R0106-HP MSR Router Series Security Configuration Guide(V7)

# Enable the blacklist function globally. The block-source action configured below adds
offending sources to the blacklist and takes effect only when the blacklist feature is enabled.
<Router> system-view
[Router] blacklist global enable
# Create attack defense policy a1.
[Router] attack-defense policy a1
# Configure signature detection for smurf attacks, and specify the prevention action as logging.
[Router-attack-defense-policy-a1] signature detect smurf action logging
# Configure low-level scan attack detection. Specify the prevention actions as logging and
block-source, and set the aging time of the resulting blacklist entries to 10 minutes.
[Router-attack-defense-policy-a1] scan detect level low action logging block-source timeout 10
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/2.
[Router] interface gigabitethernet 2/1/2
[Router-GigabitEthernet2/1/2] attack-defense apply policy a1
[Router-GigabitEthernet2/1/2] quit
# Create attack defense policy a2.
[Router] attack-defense policy a2
# Configure SYN flood attack detection for the protected host 10.1.1.2. Set the threshold for
triggering attack prevention to 5000 SYN packets per second, and specify the prevention actions
as logging and drop.
[Router-attack-defense-policy-a2] syn-flood detect ip 10.1.1.2 threshold 5000 action logging drop
[Router-attack-defense-policy-a2] quit
# Apply attack defense policy a2 to interface GigabitEthernet 2/1/2. Note that an interface holds
only one attack defense policy: applying a second policy to an interface replaces the one already
applied there, so in practice a2 belongs on the interface that faces 10.1.1.2, separate from the
interface carrying a1.
[Router] interface gigabitethernet 2/1/2
[Router-GigabitEthernet2/1/2] attack-defense apply policy a2
[Router-GigabitEthernet2/1/2] quit
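Once the policies are applied, a practitioner usually wants a repeatable check that what the router reports matches the intended policy, rather than reading the display output by eye. The following is an added example, not code from the HP guide: a small Python parser for the output of `display attack-defense policy`, with a check of policy a1 against its intent (smurf signature detection enabled with logging, applied to GigabitEthernet 2/1/2). The sample output is constructed here to follow the layout of the verification output on this page; the Smurf and Land rows and the "Not applied" wording for an unapplied policy are assumptions, and in real use the text would be captured from the router (for example over SSH) instead of embedded.

```python
# Added example (not part of the HP MSR guide): parse the output of
# "display attack-defense policy <name>" and check it against the policy the
# configuration steps above intend to produce. The layout follows the
# verification output on this page; the Smurf and Land rows are constructed.
import re

SAMPLE_OUTPUT = """\
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name         : a1
Applied list        : GE2/1/2
--------------------------------------------------------------------------
Exempt IPv4 ACL     : Not configured
Exempt IPv6 ACL     : Not configured
--------------------------------------------------------------------------
Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None
Signature attack defense configuration:
 Signature name       Defense   Level     Actions
 Fragment             Disabled  low       L
 Impossible           Disabled  medium    L,D
 Teardrop             Disabled  medium    L,D
 Smurf                Enabled   medium    L
 Land                 Disabled  medium    L,D
"""

# One signature row: a name that may contain single spaces ("Tiny fragment"),
# then Enabled/Disabled, a level, and a comma-separated action list.
SIG_ROW = re.compile(
    r"^\s*(?P<name>\S+(?: \S+)*?)\s+(?P<defense>Enabled|Disabled)"
    r"\s+(?P<level>\S+)\s+(?P<actions>\S+)\s*$"
)


def parse_policy(text):
    """Return {'name', 'applied', 'signatures'} parsed from display output."""
    policy = {"name": None, "applied": [], "signatures": {}}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        k = key.strip().lower()
        if sep and k == "policy name":
            policy["name"] = val.strip()
            continue
        if sep and k == "applied list":
            # Assumption: an unapplied policy prints a phrase such as "Not applied"
            # here instead of an interface name, so skip entries starting with "not".
            policy["applied"] = [
                x.strip() for x in val.split(",")
                if x.strip() and not x.strip().lower().startswith("not")
            ]
            continue
        m = SIG_ROW.match(line)
        if m:
            actions = m.group("actions")
            policy["signatures"][m.group("name")] = {
                "defense": m.group("defense"),
                "level": m.group("level"),
                # "N" (none) means no action; represent it as an empty set.
                "actions": set() if actions == "N" else set(actions.split(",")),
            }
    return policy


def check_policy(parsed, name, interfaces, signatures):
    """Compare parsed output with intent. Returns a list of findings (empty = OK).

    signatures maps a signature name to (expected defense, expected action set).
    """
    findings = []
    if parsed["name"] != name:
        findings.append(f"policy name is {parsed['name']!r}, expected {name!r}")
    for intf in interfaces:
        if intf not in parsed["applied"]:
            findings.append(f"policy is not applied to {intf}")
    for sig, (defense, actions) in signatures.items():
        got = parsed["signatures"].get(sig)
        if got is None:
            findings.append(f"signature {sig!r} not present in output")
        elif got["defense"] != defense:
            findings.append(f"{sig}: defense is {got['defense']}, expected {defense}")
        elif got["actions"] != set(actions):
            findings.append(f"{sig}: actions {sorted(got['actions'])}, expected {sorted(actions)}")
        # An enabled signature with action N is detected but never logged or dropped.
        if got and got["defense"] == "Enabled" and not got["actions"]:
            findings.append(f"{sig}: enabled but action is N, so it neither logs nor drops")
    return findings


# Intent for policy a1 from the configuration steps: smurf signature detection
# enabled with logging only, applied to GigabitEthernet 2/1/2 (shown as GE2/1/2).
A1_INTENT = {"name": "a1", "interfaces": ["GE2/1/2"],
             "signatures": {"Smurf": ("Enabled", {"L"})}}

if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_OUTPUT)
    findings = check_policy(parsed, **A1_INTENT)
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("policy a1 matches intent")
```

The check deliberately reports an enabled signature whose action is N as a finding: the router will count such attacks but take no visible action, which is easy to miss when scanning the table by eye. Extending the intent dictionary with the scan and flood settings of each policy gives a single post-change check for both a1 and a2.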
Verifying the configuration
# Verify that the attack defense policy a1 is successfully configured.
[Router] display attack-defense policy a1
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name : a1
Applied list : GE2/1/2
--------------------------------------------------------------------------
Exempt IPv4 ACL : Not configured
Exempt IPv6 ACL : Not configured
--------------------------------------------------------------------------
Actions: CV-Client verify BS-Block source L-Logging D-Drop N-None
Signature attack defense configuration:
Signature name       Defense   Level     Actions
Fragment             Disabled  low       L
Impossible           Disabled  medium    L,D
Teardrop             Disabled  medium    L,D