HP VPN Firewall Appliances Attack Protection Configuration Guide

5. Configure the ICMP packet length threshold that triggers large ICMP attack protection.
   Command: signature-detect large-icmp max-length length
   Remarks: Optional. 4000 bytes by default.
6. Configure the device to drop single-packet attack packets.
   Command: signature-detect action drop-packet
   Remarks: Optional. By default, the device only outputs alarm logs if it detects a single-packet attack.

You can configure a maximum of 250 protected IP addresses for each security zone.
Configuring a scanning attack protection policy
The scanning attack protection function detects scanning attacks by monitoring the establishment rate of
connections to the target systems. It is typically applied to security zones connecting external networks
and inspects only the inbound packets of the security zones. If the device detects that the rate at which
an IP address initiates connections reaches or exceeds the pre-defined threshold, the device outputs an
alarm log, and it can blacklist the IP address depending on your configuration. Subsequent packets from
the blacklisted IP address are dropped.
To configure a policy for preventing scanning attacks:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a non-default VD.
3. Enter attack protection policy view.
   Command: attack-defense policy policy-number
   Remarks: N/A
4. Enable scanning attack protection.
   Command: defense scan enable
   Remarks: Disabled by default.
5. Specify the connection rate threshold that triggers scanning attack protection.
   Command: defense scan max-rate rate-number
   Remarks: Optional. 4000 connections per second by default.
6. Configure the blacklist function for scanning attack protection.
   Commands:
   - Enable the blacklist function for scanning attack protection: defense scan add-to-blacklist
   - Set the aging time for entries blacklisted by the scanning attack protection function: defense scan blacklist-timeout minutes
   Remarks: Optional. By default, the blacklist function for scanning attack protection is disabled, and the aging time for entries blacklisted by the scanning attack protection function is 10 minutes.
7. Return to system view.
   Command: quit
   Remarks: N/A
8. Enable the blacklist function.
   Command: blacklist enable
   Remarks: Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled.
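The behaviour this procedure configures, as an added Python model (not HP's code): it shows how max-rate, add-to-blacklist, blacklist-timeout and the system-level blacklist enable interact, with the 1-second sliding window, the count reset after an alarm, the scaled-down threshold and the RFC 5737 sample addresses all being assumptions.

```python
from collections import defaultdict, deque


class ScanDefense:
    """Model of 'defense scan': per-source connection rate in a 1-second
    sliding window (assumption), alarm at max-rate, optional blacklisting."""

    def __init__(self, max_rate=4000, add_to_blacklist=False,
                 timeout_min=10, blacklist_enable=False):
        self.max_rate = max_rate                    # defense scan max-rate (default 4000/s)
        self.add_to_blacklist = add_to_blacklist    # defense scan add-to-blacklist
        self.timeout = timeout_min * 60             # defense scan blacklist-timeout (default 10 min)
        self.blacklist_enable = blacklist_enable    # blacklist enable (system view)
        self.windows = defaultdict(deque)  # src -> timestamps of recent attempts
        self.blacklist = {}                # src -> expiry timestamp (seconds)
        self.alarms = []                   # alarm log lines

    def inbound(self, ts, src):
        """Handle one inbound connection-initiating packet: 'drop' or 'forward'."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts >= expiry:
                del self.blacklist[src]     # entry aged out
            elif self.blacklist_enable:
                return "drop"               # entries act only once 'blacklist enable' is set
        window = self.windows[src]
        window.append(ts)
        while window[0] <= ts - 1.0:        # keep only the last second
            window.popleft()
        if len(window) >= self.max_rate:
            self.alarms.append(f"{ts:.1f} scan attack from {src}: {len(window)} conn/s")
            if self.add_to_blacklist:
                self.blacklist[src] = ts + self.timeout
            window.clear()                  # restart the count after an alarm (assumption)
        return "forward"                    # the triggering packet itself is forwarded


def simulate(max_rate=5):
    """Constructed scenario: scaled-down threshold, RFC 5737 documentation addresses."""
    fw = ScanDefense(max_rate, add_to_blacklist=True, blacklist_enable=True)
    for i in range(max_rate):                        # scanner: 5 attempts in 0.5 s
        fw.inbound(10.0 + i * 0.1, "203.0.113.9")
    out = {"alarm_count": len(fw.alarms)}
    out["scanner_after_alarm"] = fw.inbound(10.6, "203.0.113.9")
    out["normal_host"] = fw.inbound(10.7, "198.51.100.2")
    out["scanner_after_aging"] = fw.inbound(10.6 + fw.timeout, "203.0.113.9")
    no_bl = ScanDefense(max_rate, add_to_blacklist=True)  # step 8 'blacklist enable' omitted
    for i in range(max_rate + 1):
        verdict = no_bl.inbound(20.0 + i * 0.1, "203.0.113.9")
    out["without_blacklist_enable"] = verdict  # alarm logged, nothing dropped
    return out
```

The last case is the one the step 8 remark warns about: without blacklist enable the policy still logs the alarm and creates the entry, but no packet is dropped.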