Configuring a scanning attack protection policy – H3C Technologies H3C SecBlade LB Cards User Manual

246

Step | Command | Remarks

Step 4. Enable signature detection for single-packet attacks.
  Command: signature-detect { fraggle | icmp-redirect | icmp-unreachable | land | large-icmp | route-record | smurf | source-route | tcp-flag | tracert | winnuke } enable
  Remarks: By default, signature detection is disabled for all kinds of single-packet attacks.

Step 5. Configure the ICMP packet length threshold that triggers large ICMP attack protection.
  Command: signature-detect large-icmp max-length length
  Remarks: Optional. 4000 bytes by default.

Step 6. Configure the device to drop single-packet attack packets.
  Command: signature-detect action drop-packet
  Remarks: Optional. By default, the device only outputs alarm logs if it detects a single-packet attack.
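As an added illustration of the single-packet signature detection configured in steps 4 to 6 (this is a model written for this page, not H3C device code), the Python below checks two of the listed signatures, large-icmp against the configured max-length (4000 bytes by default) and land (a TCP packet whose source and destination address and port are identical), and applies the configured action: alarm log only by default, or drop when drop-packet is set. The packets are constructed, and the definitions of the land and large-icmp signatures are assumptions based on the common meaning of those names, not taken from the manual.

```python
"""Model of single-packet signature detection with alarm-only or drop action.

Added example, not H3C code. Signature definitions (assumed):
  large-icmp: ICMP packet longer than the configured max-length (default 4000 bytes)
  land:       TCP packet with src == dst address and sport == dport
"""
from dataclasses import dataclass, field

DEFAULT_LARGE_ICMP_MAX_LENGTH = 4000  # bytes, the manual's default for max-length


@dataclass
class SignatureDetectConfig:
    enabled: set = field(default_factory=set)      # signatures with "... enable" set
    large_icmp_max_length: int = DEFAULT_LARGE_ICMP_MAX_LENGTH
    drop_packet: bool = False                      # False = alarm log only (default)


def match_signatures(pkt, cfg):
    """Return the names of the enabled signatures that the packet matches."""
    hits = []
    if ("large-icmp" in cfg.enabled and pkt["proto"] == "icmp"
            and pkt["length"] > cfg.large_icmp_max_length):
        hits.append("large-icmp")
    if ("land" in cfg.enabled and pkt["proto"] == "tcp"
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]):
        hits.append("land")
    return hits


def process_packet(pkt, cfg, log):
    """Log an alarm per matched signature; return True if the packet is forwarded."""
    hits = match_signatures(pkt, cfg)
    for name in hits:
        log.append(f"ALARM single-packet attack {name} from {pkt['src']} to {pkt['dst']}")
    # Without "signature-detect action drop-packet" the packet is still forwarded.
    return not (hits and cfg.drop_packet)


def run_sample(drop_packet=True):
    """Run constructed packets through a config with large-icmp and land enabled."""
    cfg = SignatureDetectConfig(enabled={"large-icmp", "land"}, drop_packet=drop_packet)
    packets = [  # constructed sample traffic
        {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.1", "length": 64},
        {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.1", "length": 5000},
        {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.1", "sport": 80, "dport": 80},
        {"proto": "tcp", "src": "198.51.100.2", "dst": "10.0.0.1", "sport": 40000, "dport": 80},
    ]
    log = []
    forwarded = [process_packet(p, cfg, log) for p in packets]
    return forwarded, log


if __name__ == "__main__":
    for mode in (False, True):
        fwd, log = run_sample(drop_packet=mode)
        print(f"drop-packet={mode}: forwarded={fwd}")
        for line in log:
            print("  " + line)
```

Running it with the default action shows every packet forwarded but two alarms logged; with drop-packet set, the oversized ICMP packet and the land packet are discarded while the alarms are still produced.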

Configuring a scanning attack protection policy

The scanning attack protection function detects scanning attacks by monitoring the establishment rate of connections to the target systems. It is usually applied to security zones connecting external networks and inspects only the inbound packets of the security zones. If the device detects that the rate at which an IP address initiates connections reaches or exceeds the pre-defined threshold, the device outputs an alarm log, and it can blacklist the IP address depending on your configuration. Subsequent packets from the blacklisted IP address are dropped.

To configure a policy for preventing scanning attacks:

Step | Command | Remarks

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter VD system view.
  Command: switchto vd vd-name
  Remarks: Required for a non-default VD.

Step 3. Enter attack protection policy view.
  Command: attack-defense policy policy-number
  Remarks: N/A

Step 4. Enable scanning attack protection.
  Command: defense scan enable
  Remarks: Disabled by default.

Step 5. Specify the connection rate threshold that triggers scanning attack protection.
  Command: defense scan max-rate rate-number
  Remarks: Optional. 4000 connections per second by default.

Step 6. Configure the blacklist function for scanning attack protection.
  Commands:
    Enable the blacklist function for scanning attack protection: defense scan add-to-blacklist
    Set the aging time for entries blacklisted by the scanning attack protection function: defense scan blacklist-timeout minutes
  Remarks: Optional. By default:
    The blacklist function for scanning attack protection is disabled.
    The aging time for entries blacklisted by the scanning attack protection function is 10 minutes.

Step 7. Return to system view.
  Command: quit
  Remarks: N/A
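The following Python is an added model of the behaviour the description and steps 4 to 6 above configure; it is written for this page and is not H3C device code. Connection initiations are counted per source address inside one-second windows (the window and the use of event timestamps are assumptions of this model; the manual does not say how the device measures the rate). When a source reaches max-rate an alarm is logged, and if add-to-blacklist is enabled the source is blacklisted for blacklist-timeout minutes, after which the entry ages out. The defaults mirror the table: 4000 connections per second and a 10-minute aging time. All events are constructed.

```python
"""Model of scanning attack protection: per-source connection rate, alarm, blacklist, aging.

Added example, not H3C code. One-second counting windows are an assumption.
"""
from collections import defaultdict


class ScanDefense:
    def __init__(self, max_rate=4000, add_to_blacklist=False, blacklist_timeout_min=10):
        self.max_rate = max_rate                          # defense scan max-rate
        self.add_to_blacklist = add_to_blacklist          # defense scan add-to-blacklist
        self.blacklist_timeout = blacklist_timeout_min * 60  # defense scan blacklist-timeout, in s
        self.window = defaultdict(lambda: [None, 0])      # src -> [window start, connections]
        self.blacklist = {}                               # src -> expiry timestamp
        self.alarms = []

    def _blacklisted(self, src, now):
        """True while an entry exists; expired entries age out on first use."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]
            return False
        return True

    def inbound(self, src, now, new_connection):
        """Handle one inbound packet; return 'forward' or 'drop'."""
        if self._blacklisted(src, now):
            return "drop"                      # subsequent packets from a blacklisted source
        if not new_connection:
            return "forward"                   # only connection initiations count toward the rate
        start, count = self.window[src]
        if start is None or now - start >= 1.0:
            start, count = now, 0              # open a fresh one-second window
        count += 1
        self.window[src] = [start, count]
        if count == self.max_rate:             # threshold reached: alarm once per window
            self.alarms.append(f"ALARM scanning attack from {src} at {now:.1f}s: {count} conn/s")
            if self.add_to_blacklist:
                self.blacklist[src] = now + self.blacklist_timeout
                self.window[src] = [None, 0]
        return "forward"                       # the triggering packet itself is not dropped


def run_sample():
    """Constructed events: 10.0.0.5 reaches a threshold of 5 conn/s with blacklisting
    on (1-minute aging); 10.0.0.9 stays below the threshold throughout."""
    d = ScanDefense(max_rate=5, add_to_blacklist=True, blacklist_timeout_min=1)
    events = [("10.0.0.5", i * 0.1, True) for i in range(5)]        # 5th one hits the threshold
    events += [("10.0.0.9", 0.2, True), ("10.0.0.9", 0.5, True)]
    events += [("10.0.0.5", 0.6, True), ("10.0.0.5", 30.0, False)]  # dropped while blacklisted
    events += [("10.0.0.5", 61.0, True)]                            # entry aged out after 60 s
    events.sort(key=lambda e: e[1])
    results = [(src, d.inbound(src, t, new)) for src, t, new in events]
    return results, d.alarms


if __name__ == "__main__":
    results, alarms = run_sample()
    for src, verdict in results:
        print(f"{src}: {verdict}")
    print("\n".join(alarms))
```

The model keeps the two properties the manual states: the threshold only produces an alarm unless blacklisting is enabled, and a blacklisted source is dropped regardless of what it sends until the aging time elapses. The 10.0.0.9 source, which opens connections at a lower rate, is never affected.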
