F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100
Step | Command | Remarks
--- | --- | ---
6. Configure the blacklist function for scanning attack protection. | • Enable the blacklist function for scanning attack protection: defense scan add-to-blacklist • Set the aging time for entries blacklisted by the scanning attack protection function: defense scan blacklist-timeout minutes | Optional. By default: • The blacklist function for scanning attack protection is disabled. • The aging time for entries blacklisted by the scanning attack protection function is 10 minutes.
7. Return to system view. | quit | N/A
8. Enable the blacklist function. | blacklist enable | Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled.
Configuring a flood attack protection policy
The flood attack protection function is mainly used to protect servers. It detects various flood attacks by
monitoring the rate at which connection requests are sent to a server. The flood attack protection function
is usually applied to the security zones connecting the internal network and inspects only the outbound
packets of the security zones.
With flood attack protection enabled, the device is in attack detection state. When the device detects that
the rate of sending connection requests to a server constantly reaches or exceeds the specified action
threshold, the device considers the server to be under attack and enters the attack protection state. The
device then takes the configured protection actions (by default, the device only outputs alarm logs, but it
can also be configured to drop the subsequent connection request packets or to use the TCP proxy). When the
device detects that the packet sending rate to the server drops below the silence threshold, it considers
the attack on the server to be over, returns to the attack detection state, and stops taking the protection
actions.
You can configure attack protection for specific IP addresses. For IP addresses for which you do not
configure attack protection specifically, the device uses the global attack protection settings.
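The two-threshold behavior and the per-IP fallback described above can be modeled as a small state machine. This is an added example, not code from the guide or the device: the class and function names, the threshold values, the sample rates and the `sustain` count (one reading of "constantly reaches or exceeds") are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Thresholds:
    action: int    # rate at or above which protection starts
    silence: int   # rate below which protection stops

@dataclass
class FloodDetector:
    global_cfg: Thresholds
    per_ip: dict = field(default_factory=dict)      # server IP -> Thresholds
    sustain: int = 3                                # assumed: samples in a row over the action threshold
    protecting: set = field(default_factory=set)    # servers in attack protection state
    streak: dict = field(default_factory=dict)      # consecutive over-threshold samples per server

    def thresholds_for(self, ip):
        # IP-specific settings win; all other servers use the global settings.
        return self.per_ip.get(ip, self.global_cfg)

    def observe(self, ip, rate):
        """Feed one rate sample; return the resulting state for this server."""
        cfg = self.thresholds_for(ip)
        if ip in self.protecting:
            # Protection ends only below the silence threshold, not the action threshold.
            if rate < cfg.silence:
                self.protecting.discard(ip)
                self.streak[ip] = 0
        else:
            # A single spike does not trigger protection; the rate must stay high.
            hit = rate >= cfg.action
            self.streak[ip] = self.streak.get(ip, 0) + 1 if hit else 0
            if self.streak[ip] >= self.sustain:
                self.protecting.add(ip)
        return "protect" if ip in self.protecting else "detect"

def demo():
    # Constructed values: documentation-range addresses and made-up rates.
    d = FloodDetector(Thresholds(action=1000, silence=750),
                      per_ip={"192.0.2.10": Thresholds(action=200, silence=100)})
    rates = [150, 250, 300, 220, 180, 120, 90, 150]
    return ([d.observe("192.0.2.10", r) for r in rates],
            [d.observe("192.0.2.20", r) for r in rates])

if __name__ == "__main__":
    print(demo())
```

The samples at 180 and 120 stay in the protection state even though they are below the action threshold, because leaving that state requires dropping below the silence threshold.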
To configure a SYN flood attack protection policy:
Step | Command | Remarks
--- | --- | ---
1. Enter system view. | system-view | N/A
2. Enter VD system view. | switchto vd vd-name | Required for a non-default VD.
3. Enter attack protection policy view. | attack-defense policy policy-number | N/A
4. Enable SYN flood attack protection. | defense syn-flood enable | Disabled by default.