R2511-HP MSR Router Series Security Configuration Guide(V5)
# Enable SYN flood attack protection.
[Router-attack-defense-policy-2] defense syn-flood enable
# Configure SYN flood attack protection for the internal server 10.1.1.2 and set the action threshold to 5000 and silence threshold to 1000.
[Router-attack-defense-policy-2] defense syn-flood ip 10.1.1.2 rate-threshold high 5000 low 1000
# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-2] defense syn-flood action drop-packet
[Router-attack-defense-policy-2] quit
# Apply policy 2 to GigabitEthernet 1/3.
[Router] interface gigabitethernet 1/3
[Router-GigabitEthernet1/3] attack-defense apply policy 2
[Router-GigabitEthernet1/3] quit
Verifying the configuration
Use the display attack-defense policy command to view the contents of attack protection policies 1 and 2.
If Smurf attack packets are received on GigabitEthernet 1/2, the device should output alarm logs. If
scanning attack packets are received on GigabitEthernet 1/2, the device should output alarm logs and
add the IP addresses of the attackers to the blacklist. If SYN flood attack packets are received on
GigabitEthernet 1/3, the device should output alarm logs and drop the subsequent attack packets.
After a period of time, you can use the display attack-defense statistics interface command to display the
attack protection statistics of each interface. If scanning attacks occur, you can use the display blacklist
command to see the blacklist entries added automatically by scanning attack protection.
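The action threshold (high 5000) and silence threshold (low 1000) form a hysteresis pair: an attack is declared when the SYN rate to the protected server exceeds the high value and is only cleared once the rate falls below the low value, so rates in between keep the drop action in force. The following Python model is an added illustration of that behaviour, not the router's own code; the per-second window, the strict comparisons and the per-second SYN counts are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SynFloodGuard:
    """Hysteresis model of 'defense syn-flood ip <ip> rate-threshold high/low'
    with 'action drop-packet': SYNs to the protected server are dropped from
    the second the rate exceeds action_threshold until it drops below
    silence_threshold. Only the configured server address is protected."""
    protected_ip: str
    action_threshold: int    # 'high' in the CLI example (5000)
    silence_threshold: int   # 'low' in the CLI example (1000)
    under_attack: bool = False
    events: list = field(default_factory=list)  # stands in for alarm logs

    def observe_second(self, dst_ip: str, syn_count: int) -> int:
        """Feed one second's SYN count toward dst_ip; return SYNs forwarded."""
        if dst_ip != self.protected_ip:
            return syn_count  # policy does not apply to other hosts
        if not self.under_attack and syn_count > self.action_threshold:
            self.under_attack = True
            self.events.append(
                f"alarm: SYN flood to {dst_ip}, {syn_count}/s > {self.action_threshold}")
        elif self.under_attack and syn_count < self.silence_threshold:
            self.under_attack = False
            self.events.append(
                f"clear: SYN rate to {dst_ip} down to {syn_count}/s")
        return 0 if self.under_attack else syn_count

def run_sample():
    """Constructed per-second SYN counts toward 10.1.1.2: normal load,
    a flood, then a slow decay that passes through the hysteresis band."""
    guard = SynFloodGuard("10.1.1.2", 5000, 1000)
    samples = [200, 6000, 7000, 3000, 1500, 800, 300]
    forwarded = [guard.observe_second("10.1.1.2", n) for n in samples]
    # 3000/s and 1500/s are below the action threshold but still dropped,
    # because the attack state is not cleared until the rate is under 1000/s.
    return forwarded, guard.events

if __name__ == "__main__":
    fwd, ev = run_sample()
    print("forwarded per second:", fwd)
    for line in ev:
        print(line)
```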
Blacklist configuration example
Network requirements
As shown in Figure 140, assume that you find an attacker (Host D) in the outside network by analyzing
the traffic statistics, and decide to configure the router to filter packets from Host D permanently. In
addition, to control Host C's access temporarily, configure the router to filter packets from Host C for 50
minutes.
Figure 140 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.