSL sessions. |
Illegal-num | Number of abnormal SSL sessions. |
Related commands
https-flood defense ssl-defend
display anti-ddos ssl-defend session-stat-nodes
Use display anti-ddos ssl-defend session-stat-nodes to display the session statistics nodes for SSL renegotiation protection.
Syntax
In standalone mode:
display anti-ddos ssl-defend session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos ssl-defend session-stat-nodes { ip | ipv6 } [ count | zone { default | id zone-id } ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Displays IPv4 session statistics nodes for SSL renegotiation protection.
ipv6: Displays IPv6 session statistics nodes for SSL renegotiation protection.
count: Displays the number of session statistics nodes for SSL renegotiation protection.
zone: Specifies an anti-DDoS zone.
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the session statistics nodes for SSL renegotiation protection on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the session statistics nodes for SSL renegotiation protection on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, this command displays the session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.
Examples
# (In standalone mode.) Display the IPv6 session statistics nodes for SSL renegotiation protection in all anti-DDoS zones.
<Sysname> display anti-ddos ssl-defend session-stat-nodes ipv6 zone id 2
Slot 1:
Zone ID Source-ipv6 Negotiation-num State
2 1::1 8 normal
Slot 2:
Zone ID Source-ipv6 Negotiation-num State
3 ff::1 8 illegal
Table 10 Command output
Field | Description |
---|---|
Zone ID | Anti-DDoS zone ID. |
Source-ip | Source IPv4 address of an abnormal IPv4 session. |
Source-ipv6 | Source IPv6 address of an abnormal IPv6 session. |
Negotiation-num | Number of SSL session negotiations. |
State | Status of the SSL session statistics node: Normal or Illegal. |
Related commands
https-flood defense ssl-defend
display anti-ddos statistics
Use display anti-ddos statistics to display DDoS protection statistics.
Syntax
In standalone mode:
display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos statistics { destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] } | destination-port | source-ip { ipv4 | ipv6 } | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
destination-ip: Displays statistics on a per destination IP basis.
destination-port: Displays statistics on a per destination port basis.
source-ip: Displays statistics on a per source IP basis.
source-port: Displays statistics on a per source port basis.
ipv4: Specifies the IPv4 address type.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays anti-DDoS statistics for all destination IPv4 addresses.
ipv6: Specifies the IPv6 address type.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays DDoS protection statistics for all destination IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays DDoS protection statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays DDoS protection statistics on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is available only on anti-DDoS detection devices.
The anti-DDoS cleaning device supports only the destination-ip form of this command: display anti-ddos statistics destination-ip { ipv4 [ ip-address ] | ipv6 [ ipv6-address ] }.
Examples
# (In standalone mode.) Display DDoS protection statistics on a per source IPv4 basis.
<Sysname> display anti-ddos statistics source-ip ipv4
Slot 1:
Source IP Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 4.4.4.4 - 100 20 100 30
3.3.3.3 4.4.4.4 - 100 20 100 30
Slot 2:
Source IP Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
2.2.2.2 4.4.4.4 - 100 30 100 30
# (In standalone mode.) Display DDoS protection statistics on a per source IPv6 basis.
<Sysname> display anti-ddos statistics source-ip ipv6
Slot 1:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::3 - 100 20 100 30
3::5 - 100 20 100 30
2::6 - 100 30 100 30
Slot 2:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
8::3 ACK 100 20 100 30
# (In standalone mode.) Display DDoS protection statistics on a per source port basis.
<Sysname> display anti-ddos statistics source-port
Slot 1:
Source Port Dest addr Packet type Input(bps) Output(bps) Input(pps) Output(pps)
78 3.3.3.3 - 100 20 100 30
54321 3.3.3.3 - 100 20 100 30
Slot 2:
Source Port Dest addr Packet type Input(bps) Output(bps) Input(pps) Output(pps)
8080 3.3.3.3 - 100 30 100 30
# (In standalone mode.) Display DDoS protection statistics on a per destination IPv4 basis.
<Sysname> display anti-ddos statistics destination-ip ipv4
Slot 1:
Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 UDP 100 20 60 10
3.3.3.3 IP 100 20 60 10
3.3.3.2 ACK 100 20 60 10
3.3.3.2 IP 100 20 60 10
6.6.6.6 HTTPS 500 50 60 10
6.6.6.6 TCP-FRAG 500 50 60 10
6.6.6.6 User-defined 2 500 50 60 10
6.6.6.6 IP 1500 150 180 30
Slot 2:
Dest IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
4.3.2.3 UDP 100 20 60 10
4.3.2.3 IP 100 20 60 10
5.3.2.3 ACK 100 20 60 10
5.3.2.3 IP 100 20 60 10
Table 11 Command output
Field | Description |
---|---|
Source IP | Source IPv4 address. |
Source IPv6 | Source IPv6 address. |
Source port | Source port number. |
Dest IP | Destination IPv4 address. |
Dest IPv6 | Destination IPv6 address. |
Dest addr | Destination address. |
Dest port | Destination port number. |
Packet type | Packet type: ACK (ACK packets), DNS-QUERY (DNS query packets), DNS-REPLY (DNS reply packets), ICMP (ICMP packets), HTTP (HTTP packets), SYN (SYN packets), SYN-ACK (SYN-ACK packets), UDP (UDP packets), RST (RST packets), SIP (SIP packets), HTTPS (HTTPS packets), TCP-FRAG (TCP fragments), UDP-FRAG (UDP fragments), ICMP-FRAG (ICMP fragments), User-defined (packets of a user-defined attack type; the attack type ID is displayed after User-defined), or IP (IP packets). |
Input(bps) | Number of input bits per second. |
Output(bps) | Number of output bits per second. |
Input(pps) | Number of input packets per second. |
Output(pps) | Number of output packets per second. |
display anti-ddos statistics bandwidth-limit destination-ip
Use display anti-ddos statistics bandwidth-limit destination-ip to display rate limiting statistics for a destination IP address.
Syntax
In standalone mode:
display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ slot slot-number ]
In IRF mode:
display anti-ddos statistics bandwidth-limit destination-ip { ipv4 ipv4-address | ipv6 ipv6-address } [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4 ipv4-address: Specifies a destination IPv4 address.
ipv6 ipv6-address: Specifies a destination IPv6 address.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays related rate limiting statistics on all cards. (In IRF mode.)
Usage guidelines
This command is available only on anti-DDoS cleaning devices. The statistics cover only packet types for which a maximum rate is defined. The information includes the traffic thresholds and statistics for the different protocol packets destined for the IP address.
The device generates a statistics node for a destination IP address when it receives the first packet destined for this address. If a node has no matching packets within its aging time, the node is deleted after it ages out.
If no statistics node exists for an IP address, no command output is displayed.
Examples
# (In standalone mode.) Display rate limiting statistics for a destination IPv4 address.
<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10
slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 50000 50000 100 100 50
IP 453216 453216 906 906 50
# (In IRF mode.) Display rate limiting statistics for a destination IPv4 address.
<Sysname> display anti-ddos statistics bandwidth-limit destination-ip ipv4 10.10.10.10
chassis 1 slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
chassis 1 slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 52000 52000 104 104 50
IP 453216 453216 906 906 50
Table 12 Command output
Field | Description |
---|---|
Type | Packet type: TCP (TCP packets), UDP (UDP packets), ICMP (ICMP packets), TCP-FRAG (TCP fragments), UDP-FRAG (UDP fragments), ICMP-FRAG (ICMP fragments), Other (other types of packets), or IP (IP packets). |
Input(bps) | Input rate for a specific type of packets or all IP packets, in bps. |
Input(pps) | Input rate for a specific type of packets or all IP packets, in pps. |
Output(bps) | Output rate for a specific type of packets or all IP packets, in bps. |
Output(pps) | Output rate for a specific type of packets or all IP packets, in pps. |
Threshold(Mbps) | Rate threshold for a specific type of packets or all IP packets, in Mbps. |
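An operator collecting this output from many devices usually wants to know which packet types the limiter is actually dropping for a protected address. The following parser is an added example, not H3C code and not part of this reference; it reads the standalone-mode output shown above (copied inline as sample input) and also accepts the IRF-mode "chassis N slot M:" headers. The function names and the "limited" test (Output below Input) are this example's own. Note that in the sample the capped UDP output rate, 393216, equals 3 × 1048576 / 8, which is the 3 Mbps threshold expressed in bytes per second; the table above does not state that the rate columns are byte rates, so the check below does not depend on the unit and only compares Output against Input.

```python
"""Parser for 'display anti-ddos statistics bandwidth-limit destination-ip'.

Added example; not H3C code and not part of the command reference. The
sample text is the standalone-mode output shown above for 10.10.10.10;
function names and the "limited" test are this example's own.
"""
import re
from dataclasses import dataclass

# Copied from the example output above (slot 1 and slot 2).
SAMPLE_OUTPUT = """\
slot 1:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 50000 50000 100 100 50
UDP 400000 393216 800 786 3
TCP-FRAG 50000 50000 100 100 50
IP 493216 493216 986 986 50
slot 2:
Type Input(bps) Output(bps) Input(pps) Output(pps) Threshold(Mbps)
TCP 20000 20000 40 40 50
UDP 420000 393216 840 786 3
TCP-FRAG 50000 50000 100 100 50
IP 453216 453216 906 906 50
"""

# "slot 1:" in standalone mode, "chassis 1 slot 1:" in IRF mode.
SLOT_RE = re.compile(r"^(?:chassis\s+\d+\s+)?slot\s+\d+:$", re.IGNORECASE)
# A type name followed by five integer columns; the header line does not match.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class RateRow:
    slot: str
    ptype: str
    in_bps: int
    out_bps: int
    in_pps: int
    out_pps: int
    threshold_mbps: int

    @property
    def limited(self) -> bool:
        """True when the limiter forwarded less traffic than came in."""
        return self.out_bps < self.in_bps or self.out_pps < self.in_pps

    @property
    def drop_ratio(self) -> float:
        """Fraction of the input rate that was not forwarded (0.0 if nothing came in)."""
        return 0.0 if self.in_bps == 0 else 1.0 - self.out_bps / self.in_bps


def parse_bandwidth_limit(text: str) -> list[RateRow]:
    """Parse the command output into one RateRow per (slot, packet type)."""
    rows, slot = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SLOT_RE.match(line):
            slot = line[:-1]          # drop the trailing colon, keep "slot 1" / "chassis 1 slot 1"
            continue
        m = ROW_RE.match(line)
        if m and slot is not None:
            rows.append(RateRow(slot, m.group(1), *(int(g) for g in m.groups()[1:])))
    return rows


def limited_rows(rows: list[RateRow]) -> list[RateRow]:
    """Per-type rows that are being rate limited; the IP row is the post-limit total and is skipped."""
    return [r for r in rows if r.ptype != "IP" and r.limited]


def report(rows: list[RateRow]) -> list[str]:
    """One human-readable line per limited row."""
    return [f"{r.slot}: {r.ptype} limited at {r.threshold_mbps} Mbps, "
            f"dropping {r.drop_ratio:.1%} of input"
            for r in limited_rows(rows)]


if __name__ == "__main__":
    for line in report(parse_bandwidth_limit(SAMPLE_OUTPUT)):
        print(line)
```

Run against the sample, the report lists UDP on both slots and nothing else, which is what the Output-versus-Input columns show: the TCP and TCP-FRAG rates are far below their 50 Mbps threshold, and the IP row is the aggregate after limiting.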
display anti-ddos statistics destination-ip
Use display anti-ddos statistics destination-ip to display DDoS protection statistics for IP addresses under attack.
Syntax
In standalone mode:
display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos statistics destination-ip { ipv4 ip-address | ipv6 ipv6-address } { destination-port | source-ip | source-port } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4 ip-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
destination-port: Specifies destination port-based statistics.
source-ip: Specifies source IP-based statistics.
source-port: Specifies source port-based statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv4 address 1.1.1.1.
<Sysname> display anti-ddos statistics destination-ip ipv4 1.1.1.1 source-ip
Slot 1:
Source IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3.3.3.3 - 100 20 60 10
3.3.3.3 - 100 20 60 10
Slot 2:
Source IP Packet type Input(bps) Output(bps) Input(pps) Output(pps)
1.1.1.2 - 100 20 60 10
2.2.2.3 - 100 20 60 10
# (In standalone mode.) Display source IP-based DDoS protection statistics for IPv6 address 1::1.
<Sysname> display anti-ddos statistics destination-ip ipv6 1::1 source-ip
Slot 1:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::3 - 100 20 60 10
4::4 - 100 20 60 10
Slot 2:
Source IPv6 Packet type Input(bps) Output(bps) Input(pps) Output(pps)
3::6 - 100 20 60 10
4::5 - 100 20 60 10
Table 13 Command output
Field | Description |
---|---|
Source IP | Source IPv4 address. |
Source IPv6 | Source IPv6 address. |
Source port | Source port number. |
Dest port | Destination port number. |
Packet type | Type of received packets. |
Input(bps) | Number of input bits per second. |
Output(bps) | Number of output bits per second. |
Input(pps) | Number of input packets per second. |
Output(pps) | Number of output packets per second. |
display anti-ddos statistics http-slow-attack
Use display anti-ddos statistics http-slow-attack to display statistics about HTTP slow attack protection.
Syntax
In standalone mode:
display anti-ddos statistics http-slow-attack destination-ip { ip [ ipv4-address ] | ipv6 [ ipv6-address ] } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-ddos statistics http-slow-attack destination-ip { ip [ ipv4-address ] | ipv6 [ ipv6-address ] } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
destination-ip: Displays HTTP slow attack protection statistics for destination IP addresses.
ip [ ipv4-address ]: Specifies a destination IPv4 address. If you do not specify a destination IPv4 address, this command displays HTTP slow attack protection statistics for all destination IPv4 addresses.
ipv6 [ ipv6-address ]: Specifies a destination IPv6 address. If you do not specify a destination IPv6 address, this command displays HTTP slow attack protection statistics for all destination IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays HTTP slow attack protection statistics on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays HTTP slow attack protection statistics on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
Examples
# (In standalone mode.) Display HTTP slow attack protection statistics for all destination IPv4 addresses.
<Sysname> display anti-ddos statistics http-slow-attack destination-ip ip
Slot 1:
Zone ID Dest-ip Concurrent-num Illegal requests
3 192.168.8.9 100 80
3 192.168.3.6 200 90
Slot 2:
Zone ID Dest-ip Concurrent-num Illegal requests
4 192.168.9.6 5 0
Table 14 Command output
Field | Description |
---|---|
Zone ID | Anti-DDoS zone ID. |
Dest-ip | Destination IPv4 address of attack packets. |
Dest-ipv6 | Destination IPv6 address of attack packets. |
Concurrent-num | Number of concurrent connections. |
Illegal requests | Number of illegal requests. |
Related commands
http-slow-attack defense threshold
display anti-ddos whitelist
Use display anti-ddos whitelist to display global static anti-DDoS whitelist entries.
Syntax
display anti-ddos whitelist [ ip source-ip-address | ipv6 source-ipv6-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an IPv4 or IPv6 address, the command displays all global static IPv4 and IPv6 anti-DDoS whitelist entries.
Examples
# Display all global static anti-DDoS whitelist entries.
<Sysname> display anti-ddos whitelist
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.4/32 White
# Display the global static anti-DDoS whitelist entry for the specified IPv4 address.
<Sysname> display anti-ddos whitelist ip 3.3.3.4
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
3.3.3.4/32 White
# Display the global static anti-DDoS whitelist entry for the specified IPv6 address.
<Sysname> display anti-ddos whitelist ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 0
-------------------------------------------------------------------
Source-ip/MaskLen Black/White
Table 15 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries. |
Blacklist | Number of IPv4 or IPv6 blacklist entries. |
Whitelist | Number of IPv4 or IPv6 whitelist entries. |
Source-ip/MaskLen | Source IP address and the mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
anti-ddos whitelist
display anti-ddos whitelist zone
Use display anti-ddos whitelist zone to display anti-DDoS zone-based static whitelist entries.
Syntax
display anti-ddos whitelist zone [ { id zone-id | default } [ ip source-ip-address | ipv6 source-ipv6-address ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone. The zone ID is fixed at 1.
ip source-ip-address: Specifies a source IPv4 address.
ipv6 source-ipv6-address: Specifies a source IPv6 address.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, the command displays all anti-DDoS zone-based static whitelist entries.
If you do not specify the IPv4 or IPv6 address for an anti-DDoS zone-based whitelist entry, the command displays all static whitelist entries for this zone.
Examples
# Display all anti-DDoS zone-based static whitelist entries.
<Sysname> display anti-ddos whitelist zone
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 3.3.3.4/32 White
# Display the static whitelist entry matching source IP address 10.0.0.3 in anti-DDoS zone 2.
<Sysname> display anti-ddos whitelist zone id 2 ip 3.3.3.4
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 3.3.3.4/32 White
# Display the static whitelist entry matching source IPv6 address 8000::1 in anti-DDoS zone 2.
<Sysname> display anti-ddos whitelist zone id 2 ipv6 8000::1
Total: 4 Blacklist: 3 Whitelist: 1
-------------------------------------------------------------------
ZoneID Source-ip/MaskLen Black/White
2 8000::/64 White
Table 16 Command output
Field | Description |
---|---|
Total | Total number of IPv4 or IPv6 blacklist and whitelist entries in the anti-DDoS zone. |
Blacklist | Number of IPv4 or IPv6 blacklist entries in the anti-DDoS zone. |
Whitelist | Number of IPv4 or IPv6 whitelist entries in the anti-DDoS zone. |
ZoneID | Anti-DDoS zone ID. |
Source-ip/MaskLen | Source IP address and mask length. |
Black/White | Entry type, blacklist or whitelist. |
Related commands
zone-whitelist
display anti-ddos zone configuration
Use display anti-ddos zone configuration to display anti-DDoS zone configuration.
Syntax
display anti-ddos zone configuration [ default | id zone-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies the ID of an anti-DDoS zone, in the range of 2 to 1024.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
If you do not specify the default keyword or the id zone-id option, this command displays brief configuration information about all anti-DDoS zones.
Examples
# Display the configuration of anti-DDoS zone 2.
<Sysname> display anti-ddos zone configuration id 2
Anti-DDoS zone configuration information
Zone ID : 2
Zone name : abc
IP range configuration:
Start IP End IP
1.1.1.1 1.1.1.100
2.2.2.2 2.2.2.10
Filter configuration:
Name Type Preference
IPFliter IP 10
UdpFliter UDP 20
Flood detection configuration:
Flood type Thres(pps/Mbps)
DNS query 1000 pps
DNS reply 1000 pps
HTTP 1000 bps
SYN 1000 pps
ACK 1000 Mbps
SYN-ACK 1000 pps
RST 1000 pps
UDP 1000 Mbps
ICMP 1000 Mbps
SIP 1000 Mbps
TCP fragment 1000 Mbps
UDP fragment 1000 Mbps
ICMP fragment 1000 Mbps
User-defined 2 1000 pps
ACK session check configuration: Enabled
Source verification configuration:
Type Status
TCP Enabled
HTTP Enabled
DNS query Enabled
DNS reply Enabled
SIP Enabled
HTTPS Enabled
HTTPS flood SSL defense configuration:Enabled
Bandwidth configuration:
bandwidth-detection destination-ip threshold: 20
bandwidth-limit destination-ip max-rate: 10
Fingerprint configuration:
Type GroupID
IPv4 10
Threshold Learning: Enabled
Black/White list:
Type IP MaskLength
Black 2.2.2.0 24
White 192.168.13.0 24
HTTP slow attack configuration:Enabled
Alert number Content length Payload length Packet number Block source
100 10000 50 10 Enabled
Table 17 Command output
Field | Description |
---|---|
Anti-ddos zone Information | Configuration of the anti-DDoS zone. |
Zone name | Name of the anti-DDoS zone. |
Zone ID | ID of the anti-DDoS zone. |
IP configuration | IP address ranges in the anti-DDoS zone. |
Start IP | Start IP address. |
End IP | End IP address. |
Filter configuration | Configuration of filters. |
Name | Filter name. |
Type | Filter type. |
Preference | Filter preference. |
Flood detection configuration | Configuration of flood attack protection. |
Flood type | Flood attack type: ACK, DNS query, DNS reply, ICMP, SYN, SYN-ACK, UDP, RST, HTTP, SIP, HTTPS, TCP fragment, UDP fragment, ICMP fragment, or User-defined (user-defined flood attack type; the attack type ID is displayed after User-defined). |
Thres(pps/Mbps) | Flood attack detection threshold, in pps or Mbps. |
Ack session check configuration | Enabling status of the session check for ACK flood attack protection. |
Source verification configuration | Configuration of source verification. |
Type | Source verification type: DNS query, DNS reply, TCP (TCP SYN source verification), HTTP, SIP, or HTTPS. |
Status | Status of source verification: Enabled or Disabled. |
HTTPS flood ssl defend configuration | Enabling status of the SSL renegotiation protection for HTTPS flood attack protection. |
Bandwidth configuration | Bandwidth threshold setting. |
Bandwidth-detection destination-ip threshold | IP traffic attack detection threshold. |
Bandwidth-limit destination-ip max-rate | Maximum bandwidth for IP traffic. |
Fingerprint configuration | Fingerprint protection configuration. |
Type | Type of the fingerprint policy group: IPv4 or IPv6. |
GroupID | ID of the fingerprint policy group. |
Threshold Learning | Enabling status of threshold learning. |
Black/White list | Blacklist or whitelist. |
Type | Entry type: Black (blacklist) or White (whitelist). |
IP | IP address. |
MaskLength | Mask length. |
Slow attack configuration | Enabling status of HTTP slow attack protection. |
Alert number | HTTP concurrent connection threshold that triggers HTTP slow attack protection. |
Content length | Threshold for the Content-Length field in HTTP packets. |
Payload length | Payload size threshold. |
Packet number | Threshold of abnormal packets. |
Block source | Enabling status of blocking packet source IP addresses. |
# Display brief configuration information about all anti-DDoS zones.
<Sysname> display anti-ddos zone configuration
Anti-ddos Zone Brief information
Zone ID Zone Name
2 abc
100 p1
10 p12
Table 18 Command output
Field | Description |
---|---|
Zone ID | ID of the anti-DDoS zone. |
Zone Name | Name of the anti-DDoS zone. |
dns-query-flood defense source-verify
Use dns-query-flood defense source-verify to enable DNS query source verification.
Use undo dns-query-flood defense source-verify to disable DNS query source verification.
Syntax
dns-query-flood defense source-verify
undo dns-query-flood defense source-verify
Default
DNS query source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects internal DNS servers against DNS query flood attacks initiated by external illegitimate clients. After receiving a DNS reply destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS queries from this IP address to pass through.
· If the source IP address fails verification, the device drops the DNS query and subsequent queries from this IP address.
Examples
# Enable DNS query source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-query-flood defense source-verify
Related commands
display anti-ddos zone configuration
dns-query-flood detection threshold
Use dns-query-flood detection threshold to enable DNS query flood attack detection and set a detection threshold.
Use undo dns-query-flood detection threshold to disable DNS query flood attack detection.
Syntax
dns-query-flood detection threshold { bit-based value | packet-based value }
undo dns-query-flood detection threshold
Default
DNS query flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable DNS query flood attack detection for a zone, the device enters the attack detection state and monitors the sending rate of DNS queries per destination IP address in this zone. When the sending rate of DNS queries destined for an IP address keeps exceeding the threshold, a DNS query flood attack is detected and one of the following protection actions is triggered:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of DNS queries destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable DNS query flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-query-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
dns-reply-flood defense source-verify
Use dns-reply-flood defense source-verify to enable DNS reply source verification.
Use undo dns-reply-flood defense source-verify to disable DNS reply source verification.
Syntax
dns-reply-flood defense source-verify
undo dns-reply-flood defense source-verify
Default
DNS reply source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects DNS clients against DNS reply flood attacks. After receiving a DNS reply destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent DNS replies from this IP address to pass through.
· If the source IP address fails verification, the device drops the DNS reply.
Examples
# Enable DNS reply source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-reply-flood defense source-verify
Related commands
display anti-ddos zone configuration
dns-reply-flood detection threshold
Use dns-reply-flood detection threshold to enable DNS reply flood attack detection and set a detection threshold.
Use undo dns-reply-flood detection threshold to disable DNS reply flood attack detection.
Syntax
dns-reply-flood detection threshold { bit-based value | packet-based value }
undo dns-reply-flood detection threshold
Default
DNS reply flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies a bit-based threshold.
packet-based: Specifies a packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable DNS reply flood attack detection for a zone, the device enters the attack detection state and monitors the sending rate of DNS replies per destination IP address in this zone. When the sending rate of DNS replies destined for an IP address keeps exceeding the threshold, a DNS reply flood attack is detected and one of the following protection actions is triggered:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of DNS replies destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable DNS reply flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] dns-reply-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
domain
Use domain to create a domain name field match rule for DNS packets.
Use undo domain to delete a domain name field match rule for DNS packets.
Syntax
domain { equal | include } domain-string
undo domain [ { equal | include } domain-string ]
Default
No domain name field match rules exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
equal: Specifies to be identical to the specified domain name keyword.
include: Specifies to include the specified domain name keyword.
domain-string: Specifies the domain name keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the domain name keyword of DNS packets.
A DNS filter supports a maximum of 32 rules for the domain name field. A packet matches the domain name field if its domain name matches one of these rules.
If you do not specify any parameters, the undo domain command deletes all domain name field match rules in the filter.
Examples
# Create a rule for DNS filter test to match packets that contain www.example.com in the domain name field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] domain include www.example.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
dscp
Use dscp to create a DSCP match rule.
Use undo dscp to delete a DSCP match rule.
Syntax
dscp dscp
undo dscp [ dscp ]
Default
No DSCP match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
dscp: Specifies a DSCP value in the range of 0 to 63.
Usage guidelines
The device uses this rule to match the DSCP value in packets.
A filter supports a maximum of 10 rules for the DSCP field. A packet matches the DSCP field if its DSCP value matches one of these rules.
If you do not specify a DSCP value, the undo dscp command deletes all DSCP match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with DSCP value 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] dscp 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
fingerprint (filter view)
Use fingerprint to create a fingerprint match rule.
Use undo fingerprint to delete a fingerprint match rule.
Syntax
fingerprint id { offset offset-value content content [ depth depth-value ] } &<1-4>
undo fingerprint [ id ]
Default
No fingerprint match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
id: Specifies a fingerprint ID in the range of 0 to 31.
offset offset-value: Specifies an offset value in bytes after which the match operation starts. The value range is 0 to 1500.
content content: Specifies the fingerprint content. The fingerprint content is 4 to 16 bytes long, and each byte includes two hexadecimal characters.
depth depth-value: Specifies the number of bytes to match. This depth value defines a range for the device to search for the specified fingerprint content. The value range is 1 to 1500.
&<1-4>: Specifies a list of up to four fingerprint segments. Each fingerprint segment contains the fingerprint offset, content, and depth.
Usage guidelines
The device uses this rule to match the fingerprint content in the specified byte range of packets.
A filter supports a maximum of 10 fingerprint match rules. Each rule supports a maximum of four fingerprint segments. The device supports a maximum of 512 fingerprint segments.
For each fingerprint segment, the device searches for the specified fingerprint content starting from offset byte in the packet header.
· If the depth-value argument is specified, the search range is determined by the depth value.
· If the depth-value argument is not specified, the search range is the same as the length of the specified fingerprint content.
If you configure multiple fingerprint segments for a fingerprint match rule, a packet matches this rule only if the packet matches all these fingerprint segments.
If you do not specify a fingerprint ID, the undo fingerprint command deletes all fingerprint match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that have fingerprint aabbccdd after the 10th byte and have fingerprint 2233 in the 10 bytes after the 20th byte.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] fingerprint 20 offset 10 content aabbccdd offset 20 content 22334455 depth 10
Related commands
anti-ddos filter
display anti-ddos filter statistics
fingerprint (fingerprint policy group view)
Use fingerprint to create a fingerprint policy.
Use undo fingerprint to delete a fingerprint policy.
Syntax
fingerprint policy-id protocol { icmp | other | tcp | udp } { offset offset-value length length-value [ content content ] } &<1-3> threshold threshold-value action { bandwidth-limit | drop | watch }
undo fingerprint policy-id
Default
No fingerprint policies exist.
Views
Fingerprint policy group view
Predefined user roles
network-admin
Parameters
policy-id: Specifies the ID of a fingerprint policy, in the range of 0 to 31.
protocol { icmp | other | tcp | udp }: Specifies a protocol type, which can be ICMP, TCP, UDP, or Other.
offset offset-value: Specifies an offset value in bytes after which the match operation starts. The value range is 0 to 254.
length length-value: Specifies the fingerprint length in bytes. The value range is 1 to 4.
content content: Specifies the fingerprint content. The fingerprint content is 1 to 4 bytes long, and each byte includes two hexadecimal characters.
&<1-3>: Specifies a list of up to three fingerprint segments. Each fingerprint segment contains the fingerprint offset, length, and content.
threshold threshold-value: Specifies a threshold in pps. The value range is 1 to 10000000.
action: Specifies an action on matching packets that exceed the threshold.
bandwidth-limit: Rate limits matching packets and drops packets that exceed the threshold.
drop: Drops matching packets that exceed the threshold.
watch: Takes no action on matching packets that exceed the threshold.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
A fingerprint policy contains a packet match criterion, a threshold, and a protection action to take when the receiving rate of the matching packets exceeds the threshold.
If a fingerprint policy contains multiple fingerprint segments, a packet matches the policy only when the packet matches all segments.
The device always sends logs upon threshold violations no matter which protection action is specified.
A fingerprint does not support matching IP options or IPv6 extension headers.
A fingerprint policy group supports a maximum of 32 fingerprint policies. You can configure a maximum of eight fingerprint policies for each type (ICMP, TCP, UDP, and Other).
The content of each segment in a fingerprint policy must be unique.
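The following added example (not the vendor's code) simulates the match logic of both fingerprint commands on this page: the filter-view fingerprint rule (offset, content, optional depth search window) and the fingerprint policy segment (offset, length, content, i.e. an exact compare at the offset, modelled here as a segment with no depth). The sample payload and the hypothetical helper names are constructed for the demonstration.

```python
# Added example, not from the command reference. Models how a fingerprint
# rule (filter view) and a fingerprint policy (policy group view) decide
# whether a packet matches:
# - filter view: the device searches for `content` starting at `offset`;
#   with `depth` the window is `depth` bytes, without it the window equals
#   len(content), so the content must sit exactly at the offset;
# - policy view: `length` bytes at `offset` are compared with `content`,
#   which is the same as a segment with no depth.
# A rule or policy matches only if EVERY segment matches.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    offset: int                  # byte offset at which the search starts
    content: bytes               # fingerprint bytes (hex string on the CLI)
    depth: Optional[int] = None  # search window in bytes; None = len(content)

    @staticmethod
    def from_cli(offset: int, content_hex: str, depth: Optional[int] = None) -> "Segment":
        """Build a segment from CLI-style arguments, e.g. offset 10 content aabbccdd depth 10."""
        content = bytes.fromhex(content_hex)
        if depth is not None and depth < len(content):
            # A window shorter than the content can never match; reject it
            # (assumption: the device would refuse such a segment).
            raise ValueError("depth must be at least the content length")
        return Segment(offset, content, depth)

    def matches(self, packet: bytes) -> bool:
        window_len = self.depth if self.depth is not None else len(self.content)
        window = packet[self.offset:self.offset + window_len]
        return self.content in window


def rule_matches(packet: bytes, segments: List[Segment]) -> bool:
    """A fingerprint rule or policy matches only if all its segments match."""
    return all(seg.matches(packet) for seg in segments)


# The page's filter-view example:
# fingerprint 20 offset 10 content aabbccdd offset 20 content 22334455 depth 10
FILTER_RULE_20 = [
    Segment.from_cli(10, "aabbccdd"),            # exact match at byte 10
    Segment.from_cli(20, "22334455", depth=10),  # anywhere in bytes 20..29
]

# The page's policy-group example:
# fingerprint 5 protocol tcp offset 40 length 4 content 01ab3f0c ...
POLICY_5 = [Segment.from_cli(40, "01ab3f0c")]


def build_sample_packet() -> bytes:
    """Constructed 60-byte payload (not a real capture) with the fingerprints
    placed so that both rules above match."""
    buf = bytearray(60)
    buf[10:14] = bytes.fromhex("aabbccdd")
    buf[24:28] = bytes.fromhex("22334455")  # inside the 10-byte window at 20
    buf[40:44] = bytes.fromhex("01ab3f0c")
    return bytes(buf)


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("filter rule 20 matches:", rule_matches(pkt, FILTER_RULE_20))  # True
    print("policy 5 matches:", rule_matches(pkt, POLICY_5))              # True
    # Move the second fingerprint outside its window: rule 20 no longer matches.
    moved = bytearray(pkt)
    moved[24:28] = b"\x00" * 4
    moved[30:34] = bytes.fromhex("22334455")
    print("after moving to byte 30:", rule_matches(bytes(moved), FILTER_RULE_20))  # False
```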
Examples
# Add fingerprint policy 5 to IPv4 fingerprint policy group 10, configure the fingerprint signature, set the threshold to 2000 pps, and specify watch as the protection action.
<Sysname> system-view
[Sysname] fingerprint-group ip 10
[Sysname-fingerprint-group-ip-10] fingerprint 5 protocol tcp offset 40 length 4 content 01ab3f0c threshold 2000 action watch
Related commands
bandwidth-limit destination-ip max-rate
fingerprint-group
Use fingerprint-group to create a fingerprint policy group and enter its view, or enter the view of an existing fingerprint policy group.
Use undo fingerprint-group to delete a fingerprint policy group.
Syntax
fingerprint-group { ip | ipv6 } group-id
undo fingerprint-group { ip | ipv6 } group-id
Default
No fingerprint policy groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 fingerprint policy group.
ipv6: Specifies the IPv6 fingerprint policy group.
group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
The device supports a maximum of 64 fingerprint policy groups, including 32 IPv4 fingerprint policy groups and 32 IPv6 fingerprint policy groups.
Examples
# Create IPv4 fingerprint policy group 10 and enter its view.
<Sysname> system-view
[Sysname] fingerprint-group ip 10
[Sysname-fingerprint-group-ip-10]
Related commands
fingerprint
fingerprint-group { ip | ipv6 }
display anti-ddos zone configuration
fingerprint-group apply
Use fingerprint-group apply to apply a fingerprint policy group to an anti-DDoS zone.
Use undo fingerprint-group apply to remove the application of a fingerprint policy group.
Syntax
fingerprint-group apply { ip | ipv6 } group-id
undo fingerprint-group apply { ip | ipv6 }
Default
No fingerprint policy group is applied to an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
ip: Specifies the IPv4 fingerprint policy group.
ipv6: Specifies the IPv6 fingerprint policy group.
group-id: Specifies the ID of a fingerprint policy group, in the range of 0 to 31.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
You can apply one IPv4 fingerprint policy group and one IPv6 fingerprint policy group to an anti-DDoS zone.
Examples
# Apply fingerprint policy group 10 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-ddos-zone-3] fingerprint-group apply ip 10
Related commands
fingerprint-group { ip | ipv6 }
fragment
Use fragment to create a fragment match rule.
Use undo fragment to delete a fragment match rule.
Syntax
fragment { donot | first | last | middle | non }
undo fragment [ donot | first | last | middle | non ]
Default
No fragment match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
donot: Specifies packets where the DF bit is 1 in the IP header. Fragmentation of those packets is not allowed.
first: Specifies first fragments where the offset value is 0 and the MF bit is 1 in the IP header.
last: Specifies last fragments where the offset value is not 0 and the MF bit is 0 in the IP header.
middle: Specifies middle fragments where the offset value is not 0 and the MF bit is 1 in the IP header.
non: Specifies non-fragments where the offset value is 0 and the MF bit is 0 in the IP header.
Usage guidelines
The device uses this rule to match packets or fragments.
A filter supports a maximum of five fragment match rules.
If you do not specify any keyword, the undo fragment command deletes all fragment match rules in the filter.
Examples
# Create a rule for HTTP filter test to match non-fragments.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] fragment non
Related commands
anti-ddos filter
display anti-ddos filter statistics
host
Use host to create a host field match rule for HTTP packets.
Use undo host to delete a host field match rule for HTTP packets.
Syntax
host include host-name
undo host [ include host-name ]
Default
No host field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified host keyword.
host-name: Specifies the host keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the host field in HTTP packets.
An HTTP filter supports a maximum of 32 rules for the host field. A packet matches the host field if its host field matches one of these rules.
If you do not specify any parameters, the undo host command deletes all host field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that contain www.example.com in the host field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] host include www.example.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
http-flood defense source-verify
Use http-flood defense source-verify to enable HTTP source verification.
Use undo http-flood defense source-verify to disable HTTP source verification.
Syntax
http-flood defense source-verify
undo http-flood defense source-verify
Default
HTTP source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal HTTP server against HTTP flood attacks initiated by external illegitimate clients. After receiving an HTTP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
The device verifies the source IP address of the HTTP GET request destined for an IP address in this zone.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent HTTP GET requests from this IP address to pass through.
· If the source IP address fails verification, the device drops the HTTP GET request.
Examples
# Enable HTTP source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] http-flood defense source-verify
Related commands
display anti-ddos zone configuration
http-flood detection threshold
Use http-flood detection threshold to enable HTTP flood attack detection and set a detection threshold.
Use undo http-flood detection threshold to disable HTTP flood attack detection.
Syntax
http-flood detection threshold { bit-based value | packet-based value }
undo http-flood detection threshold
Default
HTTP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable HTTP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTP packets per destination IP address in this zone. When the sending rate of HTTP packets destined for an IP address keeps exceeding the threshold, an HTTP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of HTTP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable HTTP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] http-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
http-slow-attack defense threshold
Use http-slow-attack defense threshold to enable HTTP slow attack detection and set thresholds.
Use undo http-slow-attack defense to disable HTTP slow attack detection.
Syntax
http-slow-attack defense threshold alert-number alert-number [ content-length content-length | packet-number packet-number | payload-length payload-length ] * [ action block-source ]
undo http-slow-attack defense
Default
HTTP slow attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
alert-number alert-number: Specifies the HTTP concurrent connection threshold. A threshold violation triggers HTTP slow attack protection. The value range is 1 to 1200000.
content-length content-length: Specifies a threshold for the Content-Length field in an HTTP packet. The value range is 100 to 100000000, and the default is 10000.
packet-number packet-number: Specifies a threshold for HTTP slow attack packets. The value range is 1 to 1000, and the default is 10.
payload-length payload-length: Specifies a threshold for the payload size in an HTTP packet. The value range is 1 to 1000, and the default is 50.
action block-source: Specifies a source block action against HTTP slow attacks. This action enables the device to drop subsequent packets from IP addresses that launch HTTP slow attacks.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
With HTTP slow attack detection enabled, the device counts the number of concurrent HTTP connections on a per-destination IP basis. When the number of concurrent connections to an IP address exceeds the threshold, the device inspects the following types of HTTP packets and counts the number of attack packets:
· Slow headers—If the packet header does not start with \r\n\r\n, the device marks those packets as attack packets.
· Slow POST—If the value in the Content-Length field is greater than the content-length threshold and the payload size is smaller than the payload-length threshold, the device marks those packets as attack packets.
When the number of HTTP attack packets destined for an IP address exceeds the threshold, the device blocks subsequent packets to this IP address and sends an attack alarm log. If you specify the block-source keyword, the device adds the packet source IP address to the dynamic blacklist.
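The following added example (not the vendor's code) models the inspection sequence described above with the page's example values (alert-number 3000, content-length 10000, payload-length 20, packet-number 10, action block-source). Connection counts and the raw HTTP requests are constructed; the slow-headers check is implemented here as "the request carries no \r\n\r\n header terminator", which is an interpretation of the page's wording.

```python
# Added example, not from the command reference. Simulates HTTP slow attack
# detection as enabled by "http-slow-attack defense threshold": once the
# concurrent-connection count for a destination exceeds alert-number, each
# request is classified as slow-headers, slow-POST or normal; attack packets
# are counted per destination, and exceeding packet-number blocks subsequent
# packets to that destination, logs an alarm and (with block-source) adds the
# source to the dynamic blacklist.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SlowAttackDefense:
    alert_number: int = 3000       # concurrent HTTP connections per destination
    content_length: int = 10000    # Content-Length threshold for slow POST
    payload_length: int = 50       # payload-size threshold for slow POST (bytes)
    packet_number: int = 10        # attack packets before the destination is blocked
    block_source: bool = False     # action block-source
    attack_packets: Dict[str, int] = field(default_factory=dict)
    blocked_dst: Set[str] = field(default_factory=set)
    dynamic_blacklist: Set[str] = field(default_factory=set)
    logs: List[str] = field(default_factory=list)

    def classify(self, raw: bytes) -> str:
        """Return 'slow-headers', 'slow-post' or 'normal' for one HTTP request."""
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            return "slow-headers"          # header block never terminated (assumption)
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                try:
                    declared = int(value.strip())
                except ValueError:
                    return "normal"
                if declared > self.content_length and len(body) < self.payload_length:
                    return "slow-post"     # large declared body, tiny actual payload
        return "normal"

    def inspect(self, src_ip: str, dst_ip: str, concurrent_conns: int, raw: bytes) -> str:
        """Process one request and return the verdict for the packet."""
        if dst_ip in self.blocked_dst:
            return "dropped-dst-blocked"
        if src_ip in self.dynamic_blacklist:
            return "dropped-blacklisted"
        if concurrent_conns <= self.alert_number:
            return "forwarded"             # below alert-number nothing is inspected
        kind = self.classify(raw)
        if kind == "normal":
            return "forwarded"
        n = self.attack_packets.get(dst_ip, 0) + 1
        self.attack_packets[dst_ip] = n
        if n > self.packet_number:
            self.blocked_dst.add(dst_ip)
            self.logs.append(f"ALARM HTTP slow attack ({kind}) to {dst_ip}: {n} attack packets")
            if self.block_source:
                self.dynamic_blacklist.add(src_ip)
            return "dropped-dst-blocked"
        return f"counted-{kind}"


def run_scenario() -> Tuple[List[str], SlowAttackDefense]:
    """Replays constructed requests against the page's example thresholds."""
    d = SlowAttackDefense(alert_number=3000, content_length=10000,
                          payload_length=20, packet_number=10, block_source=True)
    slow_post = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 100000\r\n\r\nab")                 # 2-byte payload
    slow_hdr = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-A: b\r\n"  # no terminator
    normal = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    verdicts = []
    # Below alert-number the slow POST is forwarded uninspected.
    verdicts.append(d.inspect("203.0.113.5", "192.168.30.20", 100, slow_post))
    # Above alert-number: the 11th attack packet trips packet-number 10.
    for i in range(11):
        raw = slow_post if i % 2 == 0 else slow_hdr
        verdicts.append(d.inspect("203.0.113.5", "192.168.30.20", 3500, raw))
    # The source is now blacklisted, so even a normal request to another host is dropped.
    verdicts.append(d.inspect("203.0.113.5", "192.168.30.21", 10, normal))
    return verdicts, d


if __name__ == "__main__":
    for v in run_scenario()[0]:
        print(v)
```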
Examples
# In anti-DDoS zone 3, enable HTTP slow attack detection, set thresholds, and specify the block-source action.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] http-slow-attack defense threshold alert-number 3000 content-length 10000 payload-length 20 packet-number 10 action block-source
Related commands
anti-ddos zone id
https-flood defense source-verify
Use https-flood defense source-verify to enable HTTPS source verification.
Use undo https-flood defense source-verify to disable HTTPS source verification.
Syntax
https-flood defense source-verify
undo https-flood defense source-verify
Default
HTTPS source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal HTTPS server against HTTPS flood attacks that are initiated by external clients. After receiving an HTTPS packet destined for the zone, the device adds the packet destination IP address as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent HTTPS packets from this IP address to pass through.
· If the source IP address fails verification, the device drops the HTTPS packet.
Examples
# Enable HTTPS source verification for anti-DDoS zone 5.
<Sysname> system-view
[Sysname] anti-ddos zone id 5
[Sysname-anti-ddos-id-5] https-flood defense source-verify
Related commands
https-flood detection threshold
https-flood defense ssl-defend
Use https-flood defense ssl-defend to enable SSL renegotiation protection against HTTPS flood attacks.
Use undo https-flood defense ssl-defend to disable SSL renegotiation protection against HTTPS flood attacks.
Syntax
https-flood defense ssl-defend [ negotiation-num negotiation-num [ interval interval ] | illegal-session-num illegal-session-num [ interval interval2 ] ] *
undo https-flood defense ssl-defend
Default
SSL renegotiation protection against HTTPS flood attacks is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
negotiation-num negotiation-num: Specifies the maximum number of negotiations for an SSL session. The value range is 1 to 10, and the default is 3.
interval interval: Specifies the SSL renegotiation check interval in seconds. The value range is 1 to 240, and the default is 30.
illegal-session-num illegal-session-num: Specifies the threshold for abnormal SSL sessions. The value range is 1 to 10, and the default is 3.
interval interval2: Specifies the abnormal SSL session check interval in seconds. The value range is 1 to 240, and the default is 15.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
With the SSL renegotiation protection enabled, the device starts the following operations when an SSL session fails the first negotiation:
· Counting the number of renegotiations for the session.
· Counting down the renegotiation check interval and the abnormal SSL session check interval.
If the number of renegotiations exceeds the threshold (negotiation-num minus 1) within the renegotiation check interval, the device identifies this session as abnormal.
If the number of abnormal sessions originated from an IP address exceeds the threshold (illegal-session-num) within the abnormal session check interval, the device adds this IP address to the blacklist. The device drops subsequent session establishment requests from the blacklisted IP address.
For this command to take effect, first execute the https-flood defense source-verify command to enable HTTPS source verification.
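The following added example (not the vendor's code) models the two counters described above with the page's defaults (negotiation-num 3, interval 30 s, illegal-session-num 3, interval2 15 s). Session identifiers, source addresses and timestamps are constructed; the method names are hypothetical.

```python
# Added example, not from the command reference. After a session fails its
# first negotiation, its renegotiations are counted within `interval`; more
# than negotiation-num - 1 marks the session abnormal. Abnormal sessions per
# source are counted within `interval2`; more than illegal-session-num puts
# the source on the blacklist, and its later session requests are dropped.
from collections import defaultdict
from typing import Dict, List, Tuple


class SslDefend:
    def __init__(self, negotiation_num: int = 3, interval: int = 30,
                 illegal_session_num: int = 3, interval2: int = 15):
        self.negotiation_num = negotiation_num
        self.interval = interval
        self.illegal_session_num = illegal_session_num
        self.interval2 = interval2
        # session id -> (window start, renegotiation count); only sessions
        # whose first negotiation failed are tracked
        self._sessions: Dict[str, Tuple[float, int]] = {}
        # source ip -> timestamps of sessions judged abnormal
        self._abnormal: Dict[str, List[float]] = defaultdict(list)
        self.blacklist: Dict[str, float] = {}   # source ip -> time blacklisted

    def session_request(self, src_ip: str) -> bool:
        """New session establishment request; False means it is dropped."""
        return src_ip not in self.blacklist

    def first_negotiation_failed(self, session: str, t: float) -> None:
        """Start both counters for a session that failed its first negotiation."""
        self._sessions[session] = (t, 0)

    def renegotiation(self, src_ip: str, session: str, t: float) -> str:
        """Record one renegotiation; returns 'ok', 'abnormal-session' or 'blacklisted'."""
        if session not in self._sessions:
            return "ok"                        # first negotiation succeeded: not tracked
        start, count = self._sessions[session]
        if t - start > self.interval:
            self._sessions[session] = (t, 1)   # check interval expired: restart counting
            return "ok"
        count += 1
        self._sessions[session] = (start, count)
        if count <= self.negotiation_num - 1:
            return "ok"
        # Renegotiations exceeded negotiation-num - 1 inside the interval: abnormal.
        del self._sessions[session]
        stamps = self._abnormal[src_ip]
        stamps.append(t)
        stamps[:] = [s for s in stamps if t - s <= self.interval2]
        if len(stamps) > self.illegal_session_num:
            self.blacklist[src_ip] = t
            return "blacklisted"
        return "abnormal-session"


def run_scenario() -> Tuple[List[str], bool]:
    """Four constructed sessions from one source, each renegotiating three
    times within seconds; the fourth abnormal session trips the blacklist."""
    d = SslDefend()                            # page defaults: 3 / 30 s / 3 / 15 s
    src = "203.0.113.7"
    results: List[str] = []
    t = 0.0
    for n in range(4):
        sid = f"session-{n}"
        d.first_negotiation_failed(sid, t)
        for _ in range(3):
            t += 1
            results.append(d.renegotiation(src, sid, t))
    return results, d.session_request(src)


if __name__ == "__main__":
    results, allowed = run_scenario()
    print(results)
    print("new session from source allowed:", allowed)  # False
```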
Examples
# In anti-DDoS zone 5, enable HTTPS source verification, and configure SSL renegotiation protection.
<Sysname> system-view
[Sysname] anti-ddos zone id 5
[Sysname-anti-ddos-id-5] https-flood defense source-verify
[Sysname-anti-ddos-id-5] https-flood defense ssl-defend negotiation-num 20 interval 3 illegal-session-num 5 interval 5
Related commands
https-flood detection threshold
https-flood defense source-verify
https-flood detection threshold
Use https-flood detection threshold to enable HTTPS flood attack detection and set a detection threshold.
Use undo https-flood detection threshold to disable HTTPS flood attack detection.
Syntax
https-flood detection threshold { bit-based | packet-based } value
undo https-flood detection threshold
Default
HTTPS flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable HTTPS flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of HTTPS packets per destination IP address in this zone. When the sending rate of HTTPS packets destined for an IP address keeps exceeding the threshold, an HTTPS flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of HTTPS packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable HTTPS flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] https-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
icmp-flood detection threshold
Use icmp-flood detection threshold to enable ICMP flood attack detection and set a detection threshold.
Use undo icmp-flood detection threshold to disable ICMP flood attack detection.
Syntax
icmp-flood detection threshold { bit-based value | packet-based value }
undo icmp-flood detection threshold
Default
ICMP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ICMP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP packets per destination IP address in this zone. When the sending rate of ICMP packets destined for an IP address keeps exceeding the threshold, an ICMP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ICMP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable ICMP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] icmp-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
icmp-frag-flood detection threshold
Use icmp-frag-flood detection threshold to enable ICMP fragment flood attack detection and set a detection threshold.
Use undo icmp-frag-flood detection threshold to disable ICMP fragment flood attack detection.
Syntax
icmp-frag-flood detection threshold { bit-based | packet-based } value
undo icmp-frag-flood detection threshold
Default
ICMP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable ICMP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of ICMP fragments per destination IP address in this zone. When the sending rate of ICMP fragments destined for an IP address keeps exceeding the threshold, an ICMP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of ICMP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
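The detection-state behaviour above is shared by the dns-reply-flood, http-flood, https-flood, icmp-flood and icmp-frag-flood detection threshold commands on this page. The following added example (not the vendor's code) models that per-destination state machine, including the silence threshold at three-fourths of the detection threshold. Sampling once per second and treating "keeps exceeding" as three consecutive over-threshold samples are assumptions; the rates are constructed.

```python
# Added example, not from the command reference. Per destination IP the
# rate of the monitored packet type is sampled; a sustained rate above the
# detection threshold enters the attack state and emits an alarm log, and
# the destination only returns to the detection state once the rate drops
# below the silence threshold (3/4 of the detection threshold).
from collections import defaultdict
from typing import Dict, List, Tuple


class FloodDetector:
    def __init__(self, attack_type: str, threshold: int, unit: str = "pps",
                 sustain_samples: int = 3):
        if not 1 <= threshold <= 4294967295:
            raise ValueError("threshold out of range 1 to 4294967295")
        self.attack_type = attack_type          # e.g. "HTTP", "ICMP fragment"
        self.threshold = threshold              # detection threshold
        self.unit = unit                        # "pps" (packet-based) or "Mbps" (bit-based)
        self.silence = threshold * 3 / 4        # silence threshold
        self.sustain = sustain_samples          # assumption: samples needed to "keep exceeding"
        self._over: Dict[str, int] = defaultdict(int)      # consecutive over-threshold samples
        self.under_attack: Dict[str, bool] = defaultdict(bool)
        self.logs: List[str] = []

    def sample(self, dst_ip: str, rate: float) -> bool:
        """Feed one rate sample for a destination; True = destination is under attack."""
        if not self.under_attack[dst_ip]:
            if rate > self.threshold:
                self._over[dst_ip] += 1
                if self._over[dst_ip] >= self.sustain:
                    self.under_attack[dst_ip] = True
                    self.logs.append(f"ALARM {self.attack_type} flood to {dst_ip}: "
                                     f"{rate} {self.unit} > {self.threshold} {self.unit}")
            else:
                self._over[dst_ip] = 0          # burst ended before it was sustained
        elif rate < self.silence:
            # Hysteresis: leave the attack state only below the silence threshold.
            self.under_attack[dst_ip] = False
            self._over[dst_ip] = 0
            self.logs.append(f"CLEAR {self.attack_type} flood to {dst_ip}: "
                             f"{rate} {self.unit} < silence {self.silence} {self.unit}")
        return self.under_attack[dst_ip]


def run_scenario() -> Tuple[List[bool], List[str]]:
    """Replays constructed per-second HTTP packet rates for 192.168.30.20
    (inside the page's example zone) against
    'http-flood detection threshold packet-based 20'."""
    det = FloodDetector("HTTP", 20)
    rates = [5, 25, 30, 40, 18, 16, 14, 10]   # 18 and 16 are below 20 but above silence 15
    states = [det.sample("192.168.30.20", r) for r in rates]
    return states, det.logs


if __name__ == "__main__":
    states, logs = run_scenario()
    print(states)   # [False, False, False, True, True, True, False, False]
    for line in logs:
        print(line)
```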
Examples
# Enable ICMP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] icmp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
ip-range
Use ip-range to add an IPv4 address range to an anti-DDoS zone.
Use undo ip-range to remove an IPv4 address range from an anti-DDoS zone.
Syntax
ip-range start-ip end-ip
undo ip-range start-ip end-ip
Default
No IPv4 address range is configured in an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
start-ip: Specifies a start IPv4 address.
end-ip: Specifies an end IPv4 address.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
An anti-DDoS zone supports a maximum of 128 IPv4 address ranges. The highest 16 bits of all IPv4 addresses in a zone must be the same.
IPv4 address ranges in each anti-DDoS zone cannot overlap. The device supports a maximum of 512 IPv4 and IPv6 address ranges that contain IP addresses with different highest 16 bits.
This command is not available in the default anti-DDoS zone.
Examples
# Add IPv4 address range 192.168.30.10 to 192.168.30.120 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ip-range 192.168.30.10 192.168.30.120
Related commands
display anti-ddos zone configuration
ipv6-range
ipv6-range
Use ipv6-range to add an IPv6 address range to an anti-DDoS zone.
Use undo ipv6-range to remove an IPv6 address range from an anti-DDoS zone.
Syntax
ipv6-range start-ip end-ip
undo ipv6-range start-ip end-ip
Default
No IPv6 address range is configured in an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
start-ip: Specifies a start IPv6 address.
end-ip: Specifies an end IPv6 address.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
An anti-DDoS zone supports a maximum of 128 IPv6 address ranges. The highest 16 bits of all IPv6 addresses in a zone must be the same.
IPv6 address ranges in each anti-DDoS zone cannot overlap. The device supports a maximum of 512 IPv4 and IPv6 address ranges that contain IP addresses with different highest 16 bits.
This command is not available in the default anti-DDoS zone.
Examples
# Add IPv6 address range 192:168:30::10 to 192:168:30::120 to anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] ipv6-range 192:168:30::10 192:168:30::120
Related commands
display anti-ddos zone configuration
ip-range
name
Use name to assign a name to an anti-DDoS zone.
Use undo name to restore the default.
Syntax
name zone-name
undo name
Default
An anti-DDoS zone does not have a name.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
zone-name: Specifies the name of an anti-DDoS zone, a case-insensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), and hyphens (-). The name cannot be default.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The name of the default anti-DDoS zone is not configurable.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify name test for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] name test
Related commands
anti-ddos zone
display anti-ddos zone configuration
opcode
Use opcode to create a request packet type match rule for HTTP packets.
Use undo opcode to delete a request packet type match rule for HTTP packets.
Syntax
opcode { connect | delete | get | head | options | post | put | trace }
undo opcode { connect | delete | get | head | options | post | put | trace }
Default
No request packet type match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
connect: Specifies the HTTP CONNECT request packet type.
delete: Specifies the HTTP DELETE request packet type.
get: Specifies the HTTP GET request packet type.
head: Specifies the HTTP HEAD request packet type.
options: Specifies the HTTP OPTIONS request packet type.
post: Specifies the HTTP POST request packet type.
put: Specifies the HTTP PUT request packet type.
trace: Specifies the HTTP TRACE request packet type.
Usage guidelines
The device uses this rule to match the packet type of HTTP request packets.
An HTTP filter supports a maximum of eight request packet types for packet match.
Examples
# Create a rule for HTTP filter test to match HTTP PUT request packets.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] opcode put
Related commands
anti-ddos filter
display anti-ddos filter statistics
packet-length
Use packet-length to create a packet length match rule.
Use undo packet-length to delete a packet length match rule.
Syntax
packet-length range length1 length2
undo packet-length [ range length1 length2 ]
Default
No packet length match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
range: Specifies a packet length range.
length1: Specifies the minimum packet length in bytes. The value range is 1 to 1500.
length2: Specifies the maximum packet length in bytes. The value range is 1 to 1500.
Usage guidelines
The device uses this rule to match the packet length.
A filter supports a maximum of 10 rules for the packet length field. A packet matches the packet length field if its packet length matches one of these rules.
The minimum packet length cannot be greater than the maximum packet length. The packet length ranges in one filter cannot overlap.
If you do not specify any parameters, the undo packet-length command deletes all packet length match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets that are 50 to 500 bytes long.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] packet-length range 50 500
Related commands
anti-ddos filter
display anti-ddos filter statistics
protocol
Use protocol to create a protocol field match rule.
Use undo protocol to delete a protocol field match rule.
Syntax
protocol protocol-number
undo protocol [ protocol-number ]
Default
No packet protocol match rules exist.
Views
IP filter view
Predefined user roles
network-admin
Parameters
protocol-number: Specifies a protocol number in the range of 0 to 255.
Usage guidelines
The device uses this rule to match the protocol field of packets.
An IP filter supports a maximum of 10 rules for the protocol field. A packet matches the protocol field if its protocol field matches one of these rules.
If you do not specify a protocol number, the undo protocol command deletes all packet protocol match rules in the filter.
Examples
# Create a rule for IP filter test to match VRRP packets (protocol number 112).
<Sysname> system-view
[Sysname] anti-ddos filter name test type ip
[Sysname-anti-ddos-filter-ip-test] protocol 112
Related commands
anti-ddos filter
display anti-ddos filter statistics
qr
Use qr to create a QR field match rule for DNS packets.
Use undo qr to delete a QR field match rule for DNS packets.
Syntax
qr { query | reply }
undo qr { query | reply }
Default
No QR field match rules for DNS packets exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
query: Specifies DNS queries.
reply: Specifies DNS replies.
Usage guidelines
The device uses this rule to match the QR field of DNS packets.
A DNS filter supports a maximum of two rules for the QR field. A packet matches the QR field if its QR field matches one of these rules.
Examples
# Create a rule for DNS filter test to match DNS replies.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] qr reply
Related commands
anti-ddos filter
display anti-ddos filter statistics
referer
Use referer to create a referer field match rule for HTTP packets.
Use undo referer to delete a referer field match rule for HTTP packets.
Syntax
referer include referrer-string
undo referer [ include referrer-string ]
Default
No referer field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified referer keyword.
referrer-string: Specifies the referer keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match the referer field of HTTP packets.
An HTTP filter supports a maximum of 32 rules for the referer field. A packet matches the referer field if its referer field matches one of these rules.
If you do not specify any parameters, the undo referer command deletes all referer field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain www.example.com in the referer field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] referer include www.example.com
Related commands
anti-ddos filter
display anti-ddos filter statistics
request-uri
Use request-uri to create a match rule for the request URI field in HTTP packets.
Use undo request-uri to delete a match rule for the request URI field in HTTP packets.
Syntax
request-uri include uri
undo request-uri [ include uri ]
Default
No URI match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified URI keyword.
uri: Specifies the URI keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match HTTP packets that contain the specified keyword in the request URI field.
An HTTP filter supports a maximum of 32 rules for the request URI field. A packet matches the request URI field if its request URI matches one of these rules.
If you do not specify any parameters, the undo request-uri command deletes all URI match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain favicon.ico in the request URI field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] request-uri include favicon.ico
Related commands
anti-ddos filter
display anti-ddos filter statistics
reset anti-ddos dynamic-blacklist
Use reset anti-ddos dynamic-blacklist to clear dynamic blacklist entries in anti-DDoS zones.
Syntax
reset anti-ddos dynamic-blacklist { ip | ipv6 } [ zone [ default | id zone-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
ip: Specifies IPv4 dynamic blacklist entries.
ipv6: Specifies IPv6 dynamic blacklist entries.
zone: Specifies an anti-DDoS zone.
default: Specifies the default anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone ID in the range of 2 to 1024.
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
If you do not specify an anti-DDoS zone, this command clears dynamic blacklist entries in all anti-DDoS zones.
Examples
# Clear dynamic IPv4 blacklist entries in anti-DDoS zone 3.
<Sysname> reset anti-ddos dynamic-blacklist ip zone id 3
reset anti-ddos filter statistics zone
Use reset anti-ddos filter statistics to clear filter statistics in an anti-DDoS zone.
Syntax
reset anti-ddos filter statistics name name zone { id zone-id | default }
Views
User view
Predefined user roles
network-admin
Parameters
name name: Specifies a filter by its name, a string of 1 to 63 characters. The filter name contains case-insensitive letters, digits, and underscores (_), and it must start with a letter.
zone: Specifies an anti-DDoS zone.
id zone-id: Specifies an anti-DDoS zone by its ID in the range of 2 to 1024.
default: Specifies the default anti-DDoS zone.
Examples
# Clear statistics about filter test in anti-DDoS zone 3.
<Sysname> reset anti-ddos filter statistics name test zone id 3
Related commands
display anti-ddos filter statistics
rst-flood detection threshold
Use rst-flood detection threshold to enable RST flood attack detection and set a detection threshold.
Use undo rst-flood detection threshold to disable RST flood attack detection.
Syntax
rst-flood detection threshold { bit-based value | packet-based value }
undo rst-flood detection threshold
Default
RST flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable RST flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of RST packets per destination IP address in this zone. When the sending rate of RST packets destined for an IP address keeps exceeding the threshold, an RST flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of RST packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable RST flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] rst-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
sip-flood defense source-verify
Use sip-flood defense source-verify to enable SIP source verification.
Use undo sip-flood defense source-verify to disable SIP source verification.
Syntax
sip-flood defense source-verify
undo sip-flood defense source-verify
Default
SIP source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal SIP server against SIP flood attacks initiated by external illegitimate clients. After receiving a SIP packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SIP packets from this IP address to pass through.
· If the source IP address fails verification, the device drops the SIP packet.
Examples
# Enable SIP source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] sip-flood defense source-verify
Related commands
display anti-ddos zone configuration
sip-flood detection threshold
Use sip-flood detection threshold to enable SIP flood attack detection and set a detection threshold.
Use undo sip-flood detection threshold to disable SIP flood attack detection.
Syntax
sip-flood detection threshold { bit-based value | packet-based value }
undo sip-flood detection threshold
Default
SIP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SIP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SIP packets per destination IP address in this zone. When the sending rate of SIP packets destined for an IP address keeps exceeding the threshold, a SIP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SIP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SIP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] sip-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
source-ip
Use source-ip to create a source IP address match rule.
Use undo source-ip to delete a source IP address match rule.
Syntax
source-ip { ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 }
undo source-ip [ ip-range start-ip end-ip | ipv6-range start-ipv6 end-ipv6 ]
Default
No source IP address match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ip-range: Specifies a source IPv4 address range.
start-ip: Specifies a start IPv4 address. This address cannot be higher than the end IPv4 address.
end-ip: Specifies an end IPv4 address. If the end IPv4 address is the same as the start IPv4 address, the IPv4 address range has only one IPv4 address.
ipv6-range: Specifies a source IPv6 address range.
start-ipv6: Specifies a start IPv6 address. This address cannot be higher than the end IPv6 address.
end-ipv6: Specifies an end IPv6 address. If the end IPv6 address is the same as the start IPv6 address, the IPv6 address range has only one IPv6 address.
Usage guidelines
The device uses this rule to match the source IP addresses of packets.
A filter supports a maximum of 512 rules for the source IP address field. A packet matches the source IP address field if its source IP address matches one of these rules.
The source IP address ranges in one filter cannot overlap.
If you do not specify any parameters, the undo source-ip command deletes all source IP address match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with source IPv4 addresses in the range of 1.1.1.10 to 1.1.1.20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] source-ip ip-range 1.1.1.10 1.1.1.20
Related commands
anti-ddos filter
display anti-ddos filter statistics
source-port
Use source-port to create a source port match rule.
Use undo source-port to delete a source port match rule.
Syntax
source-port range start-port end-port
undo source-port [ range start-port end-port ]
Default
No source port match rules exist.
Views
TCP filter view
UDP filter view
DNS filter view
HTTP filter view
SIP filter view
Predefined user roles
network-admin
Parameters
range: Specifies a source port range.
start-port: Specifies a start port number in the range of 1 to 65535. The start port number cannot be greater than the end port number.
end-port: Specifies an end port number in the range of 1 to 65535.
Usage guidelines
The device uses this rule to match the source port numbers of packets.
A filter supports a maximum of 10 rules for the source port number field. A packet matches the source port number field if its source port number matches one of these rules.
The source port number ranges in one filter cannot overlap.
If you do not specify any parameters, the undo source-port command deletes all source port match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with source port numbers in the range of 10 to 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] source-port range 10 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
syn-ack-flood detection threshold
Use syn-ack-flood detection threshold to enable SYN-ACK flood attack detection and set a detection threshold.
Use undo syn-ack-flood detection threshold to disable SYN-ACK flood attack detection.
Syntax
syn-ack-flood detection threshold { bit-based value | packet-based value }
undo syn-ack-flood detection threshold
Default
SYN-ACK flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SYN-ACK flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN-ACK packets per destination IP address in this zone. When the sending rate of SYN-ACK packets destined for an IP address keeps exceeding the threshold, a SYN-ACK flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SYN-ACK packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SYN-ACK flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-ack-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
syn-flood defense source-verify
Use syn-flood defense source-verify to enable SYN source verification.
Use undo syn-flood defense source-verify to disable SYN source verification.
Syntax
syn-flood defense source-verify
undo syn-flood defense source-verify
Default
SYN source verification is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
This command is available only on anti-DDoS cleaning devices.
This feature protects the internal server against SYN flood attacks initiated by external illegitimate clients. After receiving a SYN packet destined for the zone, the device adds the destination IP address of the packet as a protected IP address, and verifies its source IP address.
· If the source IP address passes verification, the device adds the IP address to the trusted IP address list and allows subsequent SYN packets from this IP address to pass through.
· If the source IP address fails verification, the device drops the SYN packet.
Examples
# Enable SYN source verification for anti-DDoS zone 3.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-flood defense source-verify
Related commands
display anti-ddos zone configuration
syn-flood detection threshold
Use syn-flood detection threshold to enable SYN flood attack detection and set a detection threshold.
Use undo syn-flood detection threshold to disable SYN flood attack detection.
Syntax
syn-flood detection threshold { bit-based value | packet-based value }
undo syn-flood detection threshold
Default
SYN flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable SYN flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of SYN packets per destination IP address in this zone. When the sending rate of SYN packets destined for an IP address keeps exceeding the threshold, a SYN flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of SYN packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable SYN flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] syn-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
tcp-flag
Use tcp-flag to create a TCP flags field match rule.
Use undo tcp-flag to delete a TCP flags field match rule.
Syntax
tcp-flag tcp-flag
undo tcp-flag [ tcp-flag ]
Default
No TCP flags field match rules exist.
Views
TCP filter view
HTTP filter view
Predefined user roles
network-admin
Parameters
tcp-flag: Specifies a value of the TCP flags field, in the range of 0 to 63.
Usage guidelines
The device uses this rule to match the TCP flags field of packets.
A TCP or HTTP filter supports a maximum of 10 rules for the TCP flags field. A packet matches the TCP flags field if its TCP flags field value matches one of these rules.
If you do not specify a value, the undo tcp-flag command deletes all TCP flags field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match HTTP packets in which the TCP flags field value is 20.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] tcp-flag 20
Related commands
anti-ddos filter
display anti-ddos filter statistics
tcp-frag-flood detection threshold
Use tcp-frag-flood detection threshold to enable TCP fragment flood attack detection and set a detection threshold.
Use undo tcp-frag-flood detection threshold to disable TCP fragment flood attack detection.
Syntax
tcp-frag-flood detection threshold { bit-based | packet-based } value
undo tcp-frag-flood detection threshold
Default
TCP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable TCP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of TCP fragments per destination IP address in this zone. When the sending rate of TCP fragments destined for an IP address keeps exceeding the threshold, a TCP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of TCP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable TCP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] tcp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
threshold-learning enable
Use threshold-learning enable to enable threshold learning for an anti-DDoS zone.
Use undo threshold-learning enable to disable threshold learning for an anti-DDoS zone.
Syntax
threshold-learning enable
undo threshold-learning enable
Default
Threshold learning is disabled for an anti-DDoS zone.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
The threshold learning feature enables the device to learn attack detection thresholds for different types of DDoS attacks based on the actual network traffic. As a best practice, enable this feature if you are not sure about thresholds for DDoS attack protection.
After you enable this feature for a non-default anti-DDoS zone, the device collects the traffic baseline values for IP addresses in this zone every 5 minutes and reports the values to the anti-DDoS management center. The management center calculates the threshold and assigns policies accordingly.
Only non-default anti-DDoS zones support this command.
Examples
# Enable threshold learning for anti-DDoS zone 6.
<Sysname> system-view
[Sysname] anti-ddos zone id 6
[Sysname-anti-ddos-zone-id-6] threshold-learning enable
Related commands
display anti-ddos zone configuration
ttl
Use ttl to create a TTL field match rule.
Use undo ttl to delete a TTL field match rule.
Syntax
ttl ttl-value
undo ttl [ ttl-value ]
Default
No TTL field match rules exist.
Views
Filter view
Predefined user roles
network-admin
Parameters
ttl-value: Specifies a TTL value in the range of 1 to 255.
Usage guidelines
The device uses this rule to match the TTL value of packets.
A filter supports a maximum of 10 rules for the TTL field. A packet matches the TTL field if its TTL value matches one of these rules.
If you do not specify a TTL value, the undo ttl command deletes all TTL field match rules in the filter.
Examples
# Create a rule for HTTP filter test to match packets with TTL value 63.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] ttl 63
Related commands
anti-ddos filter
display anti-ddos filter statistics
type
Use type to create a DNS packet type match rule.
Use undo type to delete a DNS packet type match rule.
Syntax
type type-value
undo type [ type-value ]
Default
No DNS packet type match rules exist.
Views
DNS filter view
Predefined user roles
network-admin
Parameters
type-value: Specifies a DNS type ID in the range of 0 to 255.
Usage guidelines
The device uses this rule to match the packet type of DNS packets.
A DNS filter supports a maximum of 10 rules for the DNS type field. A DNS packet matches the type field if its type matches one of these rules.
If you do not specify a packet type, the undo type command deletes all DNS packet type match rules in the filter.
Examples
# Create a rule for DNS filter test to match DNS packets with type ID 6.
<Sysname> system-view
[Sysname] anti-ddos filter name test type dns
[Sysname-anti-ddos-filter-dns-test] type 6
Related commands
anti-ddos filter
display anti-ddos filter statistics
udp-flood detection threshold
Use udp-flood detection threshold to enable UDP flood attack detection and set a detection threshold.
Use undo udp-flood detection threshold to disable UDP flood attack detection.
Syntax
udp-flood detection threshold { bit-based value | packet-based value }
undo udp-flood detection threshold
Default
UDP flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable UDP flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP packets per destination IP address in this zone. When the sending rate of UDP packets destined for an IP address keeps exceeding the threshold, a UDP flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of UDP packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable UDP flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] udp-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
udp-frag-flood detection threshold
Use udp-frag-flood detection threshold to enable UDP fragment flood attack detection and set a detection threshold.
Use undo udp-frag-flood detection threshold to disable UDP fragment flood attack detection.
Syntax
udp-frag-flood detection threshold { bit-based | packet-based } value
undo udp-frag-flood detection threshold
Default
UDP fragment flood attack detection is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable UDP fragment flood attack detection for a zone, the device enters attack detection state and monitors the sending rate of UDP fragments per destination IP address in this zone. When the sending rate of UDP fragments destined for an IP address keeps exceeding the threshold, a UDP fragment flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of UDP fragments destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
Examples
# Enable UDP fragment flood attack detection for anti-DDoS zone 3 and set the detection threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] udp-frag-flood detection threshold packet-based 20
Related commands
display anti-ddos zone configuration
user-agent
Use user-agent to create a user-agent field match rule for HTTP packets.
Use undo user-agent to delete a user-agent field match rule for HTTP packets.
Syntax
user-agent include user-agent
undo user-agent [ include user-agent ]
Default
No user-agent field match rules exist for HTTP packets.
Views
HTTP filter view
Predefined user roles
network-admin
Parameters
include: Specifies to include the specified user-agent keyword.
user-agent: Specifies the user-agent keyword, a case-insensitive string of 2 to 63 characters.
Usage guidelines
The device uses this rule to match HTTP packets that contain the specified keyword in the user-agent field.
An HTTP filter supports a maximum of 32 rules for the user-agent field. An HTTP packet matches the user-agent field if its user-agent field matches one of these rules.
If you do not specify any parameters, the undo user-agent command deletes all user-agent field match rules in the filter.
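The matching behaviour described above (case-insensitive keyword, at most 32 rules per filter, a packet matches when any one rule matches), written out as an added Python example. This is illustration code, not the device's implementation or any vendor API: the filter class, the header parser, the hit/miss counters and the sample HTTP requests are all constructed here.

```python
"""Keyword matching on the HTTP User-Agent header, modelled on the user-agent
rule: case-insensitive substring match, up to 32 rules per HTTP filter, and a
packet matches the field when any one rule matches."""
from typing import Dict, List, Optional

MAX_RULES = 32              # user-agent rules allowed per HTTP filter
MIN_LEN, MAX_LEN = 2, 63    # keyword length limits from the command syntax


class HttpUserAgentFilter:
    """Hypothetical model of one HTTP filter's user-agent rules (constructed)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keywords: List[str] = []
        self.matched = 0      # packets that matched at least one rule
        self.unmatched = 0    # packets that matched none (or had no header)

    def add_rule(self, keyword: str) -> None:
        """Equivalent of: user-agent include <keyword>"""
        if not MIN_LEN <= len(keyword) <= MAX_LEN:
            raise ValueError(f"keyword must be {MIN_LEN} to {MAX_LEN} characters")
        if len(self.keywords) >= MAX_RULES:
            raise ValueError(f"filter {self.name} already has {MAX_RULES} user-agent rules")
        self.keywords.append(keyword.lower())   # stored lower-case: match is case-insensitive

    def remove_rule(self, keyword: Optional[str] = None) -> None:
        """Equivalent of: undo user-agent [ include <keyword> ]; no keyword removes all rules."""
        if keyword is None:
            self.keywords.clear()
        else:
            self.keywords.remove(keyword.lower())

    @staticmethod
    def user_agent_of(request: bytes) -> Optional[str]:
        """Extract the User-Agent value from a raw HTTP request head; None if absent."""
        head = request.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:          # skip the request line
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"user-agent":
                return value.strip().decode("latin-1")
        return None

    def matches(self, request: bytes) -> bool:
        """True when the request's User-Agent contains any configured keyword."""
        ua = self.user_agent_of(request)
        hit = ua is not None and any(k in ua.lower() for k in self.keywords)
        if hit:
            self.matched += 1
        else:
            self.unmatched += 1
        return hit


def run_sample() -> Dict[str, int]:
    """Apply a filter named 'test' with one rule (Linux) to three constructed requests."""
    flt = HttpUserAgentFilter("test")
    flt.add_rule("Linux")
    requests = [  # constructed sample requests, not captured traffic
        b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (X11; linux x86_64)\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: example.test\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",   # no User-Agent header at all
    ]
    for req in requests:
        flt.matches(req)
    return {"matched": flt.matched, "unmatched": flt.unmatched}


if __name__ == "__main__":
    print(run_sample())
```

The first request matches even though its header says "linux" in lower case and the rule was entered as "Linux"; the second has the header but no keyword, and the third has no header, so both count as unmatched.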
Examples
# Create a rule for HTTP filter test to match HTTP packets that contain Linux in the user-agent field.
<Sysname> system-view
[Sysname] anti-ddos filter name test type http
[Sysname-anti-ddos-filter-http-test] user-agent include Linux
Related commands
anti-ddos filter
display anti-ddos filter statistics
user-defined attack-type detection threshold
Use user-defined attack-type detection threshold to enable flood attack detection for a user-defined attack type and set a detection threshold.
Use undo user-defined attack-type detection threshold to disable flood attack detection for a user-defined attack type.
Syntax
user-defined attack-type id id detection threshold { bit-based | packet-based } value
undo user-defined attack-type [ id id ] detection threshold
Default
Flood attack detection for all user-defined attack types is disabled.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
id id: Specifies the ID of a user-defined attack type, in the range of 1 to 15.
bit-based: Specifies the bit-based threshold.
packet-based: Specifies the packet-based threshold.
value: Specifies a threshold value. The value range for a packet-based threshold is 1 to 4294967295, in pps. The value range for a bit-based threshold is 1 to 4294967295, in Mbps.
Usage guidelines
The command is available on anti-DDoS detection devices and cleaning devices.
After you enable flood attack detection for a user-defined protocol-specific attack type in a zone, the device enters attack detection state and monitors the sending rate of packets of that protocol per destination IP address in this zone. When the sending rate of protocol packets destined for an IP address keeps exceeding the threshold, a flood attack occurs and triggers one of the following protection actions:
· In the one-arm deployment mode, the detection device sends an attack alarm log to the management center. Upon receiving the log, the management center assigns a traffic redirection policy to guide the attack traffic to the cleaning device where the attack traffic will be cleaned.
· In the inline deployment mode, the cleaning device cleans the attack traffic locally.
When the sending rate of the protocol packets destined for the IP address drops below the silence threshold (three-fourths of the detection threshold), the device returns to the attack detection state.
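The detection-threshold and silence-threshold behaviour is the same for the udp-flood, udp-frag-flood and user-defined attack-type commands above, so one added Python example serves all three. It is illustration code written for this page, not the device's implementation: the per-destination state machine, the event names and the pps readings are constructed, and because the page says only that the rate "keeps exceeding" the threshold without giving a count, the number of consecutive over-threshold intervals that counts as sustained is an assumption (two here).

```python
"""Per-destination flood detection with hysteresis, modelled on the usage
guidelines: a destination enters attack state once its sending rate keeps
exceeding the detection threshold, and returns to detection state only when
the rate drops below the silence threshold (three-fourths of the detection
threshold)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DETECTING = "detection"
ATTACK = "attack"


@dataclass
class DestinationState:
    state: str = DETECTING
    over_count: int = 0     # consecutive intervals above the detection threshold


@dataclass
class FloodDetector:
    threshold: float        # detection threshold: pps (packet-based) or Mbps (bit-based)
    # ASSUMPTION: the page does not say how long "keeps exceeding" is; this
    # model treats two consecutive over-threshold intervals as sustained.
    sustain_intervals: int = 2
    _dests: Dict[str, DestinationState] = field(default_factory=dict)

    @property
    def silence_threshold(self) -> float:
        # From the page: the silence threshold is three-fourths of the detection threshold.
        return self.threshold * 3 / 4

    def observe(self, dest_ip: str, rate: float) -> Tuple[str, str]:
        """Feed one measurement interval for dest_ip.

        Returns (state after this interval, event); event is "attack-start",
        "attack-end", or "" when nothing changed.
        """
        st = self._dests.setdefault(dest_ip, DestinationState())
        event = ""
        if st.state == DETECTING:
            if rate > self.threshold:
                st.over_count += 1
                if st.over_count >= self.sustain_intervals:
                    st.state = ATTACK
                    event = "attack-start"
            else:
                st.over_count = 0           # a quiet interval resets the run
        else:
            # Hysteresis band: a rate between the silence threshold and the
            # detection threshold keeps the destination in attack state.
            if rate < self.silence_threshold:
                st.state = DETECTING
                st.over_count = 0
                event = "attack-end"
        return st.state, event

    def state_of(self, dest_ip: str) -> str:
        return self._dests.get(dest_ip, DestinationState()).state


def run_sample() -> List[Tuple[str, float, str, str]]:
    """Replay constructed per-interval pps readings against a 20 pps
    packet-based threshold (silence threshold 15 pps), as in the examples."""
    det = FloodDetector(threshold=20)
    samples = [  # (destination IP, observed pps); constructed sample data
        ("10.1.1.1", 5),
        ("10.1.1.1", 25),
        ("10.1.1.1", 30),    # second consecutive interval over 20 pps: attack starts
        ("10.1.1.2", 25),    # a different destination is tracked independently
        ("10.1.1.1", 18),    # between 15 and 20 pps: stays in attack state
        ("10.1.1.1", 14),    # below the 15 pps silence threshold: back to detection
    ]
    return [(ip, rate, *det.observe(ip, rate)) for ip, rate in samples]


if __name__ == "__main__":
    for ip, rate, state, event in run_sample():
        print(f"{ip:<10} {rate:>5} pps  state={state:<9} {event}")
```

The interesting row is the 18 pps reading: it is under the detection threshold but not under the silence threshold, so the destination stays in attack state. That gap is what keeps a rate hovering around the threshold from flapping between states and generating repeated alarm logs.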
Examples
# In anti-DDoS zone 3, enable flood attack detection for attack type 2 and set the threshold to 20 pps.
<Sysname> system-view
[Sysname] anti-ddos zone id 3
[Sysname-anti-ddos-zone-id-3] user-defined attack-type id 2 detection threshold packet-based 20
zone-blacklist
Use zone-blacklist to add an anti-DDoS zone-based static blacklist entry.
Use undo zone-blacklist to delete an anti-DDoS zone-based static blacklist entry.
Syntax
zone-blacklist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo zone-blacklist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No anti-DDoS zone-based static blacklist entries exist.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
all: Deletes all anti-DDoS zone-based static blacklist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
The device drops a packet if the source IP address of the packet destined for an anti-DDoS zone is on the static blacklist of this zone.
For an anti-DDoS zone, IP addresses on its static blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.
An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.
Examples
# Add subnet 1.1.1.1/24 to the static blacklist for anti-DDoS zone 2.
<Sysname> system-view
[Sysname] anti-ddos zone id 2
[Sysname-anti-ddos-zone-id-2] zone-blacklist ip 1.1.1.1 24
Related commands
zone-whitelist
display anti-ddos blacklist zone
zone-whitelist
Use zone-whitelist to add an anti-DDoS zone-based static whitelist entry.
Use undo zone-whitelist to delete an anti-DDoS zone-based static whitelist entry.
Syntax
zone-whitelist { ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
undo zone-whitelist { all | ip source-ip-address ip-mask-length | ipv6 source-ipv6-address ipv6-mask-length }
Default
No anti-DDoS zone-based static whitelist entries exist.
Views
Anti-DDoS zone view
Predefined user roles
network-admin
Parameters
all: Deletes all anti-DDoS zone-based static whitelist entries, including IPv4 and IPv6 entries.
ip source-ip-address ip-mask-length: Specifies an IPv4 address and mask length. The value range for the ip-mask-length argument is 8 to 32. The device uses the specified address range for source IPv4 address match.
ipv6 source-ipv6-address ipv6-mask-length: Specifies an IPv6 address and mask length. The value range for the ipv6-mask-length argument is 8 to 128. The device uses the specified address range for source IPv6 address match.
Usage guidelines
The command is available only on anti-DDoS cleaning devices.
If the source IP address of a packet destined for an anti-DDoS zone matches a static whitelist entry specific to this zone, the packet bypasses DDoS protection (except rate limiting).
For an anti-DDoS zone, IP addresses on its blacklist and whitelist entries cannot overlap. The IPv4 address cannot be 0.0.0.0 or 255.255.255.255. The IPv6 address cannot be an unspecified address (::/128), or IPv6 multicast address FF00::/8.
An anti-DDoS zone supports a maximum of 10 static blacklist and whitelist entries in total. All anti-DDoS zones support a maximum of 12040 static blacklist and whitelist entries in total.
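The constraints listed in the zone-blacklist and zone-whitelist usage guidelines (mask-length ranges, forbidden addresses, no overlap between the two lists, 10 entries per zone, 12040 across all zones) are easy to violate when generating configuration from an external feed, so an added Python pre-flight check is shown here, together with the resulting drop / bypass / protect decision for a source address. This is constructed illustration code, not the device's implementation: the class and function names, the "protect" label for addresses on neither list, and the IPv6 entry are assumptions; the IPv4 entry is the one from the page's example.

```python
"""Pre-flight validation of zone-blacklist / zone-whitelist entries plus a
source-address lookup, following the constraints in the usage guidelines."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

PER_ZONE_MAX = 10        # static blacklist + whitelist entries per zone
ALL_ZONES_MAX = 12040    # static blacklist + whitelist entries across all zones


def parse_entry(address: str, mask_length: int) -> Network:
    """Turn '<address> <mask-length>' as typed on the CLI into a network.

    Host bits are tolerated (1.1.1.1 24 becomes 1.1.1.0/24); the addresses and
    mask lengths the command reference forbids raise ValueError.
    """
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        if not 8 <= mask_length <= 32:
            raise ValueError(f"IPv4 mask length {mask_length} is outside 8-32")
        if str(addr) in ("0.0.0.0", "255.255.255.255"):
            raise ValueError(f"IPv4 address {address} is not allowed")
    else:
        if not 8 <= mask_length <= 128:
            raise ValueError(f"IPv6 mask length {mask_length} is outside 8-128")
        if addr.is_unspecified:
            raise ValueError("the unspecified IPv6 address :: is not allowed")
        if addr in ipaddress.IPv6Network("ff00::/8"):
            raise ValueError(f"IPv6 multicast address {address} is not allowed")
    return ipaddress.ip_network(f"{address}/{mask_length}", strict=False)


@dataclass
class ZoneLists:
    """Static blacklist and whitelist of one anti-DDoS zone (constructed model)."""
    zone_id: int
    blacklist: List[Network] = field(default_factory=list)
    whitelist: List[Network] = field(default_factory=list)

    def add(self, kind: str, address: str, mask_length: int) -> Network:
        """Equivalent of: zone-blacklist | zone-whitelist { ip | ipv6 } <address> <mask-length>"""
        if kind not in ("blacklist", "whitelist"):
            raise ValueError("kind must be 'blacklist' or 'whitelist'")
        net = parse_entry(address, mask_length)
        if len(self.blacklist) + len(self.whitelist) >= PER_ZONE_MAX:
            raise ValueError(f"zone {self.zone_id} already holds {PER_ZONE_MAX} static entries")
        # Blacklist and whitelist address ranges of one zone must not overlap.
        opposite = self.whitelist if kind == "blacklist" else self.blacklist
        for existing in opposite:
            if existing.version == net.version and existing.overlaps(net):
                raise ValueError(f"{net} overlaps the other list's entry {existing}")
        (self.blacklist if kind == "blacklist" else self.whitelist).append(net)
        return net

    def classify(self, source_ip: str) -> str:
        """Decision for a packet with this source address destined for the zone."""
        src = ipaddress.ip_address(source_ip)
        if any(n.version == src.version and src in n for n in self.blacklist):
            return "drop"        # on the static blacklist: dropped
        if any(n.version == src.version and src in n for n in self.whitelist):
            return "bypass"      # on the static whitelist: skips DDoS protection except rate limiting
        return "protect"         # neither list: normal anti-DDoS processing (label is an assumption)


def check_total(zones: Iterable[ZoneLists]) -> int:
    """Enforce the device-wide limit and return the entry count."""
    total = sum(len(z.blacklist) + len(z.whitelist) for z in zones)
    if total > ALL_ZONES_MAX:
        raise ValueError(f"{total} static entries exceed the limit of {ALL_ZONES_MAX}")
    return total


def run_sample() -> Dict[str, object]:
    zone = ZoneLists(zone_id=2)
    zone.add("blacklist", "1.1.1.1", 24)        # the entry from the page's example
    zone.add("whitelist", "2001:db8::1", 64)    # constructed IPv6 whitelist entry
    return {
        "blacklist": [str(n) for n in zone.blacklist],
        "from_blacklisted_net": zone.classify("1.1.1.200"),
        "from_other_net": zone.classify("1.1.2.5"),
        "from_whitelisted_net": zone.classify("2001:db8::abcd"),
        "total": check_total([zone]),
    }


if __name__ == "__main__":
    print(run_sample())
```

Running the check before pushing entries catches the overlap case in particular: adding 1.1.1.128/25 to the whitelist of a zone that already blacklists 1.1.1.0/24 is rejected locally instead of failing on the device.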
Examples
# Add subnet 1.1.1.1/24 to the static whitelist for anti-DDoS zone 2.
<Sysname> system-view
[Sysname] anti-ddos zone id 2
[Sysname-anti-ddos-zone-id-2] zone-whitelist ip 1.1.1.1 24
Related commands
zone-blacklist
display anti-ddos whitelist zone