Login
- Table of Contents
-
- 03-Security Command Reference
- 00-Preface
- 01-Security zone commands
- 02-Security policy commands
- 03-Object group commands
- 04-Object policy commands
- 05-AAA commands
- 06-IPoE commands
- 07-Portal commands
- 08-User identification commands
- 09-Password control commands
- 10-Public key management commands
- 11-PKI commands
- 12-SSH commands
- 13-SSL commands
- 14-ASPF commands
- 15-APR commands
- 16-Session management commands
- 17-Connection limit commands
- 18-Attack detection and prevention commands
- 19-DDoS protection commands
- 20-uRPF commands
- 21-ARP attack protection commands
- 22-ND attack defense commands
- 23-IP-MAC binding commands
- 24-Keychain commands
- 25-Crypto engine commands
- 26-SMS commands
- 27-Terminal identification commands
- 28-Flow manager commands
- 29-Trusted access control commands
- 30-Location identification commands
- 31-Server connection detection commands
- 32-MAC authentication commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 18-Attack detection and prevention commands | 1.14 MB |
Attack detection and prevention commands
attack-defense cpu-core action
attack-defense ipcar session-rate-limit enable
attack-defense login block-timeout
attack-defense login max-attempt
attack-defense login reauthentication-delay
attack-defense malformed-packet defend enable
attack-defense mandatory-cpu-forwarding enable
attack-defense signature log non-aggregate
attack-defense top-attack-statistics enable
client-verify dns-reply enable
display attack-defense cpu-core flow info
display attack-defense flood statistics ip
display attack-defense flood statistics ipv6
display attack-defense http-slow-attack statistics ip
display attack-defense http-slow-attack statistics ipv6
display attack-defense malformed-packet statistics
display attack-defense policy ip
display attack-defense policy ipv6
display attack-defense scan attacker ip
display attack-defense scan attacker ipv6
display attack-defense statistics security-zone
display attack-defense top-attack-statistics
display blacklist destination-ip
display blacklist destination-ipv6
display client-verify protected ip
display client-verify protected ipv6
display client-verify trusted ip
display client-verify trusted ipv6
display whitelist object-group
dns-reply-flood detect non-specific
dns-reply-flood source-threshold
http-flood detect non-specific
http-slow-attack detect non-specific
https-flood detect non-specific
icmp-flood detect non-specific
icmpv6-flood detect non-specific
reset attack-defense malformed-packet statistics
reset attack-defense policy flood
reset attack-defense statistics security-zone
reset attack-defense top-attack-statistics
reset blacklist destination-ip
reset blacklist destination-ipv6
reset client-verify protected statistics
signature { large-icmp | large-icmpv6 } max-length
snmp-agent trap enable attack-defense
syn-ack-flood detect non-specific
syn-ack-flood source-threshold
threshold-learn auto-apply enable
threshold-learn tolerance-value
Attack detection and prevention commands
Non-default vSystems do not support some of the attack detection and prevention commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
ack-flood action
Use ack-flood action to specify global actions against ACK flood attacks.
Use undo ack-flood action to restore the default.
Syntax
ack-flood action { client-verify | drop | logging } *
undo ack-flood action
Default
No global action is specified for ACK flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent ACK packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent ACK packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for ACK flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
The logging keyword enables the attack detection and prevention module to log ACK flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against ACK flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop
Related commands
ack-flood detect
ack-flood detect non-specific
ack-flood source-threshold
ack-flood threshold
ack-flood detect
Use ack-flood detect to configure IP address-specific ACK flood attack detection.
Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.
Syntax
ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for ACK packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected ACK flood attack. If no action is specified, the global actions set by the ack-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent ACK packets destined for the protected IP address.
logging: Enables logging for ACK flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of ACK packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure ACK flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log ACK flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000
Related commands
ack-flood action
ack-flood detect non-specific
ack-flood threshold
client-verify tcp enable
ack-flood detect non-specific
Use ack-flood detect non-specific to enable global ACK flood attack detection.
Use undo ack-flood detect non-specific to disable global ACK flood attack detection.
Syntax
ack-flood detect non-specific
undo ack-flood detect non-specific
Default
Global ACK flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following ACK flood attack prevention types:
· Source-based ACK flood attack prevention—Monitors the receiving rate of ACK packets on a per-source IP basis.
· Destination-based ACK flood attack prevention—Monitors the receiving rate of ACK packets on a per-destination IP basis.
The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command. The global detection uses the global trigger threshold set by the ack-flood threshold or ack-flood source-threshold command and global actions specified by the ack-flood action command.
Examples
# Enable global ACK flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect non-specific
Related commands
ack-flood action
ack-flood detect
ack-flood source-threshold
ack-flood threshold
ack-flood threshold
Use ack-flood threshold to set the global threshold for triggering destination-based ACK flood attack prevention.
Use undo ack-flood threshold to restore the default.
Syntax
ack-flood threshold threshold-value
undo ack-flood threshold
Default
The global threshold is 40000 for triggering destination-based ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ACK packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based ACK flood attack prevention is disabled.
Usage guidelines
With global ACK flood attack detection configured, the device is in attack detection state. When the receiving rate of ACK packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global ACK flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based ACK flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 100
Related commands
ack-flood action
ack-flood detect
ack-flood detect non-specific
ack-flood source-threshold
Use ack-flood source-threshold to set the global threshold for triggering source-based ACK flood attack prevention.
Use undo ack-flood source-threshold to restore the default.
Syntax
ack-flood source-threshold threshold-value
undo ack-flood source-threshold
Default
The global threshold is 40000 for triggering source-based ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ACK packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based ACK flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global ACK flood attack detection configured, the device is in attack detection state. When the receiving rate of ACK packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based ACK flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] ack-flood source-threshold 100
Related commands
ack-flood action
ack-flood detect
ack-flood detect non-specific
attack-defense apply policy
Use attack-defense apply policy to apply an attack defense policy to a security zone.
Use undo attack-defense apply policy to restore the default.
Syntax
attack-defense apply policy policy-name
undo attack-defense apply policy
Default
No attack defense policy is applied to a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines
A security zone can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.
An attack defense policy can be applied to multiple security zones.
Examples
# Apply attack defense policy atk-policy-1 to security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name DMZ
[Sysname-security-zone-DMZ] attack-defense apply policy atk-policy-1
Related commands
attack-defense policy
display attack-defense policy
attack-defense cpu-core action
Use attack-defense cpu-core action to specify an attack prevention action for CPU core protection.
Use undo attack-defense cpu-core action to restore the default.
Syntax
attack-defense cpu-core action { bypass | drop | isolate | per-packet-balance }
undo attack-defense cpu-core action
Default
The attack prevention action for a CPU core is drop.
Views
System view
Predefined user roles
network-admin
Parameters
bypass: Places a bypass tag on the subsequent packets sent to a CPU core when the CPU core is attacked.
drop: Drops subsequent packets sent to a CPU core when the CPU core is attacked.
isolate: Isolates the flow that uses the most CPU time to lower its priority when a CPU core is attacked. This parameter takes effect on only one flow at a time.
per-packet-balance: Distributes subsequent packets across CPU cores on a per-packet basis when a CPU core is attacked.
Usage guidelines
Non-default vSystems do not support this command.
After the usage of a CPU core reaches the specified threshold and the shared queue of the driver is full, the system determines that an attack risk is present on the CPU core. Then, it processes the subsequent packets sent to the CPU core as follows:
· Bypass—The CPU core uses all its available processing capability to process packets. The driver places a bypass tag on the packets beyond the maximum processing capability. These packets will be handled specially at a later stage.
· Drop—The CPU core uses all its available processing capability to process packets. The driver drops the packets beyond the maximum processing capability to decrease the CPU core usage. This action affects normal service processing.
· Per-packet balance—The CPU core uses all its available processing capability to process packets. Packets exceeding the maximum processing capability are sent to other CPU cores for load sharing on a per-packet basis. This action ensures normal service processing to some extent, but leads to risk of attacks on other CPU cores.
· Isolate—The driver isolates the flow that uses the most CPU time to lower the flow's processing priority. It sends the isolated packets to the CPU core for processing after the shared queue has no packets to process. This action ensures normal service processing to some extent, but it cannot significantly decrease the CPU usage because the packets in the public queue are still sent to the CPU core for processing.
To set the CPU usage threshold per CPU core, execute the context-capability inbound unicast total command. For more information about this command, see context commands in Virtual Technologies Command Reference.
Examples
# Specify drop as the attack prevention action for CPU core protection.
<Sysname> system-view
[Sysname] attack-defense cpu-core action drop
Related commands
context-capability inbound unicast total (Virtual Technologies Command Reference)
display attack-defense cpu-core flow info
attack-defense ipcar action
Use attack-defense ipcar action to set defense actions upon threshold violations for monitored sessions.
Use undo attack-defense ipcar action to restore the default settings for a rate limit type.
Syntax
attack-defense ipcar { destination | source } { ip | ipv6 } [ threshold threshold ] action { { drop | logging } * | none }
undo attack-defense ipcar { destination | source } { ip | ipv6 }
Default
The packet receiving rate threshold is 5000 pps for each monitored session, and no defense actions are set.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
destination: Limits session creation rate on a per-destination basis.
source: Limits session creation rate on a per-source basis.
ip: Specifies IPv4 sessions.
ipv6: Specifies IPv6 sessions.
threshold threshold: Sets the packet receiving rate threshold, in pps. The value range is 1 to 500000, and the default is 5000.
logging: Enables logging upon threshold violations.
drop: Drops subsequent packets of sessions encountering threshold violations.
none: Takes no action.
Usage guidelines
Non-default vSystems do not support this command.
The device supports limiting session creation rate based on the following criteria:
· Source IPv4 addresses.
· Source IPv6 addresses.
· Destination IPv4 addresses.
· Destination IPv6 addresses.
Make sure you define the same criteria as those defined in the attack-defense ipcar session-rate-limit enable command. Otherwise, the attack-defense ipcar action command does not take effect.
Examples
# Limit sessions on a per-source IPv4 address, set the packet receiving rate threshold to 5000 pps, and set the drop action.
<Sysname> system-view
[Sysname] attack-defense ipcar source ip threshold 5000 action drop
Related commands
attack-defense ipcar session-rate-limit enable
attack-defense ipcar session-rate-limit enable
Use attack-defense ipcar session-rate-limit enable to enable session creation rate limit.
Use undo attack-defense ipcar session-rate-limit enable to disable session creation rate limit.
Syntax
attack-defense ipcar { destination | source } { ip | ipv6 } session-rate-limit enable
undo attack-defense ipcar { destination | source } { ip | ipv6 } session-rate-limit enable
Default
Session creation rate limit is disabled.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 Reth interface view
Layer 3 Reth subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VLAN interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination: Limits session creation rate on a per-destination basis.
source: Limits session creation rate on a per-source basis.
ip: Specifies IPv4 sessions.
ipv6: Specifies IPv6 sessions.
Usage guidelines
The device supports limiting session creation rate based on the following criteria:
· Source IPv4 addresses.
· Source IPv6 addresses.
· Destination IPv4 addresses.
· Destination IPv6 addresses.
With this feature enabled, the device enters attack detection state. It monitors the receiving rate of IP packets originating from or destined for an IP address. If the receiving rate reaches or exceeds the threshold, the device enters prevention state and takes defense actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state. To set the threshold, execute the attack-defense ipcar action command.
You cannot enable session creation rate limit based on both source and destination IP addresses on the same interface.
Examples
# Enable session creation rate limit based on source IPv4 addresses on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] attack-defense ipcar destination ip session-rate-limit enable
Related commands
attack-defense ipcar action
attack-defense login block-timeout
Use attack-defense login block-timeout to set the block period during which a login attempt is blocked.
Use undo attack-defense login block-timeout to restore the default.
Syntax
attack-defense login block-timeout minutes
undo attack-defense login block-timeout
Default
The block period is 60 minutes.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
minutes: Specifies the block period in minutes, in the range of 1 to 2880.
Usage guidelines
Non-default vSystems do not support this command.
After a user fails the maximum number of login attempts, login attack prevention triggers the blacklist module to add the user's IP address to the blacklist. The block period determines how long the user is on the blacklist. During the period, login attempts from the user are blocked.
Examples
# Set the block period to 5 minutes.
<Sysname> system-view
[Sysname] attack-defense login block-timeout 5
attack-defense login enable
Use attack-defense login enable to enable login attack prevention.
Use undo attack-defense login enable to disable login attack prevention.
Syntax
attack-defense login enable
undo attack-defense login enable
Default
Login attack prevention is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period.
For login attack prevention to take effect, you must enable the global blacklist feature.
Examples
# Enable login attack prevention.
<Sysname> system-view
[Sysname] attack-defense login enable
Related commands
blacklist global enable
attack-defense login max-attempt
Use attack-defense login max-attempt to set the maximum number of successive login failures for each user.
Use undo attack-defense login max-attempt to restore the default.
Syntax
attack-defense login max-attempt max-attempt
undo attack-defense login max-attempt
Default
Login attack prevention detects a login attack if a user fails three successive login attempts.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
max-attempt: Specifies the maximum number of login failures. The value range is 1 to 60.
Usage guidelines
Non-default vSystems do not support this command.
After a user fails the maximum number of login attempts, login attack prevention uses the blacklist to block the user from logging in during the block period.
For login attack prevention to take effect, you must enable the global blacklist feature.
The login failure counter for a user is reset after the user logs in successfully. If the device reboots, all login failure counters are reset.
Examples
# Set the maximum number of successive login failures to five.
<Sysname> system-view
[Sysname] attack-defense login max-attempt 5
Related commands
attack-defense login enable
attack-defense login reauthentication-delay
Use attack-defense login reauthentication-delay to enable the login delay feature and set the delay period.
Use undo attack-defense login reauthentication-delay to restore the default.
Syntax
attack-defense login reauthentication-delay seconds
undo attack-defense login reauthentication-delay
Default
The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
seconds: Specifies the delay period in seconds, in the range of 4 to 60.
Usage guidelines
Non-default vSystems do not support this command.
The login delay feature delays the device to accept a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks.
The login delay feature is independent of the login attack prevention feature.
Examples
# Enable the login delay feature and set the delay period to 5 seconds.
[Sysname] attack-defense login reauthentication-delay 5
attack-defense malformed-packet defend enable
Use attack-defense malformed-packet defend enable to enable malformed packet attack detection and prevention.
Use undo attack-defense malformed-packet defend enable to disable malformed packet attack detection and prevention.
Syntax
attack-defense malformed-packet defend enable
undo attack-defense malformed-packet defend enable
Default
Malformed packet attack detection and prevention is enabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature improves the single-packet attack prevention efficiency because it drops malformed packets of the following attacks without an attack defense policy match:
· IP impossible packet attack.
· TCP packet attacks that use TCP packets with different flag settings (all flags set, only the FIN flag set, invalid flags, no flags set, and both SYN and FIN flags set).
· Land attack and WinNuke attack.
· UDP fraggle attack, UDP bomb attack, and UDP snork attack.
For a single-packet attack that cannot be detected by this feature, you can use the signature detect command to enable detection and prevention specific to that attack.
Examples
# Enable malformed packet attack detection and prevention.
<Sysname> system-view
[Sysname] attack-defense malformed-packet defend enable
Related commands
signature detect
attack-defense mandatory-cpu-forwarding enable
Use attack-defense mandatory-cpu-forwarding enable to enable mandatory software forwarding.
Use undo attack-defense mandatory-cpu-forwarding enable to disable mandatory software forwarding.
Syntax
attack-defense mandatory-cpu-forwarding enable
undo attack-defense mandatory-cpu-forwarding enable
Default
Mandatory software forwarding is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
If attack detection and prevention permits the first packet of a traffic flow, the device will forward subsequent packets in the same way the first packet is forwarded. The device supports the following forwarding methods:
· Hardware forwarding—Delivers the packets to chips for forwarding. This method is applicable only when hardware fast forwarding is enabled. The following attack defense features support this forwarding method:
¡ SYN, ACK, SYNC-ACK, FIN, RST, UDP flood attack defense.
¡ Threshold learning.
¡ TCP client verification in safe reset mode.
To enable hardware fast forwarding, use the hardware fast-forwarding enable command.
· Software forwarding—Delivers the packets to the CPU for forwarding.
This command enables the device to perform software forwarding on packets permitted by attack detection and prevention.
Examples
# Enable mandatory software forwarding.
<Sysname> system-view
[Sysname] attack-defense mandatory-cpu-forwarding enable
Related commands
hardware fast-forwarding enable (Layer 3—IP Services Command Reference)
attack-defense policy
Use attack-defense policy to create an attack defense policy and enter its view, or enter the view of an existing attack defense policy.
Use undo attack-defense policy to delete an attack defense policy.
Syntax
attack-defense policy policy-name
undo attack-defense policy policy-name
Default
No attack defense policies exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
Usage guidelines
|
|
CAUTION: The default thresholds for triggering attack prevention might not be appropriate for your network. Set appropriate thresholds according to the actual application scenarios. Small thresholds might affect the Internet or webpage access speed. Large thresholds might make your network vulnerable to attacks. |
Examples
# Create attack defense policy atk-policy-1 and enter its view.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1]
Related commands
attack-defense apply policy
display attack-defense policy
attack-defense signature log non-aggregate
Use attack-defense signature log non-aggregate to enable log non-aggregation for single-packet attack events.
Use undo attack-defense signature log non-aggregate to restore the default.
Syntax
attack-defense signature log non-aggregate
undo attack-defense signature log non-aggregate
Default
Log non-aggregation is disabled for single-packet attack events.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Log aggregation aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common:
· Location where the attacks are detected: security zone.
· Attack type.
· Attack prevention action.
· Source and destination IP addresses.
· VPN instance to which the victim IP address belongs.
As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
Examples
# Enable log non-aggregation for single-packet attack events.
<Sysname> system-view
[Sysname] attack-defense signature log non-aggregate
Related commands
signature detect
attack-defense top-attack-statistics enable
Use attack-defense top-attack-statistics enable to enable the top attack statistics ranking feature.
Use undo attack-defense top-attack-statistics enable to disable the top attack statistics ranking feature.
Syntax
attack-defense top-attack-statistics enable
undo attack-defense top-attack-statistics enable
Default
The top attack statistics ranking feature is disabled.
Views
System view.
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature collects statistics about number of dropped attack packets based on attacker, victim, and attack type and ranks the statistics by attacker and victim.
To display the top attack statistics, use the display attack-defense top-attack-statistics command.
Examples
# Enable the top attack statistics ranking feature.
<Sysname> system-view
[Sysname] attack-defense top-attack-statistics enable
Related commands
display attack-defense top-attack-statistics
blacklist destination-ip
Use blacklist destination-ip to add a destination IPv4 blacklist entry.
Use undo blacklist destination-ip to delete a destination IPv4 blacklist entry.
Syntax
blacklist destination-ip destination-ip-address [ vpn-instance vpn-instance-name ] [ comment comment-string ] [ timeout minutes ]
undo blacklist destination-ip destination-ip-address [ vpn-instance vpn-instance-name ]
Default
No destination IPv4 blacklist entries exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-ip-address Specifies an IPv4 address for the destination blacklist entry. Packets destined for this address will be dropped.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.
comment comment-string: Specifies the remarks for the blacklist entry, a case-sensitive string of 1 to 127 characters. If you do not specify this option, the blacklist entry does not have remarks.
timeout minutes: Specifies the aging time for the destination blacklist entry, in the range of 1 to 525600 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
The undo blacklist destination-ip command deletes only manually added destination IPv4 blacklist entries. To delete dynamically added destination IPv4 blacklist entries, use the reset blacklist destination-ip command.
A destination blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.
You can use the display blacklist destination-ip command to display all effective destination IPv4 blacklist entries.
Examples
# Add a destination blacklist entry for IPv4 address 192.168.1.2 and set the aging time to 20 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist ip 192.168.1.2 timeout 20
Related commands
blacklist enable
blacklist global enable
display blacklist destination-ip
blacklist destination-ipv6
Use blacklist destination-ipv6 to add a destination IPv6 blacklist entry.
Use undo blacklist destination-ipv6 to delete a destination IPv6 blacklist entry.
Syntax
blacklist destination-ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ comment comment-string ] [ timeout minutes ]
undo blacklist destination-ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ]
Default
No destination IPv6 blacklist entries exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-ipv6-address: Specifies an IPv6 address for the blacklist entry. Packets destined for this address will be dropped.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.
comment comment-string: Specifies the remarks for the blacklist entry, a case-sensitive string of 1 to 127 characters. If you do not specify this option, the blacklist entry does not have remarks.
timeout minutes: Specifies the aging time for the blacklist entry, in the range of 1 to 525600 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
The undo blacklist destination-ipv6 command deletes only manually added destination IPv6 blacklist entries. To delete dynamically added destination IPv6 blacklist entries, use the reset blacklist ipv6 command.
A destination blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.
You can use the display blacklist destination-ipv6 command to display all effective destination IPv6 blacklist entries.
Examples
# Add a destination blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist ipv6 2012::12:25 timeout 10
Related commands
blacklist enable
blacklist global enable
blacklist destination-ipv6
blacklist enable
Use blacklist enable to enable the blacklist feature on a security zone.
Use undo blacklist enable to disable the blacklist feature on a security zone.
Syntax
blacklist enable
undo blacklist enable
Default
The blacklist feature is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If the global blacklist feature is enabled, the blacklist feature is enabled on all security zones. If the global blacklist feature is disabled, you can use this command to enable blacklist on individual security zones.
Examples
# Enable the blacklist feature on security zone Untrust.
<Sysname> system-view
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] blacklist enable
Related commands
blacklist ip
blacklist ipv6
blacklist global enable
Use blacklist global enable to enable the global blacklist feature.
Use undo blacklist global enable to disable the global blacklist feature.
Syntax
blacklist global enable
undo blacklist global enable
Default
The global blacklist feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If you enable the global blacklist feature, the blacklist feature is enabled on all security zones.
Examples
# Enable the global blacklist feature.
<Sysname> system-view
[Sysname] blacklist global enable
Related commands
blacklist enable
blacklist ip
blacklist ip
Use blacklist ip to add a source IPv4 blacklist entry.
Use undo blacklist ip to delete a source IPv4 blacklist entry.
Syntax
blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] [ comment comment-string ] [ timeout minutes ]
undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ]
Default
No source IPv4 blacklist entries exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-ip-address: Specifies an IPv4 address for the source blacklist entry. Packets sourced from this address will be dropped.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.
ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.
comment comment-string: Specifies the remarks for the blacklist entry, a case-sensitive string of 1 to 127 characters. If you do not specify this option, the blacklist entry does not have remarks.
timeout minutes: Specifies the aging time in minutes for the source blacklist entry, in the range of 1 to 525600. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
The undo blacklist ip command deletes only manually added source IPv4 blacklist entries. To delete dynamically added source IPv4 blacklist entries, use the reset blacklist ip command.
A source blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.
You can use the display blacklist ip command to display all effective source IPv4 blacklist entries.
Examples
# Add a source blacklist entry for IPv4 address 192.168.1.2 and set the aging time to 20 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist ip 192.168.1.2 timeout 20
Related commands
blacklist enable
blacklist global enable
display blacklist ip
blacklist ipv6
Use blacklist ipv6 to add a source IPv6 blacklist entry.
Use undo blacklist ipv6 to delete a source IPv6 blacklist entry.
Syntax
blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ comment comment-string ] [ timeout minutes ]
undo blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ]
Default
No source IPv6 blacklist entries exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-ipv6-address: Specifies an IPv6 address for the source blacklist entry. Packets sourced from this address will be dropped.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.
comment comment-string: Specifies the remarks for the blacklist entry, a case-sensitive string of 1 to 127 characters. If you do not specify this option, the blacklist entry does not have remarks.
timeout minutes: Specifies the aging time in minutes for the source blacklist entry, in the range of 1 to 525600. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
The undo blacklist ipv6 command deletes only manually added source IPv6 blacklist entries. To delete dynamically added source IPv6 blacklist entries, use the reset blacklist ipv6 command.
A source blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.
You can use the display blacklist ipv6 command to display all effective source IPv6 blacklist entries.
Examples
# Add a source blacklist entry for IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist ipv6 2012::12:25 timeout 10
Related commands
blacklist enable
blacklist global enable
blacklist ip
blacklist logging enable
Use blacklist logging enable to enable logging for the blacklist feature.
Use undo blacklist logging enable to disable logging for the blacklist feature.
Syntax
blacklist logging enable
undo blacklist logging enable
Default
Logging is disabled for the blacklist feature.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
With logging enabled for the blacklist feature, the system outputs logs in the following situations:
· A blacklist entry is manually added.
· A blacklist entry is dynamically added by the scanning attack detection feature.
· A blacklist entry is manually deleted.
· A blacklist entry ages out.
A blacklist log records the following information:
· Source IP address of the blacklist entry.
· Remote IP address of the DS-Lite tunnel.
· VPN instance name.
· Reason for adding or deleting the blacklist entry.
· Aging time for the blacklist entry.
This command enables the attack detection and prevention module to log blacklist events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output blacklist logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view blacklist logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for the blacklist feature.
<Sysname> system-view
[Sysname] blacklist logging enable
# Add 192.168.1.2 to the blacklist. A log is output for the adding event.
[Sysname] blacklist ip 192.168.100.12
%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.
# Delete 192.168.1.2 from the blacklist. A log is output for the deletion event.
[Sysname] undo blacklist ip 192.168.100.12
%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; Reason(1052)=Configuration.
Related commands
blacklist ip
blacklist ipv6
blacklist object-group
Use blacklist object-group to add an address object group to the blacklist.
Use undo blacklist object-group to restore the default.
Syntax
blacklist object-group object-group-name
undo blacklist object-group
Default
No address object group is on the blacklist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command must be used together with the address object group feature. For more information about address object groups, see object group configuration in Security Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Add address object group object-group1 to the blacklist.
<Sysname> system-view
[Sysname] blacklist object-group object-group1
blacklist user
Use blacklist user to add a user blacklist entry.
Use undo blacklist user to delete a user blacklist entry.
Syntax
blacklist user user-name [ domain domain-name ] [ timeout minutes ]
undo blacklist user user-name [ domain domain-name ]
Default
No user blacklist entries exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. Packets sourced from this user will be dropped.
domain domain-name: Specifies a user identification domain by its name, a case-insensitive string of 1 to 255 characters. The user identification domain name cannot include question marks (?). If you do not specify a user identification domain, the user does not belong to any user identification domain.
timeout minutes: Specifies the aging time for the blacklist entry, in the range of 1 to 1000 minutes. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.
Usage guidelines
Non-default vSystems do not support this command.
The user blacklist feature must be used together with the user identification feature. For more information about user identification, see "Configuring user identification."
Examples
# Add a user blacklist entry for user usera and set the aging time to 20 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist user usera timeout 20
# Add a user blacklist entry for user usera in user identification domain domaina and set the aging time to 20 minutes for the entry.
<Sysname> system-view
[Sysname] blacklist user usera domain domaina timeout 20
Related commands
blacklist global enable
display blacklist user
client-verify dns enable
Use client-verify dns enable to enable DNS client verification on a security zone.
Use undo client-verify dns enable to disable DNS client verification on a security zone.
Syntax
client-verify dns enable
undo client-verify dns enable
Default
DNS client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Enable DNS client verification on the security zone that is connected to the external network. This feature protects internal DNS servers against DNS flood attacks.
For the DNS client verification to collaborate with DNS flood attack prevention, specify client-verify as the DNS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a DNS flood attack. You can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification.
Examples
# Enable DNS client verification on security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name DMZ
[Sysname-security-zone-DMZ] client-verify dns enable
Related commands
client-verify dns protected ip
display client-verify dns protected ip
client-verify dns-reply enable
Use client-verify dns-reply enable to enable DNS response verification on a security zone.
Use undo client-verify dns-reply enable to disable DNS response verification on a security zone.
Syntax
client-verify dns-reply enable
undo client-verify dns-reply enable
Default
DNS response verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Enable DNS response verification on the security zone that is connected to the external network. This feature protects internal DNS clients against DNS response flood attacks.
For the DNS response verification to collaborate with DNS response flood attack prevention, specify client-verify as the DNS response flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted servers if it detects a DNS response flood attack. You can use the display client-verify dns-reply protected ip command to display the protected IP list for DNS response verification.
Examples
# Enable DNS response verification on security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name dmz
[Sysname-security-zone-DMZ] client-verify dns-reply enable
Related commands
client-verify dns-reply protected ip
display client-verify dns-reply protected ip
client-verify http enable
Use client-verify http enable to enable HTTP client verification on a security zone.
Use undo client-verify http enable to disable HTTP client verification on a security zone.
Syntax
client-verify http enable
undo client-verify http enable
Default
HTTP client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Enable HTTP client verification on the security zone that is connected to the external network. This feature protects internal servers against HTTP flood attacks.
For the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTP flood attack. You can use the display client-verify http protected ip command to display the protected IP list for HTTP client verification.
Examples
# Enable HTTP client verification on security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name DMZ
[Sysname- security-zone-DMZ] client-verify http enable
Related commands
client-verify http protected ip
display client-verify http protected ip
client-verify https enable
Use client-verify https enable to enable HTTPS client verification on a security zone.
Use undo client-verify https enable to disable HTTPS client verification on a security zone.
Syntax
client-verify http enable
undo client-verify http enable
Default
HTTPS client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Enable HTTPS client verification on the security zone that is connected to the external network. This feature protects internal servers against HTTPS flood attacks.
For the HTTPS client verification to collaborate with HTTPS flood attack prevention, specify client-verify as the HTTPS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTPS flood attack. You can use the display client-verify https protected ip command to display the protected IP list for HTTPS client verification.
Examples
# Enable HTTPS client verification on security zone Trust.
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname- security-zone-DMZ] client-verify https enable
Related commands
client-verify https protected ip
display client-verify https protected ip
client-verify sip enable
Use client-verify sip enable to enable SIP client verification on a security zone.
Use undo client-verify sip enable to disable SIP client verification on a security zone.
Syntax
client-verify sip enable
undo client-verify sip enable
Default
SIP client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Enable SIP client verification on the security zone that is connected to the external network. This feature protects internal servers against SIP flood attacks.
For the SIP client verification to collaborate with SIP flood attack prevention, specify client-verify as the SIP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an SIP flood attack. You can use the display client-verify sip protected ip command to display the protected IP list for SIP client verification.
Examples
# Enable SIP client verification on security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name DMZ
[Sysname-security-zone-DMZ] client-verify sip enable
Related commands
client-verify sip protected ip
display client-verify sip protected ip
client-verify protected ip
Use client-verify protected ip to specify an IPv4 address to be protected by the client verification feature.
Use undo client-verify protected ip to remove an IPv4 address protected by the client verification feature.
Syntax
client-verify { dns | dns-reply | http | https | sip | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]
undo client-verify { dns | dns-reply | http | https | sip | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]
Default
The client verification feature does not protect any IPv4 addresses.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification feature.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, the verification feature protects ports for different protocols as follows:
· DNS client or DNS response verification protects port 53.
· HTTP client verification protects port 80.
· HTTPS client verification protects port 443.
· SIP client verification protects port 5060.
· TCP client verification protects all ports.
Usage guidelines
You can specify multiple protected IP addresses by using this command multiple times.
Examples
# Configure TCP client verification to protect IPv4 address 2.2.2.5 and port 25.
<Sysname> system-view
[Sysname] client-verify tcp protected ip 2.2.2.5 port 25
# Configure DNS client verification to protect IPv4 address 2.2.2.5 and port 50.
<Sysname> system-view
[Sysname] client-verify dns protected ip 2.2.2.5 port 50
Related commands
display client-verify protected ip
client-verify protected ipv6
Use client-verify protected ipv6 to specify an IPv6 address to be protected by the client verification feature.
Use undo client-verify protected ipv6 to remove an IPv6 address protected by the client verification feature.
Syntax
client-verify { dns | dns-reply | http | https | sip | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]
undo client-verify { dns | dns-reply | http | https | sip | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]
Default
The client verification feature does not protect any IPv6 addresses.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification feature.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, the verification feature for different protocols protects ports as follows:
· DNS client or DNS response verification protects port 53.
· HTTP client verification protects port 80.
· HTTPS client verification protects port 443.
· SIP client verification protects port 5060.
· TCP client verification protects all ports.
Usage guidelines
You can specify multiple protected IPv6 addresses by using this command multiple times.
Examples
# Configure TCP client verification to protect IPv6 address 2013::12 and port 23.
<Sysname> system-view
[Sysname] client-verify tcp protected ipv6 2013::12 port 23
# Configure HTTP client verification to protect IPv6 address 2013::12.
<Sysname> system-view
[Sysname] client-verify http protected ipv6 2013::12
Related commands
display client-verify protected ipv6
client-verify tcp enable
Use client-verify tcp enable to enable TCP client verification on a security zone.
Use undo client-verify tcp enable to disable TCP client verification on a security zone.
Syntax
client-verify tcp enable [ mode { syn-cookie | safe-reset } ]
undo client-verify tcp enable
Default
TCP client verification is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
mode: Specifies a working mode for TCP client verification. If you do not specify this keyword, the SYN cookie mode is used.
syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.
safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.
Usage guidelines
Enable TCP client verification on the security zone that is connected to the external network. This feature protects internal servers against TCP flood attacks, including SYN flood attacks, SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.
For TCP client verification to collaborate with TCP flood attack prevention, specify client-verify as the TCP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack. You can use the display client-verify tcp protected ip command to display the protected IP list for TCP client verification.
TCP client verification supports the following modes:
· Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.
· SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.
Choose a TCP proxy mode according to the network scenarios. If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode. If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie. TCP proxy must be enabled on input security zones. Otherwise, TCP connections cannot be established correctly.
Examples
# Enable TCP client verification in safe reset mode on security zone DMZ.
<Sysname> system-view
[Sysname] security-zone name DMZ
[Sysname-security-zone-DMZ] client-verify tcp enable mode safe-reset
Related commands
client-verify tcp protected ip
display client-verify tcp protected ip
display attack-defense cpu-core flow info
Use display attack-defense cpu-core flow info to display attack flow information for CPU cores.
Syntax
In standalone mode:
display attack-defense cpu-core flow info slot slot-number cpu cpu-number
In IRF mode:
display attack-defense cpu-core flow info chassis chassis-number slot slot-number cpu cpu-number
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
Non-default vSystems do not support this command.
Parameters
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number.
Examples
# (In standalone mode.) Display attack flow information for the CPU cores on CPU 1 in slot 2.
<Sysname> display attack-defense cpu-core flow info slot 2 cpu 1
Hardware Buffer Full: Full
TimeStamp: 2018-09-19 08:59:07
CPU ID: 10
SMAC: 02:1c:2b:3c:4d:5f DMAC: 0a:bc:2c:3d:4f:5e
VLAN ID: 0 Interface: GiabitEthernet1/0/1
SIP: 1.1.1.1 DIP: 2.2.2.2
Pro: 17
SPort: 1223 DPort: 2668
CPU Usage: 60% IfIsolate: true
SMAC: 03:11:22:33:44:55 DMAC: 04:aa:bb:cc:dd:5e
VLAN ID: 0 Interface: GiabitEthernet1/0/1
SIP: 1::1 DIP: 2::2
Pro: 132
CPU Usage: 40% IfIsolate: false
TimeStamp: 2018-09-19 08:59:07
CPU ID: 12
SMAC: 02:1c:2b:3c:4d:5f DMAC: 0a:bc:2c:3d:4f:5e
VLAN ID: 0 Interface: GiabitEthernet1/0/1
SIP: 1.1.1.1 DIP: 2.2.2.2
Pro: 17
SPort: 1223 DPort: 2668
CPU Usage: 70% IfIsolate: false
SMAC: 03:11:22:33:44:55 DMAC: 04:aa:bb:cc:dd:5e
VLAN ID: 0 Interface: GiabitEthernet1/0/1
SIP: 1::1 DIP: 2::2
Pro: 132
CPU Usage: 30% IfIsolate: false
Table 1 Command output
|
Field |
Description |
|
Hardware Buffer Full |
Whether the shared hardware queue of the driver is full. · Full—The shared hardware queue of the driver is full. · Free—The shared hardware queue of the driver is not full. |
|
TimeStamp |
Time when information collection finished. |
|
CPU ID |
ID of the CPU core to which the flow was sent. |
|
SMAC |
Source MAC address of the attack flow. |
|
DMAC |
Destination MAC address of the attack flow. |
|
VLAN ID |
ID of the VLAN to which the attack flow belongs. |
|
Interface |
Ingress interface of the attack flow. |
|
SIP |
Source IP address of the attack flow. |
|
DIP |
Destination IP address of the attack flow. |
|
Pro |
Protocol type of the attack flow. |
|
SPort |
Source port of the attack flow. This field is available only when the protocol type is TCP or UDP. |
|
DPort |
Destination port of the attack flow. This field is available only when the protocol type is TCP or UDP. |
|
CPU Usage |
Percentage of the CPU time used by the attack flow. |
|
IfIsolate |
Whether the isolation entry has been deployed to the hardware successfully. · True—Deployment succeeded. · False—Deployment failed. |
Related commands
attack-defense cpu-core action
display attack-defense flood statistics ip
Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-flood | syn-ack-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-flood | syn-ack-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
dns-reply-flood: Specifies DNS response flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv4 flood attacks.
http-flood: Specifies HTTP flood attack.
https-flood: Specifies HTTPS flood attack.
icmp-flood: Specifies ICMP flood attack.
rst-flood: Specifies RST flood attack.
sip-flood: Specifies SIP flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of flood attack prevention entries.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples
# (In standalone mode.) Display all IPv4 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ip
Slot 1:
Dest IP VPN Detected on Detect type State PPS Dropped
201.55.7.45 -- Trust1 SYN-ACK-FLOOD Normal 1000 111111111
192.168.11.5 -- Trust2 ACK-FLOOD Normal 1000 222222222
Src IP VPN Detected on Detect type State PPS Dropped
10.118.21.14 -- Trust4 SIP-FLOOD Normal 1000 265387945
Slot 2:
Dest IP VPN Detected on Detect type State PPS Dropped
IP address VPN Detected on Detect type State PPS Dropped
201.55.1.10 -- Trust1 ACK-FLOOD Normal 1000 222222222
Src IP VPN Detected on Detect type State PPS Dropped
192.168.100.30 -- Trust3 DNS-FLOOD Normal 1000 333333333
192.168.100.66 -- Trust4 SYN-ACK-FLOOD Normal 1000 165467998
# (In standalone mode.) Display the number of flood attack prevention entries.
<Sysname> display attack-defense flood statistics ip count
Slot 1:
Totally 2 flood destination entries.
Totally 1 flood source entries.
Slot 2:
Totally 1 flood destination entries.
Totally 2 flood source entries.
Table 2 Command output
|
Field |
Description |
|
Dest IP |
Destination IPv4 address in attack packets. |
|
Src IP |
Source IPv4 address in attack packets. |
|
VPN |
MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--). |
|
Detected on |
Name of the security zone where the attack is detected. |
|
Detect type |
Type of the detected flood attack: · ACK flood. · DNS flood. · DNS reply flood. · FIN flood. · ICMP flood. · ICMPv6 flood. · SYN flood. · SYN-ACK flood. · UDP flood. · RST flood. · HTTP flood. · SIP flood. · HTTPS flood. |
|
State |
Whether the security zone is attacked: · Attacked. · Normal. |
|
PPS |
Number of packets sent to the IPv4 address per second. |
|
Dropped |
Number of attack packets dropped by the security zone. |
|
Totally 2 flood destination entries |
Total number of IPv4 destination-based flood attack prevention entries. |
|
Totally 2 flood source entries |
Total number of IPv4 source-based flood attack prevention entries. |
display attack-defense flood statistics ipv6
Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics.
Syntax
In standalone mode:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood |flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display attack-defense { ack-flood | dns-flood | dns-reply-flood | fin-flood |flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-flood | syn-ack-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
dns-reply-flood: Specifies DNS response flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv6 flood attacks.
http-flood: Specifies HTTP flood attack.
https-flood: Specifies HTTPS flood attack.
icmpv6-flood: Specifies ICMPv6 flood attack.
rst-flood: Specifies RST flood attack.
sip-flood: Specifies SIP flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 flood attack detection and prevention statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 flood attack detection and prevention statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of flood attack prevention entries.
Usage guidelines
The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.
Examples
# (In standalone mode.) Display all IPv6 flood attack detection and prevention statistics.
<Sysname> display attack-defense flood statistics ipv6
Slot 1:
Dest IPv6 VPN Detected on Detect type State PPS Dropped
1::2 -- Trust1 DNS-FLOOD Normal 1000 111111111
1::3 -- Trust2 SYN-ACK-FLOOD Normal 1000 222222222
Src IPv6 VPN Detected on Detect type State PPS Dropped
17::14 -- Trust4 SIP-FLOOD Normal 1000 266649789
Slot 2:
Dest IPv6 VPN Detected on Detect type State PPS Dropped
1::2 -- Trust1 SYN-FLOOD Normal 1000 468792363
1::5 -- Trust2 ACK-FLOOD Normal 1000 452213396
Src IPv6 VPN Detected on Detect type State PPS Dropped
1::6 -- Trust4 DNS-FLOOD Normal 1000 12569985
# (In standalone mode.) Display the number of flood attack prevention entries.
<Sysname> display attack-defense flood statistics ipv6 count
Slot 1:
Totally 1 flood destination entries.
Totally 2 flood source entries
Slot 2:
Totally 2 flood destination entries.
Totally 1 flood source entries
Table 3 Command output
|
Field |
Description |
|
Dest IPv6 |
Destination IPv6 address in attack packets. |
|
Src IPv6 |
Source IPv6 address in attack packets. |
|
VPN |
MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--). |
|
Detected on |
Name of the security zone where the attack is detected. |
|
Detect type |
Type of the detected flood attack: · ACK flood. · DNS flood. · DNS reply flood. · FIN flood. · ICMPv6 flood. · SYN flood. · SYN-ACK flood. · UDP flood. · RST flood. · HTTP flood. · SIP flood. · HTTPS flood. |
|
State |
Whether the security zone is attacked: · Attacked. · Normal. |
|
PPS |
Number of packets sent to the IPv6 address per second. |
|
Dropped |
Number of attack packets dropped by the security zone. |
|
Totally 2 flood destination entries |
Total number of IPv6 destination-based flood attack prevention entries. |
|
Totally 2 flood source entries |
Total number of IPv6 source-based flood attack prevention entries. |
display attack-defense http-slow-attack statistics ip
Use display attack-defense http-slow-attack statistics ip to display statistics about IPv4 HTTP slow attack detection and prevention.
Syntax
In standalone mode:
display attack-defense http-slow-attack statistics ip [ ip-address [ vpn-instance vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display attack-defense http-slow-attack statistics ip [ ip-address [ vpn-instance vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip-address: Specifies a destination IPv4 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the destination IPv4 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about IPv4 HTTP slow attack detection and prevention for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about IPv4 HTTP slow attack detection and prevention for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of IPv4 HTTP slow attack prevention entries for matching protected IPv4 addresses.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Display statistics about IPv4 HTTP slow attack detection and prevention.
<Sysname> display attack-defense http-slow-attack statistics ip
Slot 1:
IP address VPN Detected on State
192.168.11.4 asd Trust1 Normal
201.55.7.44 -- Trust4 Normal
Slot 2:
IP address VPN Detected on State
192.168.11.4 asd Trust1 Normal
201.55.7.44 -- Trust4 Normal
# (In IRF mode.) Display statistics about IPv4 HTTP slow attack detection and prevention.
<Sysname> display attack-defense http-slow-attack statistics ip
Slot 1 in chassis 1:
IP address VPN Detected on State
192.168.11.4 asd Trust1 Normal
201.55.7.44 -- Trust4 Normal
slot 2 in chassis 2:
IP address VPN Detected on State
192.168.11.4 asd Trust1 Normal
201.55.7.44 -- Trust4 Normal
# (In standalone mode.) Display the number of IPv4 HTTP slow attack prevention entries for protected IPv4 addresses.
<Sysname> display attack-defense http-slow-attack statistics ip count
Slot 1:
Totally 2 HTTP slow attack entries.
Slot 2:
Totally 1 HTTP slow attack entries.
# (In IRF mode.) Display the number of IPv4 HTTP slow attack prevention entries for protected IPv4 addresses.
<Sysname> display attack-defense http-slow-attack statistics ip count
Slot 1 in chassis 1:
Totally 2 HTTP slow attack entries.
Slot 2 in chassis 2:
Totally 3 HTTP slow attack entries.
Table 4 Command output
|
Field |
Description |
|
IP address |
Destination IPv4 address. |
|
VPN |
MPLS L3VPN instance to which the destination IPv6 address belongs. If the destination IPv6 address is on the public network, this field displays hyphens (--). |
|
Detected on |
Name of the security zone where the attack is detected. |
|
State |
Whether the security zone is attacked: · Attacked—It is being attacked. · Normal—It is not attacked. |
|
Totally 2 HTTP slow attack entries |
Total number of IPv4 HTTP slow attack prevention entries. |
display attack-defense http-slow-attack statistics ipv6
Use display attack-defense http-slow-attack statistics ipv6 to display statistics about IPv6 HTTP slow attack detection and prevention.
Syntax
In standalone mode:
display attack-defense http-slow-attack statistics ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] [ security-zone zone-name ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display attack-defense http-slow-attack statistics ipv6 [ ipv6-address [ vpn-instance vpn-instance-name ] ] [ security-zone zone-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv6-address: Specifies a destination IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the destination IPv6 address is on the public network.
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about IPv6 HTTP slow attack detection and prevention for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about IPv6 HTTP slow attack detection and prevention for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of IPv6 HTTP slow attack prevention entries for matching protected IPv6 addresses.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Display statistics about IPv6 HTTP slow attack detection and prevention.
<Sysname> display attack-defense http-slow-attack statistics ipv6
Slot 1:
IPv6 address VPN Detected on State
2000::1011 asd Trust1 Normal
1::4 -- Trust4 Normal
Slot 2:
IPv6 address VPN Detected on State
2000::1011 asd Trust1 Normal
1::4 -- Trust4 Normal
# (In IRF mode.) Display statistics about IPv6 HTTP slow attack detection and prevention.
<Sysname> display attack-defense http-slow-attack statistics ipv6
Slot 1 in chassis 1:
IPv6 address VPN Detected on State
2000::1011 asd Trust1 Normal
1::4 -- Trust4 Normal
slot 2 in chassis 2:
IPv6 address VPN Detected on State
2000::1011 asd Trust1 Normal
1::4 -- Trust4 Normal
# (In standalone mode.) Display the number of IPv6 HTTP slow attack prevention entries for protected IPv6 addresses.
<Sysname> display attack-defense http-slow-attack statistics ipv6 count
Slot 1:
Totally 5 HTTP slow attack entries.
Slot 2:
Totally 3 HTTP slow attack entries.
# (In IRF mode.) Display the number of IPv6 HTTP slow attack prevention entries for protected IPv6 addresses.
<Sysname> display attack-defense http-slow-attack statistics ipv6 count
Slot 1 in chassis 1:
Totally 5 HTTP slow attack entries.
Slot 2 in chassis 2:
Totally 3 HTTP slow attack entries.
Table 5 Command output
|
Field |
Description |
|
IPv6 address |
Destination IPv6 address. |
|
VPN |
MPLS L3VPN instance to which the destination IPv6 address belongs. If the destination IPv6 address is on the public network, this field displays hyphens (--). |
|
Detected on |
Name of the security zone where the attack is detected. |
|
State |
Whether the security zone is attacked: · Attacked. · Normal. |
|
Totally 5 HTTP slow attack entries |
Total number of IPv6 HTTP slow attack prevention entries. |
display attack-defense malformed-packet statistics
Use display attack-defense malformed-packet statistics to display statistics about malformed packets.
Syntax
In standalone mode:
display attack-defense malformed-packet statistics [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display attack-defense malformed-packet statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics about malformed packets for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics about malformed packets for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Display statistics about malformed packets.
<Sysname> display attack-defense malformed-packet statistics
Slot 1:
Malformed packets dropped: 10000
Slot 2:
Malformed packets dropped: 1000
Table 6 Command output
|
Field |
Description |
|
Malformed packets dropped |
Number of dropped malformed packets. |
Related commands
reset attack-defense malformed-packet statistics
display attack-defense policy
Use display attack-defense policy to display attack defense policy configuration.
Syntax
display attack-defense policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.
Usage guidelines
This command output includes the following configuration information about an attack defense policy:
· Whether attack detection is enabled.
· Attack prevention actions.
· Attack prevention trigger thresholds.
Examples
# Display the configuration of attack defense policy abc.
<Sysname> display attack-defense policy abc
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name : abc
Applied list : Trust
--------------------------------------------------------------------------
Exempt IPv4 ACL: : Not configured
Exempt IPv6 ACL: : vip
--------------------------------------------------------------------------
Actions: CV-Client verify BS-Block source L-Logging D-Drop N-None
Signature attack defense configuration:
Signature name Defense Level Actions
Fragment Enabled Info L
Impossible Enabled Info L
Teardrop Disabled Info L
Tiny fragment Disabled Info L
IP option abnormal Disabled Info L
Smurf Disabled Info N
Traceroute Disabled Medium L,D
Ping of death Disabled Low L
Large ICMP Disabled Medium L,D
Max length 4000 bytes
Large ICMPv6 Disabled Low L
Max length 4000 bytes
TCP invalid flags Disabled medium L,D
TCP null flag Disabled Low L
TCP all flags Enabled Info L
TCP SYN-FIN flags Disabled Info L
TCP FIN only flag Enabled Info L
TCP Land Disabled Info L
Winnuke Disabled Info L
UDP Bomb Disabled Info L
UDP Snork Disabled Info L
UDP Fraggle Enabled Info L
IP option record route Disabled Info L
IP option internet timestamp Enabled Info L
IP option security Disabled Info L
IP option loose source routing Enabled Info L
IP option stream ID Disabled Info L
IP option strict source routing Disabled Info L
IP option route alert Disabled Info L
ICMP echo request Disabled Info L
ICMP echo reply Disabled Info L
ICMP source quench Disabled Info L
ICMP destination unreachable Enabled Info L
ICMP redirect Enabled Info L
ICMP time exceeded Enabled Info L
ICMP parameter problem Disabled Info L
ICMP timestamp request Disabled Info L
ICMP timestamp reply Disabled Info L
ICMP information request Disabled Info L
ICMP information reply Disabled Medium L,D
ICMP address mask request Disabled Medium L,D
ICMP address mask reply Disabled Medium L,D
ICMPv6 echo request Enabled Medium L,D
ICMPv6 echo reply Disabled Medium L,D
ICMPv6 group membership query Disabled Medium L,D
ICMPv6 group membership report Disabled Medium L,D
ICMPv6 group membership reduction Disabled Medium L,D
ICMPv6 destination unreachable Enabled Medium L,D
ICMPv6 time exceeded Enabled Medium L,D
ICMPv6 parameter problem Disabled Medium L,D
ICMPv6 packet too big Disabled Medium L,D
IPv6 extension header abnormal Disabled Info L
IPv6 extension header exceeded Disabled Info L
Limit 7
Scan attack defense configuration:
Preset defense:
Defense: Disabled
User-defined defense:
Port scan defense: Enabled
Port scan defense threshold: 5000 packets
IP sweep defense: Enabled
IP sweep defense threshold: 8000 packets
Period: 100s
Actions: L
Flood type Global dest/src thres(pps) Global actions Service ports Non-specific
DNS flood 1000/1000 - 53 Disabled
DNS reply flood 1000/1000 - - Disabled
HTTP flood 1000/1000 80 - Disabled
SIP flood 1000/1000 50 - Enabled
HTTPS flood 1000/1000 - 443 Disabled
SYN flood 1000/1000 - - Disabled
ACK flood 1000/1000 - - Disabled
SYN-ACK flood 1000/1000 - - Disabled
RST flood 1000/1000 - - Disabled
FIN flood 1000/1000 - - Disabled
UDP flood 1000/1000 - - Disabled
ICMP flood 1000/1000 - - Disabled
ICMPv6 flood 1000/1000 - - Enabled
Flood attack defense for protected IP addresses:
Address VPN instance Flood type Thres(pps) Actions Ports
1::1 -- FIN-FLOOD 10 L,D -
192.168.1.1 -- SYN-ACK-FLOOD 10 - -
1::1 -- FIN-FLOOD - L -
2013:2013:2013:2013: -- DNS-FLOOD 100 L,CV 53
2013:2013:2013:2013
10::13:13 A0123458589 SIP-FLOOD 100 L,CV 5060
HTTP slow attack defense configuration:
Non-specific: Enabled
Global threshold:
Alert-number: 1200000
Content-length: 100000000
Payload-length: 1000
Packet-number: 1000
Global period: 1200 seconds
Global action: L, BS (1000)
Ports: 80, 8000 to 8001
Threshold: AN-Alert number, CL-Content length, PL-Payload length, PN-Packet number
HTTP slow attack defense configuration for protected IP addresses:
Address VPN instance Threshold (AN/CL/PL/PN) Period Actions Ports
1111:2222:3333:4 abcdefghigkl 1200000,100000000,1000,1000 1000 L,BS(10) 80
444::8888 mnopqrstuvwx
yz
Table 7 Command output
|
Field |
Description |
|
Policy name |
Name of the attack defense policy. |
|
Applied list |
Locations to which the attack defense policy is applied. |
|
Exempt IPv4 ACL |
IPv4 ACL used for attack detection exemption. |
|
Exempt IPv6 ACL |
IPv6 ACL used for attack detection exemption. |
|
Actions |
Attack prevention actions: · CV—Client verification. · BS—Blocking sources. · L—Logging. · D—Dropping packets. · N—No action. |
|
Signature attack defense configuration |
Configuration information about single-packet attack detection and prevention. |
|
Signature name |
Type of the single-packet attack. |
|
Defense |
Whether attack detection is enabled. |
|
Level |
Level of the single-packet attack, info, low, medium, or high. Currently, no high-level single-packet attacks exist. |
|
Actions |
Prevention actions against the scanning attack: · L—Logging. · D—Dropping packets. · N—No action. |
|
Large ICMPv6 |
Large ICMPv6 attack. |
|
ICMPv6 echo request |
ICMPv6 echo request attack. |
|
ICMPv6 echo reply |
ICMPv6 echo reply attack. |
|
ICMPv6 group membership query |
ICMPv6 group membership query attack. |
|
ICMPv6 group membership report |
ICMPv6 group membership report attack. |
|
ICMPv6 group membership reduction |
ICMPv6 group membership reduction attack. |
|
ICMPv6 destination unreachable |
ICMPv6 destination unreachable attack. |
|
ICMPv6 time exceeded |
ICMPv6 time exceeded attack. |
|
ICMPv6 parameter problem |
ICMPv6 parameter problem attack. |
|
ICMPv6 packet too big |
ICMPv6 packet too big attack. |
|
IPv6 extension header abnormal |
Abnormal IPv6 extension header attack. |
|
IPv6 extension header exceeded |
IPv6 extension header exceeded attack. |
|
Limit |
Upper limit of IPv6 extension headers. |
|
Scan attack defense configuration |
Configuration information about scanning attack detection and prevention. |
|
Preset defense |
Configuration information about predefined scanning attack detection and prevention. |
|
Defense |
Whether scanning attack detection is enabled. |
|
Level |
Level of the scanning attack detection, low, medium, or high. |
|
User-defined defense |
Configuration information about user-defined scanning attack detection and prevention. |
|
Port scan defense |
Status of port scan attack prevention, which can be Enabled or Disabled. |
|
Port scan defense threshold |
Threshold for triggering port scan attack prevention. |
|
IP sweep defense |
Status of IP sweep attack prevention, which can be Enabled or Disabled. |
|
IP sweep defense threshold |
Threshold for triggering IP sweep attack prevention. |
|
Period |
Scanning attack detection cycle in seconds. |
|
Actions |
Scanning attack prevention actions: · BS—Blocking sources. · D—Dropping packets. · L—Logging. |
|
Flood attack defense configuration |
Configuration information about flood attack detection and prevention. |
|
Flood type |
Type of the flood attack: · ACK flood. · DNS flood. · DNS reply flood. · FIN flood. · ICMP flood. · ICMPv6 flood. · SYN flood. · SYN-ACK flood. · UDP flood. · RST flood. · HTTP flood. · SIP flood. · HTTPS flood. |
|
Global dest/src thres(pps) |
Global thresholds for triggering the destination-based and source-based flood attack prevention. The default is 1000 pps. |
|
Global actions |
Global prevention actions against the flood attack: · D—Dropping packets. · L—Logging. · CV—Client verification. If no actions are configured, this field displays a hyphen (-). |
|
Service ports |
Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). |
|
Non-specific |
Whether the global flood attack detection is enabled. |
|
Flood attack defense for protected IP addresses |
Configuration of the IP address-specific flood attack detection and prevention. |
|
Address |
Protected IP address. |
|
VPN instance |
MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field is not displayed. |
|
Thres(pps) |
Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no threshold is specified, this field displays 1000. |
|
Actions |
Flood attack prevention actions: · CV—Client verification. · BS—Blocking sources. · D—Dropping packets. · L—Logging. · N—No action. |
|
Ports |
Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-). |
|
HTTP slow attack defense configuration |
Configuration information about the global HTTP slow attack detection and prevention. |
|
Non-specific |
Whether global HTTP slow attack detection is enabled. |
|
Global threshold |
Global threshold settings: · Alert-number—HTTP concurrent connection threshold. If this threshold is not specified, the field displays 5000. · Content-length—Threshold for the Content-Length field value. If this threshold is not specified, the field displays 10000. · Payload-length—Payload size threshold. If this threshold is not specified, the field displays 50. · Packet-number—Threshold of abnormal packets. If this threshold is not specified, the field displays 10. |
|
Global period |
Global HTTP slow attack detection period. |
|
Global action |
Global HTTP slow attack prevention actions: · BS—Blocking sources. · L—Logging. |
|
Ports |
Ports protected by the global HTTP slow attack prevention. If protected no ports are specified, the field displays 80. |
|
HTTP slow attack defense configuration for protected IP addresses |
Configuration of the IP address-specific HTTP slow attack detection and prevention. |
|
Address |
Protected IP address. |
|
VPN instance |
VPN instance to which the protected IP address belongs. If no VPN instance is specified, this field is not displayed. |
|
Threshold (AN/CL/PL/PN) |
Threshold parameter settings for IP address-specific HTTP slow attack detection. Full spellings for threshold parameters are as follows: · AN—Alert number. · CL—Content length. · PL—Payload length. · PN—Packet number. If a parameter threshold is not specified, the global threshold for this parameter is displayed. |
|
Period |
IP address-specific HTTP slow attack detection period. If this period is not specified, the field displays the global detection period. |
|
Actions |
IP address-specific HTTP slow attack prevention actions: · BS—Blocking sources. · L—Logging. If no actions are specified, this field displays the global prevention actions. |
|
Ports |
Ports protected by the IP address-specific HTTP slow attack prevention. If no ports are specified, the field displays ports protected by the global HTTP slow attack prevention. |
# Display brief information about all attack defense policies.
<Sysname> display attack-defense policy
Attack-defense Policy Brief Information
------------------------------------------------------------
Policy Name Applied list
Atk-policy-1 Trust1
P2 Trust2
P123 Trust3
Table 8 Command output
|
Field |
Description |
|
Policy name |
Name of the attack defense policy. |
|
Applied list |
Locations to which the attack defense policy is applied. |
Related commands
attack-defense policy
display attack-defense policy ip
Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.
Syntax
In standalone mode:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmp-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
dns-reply-flood: Specifies DNS response flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv4 flood attacks.
http-flood: Specifies HTTP flood attack.
https-flood: Specifies HTTPS flood attack.
icmp-flood: Specifies ICMP flood attack.
rst-flood: Specifies RST flood attack.
sip-flood: Specifies SIP flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays information about all protected IPv4 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.
Examples
# (In standalone mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip
Slot 1:
IP address VPN instance Type Rate threshold(PPS) Dropped
123.123.123.123 -- SYN-ACK-FLOOD 100 4294967295
201.55.7.45 -- ICMP-FLOOD 100 10
192.168.11.5 -- DNS-FLOOD 23 100
10.168.200.5 -- SIP-FLOOD 100 102556
Slot 2:
IP address VPN instance Type Rate threshold(PPS) Dropped
123.123.123.123 -- SYN-ACK-FLOOD 100 2543
201.55.7.45 -- ICMP-FLOOD 100 122
192.168.11.5 -- DNS-FLOOD 23 0
# (In standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in attack defense policy abc.
<Sysname> display attack-defense policy abc flood ip count
Slot 1:
Totally 3 flood protected IP addresses.
Slot 2:
Totally 0 flood protected IP addresses.
Table 9 Command output
|
Field |
Description |
|
Totally 3 flood protected IP addresses |
Total number of the IPv4 addresses protected by flood attack detection and prevention. |
|
IP address |
Protected IPv4 address. |
|
VPN instance |
MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field is not displayed. |
|
Type |
Type of the flood attack. |
|
Rate threshold(PPS) |
Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no rate threshold is set, this field displays 1000. |
|
Dropped |
Number of dropped attack packets. If the prevention action is logging, this field displays 0. |
display attack-defense policy ipv6
Use display attack-defense policy ipv6 to display information about IPv6 addresses protected by flood attack detection and prevention.
Syntax
In standalone mode:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] ] [ count ]
In IRF mode:
display attack-defense policy policy-name { ack-flood | dns-flood | dns-reply-flood | fin-flood | flood | http-flood | https-flood | icmpv6-flood | rst-flood | sip-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ack-flood: Specifies ACK flood attack.
dns-flood: Specifies DNS flood attack.
dns-reply-flood: Specifies DNS response flood attack.
fin-flood: Specifies FIN flood attack.
flood: Specifies all IPv6 flood attacks.
http-flood: Specifies HTTP flood attack.
https-flood: Specifies HTTPS flood attack.
icmpv6-flood: Specifies ICMPv6 flood attack.
rst-flood: Specifies RST flood attack.
sip-flood: Specifies SIP flood attack.
syn-ack-flood: Specifies SYN-ACK flood attack.
syn-flood: Specifies SYN flood attack.
udp-flood: Specifies UDP flood attack.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching IPv6 addresses protected by flood attack detection and prevention.
Examples
# (In standalone mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6
Slot 1:
IPv6 address VPN instance Type Rate threshold(PPS) Dropped
2013::127f -- SYN-ACK-FLOOD 100 4294967295
2::5 -- ACK-FLOOD 100 10
1::5 -- ACK-FLOOD 100 23
10::15 -- SIP-FLOOD 100 1002
Slot 2:
IPv6 address VPN instance Type Rate threshold(PPS) Dropped
2013::127f -- SYN-ACK-FLOOD 100 5465
2::5 -- ACK-FLOOD 100 0
1::5 -- ACK-FLOOD 100 122
# (In standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in attack defense policy abc.
<Sysname> display attack-defense policy abc flood ipv6 count
Slot 1:
Totally 3 flood protected IP addresses.
Slot 2:
Totally 0 flood protected IP addresses.
Table 10 Command output
|
Field |
Description |
|
Totally 3 flood protected IP addresses |
Total number of the IPv6 addresses protected by flood attack detection and prevention. |
|
IPv6 address |
Protected IPv6 address. |
|
VPN instance |
MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field is not displayed. |
|
Type |
Type of the flood attack. |
|
Rate threshold(PPS) |
Threshold for triggering the flood attack prevention, in units of packets sent to the IPv6 address per second. If no rate threshold is set, this field displays 1000. |
|
Dropped |
Number of dropped attack packets. If the prevention action is logging, this field displays 0. |
display attack-defense scan attacker ip
Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.
Syntax
In standalone mode:
display attack-defense scan attacker ip [ security-zone zone-name [ slot slot-number [ cpu cpu-number ] ] ] [ count ]
In IRF mode:
display attack-defense scan attacker ip [ security-zone zone-name [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv4 scanning attackers for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv4 scanning attackers for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching IPv4 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv4 scanning attackers.
Examples
# (In standalone mode.) Display information about all IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip
Slot 1:
IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min)
192.168.31.2(--) -- TCP DMZ 1284
2.2.2.3(--) -- UDP DMZ 23
Slot 2:
IP addr(DslitePeer) VPN instance Protocol Detected on Duration(min)
192.168.1.100(--) -- TCP DMZ 1586
202.2.1.172(--) -- UDP DMZ 258
# (In standalone mode.) Display the number of IPv4 scanning attackers.
<Sysname> display attack-defense scan attacker ip count
Slot 1:
Totally 3 attackers.
Slot 2:
Totally 0 attackers.
Table 11 Command output
|
Field |
Description |
|
Totally 3 attackers |
Total number of IPv4 scanning attackers. |
|
IP addr(DslitePeer) |
The IP addr field displays the IPv4 address of the attacker. The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--). |
|
VPN instance |
MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field is not displayed. |
|
Protocol |
Name of the protocol. |
|
Detected on |
Name of the security zone where the attack is detected. |
|
Duration(min) |
The amount of time the attack lasts, in minutes. |
Related commands
scan detect
display attack-defense scan attacker ipv6
Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.
Syntax
In standalone mode:
display attack-defense scan attacker ipv6 [ security-zone zone-name [ slot slot-number [ cpu cpu-number ] ] ] [ count ]
In IRF mode:
display attack-defense scan attacker ipv6 [ security-zone zone-name [chassis chassis-number slot slot-number [ cpu cpu-number ] ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
security-zone zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv6 scanning attackers for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv6 scanning attackers for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching IPv6 scanning attackers.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPv6 scanning attackers.
Examples
# (In standalone mode.) Display information about all IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6
Slot 1:
IPv6 address VPN instance Protocol Detected on Duration(min)
2013::2 -- TCP DMZ 1234
1230::22 -- UDP DMZ 10
Slot 2:
IPv6 address VPN instance Protocol Detected on Duration(min)
2004::4 -- TCP DMZ 1122
1042::2 -- UDP DMZ 24
# (In standalone mode.) Display the number of IPv6 scanning attackers.
<Sysname> display attack-defense scan attacker ipv6 count
Slot 1:
Totally 3 attackers.
Slot 2:
Totally 0 attackers.
Table 12 Command output
|
Field |
Description |
|
Totally 3 attackers |
Total number of IPv6 scanning attackers. |
|
IPv6 address |
IPv6 address of the attacker. |
|
VPN instance |
MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field is not displayed. |
|
Protocol |
Name of the protocol. |
|
Detected on |
Name of the security zone where the attack is detected. |
|
Duration(min) |
The amount of time the attack lasts, in minutes. |
Related commands
scan detect
display attack-defense statistics security-zone
Use display attack-defense statistics security-zone to display attack detection and prevention statistics on a security zone.
Syntax
In standalone mode:
display attack-defense statistics security-zone zone-name [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display attack-defense statistics security-zone zone-name [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this commands displays attack detection and prevention statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this commands displays attack detection and prevention statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display attack detection and prevention statistics on security zone Untrust for the specified slot.
<Sysname> display attack-defense statistics security-zone untrust slot 1
Slot 1:
Attack policy name: abc
Scanning attack defense statistics:
AttackType AttackTimes Dropped
Port scan 2 23
IP sweep 3 33
Distribute port scan 1 10
Flood attack defense statistics:
AttackType AttackTimes Dropped
SYN flood 1 0
ACK flood 1 0
SYN-ACK flood 3 5000
RST flood 2 0
FIN flood 2 0
UDP flood 1 0
ICMP flood 1 0
ICMPv6 flood 1 0
DNS flood 1 0
DNS reply flood 1 0
HTTP flood 1 0
SIP flood 1 1000
HTTPS flood 1 0
HTTP slow attack defense statistics:
AttackType AttackTimes
HTTP slow attack 1
Signature attack defense statistics:
AttackType AttackTimes Dropped
IP option record route 1 100
IP option security 2 0
IP option stream ID 3 0
IP option internet timestamp 4 1
IP option loose source routing 5 0
IP option strict source routing 6 0
IP option route alert 3 0
Fragment 1 0
Impossible 1 1
Teardrop 1 1
Tiny fragment 1 0
IP options abnormal 3 0
Smurf 1 0
Ping of death 1 0
Traceroute 1 0
Large ICMP 1 0
TCP NULL flag 1 0
TCP all flags 1 0
TCP SYN-FIN flags 1 0
TCP FIN only flag 1 0
TCP invalid flag 1 0
TCP Land 1 0
Winnuke 1 0
UDP Bomb 1 0
Snork 1 0
Fraggle 1 0
Large ICMPv6 1 0
ICMP echo request 1 0
ICMP echo reply 1 0
ICMP source quench 1 0
ICMP destination unreachable 1 0
ICMP redirect 2 0
ICMP time exceeded 3 0
ICMP parameter problem 4 0
ICMP timestamp request 5 0
ICMP timestamp reply 6 0
ICMP information request 7 0
ICMP information reply 4 0
ICMP address mask request 2 0
ICMP address mask reply 1 0
ICMPv6 echo request 1 1
ICMPv6 echo reply 1 1
ICMPv6 group membership query 1 0
ICMPv6 group membership report 1 0
ICMPv6 group membership reduction 1 0
ICMPv6 destination unreachable 1 0
ICMPv6 time exceeded 1 0
ICMPv6 parameter problem 1 0
ICMPv6 packet too big 1 0
IPv6 extension header abnormal 1 0
IPv6 extension header exceeded 1 0
Table 13 Command output
|
Field |
Description |
|
AttackType |
Type of the attack. |
|
AttackTimes |
Number of times that the attack occurred. This command output displays only attacks that are detected. |
|
Dropped |
Number of dropped packets. |
|
ICMPv6 flood |
ICMPv6 flood attack. This field is not displayed when no ICMPv6 flood attack is detected. |
|
Large ICMPv6 |
Large ICMPv6 attack. This field is not displayed when no large ICMPv6 attack is detected. |
|
ICMPv6 echo request |
ICMPv6 echo request attack. This field is not displayed when no ICMPv6 echo request attack is detected. |
|
ICMPv6 echo reply |
ICMPv6 echo reply attack. This field is not displayed when no ICMPv6 echo reply attack is detected. |
|
ICMPv6 group membership query |
ICMPv6 group membership query attack. This field is not displayed when no ICMPv6 group membership query attack is detected. |
|
ICMPv6 group membership report |
ICMPv6 group membership report attack. This field is not displayed when no ICMPv6 group membership report attack is detected. |
|
ICMPv6 group membership reduction |
ICMPv6 group membership reduction attack. This field is not displayed when no ICMPv6 group membership reduction attack is detected. |
|
ICMPv6 destination unreachable |
ICMPv6 destination unreachable attack. This field is not displayed when no ICMPv6 destination unreachable attack is detected. |
|
ICMPv6 time exceeded |
ICMPv6 time exceeded attack. This field is not displayed when no ICMPv6 time exceeded attack is detected. |
|
ICMPv6 parameter problem |
ICMPv6 parameter problem attack. This field is not displayed when no ICMPv6 parameter problem attack is detected. |
|
ICMPv6 packet too big |
ICMPv6 packet too big attack. This field is not displayed when no ICMPv6 packet too big attack is detected. |
|
IPv6 extension header abnormal |
Abnormal IPv6 extension header attack. This field is not displayed when no abnormal IPv6 extension header attack is detected. |
|
IPv6 extension header exceeded |
IPv6 extension header exceeded attack. This field is not displayed when no IPv6 extension header exceeded attack is detected. |
Related commands
reset attack-defense statistics security-zone
display attack-defense top-attack-statistics
Use display attack-defense top-attack-statistics to display top 10 attack statistics.
Syntax
display attack-defense top-attack-statistics { last-1-hour | last-24-hours | last-30-days } [ by-attacker | by-type | by-victim ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
last-1-hour: Specifies the most recent 1 hour.
last-24-hours: Specifies the most recent 24 hours.
last-30-days: Specifies the most recent 30 days.
by-attacker: Displays top 10 attack statistics by attacker.
by-type: Displays all attack statistics by attack type.
by-victim: Displays top 10 attack statistics by victim.
Usage guidelines
Non-default vSystems do not support this command.
If you do not specify the by-attacker, by-type, or by-victim keyword, this command displays attack statistics by attacker, victim, attack type.
Examples
# Display top 10 attack statistics in the most recent 1 hour.
<Sysname> display attack-defense top-attack-statistics last-1-hour
Top attackers:
No. VPN instance Attacker IP Attacks
1 200.200.200.55 21
2 200.200.200.21 16
3 200.200.200.133 12
4 200.200.200.19 10
5 200.200.200.4 8
6 200.200.200.155 8
7 200.200.200.93 5
8 200.200.200.67 3
9 200.200.200.70 1
10 200.200.200.23 1
Top victims:
No. VPN instance Victim IP Attacks
1 -- 201.200.200.12 21
2 -- 201.200.200.32 16
3 -- 201.200.200.14 12
4 -- 201.200.200.251 12
5 -- 201.200.200.10 7
6 -- 201.200.200.77 6
7 -- 201.200.200.96 2
8 -- 201.200.200.22 2
9 -- 201.200.200.154 2
10 -- 201.200.200.18 1
Top attack types:
Attack type Attacks
Scan 155
Syn 155
Table 14 Command output
|
Field |
Description |
|
Top attackers |
Top 10 attack statistics by attacker. |
|
No. |
Rank on the list. |
|
VPN instance |
VPN instance to which the attacker or victim belongs. If the attacker or victim belongs to the public network, this field is not displayed. |
|
Attacks |
Number of attacks. |
|
Top victims |
Top 10 attack statistics by victim. |
|
Top attack types |
Attack statistics by attack type. |
Related commands
attack-defense top-attack-statistics enable
display blacklist destination-ip
Use display blacklist destination-ip to display destination IPv4 blacklist entries.
Syntax
In standalone mode:
display blacklist destination-ip [ destination-ip-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display blacklist destination-ip [ destination-ip-address [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ip-address: Specifies a destination IPv4 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays destination IPv4 blacklist entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays destination IPv4 blacklist entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching destination IPv4 blacklist entries.
Usage guidelines
If you do not specify any parameters, this command displays all destination IPv4 blacklist entries.
Examples
# (In standalone mode.) Display all destination IPv4 blacklist entries.
<Sysname> display blacklist destination-ip
Slot 1:
IP address VPN instance Type Aging (sec) Dropped
192.168.11.5 -- Dynamic 10 353452
123.123.123.123 -- Dynamic 123 4294967295
201.55.7.45 -- Manual Never 14478
Slot 2:
IP address VPN instance Type Aging (sec) Dropped
123.55.123.7 -- Dynamic 123 164698
201.55.7.33 -- Manual Never 845969
# (In standalone mode.) Display the total number of destination IPv4 blacklist entries.
<Sysname> display blacklist destination-ip count
Slot 1:
Totally 3 blacklist entries.
Slot 2:
Totally 2 blacklist entries.
Table 15 Command output
|
Field |
Description |
|
IP address |
IPv4 address in the destination blacklist entry. |
|
VPN instance |
MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field is not displayed. |
|
Type |
Type of the destination IPv4 blacklist entry: · Dynamic—Dynamically generated. · Manual—Manually configured. |
|
Aging (sec) |
Remaining aging time of the destination IPv4 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never. |
|
Dropped |
Number of dropped packets that are destined for the IPv4 address. |
|
Totally 3 blacklist entries. |
Total number of destination IPv4 blacklist entries. |
Related commands
blacklist destination-ip
display blacklist destination-ipv6
Use display blacklist destination-ipv6 to display destination IPv6 blacklist entries.
Syntax
In standalone mode:
display blacklist destination-ipv6 [ destination-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display blacklist destination-ipv6 [ destination-ipv6-address [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ipv6-address: Specifies a destination IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the destination IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays destination IPv6 blacklist entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays destination IPv6 blacklist entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching destination IPv6 blacklist entries.
Usage guidelines
If you do not specify any parameters, this command displays all destination IPv6 blacklist entries.
Examples
# (In standalone mode.) Display all destination IPv6 blacklist entries.
<Sysname> display blacklist destination-ipv6
Slot 1:
IPv6 address VPN instance Type Aging (sec) Dropped
1::4 -- Manual Never 14478
1::5 -- Dynamic 10 353452
2013:fe07:221a:4011: -- Dynamic 123 4294967295
2013:fe07:221a:4011
Slot 2:
IPv6 address VPN instance Type Aging (sec) Dropped
1::3 -- Manual Never 74679
20::33 -- Dynamic 10 1697898
# (In standalone mode.) Display the total number of destination IPv6 blacklist entries.
<Sysname> display blacklist destination-ipv6 count
Slot 1:
Totally 3 blacklist entries.
Slot 2:
Totally 2 blacklist entries.
Table 16 Command output
|
Field |
Description |
|
IPv6 address |
IPv6 address in the destination blacklist entry. |
|
VPN instance |
MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field is not displayed. |
|
Type |
Type of the destination IPv6 blacklist entry: · Dynamic—Dynamically generated. · Manual—Manually configured. |
|
Aging (sec) |
Remaining aging time of the destination IPv6 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never. |
|
Dropped |
Number of dropped packets that are destined for the IPv6 address. |
|
Totally 3 blacklist entries. |
Total number of destination IPv6 blacklist entries. |
Related commands
blacklist destination-ipv6
display blacklist ip
Use display blacklist ip to display source IPv4 blacklist entries.
Syntax
In standalone mode:
display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
source-ip-address: Specifies a source IPv4 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays source IPv4 blacklist entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays source IPv4 blacklist entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching source IPv4 blacklist entries.
Usage guidelines
If you do not specify any parameters, this command displays all source IPv4 blacklist entries.
Examples
# (In standalone mode.) Display all source IPv4 blacklist entries.
<Sysname> display blacklist ip
Slot 1:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
192.168.11.5 -- -- Dynamic 10 353452
123.123.123.123 -- 2013::fe07:221a:4011 Dynamic 123 4294967295
201.55.7.45 -- 2013::1 Manual Never 14478
Slot 2:
IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped
123.55.123.7 -- -- Dynamic 123 164698
201.55.7.33 -- -- Manual Never 845969
# (In standalone mode.) Display the total number of source IPv4 blacklist entries.
<Sysname> display blacklist ip count
Slot 1:
Totally 3 blacklist entries.
Slot 2:
Totally 2 blacklist entries.
Table 17 Command output
|
Field |
Description |
|
IP address |
IPv4 address in the source blacklist entry. |
|
VPN instance |
MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field is not displayed. |
|
DS-Lite tunnel peer |
IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes. In other situations, this field displays hyphens (--). |
|
Type |
Type of the source IPv4 blacklist entry: · Dynamic—Dynamically generated. · Manual—Manually configured. |
|
TTL(sec) |
Remaining aging time of the source IPv4 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never. |
|
Totally 3 blacklist entries |
Total number of source IPv4 blacklist entries. |
Related commands
blacklist ip
display blacklist ipv6
Use display blacklist ipv6 to display source IPv6 blacklist entries.
Syntax
In standalone mode:
display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
source-ipv6-address: Specifies a source IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays source IPv6 blacklist entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays source IPv6 blacklist entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching source IPv6 blacklist entries.
Usage guidelines
If you do not specify any parameters, this command displays all source IPv6 blacklist entries.
Examples
# (In standalone mode.) Display all source IPv6 blacklist entries.
<Sysname> display blacklist ipv6
Slot 1:
IPv6 address VPN instance Type TTL(sec) Dropped
1::4 -- Manual Never 14478
1::5 -- Dynamic 10 353452
2013:fe07:221a:4011: -- Dynamic 123 4294967295
2013:fe07:221a:4011
Slot 2:
IPv6 address VPN instance Type TTL(sec) Dropped
1::3 -- Manual Never 74679
20::33 -- Dynamic 10 1697898
# (In standalone mode.) Display the total number of source IPv6 blacklist entries.
<Sysname> display blacklist ipv6 slot 1 count
Slot 1:
Totally 3 blacklist entries.
Slot 2:
Totally 2 blacklist entries..
Table 18 Command output
|
Field |
Description |
|
IPv6 address |
IPv6 address in the source blacklist entry. |
|
VPN instance |
MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field is not displayed. |
|
Type |
Type of the source IPv6 blacklist entry: · Dynamic—Dynamically generated. · Manual—Manually configured. |
|
TTL(sec) |
Remaining aging time of the source IPv6 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never. |
|
Totally 3 blacklist entries |
Total number of source IPv6 blacklist entries. |
Related commands
blacklist ipv6
display blacklist user
Use display blacklist user to display user blacklist entries.
Syntax
display blacklist user [ user-name ] [ domain domain-name ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
user-name: Specifies a user by the username, a case-sensitive string of 1 to 55 characters. If you do not specify a user, this command displays all user blacklist entries.
domain domain-name: Specifies a user identification domain by its name, a case-insensitive string of 1 to 255 characters. The user identification domain name cannot include question marks (?). If you do not specify a user identification domain, this command displays user blacklist entries that do not belong to any user identification domains.
count: Displays the number of matching user blacklist entries.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Display all user blacklist entries.
<Sysname> display blacklist user
User name Domain name Type TTL(sec) Dropped
Alex domaina Manual 10 353452
Bob Manual 123 4294967295
Cary Manual Never 14478
# Display the user blacklist entry for user Alex in user identification domain domaina.
<Sysname> display blacklist user Alex domain domaina
User name Domain name Type TTL(sec) Dropped
Alex domaina Manual 10 353452
# Display the number of user blacklist entries.
<Sysname> display blacklist user count
Totally 3 blacklist entries.
Table 19 Command output
|
Field |
Description |
|
Username |
Username in the user blacklist entry. |
|
Domain name |
User identification domain to which the user belongs. |
|
Type |
Type of the user blacklist entry. Only the manual mode is supported. |
|
TTL(sec) |
Remaining aging time of the user blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never. |
|
Dropped |
Number of dropped packets sourced from the user. |
|
Totally 3 blacklist entries |
Total number of user blacklist entries. |
Related commands
blacklist global enable
blacklist user
display client-verify protected ip
Use display client-verify protected ip to display protected IPv4 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.
port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv4 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv4 addresses.
Examples
# (In standalone mode.) Display the protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip
Slot 1:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 23 Dynamic 353452 555
123.123.123.123 -- 65535 Dynamic 4294967295 15151
201.55.7.45 -- 10 Manual 15000 222
Slot 2:
IP address VPN instance Port Type Requested Trusted
192.168.11.5 -- 23 Dynamic 46790 78578
201.55.7.45 -- 10 Dynamic 2368 7237
123.123.123.123 -- 65535 Manual 24587 1385
# (In standalone mode.) Display the number of protected IPv4 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip count
Slot 1:
Totally 3 protected IP addresses.
Slot 2:
Totally 0 protected IP addresses.
Table 20 Command output
|
Field |
Description |
|
Totally 3 protected IP addresses |
Total number of protected IPv4 addresses. |
|
IP address |
Protected IPv4 address. |
|
VPN instance |
MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field is not displayed. |
|
Port |
Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any. |
|
Type |
Type of the protected IPv4 address, Manual or Dynamic. |
|
Requested |
Number of packets destined for the protected IPv4 address. |
|
Trusted |
Number of packets that passed the client verification. |
Related commands
client-verify protected ip
display client-verify protected ipv6
Use display client-verify protected ipv6 to display protected IPv6 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv6 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching protected IPv6 addresses.
Examples
# (In standalone mode.) Display the protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ipv6
Slot 1:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 100 Manual 14478 5501
1023::1123 -- 65535 Dynamic 4294967295 15151
Slot 2:
IPv6 address VPN instance Port Type Requested Trusted
1:2:3:4:5:6:7:8 -- 100 Manual 4568 8798
1023::1123 -- 65535 Dynamic 15969 4679
# (In standalone mode.) Display the number of protected IPv6 addresses for TCP client verification.
<Sysname> display client-verify tcp protected ip count
Slot 1:
Totally 3 protected IPv6 addresses.
Slot 2:
Totally 0 protected IPv6 addresses.
Table 21 Command output
|
Field |
Description |
|
Totally 3 protected IPv6 addresses |
Total number of protected IPv6 addresses. |
|
IPv6 address |
Protected IPv6 address. |
|
VPN instance |
MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field is not displayed. |
|
Port |
Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any. |
|
Type |
Type of the protected IPv6 address, Manual or Dynamic. |
|
Requested |
Number of packets destined for the protected IPv6 address. |
|
Trusted |
Number of packets that passed the client verification. |
Related commands
client-verify protected ipv6
display client-verify trusted ip
Use display client-verify trusted ip to display trusted IPv4 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] [ count ]
In IRF mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv4 address is on the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv4 addresses.
Examples
# (In standalone mode.) Display the trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip
Slot 1:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.2 -- -- 3600
123.123.123.123 -- -- 3550
Slot 2:
IP address VPN instance DS-Lite tunnel peer TTL(sec)
11.1.1.3 -- -- 1200
# (In standalone mode.) Display the number of trusted IPv4 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ip count
Slot 1:
Totally 3 trusted IP addresses.
Slot 2:
Totally 0 trusted IP addresses.
Table 22 Command output
|
Field |
Description |
|
Totally 3 protected IP addresses |
Total number of trusted IPv4 addresses. |
|
IP address |
Trusted IPv4 address. |
|
VPN instance |
MPLS L3VPN instance to which the trusted IPv4 address belongs. If the trusted IPv4 address is on the public network, this field is not displayed. |
|
DS-Lite tunnel peer |
IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes. In other situations, this field displays hyphens (--). |
|
TTL(sec) |
Remaining aging time of the trusted IPv4 address, in seconds. |
display client-verify trusted ipv6
Use display client-verify trusted ipv6 to display trusted IPv6 addresses for client verification.
Syntax
In standalone mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number [ cpu cpu-number ] ] ] [ count ]
In IRF mode:
display client-verify { dns | dns-reply | http | https | sip | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv6 address is on the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
count: Displays the number of matching trusted IPv6 addresses.
Examples
# (In standalone mode.) Display the trusted IPv6 addresses for DNS client verification.
<Sysname> display client-verify dns trusted ipv6
Slot 1:
IPv6 address VPN instance TTL(sec)
1::3 -- 1643
1234::1234 -- 1234
Slot 2:
IPv6 address VPN instance TTL(sec)
1::3 -- 1643
# (In standalone mode.) Display the number of trusted IPv6 list for DNS client verification.
<Sysname> display client-verify dns trusted ipv6 count
Slot 1:
Totally 3 trusted IPv6 addresses.
Slot 2:
Totally 0 trusted IPv6 addresses.
Table 23 Command output
|
Field |
Description |
|
Totally 3 protected IPv6 addresses |
Number of trusted IPv6 addresses. |
|
IPv6 address |
Trusted IPv6 address. |
|
VPN instance |
MPLS L3VPN instance to which the trusted IPv6 address belongs. If the trusted IPv6 address is on the public network, this field is not displayed. |
|
TTL(sec) |
Remaining aging time of the trusted IPv6 address, in seconds. |
display whitelist object-group
Use display whitelist object-group to display statistics about packets that match the address object groups on the whitelist.
Syntax
In standalone mode:
display whitelist object-group [ object-group-name ] [ slot slot-number ]
In IRF mode:
display whitelist object-group [ object-group-name ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
Parameters
object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an address object group, this command displays statistics about packets that match all address object groups on the whitelist.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for all cards. (In IRF mode.)
Usage guidelines
If you do not specify any parameters, this command displays statistics about packets that match all address object groups on the whitelist.
Examples
# (In standalone mode.) Display statistics about packets that match all address object groups on the whitelist.
<Sysname> display whitelist object-group
Slot 1:
Object group Type Matching Packets
objgrp-1 IPv4 15696
objgrp-2 IPv4 855864455
Slot 2:
Object group Type Matching Packets
objgrp-1 IPv4 353452
Table 24 Command output
|
Field |
Description |
|
Object group |
Name of the address object group. |
|
Type |
Type of the address object group. |
|
Matching packets |
Number of packets that match the address object group. |
Related commands
reset whitelist statistics
whitelist object-group
dns-flood action
Use dns-flood action to specify global actions against DNS flood attacks.
Use undo dns-flood action to restore the default.
Syntax
dns-flood action { client-verify | drop | logging } *
undo dns-flood action
Default
No global action is specified for DNS flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent DNS packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent DNS packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for DNS flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the DNS flood attack detection to collaborate with the DNS client verification, make sure the client-verify keyword is specified and the DNS client verification is enabled. To enable DNS client verification, use the client-verify dns enable command.
The logging keyword enables the attack detection and prevention module to log DNS flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output DNS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view DNS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against DNS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop
Related commands
client-verify dns enable
dns-flood detect
dns-flood detect non-specific
dns-flood port
dns-flood source-threshold
dns-flood threshold
dns-flood detect
Use dns-flood detect to configure IP address-specific DNS flood attack detection.
Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration.
Syntax
dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific DNS flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the maximum receiving rate in pps for DNS packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected DNS flood attack. If no action is specified, the global actions set by the dns-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent DNS packets destined for the protected IP address.
logging: Enables logging for DNS flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With DNS flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of DNS packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure DNS flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log DNS flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output DNS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view DNS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure DNS flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000
Related commands
dns-flood action
dns-flood detect non-specific
dns-flood port
dns-flood threshold
dns-flood detect non-specific
Use dns-flood detect non-specific to enable global DNS flood attack detection.
Use undo dns-flood detect non-specific to disable global DNS flood attack detection.
Syntax
dns-flood detect non-specific
undo dns-flood detect non-specific
Default
Global DNS flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following DNS flood attack prevention types:
· Source-based DNS flood attack prevention—Monitors the receiving rate of DNS packets on a per-source IP basis.
· Destination-based DNS flood attack prevention—Monitors the receiving rate of DNS packets on a per-destination IP basis.
The global DNS flood attack detection applies to all IP addresses except for those specified by the dns-flood detect command. The global detection uses the global trigger threshold set by the dns-flood threshold or dns-flood source-threshold command and global actions specified by the dns-flood action command.
Examples
# Enable global DNS flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific
Related commands
dns-flood action
dns-flood detect
dns-flood port
dns-flood source-threshold
dns-flood threshold
dns-flood port
Use dns-flood port to specify the global ports to be protected against DNS flood attacks.
Use undo dns-flood port to restore the default.
Syntax
dns-flood port port-list
undo dns-flood port
Default
The global DNS flood attack prevention protects port 53.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only DNS packets destined for the specified ports.
The global ports apply to global DNS flood attack detection and IP address-specific DNS flood attack detection with no port specified.
Examples
# Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood port 53 61000
Related commands
dns-flood action
dns-flood detect
dns-flood detect non-specific
dns-flood source-threshold
dns-flood threshold
dns-flood threshold
Use dns-flood threshold to set the global threshold for triggering destination-based DNS flood attack prevention.
Use undo dns-flood threshold to restore the default.
Syntax
dns-flood threshold threshold-value
undo dns-flood threshold
Default
The global threshold is 10000 for triggering destination-based DNS flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for DNS packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based DNS flood attack prevention is disabled.
Usage guidelines
With global DNS flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of DNS packets sent to a protected DNS server is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based DNS flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100
Related commands
dns-flood action
dns-flood detect
dns-flood detect non-specific
dns-flood port
dns-flood source-threshold
Use dns-flood source-threshold to set the global threshold for triggering source-based DNS flood attack prevention.
Use undo dns-flood source-threshold to restore the default.
Syntax
dns-flood source-threshold threshold-value
undo dns-flood source-threshold
Default
The global threshold is 10000 for triggering source-based DNS flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for DNS packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based DNS flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global DNS flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based DNS flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood source-threshold 100
Related commands
dns-flood action
dns-flood detect ip
dns-flood detect non-specific
dns-flood port
dns-reply-flood action
Use dns-reply-flood action to specify global actions against DNS response flood attacks.
Use undo dns-reply-flood action to restore the default.
Syntax
dns-reply-flood action { client-verify | drop | logging } *
undo dns-reply-flood action
Default
No global action is specified for DNS response flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for DNS response verification. If DNS response verification is enabled, the device provides proxy services for protected clients. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent DNS responses destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent DNS responses originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for DNS response flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the DNS response flood attack detection to collaborate with the DNS response verification, make sure the client-verify keyword is specified and the DNS response verification is enabled. To enable DNS response verification, use the client-verify dns-reply enable command.
The logging keyword enables the attack detection and prevention module to log DNS response flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output DNS response flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view DNS response flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against DNS response flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood action drop
Related commands
client-verify dns-reply enable
dns-reply-flood detect
dns-reply-flood detect non-specific
dns-reply-flood source-threshold
dns-reply-flood threshold
dns-reply-flood detect
Use dns-reply-flood detect to configure IP address-specific DNS response flood attack detection.
Use undo dns-reply-flood detect to remove the IP address-specific DNS response flood attack detection configuration.
Syntax
dns-reply-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo dns-reply-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific DNS response flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the maximum receiving rate in pps for DNS responses that are destined for the protected IP address. The value range is 1 to 1000000, and the default value is 1000.
action: Specifies the actions against a detected DNS response flood attack.
client-verify: Adds the victim IP addresses to the protected IP list for DNS response verification. If DNS response verification is enabled, the device provides proxy services for protected clients.
drop: Drops subsequent DNS responses destined for the protected IP address.
logging: Enables logging for DNS response flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
You can configure DNS response flood attack detection for multiple IP addresses in one attack defense policy.
With DNS response flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of DNS responses destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The logging keyword enables the attack detection and prevention module to log DNS response flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output DNS response flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view DNS response flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure DNS response flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood detect ip 192.168.1.2 port 53 threshold 2000
Related commands
dns-reply-flood action
dns-reply-flood detect non-specific
dns-reply-flood port
dns-reply-flood threshold
dns-reply-flood detect non-specific
Use dns-reply-flood detect non-specific to enable global DNS response flood attack detection.
Use undo dns-reply-flood detect non-specific to disable global DNS response flood attack detection.
Syntax
dns-reply-flood detect non-specific
undo dns-reply-flood detect non-specific
Default
Global DNS response flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following DNS response flood attack prevention types:
· Source-based DNS response flood attack prevention—Monitors the receiving rate of DNS responses on a per-source IP basis.
· Destination-based DNS response flood attack prevention—Monitors the receiving rate of DNS responses on a per-destination IP basis.
The global DNS response flood attack detection applies to all IP addresses except for those specified by the dns-reply-flood detect or dns-reply-flood source-threshold command. The global detection uses the global trigger threshold set by the dns-reply-flood threshold command and global actions specified by the dns-flood action command.
Examples
# Enable global DNS response flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood detect non-specific
Related commands
dns-reply-flood action
dns-reply-flood detect
dns-reply-flood port
dns-reply-flood source-threshold
dns-reply-flood threshold
dns-reply-flood port
Use dns-reply-flood port to specify the global ports to be protected against DNS response flood attacks.
Use undo dns-reply-flood port to restore the default.
Syntax
dns-reply-flood port port-list
undo dns-reply-flood port
Default
The global DNS response flood attack prevention protects port 53.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only DNS response packets destined for the specified ports.
The global ports apply to global DNS response flood attack detection and IP address-specific DNS response flood attack detection with no port specified.
Examples
# Specify the ports 53 and 61000 as the global ports to be protected against DNS response flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood port 53 61000
Related commands
dns-reply-flood action
dns-reply-flood detect
dns-reply-flood detect non-specific
dns-reply-flood source-threshold
dns-reply-flood threshold
dns-reply-flood threshold
Use dns-reply-flood threshold to set the global threshold for triggering destination-based DNS response flood attack prevention.
Use undo dns-reply-flood threshold to restore the default.
Syntax
dns-reply-flood threshold threshold-value
undo dns-reply-flood threshold
Default
The global threshold is 10000 for triggering destination-based DNS response flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for DNS responses that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based DNS response flood attack prevention is disabled.
Usage guidelines
With global DNS response flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS responses destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global DNS response flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of DNS responses sent to a protected DNS client is normally large, set a high threshold. A low threshold might affect the client services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based DNS response flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood threshold 100
Related commands
dns-reply-flood action
dns-reply-flood detect ip
dns-reply-flood detect non-specific
dns-reply-flood port
dns-reply-flood source-threshold
Use dns-reply-flood source-threshold to set the global threshold for triggering source-based DNS response flood attack prevention.
Use undo dns-reply-flood source-threshold to restore the default.
Syntax
dns-reply-flood source-threshold threshold-value
undo dns-reply-flood source-threshold
Default
The global threshold is 10000 for triggering source-based DNS response flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for DNS responses that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based DNS response flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global DNS response flood attack detection configured, the device is in attack detection state. When the receiving rate of DNS responses originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based DNS response flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-reply-flood source-threshold 100
Related commands
dns-reply-flood action
dns-reply-flood detect ip
dns-reply-flood detect non-specific
dns-reply-flood port
exempt acl
Use exempt acl to configure attack detection exemption.
Use undo exempt acl to restore the default.
Syntax
exempt acl [ ipv6 ] { acl-number | name acl-name }
undo exempt acl [ ipv6 ]
Default
Attack detection exemption is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.
acl-number: Specifies an ACL by its number:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The exemption feature reduces the false alarm rate and improves packet processing efficiency.
If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:
· Source IP address.
· Destination IP address.
· Source port.
· Destination port.
· Protocol.
· L3VPN instance.
· The fragment keyword for matching non-first fragments.
If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.
Examples
# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for packets matching the ACL in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] attack-defense policy atk-policy-1
[attack-defense-policy-atk-policy-1] exempt acl 2001
Related commands
attack-defense policy
fin-flood action
Use fin-flood action to specify global actions against FIN flood attacks.
Use undo fin-flood action to restore the default.
Syntax
fin-flood action { client-verify | drop | logging } *
undo fin-flood action
Default
No global action is specified for FIN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent FIN packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent FIN packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for FIN flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the FIN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
The logging keyword enables the attack detection and prevention module to log FIN flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output FIN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view FIN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against FIN flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop
Related commands
client-verify tcp enable
fin-flood detect
fin-flood detect non-specific
fin-flood source-threshold
fin-flood threshold
fin-flood detect
Use fin-flood detect to configure IP address-specific FIN flood attack detection.
Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration.
Syntax
fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific FIN flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for FIN packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected FIN flood attack. If no action is specified, the global actions set by the fin-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent FIN packets destined for the protected IP address.
logging: Enables logging for FIN flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With FIN flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of FIN packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure FIN flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log FIN flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output FIN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view FIN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure FIN flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000
Related commands
fin-flood action
fin-flood detect non-specific
fin-flood threshold
fin-flood detect non-specific
Use fin-flood detect non-specific to enable global FIN flood attack detection.
Use undo fin-flood detect non-specific to disable global FIN flood attack detection.
Syntax
fin-flood detect non-specific
undo fin-flood detect non-specific
Default
Global FIN flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following FIN flood attack prevention types:
· Source-based FIN flood attack prevention—Monitors the receiving rate of FIN packets on a per-source IP basis.
· Destination-based FIN flood attack prevention—Monitors the receiving rate of FIN packets on a per-destination IP basis.
The global FIN flood attack detection applies to all IP addresses except for those specified by the fin-flood detect command. The global detection uses the global trigger threshold set by the fin-flood threshold or fin-flood source-threshold command and global actions specified by the fin-flood action command.
Examples
# Enable global FIN flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific
Related commands
fin-flood action
fin-flood detect
fin-flood source-threshold
fin-flood threshold
fin-flood threshold
Use fin-flood threshold to set the global threshold for triggering destination-based FIN flood attack prevention.
Use undo fin-flood threshold to restore the default.
Syntax
fin-flood threshold threshold-value
undo fin-flood threshold
Default
The global threshold is 10000 for triggering destination-based FIN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for FIN packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based FIN flood attack prevention is disabled.
Usage guidelines
With global FIN flood attack detection configured, the device is in attack detection state. When the receiving rate of FIN packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global FIN flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of FIN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based FIN flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood threshold 100
Related commands
fin-flood action
fin-flood detect
fin-flood detect non-specific
fin-flood source-threshold
Use fin-flood source-threshold to set the global threshold for triggering source-based FIN flood attack prevention.
Use undo fin-flood source-threshold to restore the default.
Syntax
fin-flood source-threshold threshold-value
undo fin-flood source-threshold
Default
The global threshold is 10000 for triggering source-based FIN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for FIN packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based FIN flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global FIN flood attack detection configured, the device is in attack detection state. When the receiving rate of FIN packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based FIN flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] fin-flood source-threshold 100
Related commands
fin-flood action
fin-flood detect
fin-flood detect non-specific
http-flood action
Use http-flood action to specify global actions against HTTP flood attacks.
Use undo http-flood action to restore the default.
Syntax
http-flood action { client-verify | drop | logging } *
undo http-flood action
Default
No global action is specified for HTTP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent HTTP packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent HTTP packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for HTTP flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command.
The logging keyword enables the attack detection and prevention module to log HTTP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output HTTP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view HTTP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop
Related commands
client-verify http enable
http-flood detect
http-flood detect non-specific
http-flood source-threshold
http-flood threshold
http-flood detect
Use http-flood detect to configure IP address-specific HTTP flood attack detection.
Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.
Syntax
http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific HTTP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the maximum receiving rate in pps for HTTP packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected HTTP flood attack. If no action is specified, the global actions set by the http-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent HTTP packets destined for the protected IP address.
logging: Enables logging for HTTP flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With HTTP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of HTTP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure HTTP flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log HTTP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output HTTP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view HTTP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure HTTP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip 192.168.1.2 port 80 8080 threshold 2000
Related commands
http-flood action
http-flood detect non-specific
http-flood port
http-flood threshold
http-flood detect non-specific
Use http-flood detect non-specific to enable global HTTP flood attack detection.
Use undo http-flood detect non-specific to disable global HTTP flood attack detection.
Syntax
http-flood detect non-specific
undo http-flood detect non-specific
Default
Global HTTP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following HTTP flood attack prevention types:
· Source-based HTTP response flood attack prevention—Monitors the receiving rate of HTTP packets on a per-source IP basis.
· Destination-based HTTP response flood attack prevention—Monitors the receiving rate of HTTP packets on a per-destination IP basis.
The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold or http-flood source-threshold command and global actions specified by the http-flood action command.
Examples
# Enable global HTTP flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood detect non-specific
Related commands
http-flood action
http-flood detect
http-flood source-threshold
http-flood threshold
http-flood port
Use http-flood port to specify the global ports to be protected against HTTP flood attacks.
Use undo http-flood port to restore the default.
Syntax
http-flood port port-list
undo http-flood port
Default
The global HTTP flood attack prevention protects port 80.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only HTTP packets destined for the specified ports.
The global ports apply to global HTTP flood attack detection and IP address-specific HTTP flood attack detection with no port specified.
Examples
# Specify the ports 80 and 8080 as the global ports to be protected against HTTP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080
Related commands
http-flood action
http-flood detect
http-flood detect non-specific
http-flood source-threshold
http-flood threshold
http-flood threshold
Use http-flood threshold to set the global threshold for triggering destination-based HTTP flood attack prevention.
Use undo http-flood threshold to restore the default.
Syntax
http-flood threshold threshold-value
undo http-flood threshold
Default
The global threshold is 10000 for triggering destination-based HTTP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for HTTP packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based HTTP flood attack prevention is disabled.
Usage guidelines
With global HTTP flood attack detection configured, the device is in attack detection state. When the receiving rate of HTTP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global HTTP flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of HTTP packets sent to a protected HTTP server is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering HTTP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood threshold 100
Related commands
http-flood action
http-flood detect
http-flood detect non-specific
http-flood port
http-flood source-threshold
Use http-flood source-threshold to set the global threshold for triggering source-based HTTP flood attack prevention.
Use undo http-flood source-threshold to restore the default.
Syntax
http-flood source-threshold threshold-value
undo http-flood source-threshold
Default
The global threshold is 10000 for triggering source-based HTTP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for HTTP packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based HTTP flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global HTTP flood attack detection configured, the device is in attack detection state. When the receiving rate of HTTP packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based HTTP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood source-threshold 100
Related commands
http-flood action
http-flood detect
http-flood detect non-specific
http-flood port
http-slow-attack action
Use http-slow-attack action to specify the global actions against HTTP slow attacks.
Use undo http-slow-attack action to restore the default.
Syntax
http-slow-attack action { block-source [ timeout minutes ] | logging } *
undo http-slow-attack action
Default
No global actions are specified for HTTP slow attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
block-source: Drops subsequent packets from IP addresses that launch HTTP slow attacks. When the device detects an HTTP slow attack, it adds the IP address of the attack source as a dynamic IP blacklist entry. If the blacklist feature is enabled in the security zone to which the attack defense policy applies, the device drops packets originating from this IP address.
timeout minutes: Specifies the aging time in minutes for dynamically added blacklist entries. The value range is 1 to 10080, and the default is 10.
logging: Enables logging for HTTP slow attack events. The log messages will be sent to the log system.
Usage guidelines
Non-default vSystems do not support this command.
For the dynamically added IP blacklist entries to take effect, make sure the blacklist feature is enabled in the security zone to which the attack defense policy applies.
Examples
# In attack defense policy atk-policy-1, specify block-source and logging as the global actions against HTTP slow attacks, and set the aging time to 10 minutes for dynamic blacklist entries.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack action logging block-source timeout 10
Related commands
blacklist enable
blacklist global enable
http-slow-attack detect
http-slow-attack detect non-specific
http-slow-attack period
http-slow-attack port
http-slow-attack threshold
http-slow-attack detect
Use http-slow-attack detect to configure IP address-specific HTTP slow attack detection.
Use undo http-slow-attack detect to remove the IP address-specific HTTP slow attack detection configuration.
Syntax
http-slow-attack detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port { start-port-number [ to end-port-number ] } &<1-16> ] [ threshold { alert-number alert-number | content-length content-length | payload-length payload-length | packet-number packet-number }* ] [ period period ] [ action { block-source [ timeout minutes ] | logging }* ]
undo http-slow-attack detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific HTTP slow attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 16 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold: Specifies the threshold for triggering HTTP slow attack prevention. If you do not specify this argument, the global threshold settings for triggering HTTP slow attack prevention apply.
alert-number alert-number: Specifies a threshold for HTTP concurrent connections. The value range is 1 to 1200000, and the default is 5000.
content-length content-length: Specifies a threshold for the Content-Length field value in an HTTP packet. The value range is 100 to 100000000, and the default is 10000.
payload-length payload-length: Specifies a threshold for the payload size in an HTTP packet. The value range is 1 to 1000, and the default is 50.
packet-number packet-number: Specifies a threshold for abnormal packets. The value range is 1 to 1000, and the default is 10.
period period: Specifies a detection period in the range of 1 to 1200 seconds. If you do not specify this option, the global detection period applies.
action: Specifies actions against HTTP slow attacks. If you do not specify an action, the global defensive actions apply.
block-source: Drops subsequent packets from IP addresses that launch HTTP slow attacks. When the device detects an HTTP slow attack, it adds the IP address of the attack source as a dynamic IP blacklist entry. If the blacklist feature is enabled in the security zone to which the attack defense policy applies, the device drops packets from this IP address.
timeout minutes: Specifies the aging time in minutes for dynamically added blacklist entries. The value range is 1 to 10080, and the default is 10. If you do not specify this option, the global setting applies.
logging: Enables logging for HTTP slow attack events. The log messages will be sent to the log system.
Usage guidelines
Non-default vSystems do not support this command.
For the dynamically added IP blacklist entries to take effect, make sure the blacklist feature is enabled in the security zone to which the attack defense policy applies.
If you specify part of threshold parameters for IP address-specific HTTP slow attack detection, the default settings rather than the global settings apply to the unspecified threshold parameters.
Examples
# Configure HTTP slow attack detection for 1.1.1.1 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack detect ip 1.1.1.1 port 80 8080 threshold alert-number 3000 content-length 10000 payload-length 20 packet-number 10 action block-source
Related commands
blacklist enable
blacklist global enable
http-slow-attack action
http-slow-attack detect non-specific
http-slow-attack period
http-slow-attack port
http-slow-attack threshold
http-slow-attack detect non-specific
Use http-slow-attack detect non-specific to enable global HTTP slow attack detection.
Use undo http-slow-attack detect non-specific to disable global HTTP slow attack detection.
Syntax
http-slow-attack detect non-specific
undo http-slow-attack detect non-specific
Default
Global HTTP slow attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After you enable global HTTP slow attack detection, the device uses the following global settings to protect IP addresses:
· Threshold settings set by using the http-slow-attack threshold command.
· Detection period set by using the http-slow-attack period command.
· Ports set by using the http-slow-attack port command.
· Defensive actions set by using the http-slow-attack action command.
Examples
# Enable global HTTP slow attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack detect non-specific
Related commands
http-slow-attack action
http-slow-attack detect
http-slow-attack period
http-slow-attack port
http-slow-attack threshold
http-slow-attack period
Use http-slow-attack period to set the global HTTP slow attack detection period.
Use undo http-slow-attack period to restore the default.
Syntax
http-slow-attack period period
undo http-slow-attack period
Default
The global HTTP slow attack detection period is 60 seconds.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
period period: Specifies the detection period in seconds. The value range is 1 to 1200, and the default is 60.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Set the HTTP slow attack detection period to 10 seconds in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack period 10
Related commands
http-slow-attack action
http-slow-attack detect
http-slow-attack detect non-specific
http-slow-attack port
http-slow-attack threshold
http-slow-attack port
Use http-slow-attack port to specify global ports to be protected against HTTP slow attacks.
Use undo http-slow-attack port to restore the default.
Syntax
http-slow-attack port port-list &<1-32>
undo http-slow-attack port
Default
The global HTTP slow attack prevention protects port 80.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
port-list &<1-32>: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
Non-default vSystems do not support this command.
The device detects only HTTP packets destined for the specified ports.
The global ports are used in global HTTP slow attack detection and IP address-specific HTTP slow attack detection with no protected ports specified.
As a best practice, specify port 80 as the global protected port against HTTP slow attacks. If you specify other ports, make sure these ports are used for HTTP communication. If the specified ports are not used for HTTP communication, the device resources will be wasted in inspecting non-HTTP slow attack packets.
Examples
# Specify ports 80 and 8080 as the global ports to be protected against HTTP slow attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack port 80 8000
Related commands
http-slow-attack action
http-slow-attack detect
http-slow-attack detect non-specific
http-slow-attack period
http-slow-attack threshold
http-slow-attack threshold
Use http-slow-attack threshold to set global thresholds for triggering HTTP slow attack prevention.
Use undo http-slow-attack threshold to restore the default.
Syntax
http-slow-attack threshold [ alert-number alert-number | content-length content-length | payload-length payload-length | packet-number packet-number ]*
undo http-slow-attack threshold
Default
The device enters HTTP slow attack detection state when the number of HTTP concurrent connections exceeds 5000. An HTTP packet is a slow attack packet if its Content-Length field value is greater than 10000 and its payload is less than 50 bytes. When the device receives more than 10 slow attack packets within the detection period, it takes defensive actions.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
alert-number alert-number: Specifies a threshold for HTTP concurrent connections. The value range is 1 to 1200000, and the default is 5000.
content-length content-length: Specifies a threshold for the Content-Length field value in an HTTP packet. The value range is 100 to 100000000, and the default is 10000.
payload-length payload-length: Specifies a threshold for the payload size in an HTTP packet. The value range is 1 to 1000, and the default is 50.
packet-number packet-number: Specifies a threshold for HTTP slow attack packets. The value range is 1 to 1000, and the default is 10.
Usage guidelines
Non-default vSystems do not support this command.
The device enters the HTTP slow attack detection state when the number of HTTP concurrent connections exceeds the threshold. An HTTP packet is a slow attack packet if its Content-Length field value is greater than the content-length value and its payload is less than the payload-length value. When the number of attack packets received within the detection period exceeds the threshold, the device takes defensive actions.
If you do not specify a threshold for a parameter, the default value for the parameter applies.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure global HTTP slow attack detection thresholds in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-slow-attack threshold alert-number 3000 content-length 10000 payload-length 20 packet-number 10
Related commands
http-slow-attack action
http-slow-attack detect
http-slow-attack detect non-specific
http-slow-attack period
http-slow-attack port
https-flood action
Use https-flood action to specify global actions against HTTPS flood attacks.
Use undo https-flood action to restore the default.
Syntax
https-flood action { client-verify | drop | logging } *
undo https-flood action
Default
No global action is specified for HTTPS flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for HTTPS client verification. If HTTPS client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent HTTPS packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent HTTPS packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for HTTPS flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the HTTPS flood attack detection to collaborate with the HTTPS client verification, make sure the client-verify keyword is specified and the HTTPS client verification is enabled in the security zone. To enable HTTPS client verification, use the client-verify https enable command.
The logging keyword enables the attack detection and prevention module to log HTTPS flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output HTTPS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view HTTPS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against HTTPS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood action drop
Related commands
client-verify https enable
https-flood detect
https-flood detect non-specific
https-flood source-threshold
https-flood threshold
https-flood detect
Use https-flood detect to configure IP address-specific HTTPS flood attack detection.
Use undo https-flood detect to remove the IP address-specific HTTPS flood attack detection configuration.
Syntax
https-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo https-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific HTTPS flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 24 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the maximum receiving rate in pps for HTTPS packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected HTTPS flood attack. If no action is specified, the global actions set by the https-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for HTTPS client verification. If HTTPS client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent HTTPS packets destined for the protected IP address.
logging: Enables logging for HTTPS flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With HTTPS flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of HTTPS packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure HTTPS flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log HTTPS flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output HTTPS flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view HTTPS flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure HTTPS flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood detect ip 192.168.1.2 port 443 threshold 2000
Related commands
https-flood action
https-flood detect non-specific
https-flood port
https-flood threshold
https-flood detect non-specific
Use https-flood detect non-specific to enable global HTTPS flood attack detection.
Use undo https-flood detect non-specific to disable global HTTPS flood attack detection.
Syntax
https-flood detect non-specific
undo https-flood detect non-specific
Default
Global HTTPS flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following HTTPS flood attack prevention types:
· Source-based HTTPS response flood attack prevention—Monitors the receiving rate of HTTPS packets on a per-source IP basis.
· Destination-based HTTPS response flood attack prevention—Monitors the receiving rate of HTTPS packets on a per-destination IP basis.
The global HTTPS flood attack detection applies to all IP addresses except for those specified by the https-flood detect command. The global detection uses the global trigger threshold set by the https-flood threshold or https-flood source-threshold command and global actions specified by the https-flood action command.
Examples
# Enable global HTTPS flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood detect non-specific
Related commands
https-flood action
https-flood detect
https-flood source-threshold
https-flood threshold
https-flood port
Use https-flood port to specify the global ports to be protected against HTTPS flood attacks.
Use undo https-flood port to restore the default.
Syntax
https-flood port port-list
undo https-flood port
Default
The global HTTPS flood attack prevention protects port 443.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only HTTPS packets destined for the specified ports.
The global ports apply to global HTTPS flood attack detection and IP address-specific HTTPS flood attack detection with no port specified.
Examples
# Specify the port 443 as the global ports to be protected against HTTPS flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood port 443
Related commands
https-flood action
https-flood detect
https-flood detect non-specific
https-flood source-threshold
https-flood threshold
https-flood threshold
Use https-flood threshold to set the global threshold for triggering destination-based HTTPS flood attack prevention.
Use undo https-flood threshold to restore the default.
Syntax
https-flood threshold threshold-value
undo https-flood threshold
Default
The global threshold is 10000 for triggering destination-based HTTPS flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for HTTPS packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based HTTPS flood attack prevention is disabled.
Usage guidelines
With global HTTPS flood attack detection configured, the device is in attack detection state. When the receiving rate of HTTPS packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global HTTPS flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of HTTPS packets sent to a protected HTTPS server is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering HTTPS flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood threshold 100
Related commands
https-flood action
https-flood detect
https-flood detect non-specific
https-flood port
https-flood source-threshold
Use https-flood source-threshold to set the global threshold for triggering source-based HTTPS flood attack prevention.
Use undo https-flood source-threshold to restore the default.
Syntax
https-flood source-threshold threshold-value
undo https-flood source-threshold
Default
The global threshold is 10000 for triggering source-based HTTPS flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for HTTPS packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based HTTPS flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global HTTPS flood attack detection configured, the device is in attack detection state. When the receiving rate of HTTPS packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based HTTPS flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] https-flood source-threshold 100
Related commands
https-flood action
https-flood detect
https-flood detect non-specific
https-flood port
icmp-flood action
Use icmp-flood action to specify global actions against ICMP flood attacks.
Use undo icmp-flood action to restore the default.
Syntax
icmp-flood action { drop | logging } *
undo icmp-flood action
Default
No global action is specified for ICMP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
drop: Drops subsequent ICMP packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent ICMP packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for ICMP flood attack events. The log messages will be sent to the log system.
Usage guidelines
The logging keyword enables the attack detection and prevention module to log ICMP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ICMP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ICMP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against ICMP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood action drop
Related commands
icmp-flood detect non-specific
icmp-flood detect ip
icmp-flood source-threshold
icmp-flood threshold
icmp-flood detect ip
Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection.
Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration.
Syntax
icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]
Default
IP address-specific ICMP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for ICMP packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected ICMP flood attack. If no action is specified, the global actions set by the icmp-flood action command apply.
drop: Drops subsequent ICMP packets destined for the protected IP address.
logging: Enables logging for ICMP flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With ICMP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of ICMP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure ICMP flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log ICMP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ICMP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ICMP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure ICMP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect ip 192.168.1.2 threshold 2000
Related commands
icmp-flood action
icmp-flood detect non-specific
icmp-flood threshold
icmp-flood detect non-specific
Use icmp-flood detect non-specific to enable global ICMP flood attack detection.
Use undo icmp-flood detect non-specific to disable global ICMP flood attack detection.
Syntax
icmp-flood detect non-specific
undo icmp-flood detect non-specific
Default
Global ICMP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following ICMP flood attack prevention types:
· Source-based ICMP flood attack prevention—Monitors the receiving rate of ICMP packets on a per-source IP basis.
· Destination-based ICMP flood attack prevention—Monitors the receiving rate of ICMP packets on a per-destination IP basis.
The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold or icmp-flood source-threshold command and global actions specified by the icmp-flood action command.
Examples
# Enable global ICMP flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect non-specific
Related commands
icmp-flood action
icmp-flood detect ip
icmp-flood source-threshold
icmp-flood threshold
icmp-flood threshold
Use icmp-flood threshold to set the global threshold for triggering destination-based ICMP flood attack prevention.
Use undo icmp-flood threshold to restore the default.
Syntax
icmp-flood threshold threshold-value
undo icmp-flood threshold
Default
The global threshold is 10000 for triggering destination-based ICMP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ICMP packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based ICMP flood attack prevention is disabled.
Usage guidelines
With global ICMP flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based ICMP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100
Related commands
icmp-flood action
icmp-flood detect ip
icmp-flood detect non-specific
icmp-flood source-threshold
Use icmp-flood source-threshold to set the global threshold for triggering source-based ICMP flood attack prevention.
Use undo icmp-flood source-threshold to restore the default.
Syntax
icmp-flood source-threshold threshold-value
undo icmp-flood source-threshold
Default
The global threshold is 10000 for triggering source-based ICMP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ICMP packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based ICMP flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global ICMP flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMP packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based ICMP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmp-flood source-threshold 100
Related commands
icmp-flood action
icmp-flood detect
icmp-flood detect non-specific
icmpv6-flood action
Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks.
Use undo icmpv6-flood action to restore the default.
Syntax
icmpv6-flood action { drop | logging } *
undo icmpv6-flood action
Default
No global action is specified for ICMPv6 flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
drop: Drops subsequent ICMPv6 packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent ICMPv6 packets originating from the attacker IPv6 addresses in source-based flood attack prevention.
logging: Enables logging for ICMPv6 flood attack events. The log messages will be sent to the log system.
Usage guidelines
The logging keyword enables the attack detection and prevention module to log ICMPv6 flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ICMPv6 flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ICMPv6 flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against ICMPv6 flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop
Related commands
icmpv6-flood detect ipv6
icmpv6-flood detect non-specific
icmpv6-flood source-threshold
icmpv6-flood threshold
icmpv6-flood detect ipv6
Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection.
Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.
Syntax
icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ]
Default
IPv6 address-specific ICMPv6 flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
Ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for ICMPv6 packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected ICMPv6 flood attack. If no action is specified, the global actions set by the icmpv6-flood action command apply.
drop: Drops subsequent ICMPv6 packets destined for the protected IPv6 address.
logging: Enables logging for ICMPv6 flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With ICMPv6 flood attack detection configured for an IPv6 address, the device is in attack detection state. When the receiving rate of ICMPv6 packets to the IPv6 address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure ICMPv6 flood attack detection for multiple IPv6 addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log ICMPv6 flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output ICMPv6 flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view ICMPv6 flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure ICMPv6 flood attack detection for 2012::12 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000
Related commands
icmpv6-flood action
icmpv6-flood detect non-specific
icmpv6-flood threshold
icmpv6-flood detect non-specific
Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection.
Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection.
Syntax
icmpv6-flood detect non-specific
undo icmpv6-flood detect non-specific
Default
Global ICMPv6 flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following ICMPv6 flood attack prevention types:
· Source-based ICMPv6 flood attack prevention—Monitors the receiving rate of ICMPv6 messages on a per-source IP basis.
· Destination-based ICMPv6 flood attack prevention—Monitors the receiving rate of ICMPv6 messages on a per-destination IP basis.
The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global detection uses the global trigger threshold set by the icmpv6-flood threshold or icmpv6-flood source-threshold command and global actions specified by the icmpv6-flood action command.
Examples
# Enable global ICMPv6 flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect non-specific
Related commands
icmpv6-flood action
icmpv6-flood detect ipv6
icmpv6-flood source-threshold
icmpv6-flood threshold
icmpv6-flood threshold
Use icmpv6-flood threshold to set the global threshold for triggering destination-based ICMPv6 flood attack prevention.
Use undo icmpv6-flood threshold to restore the default.
Syntax
icmpv6-flood threshold threshold-value
undo icmpv6-flood threshold
Default
The global threshold is 10000 for triggering destination-based ICMPv6 flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ICMPv6 packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based ICMPv6 flood attack prevention is disabled.
Usage guidelines
With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMPv6 packets destined for an IPv6 address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global ICMPv6 flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of ICMPv6 packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based ICMPv6 flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood threshold 100
Related commands
icmpv6-flood action
icmpv6-flood detect ipv6
icmpv6-flood detect non-specific
icmpv6-flood source-threshold
Use icmpv6-flood source-threshold to set the global threshold for triggering source-based ICMPv6 flood attack prevention.
Use undo icmpv6-flood source-source-threshold to restore the default.
Syntax
icmpv6-flood source-threshold threshold-value
undo icmpv6-flood source-threshold
Default
The global threshold is 10000 for triggering source-based ICMPv6 flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for ICMPv6 packets that originate from an IPv6 address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based ICMPv6 flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the receiving rate of ICMPv6 packets originating from an IPv6 address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based ICMPv6 flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood source-threshold 100
Related commands
icmpv6-flood action
icmpv6-flood detect
icmpv6-flood detect non-specific
reset attack-defense malformed-packet statistics
Use reset attack-defense malformed-packet statistics to clear statistics about malformed packets.
Syntax
reset attack-defense malformed-packet statistics
Views
User view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command clears all statistics about malformed packets.
Examples
# Clear statistics about malformed packets.
<Sysname> reset attack-defense malformed-packet statistics
Related commands
display attack-defense malformed-packet statistics
reset attack-defense policy flood
Use reset attack-defense policy flood statistics to clear flood attack detection and prevention statistics for protected IP addresses.
Syntax
reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
ip: Specifies protected IPv4 addresses.
ipv6: Specifies protected IPv6 addresses.
statistics: Clears flood attack detection and prevention statistics.
Examples
# Clear flood attack detection and prevention statistics for protected IPv4 addresses in attack defense policy abc.
<Sysname> reset attack-defense policy abc flood protected ip statistics
# Clear flood attack detection and prevention statistics for protected IPv6 addresses in attack defense policy abc.
<Sysname> reset attack-defense policy abc flood protected ipv6 statistics
Related commands
display attack-defense policy ip
display attack-defense policy ipv6
reset attack-defense statistics security-zone
Use reset attack-defense statistics interface to clear attack detection and prevention statistics for a security zone.
Syntax
reset attack-defense statistics security-zone zone-name
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
zone-name: Specifies a security zone by its name. The zone-name argument is a case-insensitive string of 1 to 31 characters. It cannot contain hyphens (-).
Examples
# Clear attack detection and prevention statistics for security zone DMZ.
<Sysname> reset attack-defense statistics security-zone dmz
Related commands
display attack defense policy
reset attack-defense top-attack-statistics
Use reset attack-defense top-attack-statistics to clear top 10 attack statistics.
Syntax
reset attack-defense top-attack-statistics
Views
User view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Clear top 10 attack statistics.
<Sysname> reset attack-defense top-attack-statistics
Related commands
attack-defense top-attack-statistics enable
display attack-defense top-attack-statistics
reset blacklist destination-ip
Use reset blacklist destination-ip to delete dynamic destination IPv4 blacklist entries.
Syntax
reset blacklist destination-ip { destination-ip-address [ vpn-instance vpn-instance-name ]| all }
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-ip-address: Specifies an IPv4 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
all: Specifies all dynamic destination IPv4 blacklist entries.
Usage guidelines
This command deletes only dynamic destination IPv4 blacklist entries. To delete manual destination IPv4 blacklist entries, use the undo blacklist destination-ip command.
Examples
# Delete all dynamic destination IPv4 blacklist entries.
<Sysname> reset blacklist destination-ip all
Related commands
display blacklist destination-ip
reset blacklist destination-ipv6
Use reset blacklist destination-ipv6 to delete dynamic destination IPv6 blacklist entries.
Syntax
reset blacklist destination-ipv6{ destination-ipv6-address [ vpn-instance vpn-instance-name ]| all }
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-ipv6-address : Specifies an IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
all: Specifies all dynamic destination IPv4 blacklist entries.
Usage guidelines
This command deletes only dynamic destination IPv6 blacklist entries. To delete manual destination IPv6 blacklist entries, use the undo blacklist destination-ipv6 command.
Examples
# Delete all dynamic destination IPv6 blacklist entries.
<Sysname> reset blacklist destination-ipv6 all
Related commands
display blacklist ipv6
reset blacklist ip
Use reset blacklist ip to delete dynamic IPv4 blacklist entries.
Syntax
reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all }
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-ip-address: Specifies the IPv4 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.
ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address. Do not specify this option if the IPv4 address is on the public network.
all: Specifies all dynamic IPv4 blacklist entries.
Usage guidelines
This command deletes only dynamic IPv4 blacklist entries. To delete manual IPv4 blacklist entries, use the undo blacklist ip command.
Examples
# Delete all dynamic IPv4 blacklist entries.
<Sysname> reset blacklist ip all
Related commands
display blacklist ip
reset blacklist ipv6
Use reset blacklist ipv6 to delete dynamic IPv6 blacklist entries.
Syntax
reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-ipv6-address: Specifies the IPv6 address for a blacklist entry.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.
all: Specifies all dynamic IPv6 blacklist entries.
Usage guidelines
This command deletes only dynamic IPv6 blacklist entries. To delete manual IPv6 blacklist entries, use the undo blacklist ipv6 command.
Examples
# Delete all dynamic IPv6 blacklist entries.
<Sysname> reset blacklist ipv6 all
Related commands
display blacklist ipv6
reset blacklist statistics
Use reset blacklist statistics to clear blacklist statistics.
Syntax
reset blacklist statistics
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command resets the counter for dropped packets for all blacklist entries.
Examples
# Clear blacklist statistics.
<Sysname> reset blacklist statistics
Related commands
display blacklist ip
display blacklist ipv6
reset client-verify protected statistics
Use reset client-verify protected statistics to clear protected IP statistics for client verification.
Syntax
reset client-verify { dns| dns-reply | http | https | sip | tcp } protected { ip | ipv6 } statistics
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ip: Specifies the protected IPv4 list.
ipv6: Specifies the protected IPv6 list.
Examples
# Clear the protected IPv4 statistics for TCP client verification.
<Sysname> reset client-verify tcp protected ip statistics
Related commands
display client-verify protected ip
display client-verify protected ipv6
reset client-verify trusted
Use reset client-verify trusted to clear the trusted IP list for client verification.
Syntax
reset client-verify { dns| dns-reply | http | https | sip | tcp } trusted { ip | ipv6 }
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
dns: Specifies the DNS client verification feature.
dns-reply: Specifies the DNS response verification feature.
http: Specifies the HTTP client verification feature.
https: Specifies the HTTPS client verification feature.
sip: Specifies the SIP client verification feature.
tcp: Specifies the TCP client verification feature.
ip: Specifies the trusted IPv4 list.
ipv6: Specifies the trusted IPv6 list.
Examples
# Clear the trusted IPv4 list for DNS client verification.
<Sysname> reset client-verify dns trusted ip
Related commands
display client-verify trusted ip
display client-verify trusted ipv6
reset whitelist statistics
Use reset whitelist statistics to clear statistics about packets that match the address object groups on the whitelist.
Syntax
reset whitelist statistics
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command clears statistics about packets that match all address object groups on the whitelist.
Examples
# Clear statistics about packets that match the address object groups on the whitelist.
<Sysname> reset whitelist statistics
Related commands
display whitelist object-group
rst-flood action
Use rst-flood action to specify global actions against RST flood attacks.
Use undo rst-flood action to restore the default.
Syntax
rst-flood action { client-verify | drop | logging } *
undo rst-flood action
Default
No global action is specified for RST flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent RST packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent RST packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for RST flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the RST flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output RST flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view RST flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against RST flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop
Related commands
client-verify tcp enable
rst-flood detect
rst-flood detect non-specific
rst-flood source-threshold
rst-flood threshold
rst-flood detect
Use rst-flood detect to configure IP address-specific RST flood attack detection.
Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.
Syntax
rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific RST flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for RST packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected RST flood attack. If no action is specified, the global actions set by the rst-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent RST packets destined for the protected IP address.
logging: Enables logging for RST flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With RST flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of RST packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device considers returns to the attack detection state.
You can configure RST flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output RST flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view RST flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure RST flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000
Related commands
rst-flood action
rst-flood detect non-specific
rst-flood threshold
rst-flood detect non-specific
Use rst-flood detect non-specific to enable global RST flood attack detection.
Use undo rst-flood detect non-specific to disable global RST flood attack detection.
Syntax
rst-flood detect non-specific
undo rst-flood detect non-specific
Default
Global RST flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following RST flood attack prevention types:
· Source-based RST flood attack prevention—Monitors the receiving rate of RST packets on a per-source IP basis.
· Destination-based RST flood attack prevention—Monitors the receiving rate of RST packets on a per-destination IP basis.
The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold or rst-flood source-threshold command and global actions specified by the rst-flood action command.
Examples
# Enable global RST flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect non-specific
Related commands
rst-flood action
rst-flood detect
rst-flood source-threshold
rst-flood threshold
rst-flood threshold
Use rst-flood threshold to set the global threshold for triggering destination-based RST flood attack prevention.
Use undo rst-flood threshold to restore the default.
Syntax
rst-flood threshold threshold-value
undo rst-flood threshold
Default
The global threshold is 10000 for triggering destination-based RST flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for RST packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based RST flood attack prevention is disabled.
Usage guidelines
With global RST flood attack detection configured, the device is in attack detection state. When the receiving rate of RST packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global RST flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based RST flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100
Related commands
rst-flood action
rst-flood detect
rst-flood detect non-specific
rst-flood source-threshold
Use rst-flood source-threshold to set the global threshold for triggering source-based RST flood attack prevention.
Use undo rst-flood source-threshold to restore the default.
Syntax
rst-flood source-threshold threshold-value
undo rst-flood source-threshold
Default
The global threshold is 10000 for triggering source-based RST flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for RST packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based RST flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global RST flood attack detection configured, the device is in attack detection state. When the receiving rate of RST packets originating from to an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based RST flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood source-threshold 100
Related commands
rst-flood action
rst-flood detect
rst-flood detect non-specific
scan detect
Use scan detect to configure scanning attack detection.
Use undo scan detect to remove the scanning attack detection configuration.
Syntax
scan detect level { { high | low | medium } | user-defined { port-scan-threshold threshold-value | ip-sweep-threshold threshold-value } * [ period period-value ] } action { { block-source [ timeout minutes ] | drop } | logging } *
undo scan detect
Default
No scanning attack detection is configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
level: Specifies the level of the scanning attack detection.
high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered as attack packets. For high level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 5000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 5000 packets in a detection cycle.
low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. For low level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 100000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 100000 packets in a detection cycle.
medium: Specifies the medium level. Compared with the high and low levels, this level has medium false alarm rate and attack detection accuracy. For medium level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 40000 packets. The threshold for triggering IP sweep attack prevention is 40000 packets.
user-defined: Specifies the user-defined level. This level allows you to set the thresholds and detection cycle for port scan and IP sweep attacks on demand.
port-scan-threshold threshold-value: Specifies the maximum number of packets sent from an IP address to different ports within a detection cycle. The value range is 1 to 1000000000.
ip-sweep-threshold threshold-value: Specifies the maximum number of packets sent from an IP address to different IP addresses within a detection cycle. The value range is 1 to 1000000000.
period period-value: Sets the scanning attack detection cycle in the range of 1 to 1000000000 seconds. The default value is 10.
action: Specifies the actions against scanning attacks.
block-source: Adds the attackers' IP addresses to the IP blacklist. If the blacklist feature is enabled on the receiving security zone, the device drops subsequent packets from the blacklisted IP addresses.
timeout minutes: Specifies the aging timer in minutes for the dynamically added blacklist entries, in the range of 1 to 10080. The default aging timer is 10 minutes.
drop: Drops subsequent packets from detected scanning attack sources. The log messages will be sent to the log system.
logging: Enables logging for scanning attack events.
Usage guidelines
To collaborate with the IP blacklist feature, make sure the blacklist feature is enabled in the security zone to which the attack defense policy is applied.
The aging timer set by the timeout minutes option must be longer than the statistics collection interval.
The logging keyword enables the attack detection and prevention module to log RST flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output scanning attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view scanning attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure low level scanning attack detection and specify the prevention action as drop in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop
# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10
# Configure scanning attack detection in the attack defense policy atk-policy-1. Specify the detection level as user-defined and detection cycle as 30 seconds. Set the port scan attack prevention threshold and IP sweep attack prevention threshold to 6000 packets and 80000 packets, respectively. Specify the prevention action as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level user-defined port-scan-threshold 6000 ip-sweep-threshold 80000 period 30 action logging block-source timeout 10
Related commands
blacklist enable
blacklist global enable
signature { large-icmp | large-icmpv6 } max-length
Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.
Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.
Syntax
signature { large-icmp | large-icmpv6 } max-length length
undo signature { large-icmp | large-icmpv6 } max-length
Default
The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
large-icmp: Specifies large ICMP packet attack signature.
large-icmpv6: Specifies large ICMPv6 packet attack signature.
length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is 48 to 65534.
Examples
# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000
Related commands
signature detect
signature detect
Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.
Use undo signature detect to disable signature detection for single-packet attacks.
Syntax
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }
signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *
undo signature detect { ip-option-abnormal | ping-of-death | teardrop }
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]
undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }
signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]
undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }
signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header next-header-value
signature detect ipv6-ext-header-abnormal [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header-abnormal
signature detect ipv6-ext-header-exceed [ limit limit-value ] [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header-exceed
Default
Signature detection is disabled for all single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
fraggle: Specifies the fraggle attack.
fragment: Specifies the IP fragment attack.
icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:
· icmp-type-value: Specifies the ICMP packet type in the range of 0 to 255.
· address-mask-reply: Specifies the ICMP address mask reply type.
· address-mask-request: Specifies the ICMP address mask request type.
· destination-unreachable: Specifies the ICMP destination unreachable type.
· echo-reply: Specifies the ICMP echo reply type.
· echo-request: Specifies the ICMP echo request type.
· information-reply: Specifies the ICMP information reply type.
· information-request: Specifies the ICMP information request type.
· parameter-problem: Specifies the ICMP parameter problem type.
· redirect: Specifies the ICMP redirect type.
· source-quench: Specifies the ICMP source quench type.
· time-exceeded: Specifies the ICMP time exceeded type.
· timestamp-reply: Specifies the ICMP timestamp reply type.
· timestamp-request: Specifies the ICMP timestamp request type.
icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword:
· icmpv6-type-value: Specifies the ICMPv6 packet type in the range of 0 to 255.
· destination-unreachable: Specifies the ICMPv6 destination unreachable type.
· echo-reply: Specifies the ICMPv6 echo reply type.
· echo-request: Specifies the ICMPv6 echo request type.
· group-query: Specifies the ICMPv6 group query type.
· group-reduction: Specifies the ICMPv6 group reduction type.
· group-report: Specifies the ICMPv6 group report type.
· packet-too-big: Specifies the ICMPv6 packet too big type.
· parameter-problem: Specifies the ICMPv6 parameter problem type.
· time-exceeded: Specifies the ICMPv6 time exceeded type.
impossible: Specifies the IP impossible packet attack.
ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:
· option-code: Specifies the IP option in the range of 1 to 255.
· internet-timestamp: Specifies the timestamp option.
· loose-source-routing: Specifies the loose source routing option.
· record-route: Specifies the record route option.
· route-alert: Specifies the route alert option.
· security: Specifies the security option.
· stream-id: Specifies the stream identifier option.
· strict-source-routing: Specifies the strict source route option.
ip-option-abnormal: Specifies the abnormal IP option attack.
ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.
ipv6-ext-header-abnormal: Specifies the abnormal IPv6 extension header attack.
ipv6-ext-header-exceed: Specifies the IPv6 extension header exceeded attack.
land: Specifies the Land attack.
large-icmp: Specifies the large ICMP packet attack.
large-icmpv6: Specifies the large ICMPv6 packet attack.
limit limit-value: Specifies the upper limit of IPv6 extension headers. The value range is 0 to 7, and the default is 0. An IPv6 packet is an IPv6 extension header exceeded attack packet if the number of its IPv6 extension headers exceeds the upper limit.
ping-of-death: Specifies the ping-of-death attack.
smurf: Specifies the smurf attack.
snork: Specifies the UDP snork attack.
tcp-all-flags: Specifies the attack where the TCP packet has all flags set.
tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.
tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.
tcp-null-flag: Specifies the attack where the TCP packet has no flags set.
tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.
teardrop: Specifies the teardrop attack.
tiny-fragment: Specifies the tiny fragment attack.
traceroute: Specifies the traceroute attack.
udp-bomb: Specifies the UDP bomb attack.
winnuke: Specifies the WinNuke attack.
action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
drop: Drops packets that match the specified signature.
logging: Enables logging for the specified single-packet attack.
none: Takes no action.
Usage guidelines
You can use this command multiple times to enable signature detection for multiple single-packet attack types.
When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.
In abnormal IPv6 extension header and IPv6 extension header exceeded attack detection, the device examines the ESP header and headers before it. Headers after the ESP header are not examined.
The logging keyword enables the attack detection and prevention module to log single-packet attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output single-packet attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view single-packet attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable signature detection for the IP fragment attack and specify the prevention action as drop in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature detect fragment action drop
Related commands
signature level action
signature level action
Use signature level action to specify the actions against single-packet attacks on a specific level.
Use undo signature level action to restore the default.
Syntax
signature level { high | info | low | medium } action { { drop | logging } * | none }
undo signature level { high | info | low | medium } action
Default
For informational-level and low-level single-packet attacks, the action is logging.
For medium-level and high-level single-packet attacks, the actions are logging and drop.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is on this level.
low: Specifies the low level. For example, the traceroute attack is on this level.
medium: Specifies the medium level. For example, the WinNuke attack is on this level.
drop: Drops packets that match the specified level.
logging: Enable logging for single-packet attacks on the specified level.
none: Takes no action.
Usage guidelines
According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level.
If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.
The logging keyword enables the attack detection and prevention module to log single-packet attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output single-packet attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view single-packet attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify the action against informational-level single-packet attacks as drop in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature level info action drop
Related commands
signature detect
signature level detect
signature level detect
Use signature level detect to enable signature detection for single-packet attacks on a specific level.
Use undo signature level detect to disable signature detection for single-packet attacks on a specific level.
Syntax
signature level { high | info | low | medium } detect
undo signature level { high | info | low | medium } detect
Default
Signature detection is disabled for all levels of single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.
info: Specifies the informational level. For example, large ICMP packet attack is on this level.
low: Specifies the low level. For example, the traceroute attack is on this level.
medium: Specifies the medium level. For example, the WinNuke attack is on this level.
Usage guidelines
According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on that level. Use the signature level action command to specify the actions against single-packet attacks on a specific level. If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.
To display the level to which a single-packet attack belongs, use the display attack-defense policy command.
Examples
# Enable signature detection for informational-level single-packet attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature level info detect
Related commands
display attack-defense policy
signature detect
signature level action
sip-flood action
Use sip-flood action to specify global actions against SIP flood attacks.
Use undo sip-flood action to restore the default.
Syntax
sip-flood action { client-verify | drop | logging } *
undo sip-flood action
Default
No global action is specified for SIP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for SIP client verification. If SIP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent SIP packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent SIP packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for SIP flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the SIP flood attack detection to collaborate with the SIP client verification, make sure the client-verify keyword is specified and the SIP client verification is enabled. To enable SIP client verification, use the client-verify sip enable command.
The logging keyword enables the attack detection and prevention module to log SIP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SIP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SIP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against SIP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood action drop
Related commands
client-verify sip enable
sip-flood detect
sip-flood detect non-specific
sip-flood port
sip-flood source-threshold
sip-flood threshold
sip-flood detect
Use sip-flood detect to configure IP address-specific SIP flood attack detection.
Use undo sip-flood detect to remove IP address-specific SIP flood attack detection configuration.
Syntax
sip-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo sip-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific SIP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
port port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.
threshold threshold-value: Specifies the maximum receiving rate in pps for SIP packets that are destined for the protected IP address. The value range is 1 to 1000000, and the default value is 1000.
action: Specifies the actions against a detected SIP flood attack. If no action is specified, the global actions set by the sip-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for SIP client verification. If SIP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SIP packets destined for the protected IP address.
logging: Enables logging for SIP flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With SIP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of SIP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure SIP flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log SIP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SIP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SIP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure SIP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood detect ip 192.168.1.2 threshold 2000
Related commands
client-verify sip enable
sip-flood action
sip-flood detect non-specific
sip-flood port
sip-flood threshold
sip-flood detect non-specific
Use sip-flood detect non-specific to enable global SIP flood attack detection.
Use undo sip-flood detect non-specific to disable global SIP flood attack detection.
Syntax
sip-flood detect non-specific
undo sip-flood detect non-specific
Default
Global SIP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following SIP flood attack prevention types:
· Source-based SIP flood attack prevention—Monitors the receiving rate of SIP packets on a per-source IP basis.
· Destination-based SIP flood attack prevention—Monitors the receiving rate of SIP packets on a per-destination IP basis.
The global SIP flood attack detection applies to all IP addresses except those specified by the sip-flood detect command. The global detection is configured by using the following commands:
· Global ports set by using the sip-flood port command.
· Global trigger threshold set by using the sip-flood threshold or sip-flood source-threshold command.
· Global actions specified by using the sip-flood action command.
Examples
# Enable global SIP flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood detect non-specific
Related commands
sip-flood action
sip-flood detect
sip-flood port
sip-flood source-threshold
sip-flood threshold
sip-flood port
Use sip-flood port to specify the global ports to be protected against SIP flood attacks.
Use undo sip-flood port to restore the default.
Syntax
sip-flood port port-list
undo sip-flood port
Default
The global SIP flood attack prevention protects port 5060.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only SIP packets destined for the specified ports.
The global ports apply to global SIP flood attack detection and IP address-specific SIP flood attack detection with no port specified.
Examples
# Specify ports 5060 and 65530 as the global ports to be protected against SIP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood port 5060 65530
Related commands
sip-flood action
sip-flood detect
sip-flood detect non-specific
sip-flood source-threshold
sip-flood threshold
sip-flood threshold
Use sip-flood threshold to set the global threshold for triggering destination-based SIP flood attack prevention.
Use undo sip-flood threshold to restore the default.
Syntax
sip-flood threshold threshold-value
undo sip-flood threshold
Default
The global threshold is 10000 for triggering destination-based SIP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SIP packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based SIP flood attack prevention is disabled.
Usage guidelines
With global SIP flood attack detection configured, the device is in attack detection state. When the receiving rate of SIP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global SIP flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of SIP packets sent to a protected SIP server is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based SIP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood threshold 100
Related commands
sip-flood action
sip-flood detect
sip-flood detect non-specific
sip-flood source-threshold
Use sip-flood source-threshold to set the global threshold for triggering source-based SIP flood attack prevention.
Use undo sip-flood source-threshold to restore the default.
Syntax
sip-flood source-threshold threshold-value
undo sip-flood source-threshold
Default
The global threshold is 10000 for triggering source-based SIP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SIP packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based SIP flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global SIP flood attack detection configured, the device is in attack detection state. When the receiving rate of SIP packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based SIP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] sip-flood source-threshold 100
Related commands
sip-flood action
sip-flood detect
sip-flood detect non-specific
sip-flood port
snmp-agent trap enable attack-defense
Use snmp-agent trap enable attack-defense to enable SNMP notifications for attack detection and prevention.
Use undo snmp-agent trap enable attack-defense to disable SNMP notifications for attack detection and prevention.
Syntax
snmp-agent trap enable attack-defense [ blacklist | flood | scan | slow-attack ] *
undo snmp-agent trap enable attack-defense [ blacklist | flood | scan | slow-attack ] *
Default
SNMP notifications for attack detection and prevention are disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
blacklist: Generates a notification when the number of blacklist entries reaches or drops below the threshold.
flood: Generates a notification when the number of flood attack packets reaches or drops below the threshold
scan: Generates a notification when the number of scanning attack packets reaches or drops below the threshold.
slow-attack: Generates a notification when the number of slow attack packets reaches or drops below the threshold.
Usage guidelines
Non-default vSystems do not support this command.
To report critical attack detection and prevention events to an NMS, enable SNMP notifications for attack detection and prevention. For attack detection and prevention event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
If you do not specify any parameters, this command enables or disables all types of SNMP notifications for attack detection and prevention.
To enable or disable multiple types of SNMP notifications for attack detection and prevention, repeat this command.
Examples
# Enable all types of SNMP notifications for attack detection and prevention.
<Sysname> system-view
[Sysname] snmp-agent trap enable attack-defense
Related commands
ack-flood source-threshold
ack-flood threshold
dns-flood source-threshold
dns-flood threshold
dns-reply-flood source-threshold
dns-reply-flood threshold
fin-flood source-threshold
fin-flood threshold
http-flood source-threshold
http-flood threshold
http-slow-attack threshold
https-flood source-threshold
https-flood threshold
icmp-flood source-threshold
icmp-flood threshold
icmpv6-flood source-threshold
icmpv6-flood threshold
rst-flood source-threshold
rst-flood threshold
sip-flood source-threshold
sip-flood threshold
snmp-agent (Network Management and Monitoring Command Reference)
syn-ack-flood source-threshold
syn-ack-flood threshold
syn-flood source-threshold
syn-flood threshold
udp-flood source-threshold
udp-flood threshold
syn-ack-flood action
Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks.
Use undo syn-ack-flood action to restore the default.
Syntax
syn-ack-flood action { client-verify | drop | logging }*
undo syn-ack-flood action
Default
No global action is specified for SYN-ACK flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent SYN-ACK packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent SYN-ACK packets originating from the attacker IP addresses in source-based flood attack prevention..
logging: Enables logging for SYN-ACK flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the SYN-ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
The logging keyword enables the attack detection and prevention module to log SYN-ACK flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SYN-ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SYN-ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against SYN-ACK flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop
Related commands
client-verify tcp enable
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-ack-flood source-threshold
syn-ack-flood threshold
syn-ack-flood detect
Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection.
Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.
Syntax
syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific SYN-ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for SYN-ACK packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected SYN-ACK flood attack. If no action is specified, the global actions set by the syn-ack-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN-ACK packets destined for the protected IP address.
logging: Enables logging for SYN-ACK flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of SYN-ACK packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure SYN-ACK flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log SYN-ACK flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SYN-ACK flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SYN-ACK flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure SYN-ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2 threshold 2000
Related commands
syn-ack-flood action
syn-ack-flood detect non-specific
syn-ack-flood threshold
syn-ack-flood detect non-specific
Use syn-ack-flood detect non-specific to enable global SYN-ACK flood attack detection.
Use undo syn-ack-flood detect non-specific to disable global SYN-ACK flood attack detection.
Syntax
syn-ack-flood detect non-specific
undo syn-ack-flood detect non-specific
Default
Global SYN-ACK flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following SYN-ACK flood attack prevention types:
· Source-based SYN-ACK flood attack prevention—Monitors the receiving rate of SYN-ACK packets on a per-source IP basis.
· Destination-based SYN-ACK flood attack prevention—Monitors the receiving rate of SYN-ACK packets on a per-destination IP basis.
The global SYN-ACK flood attack detection applies to all IP addresses except for those specified by the syn-ack-flood detect command. The global detection uses the global trigger threshold set by the syn-ack-flood threshold or syn-ack-flood source-threshold command and global actions specified by the syn-ack-flood action command.
Examples
# Enable global SYN-ACK flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect non-specific
Related commands
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood source-threshold
syn-ack-flood threshold
syn-ack-flood threshold
Use syn-ack-flood threshold to set the global threshold for triggering destination-based SYN-ACK flood attack prevention.
Use undo syn-ack-flood threshold to restore the default.
Syntax
syn-ack-flood threshold threshold-value
undo syn-ack-flood threshold
Default
The global threshold is 10000 for triggering destination-based SYN-ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SYN-ACK packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based SYN-ACK flood attack prevention is disabled.
Usage guidelines
With global SYN-ACK flood attack detection configured, the device is in attack detection state. When the receiving rate of SYN-ACK packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global SYN-ACK flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of SYN-ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based SYN-ACK flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood threshold 100
Related commands
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-ack-flood source-threshold
Use syn-ack-flood source-threshold to set the global threshold for triggering source-based SYN-ACK flood attack prevention.
Use undo syn-ack-flood source-threshold to restore the default.
Syntax
syn-ack-flood source-threshold threshold-value
undo syn-ack-flood source-threshold
Default
The global threshold is 10000 for triggering source-based SYN-ACK flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SYN-ACK packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based SYN-ACK flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global SYN-ACK flood attack detection configured, the device is in attack detection state. When the receiving rate of SYN-ACK packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based SYN-ACK flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood source-threshold 100
Related commands
syn-ack-flood action
syn-ack-flood detect
syn-ack-flood detect non-specific
syn-flood action
Use syn-flood action to specify global actions against SYN flood attacks.
Use undo syn-flood action to restore the default.
Syntax
syn-flood action { client-verify | drop | logging } *
undo syn-flood action
Default
No global action is specified for SYN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers. This keyword does not take effect on source-based flood attack prevention.
drop: Drops subsequent SYN packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent SYN packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for SYN flood attack events. The log messages will be sent to the log system.
Usage guidelines
For the SYN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.
The logging keyword enables the attack detection and prevention module to log SYN flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SYN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SYN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against SYN flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop
Related commands
syn-flood detect
syn-flood detect non-specific
syn-flood source-threshold
syn-flood threshold
syn-flood detect
Use syn-flood detect to configure IP address-specific SYN flood attack detection.
Use undo syn-flood detect to remove the IP address-specific SYN flood attack detection configuration.
Syntax
syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]
undo syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific SYN flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for SYN packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected SYN flood attack. If no action is specified, the global actions set by the syn-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN packets destined for the protected IP address.
logging: Enables logging for SYN flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With SYN flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of SYN packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure SYN flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log SYN flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SYN flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SYN flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure SYN flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect ip 192.168.1.2 threshold 2000
Related commands
syn-flood action
syn-flood detect non-specific
syn-flood threshold
syn-flood detect non-specific
Use syn-flood detect non-specific to enable global SYN flood attack detection.
Use undo syn-flood detect non-specific to disable global SYN flood attack detection.
Syntax
syn-flood detect non-specific
undo syn-flood detect non-specific
Default
Global SYN flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following SYN flood attack prevention types:
· Source-based SYN flood attack prevention—Monitors the receiving rate of SYN packets on a per-source IP basis.
· Destination-based SYN flood attack prevention—Monitors the receiving rate of SYN packets on a per-destination IP basis.
The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold or syn-flood source-threshold command and global actions specified by the syn-flood action command.
Examples
# Enable global SYN flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect non-specific
Related commands
syn-flood action
syn-flood detect
syn-flood source-threshold
syn-flood threshold
syn-flood threshold
Use syn-flood threshold to set the global threshold for triggering destination-based SYN flood attack prevention.
Use undo syn-flood threshold to restore the default.
Syntax
syn-flood threshold threshold-value
undo syn-flood threshold
Default
The global threshold is 10000 for triggering destination-based SYN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SYN packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based SYN flood attack prevention is disabled.
Usage guidelines
With global SYN flood attack detection configured, the device is in attack detection state. When the receiving rate of SYN packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based SYN flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 100
Related commands
syn-flood action
syn-flood detect
syn-flood detect non-specific
syn-flood source-threshold
Use syn-flood source-threshold to set the global threshold for triggering source-based SYN flood attack prevention.
Use undo syn-flood source-threshold to restore the default.
Syntax
syn-flood source-threshold threshold-value
undo syn-flood source-threshold
Default
The global threshold is 10000 for triggering source-based SYN flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for SYN packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based SYN flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global SYN flood attack detection configured, the device is in attack detection state. When the receiving rate of SYN packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based SYN flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood source-threshold 100
Related commands
syn-flood action
syn-flood detect
syn-flood detect non-specific
threshold-learn apply
Use threshold-learn apply to apply the most recent threshold that the device has learned.
Syntax
threshold-learn apply
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
You can configure this command to apply the most recent threshold that the device has learned to a flood attack defense policy that meets the following requirements:
· The threshold learning feature is enabled for the policy.
· Auto applying the learned threshold is disabled for the policy.
The learned threshold is set as the global threshold for triggering flood attack prevention. The command does not take effect when auto application of the learned threshold is enabled for the policy. If you execute this command multiple times, the most recent configuration takes effect.
Before you apply the most recently learned threshold to a flood attack defense policy, make sure global attack detection is enabled for all existing flood types in this policy.
Examples
# Apply the most recent threshold that the device has learned to attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn apply
Related commands
threshold-learn enable
threshold-learn auto-apply enable
Use threshold-learn auto-apply enable to enable auto application of the learned threshold.
Use undo threshold-learn auto-apply enable to disable auto application of the learned threshold.
Syntax
threshold-learn auto-apply enable
undo threshold-learn auto-apply enable
Default
Auto application of the learned threshold is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command applies to only flood attack defense policies that are enabled with the threshold learning feature (set with the threshold-learn enable command). Each time the device learns a threshold, it uses the learned value to update the global threshold for triggering flood attack prevention. The formula for calculating the new global threshold is learned threshold × (1 + tolerance value). The learned threshold equals the peak packet receiving rate that the device has learned within the learning duration.
To set a tolerance value, execute the threshold-learn tolerance-value command. Setting a tolerance value can prevent packet loss when the network experiences a traffic spike without being attacked.
Before you apply the most recently learned threshold to a flood attack defense policy, make sure global attack detection is enabled for all existing flood types in this policy.
Examples
# Enable auto application of the learned threshold for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn auto-apply enable
Related commands
threshold-learn enable
threshold-learn tolerance-value
threshold-learn duration
Use threshold-learn duration to set the threshold learning duration.
Use undo threshold-learn duration to restore the default.
Syntax
threshold-learn duration duration
undo threshold-learn duration
Default
The threshold learning duration is 1440 minutes.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
duration: Specifies the threshold learning duration in the range of 1 to 1200000 minutes.
Usage guidelines
The device starts threshold learning when you apply an attack defense policy enabled with the threshold learning feature. The learned threshold equals the peak packet receiving rate learned within the duration. To ensure that the device learns the peak rate in a whole day, set a learning duration longer than 1440 minutes (24 hours). If you change the learning duration during the learning process, the device will restart threshold learning.
Examples
# Set the threshold learning duration to 2880 minutes (48 hours) for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn duration 2880
Related commands
threshold-learn enable
threshold-learn loop
threshold-learn enable
Use threshold-learn enable to enable the threshold learning feature for flood attack prevention.
Use undo threshold-learn enable to disable the threshold learning feature for flood attack prevention.
Syntax
threshold-learn enable
undo threshold-learn enable
Default
The threshold learning feature for flood attack prevention is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
An appropriate threshold can effectively prevent attacks. If the global threshold for triggering flood attack prevention is too low, false positives might occur, causing performance degradation or packet loss. If the global threshold is too high, false negatives might occur, making the network defenseless. Therefore, it is a good practice to enable the threshold learning feature. This feature allows the device to automatically learn the global threshold based on the traffic flows in the network.
Examples
# Enable the threshold learning feature for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn enable
Related commands
threshold-learn auto-apply enable
threshold-learn duration
threshold-learn interval
Use threshold-learn interval to set the threshold learning interval.
Use undo threshold-learn interval to restore the default.
Syntax
threshold-learn interval interval
undo threshold-learn interval
Default
The threshold learning interval is 1440 minutes.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
interval: Specifies a threshold learning interval in the range of 1 to 1200000 minutes.
Usage guidelines
The device performs periodic threshold learning when you apply an attack defense policy that meets the following requirements:
· The threshold learning feature is enabled for the policy by using the threshold-learn enable command.
· The periodic learning mode is set by using the threshold-learn mode periodic command.
Examples
# Set the threshold learning interval to 120 minutes for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn interval 120
Related commands
threshold-learn enable
threshold-learn mode
threshold-learn mode
Use threshold-learn mode to set the threshold learning mode.
Use undo threshold-learn mode to restore the default.
Syntax
threshold-learn mode { once | periodic }
undo threshold-learn mode
Default
The one-time learning mode is set.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
once: Specifies the one-time learning mode.
periodic: Specifies the periodic learning mode.
Usage guidelines
This command allows you to set the following threshold learning modes:
· One-time learning—The device performs threshold learning only once. This mode is applicable to stable networks.
· Periodic learning—The device performs threshold learning at intervals. The most recent learned threshold always takes effect. This mode is applicable to unstable networks. To set the threshold learning duration, use the threshold-learn duration command. To set the threshold learning interval, use the threshold-learn interval command.
Examples
# Set the periodic learning mode for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn mode periodic
Related commands
threshold-learn duration
threshold-learn enable
threshold-learn interval
threshold-learn tolerance-value
Use threshold-learn tolerance-value to set the threshold learning tolerance value.
Use undo threshold-learn tolerance-value to restore the default.
Syntax
threshold-learn tolerance-value tolerance-value
undo threshold-learn tolerance-value
Default
The threshold learning tolerance value is 50.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
tolerance-value: Specifies the threshold learning tolerance value in percentage, in the range of 0 to 4000.
Usage guidelines
When auto applying the learned threshold is enabled, the device uses the learned threshold and tolerance value to calculate the global threshold for triggering flood attack prevention. The formula for calculating the global threshold is learned threshold × (1 + tolerance value). Therefore, the calculated global threshold is larger than the learned threshold. This can prevent packet loss when the network experiences a traffic spike without being attacked.
The tolerance value takes effect only when auto applying the learned threshold is enabled.
Examples
# Set the threshold learning tolerance value to 100 for attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn auto-apply enable
[Sysname-attack-defense-policy-atk-policy-1] threshold-learn tolerance-value 100
Related commands
threshold-learn auto-apply enable
threshold-learn enable
udp-flood action
Use udp-flood action to specify global actions against UDP flood attacks.
Use undo udp-flood action to restore the default.
Syntax
udp-flood action { drop | logging } *
undo udp-flood action
Default
No global action is specified for UDP flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
drop: Drops subsequent UDP packets destined for the victim IP addresses in destination-based flood attack prevention, or drops subsequent UDP packets originating from the attacker IP addresses in source-based flood attack prevention.
logging: Enables logging for UDP flood attack events. The log messages will be sent to the log system.
Usage guidelines
The logging keyword enables the attack detection and prevention module to log UDP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output UDP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view UDP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Specify drop as the global action against UDP flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood action drop
Related commands
udp-flood detect
udp-flood detect non-specific
udp-flood source-threshold
udp-flood threshold
udp-flood detect
Use udp-flood detect to configure IP address-specific UDP flood attack detection.
Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration.
Syntax
udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]
undo udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
IP address-specific UDP flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The IPv6 address cannot be a multicast address or ::
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.
threshold threshold-value: Specifies the maximum receiving rate in pps for UDP packets that are destined for the protected IP address. The value range is 1 to 1000000.
action: Specifies the actions against a detected UDP flood attack. If no action is specified, the global actions set by the udp-flood action command apply.
drop: Drops subsequent UDP packets destined for the protected IP address.
logging: Enables logging for UDP flood attack events. The log messages will be sent to the log system.
none: Takes no action.
Usage guidelines
With UDP flood attack detection configured for an IP address, the device is in attack detection state. When the receiving rate of UDP packets destined for the IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
You can configure UDP flood attack detection for multiple IP addresses in one attack defense policy.
The logging keyword enables the attack detection and prevention module to log UDP flood attack events and send log messages to the information center.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output UDP flood attack logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view UDP flood attack logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure UDP flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000
Related commands
udp-flood action
udp-flood detect non-specific
udp-flood threshold
udp-flood detect non-specific
Use udp-flood detect non-specific to enable global UDP flood attack detection.
Use undo udp-flood detect non-specific to disable global UDP flood attack detection.
Syntax
udp-flood detect non-specific
undo udp-flood detect non-specific
Default
Global UDP flood attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The device supports the following UDP flood attack prevention types:
· Source-based UDP flood attack prevention—Monitors the receiving rate of UDP packets on a per-source IP basis.
· Destination-based UDP flood attack prevention—Monitors the receiving rate of UDP packets on a per-destination IP basis.
The global UDP flood attack detection applies to all IP addresses except for those specified by the udp-flood detect command. The global detection uses the global trigger threshold set by the udp-flood threshold or udp-flood source-threshold command and global actions specified by the udp-flood action command.
Examples
# Enable global UDP flood attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect non-specific
Related commands
udp-flood action
udp-flood detect
udp-flood source-threshold
udp-flood threshold
udp-flood threshold
Use udp-flood threshold to set the global threshold for triggering destination-based UDP flood attack prevention.
Use undo udp-flood threshold to restore the default.
Syntax
udp-flood threshold threshold-value
undo udp-flood threshold
Default
The global threshold is 10000 for triggering destination-based UDP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for UDP packets that are destined for an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the destination-based UDP flood attack prevention is disabled.
Usage guidelines
With global UDP flood attack detection configured, the device is in attack detection state. When the receiving rate of UDP packets destined for an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
The global threshold applies to global UDP flood attack detection. Adjust the threshold according to the application scenarios.
· If the number of UDP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a high threshold. A low threshold might affect the server services.
· For a network that is unstable or susceptible to attacks, set a low threshold.
Examples
# Set the global threshold to 100 for triggering destination-based UDP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100
Related commands
udp-flood action
udp-flood detect
udp-flood detect non-specific
udp-flood source-threshold
udp-flood source-threshold
Use udp-flood source-threshold to set the global threshold for triggering source-based UDP flood attack prevention.
Use undo udp-flood source-threshold to restore the default.
Syntax
udp-flood source-threshold threshold-value
undo udp-flood source-threshold
Default
The global threshold is 10000 for triggering source-based UDP flood attack prevention.
Views
Attack defense policy view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Specifies the maximum receiving rate in pps for UDP packets that originate from an IP address. The value range is 0 to 1000000. If you set the threshold value to 0, the source-based UDP flood attack prevention is disabled.
Usage guidelines
Non-default vSystems do not support this command.
With global UDP flood attack detection configured, the device is in attack detection state. When the receiving rate of UDP packets originating from an IP address keeps reaching or exceeding the threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Set the global threshold to 100 for triggering source-based UDP flood attack prevention in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] udp-flood source-threshold 100
Related commands
udp-flood action
udp-flood detect
udp-flood detect non-specific
whitelist enable
Use whitelist enable to enable the whitelist feature on a security zone.
Use undo whitelist enable to disable the whitelist feature on a security zone.
Syntax
whitelist enable
undo whitelist enable
Default
The whitelist feature is disabled on a security zone.
Views
Security zone view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If the global whitelist feature is enabled, the whitelist feature is enabled on all security zones. If the global whitelist feature is disabled, you can use this command to enable the whitelist feature on individual security zones.
Examples
# Enable the whitelist feature on security zone Untrust.
<Sysname> system-view
[Sysname] security-zone name untrust
[Sysname-security-zone-Untrust] whitelist enable
whitelist global enable
Use whitelist global enable to enable the global whitelist feature.
Use undo whitelist global enable to disable the global whitelist feature.
Syntax
whitelist global enable
undo whitelist global enable
Default
The global whitelist feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If you enable the global whitelist feature, the whitelist feature is enabled on all security zones.
Examples
# Enable the global whitelist feature.
<Sysname> system-view
[Sysname] whitelist global enable
whitelist object-group
Use whitelist object-group to add an address object group to the whitelist.
Use undo whitelist object-group to restore the default.
Syntax
whitelist object-group object-group-name
undo whitelist object-group
Default
No address object group is added to the whitelist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command must be used together with the address object group feature. For more information about address object groups, see object group configuration in Security Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Add address object group object-group1 to the whitelist.
<Sysname> system-view
[Sysname] whitelist object-group object-group1
