F3215-HP Load Balancing Module Security Configuration Guide-6PW101
• In security zone Untrust, configure Smurf attack protection and scanning attack protection, enable
the blacklist function for scanning attack protection, and set the connection rate threshold that
triggers scanning attack protection to 4500 connections per second.
• In security zone DMZ, configure SYN flood attack protection so that the LB module drops subsequent
SYN packets when the rate of SYN packets sent to a server continuously reaches or exceeds 5000
packets per second, and permits SYN packets to be sent to the server again when this rate drops
below 1000 packets per second.
Figure 110 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces. (Details not shown.)
# Add the interfaces to their security zones. (Details not shown.)
# Enable the blacklist function.
[LB] blacklist enable
# Create attack protection policy 1.
[LB] attack-defense policy 1
# Enable Smurf attack protection.
[LB-attack-defense-policy-1] signature-detect smurf enable
# Enable scanning attack protection.
[LB-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per
second.
[LB-attack-defense-policy-1] defense scan max-rate 4500
# Add source IP addresses detected by scanning attack protection to the blacklist.
[LB-attack-defense-policy-1] defense scan add-to-blacklist
[LB-attack-defense-policy-1] quit
# Apply attack protection policy 1 to the security zone Untrust.
[LB] zone name Untrust id 4
[LB-zone-Untrust] attack-defense apply policy 1
[LB-zone-Untrust] quit
# Create attack protection policy 2.
[Figure 110 network diagram, labels only: LB module with interfaces GE0/2, GE0/3 and GE0/4; security zones Trust, DMZ and Untrust; devices Internet, Server, Host A, Host B and Host C; addresses 202.1.0.1/16, 192.168.1.1/16, 10.1.1.1/24 and 10.1.1.2/24.]
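The two protections configured above are both rate-based, but they behave differently: scanning attack protection acts per source and blacklists it once its new-connection rate passes 4500/s, while SYN flood protection acts per server with hysteresis (dropping starts at 5000 pps and does not stop until the rate falls below 1000 pps). The following Python model is an added illustration of those semantics and is not the LB module's own code; the thresholds come from the configuration above, the per-second rates and source addresses are constructed samples, and treating the scan boundary value as "not yet triggered" is an assumption of the model.

```python
"""Model of the rate-based protections configured in this example.
Added illustration, not the LB module's code; sample rates are constructed."""
from collections import defaultdict

SCAN_MAX_RATE = 4500    # connections/s ("defense scan max-rate 4500")
SYN_FLOOD_HIGH = 5000   # pps: drop SYNs once this is reached or exceeded
SYN_FLOOD_LOW = 1000    # pps: forward SYNs again once the rate is below this


def scan_blacklist(conn_samples, max_rate=SCAN_MAX_RATE):
    """conn_samples: iterable of (second, src_ip, new_connections).

    Returns the set of source IPs whose new-connection rate in any single
    second exceeded max_rate, i.e. the addresses that
    "defense scan add-to-blacklist" would put on the blacklist.
    Assumption of this model: exactly max_rate does not trigger (strict >).
    """
    per_second = defaultdict(int)
    for second, src, n in conn_samples:
        per_second[(second, src)] += n
    return {src for (_, src), n in per_second.items() if n > max_rate}


class SynFloodDefense:
    """Hysteresis on the SYN rate toward one protected server.

    Dropping starts when the observed rate reaches or exceeds `high` and
    stops only when it falls below `low`; a rate of 3000 pps is therefore
    still dropped once the protection has been triggered.
    """

    def __init__(self, high=SYN_FLOOD_HIGH, low=SYN_FLOOD_LOW):
        if low > high:
            raise ValueError("release threshold must not exceed trigger threshold")
        self.high, self.low = high, low
        self.dropping = False

    def observe(self, syn_pps):
        """Feed one per-second SYN rate; return True if SYNs are dropped."""
        if not self.dropping and syn_pps >= self.high:
            self.dropping = True
        elif self.dropping and syn_pps < self.low:
            self.dropping = False
        return self.dropping


def syn_flood_trace(rates, high=SYN_FLOOD_HIGH, low=SYN_FLOOD_LOW):
    """Run a sequence of per-second SYN rates through the state machine."""
    defense = SynFloodDefense(high, low)
    return [defense.observe(r) for r in rates]


# Constructed samples (not captured traffic): one scanner and one normal
# client in Untrust, and one SYN burst toward the DMZ server.
SCAN_SAMPLES = [
    (1, "203.0.113.7", 4600),    # scanner: more than 4500 new connections/s
    (1, "198.51.100.5", 40),     # ordinary client
    (2, "203.0.113.7", 300),     # scanner slows down but is already listed
    (2, "198.51.100.5", 55),
]
SYN_RATES = [200, 4800, 5000, 6000, 3000, 1500, 999, 400, 5000]

if __name__ == "__main__":
    print("blacklisted:", sorted(scan_blacklist(SCAN_SAMPLES)))
    for rate, dropped in zip(SYN_RATES, syn_flood_trace(SYN_RATES)):
        print(f"{rate:5d} pps -> {'drop' if dropped else 'permit'}")
```

The trace makes the practical point of the two thresholds visible: once the 5000 pps trigger has fired, the 3000 pps and 1500 pps intervals are still dropped, and forwarding resumes only at 999 pps. Setting the low threshold too close to the high one would make the protection flap on and off during a sustained flood.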