R3303-HP HSR6800 Routers Security Configuration Guide

Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the
internal server against SYN flood attacks from the external network. To meet the requirements, perform
the following configurations:
On GigabitEthernet 3/0/2, configure Smurf attack protection and scanning attack protection,
enable the blacklist function for scanning attack protection, and set the connection rate threshold
that triggers the scanning attack protection to 4500 connections per second.
On GigabitEthernet 3/0/3, configure SYN flood attack protection, so that the device drops
subsequent SYN packets when the SYN packet sending rate to a server constantly reaches or
exceeds 5000 packets per second, and permits SYN packets to be sent to the server again when
this rate drops below 1000 packets per second.
Figure 129 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Create attack protection policy 1.
[Router] attack-defense policy 1
# Enable Smurf attack protection.
[Router-attack-defense-policy-1] signature-detect smurf enable
# Enable scanning attack protection.
[Router-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per second.
[Router-attack-defense-policy-1] defense scan max-rate 4500
# Enable the blacklist function for scanning attack protection.
[Router-attack-defense-policy-1] defense scan add-to-blacklist
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 3/0/2.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] attack-defense apply policy 1
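The two rate-based protections configured here (scan threshold 4500 connections/s with blacklisting, SYN flood action at 5000 pps with silence below 1000 pps) are modelled below so the thresholds and their hysteresis can be reasoned about. This is an added Python example, not HP/Comware code: per-second rate samples are assumed to be already measured, the "constantly" condition of the SYN flood check is simplified to a single sample, and the scan check is assumed to trigger when the rate exceeds max-rate.

```python
# Added example (not HP/Comware code): a model of the two rate-based
# protections this page configures. Assumptions: per-second rate samples are
# already measured; the "constantly" condition of the SYN flood check is
# simplified to one sample; the scan check triggers when the rate exceeds
# max-rate (">" is an assumption); without blacklisting only an alarm is raised.
from dataclasses import dataclass, field


@dataclass
class SynFloodGuard:
    """Two-threshold (hysteresis) SYN flood control for one protected server."""
    action_threshold: int = 5000   # drop SYNs once the rate reaches/exceeds this (pps)
    silence_threshold: int = 1000  # resume forwarding once the rate falls below this (pps)
    dropping: bool = False

    def observe(self, syn_rate: int) -> bool:
        """Feed one per-second SYN rate; return True if SYNs are dropped this second."""
        if not self.dropping and syn_rate >= self.action_threshold:
            self.dropping = True
        elif self.dropping and syn_rate < self.silence_threshold:
            self.dropping = False
        return self.dropping


@dataclass
class ScanGuard:
    """Scanning attack protection with optional blacklisting of the source."""
    max_rate: int = 4500           # connection rate threshold (connections per second)
    add_to_blacklist: bool = True  # mirrors 'defense scan add-to-blacklist'
    blacklist: set = field(default_factory=set)

    def observe(self, src: str, conn_rate: int) -> str:
        """Return 'drop' for blacklisted sources, 'drop' or 'alarm' on a new
        detection (depending on add_to_blacklist), otherwise 'permit'."""
        if src in self.blacklist:
            return "drop"
        if conn_rate > self.max_rate:
            if self.add_to_blacklist:
                self.blacklist.add(src)
                return "drop"
            return "alarm"
        return "permit"


def syn_trace(rates):
    """Run a sequence of per-second SYN rates through a fresh guard."""
    guard = SynFloodGuard()
    return [guard.observe(r) for r in rates]


if __name__ == "__main__":
    # Constructed sample: pass 5000, hover between thresholds, then fall below 1000.
    print(syn_trace([4999, 5000, 3000, 1000, 999, 4999]))  # [False, True, True, True, False, False]
```

Note that a rate of 1000 pps keeps dropping active: only a rate strictly below the silence threshold lets SYNs through again.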
[Figure 129 (network diagram): Internet, Router (interfaces GE3/0/1, GE3/0/2, GE3/0/3), Server, Host A, Host B, Host C, Host D, and Attacker; addresses shown in the diagram: 5.5.5.5/24, 202.1.0.1/16, 192.168.1.1/16, 10.1.1.2/24, 10.1.1.1/24.]