R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

401

402

403

404

405

406

407

408

409

410

Ste

Command

Remarks

7. Enable the blacklist

function.

blacklist enable

Required to make the blacklist

entries added by the scanning

attack protection function take

effect.

By default, the blacklist function

is disabled.

Configuring a flood attack protection policy

The flood attack protection function is used to protect servers. It detects various flood attacks by

monitoring the rate at which connection requests are sent to a server. The flood attack protection function

is usually applied to the interfaces connecting the internal network and inspects only outbound packets

of the interfaces.

With flood attack protection enabled, the device is in attack detection state. When the device detects that

the rate of sending connection requests to a server constantly reaches or exceeds the specified action

threshold, the device considers the server is under attack and enters the attack protection state. Then, the

device takes protection actions as configured (by default, the device can be configured to drop the

subsequent connection request packets or use the TCP proxy as well). When the device detects that the

packet sending rate to the server drops below the silence threshold, it considers that the attack to the

server is over, turns back to the attack detection state, and stops taking the protection actions.

You can configure attack protection for specific IP addresses. For IP addresses for which you do not

configure attack protection specifically, the device uses the global attack protection settings.

To configure a SYN flood attack protection policy:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter attack protection

policy view.

attack-defense policy

policy-number

N/A

3. Enable SYN flood attack

protection.

defense syn-flood enable Disabled by default.

4. Configure the global action

and silence thresholds for

SYN flood attack protection.

defense syn-flood rate-threshold

high rate-number [ low

rate-number ]

Optional.

By default, the action threshold is

1000 packets per second and the

silence threshold is 750 packets per

second.

5. Configure the action and

silence thresholds for SYN

flood attack protection of a

specific IP address.

defense syn-flood ip ip-address

rate-threshold high rate-number

[ low rate-number ]

Optional.

Not configured by default.

6. Configure the device to drop

SYN flood attack packets or

use the TCP proxy.

defense syn-flood action

{ drop-packet | trigger-tcp-proxy }

Optional.

By default, the device does not

process the attack packets if it

detects an attack.

To configure an ICMP flood attack protection policy: