Examples
# Specify drop as the global action against DNS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop
Related commands
• dns-flood detect
• dns-flood detect non-specific
• dns-flood threshold
• client-verify dns enable
dns-flood detect
Use dns-flood detect to configure IP-specific DNS flood attack detection.
Use undo dns-flood detect to remove the DNS flood attack detection configuration for an IP address.
Syntax
dns-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
undo dns-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
DNS flood attack detection is not configured for any IP address.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or all 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a multicast address or all 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Sets the threshold for triggering DNS flood attack prevention. The value range is 1 to 1000000, in units of DNS packets sent to the specified IP address per second.
action: Specifies the actions to take when a DNS flood attack is detected. If no action is specified, the global actions set by the dns-flood action command apply.