R0106-HP MSR Router Series Security Configuration Guide(V7)

[Router-attack-defense-policy-a1] dns-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] attack-defense apply policy a1
[Router-GigabitEthernet2/1/1] quit
# Enable DNS client verification on interface GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] client-verify dns enable
[Router-GigabitEthernet2/1/1] quit
Verifying the configuration
# If a DNS flood attack occurs, verify that the victim's IP address is added to the protected IP list for DNS client verification.
[Router] display client-verify dns protected ip
IP address           VPN instance     Port  Type     TTL(min)  Requested  Trusted
192.168.1.10         --               53    Dynamic  30        20         12
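An added example (not from the HP guide): a Python parser for the `display client-verify dns protected ip` output shown above, so that this verification step can be scripted during an incident. The function names, the reading of `--` as "no value", and the assumption that a VPN instance name is a single token are all assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Output copied from the verification step above.
SAMPLE_OUTPUT = """\
IP address           VPN instance     Port  Type     TTL(min)  Requested  Trusted
192.168.1.10         --               53    Dynamic  30        20         12
"""

class ProtectedEntry(NamedTuple):
    ip: str
    vpn_instance: Optional[str]   # None when the device prints "--"
    port: int
    entry_type: str               # "Dynamic" in the guide's sample row
    ttl_min: Optional[int]
    requested: int
    trusted: int

def _num(field):
    # Assumption: a non-numeric placeholder such as "--" means "no value".
    return int(field) if field.isdigit() else None

def parse_protected_ips(output):
    """Parse data rows of 'display client-verify dns protected ip'."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # header (9 words), echoed command, blank lines
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an IP address: not a data row
        vpn = None if fields[1] == "--" else fields[1]
        entries.append(ProtectedEntry(ip, vpn, int(fields[2]), fields[3],
                                      _num(fields[4]), int(fields[5]), int(fields[6])))
    return entries

def is_protected(output, victim_ip, port=53, vpn_instance=None):
    """True if victim_ip:port (in the given VPN instance) is in the protected list."""
    want = str(ipaddress.ip_address(victim_ip))
    return any(e.ip == want and e.port == port and e.vpn_instance == vpn_instance
               for e in parse_protected_ips(output))

if __name__ == "__main__":
    for entry in parse_protected_ips(SAMPLE_OUTPUT):
        print(entry)
    print(is_protected(SAMPLE_OUTPUT, "192.168.1.10"))
```
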
HTTP client verification configuration example
Network requirements
As shown in Figure 146, configure HTTP client verification on Router to protect internal servers against HTTP flood attacks.
Figure 146 Network diagram
Configuration procedure
# Configure IP addresses for the interfaces on Router. (Details not shown.)
# Create attack defense policy a1.
<Router> system-view
[Router] attack-defense policy a1
# Enable HTTP flood attack detection for non-specific IP addresses.
[Router-attack-defense-policy-a1] http-flood detect non-specific
# Set the global threshold to 10000 for triggering HTTP flood attack prevention.
[Router-attack-defense-policy-a1] http-flood threshold 10000
# Specify logging and client-verify as the global actions against HTTP flood attacks.