R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

631

632

633

634

635

636

637

638

639

640

621

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client

verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent HTTP packets destined for the victim IP addresses.

logging: Enables logging for HTTP flood attack events. The log information records the detection

interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention actions,

and start time of the attack.

Usage guidelines

To configure the HTTP flood attack detection to collaborate with the HTTP client verification, make sure

the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client

verification, use the client-verify http enable command.

Examples

# Specify drop as the global action against HTTP flood attacks in attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop

Related commands

• client-verify http enable

• http-flood detect

• http-flood detect non-specific

• http-flood threshold

http-flood detect

Use http-flood detect to configure IP-specific HTTP flood attack detection.

Use undo http-flood detect to remove the HTTP flood attack detection configuration for an IP address.

Syntax

http-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ]

[ threshold threshold-value ] [ action { client-verify | drop | logging } * ]

undo http-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

HTTP flood attack detection is not configured for any IP address.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.

ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a

multicast address or all 0s.