643
# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level
as low and the prevention actions as block-source and logging. Set the aging time for the dynamically
added blacklist entries to 10 minutes.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging
block-source timeout 10
Related commands
• blacklist enable
• blacklist global enable
signature { large-icmp | large-icmpv6 } max-length
Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or
ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the
specified length is detected.
Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.
Syntax
signature { large-icmp | large-icmpv6 } max-length length
undo signature { large-icmp | large-icmpv6 } max-length
Default
The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
large-icmp: Specifies large ICMP packet attack signature.
large-icmpv6: Specifies large ICMPv6 packet attack signature.
length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for
ICMP packet is 28 to 65534. The value range for ICMPv6 packet is 48 to 65534.
Examples
# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000
Related commands
signature detect
To Next Page
Loading...
Need help?
General
