HP VPN Firewall Appliances Attack Protection Configuration Guide
39
Ste
p
Command
Remarks
5. Configure the global action
and silence thresholds for
DNS flood attack protection.
defense dns-flood rate-threshold
high rate-number [ low
rate-number ]
Optional.
By default, the action threshold is
1000 packets per second and the
silence threshold is 750 packets per
second.
6. Configure the action and
silence thresholds for DNS
flood attack protection of a
specific IP address.
defense dns-flood ip ip-address
rate-threshold high rate-number
[ low rate-number ]
Optional.
Not specifically configured for an IP
address by default.
Applying an attack protection policy to a security zone
To make a configured attack protection policy take effect, you need to apply the policy to a specific
security zone.
To apply an attack protection policy to a security zone:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VD system view.
switchto vd vd-name Required for a non-default VD.
3. Enter security zone view.
zone name zone-name id zone-id
N/A
4. Apply an attack protection
policy to the security zone.
attack-defense apply policy
policy-number
By default, no attack protection
policy is applied to any security
zone.
The attack protection policy to be
applied to a security zone must
already exist.
Configuring TCP proxy
Typically, TCP proxy is used on a device's security zones connected to external networks to protect
internal servers from SYN flood attacks. When detecting a SYN flood attack, the device can take
protection actions as configured by using the defense syn-flood action command. If the trigger-tcp-proxy
keyword is specified for the defense syn-flood action command, the device starts TCP proxy in the
specified mode to inspect and process subsequent TCP connection requests destined to the protected IP
address. The protected IP address can be configured manually or generated dynamically by SYN flood
attack detection.
To configure the TCP proxy function:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Configure TCP proxy
operating mode.
• Unidirectional mode:
tcp-proxy mode unidirection
• Bidirectional mode:
undo tcp-proxy mode
Optional.
By default, the TCP proxy operates in
bidirectional mode.