R3303-HP HSR6800 Routers Security Configuration Guide
7
Configuring attack protection functions for an
interface
Creating an attack protection policy
Before configuring attack protection functions for an interface, you need to create an attack protection
policy and enter its view. In attack protection policy view, you can define one or more signatures used for
attack detection and specify the corresponding protection measures.
When creating an attack protection policy, you can also specify an interface so that the interface uses the
policy exclusively.
To create an attack protection policy:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Create an attack protection
policy and enter attack
protection policy view.
attack-defense policy
policy-number [ interface
interface-type interface-number ]
By default, no attack protection
policy is created.
Configuring an attack protection policy
In an attack protection policy, you can specify the signatures for attack detection and the corresponding
protection measures according to the security requirements of your network.
Different types of attack protection policies have different configurations, which are described below in
terms of single-packet attacks, scanning attacks, and flood attacks.
Configuring a single-packet attack protection policy
The single-packet attack protection function determines whether a packet is an attack packet mainly by
analyzing the characteristics of the packet. It is usually applied to interfaces connecting external
networks, and inspects only the inbound packets of the interfaces. If detecting an attack packet, the
device drops or forwards the packet depending on your configuration.
To configure a policy for preventing single-packet attacks:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter attack protection policy
view.
attack-defense policy
policy-number
N/A
3. Enable signature detection for
single-packet attacks.
signature-detect { fraggle |
icmp-redirect | icmp-unreachable
| land | large-icmp |
route-record | smurf |
source-route | tcp-flag | tracert |
winnuke } enable
By default, signature detection is
disabled for all kinds of
single-packet attacks.