R3303-HP HSR6800 Routers Security Configuration Guide

Figure 132 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Create attack protection policy 1.
<Router> system-view
[Router] attack-defense policy 1
# Enable SYN flood attack protection.
[Router-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Router-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the device to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 3/0/2.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] attack-defense apply policy 1
[Router-GigabitEthernet3/0/2] quit
# Set the TCP proxy operating mode to bidirectional.
[Router] undo tcp-proxy mode
# Enable TCP proxy on GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] tcp-proxy enable
[Router-GigabitEthernet3/0/1] quit
# Enable TCP proxy on GigabitEthernet 3/0/2.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] tcp-proxy enable
[Router-GigabitEthernet3/0/2] quit
Verifying the configuration
When a SYN flood attack targeting an internal server occurs, execute the display tcp-proxy protected-ip command to display information about the IP addresses protected by the TCP proxy function.
[Router] display tcp-proxy protected-ip
Protected IP     Port number   Type      Lifetime(min)   Rejected packets
192.168.1.10     any           Dynamic   30              8
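As an added monitoring helper (not part of the HP guide), the script below parses the output of display tcp-proxy protected-ip as shown above and reports the servers whose TCP proxy protection was triggered dynamically, i.e. after the router detected a SYN flood. The sample output is constructed from the page's example; the second row is an invented entry added to exercise the filter.

```python
from dataclasses import dataclass
from typing import List

# Column names exactly as printed by "display tcp-proxy protected-ip" on this page.
COLUMNS = ["Protected IP", "Port number", "Type", "Lifetime(min)", "Rejected packets"]

# Constructed sample: first row is the page's example, second row is invented.
SAMPLE_OUTPUT = """\
[Router] display tcp-proxy protected-ip
Protected IP Port number Type Lifetime(min) Rejected packets
192.168.1.10 any Dynamic 30 8
192.168.1.20 80 Dynamic 12 0
"""


@dataclass
class ProtectedEntry:
    ip: str
    port: str           # "any" or a port number, kept as printed
    entry_type: str     # "Dynamic" = added by the router after detecting an attack
    lifetime_min: int   # remaining protection time in minutes
    rejected_packets: int


def parse_protected_ip(output: str) -> List[ProtectedEntry]:
    """Parse the table printed by 'display tcp-proxy protected-ip'.

    The header contains multi-word column names, so rows are matched by field
    count against COLUMNS rather than by splitting the header itself.
    """
    entries: List[ProtectedEntry] = []
    header_seen = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(COLUMNS[0]):
            header_seen = True      # everything after the header is a data row
            continue
        if not header_seen:
            continue                # skip the echoed command prompt
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected row in protected-ip output: {line!r}")
        ip, port, entry_type, lifetime, rejected = fields
        entries.append(ProtectedEntry(ip, port, entry_type, int(lifetime), int(rejected)))
    return entries


def servers_under_attack(entries: List[ProtectedEntry]) -> List[str]:
    """IPs whose protection was created dynamically and whose proxy has
    already rejected packets, i.e. a SYN flood is in progress against them."""
    return [e.ip for e in entries if e.entry_type == "Dynamic" and e.rejected_packets > 0]
```

Feed the real command output (captured from the router) to parse_protected_ip to turn this verification step into a periodic check that can raise an alert when a new dynamic entry appears.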