R0106-HP MSR Router Series Security Configuration Guide(V7)

[Router-attack-defense-policy-a1] syn-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] attack-defense apply policy a1
[Router-GigabitEthernet2/1/1] quit
# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] client-verify tcp enable mode syn-cookie
[Router-GigabitEthernet2/1/1] quit
Verifying the configuration
# If a SYN flood attack occurs, verify that the victim's IP address is added to the protected IP list for TCP client verification.
[Router] display client-verify tcp protected ip
IP address      VPN instance    Port    Type     TTL(min)  Requested  Trusted
192.168.1.10    --              any     Dynamic  30        20         12
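As an added example (not part of the guide and not HP code), a small Python checker for the display client-verify tcp protected ip output shown above: it parses the table, lists the Dynamic entries (addresses the router is currently protecting because a SYN flood was detected) and flags those where only a small share of requesters completed the SYN-cookie verification. It assumes Requested counts verification requests and Trusted the clients that passed; the second sample row is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "display client-verify tcp protected ip" output in the
# guide's column layout; the first row is the guide's, the second is made up.
SAMPLE_OUTPUT = """\
IP address      VPN instance    Port    Type     TTL(min)  Requested  Trusted
192.168.1.10    --              any     Dynamic  30        20         12
192.168.1.11    --              any     Dynamic  30        500        10
"""

@dataclass
class ProtectedEntry:
    ip: str
    vpn: str
    port: str
    entry_type: str         # "Dynamic": added by the syn-flood client-verify action
    ttl_min: Optional[int]  # "--" in the output is stored as None
    requested: int          # assumed: SYNs answered with a SYN cookie
    trusted: int            # assumed: senders that completed the handshake

def parse_protected_ips(text: str) -> List[ProtectedEntry]:
    """Parse the table; the header line is recognised by its 'IP address' prefix."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or line.startswith("IP address"):
            continue  # skip header, blank and malformed lines instead of guessing columns
        ip, vpn, port, etype, ttl, requested, trusted = fields
        entries.append(ProtectedEntry(ip, vpn, port, etype,
                                      None if ttl == "--" else int(ttl),
                                      int(requested), int(trusted)))
    return entries

def trust_ratio(e: ProtectedEntry) -> float:
    """Share of verification requests whose sender completed the SYN-cookie handshake."""
    return e.trusted / e.requested if e.requested else 0.0

def flag_victims(entries: List[ProtectedEntry], min_ratio: float = 0.5) -> List[str]:
    """A Dynamic entry means the router detected a SYN flood toward that address; a low
    trust ratio means most requesters never answered the cookie, i.e. spoofed sources."""
    alerts = []
    for e in entries:
        if e.entry_type == "Dynamic" and trust_ratio(e) < min_ratio:
            alerts.append(f"{e.ip}: {e.requested} requested, {e.trusted} trusted "
                          f"(ratio {trust_ratio(e):.2f}), TTL {e.ttl_min} min")
    return alerts
```

Paste the live command output into SAMPLE_OUTPUT (or read it from a file) to run the same check against a real router.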
DNS client verification configuration example
Network requirements
As shown in Figure 145, configure DNS client verification on Router to protect internal servers against DNS flood attacks.
Figure 145 Network diagram
Configuration procedure
# Configure IP addresses for the interfaces on Router. (Details not shown.)
# Create attack defense policy a1.
<Router> system-view
[Router] attack-defense policy a1
# Enable DNS flood attack detection for non-specific IP addresses.
[Router-attack-defense-policy-a1] dns-flood detect non-specific
# Set the global threshold to 10000 for triggering DNS flood attack prevention.
[Router-attack-defense-policy-a1] dns-flood threshold 10000
# Specify logging and client-verify as the global actions against DNS flood attacks.