R3303-HP HSR6800 Routers Security Configuration Guide

Step | Command | Remarks
(continued from the preceding steps of the single-packet attack protection procedure)

4. Configure the ICMP packet length threshold that triggers large ICMP attack protection.
   Command: signature-detect large-icmp max-length length
   Remarks: Optional. 4000 bytes by default.

5. Configure the device to drop single-packet attack packets.
   Command: signature-detect action drop-packet
   Remarks: Optional. By default, the device only detects and does not process the attack packets when it detects an attack.

6. Return to system view.
   Command: quit
   Remarks: N/A

7. Enable attack protection logging.
   Command: attack-defense logging enable
   Remarks: Optional. By default, attack protection logging is disabled.
Configuring a scanning attack protection policy
The scanning attack protection function detects scanning attacks by monitoring the rate at which each source IP address initiates connections to target systems. It is usually applied to interfaces that connect to external networks and inspects only the inbound packets of those interfaces. If the device detects that the rate at which a source IP address initiates connections reaches or exceeds the configured threshold, it records the attack and, if the blacklist function is enabled in the policy, adds the IP address to the blacklist so that subsequent packets from that address are dropped until the blacklist entry ages out.
To configure a policy for preventing scanning attacks:
Step | Command | Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter attack protection policy view.
   Command: attack-defense policy policy-number
   Remarks: N/A

3. Enable scanning attack protection.
   Command: defense scan enable
   Remarks: Disabled by default.

4. Specify the connection rate threshold that triggers scanning attack protection.
   Command: defense scan max-rate rate-number
   Remarks: Optional. 4000 connections per second by default.

5. Configure the blacklist function for scanning attack protection.
   Command (enable the blacklist function for scanning attack protection): defense scan add-to-blacklist
   Command (set the aging time for entries blacklisted by the scanning attack protection function): defense scan blacklist-timeout minutes
   Remarks: Optional. By default, the blacklist function for scanning attack protection is disabled, and the aging time for entries blacklisted by the scanning attack protection function is 10 minutes.

6. Return to system view.
   Command: quit
   Remarks: N/A
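The following CLI session is an added example, not taken from the HP guide. It walks through both procedures on this page in one attack protection policy: the large ICMP threshold and drop action from the single-packet steps above, then the scanning attack policy with the blacklist function, and finally attack protection logging. The policy number (1), the thresholds (1500 bytes, 1000 connections per second) and the 30-minute aging time are illustrative values chosen to be stricter than the defaults (4000 bytes, 4000 connections per second, 10 minutes); tune the rate threshold to the interface's normal inbound connection rate, because at the default 4000 connections per second a slow scanner is never blacklisted. The lines marked ASSUMED (the `signature-detect large-icmp enable` step from the preceding page, the global `blacklist enable` command, the interface name, the `attack-defense apply policy` command and the `display` verification commands) are not shown on this page; they are assumed from other sections of the guide, and the `#` annotations are editorial comments, not part of the device syntax.

```text
<Router> system-view
[Router] attack-defense policy 1
[Router-attack-defense-policy-1] signature-detect large-icmp enable          # ASSUMED: enabling step, preceding page
[Router-attack-defense-policy-1] signature-detect large-icmp max-length 1500  # step 4: default is 4000 bytes
[Router-attack-defense-policy-1] signature-detect action drop-packet         # step 5: default is detect only, no drop
[Router-attack-defense-policy-1] defense scan enable                         # step 3: disabled by default
[Router-attack-defense-policy-1] defense scan max-rate 1000                  # step 4: default is 4000 connections/s
[Router-attack-defense-policy-1] defense scan add-to-blacklist               # step 5: disabled by default
[Router-attack-defense-policy-1] defense scan blacklist-timeout 30           # step 5: default is 10 minutes
[Router-attack-defense-policy-1] quit                                        # step 6
[Router] attack-defense logging enable                                       # step 7: disabled by default
[Router] blacklist enable                                                    # ASSUMED: global blacklist feature must be on
[Router] interface gigabitethernet 2/0/1                                     # ASSUMED: interface facing the external network
[Router-GigabitEthernet2/0/1] attack-defense apply policy 1                  # ASSUMED: applies the policy to inbound traffic
[Router-GigabitEthernet2/0/1] quit
[Router] display attack-defense policy 1                                     # ASSUMED: verify the policy settings
[Router] display blacklist all                                               # ASSUMED: verify blacklisted addresses
```

Without `defense scan add-to-blacklist`, exceeding the threshold only produces a detection (and a log message once logging is enabled); the device does not drop anything. Likewise, without `signature-detect action drop-packet`, oversized ICMP packets are reported but still forwarded. The aging timer matters for availability: a blacklisted address that was in fact a legitimate client (for example a NAT gateway fronting many users) is cut off for the full aging time, so raise the timeout only when the rate threshold has been tuned to the interface's real traffic.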