
Huawei AR1200-S - Setting Parameters for Scanning Attack Defense

Huawei AR1200-S
308 pages
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend large-icmp max-length length
The parameter for large ICMP packet attack defense is set.
For large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum
packet length. When the length of an ICMP packet exceeds the limit, the AR1200-S treats the
packet as an attack and discards it.
By default, the maximum length of an ICMP packet is 4000 bytes.
----End
3.10.5 Setting Parameters for Scanning Attack Defense
Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps
to defend against different types of scanning attacks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }
The parameters for IP address sweep attack defense are set.
Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }
The parameters for port scanning attack defense are set.
For scanning attack defense, the following two parameters need to be set:
• Maximum session rate: When the session rate of an IP address or a port exceeds the limit,
the AR1200-S treats this as a scanning attack, adds the IP address to the blacklist, and
denies new sessions from the IP address or port.
• Blacklist timeout: When an IP address has been in the blacklist for longer than the limit, the
AR1200-S deletes the IP address from the blacklist and allows new sessions from the IP
address or port.
By default, the maximum session rate for IP address sweeping and port scanning attack defense
is 4000 pps, and the blacklist timeout is 20 minutes.
----End
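The following Python model is an added example, not Huawei code or part of the original manual. It replays constructed traffic to show how the maximum session rate and the blacklist timeout interact at the default values. The 1-second sliding window, the class and function names, and the sample addresses are assumptions made for illustration; the device's internal rate measurement is not described on this page.

```python
from collections import defaultdict, deque

class ScanDefenseModel:
    """Toy model of the two parameters; the 1-second sliding window is an assumption."""

    def __init__(self, max_rate=4000, blacklist_expire_s=20 * 60):
        self.max_rate = max_rate                      # page default: 4000
        self.blacklist_expire_s = blacklist_expire_s  # page default: 20 minutes
        self.recent = defaultdict(deque)              # source -> session start times
        self.blacklist = {}                           # source -> time the entry expires

    def new_session(self, src, now):
        """Return True if a new session from src at time now (seconds) is allowed."""
        expires = self.blacklist.get(src)
        if expires is not None:
            if now < expires:
                return False                          # still blacklisted: deny
            del self.blacklist[src]                   # timeout reached: entry deleted
        window = self.recent[src]
        while window and now - window[0] >= 1.0:      # keep only the last second
            window.popleft()
        window.append(now)
        if len(window) > self.max_rate:               # rate limit exceeded
            self.blacklist[src] = now + self.blacklist_expire_s
            window.clear()
            return False
        return True

def replay(events, **params):
    """Feed (time, source) events through the model; return {src: [allowed, denied]}."""
    model = ScanDefenseModel(**params)
    counts = defaultdict(lambda: [0, 0])
    for now, src in sorted(events):
        counts[src][0 if model.new_session(src, now) else 1] += 1
    return dict(counts)

# Constructed traffic (documentation addresses, not taken from the manual):
SCANNER, HOST = "192.0.2.10", "198.51.100.7"
EVENTS = [(i / 5000, SCANNER) for i in range(5000)]   # 5000 sessions in one second
EVENTS += [(600.0, SCANNER), (1201.0, SCANNER)]       # retries after 10 and ~20 minutes
EVENTS += [(i / 10, HOST) for i in range(10)]         # quiet host, 10 sessions per second

if __name__ == "__main__":
    for src, (allowed, denied) in replay(EVENTS).items():
        print(f"{src}: allowed={allowed} denied={denied}")
```

Replaying the same events with a different `max_rate` or `blacklist_expire_s` shows how each setting trades false blacklisting of busy hosts against the time a scanning source stays blocked.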
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security 3 Firewall Configuration
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
71
