Configuring a flood attack protection policy – H3C Technologies H3C SecBlade LB Cards User Manual

Step 8. Enable the blacklist function.
   Command: blacklist enable
   Remarks: Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled.

Configuring a flood attack protection policy

The flood attack protection function is mainly used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server. The flood attack protection function is usually applied to the security zones connecting the internal network and inspects only the outbound packets of those security zones.

With flood attack protection enabled, the device is in the attack detection state. When the device detects that the rate of connection requests sent to a server constantly reaches or exceeds the specified action threshold, it considers the server to be under attack and enters the attack protection state. The device then takes the configured protection actions (by default, the device only outputs alarm logs, but it can also be configured to drop the subsequent connection request packets or to use the TCP proxy). When the device detects that the packet rate to the server has dropped below the silence threshold, it considers the attack on the server to be over, returns to the attack detection state, and stops taking the protection actions.

You can configure attack protection for specific IP addresses. For IP addresses for which you do not configure attack protection specifically, the device uses the global attack protection settings.

To configure a SYN flood attack protection policy:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter VD system view.
   Command: switchto vd vd-name
   Remarks: Required for a non-default VD.

Step 3. Enter attack protection policy view.
   Command: attack-defense policy policy-number
   Remarks: N/A

Step 4. Enable SYN flood attack protection.
   Command: defense syn-flood enable
   Remarks: Disabled by default.

Step 5. Configure the global action and silence thresholds for SYN flood attack protection.
   Command: defense syn-flood rate-threshold high rate-number [ low rate-number ]
   Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.

Step 6. Configure the action and silence thresholds for SYN flood attack protection of a specific IP address.
   Command: defense syn-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
   Remarks: Optional. Not configured by default.

Step 7. Configure the device to drop SYN flood attack packets or use the TCP proxy.
   Command: defense syn-flood action { drop-packet | trigger-tcp-proxy }
   Remarks: Optional. By default, the device only outputs alarm logs if it detects an attack.
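The following is an added example, not H3C's code and not part of the manual: a small Python model that parses the SYN flood commands listed in the steps above into a policy object and then replays per-second connection-request rates through the detection/protection state machine the section describes. It makes the hysteresis between the action (high) and silence (low) thresholds visible, and shows how a per-IP threshold overrides the global one. Assumptions: the label "alarm-log" for the default log-only behaviour is our own name; an omitted low value falls back to the previously configured (global) silence threshold; and a single sample at or above the action threshold is treated as "constantly reaching" it, since the page gives no duration.

```python
"""Added example (not H3C's code): model of the SYN flood protection policy
described on this manual page.  Parses the page's own ``defense syn-flood``
commands and replays per-second request rates through the
detection/protection state machine."""
import re
from dataclasses import dataclass, field

# Page defaults: action threshold 1000 pps, silence threshold 750 pps.
DEFAULT_HIGH = 1000
DEFAULT_LOW = 750


@dataclass
class SynFloodPolicy:
    enabled: bool = False
    high: int = DEFAULT_HIGH            # global action threshold (pps)
    low: int = DEFAULT_LOW              # global silence threshold (pps)
    action: str = "alarm-log"           # our label for the default (log only)
    per_ip: dict = field(default_factory=dict)   # ip -> (high, low) overrides

    def thresholds(self, ip: str) -> tuple:
        """Per-IP thresholds if configured, otherwise the global ones."""
        return self.per_ip.get(ip, (self.high, self.low))


_GLOBAL_RE = re.compile(r"defense syn-flood rate-threshold high (\d+)(?: low (\d+))?")
_IP_RE = re.compile(r"defense syn-flood ip (\S+) rate-threshold high (\d+)(?: low (\d+))?")
_ACTION_RE = re.compile(r"defense syn-flood action (drop-packet|trigger-tcp-proxy)")


def parse_policy(config_text: str) -> SynFloodPolicy:
    """Build a policy from attack-defense policy view commands; other lines are ignored."""
    policy = SynFloodPolicy()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "defense syn-flood enable":
            policy.enabled = True
        elif m := _GLOBAL_RE.fullmatch(line):
            policy.high = int(m.group(1))
            if m.group(2):
                policy.low = int(m.group(2))
            # Assumption: an omitted "low" keeps the previous silence threshold.
        elif m := _IP_RE.fullmatch(line):
            # Assumption: an omitted per-IP "low" falls back to the global silence threshold.
            low = int(m.group(3)) if m.group(3) else policy.low
            policy.per_ip[m.group(1)] = (int(m.group(2)), low)
        elif m := _ACTION_RE.fullmatch(line):
            policy.action = m.group(1)
    return policy


def simulate(policy: SynFloodPolicy, server_ip: str, rates: list) -> list:
    """Replay per-second SYN rates sent to server_ip.

    Returns one (rate, state, action) tuple per sample.  Simplification: one
    sample at or above the action threshold enters protection state; the page
    says the rate must do so "constantly" but gives no duration."""
    if not policy.enabled:
        return [(r, "disabled", "none") for r in rates]
    high, low = policy.thresholds(server_ip)
    state = "detection"
    trace = []
    for rate in rates:
        if state == "detection" and rate >= high:
            state = "protection"          # attack detected: start configured action
        elif state == "protection" and rate < low:
            state = "detection"           # attack over: stop the action
        # Between low and high the state is unchanged: this gap is the hysteresis
        # that keeps the device from flapping when a rate hovers near one threshold.
        action = policy.action if state == "protection" else "none"
        trace.append((rate, state, action))
    return trace


# Constructed sample configuration using only the commands shown on this page.
SAMPLE_CONFIG = """
attack-defense policy 1
 defense syn-flood enable
 defense syn-flood rate-threshold high 1000 low 750
 defense syn-flood ip 10.1.1.10 rate-threshold high 500 low 300
 defense syn-flood action drop-packet
"""

if __name__ == "__main__":
    pol = parse_policy(SAMPLE_CONFIG)
    for rate, state, action in simulate(pol, "10.1.1.10", [100, 500, 400, 299, 600]):
        print(f"{rate:>5} pps  {state:<10} {action}")
```

Running the sample shows the protected server 10.1.1.10 entering the protection state at 500 pps (its own action threshold), staying there at 400 pps because that is still above its 300 pps silence threshold, and only returning to detection at 299 pps; a server without a per-IP entry is judged against the global 1000/750 pair instead.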

To configure an ICMP flood attack protection policy:
