Configuring an attack defense policy
Creating an attack defense policy
An attack defense policy groups the detection and prevention settings for multiple attack types into one named unit that can be configured in a single view.
To create an attack defense policy:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an attack defense policy and enter its view.
    Command: attack-defense policy policy-name
    Remarks: By default, no attack defense policy exists.
Configuring a single-packet attack defense policy
Single-packet attack detection inspects packets destined for the device and matches them against packet signatures. When a packet matches an attack signature, the device can take the following actions, which can be combined:
• Output logs (the default action).
• Drop the attack packet.
You can also configure the device to take no action on a matched packet.
To configure a single-packet attack defense policy:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter attack defense policy view.
    Command: attack-defense policy policy-name
    Remarks: N/A

Step 3. Configure signature detection for single-packet attacks, using one or more of the following forms:
    Command:
      • signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
      • signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *
      • signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]
    Remarks: By default, signature detection is not configured for single-packet attacks. You can configure signature detection for multiple single-packet attacks in the same policy.
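The two procedures above carried through as one complete session, added here as an example and not taken from the original page. The policy name sp-guard is a placeholder, and the prompts (<Sysname>, [Sysname-attack-defense-policy-sp-guard]) are assumed from the usual Comware prompt convention; only the commands and keywords listed in the tables are used.

```text
# Enter system view and create the policy (its view is entered on creation).
<Sysname> system-view
[Sysname] attack-defense policy sp-guard
# First command form, action omitted: the default action (logging) applies.
[Sysname-attack-defense-policy-sp-guard] signature detect land
# First form with both actions selected: drop the packet and log the event.
[Sysname-attack-defense-policy-sp-guard] signature detect smurf action drop logging
[Sysname-attack-defense-policy-sp-guard] signature detect winnuke action drop logging
# First form with none: the signature is enabled but no action is taken.
[Sysname-attack-defense-policy-sp-guard] signature detect traceroute action none
# Second form: action is mandatory for these signatures and none is not offered.
[Sysname-attack-defense-policy-sp-guard] signature detect ping-of-death action drop logging
[Sysname-attack-defense-policy-sp-guard] signature detect teardrop action drop
# Third form: an ICMP type by keyword, then by numeric value (17 = address mask request).
[Sysname-attack-defense-policy-sp-guard] signature detect icmp-type timestamp-request action drop logging
[Sysname-attack-defense-policy-sp-guard] signature detect icmp-type 17 action drop
```

Two points to check when reading the syntax back against this session: for ip-option-abnormal, ping-of-death and teardrop the action keyword is not in square brackets, so it must be given explicitly and none is not a choice; for the other two forms the asterisk after { drop | logging } means drop and logging may be given together, as the smurf and ping-of-death lines do. Creating and populating the policy does not by itself put it into service; applying it is covered outside this section.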