3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Configuring Attack Prevention 155
Table 166 Enable/disable the ICMP unreachable packet control function

Operation                                                Command
Disable the ICMP unreachable packet control function     undo firewall defend icmp-unreachable

By default, the ICMP unreachable packet control function is disabled.

Enabling/Disabling the IP Sweep Attack Prevention Function

Perform the following configuration in system view.

Table 167 Enable/disable the IP Sweep attack prevention function

Operation                                          Command
Enable the IP Sweep attack prevention function     firewall defend ip-sweep [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the IP Sweep attack prevention function    undo firewall defend ip-sweep

By default, the IP Sweep attack prevention function is disabled. The max-rate keyword sets the maximum sweeping rate, in the range of 1 to 10,000; the default value is 4000. The blacklist-timeout keyword sets how long, in minutes, the address remains in the blacklist, in the range of 1 to 1,000; the default value is 0, which means the address is not added to the blacklist.

CAUTION:
To enable the IP Sweep attack prevention function, make sure you enable the outbound IP statistics function in the zone where the connection is initiated and configure the IP Sweep attack prevention function.
The time for which an address remains blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass the Firewall module.
The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.

Enabling/Disabling the Port Scan Attack Prevention Function

Perform the following configuration in system view.

Table 168 Enable/disable the port scan attack prevention function

Operation                                           Command
Enable the port scan attack prevention function     firewall defend port-scan [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the port scan attack prevention function    undo firewall defend port-scan

By default, the port scan attack prevention function is disabled. The max-rate keyword sets the maximum scanning rate, in the range of 1 to 10,000; the default value is 4000. The blacklist-timeout keyword sets how long, in minutes, the address remains in the blacklist, in the range of 1 to 1,000; the default value is 0, which means the address is not added to the blacklist.

CAUTION:
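The rate-then-blacklist behaviour that the ip-sweep and port-scan commands configure, as an added Python model that is not code from this guide or from the 3Com firmware: a source that touches more distinct targets per second than max-rate is flagged and then dropped for blacklist-timeout minutes, and the configuration check encodes the CAUTION that the blacklist time must exceed the session aging time. Assumptions not stated by the manual: the sweep rate is counted as distinct targets (destination addresses for IP Sweep, destination ports for port scan) per source per one-second window, the session aging time is supplied in seconds, and all addresses and timings are constructed.

```python
from collections import defaultdict, deque


class SweepDefense:
    """Toy model of the firewall's rate-based sweep/scan prevention.

    Assumed (the manual states no unit): a source exceeds max_rate when it
    touches more than max_rate distinct targets within one second; a target
    is a destination address (IP Sweep) or a destination port (port scan).
    """

    def __init__(self, max_rate=4000, blacklist_timeout=0, session_aging_time=60):
        self.max_rate = max_rate                      # documented default: 4000
        self.blacklist_timeout = blacklist_timeout    # minutes; documented default 0 = never blacklist
        self.session_aging_time = session_aging_time  # seconds; hypothetical aging-time value
        self._window = defaultdict(deque)             # src -> deque of (timestamp, target) in last 1 s
        self._blacklist = {}                          # src -> expiry timestamp in seconds

    def config_warnings(self):
        """Report the settings the CAUTION box says make the blacklist ineffective."""
        warnings = []
        if self.blacklist_timeout == 0:
            warnings.append("blacklist-timeout is 0: sweeping sources are never blacklisted")
        elif self.blacklist_timeout * 60 <= self.session_aging_time:
            warnings.append("blacklist-timeout must exceed the firewall session aging time")
        return warnings

    def observe(self, ts, src, target):
        """Classify one packet as 'drop' (blacklisted), 'sweep' (rate exceeded) or 'permit'."""
        expiry = self._blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self._blacklist[src]                  # timeout elapsed; source may talk again
        window = self._window[src]
        while window and ts - window[0][0] >= 1.0:    # slide the one-second window
            window.popleft()
        window.append((ts, target))
        if len({t for _, t in window}) > self.max_rate:
            if self.blacklist_timeout:
                self._blacklist[src] = ts + self.blacklist_timeout * 60
            return "sweep"
        return "permit"


if __name__ == "__main__":
    defense = SweepDefense(max_rate=5, blacklist_timeout=1, session_aging_time=30)
    # Constructed traffic: 10.0.0.9 probes six addresses in half a second, then is dropped.
    print([defense.observe(0.1 * i, "10.0.0.9", f"192.168.1.{i}") for i in range(6)])
    print(defense.observe(1.0, "10.0.0.9", "192.168.1.100"))
```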