R0106-HP MSR Router Series Security Command Reference(V7)
614
Default
DNS flood attack detection is not enabled for non-specific IP addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
Usage guidelines
This command enables global DNS flood attack detection. It applies to all IP addresses except for those
specified by the dns-flood detect command. The system uses the global trigger threshold set by the
dns-flood threshold command and global actions specified by the dns-flood action command.
Examples
# Enable DNS flood attack detection for non-specific IP addresses in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific
Related commands
• dns-flood action
• dns-flood detect
• dns-flood threshold
dns-flood port
Use dns-flood port to specify the global ports to be protected against DNS flood attacks.
Use undo dns-flood port to restore the default.
Syntax
dns-flood port port-list
undo dns-flood port
Default
The DNS flood attack prevention protects port 53.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
port-list: Specifies a global list of ports to be protected. Specify this argument in the format of
{ start-port-number [ to end-port-number ] } &<1-65535>. &<1-65535> indicates that you can specify up
to 65535 ports or port lists. The end-port-number cannot be smaller than the start-port-number.
Usage guidelines
The device detects only DNS packets destined for the specified ports.