R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
the server is under a UDP flood attack. Use the display attack-defense statistics command to view the
related statistics collected after the UDP flood protection function takes effect.
TCP proxy configuration example
Network requirements
Configure the TCP proxy function on the router to protect internal servers from SYN flood attacks.
Configure the function to operate in bidirectional mode.
Figure 243 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Create attack protection policy 1.
<Router> system-view
[Router] attack-defense policy 1
# Enable SYN flood attack protection.
[Router-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[Router-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure the device to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 3/0/2.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] attack-defense apply policy 1
[Router-GigabitEthernet3/0/2] quit
# Set the TCP proxy operating mode to bidirectional.
[Router] undo tcp-proxy mode
# Enable TCP proxy on GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] tcp-proxy enable
[Router-GigabitEthernet3/0/1] quit
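The following Python check is an added example, not part of the HP guide: it reads a CLI session transcript in the form shown above and reports which steps of this procedure are missing. The hostname Router, the function name audit and the finding texts are assumptions of the example; the sample session is constructed from the commands in the procedure.

```python
import re

# Constructed sample: the command lines of the procedure above, as typed.
SESSION = """\
<Router> system-view
[Router] attack-defense policy 1
[Router-attack-defense-policy-1] defense syn-flood enable
[Router-attack-defense-policy-1] defense syn-flood rate-threshold high 100
[Router-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[Router-attack-defense-policy-1] quit
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] attack-defense apply policy 1
[Router-GigabitEthernet3/0/2] quit
[Router] undo tcp-proxy mode
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] tcp-proxy enable
[Router-GigabitEthernet3/0/1] quit
"""
# Prompt is <Router> or [Router-<view>]; hostname "Router" is assumed.
PROMPT = re.compile(r"^[\[<]Router(?:-([^\]>]+))?[\]>]\s*(.*)$")

def audit(session):
    """Return the procedure steps that are missing from a CLI session."""
    policies, applied, proxy_ifs, mode_reset = {}, {}, set(), False
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # '#' comment lines and blanks carry no command
        view, cmd = m.group(1) or "", m.group(2).strip()
        if view.startswith("attack-defense-policy-") and cmd.startswith("defense syn-flood "):
            policies.setdefault(view.rsplit("-", 1)[1], set()).add(cmd[len("defense syn-flood "):])
        elif cmd.startswith("attack-defense apply policy "):
            applied[view] = cmd.split()[-1]      # interface view -> policy number
        elif cmd == "tcp-proxy enable":
            proxy_ifs.add(view)
        elif view == "" and cmd == "undo tcp-proxy mode":
            mode_reset = True                    # bidirectional, per the procedure
    findings = []
    if not applied:
        findings.append("no attack-defense policy applied to an interface")
    for iface, pid in applied.items():
        for needed in ("enable", "action trigger-tcp-proxy"):
            if needed not in policies.get(pid, set()):
                findings.append(f"policy {pid} on {iface}: 'defense syn-flood {needed}' missing")
    if not proxy_ifs:
        findings.append("'tcp-proxy enable' not configured on any interface")
    if not mode_reset:
        findings.append("'undo tcp-proxy mode' (bidirectional) not issued")
    return findings
```

An empty list means every step of the procedure was found in the transcript.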