R0106-HP MSR Router Series Security Configuration Guide(V7)

below the silence threshold (three-fourths of the threshold), the device considers that the threat is over and
returns to the attack detection state.
You can configure flood attack detection and prevention for a specific IP address. For non-specific IP
addresses, the device uses the global attack prevention settings.
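
The threshold behavior described above, as an added example that is not taken from the HP guide. It models the choice between an IP-specific and the global threshold and the return to the detection state below the silence threshold. Assumptions: the device enters a prevention state when the observed rate exceeds the trigger threshold, state is tracked per destination address, and the addresses and rate samples are constructed.

```python
from dataclasses import dataclass, field

DETECTION, PREVENTION = "detection", "prevention"


@dataclass
class FloodPolicy:
    """Model of one flood type (SYN or ACK) in an attack defense policy."""
    global_threshold: int = 1000                       # default on this page
    ip_thresholds: dict = field(default_factory=dict)  # IP-specific settings
    state: dict = field(default_factory=dict)          # assumed: per destination

    def threshold_for(self, dst: str) -> int:
        # An IP-specific setting wins; every other address uses the global one.
        return self.ip_thresholds.get(dst, self.global_threshold)

    def observe(self, dst: str, rate: int) -> str:
        """Feed one rate sample for dst and return the resulting state."""
        trigger = self.threshold_for(dst)
        silence = trigger * 3 / 4          # silence threshold: three-fourths
        current = self.state.get(dst, DETECTION)
        if current == DETECTION and rate > trigger:     # assumed entry condition
            current = PREVENTION
        elif current == PREVENTION and rate < silence:  # "below" per the guide
            current = DETECTION
        self.state[dst] = current
        return current


def replay(policy: FloodPolicy, dst: str, rates: list) -> list:
    """Run a sequence of rate samples for one destination."""
    return [policy.observe(dst, r) for r in rates]


# Constructed rate samples: a burst followed by a slow decay.
SAMPLES = [400, 900, 1200, 900, 760, 750, 749, 800]

if __name__ == "__main__":
    policy = FloodPolicy(ip_thresholds={"192.0.2.10": 500})
    for dst in ("198.51.100.7", "192.0.2.10"):
        print(dst, policy.threshold_for(dst), replay(policy, dst, SAMPLES))
```

With the global threshold of 1000, the first address leaves the prevention state only at the 749 sample, because 750 is not below the silence threshold; with the IP-specific threshold of 500, the second address stays in the prevention state for the rest of the run.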
Configuring a SYN flood attack defense policy
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter attack defense policy view.
  Command: attack-defense policy policy-name
  Remarks: N/A

Step 3. Enable SYN flood attack detection for non-specific IP addresses.
  Command: syn-flood detect non-specific
  Remarks: By default, SYN flood attack detection is disabled for non-specific IP addresses.

Step 4. Set the global trigger threshold for SYN flood attack prevention.
  Command: syn-flood threshold threshold-value
  Remarks: By default, the global trigger threshold is 1000 for SYN flood attack prevention.

Step 5. Specify global actions against SYN flood attacks.
  Command: syn-flood action { client-verify | drop | logging } *
  Remarks: By default, no global action is specified for SYN flood attacks.

Step 6. Configure IP-specific SYN flood attack detection.
  Command: syn-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
  Remarks: By default, SYN flood attack detection is not configured for any IP address.

Configuring an ACK flood attack defense policy
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter attack defense policy view.
  Command: attack-defense policy policy-name
  Remarks: N/A

Step 3. Enable ACK flood attack detection for non-specific IP addresses.
  Command: ack-flood detect non-specific
  Remarks: By default, ACK flood attack detection is disabled for non-specific IP addresses.

Step 4. Set the global trigger threshold for ACK flood attack prevention.
  Command: ack-flood threshold threshold-value
  Remarks: By default, the global trigger threshold is 1000 for ACK flood attack prevention.

Step 5. Specify global actions against ACK flood attacks.
  Command: ack-flood action { client-verify | drop | logging } *
  Remarks: By default, no global action is specified for ACK flood attacks.

Step 6. Configure IP-specific ACK flood attack detection.
  Command: ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
  Remarks: By default, ACK flood attack detection is not configured for any IP address.