R0106-HP MSR Router Series Security Configuration Guide(V7)

Step 5. (Optional.) Specify the actions against single-packet attacks of a specific level.
Command: signature level { high | info | low | medium } action { { drop | logging } * | none }
Remarks: The default action is logging for single-packet attacks of the informational and low levels. The default actions are logging and drop for single-packet attacks of the medium and high levels.

Step 6. (Optional.) Enable signature detection for single-packet attacks of a specific level.
Command: signature level { high | info | low | medium } detect
Remarks: By default, signature detection is disabled for all levels of single-packet attacks.

Configuring a scanning attack defense policy
Configure a scanning attack defense policy on the Layer 3 interface that connects to the external
network.
Scanning attack detection inspects the incoming packet rate of connections to the target system. If a
suspected source initiates connections at a rate equal to or exceeding the pre-defined threshold, the
device can take the following actions:
• Output logs.
• Drop subsequent packets from the IP address of the attacker.
• Add the attacker's IP address to the blacklist.
To make the blacklist function take effect, enable the blacklist function globally or on the interface where
the defense policy is applied. For more information about the blacklist function, see "Configuring the
blacklist function."
To configure a scanning attack defense policy:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter attack defense policy view.
Command: attack-defense policy policy-name
Remarks: N/A

Step 3. Configure scanning attack detection.
Command: scan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } | logging } *
Remarks: By default, scanning attack detection is not configured.

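The following Python model is an added example, not code from this guide or from the device: it shows how the logging, drop, and block-source actions differ once a source reaches the rate threshold, and why block-source filters nothing unless the blacklist function is enabled. The threshold, the one-second window, how long drop persists, the sample address, and all class and function names are assumptions; the guide does not give the rates behind the high, medium, and low levels.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Toy model of per-source scan detection; not the device's real algorithm."""
    def __init__(self, threshold, window=1.0, actions=("logging",),
                 timeout_min=10, blacklist_enabled=True):
        self.actions = set(actions)
        # As in the command syntax: block-source and drop are alternatives.
        if not self.actions or not self.actions <= {"logging", "drop", "block-source"}:
            raise ValueError("unknown or empty action set")
        if {"drop", "block-source"} <= self.actions:
            raise ValueError("block-source and drop cannot be combined")
        self.threshold, self.window = threshold, window   # assumed values
        self.timeout = timeout_min * 60          # blacklist entry lifetime (s)
        self.blacklist_enabled = blacklist_enabled
        self.recent = defaultdict(deque)         # src -> recent connection times
        self.flagged = set()                     # sources currently over threshold
        self.blacklist = {}                      # src -> expiry time
        self.log = []                            # (time, src) per detection

    def connection(self, ts, src):
        """Handle one new connection attempt; return 'forward' or 'drop'."""
        if src in self.blacklist and ts >= self.blacklist[src]:
            del self.blacklist[src]              # entry aged out
        if src in self.blacklist and self.blacklist_enabled:
            return "drop"                        # blacklist filters the source
        q = self.recent[src]
        q.append(ts)
        while q[0] <= ts - self.window:          # keep the last `window` seconds
            q.popleft()
        if len(q) < self.threshold:              # rate below threshold
            self.flagged.discard(src)
            return "forward"
        if src in self.flagged:                  # packet after the detection
            return "drop" if "drop" in self.actions else "forward"
        self.flagged.add(src)                    # rate reached the threshold
        if "logging" in self.actions:
            self.log.append((ts, src))
        if "block-source" in self.actions:
            self.blacklist[src] = ts + self.timeout
        return "forward"

def burst(detector, src="203.0.113.7", n=10):
    """Constructed traffic: n connection attempts from src, 100 ms apart."""
    return [detector.connection(i / 10, src) for i in range(n)]

if __name__ == "__main__":
    d = ScanDetector(5, actions=("logging", "block-source"), timeout_min=1)
    print(burst(d), d.log, d.blacklist)
```
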
Configuring a flood attack defense policy
Configure a flood attack defense policy on the interface that connects to the external network to protect
internal servers.
Flood attack detection monitors the rate at which connections are initiated to the internal servers.
With flood attack detection enabled, the device is in attack detection state. An attack occurs when the
device detects that the packet sending rate to a protected IP address reaches or exceeds the threshold.
The device enters prevention state, and takes actions to protect the target IP address. When the rate is