R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR2003 AC Router

621

622

623

624

625

626

627

628

629

630

613

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address

belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify

this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a

port by its port number or a range of ports in the form of start-port-number to end-port-number. The

end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the

global ports apply.

threshold threshold-value: Sets the threshold for triggering DNS flood attack prevention. The value range

is 1 to 1000000 in units of DNS packets sent to the specified IP address per second.

action: Specifies the actions when a DNS flood attack is detected. If no action is specified, the global

actions set by the dns-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client

verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent DNS packets destined for the protected IP address.

logging: Enables logging for DNS flood attack events. The log information records the detection

interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention action, and

start time of the attack.

Usage guidelines

You can configure DNS flood attack detection for multiple IP addresses in one attack defense policy.

With DNS flood attack detection configured, the device is in attack detection state. An attack occurs

when the device detects that the sending rate of DNS packets to a protected IP address reaches or

exceeds the threshold. The device enters prevention state and takes actions to protect the target IP

address. When the rate is below the silence threshold (three-fourths of the threshold), the device

considers that the threat is over and returns to the attack detection state.

Examples

# Configure DNS flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53

threshold 2000

Related commands

• dns-flood action

• dns-flood detect non-specific

• dns-flood threshold

• dns-flood port

dns-flood detect non-specific

Use dns-flood detect non-specific to enable DNS flood attack detection for non-specific IP addresses.

Use undo dns-flood detect non-specific to restore the default.

Syntax

dns-flood detect non-specific

undo dns-flood detect non-specific