R3303-HP HSR6800 Routers Security Configuration Guide

Traffic statistics configuration example
Network requirements
As shown in Figure 131, configure traffic statistics in the outbound direction of GigabitEthernet 3/0/1,
and configure UDP flood attack protection to protect the internal server against external UDP flood
attacks.
Figure 131 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Create attack protection policy 1.
<Router> system-view
[Router] attack-defense policy 1
# Enable UDP flood attack protection.
[Router-attack-defense-policy-1] defense udp-flood enable
# Set the global action threshold for UDP flood attack protection to 100 packets per second.
[Router-attack-defense-policy-1] defense udp-flood rate-threshold high 100
# Configure the policy to drop the subsequent packets once a UDP flood attack is detected.
[Router-attack-defense-policy-1] defense udp-flood action drop-packet
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] attack-defense apply policy 1
# Enable the traffic statistics function in the outbound direction of GigabitEthernet 3/0/1.
[Router-GigabitEthernet3/0/1] flow-statistic enable outbound
# Enable traffic statistics based on destination IP address.
[Router-GigabitEthernet3/0/1] flow-statistic enable destination-ip
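The following is an added example, not part of the HP guide: a Python check that reads a CLI transcript in the format used above and reports any attack-defense policy whose UDP flood protection is incomplete or that is never applied to an interface. The function name audit_udp_flood, the sample transcript and its policy 2 are constructed for illustration; only commands that appear in this procedure are recognized.

```python
import re

# Constructed transcript in the page's prompt format; policy 2 is deliberately incomplete.
SAMPLE = """\
<Router> system-view
[Router] attack-defense policy 1
[Router-attack-defense-policy-1] defense udp-flood enable
[Router-attack-defense-policy-1] defense udp-flood rate-threshold high 100
[Router-attack-defense-policy-1] defense udp-flood action drop-packet
[Router-attack-defense-policy-1] quit
[Router] attack-defense policy 2
[Router-attack-defense-policy-2] defense udp-flood enable
[Router-attack-defense-policy-2] quit
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] attack-defense apply policy 1
"""

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")  # strips <Router> / [Router-...] prompts

def audit_udp_flood(transcript):
    """Return {policy_id: [findings]} for each attack-defense policy in the transcript."""
    policies, applied, view = {}, set(), None
    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw).strip().lower()
        if m := re.fullmatch(r"attack-defense policy (\d+)", cmd):
            view = ("policy", m.group(1))
            policies.setdefault(m.group(1), set())
        elif cmd.startswith("interface "):
            view = ("interface", cmd.split(None, 1)[1])
        elif cmd == "quit":
            view = None  # back to system view (or user view)
        elif view and view[0] == "policy" and cmd.startswith("defense udp-flood "):
            policies[view[1]].add(cmd.split(None, 2)[2])  # e.g. "rate-threshold high 100"
        elif view and view[0] == "interface":
            if m := re.fullmatch(r"attack-defense apply policy (\d+)", cmd):
                applied.add(m.group(1))
    checks = [("enable", "udp-flood protection not enabled"),
              ("rate-threshold ", "no rate-threshold set in this transcript"),
              ("action drop-packet", "drop-packet action not configured")]
    report = {}
    for pid, seen in policies.items():
        report[pid] = [msg for prefix, msg in checks if not any(s.startswith(prefix) for s in seen)]
        if pid not in applied:
            report[pid].append("policy is not applied to any interface")
    return report

if __name__ == "__main__":
    for pid, findings in audit_udp_flood(SAMPLE).items():
        print(f"policy {pid}:", findings or "ok")
```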
Verifying the configuration
If you suspect that the server is under attack, view the traffic statistics on the interface to check
whether an attack is in progress.
[Router-GigabitEthernet3/0/1] display flow-statistics statistics destination-ip 10.1.1.2
Flow Statistics Information
------------------------------------------------------------
IP Address : 10.1.1.2
------------------------------------------------------------
Total number of existing sessions : 13676
Session establishment rate : 2735/s
TCP sessions : 0