R3303-HP 6600/HSR6600 Routers Security Configuration Guide
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-2] defense syn-flood action drop-packet
[Router-attack-defense-policy-2] quit
# Apply policy 2 to GigabitEthernet 3/0/3.
[Router] interface gigabitethernet 3/0/3
[Router-GigabitEthernet3/0/3] attack-defense apply policy 2
[Router-GigabitEthernet3/0/3] quit
# Enable attack protection logging.
[Router] attack-defense logging enable
Verifying the configuration
# Execute the display attack-defense policy command to display the contents of attack protection policies 1 and 2.
If Smurf attack packets are received on GigabitEthernet 3/0/2, the device should output alarm logs. If
scanning attack packets are received on GigabitEthernet 3/0/2, the device should output alarm logs
and add the IP addresses of the attackers to the blacklist. If SYN flood attack packets are received on
GigabitEthernet 3/0/3, the device should output alarm logs and drop the subsequent attack packets.
After a period of time, you can use the display attack-defense statistics interface command to display the
attack protection statistics of each interface. If scanning attacks occur, you can use the display blacklist
command to see the blacklist entries added automatically by scanning attack protection.
Blacklist configuration example
Network requirements
As shown in Figure 241, assume that you find an attacker (Host D) in the outside network by analyzing
the traffic statistics, and decide to configure the router to filter packets from Host D permanently. In
addition, to control Host C's access temporarily, configure the router to filter packets from Host C for 50
minutes.
Figure 241 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
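The two blacklist entries in this example differ only in aging: Host D's entry has no aging time and stays until removed by hand, while Host C's entry ages out after 50 minutes. The following Python model is an added illustration of those semantics and is not HP Comware code. It takes 5.5.5.5 for Host D from the procedure above; 192.168.1.4 for Host C is an assumption read from the figure labels, 192.168.1.2 for Host A and the packet labels are constructed, and the model assumes an entry is dropped exactly when its aging time has elapsed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses: Host D is 5.5.5.5 (stated in the procedure).
# 192.168.1.4 for Host C is an assumption taken from the figure labels;
# 192.168.1.2 for Host A is constructed for the sample traffic.
HOST_D = "5.5.5.5"
HOST_C = "192.168.1.4"
HOST_A = "192.168.1.2"


@dataclass
class BlacklistEntry:
    ip: str
    expires_at: Optional[float]  # seconds; None means no aging time (permanent)


class Blacklist:
    """Models permanent and timed (aging) entries; not the router's own code."""

    def __init__(self) -> None:
        self._entries: Dict[str, BlacklistEntry] = {}

    def add(self, ip: str, now: float, aging_minutes: Optional[int] = None) -> None:
        # No aging time -> permanent entry; otherwise expire after the given minutes.
        expires = None if aging_minutes is None else now + aging_minutes * 60
        self._entries[ip] = BlacklistEntry(ip, expires)

    def purge_expired(self, now: float) -> List[str]:
        """Remove timed entries whose aging time has elapsed; return what was removed."""
        gone = [ip for ip, e in self._entries.items()
                if e.expires_at is not None and e.expires_at <= now]
        for ip in gone:
            del self._entries[ip]
        return gone

    def is_blocked(self, ip: str, now: float) -> bool:
        self.purge_expired(now)
        return ip in self._entries

    def active(self, now: float) -> List[str]:
        """Entries still in force at time `now`, like a 'display blacklist' view."""
        self.purge_expired(now)
        return sorted(self._entries)


def filter_packets(bl: Blacklist, packets: List[Tuple[str, str]],
                   now: float) -> Tuple[List[str], List[str]]:
    """Split (src_ip, label) packets into forwarded and dropped labels."""
    forwarded: List[str] = []
    dropped: List[str] = []
    for src, label in packets:
        (dropped if bl.is_blocked(src, now) else forwarded).append(label)
    return forwarded, dropped


# Constructed sample traffic: one packet from each host.
SAMPLE_PACKETS = [
    (HOST_A, "hostA-pkt"),
    (HOST_C, "hostC-pkt"),
    (HOST_D, "hostD-pkt"),
]


def run_scenario() -> Dict[str, Tuple[List[str], List[str]]]:
    """Apply the example's two entries and filter traffic at t=0 and t=51 min."""
    bl = Blacklist()
    t0 = 0.0
    bl.add(HOST_D, t0)                     # permanent, as for Host D
    bl.add(HOST_C, t0, aging_minutes=50)   # 50-minute entry, as for Host C
    return {
        "t+0min": filter_packets(bl, SAMPLE_PACKETS, t0),
        "t+51min": filter_packets(bl, SAMPLE_PACKETS, t0 + 51 * 60),
    }


if __name__ == "__main__":
    for when, (fwd, drop) in run_scenario().items():
        print(f"{when}: forwarded={fwd} dropped={drop}")
```

At t+0 both Host C and Host D are dropped; at t+51 min only Host D is, because Host C's timed entry has aged out while the permanent entry remains. The same purge-on-lookup behaviour applies to entries that scanning attack protection adds automatically, which is why a later display blacklist may show fewer entries than the alarm logs reported.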
[Figure 241 labels: Internet; Router with interfaces GE3/0/2 and GE3/0/1; Host A, Host B, Host C; Attacker Host D 5.5.5.5/24; addresses shown: 202.1.0.1/16, 192.168.1.1/16, 192.168.1.4/16]