F3215-HP Load Balancing Module Security Configuration Guide-6PW101

218
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
The output shows that in security zone Trust, a large number of UDP packets are destined for 10.1.1.2, and the session establishment rate has exceeded the specified threshold. Therefore, you can determine that the server is under a UDP flood attack. You can use the display attack-defense statistics command to view the related statistics collected after the UDP flood protection function takes effect.
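The check described above, parsing the per-protocol session statistics from the display output and flagging any protocol whose establishment rate is above its threshold, as an added example that is not part of this guide. The sample output and the threshold values are constructed for the example; on a real device the threshold is the one set in the attack-defense policy.

```python
import re

# Constructed sample of the display output fragment shown above. Only the
# UDP rate line reflects the value from the guide; the other numbers are illustrative.
SAMPLE_OUTPUT = """\
UDP sessions : 1200
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
"""

# Assumed per-protocol thresholds in sessions per second (not from the guide).
THRESHOLDS = {"UDP": 1000, "ICMP": 100, "RAWIP": 100}

_COUNT_RE = re.compile(r"^(?P<proto>[A-Z]+) sessions\s*:\s*(?P<count>\d+)\s*$")
_RATE_RE = re.compile(
    r"^(?P<proto>[A-Z]+) session establishment rate\s*:\s*(?P<rate>\d+)/s\s*$"
)


def parse_session_stats(text):
    """Return {proto: {"sessions": n, "rate": r}} parsed from the display output."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        m = _COUNT_RE.match(line)
        if m:
            stats.setdefault(m["proto"], {})["sessions"] = int(m["count"])
            continue
        m = _RATE_RE.match(line)
        if m:
            stats.setdefault(m["proto"], {})["rate"] = int(m["rate"])
    return stats


def flood_suspects(stats, thresholds):
    """Return (proto, rate, limit) for each protocol whose rate exceeds its threshold."""
    hits = []
    for proto, values in stats.items():
        rate = values.get("rate", 0)
        limit = thresholds.get(proto)
        if limit is not None and rate > limit:
            hits.append((proto, rate, limit))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for proto, rate, limit in flood_suspects(parse_session_stats(SAMPLE_OUTPUT), THRESHOLDS):
        print(f"{proto}: {rate}/s exceeds threshold {limit}/s, possible {proto} flood")
```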
Configuring TCP proxy
Network requirements
Configure a bidirectional TCP proxy on LB to protect Server A, Server B, and Server C from SYN flood attacks.
Add the IP address of Server A as a static protected IP and protect other servers dynamically.
Figure 114 Network diagram
Configuration procedure
# Assign IP addresses to the interfaces. (Details not shown.)
# Add the interfaces to their security zones. (Details not shown.)
# Configure the operating mode of TCP Proxy as bidirectional.
[LB] undo tcp-proxy mode
# Configure TCP proxy for IP address 192.168.1.10 and port number 21.
[LB] tcp-proxy protected-ip 192.168.1.10 21
# Enable TCP proxy for security zone Untrust.
[LB] zone name Untrust
[LB-zone-Untrust] tcp-proxy enable
[LB-zone-Untrust] quit
# Create attack protection policy 1.
<LB> system-view
[LB] attack-defense policy 1
# Enable SYN flood attack protection.
[LB-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Figure 114 labels: Internet; LB with interfaces GE0/2 and GE0/3 (addresses 202.1.0.1/16 and 192.168.1.1/16) in security zones Untrust and Trust; Server A 192.168.1.10/24; Server B; Server C]