R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuration procedure
# Configure IP addresses for the interfaces on Router. (Details not shown.)
# Enable the global blacklist function.
<Router> system-view
[Router] blacklist global enable
# Add a blacklist entry for Host D.
[Router] blacklist ip 5.5.5.5
# Add a blacklist entry for Host C and set the aging time to 50 minutes for the entry.
[Router] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
# Verify that the blacklist entries are successfully added.
<Router> display blacklist ip
IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped
5.5.5.5         --             --                   Manual  Never    0
192.168.1.4     --             --                   Manual  2989     0
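One way to automate the verification step above, as an added example that is not part of the HP guide: a Python script that parses the display blacklist ip output and checks each expected entry against its configured aging time. The function names and the assumption that no column value contains whitespace are this example's own; the sample text is the output shown above.

```python
import ipaddress

# The "display blacklist ip" output from the verification step above.
SAMPLE_OUTPUT = """\
IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped
5.5.5.5         --             --                   Manual  Never    0
192.168.1.4     --             --                   Manual  2989     0
"""

def parse_blacklist(text):
    """Return {ip: entry} for each data row of 'display blacklist ip' output.

    Assumption: no column value contains whitespace, so each row has 6 fields.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # header, blank line or prompt
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        ttl = None if fields[4] == "Never" else int(fields[4])
        entries[ip] = {"type": fields[3], "ttl": ttl, "dropped": int(fields[5])}
    return entries

def verify(entries, expected):
    """Check entries against expected {ip: timeout_minutes or None for no aging}.

    Returns a list of problem strings; an empty list means the check passed.
    """
    problems = []
    for ip, minutes in expected.items():
        entry = entries.get(ip)
        if entry is None:
            problems.append(f"{ip}: not in blacklist")
        elif minutes is None and entry["ttl"] is not None:
            problems.append(f"{ip}: expected no aging, TTL is {entry['ttl']}s")
        elif minutes is not None and entry["ttl"] is None:
            problems.append(f"{ip}: expected to age out, entry never expires")
        elif minutes is not None and entry["ttl"] > minutes * 60:
            problems.append(f"{ip}: TTL {entry['ttl']}s exceeds {minutes} min")
    return problems

if __name__ == "__main__":
    found = parse_blacklist(SAMPLE_OUTPUT)
    # Host D was added without a timeout; Host C with "timeout 50" (minutes).
    for problem in verify(found, {"5.5.5.5": None, "192.168.1.4": 50}) or ["OK"]:
        print(problem)
```

The TTL check is an upper bound only, because the remaining time counts down from the configured timeout between the moment the entry is added and the moment the display command runs.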
TCP client verification configuration example
Network requirements
As shown in Figure 144, configure TCP client verification in SYN cookie mode on Router to protect the
internal servers against SYN flood attacks.
Figure 144 Network requirements
Configuration procedure
# Configure IP addresses for the interfaces on Router. (Details not shown.)
# Create attack defense policy a1.
<Router> system-view
[Router] attack-defense policy a1
# Enable SYN flood attack detection for non-specific IP addresses.
[Router-attack-defense-policy-a1] syn-flood detect non-specific
# Set the global threshold to 10000 for triggering SYN flood attack prevention.
[Router-attack-defense-policy-a1] syn-flood threshold 10000
# Specify logging and client-verify as the global actions against SYN flood attacks.