Configuring syn flood detection – H3C Technologies H3C SecPath F1000-E User Manual

17

Item

Description

Global Configuration
of Security Zone

Action Threshold

Set the protection action threshold for DNS flood attacks that
target a host in the protected security zone.
If the sending rate of DNS query requests destined for a host in
the security zone constantly reaches or exceeds this threshold,

the firewall enters all extra requests and logs the event.

NOTE:

Host-specific settings take precedence over the global settings for security zones.

Configuring SYN flood detection

NOTE:

SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.

From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood to enter the SYN

flood detection configuration page, as shown in

Figure 17

. You can select a security zone and then view

and configure SYN flood detection rules for the security zone.

Figure 17 SYN flood detection configuration page

To configure SYN flood detection, follow these steps:

1.

In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a
SYN flood attack. If you do not select any option, the firewall only collects SYN flood attack

statistics. The available protection actions include:

{

Discard packets when the specified attack is detected. If detecting that a protected object in the
security zone is under SYN flood attack, the firewall drops the TCP connection requests to the

protected host to block subsequent TCP connections.

{

Add protected IP entry to TCP Proxy. If detecting that a protected object in the security zone is
under SYN flood attack, the firewall adds the target IP address to the protected IP list on the TCP

proxy as a dynamic one, setting the port number as any. If TCP proxy is configured for the