R3303-HP 6600/HSR6600 Routers Security Configuration Guide
493
| Task | Command | Remarks |
|------|---------|---------|
| Display the configuration information about one or all attack protection policies. | display attack-defense policy [ policy-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Display information about blacklist entries. | display blacklist { all \| ip source-ip-address [ slot slot-number ] \| slot slot-number } [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Display the traffic statistics of an interface. | display flow-statistics statistics interface interface-type interface-number { inbound \| outbound } [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Display the interface traffic statistics based on IP addresses. | display flow-statistics statistics [ slot slot-number ] { destination-ip dest-ip-address \| source-ip src-ip-address } [ vpn-instance vpn-instance-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Display information about the IP addresses protected by the TCP proxy function. | display tcp-proxy protected-ip [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
| Clear attack protection statistics about an interface. | reset attack-defense statistics interface interface-type interface-number | Available in user view. |
Attack detection and protection configuration examples
Attack protection functions on interfaces configuration example
Network requirements
As shown in Figure 240, GigabitEthernet 3/0/1 is connected to the internal network, GigabitEthernet 3/0/2 is connected to the external network, and GigabitEthernet 3/0/3 is connected to an internal server.

Protect internal hosts against Smurf attacks and scanning attacks from the external network, and protect the internal server against SYN flood attacks from the external network. To meet these requirements, perform the following configurations:

• On GigabitEthernet 3/0/2, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers scanning attack protection to 4500 connections per second.

• On GigabitEthernet 3/0/3, configure SYN flood attack protection, so that the device drops subsequent SYN packets when the SYN packet sending rate to the server constantly reaches or exceeds 5000 packets per second, and permits SYN packets to be sent to the server again only when this rate drops below 1000 packets per second.
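The two requirements above describe two protection behaviours: a single-threshold trigger (a source whose connection rate reaches 4500 connections per second is blacklisted) and a two-threshold hysteresis (SYN packets are dropped once the rate reaches 5000 pps and forwarded again only after it falls below 1000 pps). The following Python model is an added illustration of that logic, not code from the guide or from the router; the class and function names, the per-second rate samples and the IP addresses are constructed for the example. It shows why the SYN flood thresholds are asymmetric: a rate of 3000 pps is forwarded while the flood is ramping up but still dropped while it is tailing off, so the protection does not flap between the two states.

```python
"""Model of the interface attack-protection behaviours in the network requirements.

Added illustration only; not the device's own implementation.  The router
measures rates over its own sampling interval; here each call is one sample.
"""
from dataclasses import dataclass, field

SCAN_MAX_RATE = 4500   # connections/s that trigger scanning attack protection
SYN_HIGH_RATE = 5000   # SYN packets/s at or above which SYN packets are dropped
SYN_LOW_RATE = 1000    # SYN packets/s below which SYN forwarding resumes


@dataclass
class ScanProtection:
    """Scanning attack protection with the blacklist function enabled."""
    max_rate: int = SCAN_MAX_RATE
    blacklist: set = field(default_factory=set)

    def observe(self, src_ip: str, connections_per_second: int) -> bool:
        """Return True if traffic from src_ip is dropped in this sample.

        Once a source reaches the threshold it is blacklisted, so later
        packets from it are dropped even at a low rate.
        """
        if src_ip in self.blacklist:
            return True
        if connections_per_second >= self.max_rate:
            self.blacklist.add(src_ip)
            return True
        return False


@dataclass
class SynFloodProtection:
    """SYN flood protection with a high (activate) and low (release) rate."""
    high: int = SYN_HIGH_RATE
    low: int = SYN_LOW_RATE
    dropping: bool = False

    def observe(self, syn_per_second: int) -> bool:
        """Update the state for one sample; return True while SYNs are dropped."""
        if not self.dropping and syn_per_second >= self.high:
            self.dropping = True          # rate reached the high threshold
        elif self.dropping and syn_per_second < self.low:
            self.dropping = False         # rate fell below the low threshold
        # Rates between low and high keep the current state (hysteresis).
        return self.dropping


def simulate_syn_flood(rates):
    """Per-sample drop decisions for a constructed series of SYN rates."""
    protection = SynFloodProtection()
    return [protection.observe(rate) for rate in rates]


def simulate_scan(events):
    """Per-packet drop decisions for constructed (source IP, rate) samples."""
    protection = ScanProtection()
    return [protection.observe(ip, rate) for ip, rate in events]


if __name__ == "__main__":
    # Constructed samples: the flood ramps up through 3000 pps, peaks at 5000
    # and tails off through 3000 to 999 pps.
    print(simulate_syn_flood([3000, 5000, 3000, 999, 3000]))
    # Constructed samples: 198.51.100.7 crosses the scan threshold and stays
    # blacklisted; 203.0.113.5 never does.
    print(simulate_scan([("198.51.100.7", 4499), ("198.51.100.7", 4500),
                         ("198.51.100.7", 10), ("203.0.113.5", 10)]))
```

Reading the SYN flood output against the requirement: the first 3000 pps sample is below the 5000 pps activation rate and is forwarded; the 5000 pps sample activates dropping; the following 3000 pps sample is still dropped because it has not yet fallen below 1000 pps; 999 pps releases the protection; and the final 3000 pps sample is forwarded again. Between 1000 and 5000 pps the decision depends only on which state the device was already in, which is what keeps a steady mid-range rate from toggling the protection on and off.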