R0106-HP MSR Router Series Security Configuration Guide(V7)

Step 5. (Optional.) Specify the global ports to be protected against DNS flood attacks.
  Command: dns-flood port port-list
  Remarks: By default, DNS flood attack prevention protects port 53.

Step 6. Specify global actions against DNS flood attacks.
  Command: dns-flood action { client-verify | drop | logging } *
  Remarks: By default, no global action is specified for DNS flood attacks.

Step 7. Configure IP-specific DNS flood attack detection.
  Command: dns-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
  Remarks: By default, DNS flood attack detection is not configured for any IP address.

Configuring an HTTP flood attack defense policy
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter attack defense policy view.
  Command: attack-defense policy policy-name
  Remarks: N/A

Step 3. Enable HTTP flood attack detection for non-specific IP addresses.
  Command: http-flood detect non-specific
  Remarks: By default, HTTP flood attack detection is disabled for non-specific IP addresses.

Step 4. Set the global trigger threshold for HTTP flood attack prevention.
  Command: http-flood threshold threshold-value
  Remarks: By default, the global trigger threshold is 1000 for HTTP flood attack prevention.

Step 5. (Optional.) Specify the global ports to be protected against HTTP flood attacks.
  Command: http-flood port port-list
  Remarks: By default, HTTP flood attack prevention protects port 80.

Step 6. Specify global actions against HTTP flood attacks.
  Command: http-flood action { client-verify | drop | logging } *
  Remarks: By default, no global action is specified for HTTP flood attacks.

Step 7. Configure IP-specific HTTP flood attack detection.
  Command: http-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { client-verify | drop | logging } * ]
  Remarks: By default, HTTP flood attack detection is not configured for any IP address.
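
The seven steps above entered as one session, as an added example that is not taken from the HP guide. The policy name web-edge, the address 192.0.2.10, the port and threshold values, and the space-separated form of port-list are constructed assumptions; only the command keywords come from the table.

```text
# Constructed example: names, addresses, ports and thresholds are illustrative.
# Steps 1-2: enter system view, then the attack defense policy view.
system-view
attack-defense policy web-edge
 # Step 3: enable detection for addresses that have no IP-specific entry.
 http-flood detect non-specific
 # Step 4: raise the global trigger threshold from the default of 1000.
 http-flood threshold 2000
 # Step 5: protect an additional port besides the default port 80.
 http-flood port 80 8080
 # Step 6: set the global actions (none are specified by default).
 http-flood action drop logging
 # Step 7: IP-specific entry with a lower threshold for one web server.
 http-flood detect ip 192.0.2.10 port 80 threshold 500 action drop logging
```

The table states that no global action is specified by default, so the example sets one explicitly in step 6 and again in the IP-specific entry of step 7.
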
Configuring attack detection exemption
The attack defense policy uses the ACL to identify exempted packets. The policy does not check the
packets permitted by the ACL. You can configure the ACL to identify packets from trusted servers. The
exemption feature reduces the false alarm rate and improves packet processing efficiency.
To configure attack detection exemption: