To Next Page

To Previous Page

973

Examples

# Specify drop as the global action against ACK flood attacks in the attack defense policy

atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop

Related commands

ack-flood threshold

ack-flood detect

ack-flood detect non-specific

client-verify tcp enable

ack-flood detect

Use ack-flood detect to configure IP address-specific ACK flood attack detection.

Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.

Syntax

ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

[ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be

255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP

address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering ACK flood attack prevention. The

value range is 1 to 1000000 in units of ACK packets sent to the specified IP address per second.

action: Specifies the actions when an ACK flood attack is detected. If no action is specified, the

global actions set by the ack-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP

client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent ACK packets destined for the protected IP address.

logging: Enables logging for ACK flood attack events.

none: Takes no action.

Other manuals for H3C MSR Series

Manual33 pages

Probe Command Reference28 pages

Configuration Guide80 pages

Troubleshooting Guide28 pages

User Guide26 pages

Questions and Answers:

Need help?

Do you have a question about the H3C MSR Series and is the answer not in the manual?

H3C MSR Series Specifications

General

Category	Network Router
IPv6 Support	Yes
Dimensions	Varies by model
Weight	Varies by model
Product Type	Modular Router
Ports	Varies by model
WAN Interfaces	Varies by model
Firewall	Yes
QoS	Yes
Wireless Support	Varies by model
USB Ports	Varies by model
Console Port	Yes
Power Supply	Varies by model
Redundancy	Varies by model
Operating Temperature	0°C to 45°C
Storage Temperature	-40°C to 70°C
Humidity	5% to 95% non-condensing
Series	MSR
Certifications	CE, FCC, RoHS