R3303-HP HSR6800 Routers Security Configuration Guide

[Router-GigabitEthernet3/0/2] quit
# Create attack protection policy 2.
[Router] attack-defense policy 2
# Enable SYN flood attack protection.
[Router-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2 and set the action threshold to 5000 and the silence threshold to 1000.
[Router-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-2] defense syn-flood action drop-packet
[Router-attack-defense-policy-2] quit
# Apply policy 2 to GigabitEthernet 3/0/3.
[Router] interface gigabitethernet 3/0/3
[Router-GigabitEthernet3/0/3] attack-defense apply policy 2
[Router-GigabitEthernet3/0/3] quit
# Enable attack protection logging.
[Router] attack-defense logging enable
Verifying the configuration
# Execute the display attack-defense policy command to display the contents of attack protection policies 1 and 2.
If Smurf attack packets are received on GigabitEthernet 3/0/2, the device should output alarm logs. If
scanning attack packets are received on GigabitEthernet 3/0/2, the device should output alarm logs
and add the IP addresses of the attackers to the blacklist. If SYN flood attack packets are received on
GigabitEthernet 3/0/3, the device should output alarm logs and drop the subsequent attack packets.
After a period of time, you can use the display attack-defense statistics interface command to display the
attack protection statistics of each interface. If scanning attacks occur, you can use the display blacklist
command to see the blacklist entries added automatically by scanning attack protection.
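The action and silence thresholds configured for the SYN flood defense above behave as a hysteresis pair: detection starts when the SYN rate toward 10.1.1.2 exceeds 5000 per second and ends only when it falls below 1000 per second, so a source that throttles to a rate between the two thresholds stays blocked instead of toggling the defense on and off. The following Python model is an added example, not HP code or device output; it assumes per-second counting with strict comparisons, and the per-second sample counts are constructed.

```python
# Constructed model of the two-threshold SYN flood defense configured in policy 2.
# Threshold values and the protected address are taken from the configuration on
# this page; the counting granularity and comparison operators are assumptions.
ACTION_THRESHOLD = 5000   # rate-threshold high 5000: enter attack state above this
SILENCE_THRESHOLD = 1000  # rate-threshold low 1000: leave attack state below this
PROTECTED_SERVER = "10.1.1.2"


class SynFloodDefense:
    """Tracks SYN flood state for one protected address with hysteresis."""

    def __init__(self, server, high, low):
        self.server = server
        self.high = high
        self.low = low
        self.under_attack = False
        self.log = []  # alarm log lines the device would emit (constructed format)

    def observe_second(self, t, syn_count):
        """Feed the SYN count for one second; return how many SYNs are dropped."""
        if not self.under_attack and syn_count > self.high:
            self.under_attack = True
            self.log.append(f"t={t}: SYN flood to {self.server} detected "
                            f"({syn_count}/s > {self.high})")
        elif self.under_attack and syn_count < self.low:
            self.under_attack = False
            self.log.append(f"t={t}: SYN flood to {self.server} ended "
                            f"({syn_count}/s < {self.low})")
        # action drop-packet: while in attack state, subsequent SYNs are dropped.
        return syn_count if self.under_attack else 0


def run(samples, server=PROTECTED_SERVER, high=ACTION_THRESHOLD, low=SILENCE_THRESHOLD):
    """Replay per-second SYN counts; return (dropped per second, alarm log)."""
    defense = SynFloodDefense(server, high, low)
    dropped = [defense.observe_second(t, n) for t, n in enumerate(samples)]
    return dropped, defense.log


# Constructed samples: normal load, a burst above 5000/s, a taper that stays
# between the two thresholds, then a fall below 1000/s that ends the attack.
SAMPLES = [200, 800, 6000, 7000, 3000, 1500, 900, 300]

if __name__ == "__main__":
    dropped, log = run(SAMPLES)
    for t, (n, d) in enumerate(zip(SAMPLES, dropped)):
        print(f"t={t}: {n:5d} SYN/s -> {d:5d} dropped")
    print("\n".join(log))
```

Note that seconds 4 and 5 (3000/s and 1500/s) are still dropped: a single-threshold detector would have released the source there and re-armed on the next burst.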
Blacklist configuration example
Network requirements
As shown in Figure 130, assume that you find an attacker (Host D) in the outside network by analyzing
the traffic statistics, and decide to configure the router to filter packets from Host D permanently. In
addition, to control Host C's access temporarily, configure the router to filter packets from Host C for 50
minutes.