R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring a SYN-ACK flood attack defense policy
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter attack defense policy view.
   Command: attack-defense policy policy-name
   Remarks: N/A
3. Enable SYN-ACK flood attack detection for non-specific IP addresses.
   Command: syn-ack-flood detect non-specific
   Remarks: By default, SYN-ACK flood attack detection is disabled for non-specific IP addresses.
4. Set the global trigger threshold for SYN-ACK flood attack prevention.
   Command: syn-ack-flood threshold threshold-value
   Remarks: By default, the global trigger threshold is 1000 for SYN-ACK flood attack prevention.
5. Specify global actions against SYN-ACK flood attacks.
   Command: syn-ack-flood action { client-verify | drop | logging } *
   Remarks: By default, no global action is specified for SYN-ACK flood attacks.
6. Configure IP-specific SYN-ACK flood attack detection.
   Command: syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
   Remarks: By default, SYN-ACK flood attack detection is not configured for any IP address.

Configuring a FIN flood attack defense policy
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter attack defense policy view.
   Command: attack-defense policy policy-name
   Remarks: N/A
3. Enable FIN flood attack detection for non-specific IP addresses.
   Command: fin-flood detect non-specific
   Remarks: By default, FIN flood attack detection is disabled for non-specific IP addresses.
4. Set the global trigger threshold for FIN flood attack prevention.
   Command: fin-flood threshold threshold-value
   Remarks: By default, the global trigger threshold is 1000 for FIN flood attack prevention.
5. Specify global actions against FIN flood attacks.
   Command: fin-flood action { client-verify | drop | logging } *
   Remarks: By default, no global action is specified for FIN flood attacks.
6. Configure IP-specific FIN flood attack detection.
   Command: fin-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
   Remarks: By default, FIN flood attack detection is not configured for any IP address.

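The SYN-ACK flood and FIN flood procedures above leave detection disabled, the threshold at 1000 and no action specified unless each step is configured. The following is an added example, not part of the HP guide: a small offline check that reads the lines of one attack defense policy and reports which of those defaults are still in effect. The policy name edge1, the address 192.0.2.10 and the wording of the review findings are assumptions made for this example.

```python
# Defaults stated in the guide: detection disabled, threshold 1000, no action.
DEFAULT_THRESHOLD = 1000
FLOODS = ("syn-ack-flood", "fin-flood")
ACTIONS = {"client-verify", "drop", "logging"}

def audit_policy(config_text):
    """Parse one attack defense policy and return (state, findings)."""
    state = {f: {"non_specific": False, "threshold": DEFAULT_THRESHOLD,
                 "actions": set(), "hosts": {}} for f in FLOODS}
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] not in state:
            continue  # not a flood command covered by this check
        s, kw, rest = state[tok[0]], tok[1], tok[2:]
        if kw == "detect" and rest == ["non-specific"]:
            s["non_specific"] = True
        elif kw == "threshold" and len(rest) == 1 and rest[0].isdigit():
            s["threshold"] = int(rest[0])
        elif kw == "action":
            s["actions"] = set(rest) & ACTIONS
        elif kw == "detect" and len(rest) >= 2 and rest[0] in ("ip", "ipv6"):
            # IP-specific entry: threshold and action are optional keywords.
            host = {"threshold": None, "actions": set()}
            if "threshold" in rest:
                host["threshold"] = int(rest[rest.index("threshold") + 1])
            if "action" in rest:
                host["actions"] = set(rest[rest.index("action") + 1:]) & ACTIONS
            s["hosts"][rest[1]] = host
    findings = []
    for flood, s in state.items():
        if not s["non_specific"] and not s["hosts"]:
            findings.append(f"{flood}: detection not enabled (default)")
        if s["non_specific"] and not s["actions"]:
            findings.append(f"{flood}: detection enabled but no global action specified")
        if s["non_specific"] and s["threshold"] == DEFAULT_THRESHOLD:
            findings.append(f"{flood}: global threshold left at default {DEFAULT_THRESHOLD}")
    return state, findings

# Constructed sample policy (name and address are illustrative only).
SAMPLE = """\
attack-defense policy edge1
 syn-ack-flood detect non-specific
 syn-ack-flood threshold 2000
 syn-ack-flood action logging drop
 syn-ack-flood detect ip 192.0.2.10 threshold 500 action client-verify logging
 fin-flood detect non-specific
"""

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)[1]))
```
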
Configuring an RST flood attack defense policy
1. Enter system view.
   Command: system-view
   Remarks: N/A