HP VPN Firewall Appliances Attack Protection Command Reference

bandwidth of the protected network is small, set a smaller silence threshold to help release the traffic
pressure.
Examples
# Set the global action threshold to 3000 packets per second and the global silence threshold to 1000
packets per second for ICMP flood attack protection.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood rate-threshold high 3000 low 1000
Related commands
defense icmp-flood action drop-packet
defense icmp-flood enable
display attack-defense policy
defense scan add-to-blacklist
Use defense scan add-to-blacklist to enable the blacklist function for scanning attack protection.
Use undo defense scan add-to-blacklist to restore the default.
Syntax
defense scan add-to-blacklist
undo defense scan add-to-blacklist
Default
The blacklist function for scanning attack protection is not enabled.
Views
Attack protection policy view
Default command level
2: System level
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address. If the
connection rate of an IP address reaches or exceeds the threshold (set by the defense scan max-rate
command), the device considers the IP address a scanning attack source and drops subsequent packets
from the IP address until it finds that the rate is less than the threshold. At the same time, if the blacklist
function for scanning attack protection is also enabled, the device adds the source IP address to the
blacklist, which then filters packets until the blacklist entry is aged out (the aging time is set by the defense
scan blacklist-timeout command).
The blacklist entries added by the scanning attack protection function take effect only after you enable
the blacklist function for the device by using the blacklist enable command.
If you delete an entry blacklisted by scanning attack protection shortly after the entry is added (within 1
second), the system does not add the entry again. This is because the system considers subsequent
packets that match the entry to be packets of the same attack.
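The following Python model is an added illustration, not HP code or device output. It replays one constructed connection trace against the three combinations of settings described above. The class and function names, the one-second rate window, and expressing the aging time in seconds are assumptions of the model.

```python
from collections import defaultdict

class ScanDefenseModel:
    """Simplified model; names and the one-second rate window are assumptions."""

    def __init__(self, max_rate, blacklist_timeout,
                 add_to_blacklist=False, blacklist_enabled=False):
        self.max_rate = max_rate                    # defense scan max-rate
        self.blacklist_timeout = blacklist_timeout  # aging time, in seconds in this model
        self.add_to_blacklist = add_to_blacklist    # defense scan add-to-blacklist
        self.blacklist_enabled = blacklist_enabled  # blacklist enable (device-wide)
        self.counts = defaultdict(int)              # (ip, second) -> connections seen
        self.blacklist = {}                         # ip -> expiry time

    def handle(self, ip, now):
        """Return the verdict for one new connection from ip at integer second now."""
        expiry = self.blacklist.get(ip)
        if expiry is not None and now >= expiry:
            del self.blacklist[ip]                  # entry aged out
            expiry = None
        # An entry filters traffic only when the device-wide blacklist is on.
        if expiry is not None and self.blacklist_enabled:
            return "drop:blacklist"
        seen = self.counts[(ip, now)]
        self.counts[(ip, now)] = seen + 1
        if seen + 1 >= self.max_rate and self.add_to_blacklist:
            self.blacklist[ip] = now + self.blacklist_timeout
        # Packets after the one that reached the threshold are dropped.
        return "drop:scan-rate" if seen >= self.max_rate else "forward"

# Constructed trace: 5 connections in second 0, then one per second.
TRACE = [0, 0, 0, 0, 0, 1, 2, 3, 4]

def run(**settings):
    model = ScanDefenseModel(max_rate=3, blacklist_timeout=3, **settings)
    return [model.handle("192.0.2.10", t) for t in TRACE]

if __name__ == "__main__":
    for label, settings in [
        ("rate check only", {}),
        ("add-to-blacklist, blacklist off", {"add_to_blacklist": True}),
        ("add-to-blacklist, blacklist on",
         {"add_to_blacklist": True, "blacklist_enabled": True}),
    ]:
        print(f"{label:34}", run(**settings))
```

With the rate check alone, the source is forwarded again as soon as its rate falls below the threshold. With both blacklist settings on, it stays filtered until the entry ages out.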
Examples
# Enable scanning attack protection.
<Sysname> system-view