R0106-HP MSR Router Series Security Configuration Guide(V7)
Attack detection and prevention configuration task list
Tasks at a glance
(Required.) Configuring an attack defense policy:
• (Required.) Creating an attack defense policy
• (Required.) Perform at least one of the following tasks to configure attack detection:
  ◦ Configuring a single-packet attack defense policy
  ◦ Configuring a scanning attack defense policy
  ◦ Configuring a flood attack defense policy
• (Optional.) Configuring attack detection exemption
(Required.) Perform at least one of the following tasks to apply an attack defense policy:
• Applying an attack defense policy to a Layer 3 interface
• Applying an attack defense policy to the device
(Optional.) Enabling non-aggregated log output for single-packet attack events
(Optional.) Configuring client verification:
• Configuring TCP client verification
• Configuring DNS client verification
• Configuring HTTP client verification
(Optional.) Configuring the blacklist function
Configuring an attack defense policy
Creating an attack defense policy
An attack defense policy can contain a set of attack detection configurations against multiple attacks.
To create an attack defense policy:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create an attack defense policy and enter its view. | attack-defense policy policy-name | By default, no attack defense policy exists.
Configuring a single-packet attack defense policy
Configure the single-packet attack defense policy on the interface that connects to the external network.
Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:
• Output logs (the default action).
• Drop attack packets.
You can also configure the device to take no action.