R2511-HP MSR Router Series Security Configuration Guide(V5)
• On GigabitEthernet 1/2, configure Smurf attack protection and scanning attack protection, enable the blacklist function for scanning attack protection, and set the connection rate threshold that triggers the scanning attack protection to 4500 connections per second.
• On GigabitEthernet 1/3, configure SYN flood attack protection, so that the device drops subsequent SYN packets when the rate of SYN packets sent to a server continuously reaches or exceeds 5000 packets per second, and permits SYN packets to be sent to the server again only when this rate drops below 1000 packets per second.
Figure 139 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Create attack protection policy 1.
[Router] attack-defense policy 1
# Enable Smurf attack protection.
[Router-attack-defense-policy-1] signature-detect smurf enable
# Enable scanning attack protection.
[Router-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold that triggers scanning attack protection to 4500 connections per second.
[Router-attack-defense-policy-1] defense scan max-rate 4500
# Enable the blacklist function for scanning attack protection.
[Router-attack-defense-policy-1] defense scan add-to-blacklist
[Router-attack-defense-policy-1] quit
# Apply policy 1 to GigabitEthernet 1/2.
[Router] interface gigabitethernet 1/2
[Router-GigabitEthernet1/2] attack-defense apply policy 1
[Router-GigabitEthernet1/2] quit
# Create attack protection policy 2.
[Router] attack-defense policy 2
(Figure 139 labels: Internet, Router, Server, Host A, Host B, Host C, Host D, Attacker; router interfaces GE1/1, GE1/2, GE1/3; addresses 5.5.5.5/24, 202.1.0.1/16, 192.168.1.1/16, 10.1.1.1/24, 10.1.1.2/24.)