R0106-HP MSR Router Series Security Configuration Guide(V7)
To configure a single-packet attack defense policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter attack defense policy view.
   Command: attack-defense policy policy-name
   Remarks: N/A

3. Configure signature detection for single-packet attacks.
   Commands:
   • signature detect { fraggle | fragment | impossible | ip-option-abnormal |
     land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork |
     tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag |
     tcp-syn-fin | teardrop | tiny-fragment | traceroute | udp-bomb | winnuke }
     [ action { { drop | logging } * | none } ]
   • signature detect icmp-type { icmp-type-value | address-mask-reply |
     address-mask-request | destination-unreachable | echo-reply |
     echo-request | information-reply | information-request |
     parameter-problem | redirect | source-quench | time-exceeded |
     timestamp-reply | timestamp-request }
     [ action { { drop | logging } * | none } ]
   • signature detect icmpv6-type { icmpv6-type-value |
     destination-unreachable | echo-reply | echo-request | group-query |
     group-reduction | group-report | packet-too-big | parameter-problem |
     time-exceeded } [ action { { drop | logging } * | none } ]
   • signature detect ip-option { option-code | internet-timestamp |
     loose-source-routing | record-route | route-alert | security |
     stream-id | strict-source-routing }
     [ action { { drop | logging } * | none } ]
   Remarks: Use at least one of the commands. By default, signature
   detection is not configured for single-packet attacks.

4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.
   Command: signature { large-icmp | large-icmpv6 } max-length length
   Remarks: By default, the maximum length of safe ICMP or ICMPv6 packets
   is 4000 bytes. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6
   packet larger than the specified length is detected.
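
The four steps above as one command sequence, added here as an example and not taken from the HP guide. The policy name atk-policy-1, the choice of signatures and actions, and the 2000-byte limit are assumptions made for illustration; the lines starting with # are annotations.

```text
# Added example: policy name and the 2000-byte limit are assumed values.
system-view
attack-defense policy atk-policy-1
 # Malformed-packet signatures: drop and log.
 signature detect land action drop logging
 signature detect smurf action drop logging
 signature detect tcp-syn-fin action drop logging
 signature detect tcp-null-flag action drop logging
 # ICMP redirects and source-routed packets: log only, to observe
 # how often they occur before deciding whether to drop them.
 signature detect icmp-type redirect action logging
 signature detect ip-option loose-source-routing action logging
 signature detect ip-option strict-source-routing action logging
 # Large ICMP: enable the signature, then lower the safe length
 # from the default of 4000 bytes.
 signature detect large-icmp action drop logging
 signature large-icmp max-length 2000
```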