417
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Create an attack protection
policy and enter attack
protection policy view.
attack-defense policy
policy-number [
interface
interface-type interface-number ]
By default, no attack protection
policy is created.
Configuring an attack protection policy
In an attack protection policy, you can specify the signatures for attack detection and the
corresponding protection measures according to the security requirements of your network.
Different types of attack protection policies have different configurations, which are described below
in terms of single-packet attacks, scanning attacks, and flood attacks.
Configuring a single-packet attack protection policy
The single-packet attack protection function determines whether a packet is an attack packet mainly
by analyzing the characteristics of the packet. It is usually applied to interfaces connecting external
networks, and inspects only the inbound packets of the interfaces. If detecting an attack packet, the
device outputs an alarm log by default and, depending on your configuration, drop or forward the
packet.
To configure a policy for preventing single-packet attacks:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter attack protection policy
view.
attack-defense policy
policy-number
N/A
3. Enable signature detection for
single-packet attacks.
signature-detect
{
fraggle
|
icmp-redirect
|
icmp-unreachable
|
land
|
large-icmp
|
route-record
|
smurf
|
source-route
|
tcp-flag
|
tracert
|
winnuke
}
enable
By default, signature detection
is disabled for all kinds of
single-packet attacks.
4. Configure the ICMP packet
length threshold that triggers
large ICMP attack protection.
signature-detect large-icmp
max-length
length
Optional.
4000 bytes by default.
5. Configure the device to drop
single-packet attack packets.
signature-detect action
drop-packet
Optional.
By default, the device only
outputs alarm logs if detecting a
single-packet attack.
Configuring a scanning attack protection policy
The scanning attack protection function detects scanning attacks by monitoring the establishment
rate of connections to the target systems. It is usually applied to interfaces connecting external
networks and inspects only the inbound packets of the interfaces. If the device detects that the rate
at which an IP address initiates connections reaches or exceeds the pre-defined threshold, the
device outputs alarm logs, drop subsequent packets received from the IP address, and, depending
on your configuration, add the IP address to the blacklist.
To configure a policy for preventing scanning attacks:
Step Command Remarks
1. Enter system view.
system-view
N/A
To Next Page
Loading...
Need help?
General
